Encrypted USB flash drive and wear-leveling

5

Possible Duplicate:
Does full-disk encryption on SSD drive reduce its lifetime?

I would like to encrypt an entire USB flash ("thumb") drive (as sdb, not sdb1) with cryptsetup. Will this encryption adversely affect the life of the drive or its reliability by interfering with the wear-leveling?

From a discussion about encryption on solid-state drives:

The makers of the open source encryption software TrueCrypt for instance recommend that "TrueCrypt volumes are not created/stored on devices (or in file systems) that utilize a wear-leveling mechanism (and that TrueCrypt is not used to encrypt any portions of such devices or filesystems)".

My interest is regarding the reliability of the drive over time, rather than potential security leaks which may result from encrypting a USB flash drive.

Links

  1. A similar question on Security.SE includes a link to a discussion on wear-leveling on the TrueCrypt web-site.
  2. Durability and performance testing of TrueCrypt on an SSD. The recommendation is to leave unpartitioned space on the drive for wear-leveling.
  3. Another TrueCrypt/SSD discussion which mentions leaving unpartitioned space. The author reports that encrypting the whole drive is the same as completely filling it with data. That is not my understanding of whole-drive encryption.

Edit

After further thought, the solution may be to create a single encrypted file container on the drive, rather than encrypting the entire drive. If this file did not occupy the entire drive, then (presumably) the drive's wear-leveling process would work as normal.

SabreWolfy

Posted 2012-07-26T10:17:14.260

Reputation: 554

Question was closed 2012-07-27T04:38:06.127

As far as I know on modern flash drives you don't really have to care about wear-leveling. It highly depends on the use case, though. – None – 2012-07-26T10:35:12.673

That warning is only about security not wearing it out. – Synetech – 2012-07-26T15:26:51.953

The part in those links that actually relates to wear-and-tear is the line "The bigger problem is that encrypting the whole drive is essentially equal to completely filling the drive with data". It’s true that when you enable encryption, the existing data has to be re-written as encrypted. If you want to encrypt a drive that’s already full of data, it is going to require re-writing the whole thing, but that’s not exactly a surprise. – Synetech – 2012-07-26T15:32:41.510

@Synetech: I included that information to indicate that I had researched wear-leveling and had not yet found a clear answer. I plan to encrypt a new drive. – SabreWolfy – 2012-07-26T18:02:43.103

Well then it should be okay. If the drive is already empty, then there will be no (significant) extraneous writes as data gets encrypted/decrypted before/after the write. Of course it varies by encryption module and implementation. An old drive combined with a poor encryption routine may be a bad combination, but in most cases, it will not reduce the life of the drive by any significant amount. For (random, contrived) example, rounded down to the nearest day, it may reduce the drive’s life from 2190 days to 2189 days. – Synetech – 2012-07-26T18:17:21.200

Answers

2

Your approach of having an encrypted "container file" is ideal. But if you can avoid it, try not to put a lot of small, frequently-modified files within the encrypted container. It's a good compromise to put only sensitive data within an encrypted archive or nested filesystem, and try to ensure that encrypted data is written to a minimum of times. You can of course read it as many times as you want (there's no limit on reads) but encrypted writes will degrade the disk over time in a similar way to an unencrypted write.

Basically the point being, very frequent writes are bad regardless of whether they're encrypted. Infrequent writes are fine regardless of whether they're encrypted. The encryption overhead in terms of storage and write complexity is not significant enough to make that big of a difference. If you're writing frequently enough to kill the drive in a couple years' time, then you're going to kill it in a couple years' time -- regardless of encryption or not.

BTW, wear leveling is often done in the firmware of the drive, so you can't really expect something at a higher layer like an encrypting filesystem to interfere with that.

allquixotic

Posted 2012-07-26T10:17:14.260

Reputation: 32 256
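The answer's two claims, that wear leveling lives in the firmware below any encryption layer and that creating a whole-drive volume touches every block while a container (the question's Edit) touches only its own blocks, can be made concrete with a small model. This is an added example, not code from the thread: it simulates a flash drive whose firmware picks the least-worn free physical block for every write, replays the same logical write sequence once in plaintext and once through a sector-tweaked cipher (a SHA-256 keystream standing in for dm-crypt's AES-XTS; same size in and out), and compares the erase counts. The block size, device size and workloads are constructed values.

```python
"""Model of a flash drive with firmware wear-leveling (constructed example)."""
import hashlib
import os

BLOCK = 512  # bytes per logical block (constructed value)


class FlashDevice:
    """Toy flash: each logical write lands on the least-worn free physical block."""

    def __init__(self, nblocks):
        self.erases = [0] * nblocks   # per-physical-block program/erase count
        self.l2p = {}                 # logical block -> physical block
        self.free = set(range(nblocks))
        self.data = [None] * nblocks

    def write(self, lba, data):
        assert len(data) == BLOCK
        old = self.l2p.get(lba)
        if old is not None:
            self.free.add(old)        # previous copy becomes garbage, reclaimed later
        phys = min(self.free, key=lambda p: (self.erases[p], p))
        self.free.discard(phys)
        self.erases[phys] += 1
        self.data[phys] = data
        self.l2p[lba] = phys


def encrypt_block(key, lba, plain):
    """XOR a per-sector keystream into the block; length-preserving like XTS.
    Applying it twice with the same key and lba decrypts again."""
    stream = b"".join(
        hashlib.sha256(key + lba.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        for i in range(BLOCK // 32))
    return bytes(a ^ b for a, b in zip(plain, stream))


def run_workload(nblocks, writes, key=None):
    """Replay (lba, data) writes, encrypting first when a key is given.
    Returns the erase-count vector the firmware ends up with."""
    dev = FlashDevice(nblocks)
    for lba, data in writes:
        dev.write(lba, data if key is None else encrypt_block(key, lba, data))
    return dev.erases


def init_writes(nblocks, volume_blocks):
    """Random-filling a new volume of volume_blocks (whole drive or container)
    writes exactly those blocks once; the rest of the drive is untouched."""
    fill = [(i, os.urandom(BLOCK)) for i in range(volume_blocks)]
    return run_workload(nblocks, fill)
```

The physical block chosen never depends on the bytes written, only on the logical address and the firmware's erase counters, so the encrypted and plaintext runs wear the device identically. Real firmware additionally reclaims blocks on TRIM, which dm-crypt only forwards when the mapping is opened with `--allow-discards`; the model does not cover that.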

A container would be less secure; the ENTIRE flash drive should be encrypted (the most secure is encryption done by a hardware chip). Failing that, the entire drive being encrypted is safe. What you don't want is the firmware to move unencrypted files around (same reason you encrypt the entire SSD drive before you place anything on it). Your comment about small files is true even without encryption. – Ramhound – 2012-07-26T15:13:43.047

The encrypted drive/file will contain many small files which will be modified regularly, so magnetic media would be the best solution. – SabreWolfy – 2012-07-26T18:06:09.310