TrueCrypt on SSD RAID 0?

ithenoob

Junior Member
Apr 22, 2013
I have done much research on TrueCrypt on SSDs.

Just a few questions for clarifying:

Fresh SSDs -> install win7 -> TrueCrypt fully encrypt booting partition, then encrypt some other partitions on same SSDs. All encrypting is done prior to writing of data. I do not intend to ever change passwords.

>Isn't the data written to any logically encrypted partition always fully encrypted, even if the system hibernates? Any chance of security leak?
>Would the levels of wear differ at all during use after encryption?
>Comments on full disk encryption?

On a RAID 0 system of two SSD, integrated RAID controller on motherboard with motherboard integrated TRIM.
 

Bubbaleone

Golden Member
Nov 20, 2011

There are "logical partitions", but in all the years I've been in this field I've never heard of a "logically encrypted partition". From the TrueCrypt quote below, you can see that sleep and hibernation would have no effect on encrypted data whatsoever. The problem with wear leveling on SSDs was addressed by virtually all manufacturers several years ago, thus it's a non-problem, and Windows 7 and 8 both handle TRIM natively.

Windows Disk Management doesn't treat an SSD any differently than a HDD, and an array is simply seen as a single large volume. There is absolutely no data protection in a RAID 0 array, which makes me wonder why you would even consider such a configuration if you're that concerned with data security.

I believe you would gain a much better understanding of how TrueCrypt actually functions by doing a bit more learning and a bit less research. A good place for you to start would be taking the time to study the documentation on their website: TrueCrypt Introduction

From TrueCrypt:
Note that TrueCrypt never saves any decrypted data to a disk – it only stores them temporarily in RAM (memory). Even when the volume is mounted, data stored in the volume is still encrypted. When you restart Windows or turn off your computer, the volume will be dismounted and files stored in it will be inaccessible (and encrypted). Even when power supply is suddenly interrupted (without proper system shut down), files stored in the volume are inaccessible (and encrypted). To make them accessible again, you have to mount the volume (and provide the correct password and/or keyfile).
 

smakme7757

Golden Member
Nov 20, 2010
TrueCrypt will work fine.

The only security flaw when a PC hibernates that's using TrueCrypt or BitLocker is that the encryption key is unencrypted in memory.

So someone with the correct equipment and software would be able to extract the contents of your memory (via firewire for example) and then find the encryption key.

With for example:
http://www.elcomsoft.com/efdd.html

It's a reason why I've disconnected and disabled firewire on my home server that uses Bitlocker.
 

imagoon

Diamond Member
Feb 19, 2003
Full system encryption takes care of the hibernation and RAM dump issues (short of "parasitic memory" dumps). The FireWire one obviously requires disabling the ports.

If you have a system that needs encryption, it is normally wise to do the entire OS.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
The data written to the disk is encrypted in memory first, on the fly, and then written to disk; it never appears at all on the disk as plain text.

System hibernation is a problem: while the system is on and encrypted partitions are mounted, the keys to encrypt and decrypt the hard drive are stored in memory, and with hibernation the contents of memory are written to the disk. Full disk encryption of the OS drive solves this problem, so make sure you're encrypting the OS drive when mounting other partitions.

Wear levels are the same encrypted as non-encrypted; the only additional wear is a one-time pass on the drive to do initial encryption. TrueCrypt encrypts the free space in partitions, so even empty drives go through an initial full drive write. No big deal.

Additional comments:

1) RAID 0 is built for speed only and not redundancy; in fact it has a greater chance of failure because fragging one drive breaks the entire array. Make sure to take precautions for redundancy. RAID 0+1 is a good option for speed but requires 2x more drives.

2) Performance - With any full disk encryption the speed at which you can read/write may be limited by the CPU doing the encryption/decryption, truecrypt comes with a benchmark tool that allows you to see the max read/write speeds based on your hardware and encryption type.

Normally with a decent CPU (high end Intel) and slowish drives (single spindle) and fast encryption (AES) it's not a problem. However, you plan on running RAID 0 for speed on faster SSDs, so you have a potentially HUGE data transfer per second. It's worth benchmarking the max throughput of the drives non-encrypted and then benchmarking your CPU with TrueCrypt and comparing the data rates.

Even if the CPU isn't a bottleneck for reading/writing data it's likely the CPU would be under significant load during read/writes and that could be problematic if the box has other roles that require CPU time.

It's also worth noting the newer Intel CPUs have hardware based AES acceleration which truecrypt supports which MASSIVELY boosts the speed at which the CPU can encrypt/decrypt the data (from 100's of MB/sec to several GB/sec), this would be a good route to go to keep performance of the array nice and fast if you're struggling.
 
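An added example, not part of any post in this thread: a read-only Windows PowerShell check for the two key-exposure paths raised above (hibernation writing RAM to disk, and FireWire ports). `Get-KeyExposureAudit` is a hypothetical name, and the script assumes Windows PowerShell with `Get-WmiObject` available; it cannot tell whether the system drive is TrueCrypt-encrypted, so that still has to be confirmed by hand.

```powershell
# Added example (not from the thread). Get-KeyExposureAudit is a hypothetical name.
# Read-only: it reports settings and changes nothing on the machine.
function Get-KeyExposureAudit {
    $sysRoot = "$($env:SystemDrive)\"

    # HibernateEnabled = 1 means Windows may write the contents of RAM to hiberfil.sys.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                              -ErrorAction SilentlyContinue
    $hibernateOn = ($null -ne $power) -and ($power.HibernateEnabled -eq 1)

    # hiberfil.sys is a hidden, locked system file, so list the drive root with -Force.
    $hiberFile = Get-ChildItem -Path $sysRoot -Filter 'hiberfil.sys' -Force `
                               -ErrorAction SilentlyContinue
    $hiberSizeGB = if ($hiberFile) { [math]::Round($hiberFile.Length / 1GB, 1) } else { 0 }

    # IEEE 1394 (FireWire) host controllers known to WMI.
    $fw = @(Get-WmiObject -Class Win32_1394Controller -ErrorAction SilentlyContinue)

    # Turn the raw facts into the follow-up actions the thread recommends.
    $notes = @()
    if ($hibernateOn -or $hiberFile) {
        $notes += 'Hibernation is available: RAM, including keys of mounted volumes, ' +
                  'can be written to hiberfil.sys. Confirm the system drive itself is ' +
                  'fully encrypted, or disable hibernation.'
    }
    if ($fw.Count -gt 0) {
        $notes += 'FireWire controller present: disable it in firmware or Device ' +
                  'Manager if it is not needed.'
    }
    if ($notes.Count -eq 0) {
        $notes += 'No hibernation file and no FireWire controller found.'
    }

    New-Object PSObject -Property @{
        SystemDrive         = $env:SystemDrive
        HibernateEnabled    = $hibernateOn
        HiberFilePresent    = [bool]$hiberFile
        HiberFileSizeGB     = $hiberSizeGB
        FireWireControllers = @($fw | ForEach-Object { $_.Name })
        Notes               = $notes
    }
}

# Run from an elevated prompt so the registry key and drive root are readable.
Get-KeyExposureAudit | Format-List
```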

PrincessFrosty

Platinum Member
Feb 13, 2008
Oh and also check the local laws regarding encryption in your country, see what legal repercussions there are for people who know the encryption keys.

Some countries have laws that force key holders to give up the keys under certain conditions, if you consider this an issue you should consider encrypting with hidden partitions to further protect your data.
 

ithenoob

Junior Member
Apr 22, 2013
Thanks guys and gals.
I was just thinking that if an entire logical partition were encrypted, wouldn't the SSD consider all the bytes as "used", thereby inhibiting wear-levelling?
 

redyouch

Junior Member
Aug 6, 2013
There is an option to encrypt the whitespace during the initial volume encryption. Deselect that option if you are concerned.
 