The Full Disk Encryption Dilemma for Windows 10



I am quite unsatisfied with the current state of full disk encryption solutions available for use with Windows 10 on a laptop with an SSD. This blag post will mirror some of what [Bruce Schneier already said on the matter][Schneier2]: I will discuss some of the options and point out problems. I am not offering a solution, just a variety of bad choices to pick from.

[Schneier2]: https://www.schneier.com/blog/archives/2015/06/encrypting_wind.html

# Requirements

For an optimal solution, I have the following requirements:

1. It should be implemented in software.[^1]
2. The encryption should be open source, audited and deemed secure by a sufficiently large community of independent researchers.
3. Access to the encrypted drive should be as seamless as possible.

[^1]: Complex and critical system components in hardware have the catastrophic drawback that there is no straightforward and fast way to recover from a system malfunction.

# The Options

Given this schedule of requirements, let us see where the different options fail.

## VeraCrypt

[VeraCrypt] satisfies requirements 1 and 2 (in my opinion). However, their [FAQ] states clearly that you have to completely decrypt your hard drive before you can deploy one of those massive Windows 10 updates. Aside from being a downright agonizing way to spend 3 hours of your life, the process of decrypting, updating and re-encrypting might even leave unencrypted data on your hard drive (if you are using an SSD). A [lecture] from the [TI2] course of ETH Zürich puts it quite succinctly:

> SSDs contain more space than they tell the operating system. The extra space (called **space overhead**) gives engineers the possibility to optimize write overhead and wear leveling to an extent.

The way I understand this, during decryption, sensitive data could get written to a portion of the drive which is not even visible to VeraCrypt later.
The only reliably secure solution to this dilemma would be to back up all sensitive data from the system partition to an encrypted file container and delete the files from the (encrypted) disk before decrypting and updating, then restore them after the system drive has been encrypted again. A less fool-proof method would be to write random data to a file until disk space runs out and then delete the file, several times, in the hope of eventually overwriting all possibly unencrypted parts of your SSD. So their failure to satisfy requirement 3 is so severe that it even puts a dent in requirement 2.

## BitLocker

[BitLocker] is Microsoft's built-in full disk encryption solution. It satisfies requirements 1 and 3, but fails to meet the second. In particular, if you rely on a TPM[^2] to store the encryption key (rather than your mind), [there is always the conceivable danger that certain third parties might have coerced the manufacturer of this _"trusted"_ device into providing a backdoor for them][Schneier1], which subverts the security of the system completely.

[^2]: Trusted Platform Module

#### Using BitLocker without TPM

If you distrust your trusted platform module, there is a way to make BitLocker use a password instead. Navigate to:

- Group Policy Editor
- Local Computer Policy
- Computer Configuration
- Administrative Templates
- Windows Components
- BitLocker Drive Encryption
- Operating System Drives

Here, enable the feature "Require additional authentication at startup" and set "Configure TPM at startup" to "Do not allow TPM". In theory, this should give you the option to encrypt your system drive with BitLocker while using a password instead of the TPM. Note that I have only tested this on a virtual machine with no TPM device available.

In the end, however, the fact that BitLocker is not open source means that it can never fully satisfy the second requirement.
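The Group Policy path above writes its settings to the BitLocker policy registry key, which can be checked and acted on from an elevated PowerShell session. The script below is an added example, not part of the original post: it assumes the policy values `UseAdvancedStartup`, `EnableBDEWithNoTPM` and `UseTPM` under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` mirror the "Require additional authentication at startup" / "Do not allow TPM" settings, and uses Microsoft's `Get-Tpm`, `Enable-BitLocker`, `Add-BitLockerKeyProtector` and `Get-BitLockerVolume` cmdlets.

```powershell
# Added example: verify the "no TPM" BitLocker policy is in effect, then
# protect the OS drive with a password protector plus a recovery password.
#Requires -RunAsAdministrator

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # assumed policy key (see lead-in)

function Test-NoTpmPolicy {
    # $true when "Require additional authentication at startup" is enabled,
    # BitLocker is allowed without a compatible TPM, and TPM use is "Do not allow" (0).
    if (-not (Test-Path $fve)) { return $false }
    $p = Get-ItemProperty -Path $fve
    return ($p.UseAdvancedStartup -eq 1) -and
           ($p.EnableBDEWithNoTPM -eq 1) -and
           ($p.UseTPM -eq 0)
}

# Report whether a TPM is present at all; the password path below does not need one.
try { Get-Tpm | Select-Object TpmPresent, TpmReady } catch { Write-Warning "Get-Tpm unavailable: $_" }

if (-not (Test-NoTpmPolicy)) {
    Write-Warning 'Policy not set. Follow the gpedit.msc path above, or set these values:'
    Write-Host "  $fve : UseAdvancedStartup=1  EnableBDEWithNoTPM=1  UseTPM=0"
    return
}

# Encrypt the system drive using a password instead of the TPM.
$pw = Read-Host -Prompt 'BitLocker password' -AsSecureString
Enable-BitLocker -MountPoint 'C:' -PasswordProtector -Password $pw `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly:$false

# Add a recovery password as a second protector and show it once for offline safekeeping.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector |
    Select-Object -ExpandProperty KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -ExpandProperty RecoveryPassword

# Confirm the volume state and which protectors are attached.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage, KeyProtector
```

Because the volume key is then derived from the password rather than sealed by the TPM, boot-time integrity of the firmware and bootloader is no longer measured; the recovery password printed above is the only other way back into the drive, so store it off the machine.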
## DiskCryptor

After becoming dissatisfied with [VeraCrypt] and not being convinced sufficiently by [BitLocker], I looked around and only found one other piece of software that seems applicable. Unfortunately, it seems that [DiskCryptor] has exactly [the same problem][DCUPDATE] as [VeraCrypt], so I did not even bother trying it out.

[VeraCrypt]: https://www.veracrypt.fr/en/Home.html
[FAQ]: https://www.veracrypt.fr/en/FAQ.html#SystemReinstallUpgrade
[TI2]: https://disco.ethz.ch/courses/ti2/
[lecture]: https://disco.ethz.ch/courses/ti2/lecture/storage.pdf
[BitLocker]: https://docs.microsoft.com/en-US/windows/device-security/bitlocker/bitlocker-overview
[Schneier1]: https://www.schneier.com/blog/archives/2015/03/can_the_nsa_bre_1.html
[DCUPDATE]: https://superuser.com/q/1011675/222330
[DiskCryptor]: https://diskcryptor.net/

2 Replies to “The Full Disk Encryption Dilemma for Windows 10”

  1. I was just informed that there is [a script that supposedly solves the VeraCrypt dilemma](https://github.com/th-wilde/veracrypt-w10-patcher). I have not tried it.
  2. Promising news: https://twitter.com/VeraCrypt_IDRIX/status/991239780351533063 Looks like VeraCrypt now supports the Windows 10 update process.
