What is Steve's current full-disk-encryption software of choice?


satomi

New member
Feb 27, 2023
Does anyone know what Steve's choice for full-disk encryption is on (1) external drives and (2) system drives?

  • Steve's TrueCrypt page points to VeraCrypt, but both TrueCrypt and VeraCrypt have performance issues with large external SSDs. It's apparently an architectural problem.
  • BitLocker seems to be the most performant for large external SSDs, but it doesn't work on Mac/Linux, which kills the portability of the disk.
What are you guys using?
 
Well, I'm afraid you're probably hosed, as there isn't really much out there that isn't platform specific. I believe you can use BitLocker with USB devices too, but that loses your goal of cross-platform portability. It's most likely that any tool that is cross-platform is also open source, and so maybe someone else will post about a better open source tool than VeraCrypt.
 
I've full disk encrypted (Veracrypt) a few terabyte and multi terabyte USB drives (not OS disks) and did not notice them being slow. Perhaps I am just a bit patient about it, or with my somewhat aging laptop it may not be fast enough to notice. I've thought of full disk encrypting my laptop a few times undecided between Bitlocker and Veracrypt (Windows 10). I've yet to actually do it with either one. The company laptop (Windows 11) uses Bitlocker, so assuming their security people know what they are doing I guess Bitlocker is pretty secure. ChatGPT says Veracrypt may be more secure.

One day I'll probably image my mostly retired old Windows 10 laptop and set up full disk encryption including a Yubikey and see how it works out. At least that way I won't have to worry about messing up my main laptop.
 
I've full disk encrypted (Veracrypt) a few terabyte and multi terabyte USB drives (not OS disks) and did not notice them being slow. ...The company laptop (Windows 11) uses Bitlocker, so assuming their security people know what they are doing I guess Bitlocker is pretty secure. ChatGPT says Veracrypt may be more secure.

Very funny to ask ChatGPT ;).

VeraCrypt does indeed reduce performance on SSDs, in part because TrueCrypt was designed before they were even available. The performance hit is worst with random access and Idrassi, VeraCrypt's maintainer, is aware of the issue. As the linked post explains, he's experimented with fixes and not been successful, but he has very little time to devote to VeraCrypt these days due to lack of support.

VeraCrypt's user base is shrinking as people rapidly forget their Snowden-era paranoia and move on to other computing solutions, but every VeraCrypt user that remains should be supporting the software if they remember what happened to TrueCrypt. Though I've had disagreements with him over aggressive decisions like adding GOST89 (soon removed) and the complex PIM feature, Idrassi has massively transformed this legacy software and maintains VeraCrypt far more transparently than was ever done with TrueCrypt, so I, for one, want him to continue to maintain and develop the software indefinitely.

I've used full-disk encryption with TrueCrypt and VeraCrypt for well over a decade and the performance hit with SSDs has not affected my computing, but it's obviously not optimal as you are sacrificing performance that you've paid for. There is a performance hit when used with SSDs, but not with HDDs, at least in my testing. In fact, HDD performance is typically slightly higher when encrypted, for some reason.

Encrypted HDD volumes tend to perform slightly faster than non-encrypted ones and Steve discovered this for himself many years ago with TrueCrypt, but discarded his observations as mere variance. From my own prior testing, I knew his results to be repeatable and some years later did further testing as confirmation. This difference is not always noticeable on USB-connected devices where the bus itself is limiting, but for internal HDDs I have repeatedly found that encrypted volumes are slightly faster than unencrypted and that file-based volumes are slightly faster than partition-based, at least on my limited range of hardware. I have no explanations for either result and it's okay if readers don't believe me. The differences are minor for HDDs in all cases, so it's honestly not worth worrying about. The performance loss with SSDs is far more relevant.

My suggestion for Windows users is to either accept the performance loss of VeraCrypt in exchange for its open source posture or to use BitLocker, which is closed source and developed by a major tech corporation, but which has withstood the test of time and causes no substantial performance loss. There is no perfect choice here unless we can get Idrassi the time or partners he needs to re-engineer VeraCrypt's I/O.


It's fine for people to use VeraCrypt for free if they're homeless or if they're just using it for one thumb drive, but anyone that depends upon it should be supporting this vital project with their expertise and/or money. It appears that the lessons of TrueCrypt were forgotten in about 3 years. Open source software has a huge flaw in that a whole generation of humans have accepted that there is such a thing as a Free Lunch and they are dead wrong. I can't support every project, but I can support at least a few of the ones each year that I depend upon for productivity and security. You could instead donate $100 and consider that a lifetime VeraCrypt license :cool:. It's surely worth as much as SpinRite as it protects your data, but in a different way.
 
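One way to put numbers on the sequential-versus-random gap described above, as an added example that is not from this thread or from the VeraCrypt project: run it once against a directory on a plain volume and once against a directory on the mounted VeraCrypt (or BitLocker) volume and compare. It assumes a hypothetical scratch file name, writes incompressible random data so the encryption layer cannot benefit from compression, and can only evict the page cache on Linux (elsewhere the read figures are optimistic).

```python
import os
import random
import tempfile
import time


def _drop_cache(fd: int) -> None:
    # Evict cached pages so later reads hit the device, not RAM (Linux only).
    if hasattr(os, "posix_fadvise"):
        os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)


def benchmark(dir_path: str, size_mb: int = 64, block: int = 4096,
              random_ops: int = 4000, seed: int = 1) -> dict:
    """Write a scratch file in dir_path, then time one sequential read pass
    and a burst of random block-sized reads. Returns MB/s and IOPS figures."""
    path = os.path.join(dir_path, "fde_bench.tmp")  # constructed scratch name
    size = size_mb * 1024 * 1024
    chunk = os.urandom(1024 * 1024)  # incompressible data, like ciphertext
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    t0 = time.perf_counter()
    for _ in range(size_mb):
        os.write(fd, chunk)
    os.fsync(fd)  # count the time until data actually reaches the device
    write_mbps = size_mb / max(time.perf_counter() - t0, 1e-9)
    _drop_cache(fd)
    os.close(fd)

    fd = os.open(path, os.O_RDONLY)
    t0 = time.perf_counter()
    while os.read(fd, 1024 * 1024):
        pass
    seq_read_mbps = size_mb / max(time.perf_counter() - t0, 1e-9)
    _drop_cache(fd)
    rng = random.Random(seed)  # fixed seed: identical offsets on both volumes
    offsets = [rng.randrange(size // block) * block for _ in range(random_ops)]
    t0 = time.perf_counter()
    for off in offsets:
        os.lseek(fd, off, os.SEEK_SET)
        os.read(fd, block)
    rand_iops = random_ops / max(time.perf_counter() - t0, 1e-9)
    os.close(fd)
    os.remove(path)
    return {"write_mbps": write_mbps, "seq_read_mbps": seq_read_mbps,
            "rand_read_iops": rand_iops}


def quick_check(size_mb: int = 2, random_ops: int = 200) -> dict:
    """Small self-test run in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        return benchmark(d, size_mb=size_mb, random_ops=random_ops)
```

Call `benchmark("/path/on/the/volume")` on each volume with the same defaults; the random-read IOPS figure is the one the post says suffers most on SSDs under VeraCrypt.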
I think I mentioned my machine has a few years on it so it's not the fastest by any stretch of the imagination. It does have a NVMe SSD at least. So far I only use full disk encryption on a couple select drives which I use more as a backup, so that may be why I haven't noticed any performance issues. I still haven't decided between Bitlocker and Veracrypt although my gut feeling is to go Veracrypt.

Thanks for the donation reminder. I have donated but it's been a while, so I need to do that again. It's always a good idea to support developers, especially if their product is useful, as Veracrypt is.