10

I have an HP Pavilion notebook which has a 1TB hard drive. I run Windows 10 on it.

If instead of fully encrypting the hard drive or encrypting the partition on which Windows is installed, I just encrypt a partition where I store my sensitive information, will it increase the chances of my data getting stolen (in comparison to the other alternatives) if my device gets stolen?

I don't want to encrypt my whole hard drive because it will take a lot of time. To encrypt 150GB is taking 10 hours.

Xander
fboi
    None of the current answers mention the evil maid attack, which is significantly easier if you don’t encrypt the whole drive. If I gain access to an unencrypted operating system drive I can install a keylogger or other malware. See: https://security.stackexchange.com/questions/159173/what-exactly-is-an-evil-maid-attack – David Jul 18 '18 at 16:31

7 Answers

9

Both solutions are acceptable but they have different pros and cons.

  1. Full disk encryption:

    Pros: you have no risk of leaking some sensitive data in a non-encrypted partition

    Cons: if things go wrong, the full disk becomes unreadable and you will have to try to recover/reinstall from a removable bootable media: do not forget to build and securely store it

  2. Encrypted partition(s):

    Cons: if you only encrypt a data partition, sensitive data can end up in temporary files or the swap file in a non-encrypted partition

    Pros: if things go wrong, the unencrypted partitions will be easier to recover

Following is my (subjective) advice:

If you have a recovery partition in your disk, this one should not be encrypted, but you should encrypt all Windows partitions, be they system or data, if you want to be super safe, or only the sensitive data partition if you can accept that an attacker could find traces in temp or swap files.

Alternatively, you could build a (set of) removable recovery data, and go with full disk encryption.

The initial encryption time does not really matter IMHO. It happens only once. But 10 hours for 150 GB seems rather weird. SATA disk I/O throughput should allow around 100 MB/s, so encrypting 150 GB should not exceed a couple of hours.

Serge Ballesta
4

Encrypt the whole disk. The overhead is negligible, and you don't have to worry about someone stealing your computer and having all your data. And if you have to send your computer to repairs, you don't have to worry about stolen files or compromised applications.

Another benefit is that all data is encrypted by default, so you don't need to keep a mental process of copying sensitive data from the unprotected partition to the protected one. And if you need double protection, create a VeraCrypt volume and use it.

ThoriumBR
  • If you send in a computer for repairs, integrity can be violated. It may be true that you don't have to worry about stolen files, but you _do_ have to worry about compromised applications. – forest Jul 20 '18 at 03:56
  • A full disk encryption **will** protect your applications. Any repairman skilled enough to bypass the full disk encryption and compromise your applications should quit working as a repairman and work for the NSA instead. And in this case, your data is compromised too. – ThoriumBR Jul 20 '18 at 12:42
  • I'm pretty sure it doesn't take IC-level knowledge to mount a simple evil maid attack, or even a malleability attack on a vulnerable block mode of operation... Remember also that it's not necessarily the repairman who does it. Interdiction is a thing. I do not work for the NSA, but I have compromised devices using full disk encryption, quite easily too. – forest Jul 20 '18 at 21:38
  • My point is not to protect against highly skilled adversaries targeting you or your data, but against forgetfulness when your motherboard died while on warranty and you take your computer to repairs. Having FDE means you don't have to copy things back and forth, and your data is most probably safe. – ThoriumBR Jul 24 '18 at 11:51
3

One benefit of encrypting only a partition vs the whole drive is that you can encrypt/decrypt the partition while using the system for other tasks, so you can encrypt it "on demand" so to say, but if you encrypt the whole disk it's decrypted every time you start up and authenticate the system.

In terms of security, as you say, if the machine gets stolen, I would say there isn't much difference between FDE and an encrypted partition in such a scenario. If you use strong encryption on your partition it's highly unlikely that your data will be compromised.

I'd say there is some benefit to using an encrypted partition / folder vs FDE if you only decrypt it when you need to access or store sensitive information and encrypt it again when you're done, so that you don't leave the filesystem in an unencrypted state all the time when you're logged in, as would be the case with only FDE.

  • +1 This is effectively the only (security) benefit to using individually-encrypted partitions. Even better, it's not incompatible with using FDE on top (or alongside) to encrypt everything else. – forest Jul 20 '18 at 04:06
1

This is a controversial topic, but in your case, when you are able to clearly define what files are "sensitive information", I would go with the partial encryption.

Use a tool like VeraCrypt, which allows you to maintain an encrypted container, which can be mounted on demand. Then,

  • decrypt and access your data only when needed, giving minimum exposure to your data.
  • back it up regularly by backing up just this container.

This does not rule out additional whole-disk encryption, in case you later choose to have this too.

Marcel
    Unfortunately, files will leak into the unencrypted partition, for example in swap space (although you can turn on swap encryption) or application-level logs. – forest Jul 20 '18 at 03:58
  • @forest This is a good point and worth considering. – Marcel Jul 20 '18 at 05:43
0

Without having more information on the application, FDE is always the safest bet. However, for less critical data and unsophisticated attackers, an encrypted partition or virtual hard drive is probably enough.

they
    How would the MFT be accessed if the entire partition were encrypted? The MFT is local to the filesystem, and the filesystem is local to the partition. – forest Jul 15 '18 at 00:41
  • Can you add some more information about why your answer is correct? Maybe add some examples of scenarios where it is relevant whether a disk is encrypted on disk level or partition level? – Philipp Jul 18 '18 at 09:45
0

The problem is that when you leave the Windows partition unencrypted, then you will also have an unencrypted pagefile (where Windows stores application memory when running out of RAM) and hibernation file (where Windows dumps the RAM when hibernating). When you are working with confidential data stored on your encrypted hard drive, then their content might end up in these files.

There are also other places on the system drive where confidential data might show up (depending on what information you consider confidential, of course). One thing I would always want to be encrypted is the C:\Users directory, because all kinds of applications use it to store temporary (and not so temporary) files. Whenever you view or edit a confidential file, the software you use for viewing might store information about that file in your user directory. When you are sure that you will only use programs to work with confidential files where you know that they won't ever do this, then this might not be a concern. But are you sure about this?

And by the way, all web browsers I know store their cookies and history there. Just saying.

If you want to minimize the amount of encrypted volumes, then I would recommend using 3 partitions:

  • The Windows system partition (encrypted, decrypted on boot)
  • Confidential data (encrypted, decrypted when you need it)
  • Non-confidential data (not encrypted)

But it might be more convenient in the long run to just bite the bullet and encrypt the whole disk. Just run the initial encryption process overnight.
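The leak paths this answer describes (pagefile, hibernation file, the user profile, temp files) can be checked against the volumes BitLocker actually protects. The script below is an added example, not part of the answer above; it assumes Windows 10 with the BitLocker PowerShell module and an elevated prompt, and reports whether each of those locations lives on a protected volume.

```powershell
# Added example (not from the answer): list the Windows locations that can
# receive copies of confidential data and report whether BitLocker protects
# the volume each one lives on. Assumes Windows 10 with the BitLocker module;
# Get-BitLockerVolume needs an elevated prompt.
#Requires -RunAsAdministrator

function Get-VolumeProtection {
    param([string]$DriveLetter)   # e.g. "C:"
    $v = Get-BitLockerVolume -MountPoint $DriveLetter -ErrorAction SilentlyContinue
    if (-not $v) { return 'unknown (no BitLocker data for this volume)' }
    # Data is only protected at rest when ProtectionStatus is On: a volume that
    # is FullyEncrypted with protection Off (suspended) keeps its key in the clear.
    if ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.ProtectionStatus -eq 'On') {
        return "protected ($($v.EncryptionMethod))"
    }
    return "NOT protected (status $($v.VolumeStatus), protection $($v.ProtectionStatus))"
}

# Locations where an encrypt-only-the-data-partition setup can leak to.
$leakPaths = [ordered]@{
    'Page file(s)' = (Get-CimInstance Win32_PageFileUsage | ForEach-Object Name)
    'Hibernation'  = "$env:SystemDrive\hiberfil.sys"
    'User profile' = $env:USERPROFILE
    'Temp folder'  = $env:TEMP
}

# hiberfil.sys only receives a RAM image when hibernation is enabled.
$hib = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
        -Name HibernateEnabled -ErrorAction SilentlyContinue
if ($hib -and $hib.HibernateEnabled -eq 0) { $leakPaths.Remove('Hibernation') }

foreach ($entry in $leakPaths.GetEnumerator()) {
    foreach ($path in @($entry.Value)) {
        if (-not $path) { continue }
        $drive = [System.IO.Path]::GetPathRoot($path).TrimEnd('\')   # "C:"
        '{0,-14} {1,-40} {2}' -f $entry.Key, $path, (Get-VolumeProtection $drive)
    }
}
```

Any line reading "NOT protected" marks a place where a copy of data from the encrypted partition can land in the clear; an `EncryptionMethod` of `XtsAes128` rather than `XtsAes256` is the cipher setting the last answer on this page discusses.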

Philipp
-1

I cannot foresee any shortcomings with this method of encrypting a partition. I often use full disk encryption with encrypted containers within, 7z AES256 archives. So, layers of encryption. I would advise you review which AES-XTS bit size is used, and swap to AES256-XTS, as more rounds are used. HowToGeek outlines how to use Local Group Policy Editor to change the encryption cipher used.

However, I always have concerns as to the password strength and how to store them. E.g. do I decrypt the fully encrypted drive via a password, USB flash drive, or TPM.

safesploit
  • Layers of encryption drastically reduce security compared to using a single layer with the two keys concatenated... Not to mention, 7zip archives are designed to secure the archive when it is sent to someone else, not to secure it on your system. 7zip will happily write unencrypted copies of the archive to a temporary directory, making it useless for protecting data locally. – forest Jul 20 '18 at 04:04
  • I would agree, but I believe you misunderstood when I said "layers of encryption". My model for this involves full-disk encryption + encrypted home directory + encrypted archives. 7zip is not directly responsible for the unencrypted copies, this occurs because the files to be archived are not overwritten. So, overview if you use magnetic or flash memory and use the appropriate overwriting method. Also, this is why I advised full-disk encryption + encrypted home directory. – safesploit Jul 20 '18 at 12:59
  • @safesploit - Do you mean to say that the home directory is encrypted in addition to full disk encryption? If yes, why? – Motivated Dec 29 '18 at 16:46
  • @Motivated As BitLocker is used then it would be full-disk encryption. While using 7z the file(s) would be archived and this archive is then encrypted. Windows as of writing does not support home directory encryption. – safesploit Dec 31 '18 at 05:45
  • @safesploit - You mention you have a model of full disk encryption + encrypted home directory + encrypted archives. It isn't clear as to why you have an encrypted home directory in addition to full disk encryption. Additionally, what do you mean by "7zip is not directly responsible for the unencrypted copies, this occurs because the files to be archived are not overwritten"? – Motivated Dec 31 '18 at 08:01
  • @Motivated While full-disk encryption methods are often better, the issue is once decrypted using the drive has full access. This becomes an issue when multiple users share the same machine. So, it is possible to share a machine with full-disk encryption without compromising your home directory. The point about archive encryption is for sharing or containing individual files. Such that the compromise of one decryption key does not lead to whole system compromise. Hence, why I mention archive (container) encryption. – safesploit Dec 31 '18 at 17:16
  • @safesploit - Is the intention of home directory encryption to enable common use of a shared system without compromising the security of each user's data? If so, how does this work in practical terms? For example, is the full disk encryption password for example shared and each user mounts their home directory subsequently with their own credentials? – Motivated Dec 31 '18 at 21:59
  • @Motivated Precisely! Every user knows the full-disk encryption password, but each user has their own user mounts for their respective encrypted home directory, which only they know the decryption key for their home directory. – safesploit Dec 31 '18 at 22:39
  • @safesploit - That's clearer. What about an encrypted swap partition? Would that be shared? For example, I have observed the following. In encrypting the boot partition, it unlocks once I provide the appropriate password. It then proceeds to load the kernel, however it requests a password for the encrypted swap partition. It does not however ask me for a password for the home directory which is also encrypted. – Motivated Dec 31 '18 at 23:25
  • @Motivated Using the following [Encrypted swap partition on Debian Ubuntu](https://feeding.cloud.geek.nz/posts/encrypted-swap-partition-on/), it is possible for the encrypted swap partition to discard its passphrase after shutdown. E.g. the passphrase is stored in volatile RAM. Hence, a new passphrase for the swap partition will be generated each boot. Because of this additional hassle, I may sometimes not create a swap partition at all, but this entirely depends on my usage (am I handling sensitive files) and whether I can afford the additional RAM. – safesploit Jan 01 '19 at 03:41
  • @safesploit - Thanks. That still doesn't explain how the home directory would be mounted though, and at what point. Additionally, why would a new passphrase be generated at each boot? Why would you use the same password? – Motivated Jan 01 '19 at 06:17
  • @Motivated fscrypt is often used for mounting the home directory, although you might be familiar that Ubuntu deprecated this. The issue is generating a secure pseudo-random password on boot can delay startup. Many reasons could be the case, and I have not inspected the source code of Linux based distros and compared them to be able to comment on an encrypted swap. At this time I am unclear how fscrypt decrypts the directory, sorry I cannot be of more help. – safesploit Jan 01 '19 at 20:10