Drive Encryption and Secure Data Wiping


  1. Posts : 386
    Windows 10 Pro (x64) 22H2 (OS Build 19045.3996)
       #1

    Drive Encryption and Secure Data Wiping


    Okay,

    A new set of questions!

    I have a 240GB SSD with Win 10 Pro, Ver. 2004, Build 19041.329 - running as sweet as a nut.

    First questions.

    I plan to dual-boot Linux Mint Mate 19.3 alongside the Windows installation in a separate partition (offered as part of the Linux installation as I understand it).

    1) For security, the System Disk should be encrypted?

    2) If so, will Linux be upset if the disk is encrypted before Linux is installed?

    3) If Linux would prefer the disk to be unencrypted before installation, what effect would encrypting the drive have on the Linuz installation - or would encrypting the drive from within Windows 10 merely encrypt the Windows partition leaving the Linux partition alone?

    4) For thos that have experience of dual booting Windows and Linux, are the two partitions (the Windows and the Linux partitions) treated as being completely separate and you can have one encrypted (eg Win) and the other not, the other way round (Linux encrypted) and Windows not, or both encrypted??

    As part of this system upgrade (switching to Win 10 Pro from Win 7 HP and moving to SSD for the boot disk), I am re-purposing the old 5TB Toshiba X300 hard disk as a data disk.

    This disk was previously acting as both the Win 7 System Disk and the Data Disk - so contains old data.

    5) Can you recommend a (free) secure wipe program - FileShredder or Eraser perhaps?

    6) Can I apply drive encryption to just the 5TB data drive and not the 240GB SSD System Disk? How do you go about encrypting the data disk (once sanitised?)

    7) If I can, is this best done (encrypting the data drive that is) as part of a formatting process or can this be activated once the drive has started to be populated with files and folders (or doesn't it matter?)

    Thanks in advance folks!

    Art

    Win 10 Pro, Ver. 2004, Build 19041.329
      My Computers


  2. Posts : 161
    Windows 10
       #2

    I wouldn't dual boot and then implement drive encryption as this can interfere with the boot process. You should ideally have one system on one drive because then you can deal with the entire drive responsible for that system individually. When you have several operating systems on one drive you have to be careful you don't interfere with their operating otherwise you can end up not being able to boot into one or more of the systems. To get everything to run smoothly is not an easy feat, especially when you're talking about knowing how each individual OS works when it comes to stuff like this.

    You could choose which OS will be your primary OS and then encrypt that drive (SSD, for example) WITHOUT installing any other OS on that drive. This drive will then be fully encrypted and inaccessible unless decrypted. This drive remains seperate and isolated from any other OS and so is very easy to manage and will not interfere with the operating of other operating systems. You can set UEFI to boot into this drive first. You could then have another drive which allows you to boot into any other OS you have installed. This drive you could dual boot and then just use drive encryption on the particular partitions installed. When you boot into that particular OS you will provided with a box to input your password which will decrypt the partition your OS is located on, LUKS is a good shout. Providing you ensure the entirety of the distribution is encrypted it will be inaccessible until a password has been provided to decrypt it. Likewise, you could encrypt the entirety of the drive itself like you did with the drive which has Windows on it. Because it's seperate there won't be any need for them to communicate with other operating systems and so you will face less issues.

    You could use something like VeraCrypt on your primary SSD drive. And then use LUKS on your Linux based distributions on the other drive. Or you could use VeraCrypt on both but ensure they are seperate and encrypted individually. And because you don't have another OS like Windows on this drive you won't need to worry about the bootloader failing to boot into any other OS because you will be using this seperate drive to do all your Linux stuff on, and not the one with Windows on it. It will be able to recognise any distributions you install on this drive.

    Also to fully santize any drive you would have to completely wipe it several times. If you don't do this then the leftovers prior to the encryption process can remain which means recoverable data. You could do a free space wipe but this will not guarantee that after changes have been made to the drive there is not recoverable data left on it as obviously when the encryption process is happening changes to the disk will reflect space on the drive and thus recoverable data. When data is deleted it's not actually deleted, the record of the space being allocated is for the file(s) is. Your best bet is wiping the drive to a very high standard and then encrypting everything in place. I know this is difficult seeing as it means finding a way to get the contents off the drive without them being wiped. Ultimately it depends on your threat model and whether you just want to be cautious or whether you really need to ensure nothing is recoverable prior to encryption. In most cases you really don't need to go over the top and santise the hell out of drives unless you intend to sell your computer or give it away or scrap it etc.
      My Computer


  3. Posts : 5,048
    Windows 10/11 Pro x64, Various Linux Builds, Networking, Storage, Cybersecurity Specialty.
       #3

    @ArthurDent -

    Let me just quickly chime in on the drive sanitizing, as the Linux/Windows with encryption can be a bit complicated.

    Eraser is just fine. You are an individual user, so a corporate concern is not in play here.

    Eraser download:

    Eraser – Secure Erase Files from Hard Drives

    As for Windows encryption, BitLocker is just one way to go - just remember that it's for Windows, not Linux. There are several different ways to go with Windows and Linux and I don't personally encrypt Linux.
    Encryption is made inside the OS, so as I understand it, you would need to encrypt inside of Windows and inside of Linux (whatever flavor you choose) after the OS loads.

    Even if you use the same encryption product you need to use the Windows version and the Linux version because it is different code for each.

    This would give you encryption on both systems without any dedicated hardware encryption (i.e. TPM), which is a generally accepted standard of security.
    I think you will need to have the operating systems and data in different locations - partitions, drives or have one on a Virtual Machine.
    Also, use a Linux Bootloader such as GRUB to choose a boot filesystem at startup.

    Let's get some additional opinions....

    HTH,

      My Computer


  4. Posts : 386
    Windows 10 Pro (x64) 22H2 (OS Build 19045.3996)
    Thread Starter
       #4

    supermammalego said:
    I wouldn't dual boot and then implement drive encryption as this can interfere with the boot process.

    You should ideally have one system on one drive because then you can deal with the entire drive responsible for that system individually. When you have several operating systems on one drive you have to be careful you don't interfere with their operating otherwise you can end up not being able to boot into one or more of the systems.

    To get everything to run smoothly is not an easy feat, especially when you're talking about knowing how each individual OS works when it comes to stuff like this.
    Okay, I get that and yes, ideally one OS per disk drive. Not possible in my case due to space limitations inside the Mini ATX Tower - hence dual-booting on a single disk.

    You could choose which OS will be your primary OS and then encrypt that drive (SSD, for example) WITHOUT installing any other OS on that drive. This drive will then be fully encrypted and inaccessible unless decrypted. This drive remains seperate and isolated from any other OS and so is very easy to manage and will not interfere with the operating of other operating systems.

    You can set UEFI to boot into this drive first.

    You could then have another drive which allows you to boot into any other OS you have installed. This drive you could dual boot and then just use drive encryption on the particular partitions installed. When you boot into that particular OS you will provided with a box to input your password which will decrypt the partition your OS is located on, LUKS is a good shout. Providing you ensure the entirety of the distribution is encrypted it will be inaccessible until a password has been provided to decrypt it. Likewise, you could encrypt the entirety of the drive itself like you did with the drive which has Windows on it. Because it's seperate there won't be any need for them to communicate with other operating systems and so you will face less issues.
    Okay. So following your suggestion, I have one disk with (let's say) Windows on it. Boot priority in BIOS means this is the drive that will boot up when the PC is turned on (whether it is encrypted or not).

    A second disk has (say) Linux Mint on it. How can I boot into Linux if it is on a separate physical disk?

    I thought the whole point of dual-booting was that during the boot process you were given a choice as to which OS you wanted to boot into. Having installed Windows first and then Linux, wouldn't it be Windows' dual-boot program (whatever it is called) that would handle the dual-boot?

    You could use something like VeraCrypt on your primary SSD drive. And then use LUKS on your Linux based distributions on the other drive. Or you could use VeraCrypt on both but ensure they are seperate and encrypted individually. And because you don't have another OS like Windows on this drive you won't need to worry about the bootloader failing to boot into any other OS because you will be using this seperate drive to do all your Linux stuff on, and not the one with Windows on it. It will be able to recognise any distributions you install on this drive.
    Are VeraCrypt and LUKS encryption programs? Are they free to use or paid-for apps? I gather from what you say that there are versions of VeraCrypt for both Windows and Linux but LUKS is only for Linux?

    Also to fully santize any drive you would have to completely wipe it several times.
    Currently doing this on a completely empty drive - ie all space is "free" space.

    If you don't do this then the leftovers prior to the encryption process can remain which means recoverable data. You could do a free space wipe but this will not guarantee that after changes have been made to the drive there is not recoverable data left on it as obviously when the encryption process is happening changes to the disk will reflect space on the drive and thus recoverable data. When data is deleted it's not actually deleted, the record of the space being allocated is for the file(s) is.
    Yep, aware of this.

    Your best bet is wiping the drive to a very high standard and then encrypting everything in place. I know this is difficult seeing as it means finding a way to get the contents off the drive without them being wiped. Ultimately it depends on your threat model and whether you just want to be cautious or whether you really need to ensure nothing is recoverable prior to encryption. In most cases you really don't need to go over the top and santise the hell out of drives unless you intend to sell your computer or give it away or scrap it etc.
    The reason behind sanitising the disk before putting the documents back and then encrypting drive is in case drive fails (as I initially thought the 5TB disk had) and it has to go back to retailer/manufacturer for repair/replacement. If drive is sanitised before the data is put back and then the drive is encrypted and the drive then goes south, the data is irrecoverable - at least that's how I view it. Unless, of course, I have this round my neck!

    Art

    - - - Updated - - -

    Compumind said:
    @ArthurDent -

    Let me just quickly chime in on the drive sanitizing, as the Linux/Windows with encryption can be a bit complicated.

    Eraser is just fine. You are an individual user, so a corporate concern is not in play here.

    Eraser download:

    Eraser – Secure Erase Files from Hard Drives
    Currently sanitising the 5TB disk using FileShredder. Should do the same thing as Eraser.

    Being such a large disk and using several passes, the sanitising job will end around 1pm GMT tomorrow afternoon (Tuesday).

    As for Windows encryption, BitLocker is just one way to go - just remember that it's for Windows, not Linux. There are several different ways to go with Windows and Linux and I don't personally encrypt Linux.

    Encryption is made inside the OS, so as I understand it, you would need to encrypt inside of Windows and inside of Linux (whatever flavor you choose) after the OS loads.

    Even if you use the same encryption product you need to use the Windows version and the Linux version because it is different code for each.

    This would give you encryption on both systems without any dedicated hardware encryption (i.e. TPM), which is a generally accepted standard of security.
    Do you have (or anyone else have) a recommendation for a free encrypting program for Linux?

    I think you will need to have the operating systems and data in different locations - partitions, drives or have one on a Virtual Machine.

    Also, use a Linux Bootloader such as GRUB to choose a boot filesystem at startup.

    Let's get some additional opinions....

    HTH,

    Bit in red: I'm planning to have Windows on one partition and Linux Mint on a second partition of the 240GB SSD. There is 223GB of space - currently consisting of a single Windows partition and I'm planning to split this 70% for the Windows partition and 30% for the Linux partition - mainly because I envisage installing more programs that use Windows.

    Bit in blue: Is GRUB installed by default when you install Linux alongside Windows or does it need to be installed separately?

    Art
      My Computers


  5. Posts : 5,048
    Windows 10/11 Pro x64, Various Linux Builds, Networking, Storage, Cybersecurity Specialty.
       #5

    @ArthurDent -

    GRUB is installed by default in Linux Mint and many other distros.

      My Computer


  6. Posts : 386
    Windows 10 Pro (x64) 22H2 (OS Build 19045.3996)
    Thread Starter
       #6

    Compumind said:
    @ArthurDent -

    GRUB is installed by default in Linux Mint and many other distros.

    @Compumind

    I’m assuming that once I boot from the DVD containing Linux Mint 20 “Ulyana” that GRUB will automatically kick-in once I opt to install Linux alongside Windows?

    From then on, when booting the PC I will be given the choice of Windows or Mint?

    If the Windows partition has been encrypted (using BitLocker or VeraCrypt for example) once I choose Windows as the OS to boot, I’ll be asked to enter the encryption key and then Windows will boot as normal?

    All data that I then save, will be encrypted on the larger 5TB data disk? Or are we saying here that it is the System Disk that would be encrypted?

    Have I got that straight?

    If so, could I arrange for different users of the PC to have their own login and the choice of whether to use encryption or not? In other words, what I am asking is, if I log on, my data is encrypted but if my wife or kids want to use the PC, they don’t have to enter an encryption key but they can’ then access my encrypted files?

    The above may sound like I’m worried what the wife or kids may see, I’m not - I just want to understand the encryption process and what is possible and what is not as I’ve never used encryption on a hard disk before nor to encrypt an OS. The only encryption I have encountered is on USB pen drives with encryption built-in and that was essentially painless (unless you forgot the passphrase!

    Art
      My Computers


  7. Posts : 5,048
    Windows 10/11 Pro x64, Various Linux Builds, Networking, Storage, Cybersecurity Specialty.
       #7

    @ArthurDent -

    Well...

    It's best to install Linux after installing and testing Windows.

    You have several concerns here that would be best addressed in the Linux Mint Forum.
    I would suggest registering there and asking your questions in the appropriate thread.

    It's important that you have the LM support there.

    One thing that I will say is to hold off on the encryption until everything is running correctly.
    I really don't think that you need encryption, as a casual user. It might slow you down a bit and complicate things.

    Here's the resource - lot's of talent there -

    https://forums.linuxmint.com/

    Let us know how you do!

      My Computer


  8. Posts : 386
    Windows 10 Pro (x64) 22H2 (OS Build 19045.3996)
    Thread Starter
       #8

    Compumind said:
    @ArthurDent -

    Well...

    It's best to install Linux after installing and testing Windows.

    You have several concerns here that would be best addressed in the Linux Mint Forum.
    I would suggest registering there and asking your questions in the appropriate thread.

    It's important that you have the LM support there.

    One thing that I will say is to hold off on the encryption until everything is running correctly.
    I really don't think that you need encryption, as a casual user. It might slow you down a bit and complicate things.

    Here's the resource - lot's of talent there -

    Linux Mint Forums - Index page

    Let us know how you do!

    @Compumind

    Thanks for that.

    I’ve already established, as you say, that it is better to install Linux after Windows - but earlier on this year (when Win 7 became EoL) when I formulated that plan, I was loathe to try it on a single disk which was both System Disk and Data Disk in case things went south.

    However, recently an offer came up over here in the UK which enabled me to get a legitimate copy of Windows 10 Pro for a snip, so I decided to buy a small, cheap, SSD and install Win 10 on that and re-purpose the large 5TB HDD as a data disk using the GPT scheme to allow access to the whole drive (post #104 in the 5TB thread outlines my current aims).

    It would probably make more sense to partition the 5TB disk into two data drives - one for Windows data and one for LM data - unless both Windows and LM can “share” the same encrypted partition (I’m thinking they probably can’t). Comments?

    The Win 10 installation is running as sweet as honey at the moment - so all good there.

    Having a clean installation of Windows 10 on a new SSD (which once it was working & populated with my usual programs such as Office I’ve now cloned onto another small laptop HDD using Macrium Reflect) and an empty data drive (the PC is currently 66% of the way through sanitising the 5TB drive), I can now install LM alongside Windows without any real fears

    The older 2TB hard disk, from which the 5TB disk was cloned back in February, is currently having its data copied onto the blank part of another PC’s hard disk (whilst the 5TB is being sanitised in parallel) before I attach the 2TB disk to the desktop as an external USB drive and copy the data across to the 5TB disk (that way I’ll have the data in 2 locations again in case one goes south).

    Regarding encryption, I think I’ll opt to encrypt just the data drive (I have a question regarding that which I’ll pop into a third thread) but not try to encrypt either the Windows or Linux Mint OSs - does that seem a sensible plan.

    Reason for encrypting the data disk is as I said in post #4 this thread - “The reason behind sanitising the disk before putting the documents back and then encrypting drive is in case drive fails (as I initially thought the 5TB disk had) and it has to go back to retailer/manufacturer for repair/replacement. If drive is sanitised before the data is put back and then the drive is encrypted and the drive then goes south, the data is irrecoverable - at least that's how I view it. Unless, of course, I have this round my neck!

    I’m already on the Mint Forum - see if you can find me (it shouldn’t be too difficult). I’m guessing you’re on the Mint Forum too, so I can PM you over there if you don’t mind.

    Thanks for all your help & advice so far,

    Kind regards,

    Art
      My Computers


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 12:00.
Find Us




Windows 10 Forums