• DiskCryptor - Full-Disk-Encryption
I've been using Full-Disk-Encryption (FDE) software now for almost 5 years (Safeguard Easy, [URL="http://www.truecrypt.org/"]TrueCrypt[/URL]) and now I seem to have found the [I]perfect[/I] one called [URL="http://diskcryptor.net/wiki/Main_Page/en"]DiskCryptor[/URL]. It is fast, supports modern CPU instructions like SSE2 and [URL="http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/"]Intel's AES-IM[/URL] to speed up encryption and also works perfectly fine with SSDs (even with ATA-Trim, but only since [URL="http://diskcryptor.net/forum/index.php?topic=1985.0"]beta 1.0.667[/URL]). If you don't want to read everything here, just scroll down to [highlight]Conclusion/tldr;[/highlight].

[b]Why should I bother to encrypt my disk?[/b]
Simply for security. For myself I don't like anyone else but me getting on my PC because they could read sensitive data or fuck things up (an OS password can be easily omitted with a Linux boot CD. With encryption this is impossible). You should also consider encrypting your laptop's disk. It's a bad experience if you lose your laptop but it is even worse if the thief now has access to all your private data including passwords, private photos or other documents.

[b]Doesn't Full-Disk-Encryption (FDE) slow down my PC?[/b]
It really depends on the hardware setup of your PC, the used program and especially on the encryption algorithm. On my Core i5-750 CPU I'm getting 350 MB/s for [URL="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard"]AES-256[/URL] and even 570 MB/s on [URL="http://en.wikipedia.org/wiki/Serpent_%28cipher%29"]Serpent[/URL]. My laptop isn't that powerful (Core Duo) but still has 114 MB/s for AES-256. One more limiting factor can be your HDD: If the disk is encrypted you need to read/write at least a block of data at the same size of what your encryption bit length is (e.g. 256 bit = 32 byte).
This can slow down reading small or heavily fragmented files or from the filesystem table. I also mentioned the program to be a limiting factor: Inefficient coding can drop the performance dramatically. But nevertheless, the encryption algorithm and its implementation (C++, C or even ASM? Does it use special hardware instruction sets?) is also important. DiskCryptor's algorithms for AES are written in Assembler and support Intel's [URL="http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/"]AES-IM[/URL] instructions which speed up the encryption speed to 3 [B]G[/B]B/s instead of 300 MB/s.

[b]What about SSDs? ([URL="http://en.wikipedia.org/wiki/TRIM"]Trim[/URL], [URL="http://en.wikipedia.org/wiki/Wear_leveling"]Wear-Levelling[/URL])[/b]
Most encryption software does not support the [URL="http://en.wikipedia.org/wiki/TRIM"]ATA-TRIM[/URL] signal so your SSD becomes slower after the encryption when writing. The reason is simple: If your SSD is totally encrypted it is [U]completely full[/U] and looks like random numbers from outside. So in order to write new data to it (even if Windows shows that it has enough space left), the controller of the SSD needs to delete a data-block before it can write to it instead of using an empty one (which is 'there' with using TRIM and makes writing faster). Luckily DiskCryptor is the first FDE program I know which supports TRIM (since [URL="http://diskcryptor.net/forum/index.php?topic=1985.0"]beta 1.0.667[/URL]): It will just encrypt the data but not empty space so TRIM still works (can be disabled).

[URL="http://en.wikipedia.org/wiki/Wear_leveling"]Wear-Levelling[/URL] (WL): WL is a technique to use not so heavily used cells on your SSD in order to keep the SSD alive for a long time since writing to a cell is generally limited to around 10,000 times (MLC-SSDs). This happens fully transparently on the controller so FDE does not interfere here.
[b]How does the encryption work?[/b]
You install the program and encrypt the drive or single partition. A custom bootloader will be installed and the next time you boot your PC you need to enter the password in order to make Windows start.

[b]How to get rid of the encryption?[/b]
Simply decrypt the partitions/drive with the program you used.

[b]What happens if I lose my password or damage my drive/partition?[/b]
If you lose your password your data are gone. Simple as that. Just do backups regularly. If your partition gets [I]fucked up[/I] and can't be mounted anymore, just shows garbage or appears as unformatted then most likely the partition's header is damaged. Luckily you can back up partition headers with DiskCryptor. Just do the backup and save that header somewhere - you can restore damaged partitions with it but nobody can use that header to decrypt your drive without knowing the password! If your drive is (physically) damaged and you can't read from it you only can get it to a specialist who exchanges the electronics or does a sector-by-sector copy with special machines to a similar disk. Chances are [U]available[/U] that you can get your data back. But you better do a backup regularly.

[b]Can I make a Disk-Backup with e.g. TrueImage?[/b]
Yes. You can create a backup easily from within Windows. It will read all data [U]unencrypted[/U] to an image file. If you want to restore it, boot up a [URL="http://www.nu2.nu/pebuilder/"]BartPE[/URL] CD with your imaging program (I'm using TrueImage Home 2009) and DiskCryptor. Now restore the partition you have backed up. If your backup lies on an encrypted partition you have to mount it using DiskCryptor before. Attention: If you restore the image the data will be written totally unencrypted to your disk. You also have to make sure the restored image is written back at the size of the partition (my image was 31 KByte smaller. I just fixed the size manually and everything worked).
Once this is done, restart your PC and enter the password. If you have restored the system partition Windows will just boot up (but is unencrypted). Now simply use DiskCryptor again to encrypt it.

[b]Performance Benchmarks[/b]
I quickly set up an old 200 GB HDD and benchmarked it with TrueCrypt, DiskCryptor and unencrypted. Here are the results:

[u]Unencrypted[/u]
[img_thumb]http://files.daggeringcats.com//DiskCryptor%20vs%20TrueCrypt%20vs%20Unencrypted%20-%20Old%20HDD/Unencrypted/Atto.png[/img_thumb] [img_thumb]http://files.daggeringcats.com//DiskCryptor%20vs%20TrueCrypt%20vs%20Unencrypted%20-%20Old%20HDD/Unencrypted/CrystalDiskMark.png[/img_thumb] [img_thumb]http://files.daggeringcats.com//DiskCryptor%20vs%20TrueCrypt%20vs%20Unencrypted%20-%20Old%20HDD/Unencrypted/HDTune.png[/img_thumb]
You see, the drive is old and only has about 55 MB/s in sequential read/write.

[u]DiskCryptor 1.0.667[/u]
[img_thumb]http://files.daggeringcats.com//DiskCryptor%20vs%20TrueCrypt%20vs%20Unencrypted%20-%20Old%20HDD/DiskCryptor/Atto.png[/img_thumb] [img_thumb]http://files.daggeringcats.com//DiskCryptor%20vs%20TrueCrypt%20vs%20Unencrypted%20-%20Old%20HDD/DiskCryptor/CrystalDiskMark.png[/img_thumb] [img_thumb]http://files.daggeringcats.com//DiskCryptor%20vs%20TrueCrypt%20vs%20Unencrypted%20-%20Old%20HDD/DiskCryptor/HDTune.png[/img_thumb]
DiskCryptor does not alter the sequential read/write rates but slows down the system a little bit (around 10%) on random-read/write of 4KB blocks and below (second picture).

[u]TrueCrypt 6.3a[/u]
[img_thumb]http://files.daggeringcats.com//DiskCryptor%20vs%20TrueCrypt%20vs%20Unencrypted%20-%20Old%20HDD/TrueCrypt/Atto.png[/img_thumb] [img_thumb]http://files.daggeringcats.com//DiskCryptor%20vs%20TrueCrypt%20vs%20Unencrypted%20-%20Old%20HDD/TrueCrypt/CrystalDiskMark.png[/img_thumb] [img_thumb]http://files.daggeringcats.com//DiskCryptor%20vs%20TrueCrypt%20vs%20Unencrypted%20-%20Old%20HDD/TrueCrypt/HDTune.png[/img_thumb]
TrueCrypt is even at the same speed in sequential read/write but drops in performance significantly for random-read/write at blocks of at/below 16 KB. The losses are up to 50%!

[highlight]Conclusion/tldr;[/highlight]
Disk encryption is essential for security and does not really slow down your PC if you choose your program wisely. I found DiskCryptor to be [u]my personal favorite[/u] because it goes with current technologies, is incredibly fast compared to other products, perfectly supports SSDs and is [u]Open Source & GPL[/u] (where TrueCrypt is only Open Source but under a really restrictive license).
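
What the TRIM trade-off described in the first post looks like to someone holding only the raw drive, as an added example that is not part of the original post and not DiskCryptor code. It assumes trimmed sectors read back as zeros (this is device-dependent); both disk images are constructed, and SHA-256 counter output stands in for real ciphertext.

```python
import hashlib
import math
from collections import Counter

SECTOR = 4096  # analysis granularity in bytes (assumption)


def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant block, close to 8.0 for random data."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify(block: bytes) -> str:
    """Label one sector the way someone without the password would see it."""
    if block.count(0) == len(block):
        return "empty"       # trimmed or never written (assumes zeros on read-back)
    if shannon_entropy(block) > 7.5:
        return "ciphertext"  # "looks like random numbers from outside"
    return "plaintext"       # structured data, i.e. not encrypted


def usage_map(image: bytes) -> list:
    """Per-sector labels for a raw disk image."""
    return [classify(image[off:off + SECTOR]) for off in range(0, len(image), SECTOR)]


def used_fraction(image: bytes) -> float:
    """Share of sectors that visibly hold data."""
    labels = usage_map(image)
    return sum(label != "empty" for label in labels) / len(labels)


def fake_ciphertext(n_sectors: int, seed: bytes) -> bytes:
    """Constructed stand-in for encrypted sectors: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < n_sectors * SECTOR:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n_sectors * SECTOR])


# Constructed 8-sector images.
# Every sector encrypted, free space included: the drive looks completely full.
FULLY_ENCRYPTED = fake_ciphertext(8, b"volume-a")
# Only data encrypted, free space left trimmed: 5 data sectors, 3 empty ones.
TRIM_PASSTHROUGH = (fake_ciphertext(3, b"volume-b") + bytes(2 * SECTOR)
                    + fake_ciphertext(2, b"volume-c") + bytes(SECTOR))

if __name__ == "__main__":
    for name, image in (("fully encrypted", FULLY_ENCRYPTED),
                        ("TRIM passthrough", TRIM_PASSTHROUGH)):
        print(f"{name:17s} used={used_fraction(image):.3f} map={usage_map(image)}")
```

With TRIM passed through, the SSD keeps its write speed, but how much data is stored and where it sits is readable without the password; with the option disabled, the whole drive is uniform random-looking data.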
Would encryption be useful on a setup like just a normal gaming computer that is used by one person, where nobody would want access to it?
Disk encryption is a waste of time. Unless you have something to hide ?
Looks like a neat alternative to TrueCrypt but it doesn't seem to have as many features. For example custom boot error messages for pre-boot authentication or hidden operating systems are what makes TrueCrypt a very attractive choice. Though I do find it interesting that DiskCryptor supports TRIM. Been using TrueCrypt on my laptop and I've been happy with the performance but if I ever upgrade to an SSD I'll definitely need to check this out.

[QUOTE=Onlyonebowman;22832284]Would encryption be useful on a setup like just a normal gaming computer that is used by one person, where nobody would want access to it?[/QUOTE]
No. Unless you want to keep pesky roommates from using your computer or stealing your super secret porn stash. It's more useful for laptops because they can be stolen easily, along with your data. Mind you most of the time if your laptop is stolen the guy that took it probably doesn't give two shits about the data and just throws it up on Craigslist or something but you can't be too careful. I personally would never consider encrypting the disks on a regular desktop.
[QUOTE=Onlyonebowman;22832284]Would encryption be useful on a setup like just a normal gaming computer that is used by one person, where nobody would want access to it?[/QUOTE]
It's only a matter of security. If you don't care about anyone using your PC, don't use encryption. But if you do care (like I do), get it. In my opinion most PC users (sadly) don't care about security concerning their PC but would never participate in "real life" activities which need them to reveal some of their private data (age, name, mail). That's quite contradictory. A good (and performant) encryption is nothing special and everyone can get this to work and should use it.

[editline]10:51PM[/editline]

[QUOTE=Chryseus;22832590]Disk encryption is a waste of time. Unless you have something to hide ?[/QUOTE]
So if I get to your home and turn on your PC, you don't care about me reading your private mails? Similar: If I ask you for a picture of you, would you post it? Do you post your E-Mail right here? I doubt it. That's exactly the same: Everyone has something to hide (private stuff). You can do the "lame method" with encrypted containers (and risk getting the pw into the pagefile so an adversary can get the pw) or encrypt the full hdd and be safe. Anyway, that's not a "fight" or "post yours" about "get encryption or not" (similar to ATI vs nVidia), it's a documentation and rating about how I found the best performant encryption software which gives you the most security with least (nearly none) performance degeneration.
[QUOTE=Chryseus;22832590]Disk encryption is a waste of time. Unless you have something to hide ?[/QUOTE] Having something to hide has nothing to do with it. I don't encrypt my desktop as it's protected from law enforcement by the fact it's in my house (if they have a warrant they can force you to give up the password anyway), but I most certainly would encrypt a laptop if it ever left the house.
[QUOTE=M2k3;22832638]Looks like a neat alternative to TrueCrypt but it doesn't seem to have as many features. For example custom boot error messages for pre-boot authentication or hidden operating systems are what makes TrueCrypt a very attractive choice.[/QUOTE]
I do agree, DiskCryptor lacks these features but plausible deniability (hidden OS) is planned. Anyway I rate this feature "useless" because as soon as someone who [b]has[/b] to get the data (e.g. you are getting extorted or threatened) and knows his "business" he will also know about the hidden volume capability and will ask you for this.

[QUOTE=M2k3;22832638]Though I do find it interesting that DiskCryptor supports TRIM. Been using TrueCrypt on my laptop and I've been happy with the performance but if I ever upgrade to an SSD I'll definitely need to check this out.[/QUOTE]
Yes, that's why I came to DiskCryptor. TC is nice. But DC is better in performance and especially with SSDs. Still I will never stop using TC for container based encryption because DC does not allow this. (Trivia: DC once was 100% compatible to TC up to version 0.5)

[QUOTE=M2k3;22832638]... It's more useful for laptops because they can be stolen easily, along with your data. Mind you most of the time if your laptop is stolen the guy that took it probably doesn't give two shits about the data and just throws it up on Craigslist or something but you can't be too careful. I personally would never consider encrypting the disks on a regular desktop.[/QUOTE]
Agree to the laptop. But once I got used to the encryption and the really less performance degeneration on my laptop I also installed Safeguard Easy then TrueCrypt and finally DiskCryptor on my Desktop as well. Nearly no performance losses but best security. Why not to have both? These 3% in performance I lose is nothing compared to the 100% security I gain.
I found a laptop on the train, and there was just a windows password protecting everything Sam Meyers had. One boot of NTPASSWD removed that for me, and I had access to Sam's entire digital world. Once I saved the data I wanted to keep, I blew the Windows 7 Professional partition, installed Windows 7 Ultimate, Installed Linux Mint 9, and I'm using that very laptop this moment to type in this post. The bastard should have not left his laptop on the train. If you leave something as important as a laptop laying around on a train, you obviously don't need it, and definitely don't deserve to have it back. :colbert: Perhaps there is a lesson to be learned about laptop data encryption after all. :cop::crying:
[QUOTE=Pixel Heart;22835551]I found a laptop on the train, and there was just a windows password protecting everything Sam Meyers had. One boot of NTPASSWD removed that for me, and I had access to Sam's entire digital world. Once I saved the data I wanted to keep, I blew the Windows 7 Professional partition, installed Windows 7 Ultimate, Installed Linux Mint 9, and I'm using that very laptop this moment to type in this post. The bastard should have not left his laptop on the train. If you leave something as important as a laptop laying around on a train, you obviously don't need it, and definitely don't deserve to have it back. :colbert: Perhaps there is a lesson to be learned about laptop data encryption after all. :cop::crying:[/QUOTE] You're scummy.
[QUOTE=y0haN;22836736]You're scummy.[/QUOTE] Oh please, if you found a laptop worth several hundred dollars you would keep it too. Greed is the driving force of the modern society, free shit is hard to turn down.
[QUOTE=y0haN;22836736]You're scummy.[/QUOTE] You have no idea, son. :smug:
[QUOTE=Nilrus;22836813]Oh please, if you found a laptop worth several hundred dollars you would keep it too. Greed is the driving force of the modern society, free shit is hard to turn down.[/QUOTE] I find it hard to grasp why you're teaching ethics to a person on a forum.
[QUOTE=Pixel Heart;22835551]I found a laptop on the train, and there was just a windows password protecting everything Sam Meyers had. One boot of NTPASSWD removed that for me, and I had access to Sam's entire digital world. Once I saved the data I wanted to keep, I blew the Windows 7 Professional partition, installed Windows 7 Ultimate, Installed Linux Mint 9, and I'm using that very laptop this moment to type in this post. The bastard should have not left his laptop on the train. If you leave something as important as a laptop laying around on a train, you obviously don't need it, and definitely don't deserve to have it back. :colbert: Perhaps there is a lesson to be learned about laptop data encryption after all. :cop::crying:[/QUOTE] GJ thief.
[QUOTE=Pixel Heart;22835551]I found a laptop on the train, and there was just a windows password protecting everything Sam Meyers had. One boot of NTPASSWD removed that for me, and I had access to Sam's entire digital world. Once I saved the data I wanted to keep, I blew the Windows 7 Professional partition, installed Windows 7 Ultimate, Installed Linux Mint 9, and I'm using that very laptop this moment to type in this post. The bastard should have not left his laptop on the train. If you leave something as important as a laptop laying around on a train, you obviously don't need it, and definitely don't deserve to have it back. :colbert: Perhaps there is a lesson to be learned about laptop data encryption after all. :cop::crying:[/QUOTE] Yeah you're an asshole. He's such a bastard for being human and forgetting something. What you're doing is called stealing.
[QUOTE=Xera;22838904]Yeah you're an asshole. He's such a bastard for being human and forgetting something. What you're doing is called stealing.[/QUOTE] [highlight]HOW THE FUCK DO YOU FORGET A LAPTOP!?[/highlight] :byodood:
[QUOTE=Xera;22838904]Yeah you're an asshole. He's such a bastard for being human and forgetting something. What you're doing is called stealing.[/QUOTE] Oh whoops let me just leave my huge $800 piece of electronics on a crowded public transport system. That type of shit is important and unless something EXTREMELY drastic/dramatic/traumatizing happens then you deserve to lose the thing.
[QUOTE=FunnyGamer;22840858]Oh whoops let me just leave my huge $800 piece of electronics on a crowded public transport system. That type of shit is important and unless something EXTREMELY drastic/dramatic/traumatizing happens then you deserve to lose the thing.[/QUOTE] Exactly. :buddy:
[QUOTE=Pixel Heart;22835551]I found a laptop on the train, and there was just a windows password protecting everything Sam Meyers had. One boot of NTPASSWD removed that for me, and I had access to Sam's entire digital world. Once I saved the data I wanted to keep, I blew the Windows 7 Professional partition, installed Windows 7 Ultimate, Installed Linux Mint 9, and I'm using that very laptop this moment to type in this post. The bastard should have not left his laptop on the train. If you leave something as important as a laptop laying around on a train, you obviously don't need it, and definitely don't deserve to have it back. :colbert: Perhaps there is a lesson to be learned about laptop data encryption after all. :cop::crying:[/QUOTE] You're a dumbass. You should have either taken it to someone at the station or attempted to see if you could find his phone number or address in his files to return it.
yeah guys you're totally right. he deserved to have it stolen. brb stealing that car parked outside. obviously the bastard owner doesn't want.
[QUOTE=Pixel Heart;22840189][highlight]HOW THE FUCK DO YOU FORGET A LAPTOP!?[/highlight] :byodood:[/QUOTE]
Stress and in a hurry. Been there done that, thankfully there was a kind person who remembered me, and gave me my laptop back next day on the same bus I forgot it on. Didn't have any personal information on it either, but still. Same shit comes to forgetting to lock your car, that isn't an invitation to steal it.
Well, concerning Pixel Heart's post: That's where encryption could have helped not to get an adversary or thief on the sensitive data. Anyway I'm just encrypting my new 1 TB drive I ordered on Monday (110 MB/s encryption write speed). Arrived today. Tomorrow I'll get my 120 GB SSD which I'll use for Windows (C:) and Programs (D:) (and maybe a few games I use frequently) only to speed everything up. I'm lucky that there exists an encryption software like DiskCryptor which is incredibly fast.
Yeah, if Sam had his harddrive encrypted, I don't think there would have been an easy way in for me. Luckily, I now have this laptop with a power-on password, so it won't even boot the harddrive without a password. I know it's not that much protection, but the average dumbass wouldn't know how to reset it.
[QUOTE=Pixel Heart;22847882]Yeah, if Sam had his harddrive encrypted, I don't think there would have been an easy way in for me. Luckily, I now have this laptop with a power-on password, so it won't even boot the harddrive without a password. I know it's not that much protection, but the average dumbass wouldn't know how to reset it.[/QUOTE] The average noob asks his pc-pro-friend to fix/remove the password. So he gets access anyway
I just tested DiskCryptor with Serpent (which was the fastest algorithm on my PC with over 610 MB/s in RAM) and AES (slowest) on my OCZ Vertex 2 (120 GB) which just arrived today. Looks like that sequential read/write suffers from the encryption a little bit by losing around 15% of performance (still outsmarting every HDD of course). But in random 4kb-block read/write it's at the same speed as unencrypted. IOPS do not suffer at all.
[QUOTE=Chryseus;22832590]Disk encryption is a waste of time. Unless you have something to hide ?[/QUOTE] Everyone has something to hide. It's the same reason you password your gmail account.
[QUOTE=Chryseus;22832590]Disk encryption is a waste of time. Unless you have something to hide ?[/QUOTE] You have nothing to hide? What's your address and full name then bro?