Encryption
user012, 2016-07-15 12:11:22

TrueCrypt, SSD, TRIM, Security - leave unallocated space at the end of an encrypted SSD?

Do I need to leave an unallocated area at the end of an encrypted SSD?
There are two separate SSDs.
On one, Windows is installed and it's all encrypted.
On the second one, a partition is created and everything is also encrypted.
I advise many to leave an unallocated area of about 20% at the end of the disk, otherwise the performance has dropped very much now.
But also, many say that it is not safe, since data can get there in unencrypted form, is that true?


1 answer(s)
John Smith, 2016-07-15
@ClearAirTurbulence

Not quite like that. Firstly, the disk already has a spare area that is visible only to the controller. That is why some disks have a "strange" size: not 128, but 120 GB, and so on. But "adding" some space for overprovisioning never hurts.
The (highly potential) risk when using TS on an SSD is that with full encryption of a disk that already contains secret data (before encryption), the original unencrypted data may partially end up in the OP area. But to extract them, you will need very specific tools that work with memory directly, bypassing the disk controller. And in any case, the amount of such data (if any) will be insignificant, and they will be so fragmentary that it will be difficult, almost impossible, to obtain any meaningful passage.
Once the data is encrypted, there is no danger at all.
Bottom line: if you encrypt a disk from the FSB\GRU\FBI\NSA\GCHQ\OmniCorp\etc, they, although they (theoretically) have the power and means to obtain information in such an exotic way, most likely will receive it otherwise (TEMPEST\trojan\cameras\waterboarding\soldering iron). All the rest will not have the strength / means / time to receive information in this way. In any case, it is almost impossible to obtain meaningful information in this way.
To completely eliminate such a risk, you must first encrypt a new SSD drive, and only after that write sensitive information to it, but this is overkill for the reasons described above.

You can use TrueCrypt, or any other encryption-based system, on an SSD reliably.
The problem is that any data you have already written before applying encryption could be hidden away there in the reserve sectors. The same is true of a regular HDD. As sectors go bad, they are remapped from a spare pool of sectors.
So, potentially, if somebody had the crazy tools necessary to read the flash without the SSD controller in the way, it could have unencrypted data.
If you haven't put any sensitive data on those SSDs yet, then you can encrypt them now and be fine.
Even if you apply full disk encryption after the fact, most likely everything important will be encrypted. Only just a few fragments of any data will be in the reserve.
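
The effect both answers describe, as an added example that is not part of the original thread: a constructed toy model of an SSD controller showing why encrypting a disk that already holds data can leave a few plaintext pages in the spare area, while encrypting first leaves none. `ToySSD`, `toy_encrypt` and `stale_plaintext` are hypothetical names, the XOR transform is only a stand-in for the real disk cipher, and the allocation and garbage-collection policy is a deliberate simplification of what real controllers do.

```python
class ToySSD:
    """Constructed toy model of an SSD controller (FTL); not a real drive."""

    def __init__(self, logical_pages, spare_pages):
        # Physical flash = host-visible pages + hidden spare (OP) pages.
        self.flash = [None] * (logical_pages + spare_pages)
        self.free = list(range(len(self.flash)))
        self.lba_map = {}  # logical block address -> physical page

    def write(self, lba, data):
        # Flash is never overwritten in place: new data lands on a free page
        # and the old page is merely unmapped until garbage collection.
        if not self.free:
            self._garbage_collect()
        page = self.free.pop(0)
        self.flash[page] = data
        self.lba_map[lba] = page

    def read(self, lba):
        return self.flash[self.lba_map[lba]]

    def _garbage_collect(self):
        live = set(self.lba_map.values())
        for page in range(len(self.flash)):
            if page not in live:
                self.flash[page] = None  # erase the stale page
                self.free.append(page)

    def raw_pages(self):
        # What reading the flash chips directly (no controller) would see.
        return [d for d in self.flash if d is not None]


def toy_encrypt(data):
    # Stand-in for the disk cipher (assumption): any byte-changing transform.
    return bytes(b ^ 0x5A for b in data)


def stale_plaintext(encrypt_first, n=8, spare=2):
    ssd = ToySSD(n, spare)
    secrets = [f"secret-{i}".encode() for i in range(n)]
    for lba, s in enumerate(secrets):
        ssd.write(lba, toy_encrypt(s) if encrypt_first else s)
    if not encrypt_first:  # in-place encryption of a disk already in use
        for lba in range(n):
            ssd.write(lba, toy_encrypt(ssd.read(lba)))
    assert all(ssd.read(i) == toy_encrypt(secrets[i]) for i in range(n))
    return [p for p in ssd.raw_pages() if p in secrets]
```

With the defaults, `stale_plaintext(False)` returns the two plaintext pages still sitting in unmapped flash even though every logical block reads back as ciphertext, and `stale_plaintext(True)` returns an empty list.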
