I would especially recommend that laptop/notebook/netbook users encrypt all sensitive/personal information.
Here is some information about encrypting data on your notebook and how that affects the performance of the notebook.
There are mainly two ways to encrypt data on your computer:
drive encryption - encryption of the whole drive or a partition of your drive
file encryption - encryption of files on your computer
Drive encryption usually comes with pre-boot authentication, which means you have to enter the password for the drive/partition before the operating system starts.
With file encryption you have to enter the password when you open the encrypted file (the operating system is already running and is not encrypted).
Drive encryption:
Pros: minimum user interaction (only enter password at boot), all data is encrypted
Cons: Image tools like TrueImage or Ghost (the recovery media) cannot be used to back up the drive/partition except when the encryption software can be run from a boot media (CD/USB) like WinPE; it has an effect on the performance of the disk drive, but that is usually barely noticeable even with HDD
File encryption:
Pros: no effect on performance, Image tools like TrueImage or Ghost can still be used
Cons: you have to mount the encrypted volume, you have to select the files you want to encrypt or store them in the encrypted volume
You can read a more complete explanation of how it works here:
TrueCrypt - Free Open-Source Disk Encryption Software - Documentation - Introduction
For SSDs you have to be aware of this:
TrueCrypt - Free Open-Source Disk Encryption Software - Documentation - Wear-Leveling
Free encryption software: TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows 7/Vista/XP, Mac OS X and Linux, CompuSec CE-Infosys: FREE CompuSec PC Security Suite
Here are some performance tests I did with disk drive encryption:
Intel 80GB Gen1 SSD with encryption [image]
Intel 80GB Gen1 SSD without encryption [image]
RealSSD C300 128GB with encryption [image]
RealSSD C300 128GB without encryption [image]
Some drives come with a built-in feature called FDE (full disk encryption). I have no experience with that so I cannot tell what the performance impact is.
There is other encryption software out there but that usually costs money and is usually designed for companies where you have to manage several devices.
I haven't tested BitLocker from M$ but here is an article from Tom's Hardware about encryption with TrueCrypt and BitLocker: System Encryption: BitLocker And TrueCrypt Compared : A Bit-Locking And Cryptography Exercise
-
thx man this is great info...though barely noticeable? you lost 25-50% performance on the intel drive....that's a lot. and your performance drop on the other one wasn't that bad for the large files but the small files had an outrageous drop. This will be noted though. I am looking forward to testing this out.
-
It is not really noticeable because it is still several times faster than HDD. And you don't put that much load on the SSD (except with benchmark tools) to notice it. Other "cheaper" SSDs are maybe more sensitive to encryption and performance. I've read that the SandForce SSDs use compression internally to get the performance they have. That would be a problem with encryption.
By the way, the Intel Gen1 SSD I've used for testing is old and tortured, which is why the performance is less than a new Gen1 SSD would have.
-
It's interesting but obvious why small files are most affected by the encryption. I bet that would affect boot times and hibernating the most since it hurts small files most. Also HDDs are still fast. My HDD is 143MBps read and 133MBps write for large files and smaller files it's a lot less but it's still really fast. It's a Hitachi 1TB 7200rpm drive....also granted those speeds are the external part of the platter so the internal part is like 67MBps and middle is like 100MBps or higher
-
Interesting stuff. I remember seeing comparisons done using 5400rpm HDDs where the differences were much smaller in percentage terms because more of the overhead was due to the slower disk.
What encryption algorithm were you using? I think the slowest TrueCrypt algorithm has three times the overhead of standard AES.
-
I had AES as encryption algorithm.
-
Instead of encrypting the drive it might be a better idea to just keep anything personal off the drive?
Sounds simpler to me...
Edit:
And that Intel SSD took a very large performance hit - a HDD would do the same.
-
lol, sure keep the drive empty.
I think the best way is to create a separate partition that is encrypted and save the documents and emails there.
-
Unless you're really bothered by absolute performance, I'd be inclined to keep the user files on the system drive. In normal use I've never found the performance hit to be too bad (with AES).
Getting a separate drive mounted at startup is a bit of a hassle. Also all temporary files would have to be on this separate drive.
-
Here are some FAQs I've found regarding the built-in FDE feature on disk drives:
What is Full Disk Encryption (FDE)?
FDE is a method for encrypting hard drives in such a way that all data on the drive is always encrypted, without the use of third party encryption solutions.
How do I enable encryption?
There is no need to enable encryption. FDE drives always encrypt data on the disk. No initial set up is required. In fact, it is not possible to disable encryption on an FDE hard drive.
What encryption algorithm is used, and what is the key strength?
FDE drives use 128-bit AES encryption.
Can I back-up the encryption keys?
No, there is no way to back-up the encryption keys. There is no way to even know what key is being used to encrypt the drive. The key is generated by and maintained by the drive itself and cannot be retrieved.
Can I move an encrypted drive to another computer and still access the data?
Yes. The encryption key is not system specific. Since the key is maintained by the drive, it is possible to move the drive to another system and still access the data.
If the key is on the drive, how do I prevent would-be thieves from stealing the data off my drive?
To completely protect your data, it is absolutely vital that a hard drive password be set. This can be a user password or both a user and master password. The hard drive password prevents unauthorized users from booting the drive and accessing your data, while full disk encryption prevents more sophisticated attacks, such as attempting to retrieve data directly from the drive's platters.
Can the encryption key be changed?
The encryption key can be regenerated within the BIOS; however, doing so will make all data inaccessible, effectively wiping the drive. To generate a new key, use the option listed under Security -> Disk Encryption HDD in the system BIOS.
I don't see that option in my BIOS. Why not?
There are two reasons the Disk Encryption menu will not appear in the BIOS:
1. The drive in the system is not an FDE hard drive
2. The menu option has not been enabled
Since the BIOS menu is dynamic, the Disk Encryption menu will not be displayed if an FDE drive is not present. However, if your system does have an FDE drive, but the menu still does not appear, the menu option must be enabled using the "BIOS Setup Menu Extension Utility" (Lenovo has it; not sure if others have that too).
Will changing the Master or User hard drive password change the FDE key?
No. The hard drive passwords have no effect on the encryption key. The passwords can safely be changed without risking loss of data.
Can a user accessing the BIOS with the User password regenerate the encryption key?
Only if a Master password has not been set. If only a User password has been set, this password can be used to access the BIOS and regenerate the FDE key. However, if both a User and Master password have been set, the Master password is required to regenerate the key.
For enterprises, it is recommended the administrators set both User and Master passwords to avoid accidental destruction of data by end users.
-
nice cut and paste, what was the original source?
-
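The drive-level FDE behaviour listed in the FAQ post above, as an added example that is not part of the original thread: a toy Python model in which the drive holds its own key, passwords only gate access, and regenerating the key acts as a wipe. The class and method names are hypothetical, and a SHA-256 keystream stands in for the drive's AES engine.

```python
import hashlib, hmac, os

def _keystream_xor(key: bytes, sector: int, data: bytes) -> bytes:
    # Toy stand-in for the drive's AES engine (SHA-256 in counter mode), NOT real AES.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + sector.to_bytes(8, "big") + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)

class ToyFdeDrive:
    """Hypothetical model of the FDE drive behaviour described in the FAQ."""

    def __init__(self):
        self._key = os.urandom(16)   # 128-bit key made by the drive, never exported
        self._platters = {}          # sector -> ciphertext, what a platter-level read sees
        self._user_pw = self._master_pw = None

    def set_passwords(self, user=None, master=None):
        # Passwords only gate access; changing them never touches the key.
        self._user_pw, self._master_pw = user, master

    def _unlocked(self, pw):
        stored = [p for p in (self._user_pw, self._master_pw) if p is not None]
        # With no password set, anyone who can attach the drive gets plaintext.
        return not stored or any(hmac.compare_digest(pw or "", p) for p in stored)

    def write(self, pw, sector, data):
        if not self._unlocked(pw):
            raise PermissionError("drive locked")
        self._platters[sector] = _keystream_xor(self._key, sector, data)

    def read(self, pw, sector):
        if not self._unlocked(pw):
            raise PermissionError("drive locked")
        return _keystream_xor(self._key, sector, self._platters[sector])

    def raw_platter_read(self, sector):
        return self._platters[sector]   # bypasses the password, yields only ciphertext

    def regenerate_key(self, pw):
        # If a Master password is set it is required; otherwise the User password works.
        required = self._master_pw if self._master_pw is not None else self._user_pw
        if required is not None and not hmac.compare_digest(pw or "", required):
            raise PermissionError("not authorised to regenerate key")
        self._key = os.urandom(16)      # old ciphertext can no longer be decrypted
```
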
disk drive encryption and performance
Discussion in 'Windows OS and Software' started by Enny02, Aug 29, 2010.