In this post I am going to share my experiences with encrypting a secondary drive in a Windows Vista environment.
The hardware is a Dell Optiplex core 2 duo. I will be encrypting a 1 terabyte Hitachi drive which I use primarily for storage.
The first piece of software I tried is PGP Desktop. When setting up the drives the first thing I noticed when partitioning them through windows is I have a choice of boot record formats. As of this post PGP Desktop did not even see a partition when a drive was initialized as GPT though it did not have a problem with the standard MBR type. I also attempted encrypting as a MBR type and then converting it to GPT. PGP Desktop removed its encryption status when I did this therefore I would not recommend trying that ;-). This concerned me since I am planning on implementing a raid solution and do not want to be limited to 2 terabytes by the drive table type. Regardless I went with the MBR style in order to allow PGP Desktop to play nicely. I imagine their product will support the newer format in the future. Encrypting a terabyte of data took all of the 12 hours for AES-256 which is what the tell-tell meter said it would. Once encrypted it acted just like a regular drive and upon restarting the Vista OS it prompted for a pass-phrase. Pretty simple and clean.
On a side note when I broke PGP desktop encryption on the drive I had to do the following to remove the bootguard since it resides on the boot drive:
Decrypting from a Command Line
From the command line, type pgpwde —decrypt —disk 0 (or the disk in question) —passphrase “enter passphrase here within double quotes” and press the enter key. The disk will then decrypt. The PGP Whole Disk status icon will be turning around in the system tray to show you decryption is in progress:
Once decryption is complete, see if the disk is still instrumented by bootguard by typing the —status command listed above. If the drive is not encrypted, the hard drive should boot normally. If the drive is still instrumented, but no highwater, proceed to the next steps.
Truecrypt was my next contestant. This appeals because of the great support that many open source solutions provide from the community. There are several algorithm options with TrueCrypt. I decide to go with the AES-Serpent combination but benchmark was a little off though. When creating the volume it also took around 10 hours for the terabyte volume averaging about 25 MB/s which means the AES solo algorithm probably would have taken half of the time.
I had some problems with the Truecrypt setup as well. The first round I was warned about existing partitions so I deleted everything and let TC encrypt the device (drive) instead of a partition which didn’t work so well. I learned it is recommended to encrypt a partition instead of the whole physical drive so I used the disk management snap-in via Vista’s Administrative Tools to first create the partition using the GPT style partition and let TrueCrypt format the drive using NTFS.
I have decided to stick with TrueCrypt over PGP Desktop because it’s free and it let me use the GPT style partitioning scheme. There are benefits to using PGP’s suite because it also includes email and instant messaging encryption tools amongst others but there is a fee for using the software beyond the demo period.