Recently I read an interesting research paper which talked about how Solid-State Drives (SSD) leave behind a horrible amount of old data that was supposed erased after "writing to zeros" and all that.  (Not trying to start a debate on that topic.)

Anyways, it got me to wondering this...

If a person wanted the safest of safe end-effect from *software* Full-Disk Encryption (FDE), would that mean that the FDE software should be installed on a "virgin" machine before it was ever used, OR could you have a computer with tons of personal data on it - including residual data that was "deleted" yet not truly erased off the face of the HDD - and still encypt every last bit on the HDD??


(To clarify, this would be for a conventional magnetic HDD, and NOT one of the newer Flash drives.)


My fear is that if I installed something like TrueCrypt on my 4-year-old laptop, that there might be sector or blocks with: Old Cache Files, Data Deleted but not Erased, and so on that might somehow escape being encrypted?!  (It seems like *software* FDE encrypts maybe 99% of your HDD, and I am worried about that last 1%...)

Does that make sense?

I am asking this for two reasons...

1.) I hope to buy a new MacBook Pro later this week, and I want to know if I need to set up FDE *before* actually using it to get the best effect?

2.) I have this ancient MacBook that has maybe 400GB of data on it, and I'm curious how effective installing something like TrueCrypt on it would be?  (Would doing that so late in the game really protect ALL of my data, or just most of it?!)

Sincerely,


Tom

Asked another way, what would software FDE NOT encrypt?

My understanding is that the difference between hardware FDE and software FDE, is that software FDE does not encrypt or whatever the "Boot Sector".

But after reading about how Flash technology works - or doesn't work?! - it got me to wondering if there are significant portions of my physical HDD that something like TrueCrypt misses, and thus if I had already written unencrypted data to the entire HDD, TrueCrypt might "miss" some of that current or old data?



Okay.

But back to my OP, would you agree that it is better to set up FDE on a virgin machine before you start using it, so - in theory at least - all of your data gets encrypted?


Tom

Okay, sounds good.

So, any ideas on the next step, which is "What is the best FDE software to use?"

http://www.ethicalhacker.net/forum/index.php?topic=10884.0


Tom

^ +1  I heard a few complain about it, on SSD.  I'm also using it on a container / folder basis, instead.