Encrypting a SSD

[rdl]

I have an external HDD (Seagate spinning rust) that acts like it's going bad. It was encrypted with TruCrypt. I want to replace it with a SSD (both drives are 1 TB). Should I just use Trucrypt with the new drive? Or is there a better choice? The drive does nothing but hold stuff as back up - write once and probably never again and accessed infrequently.

[Lindley]

TrueCrypt was discontinued some time ago,  assuming you are after a free program,   VeraCrypt stepped in with its updated version.

https://www.veracrypt.fr/en/Home.html

https://www.wikihow.com/Encrypt-an-External-Drive-Using-Veracrypt

For long term storage not sure about a SSD,  do they need to be refreshed in your situation ? 
They are great as the system drive, but the two we have had expired way earlier than any HDD we ever had, so if going for a SSD make sure it has a 5 year warranty.

[Nominal Animal]

If the host for the removable backup drives is running Linux or DragonFly BSD, then I'd suggest cryptsetup.  On a Linux host, it uses dm-crypt (see Wiki).

It is a bit annoying to set up, as you need to format the drive using command-line commands, and decide for yourself what encryption method you want to use, but I've found it good enough to use on my laptop for years now.  My backups have basically no sensitive information, so I don't currently encrypt those.

If the removable backup drive is to be used with machines running Windows, I don't have any good suggestions myself.

[Halcyon]

You can treat the SSD like any other hard disk when it comes to encryption. The Operating System and on-board controller takes care of any housekeeping that needs to be done.

But yes, if you were using TrueCrypt before and you're comfortable with it, I'd update to VeraCrypt as someone else has already pointed out. It has basically an identical GUI.

[IanB]

You don't mention your operating system. Windows has built in drive encryption (as does Mac I think).

The answers in this thread refer to Linux, but you didn't say that. Is that assumed?

[rdl]

It's Windows 7.

I did google this, but google is mostly noise these days and TruCrypt is old software so it wasn't much help.

I looked at VeraCrypt and that's probably the way to go. It claims to be able to load TruCrypt volumes, so that will be useful. I also use Linux and there's a Linux version of VeraCrypt. I wonder how that would work. The drive is FAT32.

I have a second drive, same model, with a copy of the data. It's not exactly up to date, but probably 95% the same (there has been some stuff added to the drive that's acting weird). I'll copy that to the SSD and then try to update only what has been added from the drive that's acting weird.

[IanB]

Well, you definitely could think about BitLocker that is built into Windows. Given that it is native, the integration should be seamless.

[iMo]

One small issue with encrypted disks is they contain a "white noise" you cannot compress. So unless your data is really sensitive I would not encrypt.
Btw. - why do you think the Truecrypt is "obsolete"? A different story, sure..

[magic]

Another option to consider is that many SSDs encrypt everything anyway (as a form of "secure" data scrambling).
Simply enabling built-in password protection is supposed to make them completely unreadable without unlocking.

This may or may not be effective against nation state level threats or sophisticated criminals having access to information leaks from the former, but good enough against a common computer thief or a roommate.

Well, you definitely could think about BitLocker that is built into Windows. Given that it is native, the integration should be seamless.

Until M$ discontinues support in Windows 13

[Lindley]

Well, you definitely could think about BitLocker that is built into Windows. Given that it is native, the integration should be seamless.

@rdl does not mention which version he of W7 they have, but its only available on the Pro and higher versions Windows.

    BitLocker is available on:
    Ultimate and Enterprise editions of Windows Vista and Windows 7
    Pro and Enterprise editions of Windows 8 and 8.1[8][2]
    Pro, Enterprise, and Education editions of Windows 10[9]
    Pro, Enterprise, and Education editions of Windows 11[10]

Rather than worry about encryption, on an external drive, might be safer to just hide the drives somewhere in the house or an out building/garage.

[Peabody]

There was a Security Now episode a while back covering those self-encrypted SSDs, and it reported that the passwords were basically not done right on any of them, and they weren't really secure.  But perhaps that's been fixed by now.

With regard to Bitlocker, you would want to be sure you could access the drive from another computer in case the original computer died.  I think that may not be as straightforward as with Veracrypt.  Something about certificates that I never understood.

With regard to imaging a Veracrypt-encrypted partition, the Terabyte Unlimited imaging software includes Veracrypt on its boot thumb drive, so you can image just the used sectors.  And you can restore back to an encrypted state directly.  Works pretty well, but not free.

[rdl]

Yeah, when I first did this I looked at the available options and TrueCrypt appeared to be the simplest and easiest way to do what I wanted. I need to be able to unlock a drive when I want access and then shut it down as soon as I'm done. Setting a drive password in the bios won't work this way. Bitlocker is not available on Windows 7 Pro. Which is not a problem because as far as I'm concerned the less Microsoft there is in my life, the better off I am.

Anyway, I have the new drive set up and encrypted with VeraCrypt. All I have to do now is copy the files over.

[mfro]

It is a bit annoying to set up, as you need to format the drive using command-line commands, and decide for yourself what encryption method you want to use, but I've found it good enough to use on my laptop for years now.

Must have been a while since you've set that up, right?
Even Debian installs with encrypted disks with no more manual effort than just typing an encryption password, nowadays.

[Nominal Animal]

It is a bit annoying to set up, as you need to format the drive using command-line commands, and decide for yourself what encryption method you want to use, but I've found it good enough to use on my laptop for years now.

Must have been a while since you've set that up, right?
Even Debian installs with encrypted disks with no more manual effort than just typing an encryption password, nowadays.

No, I meant that taking an external removable drive and setting it up for encryption, requires command-line commands.  It's a bit annoying, because one does it so rarely one forgets the details (unless one notes them down for oneself); and the settings you use definitely matter.

Most distributions nowadays support dm-crypt (and various LVM configurations, including dm-crypt on top of LVM) configuration in their installers, sure; and with quite good defaults too.  And the last time I did that was just a few months ago, actually.  It really is just selecting an option in the installer and specifying a passphrase.

But that's not what we're talking about here.  We're talking about encryption of removable drives, something that does not involve the installers at all.

[mfro]

No, I meant that taking an external removable drive and setting it up for encryption, requires command-line commands.  It's a bit annoying, because one does it so rarely one forgets the details (unless one notes them down for oneself); and the settings you use definitely matter.

Try zuluCrypt. It provides a GUI frontend to different kinds of encrypted devices/files including dm-crypt/LUKS.
LuckyLuks is a bit simpler but should probably do as well.

[Nominal Animal]

Try zuluCrypt. It provides a GUI frontend to different kinds of encrypted devices/files including dm-crypt/LUKS.
LuckyLuks is a bit simpler but should probably do as well.

Have you used these yourself with removable drives?  Would you recommend them to users not familiar with Linux command-line tools?

Like I said, the command-line tools are a bit annoying because one does such tasks so rarely it's not worth remembering the details, so at least I have to look up the details before doing such stuff, and at least I haven't found a good summary.  I don't really mind myself, the annoying bit, really, is being reminded of my minuscule brain capacity.

For example, for a removable drive that is possibly subject to bitrot, neither aes-xts-plain64 or aes-cbc-essiv:sha256 (the default ciphers for LUKS and plain encryption, respectively), do not detect bit errors in the ciphertext (XTS weakness, ESSIV malleability attack), so for offline backup purposes one should really use XFS, Btrfs, or ZFS file system.
Those won't protect against bit-rot, but at least they detect if it happens, unlike when using ext4, NTFS, etc.

A separate question is whether the GUI frontends for cryptsetup like zuluCrypt even care about such stuff.

[rdl]

So I got it all taken care of, the new disk encrypted with VeraCrypt now has a copy of all the data. Supposedly VeraCrypt will open TrueCrypt volumes but I haven't tried that yet. Due to a lack of USB 3 ports on my good better computers, I had to copy everything over USB 2.0 using an old machine and it took many hours. I really need to build something up to date. Thanks for all the info.

[magic]

ain't broke → don't fix it

By the way, it certainly is possible to password protect and then unlock a portable drive without rebooting and going through BIOS, but I admit that I only know how to do it on Linux, so whatever.

[PA0PBZ]

Supposedly VeraCrypt will open TrueCrypt volumes but I haven't tried that yet.

Yes it does, but not automatically, you have to tick the box on the 'Enter password' prompt after clicking the 'Mount' button. Something I overlooked at first



Edit: I started using Veracrypt because after some W10 update Truecrypt was unable to dismount properly and a forced dismount ended in a blue screen