The DiskCryptor download is a tiny 750 Kb. After installing it you will need to reboot the computer. You might notice that its 64-bit drivers come signed by the ReactOS Foundation, a non-profit organization that assists open source projects unable to afford the expensive signing certificate needed to distribute Windows 64-bit drivers.
Encrypting my Windows 7 Home Premium 64-bit OS on a fairly powerful Intel i5 at 2200 MHz (quad core) used very little CPU, a steady 7% of the available resources. It took me 20 hours to encrypt a 1TB hard drive; it would have been considerably quicker using just the AES algorithm instead of the cascade I selected.
DiskCryptor lets you know how long it will take to encrypt your operating system, and you can still work with your computer while it is being encrypted. I advise you to temporarily disable power management in Windows and set it to always on: Windows will not notice that the hard disk is being encrypted and may send the OS into hibernation believing the computer is inactive. If this happens, full disk encryption will stop and only resume once you switch the computer back on. I have found this problem with both DiskCryptor and Truecrypt; it is more of a Windows problem than an issue with the full disk encryption software.
DiskCryptor lets you benchmark the encryption ciphers (Tools > Benchmark). If you have a low-spec CPU and are in a hurry you can choose the cipher that performs best on your system; AES was the quickest for me, by a wide margin over Twofish and Serpent. Once the OS has been encrypted it doesn’t matter which cipher you used to encrypt it, performance will be the same. You can benchmark ciphers in Truecrypt too, but since only AES can be used for full disk encryption there is no point in doing it.
Truecrypt will ask you to enter your password after rebooting your computer, before it encrypts your operating system; DiskCryptor will not, it assumes you entered the passphrase correctly twice as asked and made no mistake. When using special characters in your password be aware that at boot time the keyboard has a US layout, which will not match a non-US keyboard; I searched for a photograph of the US keyboard layout on the Internet to make sure there would be no mistake about which keys to press.
Unlike Truecrypt’s, the DiskCryptor bootloader is highly configurable: I have my own (ASCII) logo at logon and I instructed DiskCryptor to time out after 30 seconds of inactivity, at which point the computer reboots; other options like halt and exit to BIOS are possible. Using a keyfile for full disk encryption is possible with DiskCryptor and not supported by Truecrypt. A keyfile will thwart dictionary attacks on your passphrase, but it cannot be just any file: it has to be a 64-byte file generated by DiskCryptor.
Windows 7 FDE specific problem
Unlike Vista, XP and lower Windows versions, when you use a whole disk encryption product on Windows 7, or install a dual boot, you will notice that Windows 7 automatically creates a 100MB system reserved partition. 24MB contains actual data; the rest is there for future use such as Bitlocker or system restore. This partition is hidden by Windows and only visible using a live CD or through the DiskCryptor or Truecrypt interface.
The Windows 7 system reserved partition contains some necessary boot files. Do not attempt to encrypt the Windows 7 system reserved partition like I did, because the computer will not boot! There are hacks around to merge that partition with the main Windows 7 operating system; I managed to do it by partitioning the hard disk with PartedMagic before installing Windows 7 and ignoring the Windows installation DVD asking me to create the system reserved partition. Everything worked fine until I fully encrypted Windows 7 without the system reserved space, and the computer refused to boot.
If you would like to use whole disk encryption in Windows 7 there is no choice but to give in and allow Windows to create the unencrypted 100MB system partition. This shouldn’t be a problem regarding data leakage; you can view the files it contains with a live CD. I managed to see a bootsect.bak file, bootmgr, a System Volume Information folder and a few others, with no obvious danger.
Truecrypt vs DiskCryptor comparison table
Feature | TRUECRYPT | DISKCRYPTOR
Open source license | Truecrypt own license | Standard Linux GPL license
Forces you to burn a recovery CD | YES | NO (optional)
Works with RAID volumes | YES | YES
Hidden operating system | YES | NO (pseudo)
Cross platform (Windows, Linux and Mac) | YES | NO
Option of cipher for full disk encryption | AES, Twofish, Serpent & cascades | AES, Twofish, Serpent & cascades
Supports keyfiles for full disk encryption | NO | YES
Can place bootloader on external device | NO | YES
Can create single encrypted containers | YES | NO
Portable mode | YES (admin rights) | NO
Encryption of external devices (USB, etc.) | YES | YES
Plausible deniability
DiskCryptor does not support the hidden operating system feature that Truecrypt has, but it allows you to install the bootloader on an external device, i.e. a USB thumbdrive or CD-ROM. That is where the files giving away that the operating system has been encrypted, and which software was used, are stored. If anyone seized your hard drive it would be possible to claim that it had been wiped clean, as no identifiable information can be extracted from the HDD other than random data, and there is no boot loader.
Plausible deniability here appears more sound than Truecrypt’s hidden operating system: if you give away the password for the non-hidden OS in Truecrypt, the timestamps and last activities could reveal that the computer has not been used for a long time.
A computer with no operating system and a wiped hard disk will look very suspicious; claims that it was wiped the day before would be met with incredulity, but it would be hard to prove that it didn’t happen. Even better, I came across a thread in the DiskCryptor forums about a dual OS setup where one Windows OS will only boot with the USB thumbdrive plugged in, and when it is not present the other OS boots. This setup makes one of the partitions look like random data rather than like two operating systems on one hard disk.
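A check worth running after moving the bootloader onto external media: does sector 0 of the disk still give anything away? The Python below is an added example, not code from the blog post or from either project; the marker strings and the two sample sectors are constructed for illustration, and the entropy threshold is an assumed rule of thumb.

```python
import math
import random
from collections import Counter

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a conventional MBR
# Product strings a forensic glance might look for. The exact text a real
# bootloader carries is an assumption here, not taken from the blog post.
MARKERS = (b"TrueCrypt", b"DiskCryptor")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext or random data sits near 8.0, boot code far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_first_sector(image: bytes) -> dict:
    """Inspect sector 0 of a raw disk image for signs of an on-disk bootloader.

    With the bootloader on a USB stick, sector 0 should carry no boot
    signature, no product strings, and near-maximal entropy."""
    sector = image[:SECTOR]
    result = {
        "boot_signature": sector[510:512] == BOOT_SIGNATURE,
        "markers": [m.decode() for m in MARKERS if m in sector],
        "entropy": round(shannon_entropy(sector), 2),
    }
    # 7.0 is an assumed threshold; 512 truly random bytes average about 7.6.
    result["looks_random"] = (
        not result["boot_signature"]
        and not result["markers"]
        and result["entropy"] > 7.0
    )
    return result


# --- constructed samples, not real disk images ----------------------------
# Stand-in for a sector still holding a bootloader: a few code bytes, a
# product string, zero padding, and the 0x55AA signature.
MBR_LIKE = (
    b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"TrueCrypt Boot Loader\x00"
).ljust(510, b"\x00") + BOOT_SIGNATURE

# Stand-in for an encrypted sector: every byte value exactly twice, in a
# seeded shuffle, so the entropy is exactly 8.0 while the layout looks random.
_rng = random.Random(20120101)
_pool = list(range(256)) * 2
_rng.shuffle(_pool)
CIPHERTEXT_LIKE = bytes(_pool)

if __name__ == "__main__":
    for name, img in (("mbr_like", MBR_LIKE), ("ciphertext_like", CIPHERTEXT_LIKE)):
        print(name, inspect_first_sector(img))
```

To run it against a real disk, pass the first 512 bytes read from the raw device (administrator rights needed) to `inspect_first_sector`.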
Conclusion Truecrypt vs Diskcryptor
If you have a tablet or netbook without a CD drive, go for DiskCryptor, because Truecrypt forces you to burn a recovery CD (there is a workaround using CD-drive virtualization software, e.g. Alcohol 120%, or the command line switch /noisocheck).
If you would like to open encrypted external devices using Linux or Mac, go for Truecrypt, as DiskCryptor is a Windows-only program. If you want to create single encrypted containers, go for Truecrypt, as DiskCryptor can’t do that.
Something in which Truecrypt beats DiskCryptor is documentation: the Truecrypt manual is very complete, while DiskCryptor’s consists of an incomplete online wiki. DiskCryptor can make up for this by showing off its ‘Blue Screen’ feature, a way to quickly crash your fully encrypted computer, letting you bind a quick emergency shutdown to any hotkey shortcut you like.
Security-wise, both Truecrypt and DiskCryptor have the same credentials, with their source code open to scrutiny and neither of them reviewed by any qualified cryptographer. Overall, DiskCryptor has more configuration features than Truecrypt, and Truecrypt is better at cross-platform compatibility.
Truecrypt: http://www.truecrypt.ch
DiskCryptor: https://www.diskcryptor.net
MrOlrich
TrueCrypt does not force you to _burn_ a recovery CD, but it forces you to make at least an ISO of one. If you do have a CD/DVD drive in the machine, you can temporarily remove its drive letter during the whole disk encryption setup, and then TrueCrypt will make an ISO. You can then move the ISO elsewhere and re-enable the CD/DVD drive’s drive letter.
hacker10
Hello Olrich,
I disagree with you, unless something has changed in the last version, I recall Truecrypt asking me to verify the .iso which means I had to burn it, I recall very well how I attempted to install Truecrypt full disk encryption on my Netbook and I was unable to do that because it would not let me carry on unless the .iso that it had created could be verified and since Netbooks have no CD drive I was unable to do it, that was using Truecrypt 6.0.
You also mention about removing the drive letter, Truecrypt documentation does not carry any information on how to do that, it surely would be easier for Truecrypt developers not to force people to burn an .iso for verification instead of people having to find a work around.
hacker10
MrOlrich
Hello,
I can’t remember what was the issue with version 6, that may have been as you say. But with version 7 (which has been out there for a while now), you do get the option of storing the ISO image somewhere (on a “removable drive” or something similar). You do not have to burn the ISO itself. I’ve done this on over fifty computers now, and having to burn CDs for each and every one of them, also for the ones I would have to connect a USB burner to, would be a great chore, and I’m glad I don’t have to do that any more.
It’s true as you say, the trick of temporarily removing the drive letter while setting up system encryption is not in the manual.
Kind regards,
Mr Olrich
hacker10
Hello,
I just tried with Truecrypt 7.1 (latest) and it did not work, you are correct that you can store the .iso image wherever you like, I never disputed it, the problem is that after saving the .iso to the hard disk, or the external USB thumbdrive (tried it both ways), on the screen that says “Rescue Disk Recording” when you click on next you get a message saying that it can not verify that the Rescue Disk has been correctly burned and will not let me carry on. In addition to that, on Truecrypt 7.1 latest instructions manual, chapter “System encryption“, “Truecrypt Rescue Disk“, page 34, it textually says “During the process of preparing the encryption of a system partition/drive, Truecrypt requires that you create a so called Truecrypt Rescue Disk“, they textually say you are required to do it.
Even if someone has found a workaround to avoid burning a Truecrypt recovery disk, I will not be changing the comparison because this is not supported by Truecrypt: they have no instructions on how to do it and they specifically mention in the manual that you are required to burn the CD, to the point that they even include a link so that you can download CD burning software. However, I would be very happy if I could understand how you say you managed to avoid burning that CD, because I could not really see how it was done; the only ways I know of doing that are using a virtual drive or using the command line (mentioned in the post), and if you found another way that will be of use for other people reading this.
Skipping the CD burning using the command line /noisocheck or /n, is mentioned in Truecrypt manual, but I am not going to count that because the average user does not use the command line, this is the only officially supported method for doing it.
hacker10
Mr Olrich
Hello again,
In TrueCrypt v7.x, before you start the System Encryption process, go to Disk Management (in Windows 7) and remove the drive letter for the CD/DVD drive. Then, when the System Encryption process reaches the Rescue Disk, specify the name for the ISO file. When you then click Next, there is a popup with three choices. Select the first one, “I have no CD/DVD burner but I will store the Rescue Disk ISO image on a removable drive (e.g. USB flash drive).” After that, it’s just a matter of OK-ing and Next-ting your way to the end of the System Encryption process.
You can now reassign the drive letter to the CD/DVD drive before the computer reboots, if you wish. The whole point of it is not to start the System Encryption process with a CD/DVD recorder accessible to the computer, otherwise you’ll not be able to skip burning the actual Rescue Disk.
I happened to come across this by chance when I started to encrypt a bunch of laptops, half of which did not have an internal CD/DVD drive, and noticed the TrueCrypt System Encryption wizard differed a little bit on those two computer “species” when it came to the Rescue Disk part. I then just tried to remove the drive letter of the CD/DVD drive on the computers that had one, and true enough, TrueCrypt let me get away with just making the ISO.
I will not go into the technicalities of whether or not TrueCrypt officially supports only making the ISO file for the Rescue Disk, but if you do this workaround as I describe, you are not presented with an error message or anything else stating that this is not allowed. The program does allow the process to continue, albeit with plentiful warnings and various encouragements to actually burn the Rescue Disk.
Since having a Rescue Disk is absolutely vital to any System Encrypted computer, I do understand why TrueCrypt does not allow you to not burn the CD, but I don’t necessarily agree with them. Not allowing users to opt out of the burning process is a bit of a “dumbification” of the users, especially when one is given ample warnings and there are certain scenarios where burning an actual CD is impractical. (When you encrypt 50 computers, it’s more convenient to just store the ISOs on a server, and burn one if you should happen to need it once.)
Hope this was a bit clarifying!
Kind regards,
Mr Olrich
hacker10
Hello Olrich,
I wasn’t aware of this trick and I suspect that the work around you explain could have been introduced specially for Netbooks as they do not have a CD-Drive, there is no need for the CD-Drive letter to disappear on a Netbook it simply isn’t there, my testing was on a Windows Vista machine and all I noticed is what I explained above, that when you click on “Next” Truecrypt would not allow me to carry on.
Thank you for having taken the time to explain this, I have now already encrypted my operating system so will not be trying it again, but hopefully it will be of use for others.
hacker10
vitamins
I recently downloaded TrueCrypt 7.1 for my Mac running OS X 10.5.8. I want to full disk encrypt my Mac, so that before the OS boots, the user is asked for my TrueCrypt password. The TrueCrypt documentation on their website says to do this:
“To encrypt a system partition or entire system drive, select System > Encrypt System Partition/Drive and then follow the instructions in the wizard. To decrypt a system partition/drive, select System > Permanently Decrypt System Partition/Drive.”
However, there is no “systems” menu to select “Encrypt System Partition/Drive” from in TC 7.1 for Mac.
If I choose “Create a Volume,” it gives me two options:
1. Create an encrypted file container
2. Create a volume within a partition/drive
If I click on the “Create a volume within a partition/drive” option, it eventually says, “WARNING: Note that the partition/device will be formatted and all data currently stored on it will be lost.”
I am totally lost. I don’t want to accidentally delete my entire hard drive, but it sounds like this will happen if I try to encrypt my entire hard drive (including the operating system).
Does anyone know of any clear documentation on how to full disk encrypt a Mac running OS X 10.5.8 using TC 7.1?
Any advice is much appreciated.
hacker10
Hello,
I don’t use Mac, I can only confirm that in Windows to fully encrypt your OS there is a “System > Encrypt System Partition/Drive” menu, Truecrypt documentation is correct.
hacker10
vitamins
Just figured it out. TrueCrypt does not support OS X for system encryption:
See also: “Supported Operating Systems”
http://www.truecrypt.org/docs/?s=sys-encryption-supported-os
hacker10
Thanks for the heads up, Truecrypt FAQ says that it runs on MAC OS X and Linux but they do not make it very clear that it can not encrypt the whole OS which is confusing.
PGP does support MAC OS whole disk encryption but it is very expensive.
hacker10
noname
actually truecrypt does not require you to burn a cd. use the /n option from cmd to avoid it.
“truecrypt format” /n
hacker10
Thank you for your input, I was aware of that option, but the average user is not going to use the command line, so I am not taking that into account.
Best regards,
hacker10
BrollyLSSJ
Nice comparison, but the thing with the 100 MB partition is wrong as I also encrypted that and am able to boot my system normally (System has been running for 1.5 years now with that encrypted system reserved partition.). And another handy feature of DC is, that you can integrate it into the Windows Vista / 7 DVD and be able to install Windows Vista / 7 on that encrypted drive without the need for re-encryption.
http://diskcryptor.net/forum/index.php?topic=2290.0
Other than that, it is a really nice comparison.
hacker10
Hello Brolly,
I am glad you managed to encrypt the 100MB partition but I have to write based on my results and it didn’t work for me. Different computer set ups can easily yield different results and that could be the explanation. Thank you for your comment and tip.
hacker10
BrollyLSSJ
No problem. I only wanted to say, that it is possible with and without the 100 / 200 MB partition.
Mark
You’re mixing up ordinary (BIOS, MBR) and UEFI/EFI installations. The 100 MB partition is only used by the latter. TrueCrypt does not support configurations with GPT and EFI.
Hank
If no one has suggested a solution to the burning of the .iso file for the TrueCrypt rescue disk with no physical CD/DVD drive, I have a suggestion. Download and run Win32 Disk Imager, change the .iso to .img where the wizard shows the default path and name for the image to be saved. Insert a USB drive, run the Win32 app to burn it to the USB drive, and when it finishes close the window that is up and click Next on the wizard and the Rescue Disk will be verified. Hope this helps.
Anonymous
Having an unencrypted writeable area of a disk i.e. a hidden partition dramatically increases the chances of information leakage. Even if windows itself never writes to this partition (a large leap of faith wrt software with source code that can’t be examined by the public) there’s nothing to say that other software won’t leak data to it. After all, it’s the standard disk configuration so any malware/spyware could assume that it would exist on any windows vista/7/8/8.1 machine that it’s running on.
Luckily, there are a few ways to deal with this. If you encrypt both partitions with the same key/file and configure the truecrypt bootloader correctly, the bootloader should be able to successfully decrypt both partitions and allow booting. Better still, if you hit Shift + F10 (boot in legacy mode; disable UEFI; truecrypt cannot boot off of GPT partitioned drives yet) while at the windows installer screen you will be given a command prompt through which you can access the program diskpart and create one partition that fills the drive using that program, which windows vista/7/8/8.1 will install to without hassle.
Anonymous
@Mark
Windows will still create a separate boot partition by default even when installed on an old computer or a new one in legacy BIOS mode. In UEFI mode it will create an EFI system partition that contains metadata about the disk and GPT aware bootloaders, a boot partition, a microsoft reserved partition (an empty filler/scratch area for future use because GPT doesn’t allow gaps between partitions) and then finally the GPT data partition which is the only one viewable in windows outside of the disk management tools, traditionally “C:”. This is with basic disks; dynamic disks (software spanning, RAID and striping) are a whole other kettle of fish outside the scope of this comment.
bfloyd28
I tried to use this to encrypt my hard drive and now my system says I have no OS. I had been running windows 8.1. My back up drive is not even recognized. Noon here who is totally lost as to what to do to recover my system. Help please.
Hacker10
Hello bfloyd28,
Sorry about your problems, I don’t really know if DiskCryptor supports Windows 8 and I can’t help you, if I were you I would try visiting DiskCryptor forum.
Best of luck
hacker10
NGG
Diskcryptor worked on my computer with Windows 8.1.
All I had to do is convert the system drive from GPT to MBR (used AOMEI Partition Manager for this), then encrypt the “boot” and “sys” volumes using the same password. It is now asking for the password on every boot.