Speed up the migration of encrypted drives to another software
DiskCryptor has been my go-to program on Windows when it comes to encrypting entire hard drives and the system partition since 2012.
Development stopped, however, several years ago. While the program works fine even on the latest versions of Windows 10, I decided some time ago to switch to another encryption software.
The main reason was that I disliked using a program that was not in active development. The consequence was that bugs or security issues would not be fixed and that it would not support any new features either (e.g. new encryption algorithms, encryption algorithm updates, performance improvements).
I decided to migrate to VeraCrypt, a cross-platform encryption software based on TrueCrypt code. VeraCrypt is in active development and it was audited for security-issues.
The main issue that I faced after I made the decision was that I could not simply migrate encrypted disks from DiskCryptor to VeraCrypt.
The prospect of having to decrypt all DiskCryptor encrypted hard drives one by one to encrypt them again using VeraCrypt was not a pleasant one. Initial tests revealed that it would take a day to decrypt the 4 Terabyte drives and even longer to decrypt the 8 Terabyte drive. But decrypting was only part of the operation, as I had to encrypt the drives as well using VeraCrypt afterward which meant that I would have to spend a week at least getting this done.
Speed up the process
Here is what I did to speed up the process significantly: instead of decrypting drives to encrypt them again, I decided to move all files to another drive, format the-then-empty drive using quick format, and encrypt it using VeraCrypt in the end.
Moving required that I had enough free space on another drive (which I had). All I did was mount two of the drives and move all files from one drive to the other so that the source drive would have zero files on it.
I right-clicked on the drive and select the format option to run a quick format on it.
Doing so was no security or privacy issue as I would encrypt the entire drive again using VeraCrypt after the formatting ended. Even better, VeraCrypt could encrypt the entire drive quickly because no data was on the drive.
The whole operation took about two hours (with moving files off the drive and on again after the VeraCrypt encryption process completed) instead of the two or so days that it would have taken if I would have run decrypt and encrypt operations on the drive.
I repeated the process for the other drives and moved the files of the other drives to the VeraCrypt encrypted drives.
It took less than a day to process all hard drives and migrate from the old encryption software to the new software.
Closing Words
The main caveat is that you need a drive with enough free disk space to park the files that are on the drive that you want to migrate to another encryption software.
Now You: Do you encrypt your drives and system?
@Ryan, thanks for your input. That’s my bad – I did not ask clearly enough. If I booted off an Acronis flash drive or anything else – so my partition is encrypted and locked and I back it up sector by sector – what would be an expected outcome? If I try to restore it and then mount it in the OS assuming that I have the keys/password – will I be able to access the data?
@Ascar, assuming you use VeraCrypt or something similar: if you are within your OS as you make the backup, there will be no issue. The backup software, like every other software on the system (think MS Word), is reading the files in cleartext as it builds your backup archive. This is because the encryption/decryption happens at the kernel driver layer. So from Acronis’ standpoint, making a backup of your encrypted partition is no different from any other backup.
Be aware then that if you are saving your backup to another unencrypted disk, the backup itself will also be unencrypted just as if you had copied a document to an external unencrypted USB drive (unless of course Acronis adds its own encryption to backups)
Hello, all.
Can someone tell me whether I can make image-level backups (e.g. Acronis) of encrypted partitions/disks?
Hello, thanks for article.
One question: How did you deal with Veracrypt PIM requirements?
If have password shorten than 20 character, Veracrypt is unlocking drive dozens of seconds.
If you have password longer than 20 char. you can set PIM to 1 and have instant unlock.
Thanks
I have opened an issue about this on GitHub, for a while: https://github.com/veracrypt/VeraCrypt/issues/204
Sadly, the author Mounir Idrassi still hasn’t replied to it, and it seems the issue will be pending for a while… I’d love to be proven the contrary :)
I think that there are some workarounds – for example encrypt with older VeraCrypt version and after that upgrade, or use CipherShed and upgrade to Veracrypt…
It is sad that Bitlocker is so good in compare and VeraCrypt is less usable than TrueCrypt few years ago…
@Supliment thanks for this, I really need to read up more about the software I use.
https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20%28PIM%29.html
Thank you very much for tips !
Does VeraCrypt support Windows OS upgrades/installations ?
If it is like TrueCrypt, you need to decrypt the drive to upgrade. Don’t think that changed but have not tried with VeraCrypt.
Thank you very much for your answer.
Well, that would be a big drawback compared to BitLocker unfortunately… even if I would much prefer an open source solution.
They have been fixing the Windows 10 upgrade issue in the recent beta versions:
https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/
Unfortunately, the performance impact on disk operations is still massive in comparison to BitLocker (and DiskCryptor too):
https://github.com/veracrypt/VeraCrypt/issues/136
Thanks a lot for your input !
People still use software encryption that affects performance?
@Jeff:
Sure. Sometimes software encryption is the best solution, and sometimes it’s the only solution.
I thought VeraCrypt had issues with MS updates on Windows 10 in cases where you encrypt the entire drive? Have they fixed that now?
“Do you encrypt your drives and system?”
I encrypt everything on my mobile devices and on my NAS, but on my other home devices, I don’t. For my really sensitive data, I have an encrypted USB stick.
No encrypted system not even drive here. I do understand the pertinence of encrypting a laptop, should it be stolen or peeked at in an unfamiliar environment, but when it comes to a home PC I linger to understand what the benefit would be.
I do use the old TrueCrypt 7.1a, never decided myself to switch to VeraCrypt, as a simple vault for more/less confidential data, built for a 512MB only virtual drive, and I still happen to ask myself if it’s worth it. I think encryption choices depend largely on the user’s context : would Robinson Crusoe set a lock to his home-made bungalow?! :=)
I never felt a great need to encrypt a whole system drive. For one thing, I know it would make me a little nervous at the result, and possible glitch.
I also still use Truecrypt 7.1, since I simply do not mind if it has all the latest algorithms or bugfixes, as I found Truecrypt to be very settled and happy on my systems.
For me, the idea that there could be a tiny way into one of those old Truecrypt containers just doesn’t matter, because there’s nothing in there that is the end of the world if it was broken into. And who is going to do that? It just isn’t going to happen…..so for me, its “containers only”, and not volumes….and the old software is still doing very nicely thank you.
I use veracrypt for all my systems simply due to compatibility across all major OS.
I do use this method when buying new drives or moving data or simply re-encrypting.
One key fact is that both the source and temporary drive are full disk encrypted.
Never ever decrypt a drive and expose your data unless you can write over the data enough times (which takes time ie days) if you are going to use the drive again or take the drive apart and destroy it if its old and being retired.
There is also an alleged backdoor built in to Diskcryptor.
The source files was pulled quickly by moderator and its difficult to try and replicate the scenario.
But even so I since flagged Discryptor. Don’t touch it until it can be proven otherwise.
https://www.reddit.com/r/crypto/comments/7axp15/alleged_diskcryptor_backdoor/
In short words the boot sector would be able to boot another encrypted disk if you booted from disk B and A is still connected as the boot sector will look for other diskcryptor drives and act as a slave if another drive is present.
If you type the password for disk A the password would still boot disk B.
I tried this and failed to boot disk B but then I did not have much time to play around with this.
Hi update relating to this alleged issue (longtime DC forum members said it’s false):
https://diskcryptor.net/forum/index.php?topic=5702.0