Sunday, April 15, 2012

How To Migrate Encrypted Drive

Problem

I recently got a new 240 GB SSD to replace my older one. The old one was encrypted with TrueCrypt, which makes a clean migration harder.

The usual advice you will get when migrating to a new hard drive is to decrypt the data on the old one, migrate, then re-encrypt the new one. It would have been good advice, except that there is no way to guarantee that all the existing data has been overwritten:
The security risk associated with SSDs is that sensitive data cannot be reliably erased due to the delayed erasure of deleted blocks and the operation of the SSD wear-leveling mechanism. The solution is to encrypt the SSD as soon as you take possession of it and before you write any sensitive data to it in plaintext. 
Thus, it's not a system encryption issue or a TrueCrypt issue. The issue is that you can't reliably sanitize an SSD. If you've already written sensitive data to an SSD as plaintext then it's too late for you to achieve 100% data privacy. 
Why is this important? The data that could be left on the drive may include, among other sensitive data, portions of the swap file, which contains a raw memory dump with all the keys and passwords in unencrypted form. With the SSD wear-leveling mechanism, you can pretty much guarantee that sectors of the swap file will be all over the place. Therefore, it is crucial that the drive is encrypted before migration.

Plan

Here's what I'm planning to do. In order to boot successfully from the SSD, you must have a) a properly set up master boot record; b) a correct copy of the drive.

Here is the process I will follow:
  1. Replace the existing disk with the new one.
  2. Install the operating system from scratch; ensure it has no page file.
  3. Convert the system partition to TrueCrypt.
  4. Put the old drive back and boot from it, with the new drive attached.
  5. Mount both drives. Using Acronis, make a sector-by-sector copy.
Stay tuned, I will make another post once I get a drive.
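
One check that fits this plan, as an added example (not part of the original post, and not a TrueCrypt or Acronis tool): after step 3, and again after step 5, read the new drive's raw device or an image of it and flag blocks that do not look like ciphertext. The 4096-byte block size, the 7.5 bits/byte threshold and the sample data are assumptions; the scan only sees blocks the drive exposes, not flash held back by wear leveling, and the unencrypted boot loader area at the start of a system drive is expected to be flagged.

```python
import hashlib
import io
import math
from collections import Counter

BLOCK = 4096       # bytes judged at a time (assumed; large enough for a stable estimate)
THRESHOLD = 7.5    # bits/byte (assumed); random 4096-byte blocks measure about 7.95

def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def scan(stream, block=BLOCK, threshold=THRESHOLD):
    """Return ([(offset, entropy)] of plaintext-looking blocks, count of all-zero blocks)."""
    low, zero, offset = [], 0, 0
    while True:
        data = stream.read(block)
        if len(data) < block:      # end of input; a short tail is too small to judge
            break
        if data.count(0) == block:
            zero += 1              # never written, trimmed, or left unencrypted
        else:
            h = entropy(data)
            if h < threshold:      # compressed plaintext also scores high and is missed
                low.append((offset, round(h, 2)))
        offset += block
    return low, zero

def keystream(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 in counter mode (sample data only)."""
    out, i = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
        i += 1
    return bytes(out[:n])

def sample_image() -> bytes:
    """Constructed 5-block image: ciphertext, text remnant, zeros, two ciphertext blocks."""
    text = (b"password=hunter2 user=alice " * 200)[:BLOCK]
    return keystream(BLOCK) + text + bytes(BLOCK) + keystream(2 * BLOCK, b"other")

if __name__ == "__main__":
    low, zero = scan(io.BytesIO(sample_image()))
    print("plaintext-looking blocks:", low, "all-zero blocks:", zero)
```

For a real drive, pass a file object opened in binary mode on the raw device or on an image of it instead of the constructed sample.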
