In-Place Encryption using TrueCrypt while maintaining original drive letter

Posted on 2010-08-18
Medium Priority
Last Modified: 2013-11-08
I am attempting to fully encrypt all hard drives on a number of servers at my company.  My problem is this:

We run a medical database off of a dedicated server which has 3 separate drives (all mirrored independently). The OS resides on the C: drive, SQL database on the D: drive and the front end medical program on the E: drive. All three operate in conjunction with one another.

I need to be able to encrypt all three drives using full disk encryption but need them to auto-mount on system boot (preboot authentication), I need the drives encrypted in-place to ensure there is no interruption in service, and I need the encrypted volumes to maintain their original drive letters since the needed programs have been running upwards of 18 months and I cannot afford a reinstallation to allow the drive references to be changed.

The system partition is easy, no need for instruction there. My issue then becomes encrypting non-system partitions in place and allowing the original drive letter to be used. Is there any way to do this with TrueCrypt? My initial thoughts are that I need to dump the files off a set of hard drives, use disk management to change drive letters, encrypt and reinsert files, then add to system favorites, verifying that the original drive letter is being used as well as making sure it is loaded using preboot authentication. That process really gives me chills considering without this database, the company shuts down. Is there a better way of doing this or even a better 3rd party software to utilize?

Any recommendations would be greatly appreciated.
Question by:mcvay178

Accepted Solution

SysExpert earned 1500 total points
ID: 33468134
First of all, as part of Disaster Recovery, you should have access to a backup server and use that while you are doing your encryption.

1) Full backup - preferably twice

2) Shut down all services accessing data (SQL etc.)

3) Change drive letters of D, E to F, G or similar

4) Encrypt data and now use D and E for encrypted drives

If there are problems you can either reverse the process or restore from backups as needed.

I hope this helps !

Author Comment

ID: 33469030
This is pretty much what I was expecting. You didn't mention anything about pulling data off of the drives initially. Does this mean that you can encrypt non-system partitions 'in-place' with TrueCrypt? If so, a brief description of how to get to this capability would be greatly appreciated. I am working on getting a backup server updated to the appropriate database level while I perform the encryption.

Expert Comment

ID: 33470626
Not sure, but I thought the newest version supported something like this.

Depending on your RAID controller, it may be possible to unmirror the drives as your backup (if RAID 1) so that you can then encrypt one drive, copy the data from the other mirror so no additional copying is needed.

But your RAID mirror must support mirroring from 1 drive to another rather than starting from scratch.

Otherwise you will need to back up and copy the data over after encrypting.


Author Comment

ID: 33477277
I luckily have a test server already set up for the medical database in question. A few changes in IP address in the front end INI files along with changing adapter settings and a quick update will get me a functional backup in place. I will look at the RAID setup and see what I can't find out but would rather leave as much as possible in place on the system. Since the server was set up by another company and shipped to us before I began working here, the system is a bit of an enigma to me.

I will proceed with duplicate full backups and simply copying the data off of the D: and E: drives and replacing after encryption and hope for the best.   Will post back and award points once the procedure is complete.

Author Comment

ID: 33538506
Just a follow up. Spent the past weekend encrypting all system drives. All encryption was successful. Unfortunately TrueCrypt does not have the ability to encrypt non-system partitions in place on any operating system older than Vista or Server 2008. This centers around the fact that older OS's do not support 'on the fly' adjustments to partition size, which apparently TrueCrypt requires for an in-place encryption.

Method to follow was to run dual backups and have a test server in standby for disaster recovery, use Unlocker to kill all processes accessing the random files on the server (after shutting down all services known to access the files). Perform a copy and paste to a spare backup drive. At this point, access computer management and change the drive letter and reboot. Run disk encryption. With TrueCrypt 7.0, if you have an encrypted system partition you can add a non-system partition to the mounting list for the preboot authenticator. To do this, simply make the non-system partition a system favorite and access the System Favorites properties and set to mount when system comes up.

Only downside was my data partition took upwards of 5 hours to encrypt but our company now has significant mitigating factors in place to deal with HIPAA laws assuming the server ever grew legs.

Author Closing Comment

ID: 33538515
Solution basically confirmed my initial assumptions so helped in that way, but did not provide specific information regarding the system favorites capabilities of TrueCrypt or the specifics regarding in-place encryption. That being said, the confirmation was help in and of itself. TYTY!
