In-Place Encryption using TrueCrypt while maintaining original drive letter

Posted on 2010-08-18
Medium Priority
Last Modified: 2013-11-08
I am attempting to fully encrypt all hard drives on a number of servers at my company.  My problem is this:

We run a medical database off of a dedicated server which has 3 separate drives (all mirrored independently).  The OS resides on the C: drive, SQL database on the D: drive and the front end medical program on the E: drive.  All three operate in conjunction with one another.

I need to be able to encrypt all three drives using full disk encryption but need them to auto-mount on system boot (preboot authentication), I need the drives encrypted in-place to ensure there is no interruption in service, and I need the encrypted volumes to maintain their original drive letters since the needed programs have been running upwards of 18 months and I cannot afford a reinstallation to allow the drive references to be changed.

The system partition is easy, no need for instruction there.  My issue then becomes encrypting non system partitions in place and allowing the original drive letter to be used.  Is there any way to do this with TrueCrypt?  My initial thoughts are that I need to dump the files off a set of hard drives, use disk management to change drive letters, encrypt and reinsert files, then add to system favorites verifying that the original drive letter is being used as well as making sure it is loaded using preboot authentication.  That process really gives me chills considering without this database, the company shuts down.  Is there a better way of doing this or even a better 3rd party software to utilize?

Any recommendations would be greatly appreciated.
Question by:mcvay178
LVL 63

Accepted Solution

SysExpert earned 1500 total points
ID: 33468134
First of all, as part of Disaster Recovery, you should have access to a backup server and use that while you are doing your encryption.

1) Full backup - preferably twice

2) Shut down all services accessing data (SQL etc.)

3) Change drive letters of D, E to F, G or similar

4) Encrypt data and now use D and E for encrypted drives

If there are problems you can either reverse the process or restore from backups as needed.

I hope this helps!

Author Comment

ID: 33469030
This is pretty much what I was expecting.  You didn't mention anything about pulling data off of the drives initially.  Does this mean that you can encrypt non system partitions 'in-place' with TrueCrypt?  If so, a brief description of how to get to this capability would be greatly appreciated.  I am working on getting a backup server updated to the appropriate database level while I perform the encryption.
LVL 63

Expert Comment

ID: 33470626
Not sure, but I thought the newest version supported something like this.

Depending on your RAID controller, it may be possible to unmirror the drives as your backup (if RAID 1) so that you can then encrypt one drive, copy the data from the other mirror so no additional copying is needed.

But your RAID mirror must support mirroring from 1 drive to another rather than starting from scratch.

Otherwise you will need to backup and copy the data over after encrypting.


Author Comment

ID: 33477277
I luckily have a test server already set up for the medical database in question.  A few changes in IP address in the front end INI files along with changing adapter settings and a quick update will get me a functional backup in place.  I will look at the raid setup and see what I can't find out but would rather leave as much as possible in place on the system.  Since the server was set up by another company and shipped to us before I began working here, the system is a bit of an enigma to me.

I will proceed with duplicate full backups and simply copying the data off of the D: and E: drives and replacing after encryption and hope for the best.   Will post back and award points once the procedure is complete.

Author Comment

ID: 33538506
Just a follow up.  Spent the past weekend encrypting all system drives.  All encryption was successful.  Unfortunately TrueCrypt does not have the ability to encrypt non-system partitions in place on any operating system older than Vista or Server 2008.  This centers around the fact that older OS's do not support 'on the fly' adjustments to partition size, which apparently TrueCrypt requires for an in place encryption.

Method to follow was to run dual backups and have a test server in standby for disaster recovery, use unlocker to kill all processes accessing the random files on the server (after shutting down all services known to access the files).  Perform a copy and paste to a spare backup drive.  At this point, access computer management and change the drive letter and reboot.  Run disk encryption.  With TrueCrypt 7.0 if you have an encrypted system partition you can add a non system partition to the mounting list for the preboot authenticator.  To do this, simply make the non system partition a system favorite and access the System favorites properties and set to mount when system comes up.

Only downside was my data partition took upwards of 5 hours to encrypt but our company now has significant mitigating factors in place to deal with HIPAA laws assuming the server ever grew legs.
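
The copy-off, encrypt, copy-back procedure described above can be checked for silent data loss by hashing every file before the copy and again after the restore to the remounted drive letter. The following is an added example, not part of the original thread; the file names and temporary directories are constructed stand-ins for the D: volume, and the manifests should be taken while the database services are stopped.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                # Read in 1 MiB chunks so large database files fit in memory
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest

def compare(before, after):
    """Return files that went missing, changed content, or newly appeared."""
    return {
        "missing": sorted(set(before) - set(after)),
        "changed": sorted(p for p in before
                          if p in after and before[p] != after[p]),
        "extra": sorted(set(after) - set(before)),
    }

def demo():
    # Constructed sample data: two temp directories stand in for the original
    # D: volume and the restored, encrypted volume remounted as D:.
    with tempfile.TemporaryDirectory() as src, \
         tempfile.TemporaryDirectory() as dst:
        for root in (src, dst):
            os.makedirs(os.path.join(root, "data"))
            with open(os.path.join(root, "data", "clinic.mdf"), "wb") as fh:
                fh.write(b"database pages")
            with open(os.path.join(root, "app.ini"), "wb") as fh:
                fh.write(b"server=10.0.0.5")
        # Simulate a truncated copy and a file dropped during the restore
        with open(os.path.join(dst, "data", "clinic.mdf"), "wb") as fh:
            fh.write(b"database pa")
        os.remove(os.path.join(dst, "app.ini"))
        return compare(build_manifest(src), build_manifest(dst))

if __name__ == "__main__":
    print(demo())
```

An empty result in all three lists is the condition for restarting services against the encrypted volume; anything else means restoring the affected files from the spare copy or the backups first.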

Author Closing Comment

ID: 33538515
Solution basically confirmed my initial assumptions so helped in that way, but did not provide specific information regarding the system favorites capabilities of TrueCrypt or the specifics regarding in place encryption.  That being said, the confirmation was help in and of itself.  TYTY!

Question has a verified solution.