In-Place Encryption using TrueCrypt while maintaining original drive letter

Posted on 2010-08-18
Last Modified: 2013-11-08
I am attempting to fully encrypt all hard drives on a number of servers at my company.  My problem is this:

We run a medical database off of a dedicated server which has 3 separate drives (all mirrored independently).  The OS resides on the C: drive, SQL database on the D: drive and the front end medical program on the E: drive.  All three operate in conjunction with one another.

I need to be able to encrypt all three drives using full disk encryption but need them to auto-mount on system boot (preboot authentication), I need the drives encrypted in-place to ensure there is no interruption in service, and I need the encrypted volumes to maintain their original drive letters since the needed programs have been running upwards of 18 months and I cannot afford a reinstallation to allow the drive references to be changed.

The system partition is easy, no need for instruction there.  My issue then becomes encrypting non-system partitions in place and allowing the original drive letter to be used.  Is there any way to do this with TrueCrypt?  My initial thoughts are that I need to dump the files off a set of hard drives, use disk management to change drive letters, encrypt and reinsert files, then add to system favorites, verifying that the original drive letter is being used as well as making sure it is loaded using preboot authentication.  That process really gives me chills considering without this database, the company shuts down.  Is there a better way of doing this or even a better 3rd party software to utilize?

Any recommendations would be greatly appreciated.
Question by:mcvay178

Accepted Solution

SysExpert earned 500 total points
ID: 33468134
First of all, as part of Disaster Recovery, you should have access to a backup server and use that while you are doing your encryption.

1) Full backup - preferably twice

2) Shut down all services accessing data (SQL, etc.)

3) Change drive letters of D, E to F, G or similar

4) Encrypt data and now use D and E for encrypted drives

If there are problems you can either reverse the process or restore from backups as needed.

I hope this helps!

Author Comment

ID: 33469030
This is pretty much what I was expecting.  You didn't mention anything about pulling data off of the drives initially.  Does this mean that you can encrypt non-system partitions 'in-place' with TrueCrypt?  If so, a brief description of how to get to this capability would be greatly appreciated.  I am working on getting a backup server updated to the appropriate database level while I perform the encryption.

Expert Comment

ID: 33470626
Not sure, but I thought the newest version supported something like this.

Depending on your RAID controller, it may be possible to unmirror the drives as your backup (if RAID 1)
so that you can then encrypt one drive, copy the data from the other mirror so no additional copying is needed.

But your RAID mirror must support mirroring from 1 drive to another rather than starting from scratch.

Otherwise you will need to back up and copy the data over after encrypting.


Author Comment

ID: 33477277
I luckily have a test server already set up for the medical database in question.  A few changes in IP address in the front end INI files along with changing adapter settings and a quick update will get me a functional backup in place.  I will look at the RAID setup and see what I can't find out but would rather leave as much as possible in place on the system.  Since the server was set up by another company and shipped to us before I began working here, the system is a bit of an enigma to me.

I will proceed with duplicate full backups and simply copying the data off of the D: and E: drives and replacing after encryption and hope for the best.   Will post back and award points once the procedure is complete.

Author Comment

ID: 33538506
Just a follow up.  Spent the past weekend encrypting all system drives.  All encryption was successful.  Unfortunately TrueCrypt does not have the ability to encrypt non-system partitions in place on any operating system older than Vista or Server 2008.  This centers around the fact that older OS's do not support 'on the fly' adjustments to partition size, which apparently TrueCrypt requires for an in place encryption.

Method to follow was to run dual backups and have a test server in standby for disaster recovery, use Unlocker to kill all processes accessing the random files on the server (after shutting down all services known to access the files), and perform a copy and paste to a spare backup drive.  At this point, access Computer Management, change the drive letter and reboot.  Run disk encryption.  With TrueCrypt 7.0, if you have an encrypted system partition you can add a non-system partition to the mounting list for the preboot authenticator.  To do this, simply make the non-system partition a system favorite, access the System Favorites properties and set it to mount when the system comes up.

Only downside was my data partition took upwards of 5 hours to encrypt but our company now has significant mitigating factors in place to deal with HIPAA laws assuming the server ever grew legs.
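
The copy-off, encrypt, copy-back procedure described in the comment above wipes the plaintext originals at the encryption step, so the copy on the spare drive is worth verifying first. As an added example (not code from the thread; the function names and sample file names are made up for illustration), this Python script builds a SHA-256 manifest of each tree and reports missing or altered files:

```python
import hashlib
import os
import shutil
import tempfile

def _fail(err):
    # os.walk skips unreadable directories silently by default; abort instead.
    raise err

def build_manifest(root):
    """Map each file path (relative to root) to (size, SHA-256 hex digest)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root, onerror=_fail):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            # A file that cannot be opened (for example, still locked by a
            # service) raises here, so an incomplete copy is never accepted.
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), digest.hexdigest())
    return manifest

def compare_manifests(original, copy):
    """Return sorted lists (missing, changed, extra) of relative paths."""
    missing = sorted(p for p in original if p not in copy)
    changed = sorted(p for p in original if p in copy and original[p] != copy[p])
    extra = sorted(p for p in copy if p not in original)
    return missing, changed, extra

def safe_to_proceed(original_root, copy_root):
    """True only if every original file is present and identical in the copy."""
    missing, changed, _ = compare_manifests(
        build_manifest(original_root), build_manifest(copy_root))
    return not missing and not changed

if __name__ == "__main__":
    # Constructed sample trees standing in for D: and the spare backup drive.
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "D"), os.path.join(tmp, "spare")
        os.makedirs(src)
        with open(os.path.join(src, "records.dat"), "wb") as fh:
            fh.write(b"constructed sample data")
        shutil.copytree(src, dst)
        print("copy verified:", safe_to_proceed(src, dst))
```

The same comparison can be rerun with the roots swapped once the data has been copied back onto the encrypted volume under its original drive letter.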

Author Closing Comment

ID: 33538515
Solution basically confirmed my initial assumptions so helped in that way, but did not provide specific information regarding the system favorites capabilities of TrueCrypt or the specifics regarding in-place encryption.  That being said, the confirmation was help in and of itself.  TYTY!
