BitLocker takes days on an empty external disk / Is “Encrypt used disk space only” available on Windows...
I have Windows 7 x64 and a brand new USB external 2 TB hard drive. I formatted it and I confirm it's empty.
I enabled BitLocker, and two things happen:
It is about to take at least 10 hours or even days:
The disk was initially empty (1.81 TB free / 1.81 TB total), but just after enabling BitLocker, it's like the disk is immediately full (5.99 GB free out of 1.81 TB):
No files are present when I open F:
though.
Why does BitLocker take hours on a brand new empty disk?
Note: I've found this screenshot for Windows 10 here. Is the option "Encrypt used disk space only" available in Windows 7 for removable devices ("BitLocker To Go")?
windows-7 hard-drive external-hard-drive encryption bitlocker
add a comment |
I have Windows 7 x64 and a brand new USB external 2 TB hard drive. I formatted it and I confirm it's empty.
I enabled BitLocker, and two things happen:
It is about to take at least 10 hours or even days:
The disk was initially empty (1.81 TB free / 1.81 TB total), but just after enabling BitLocker, it's like the disk is immediately full (5.99 GB free out of 1.81 TB):
No files are present when I open F:
though.
Why does BitLocker take hours on a brand new empty disk?
Note: I've found this screenshot for Windows 10 here. Is the option "Encrypt used disk space only" available in Windows 7 for removable devices ("BitLocker To Go")?
windows-7 hard-drive external-hard-drive encryption bitlocker
@Kinnectus New vs old does not matter, of course. But here it's an empty disk, so there is no data to initially encrypt. Here in this topic it is said it should be instantly done...
– Basj
Nov 22 '18 at 14:55
1
Make also sure you use the fastest USB port(s) available on your machine. While the answer addresses the need to encrypt the entire drive, 2TB can be done faster
– usr-local-ΕΨΗΕΛΩΝ
Nov 23 '18 at 8:47
1
@Basj: Instantly enabling encryption ("encrypted drive") only works with Windows 8 and above. That's basically just telling the drive which is already encrypting anyway to secure the decryption master key or replace the decryption key password with a different one, whichever. Nothing really changes on the actual disk. Early Bitlocker implementations were unluckily pretty dumb to the point of being unusable. They don't get around encrypting every block in software when the hardware is already doing that anyway.
– Damon
Nov 23 '18 at 13:31
@Damon this isn't correct on drives that don't support hardware encryption (and I've not seen details on whether this is true for HW encrypted drives). Used space only encryption does exactly that: it reads, encrypts, and writes every block on the volume that's in use. See the quote from Microsoft in my answer for details.
– Twisty Impersonator
Nov 23 '18 at 18:49
add a comment |
I have Windows 7 x64 and a brand new USB external 2 TB hard drive. I formatted it and I confirm it's empty.
I enabled BitLocker, and two things happen:
It is about to take at least 10 hours or even days:
The disk was initially empty (1.81 TB free / 1.81 TB total), but just after enabling BitLocker, it's like the disk is immediately full (5.99 GB free out of 1.81 TB):
No files are present when I open F:
though.
Why does BitLocker take hours on a brand new empty disk?
Note: I've found this screenshot for Windows 10 here. Is the option "Encrypt used disk space only" available in Windows 7 for removable devices ("BitLocker To Go")?
windows-7 hard-drive external-hard-drive encryption bitlocker
I have Windows 7 x64 and a brand new USB external 2 TB hard drive. I formatted it and I confirm it's empty.
I enabled BitLocker, and two things happen:
It is about to take at least 10 hours or even days:
The disk was initially empty (1.81 TB free / 1.81 TB total), but just after enabling BitLocker, it's like the disk is immediately full (5.99 GB free out of 1.81 TB):
No files are present when I open F:
though.
Why does BitLocker take hours on a brand new empty disk?
Note: I've found this screenshot for Windows 10 here. Is the option "Encrypt used disk space only" available in Windows 7 for removable devices ("BitLocker To Go")?
windows-7 hard-drive external-hard-drive encryption bitlocker
windows-7 hard-drive external-hard-drive encryption bitlocker
edited Nov 22 '18 at 18:12
Twisty Impersonator
18.5k146699
18.5k146699
asked Nov 22 '18 at 14:41
BasjBasj
793629
793629
@Kinnectus New vs old does not matter, of course. But here it's an empty disk, so there is no data to initially encrypt. Here in this topic it is said it should be instantly done...
– Basj
Nov 22 '18 at 14:55
1
Make also sure you use the fastest USB port(s) available on your machine. While the answer addresses the need to encrypt the entire drive, 2TB can be done faster
– usr-local-ΕΨΗΕΛΩΝ
Nov 23 '18 at 8:47
1
@Basj: Instantly enabling encryption ("encrypted drive") only works with Windows 8 and above. That's basically just telling the drive which is already encrypting anyway to secure the decryption master key or replace the decryption key password with a different one, whichever. Nothing really changes on the actual disk. Early Bitlocker implementations were unluckily pretty dumb to the point of being unusable. They don't get around encrypting every block in software when the hardware is already doing that anyway.
– Damon
Nov 23 '18 at 13:31
@Damon this isn't correct on drives that don't support hardware encryption (and I've not seen details on whether this is true for HW encrypted drives). Used space only encryption does exactly that: it reads, encrypts, and writes every block on the volume that's in use. See the quote from Microsoft in my answer for details.
– Twisty Impersonator
Nov 23 '18 at 18:49
add a comment |
@Kinnectus New vs old does not matter, of course. But here it's an empty disk, so there is no data to initially encrypt. Here in this topic it is said it should be instantly done...
– Basj
Nov 22 '18 at 14:55
1
Make also sure you use the fastest USB port(s) available on your machine. While the answer addresses the need to encrypt the entire drive, 2TB can be done faster
– usr-local-ΕΨΗΕΛΩΝ
Nov 23 '18 at 8:47
1
@Basj: Instantly enabling encryption ("encrypted drive") only works with Windows 8 and above. That's basically just telling the drive which is already encrypting anyway to secure the decryption master key or replace the decryption key password with a different one, whichever. Nothing really changes on the actual disk. Early Bitlocker implementations were unluckily pretty dumb to the point of being unusable. They don't get around encrypting every block in software when the hardware is already doing that anyway.
– Damon
Nov 23 '18 at 13:31
@Damon this isn't correct on drives that don't support hardware encryption (and I've not seen details on whether this is true for HW encrypted drives). Used space only encryption does exactly that: it reads, encrypts, and writes every block on the volume that's in use. See the quote from Microsoft in my answer for details.
– Twisty Impersonator
Nov 23 '18 at 18:49
@Kinnectus New vs old does not matter, of course. But here it's an empty disk, so there is no data to initially encrypt. Here in this topic it is said it should be instantly done...
– Basj
Nov 22 '18 at 14:55
@Kinnectus New vs old does not matter, of course. But here it's an empty disk, so there is no data to initially encrypt. Here in this topic it is said it should be instantly done...
– Basj
Nov 22 '18 at 14:55
1
1
Make also sure you use the fastest USB port(s) available on your machine. While the answer addresses the need to encrypt the entire drive, 2TB can be done faster
– usr-local-ΕΨΗΕΛΩΝ
Nov 23 '18 at 8:47
Make also sure you use the fastest USB port(s) available on your machine. While the answer addresses the need to encrypt the entire drive, 2TB can be done faster
– usr-local-ΕΨΗΕΛΩΝ
Nov 23 '18 at 8:47
1
1
@Basj: Instantly enabling encryption ("encrypted drive") only works with Windows 8 and above. That's basically just telling the drive which is already encrypting anyway to secure the decryption master key or replace the decryption key password with a different one, whichever. Nothing really changes on the actual disk. Early Bitlocker implementations were unluckily pretty dumb to the point of being unusable. They don't get around encrypting every block in software when the hardware is already doing that anyway.
– Damon
Nov 23 '18 at 13:31
@Basj: Instantly enabling encryption ("encrypted drive") only works with Windows 8 and above. That's basically just telling the drive which is already encrypting anyway to secure the decryption master key or replace the decryption key password with a different one, whichever. Nothing really changes on the actual disk. Early Bitlocker implementations were unluckily pretty dumb to the point of being unusable. They don't get around encrypting every block in software when the hardware is already doing that anyway.
– Damon
Nov 23 '18 at 13:31
@Damon this isn't correct on drives that don't support hardware encryption (and I've not seen details on whether this is true for HW encrypted drives). Used space only encryption does exactly that: it reads, encrypts, and writes every block on the volume that's in use. See the quote from Microsoft in my answer for details.
– Twisty Impersonator
Nov 23 '18 at 18:49
@Damon this isn't correct on drives that don't support hardware encryption (and I've not seen details on whether this is true for HW encrypted drives). Used space only encryption does exactly that: it reads, encrypts, and writes every block on the volume that's in use. See the quote from Microsoft in my answer for details.
– Twisty Impersonator
Nov 23 '18 at 18:49
add a comment |
4 Answers
4
active
oldest
votes
Is the option "Encrypt used disk space only" available in Windows 7?
Unfortunately no. This option was introduced with Windows 8, as announced in the Microsoft TechNet Tip of the Day post BitLocker 'Encrypt Used Disk Space Only':
Previously, BitLocker encryption has been an ‘all or nothing’. Either a volume was completely encrypted or it was not. Windows 8 brings us a new option, ‘Encrypt Used Disk Space Only’.
Why does BitLocker take hours on a brand new empty disk?
Because without the Encrypt Used Space Only option, BitLocker must encrypt the entire disk, i.e. both data and free space (technically it only wipes the free space). This is also why the volume has only 6 GB free space during the encryption process. Here's the Microsoft BitLocker Team's explanation of what's going on:
Q: I enabled BitLocker on my volume and – poof! – all my free space is
gone! What’s wrong? More importantly, how do I get it back?
Good news: nothing is wrong and the only thing that you have to do to
get it back is wait. Here’s a high level explanation (some intricate
technical details have been omitted for brevity).
In the IT world “delete” usually means “remove from plain view” rather
than “obliterate out of existence”. Unallocated disk space is prone to
contain interesting data: rotting skeletons of compensation
spreadsheets, “deleted” text files with passwords and credit card
numbers, discarded autosave copies of top secret presentations. Hence,
BitLocker cannot just ignore free space when the volume is being
encrypted.
On the other hand, encrypting (or, to be exact, “reading, encrypting,
and writing back”) free space is a real waste on a typical volume that
is usually less than twenty percent full. As a performance
optimization, BitLocker simply overwrites unallocated space with
noise, thereby avoiding redundant reads. As expected, wiping free
space is about two times faster than encrypting data, but it still
takes considerable time on large volumes.
Now, free space tends to be very fluid. Unallocated chunks of disk
space appear and disappear all over the place, all the time.
Determining whether a given sector needs to be encrypted or wiped at a
particular moment of time is a considerable technical challenge.
BitLocker solves this problem by creating a huge file that takes most
of the available disk space (leaving 6 GB for short-term system needs)
and wiping disk sectors that belong to the file. Everything else
(including ~6 GB of free space not occupied by the wipe file) is
encrypted. When encryption of the volume is paused or completed, the
wipe file is deleted and the amount of available free space reverts to
normal.
And the reason why the option is available at all even though it leaks information about disk usage is because SSDs use the free blocks for wear leveling and caching.
– ratchet freak
Nov 23 '18 at 10:51
add a comment |
Additional solution:
Use a friend's Windows 10 to format the drive + enable BitLocker with "Encrypt used disk space only" feature on. It will take only a few minutes.
When you're back on Windows 7 Ultimate, you can still read/write the disk
And even better:
- When you're back on Windows 7 Pro, you can still read/write the disk!
The latter is very interesting because "BitLocker is unavailable for Windows 7 Professional and it cannot be downloaded and installed.". My test showed that creating a new BitLocker-encrypted disk is not possible with Windows 7 Pro, but using (read+write) on an already-BitLocker-enabled is possible with Windows 7 Pro!
1
+1 for investing time to verify this and getting it figured out yourself!
– gronostaj
Nov 22 '18 at 22:13
Thanks @gronostaj... I spent hours today trying BitLocker + VeraCrypt :) Finally I'll use BitLocker, because if I use VeraCrypt, then I'll be the only one at home to be able to use this external HDD. The UI/UX of VeraCrypt is not possible for a non-power user (many little - only little, but still - drawbacks that would make it difficult to use for my family). It was an interesting test!
– Basj
Nov 22 '18 at 22:46
add a comment |
Full disk encryption isn't only about hiding content of files; it's also about hiding their presence or lack. A properly encrypted disk should look like it's completely filled with random data unless you know the encryption key.
BitLocker was probably fully formatting the encrypted volume, i.e. filling it with zeros, to make sure every part of it looks like random data before decryption.
Is it like this by default? People said here in this old topic that it should be instant for an empty partition. Also I see in this postyou can choose between "encrypt only new data" and "encrypt data which is already on the drive"
. Where can one modify this BitLocker setting in Windows 7?
– Basj
Nov 22 '18 at 15:02
See the edited end of the question, do you know where to find this option in Windows 7?
– Basj
Nov 22 '18 at 15:13
Sorry, I don't know that. It's possible that this feature was introduced later.
– gronostaj
Nov 22 '18 at 15:50
When you use BitLocker yourself @gronostaj, is it useful to have 24hrs+ of work to initialize an empty new external USB hard drive?
– Basj
Nov 22 '18 at 16:44
1
@Basj I don't use Bitlocker, but I have some experience with similar solutions for Linux. Whether it's useful or not depends on your risk model. Having a fully encrypted drive will make it impossible to discern which areas of disk are unused. If you don't care about attackers knowing that, then you can save time by skipping full formatting.
– gronostaj
Nov 22 '18 at 17:11
|
show 1 more comment
Since Windows 7 BitLocker will encrypt the whole disk, it has to read and write to the entire volume. This can take much longer on an external disk due to bandwidth limits on some interfaces like USB1/2. Also external storage devices (non-SSD) tend to be slower spinning disks to help with reliability since external storage is moved more often.
What do you mean by "...to help with reliability since external storage is moved more often"? Can you elaborate (by editing your answer, not responding here in comments (if appropriate))?
– Peter Mortensen
Nov 23 '18 at 19:52
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1377591%2fbitlocker-takes-days-on-an-empty-external-disk-is-encrypt-used-disk-space-onl%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
Is the option "Encrypt used disk space only" available in Windows 7?
Unfortunately no. This option was introduced with Windows 8, as announced in the Microsoft TechNet Tip of the Day post BitLocker 'Encrypt Used Disk Space Only':
Previously, BitLocker encryption has been an ‘all or nothing’. Either a volume was completely encrypted or it was not. Windows 8 brings us a new option, ‘Encrypt Used Disk Space Only’.
Why does BitLocker take hours on a brand new empty disk?
Because without the Encrypt Used Space Only option, BitLocker must encrypt the entire disk, i.e. both data and free space (technically it only wipes the free space). This is also why the volume has only 6 GB free space during the encryption process. Here's the Microsoft BitLocker Team's explanation of what's going on:
Q: I enabled BitLocker on my volume and – poof! – all my free space is
gone! What’s wrong? More importantly, how do I get it back?
Good news: nothing is wrong and the only thing that you have to do to
get it back is wait. Here’s a high level explanation (some intricate
technical details have been omitted for brevity).
In the IT world “delete” usually means “remove from plain view” rather
than “obliterate out of existence”. Unallocated disk space is prone to
contain interesting data: rotting skeletons of compensation
spreadsheets, “deleted” text files with passwords and credit card
numbers, discarded autosave copies of top secret presentations. Hence,
BitLocker cannot just ignore free space when the volume is being
encrypted.
On the other hand, encrypting (or, to be exact, “reading, encrypting,
and writing back”) free space is a real waste on a typical volume that
is usually less than twenty percent full. As a performance
optimization, BitLocker simply overwrites unallocated space with
noise, thereby avoiding redundant reads. As expected, wiping free
space is about two times faster than encrypting data, but it still
takes considerable time on large volumes.
Now, free space tends to be very fluid. Unallocated chunks of disk
space appear and disappear all over the place, all the time.
Determining whether a given sector needs to be encrypted or wiped at a
particular moment of time is a considerable technical challenge.
BitLocker solves this problem by creating a huge file that takes most
of the available disk space (leaving 6 GB for short-term system needs)
and wiping disk sectors that belong to the file. Everything else
(including ~6 GB of free space not occupied by the wipe file) is
encrypted. When encryption of the volume is paused or completed, the
wipe file is deleted and the amount of available free space reverts to
normal.
And the reason why the option is available at all even though it leaks information about disk usage is because SSDs use the free blocks for wear leveling and caching.
– ratchet freak
Nov 23 '18 at 10:51
add a comment |
Is the option "Encrypt used disk space only" available in Windows 7?
Unfortunately no. This option was introduced with Windows 8, as announced in the Microsoft TechNet Tip of the Day post BitLocker 'Encrypt Used Disk Space Only':
Previously, BitLocker encryption has been an ‘all or nothing’. Either a volume was completely encrypted or it was not. Windows 8 brings us a new option, ‘Encrypt Used Disk Space Only’.
Why does BitLocker take hours on a brand new empty disk?
Because without the Encrypt Used Space Only option, BitLocker must encrypt the entire disk, i.e. both data and free space (technically it only wipes the free space). This is also why the volume has only 6 GB free space during the encryption process. Here's the Microsoft BitLocker Team's explanation of what's going on:
Q: I enabled BitLocker on my volume and – poof! – all my free space is
gone! What’s wrong? More importantly, how do I get it back?
Good news: nothing is wrong and the only thing that you have to do to
get it back is wait. Here’s a high level explanation (some intricate
technical details have been omitted for brevity).
In the IT world “delete” usually means “remove from plain view” rather
than “obliterate out of existence”. Unallocated disk space is prone to
contain interesting data: rotting skeletons of compensation
spreadsheets, “deleted” text files with passwords and credit card
numbers, discarded autosave copies of top secret presentations. Hence,
BitLocker cannot just ignore free space when the volume is being
encrypted.
On the other hand, encrypting (or, to be exact, “reading, encrypting,
and writing back”) free space is a real waste on a typical volume that
is usually less than twenty percent full. As a performance
optimization, BitLocker simply overwrites unallocated space with
noise, thereby avoiding redundant reads. As expected, wiping free
space is about two times faster than encrypting data, but it still
takes considerable time on large volumes.
Now, free space tends to be very fluid. Unallocated chunks of disk
space appear and disappear all over the place, all the time.
Determining whether a given sector needs to be encrypted or wiped at a
particular moment of time is a considerable technical challenge.
BitLocker solves this problem by creating a huge file that takes most
of the available disk space (leaving 6 GB for short-term system needs)
and wiping disk sectors that belong to the file. Everything else
(including ~6 GB of free space not occupied by the wipe file) is
encrypted. When encryption of the volume is paused or completed, the
wipe file is deleted and the amount of available free space reverts to
normal.
And the reason why the option is available at all even though it leaks information about disk usage is because SSDs use the free blocks for wear leveling and caching.
– ratchet freak
Nov 23 '18 at 10:51
add a comment |
Is the option "Encrypt used disk space only" available in Windows 7?
Unfortunately no. This option was introduced with Windows 8, as announced in the Microsoft TechNet Tip of the Day post BitLocker 'Encrypt Used Disk Space Only':
Previously, BitLocker encryption has been an ‘all or nothing’. Either a volume was completely encrypted or it was not. Windows 8 brings us a new option, ‘Encrypt Used Disk Space Only’.
Why does BitLocker take hours on a brand new empty disk?
Because without the Encrypt Used Space Only option, BitLocker must encrypt the entire disk, i.e. both data and free space (technically it only wipes the free space). This is also why the volume has only 6 GB free space during the encryption process. Here's the Microsoft BitLocker Team's explanation of what's going on:
Q: I enabled BitLocker on my volume and – poof! – all my free space is
gone! What’s wrong? More importantly, how do I get it back?
Good news: nothing is wrong and the only thing that you have to do to
get it back is wait. Here’s a high level explanation (some intricate
technical details have been omitted for brevity).
In the IT world “delete” usually means “remove from plain view” rather
than “obliterate out of existence”. Unallocated disk space is prone to
contain interesting data: rotting skeletons of compensation
spreadsheets, “deleted” text files with passwords and credit card
numbers, discarded autosave copies of top secret presentations. Hence,
BitLocker cannot just ignore free space when the volume is being
encrypted.
On the other hand, encrypting (or, to be exact, “reading, encrypting,
and writing back”) free space is a real waste on a typical volume that
is usually less than twenty percent full. As a performance
optimization, BitLocker simply overwrites unallocated space with
noise, thereby avoiding redundant reads. As expected, wiping free
space is about two times faster than encrypting data, but it still
takes considerable time on large volumes.
Now, free space tends to be very fluid. Unallocated chunks of disk
space appear and disappear all over the place, all the time.
Determining whether a given sector needs to be encrypted or wiped at a
particular moment of time is a considerable technical challenge.
BitLocker solves this problem by creating a huge file that takes most
of the available disk space (leaving 6 GB for short-term system needs)
and wiping disk sectors that belong to the file. Everything else
(including ~6 GB of free space not occupied by the wipe file) is
encrypted. When encryption of the volume is paused or completed, the
wipe file is deleted and the amount of available free space reverts to
normal.
Is the option "Encrypt used disk space only" available in Windows 7?
Unfortunately no. This option was introduced with Windows 8, as announced in the Microsoft TechNet Tip of the Day post BitLocker 'Encrypt Used Disk Space Only':
Previously, BitLocker encryption has been an ‘all or nothing’. Either a volume was completely encrypted or it was not. Windows 8 brings us a new option, ‘Encrypt Used Disk Space Only’.
Why does BitLocker take hours on a brand new empty disk?
Because without the Encrypt Used Space Only option, BitLocker must encrypt the entire disk, i.e. both data and free space (technically it only wipes the free space). This is also why the volume has only 6 GB free space during the encryption process. Here's the Microsoft BitLocker Team's explanation of what's going on:
Q: I enabled BitLocker on my volume and – poof! – all my free space is
gone! What’s wrong? More importantly, how do I get it back?
Good news: nothing is wrong and the only thing that you have to do to
get it back is wait. Here’s a high level explanation (some intricate
technical details have been omitted for brevity).
In the IT world “delete” usually means “remove from plain view” rather
than “obliterate out of existence”. Unallocated disk space is prone to
contain interesting data: rotting skeletons of compensation
spreadsheets, “deleted” text files with passwords and credit card
numbers, discarded autosave copies of top secret presentations. Hence,
BitLocker cannot just ignore free space when the volume is being
encrypted.
On the other hand, encrypting (or, to be exact, “reading, encrypting,
and writing back”) free space is a real waste on a typical volume that
is usually less than twenty percent full. As a performance
optimization, BitLocker simply overwrites unallocated space with
noise, thereby avoiding redundant reads. As expected, wiping free
space is about two times faster than encrypting data, but it still
takes considerable time on large volumes.
Now, free space tends to be very fluid. Unallocated chunks of disk
space appear and disappear all over the place, all the time.
Determining whether a given sector needs to be encrypted or wiped at a
particular moment of time is a considerable technical challenge.
BitLocker solves this problem by creating a huge file that takes most
of the available disk space (leaving 6 GB for short-term system needs)
and wiping disk sectors that belong to the file. Everything else
(including ~6 GB of free space not occupied by the wipe file) is
encrypted. When encryption of the volume is paused or completed, the
wipe file is deleted and the amount of available free space reverts to
normal.
edited Nov 22 '18 at 20:59
answered Nov 22 '18 at 18:03
Twisty ImpersonatorTwisty Impersonator
18.5k146699
18.5k146699
And the reason why the option is available at all even though it leaks information about disk usage is because SSDs use the free blocks for wear leveling and caching.
– ratchet freak
Nov 23 '18 at 10:51
add a comment |
And the reason why the option is available at all even though it leaks information about disk usage is because SSDs use the free blocks for wear leveling and caching.
– ratchet freak
Nov 23 '18 at 10:51
And the reason why the option is available at all even though it leaks information about disk usage is because SSDs use the free blocks for wear leveling and caching.
– ratchet freak
Nov 23 '18 at 10:51
And the reason why the option is available at all even though it leaks information about disk usage is because SSDs use the free blocks for wear leveling and caching.
– ratchet freak
Nov 23 '18 at 10:51
add a comment |
Additional solution:
Use a friend's Windows 10 to format the drive + enable BitLocker with "Encrypt used disk space only" feature on. It will take only a few minutes.
When you're back on Windows 7 Ultimate, you can still read/write the disk
And even better:
- When you're back on Windows 7 Pro, you can still read/write the disk!
The latter is very interesting because "BitLocker is unavailable for Windows 7 Professional and it cannot be downloaded and installed.". My test showed that creating a new BitLocker-encrypted disk is not possible with Windows 7 Pro, but using (read+write) on an already-BitLocker-enabled is possible with Windows 7 Pro!
1
+1 for investing time to verify this and getting it figured out yourself!
– gronostaj
Nov 22 '18 at 22:13
Thanks @gronostaj... I spent hours today trying BitLocker + VeraCrypt :) Finally I'll use BitLocker, because if I use VeraCrypt, then I'll be the only one at home to be able to use this external HDD. The UI/UX of VeraCrypt is not possible for a non-power user (many little - only little, but still - drawbacks that would make it difficult to use for my family). It was an interesting test!
– Basj
Nov 22 '18 at 22:46
add a comment |
Additional solution:
Use a friend's Windows 10 to format the drive + enable BitLocker with "Encrypt used disk space only" feature on. It will take only a few minutes.
When you're back on Windows 7 Ultimate, you can still read/write the disk
And even better:
- When you're back on Windows 7 Pro, you can still read/write the disk!
The latter is very interesting because "BitLocker is unavailable for Windows 7 Professional and it cannot be downloaded and installed.". My test showed that creating a new BitLocker-encrypted disk is not possible with Windows 7 Pro, but using (read+write) on an already-BitLocker-enabled is possible with Windows 7 Pro!
1
+1 for investing time to verify this and getting it figured out yourself!
– gronostaj
Nov 22 '18 at 22:13
Thanks @gronostaj... I spent hours today trying BitLocker + VeraCrypt :) Finally I'll use BitLocker, because if I use VeraCrypt, then I'll be the only one at home to be able to use this external HDD. The UI/UX of VeraCrypt is not possible for a non-power user (many little - only little, but still - drawbacks that would make it difficult to use for my family). It was an interesting test!
– Basj
Nov 22 '18 at 22:46
add a comment |
Additional solution:
Use a friend's Windows 10 to format the drive + enable BitLocker with "Encrypt used disk space only" feature on. It will take only a few minutes.
When you're back on Windows 7 Ultimate, you can still read/write the disk
And even better:
- When you're back on Windows 7 Pro, you can still read/write the disk!
The latter is very interesting because "BitLocker is unavailable for Windows 7 Professional and it cannot be downloaded and installed.". My test showed that creating a new BitLocker-encrypted disk is not possible with Windows 7 Pro, but using (read+write) on an already-BitLocker-enabled is possible with Windows 7 Pro!
Additional solution:
Use a friend's Windows 10 to format the drive + enable BitLocker with "Encrypt used disk space only" feature on. It will take only a few minutes.
When you're back on Windows 7 Ultimate, you can still read/write the disk
And even better:
- When you're back on Windows 7 Pro, you can still read/write the disk!
The latter is very interesting because "BitLocker is unavailable for Windows 7 Professional and it cannot be downloaded and installed.". My test showed that creating a new BitLocker-encrypted disk is not possible with Windows 7 Pro, but using (read+write) on an already-BitLocker-enabled is possible with Windows 7 Pro!
answered Nov 22 '18 at 21:32
BasjBasj
793629
793629
1
+1 for investing time to verify this and getting it figured out yourself!
– gronostaj
Nov 22 '18 at 22:13
Thanks @gronostaj... I spent hours today trying BitLocker + VeraCrypt :) Finally I'll use BitLocker, because if I use VeraCrypt, then I'll be the only one at home to be able to use this external HDD. The UI/UX of VeraCrypt is not possible for a non-power user (many little - only little, but still - drawbacks that would make it difficult to use for my family). It was an interesting test!
– Basj
Nov 22 '18 at 22:46
add a comment |
1
+1 for investing time to verify this and getting it figured out yourself!
– gronostaj
Nov 22 '18 at 22:13
Thanks @gronostaj... I spent hours today trying BitLocker + VeraCrypt :) Finally I'll use BitLocker, because if I use VeraCrypt, then I'll be the only one at home to be able to use this external HDD. The UI/UX of VeraCrypt is not possible for a non-power user (many little - only little, but still - drawbacks that would make it difficult to use for my family). It was an interesting test!
– Basj
Nov 22 '18 at 22:46
1
1
+1 for investing time to verify this and getting it figured out yourself!
– gronostaj
Nov 22 '18 at 22:13
+1 for investing time to verify this and getting it figured out yourself!
– gronostaj
Nov 22 '18 at 22:13
Thanks @gronostaj... I spent hours today trying BitLocker + VeraCrypt :) Finally I'll use BitLocker, because if I use VeraCrypt, then I'll be the only one at home to be able to use this external HDD. The UI/UX of VeraCrypt is not possible for a non-power user (many little - only little, but still - drawbacks that would make it difficult to use for my family). It was an interesting test!
– Basj
Nov 22 '18 at 22:46
Thanks @gronostaj... I spent hours today trying BitLocker + VeraCrypt :) Finally I'll use BitLocker, because if I use VeraCrypt, then I'll be the only one at home to be able to use this external HDD. The UI/UX of VeraCrypt is not possible for a non-power user (many little - only little, but still - drawbacks that would make it difficult to use for my family). It was an interesting test!
– Basj
Nov 22 '18 at 22:46
add a comment |
Full disk encryption isn't only about hiding content of files; it's also about hiding their presence or lack. A properly encrypted disk should look like it's completely filled with random data unless you know the encryption key.
BitLocker was probably fully formatting the encrypted volume, i.e. filling it with zeros, to make sure every part of it looks like random data before decryption.
Is it like this by default? People said here in this old topic that it should be instant for an empty partition. Also I see in this postyou can choose between "encrypt only new data" and "encrypt data which is already on the drive"
. Where can one modify this BitLocker setting in Windows 7?
– Basj
Nov 22 '18 at 15:02
See the edited end of the question, do you know where to find this option in Windows 7?
– Basj
Nov 22 '18 at 15:13
Sorry, I don't know that. It's possible that this feature was introduced later.
– gronostaj
Nov 22 '18 at 15:50
When you use BitLocker yourself @gronostaj, is it useful to have 24hrs+ of work to initialize an empty new external USB hard drive?
– Basj
Nov 22 '18 at 16:44
1
@Basj I don't use Bitlocker, but I have some experience with similar solutions for Linux. Whether it's useful or not depends on your risk model. Having a fully encrypted drive will make it impossible to discern which areas of disk are unused. If you don't care about attackers knowing that, then you can save time by skipping full formatting.
– gronostaj
Nov 22 '18 at 17:11
|
show 1 more comment
Full disk encryption isn't only about hiding content of files; it's also about hiding their presence or lack. A properly encrypted disk should look like it's completely filled with random data unless you know the encryption key.
BitLocker was probably fully formatting the encrypted volume, i.e. filling it with zeros, to make sure every part of it looks like random data before decryption.
Is it like this by default? People said here in this old topic that it should be instant for an empty partition. Also I see in this postyou can choose between "encrypt only new data" and "encrypt data which is already on the drive"
. Where can one modify this BitLocker setting in Windows 7?
– Basj
Nov 22 '18 at 15:02
See the edited end of the question, do you know where to find this option in Windows 7?
– Basj
Nov 22 '18 at 15:13
Sorry, I don't know that. It's possible that this feature was introduced later.
– gronostaj
Nov 22 '18 at 15:50
When you use BitLocker yourself @gronostaj, is it useful to have 24hrs+ of work to initialize an empty new external USB hard drive?
– Basj
Nov 22 '18 at 16:44
1
@Basj I don't use Bitlocker, but I have some experience with similar solutions for Linux. Whether it's useful or not depends on your risk model. Having a fully encrypted drive will make it impossible to discern which areas of disk are unused. If you don't care about attackers knowing that, then you can save time by skipping full formatting.
– gronostaj
Nov 22 '18 at 17:11
|
show 1 more comment
Full disk encryption isn't only about hiding content of files; it's also about hiding their presence or lack. A properly encrypted disk should look like it's completely filled with random data unless you know the encryption key.
BitLocker was probably fully formatting the encrypted volume, i.e. filling it with zeros, to make sure every part of it looks like random data before decryption.
Full disk encryption isn't only about hiding content of files; it's also about hiding their presence or lack. A properly encrypted disk should look like it's completely filled with random data unless you know the encryption key.
BitLocker was probably fully formatting the encrypted volume, i.e. filling it with zeros, to make sure every part of it looks like random data before decryption.
edited Nov 23 '18 at 19:26
Peter Mortensen
8,376166185
8,376166185
answered Nov 22 '18 at 14:57
gronostajgronostaj
28.4k1471107
28.4k1471107
Is it like this by default? People said here in this old topic that it should be instant for an empty partition. Also I see in this postyou can choose between "encrypt only new data" and "encrypt data which is already on the drive"
. Where can one modify this BitLocker setting in Windows 7?
– Basj
Nov 22 '18 at 15:02
See the edited end of the question, do you know where to find this option in Windows 7?
– Basj
Nov 22 '18 at 15:13
Sorry, I don't know that. It's possible that this feature was introduced later.
– gronostaj
Nov 22 '18 at 15:50
When you use BitLocker yourself @gronostaj, is it useful to have 24hrs+ of work to initialize an empty new external USB hard drive?
– Basj
Nov 22 '18 at 16:44
1
@Basj I don't use Bitlocker, but I have some experience with similar solutions for Linux. Whether it's useful or not depends on your risk model. Having a fully encrypted drive will make it impossible to discern which areas of disk are unused. If you don't care about attackers knowing that, then you can save time by skipping full formatting.
– gronostaj
Nov 22 '18 at 17:11
|
show 1 more comment
Is it like this by default? People said here in this old topic that it should be instant for an empty partition. Also I see in this postyou can choose between "encrypt only new data" and "encrypt data which is already on the drive"
. Where can one modify this BitLocker setting in Windows 7?
– Basj
Nov 22 '18 at 15:02
See the edited end of the question, do you know where to find this option in Windows 7?
– Basj
Nov 22 '18 at 15:13
Sorry, I don't know that. It's possible that this feature was introduced later.
– gronostaj
Nov 22 '18 at 15:50
When you use BitLocker yourself @gronostaj, is it useful to have 24hrs+ of work to initialize an empty new external USB hard drive?
– Basj
Nov 22 '18 at 16:44
1
@Basj I don't use Bitlocker, but I have some experience with similar solutions for Linux. Whether it's useful or not depends on your risk model. Having a fully encrypted drive will make it impossible to discern which areas of disk are unused. If you don't care about attackers knowing that, then you can save time by skipping full formatting.
– gronostaj
Nov 22 '18 at 17:11
Is it like this by default? People said here in this old topic that it should be instant for an empty partition. Also I see in this post
you can choose between "encrypt only new data" and "encrypt data which is already on the drive"
. Where can one modify this BitLocker setting in Windows 7?– Basj
Nov 22 '18 at 15:02
Is it like this by default? People said here in this old topic that it should be instant for an empty partition. Also I see in this post
you can choose between "encrypt only new data" and "encrypt data which is already on the drive"
. Where can one modify this BitLocker setting in Windows 7?– Basj
Nov 22 '18 at 15:02
See the edited end of the question, do you know where to find this option in Windows 7?
– Basj
Nov 22 '18 at 15:13
See the edited end of the question, do you know where to find this option in Windows 7?
– Basj
Nov 22 '18 at 15:13
Sorry, I don't know that. It's possible that this feature was introduced later.
– gronostaj
Nov 22 '18 at 15:50
Sorry, I don't know that. It's possible that this feature was introduced later.
– gronostaj
Nov 22 '18 at 15:50
When you use BitLocker yourself @gronostaj, is it useful to have 24hrs+ of work to initialize an empty new external USB hard drive?
– Basj
Nov 22 '18 at 16:44
When you use BitLocker yourself @gronostaj, is it useful to have 24hrs+ of work to initialize an empty new external USB hard drive?
– Basj
Nov 22 '18 at 16:44
1
1
@Basj I don't use Bitlocker, but I have some experience with similar solutions for Linux. Whether it's useful or not depends on your risk model. Having a fully encrypted drive will make it impossible to discern which areas of disk are unused. If you don't care about attackers knowing that, then you can save time by skipping full formatting.
– gronostaj
Nov 22 '18 at 17:11
@Basj I don't use Bitlocker, but I have some experience with similar solutions for Linux. Whether it's useful or not depends on your risk model. Having a fully encrypted drive will make it impossible to discern which areas of disk are unused. If you don't care about attackers knowing that, then you can save time by skipping full formatting.
– gronostaj
Nov 22 '18 at 17:11
|
show 1 more comment
Since Windows 7 BitLocker will encrypt the whole disk, it has to read and write to the entire volume. This can take much longer on an external disk due to bandwidth limits on some interfaces like USB1/2. Also external storage devices (non-SSD) tend to be slower spinning disks to help with reliability since external storage is moved more often.
What do you mean by "...to help with reliability since external storage is moved more often"? Can you elaborate (by editing your answer, not responding here in comments (if appropriate))?
– Peter Mortensen
Nov 23 '18 at 19:52
add a comment |
Since Windows 7 BitLocker will encrypt the whole disk, it has to read and write to the entire volume. This can take much longer on an external disk due to bandwidth limits on some interfaces like USB1/2. Also external storage devices (non-SSD) tend to be slower spinning disks to help with reliability since external storage is moved more often.
What do you mean by "...to help with reliability since external storage is moved more often"? Can you elaborate (by editing your answer, not responding here in comments (if appropriate))?
– Peter Mortensen
Nov 23 '18 at 19:52
add a comment |
Since Windows 7 BitLocker will encrypt the whole disk, it has to read and write to the entire volume. This can take much longer on an external disk due to bandwidth limits on some interfaces like USB1/2. Also external storage devices (non-SSD) tend to be slower spinning disks to help with reliability since external storage is moved more often.
Since Windows 7 BitLocker will encrypt the whole disk, it has to read and write to the entire volume. This can take much longer on an external disk due to bandwidth limits on some interfaces like USB1/2. Also external storage devices (non-SSD) tend to be slower spinning disks to help with reliability since external storage is moved more often.
edited Nov 23 '18 at 19:49
Peter Mortensen
8,376166185
8,376166185
answered Nov 23 '18 at 8:56
Secured2kSecured2k
111
111
What do you mean by "...to help with reliability since external storage is moved more often"? Can you elaborate (by editing your answer, not responding here in comments (if appropriate))?
– Peter Mortensen
Nov 23 '18 at 19:52
add a comment |
What do you mean by "...to help with reliability since external storage is moved more often"? Can you elaborate (by editing your answer, not responding here in comments (if appropriate))?
– Peter Mortensen
Nov 23 '18 at 19:52
What do you mean by "...to help with reliability since external storage is moved more often"? Can you elaborate (by editing your answer, not responding here in comments (if appropriate))?
– Peter Mortensen
Nov 23 '18 at 19:52
What do you mean by "...to help with reliability since external storage is moved more often"? Can you elaborate (by editing your answer, not responding here in comments (if appropriate))?
– Peter Mortensen
Nov 23 '18 at 19:52
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1377591%2fbitlocker-takes-days-on-an-empty-external-disk-is-encrypt-used-disk-space-onl%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
@Kinnectus New vs old does not matter, of course. But here it's an empty disk, so there is no data to initially encrypt. Here in this topic it is said it should be instantly done...
– Basj
Nov 22 '18 at 14:55
1
Make also sure you use the fastest USB port(s) available on your machine. While the answer addresses the need to encrypt the entire drive, 2TB can be done faster
– usr-local-ΕΨΗΕΛΩΝ
Nov 23 '18 at 8:47
1
@Basj: Instantly enabling encryption ("encrypted drive") only works with Windows 8 and above. That's basically just telling the drive which is already encrypting anyway to secure the decryption master key or replace the decryption key password with a different one, whichever. Nothing really changes on the actual disk. Early Bitlocker implementations were unluckily pretty dumb to the point of being unusable. They don't get around encrypting every block in software when the hardware is already doing that anyway.
– Damon
Nov 23 '18 at 13:31
@Damon this isn't correct on drives that don't support hardware encryption (and I've not seen details on whether this is true for HW encrypted drives). Used space only encryption does exactly that: it reads, encrypts, and writes every block on the volume that's in use. See the quote from Microsoft in my answer for details.
– Twisty Impersonator
Nov 23 '18 at 18:49