Subscribe via e-mail: 
Last year, Intel introduced a new system platform called AtomTM, which consumes less power compared to standard CPUs and is highly integrated. A new type of PC developed around this platform: the netbook. Although the Atom offers very little CPU power, certain advantages of the netbooks make them attractive to mobile home and business users alike: compact size, long-lasting battery charge, and low price.
Because netbooks are designed to be taken with you everywhere, their small size makes it easier for you to forget them and for criminals to steal. A lost netbook containing sensitive data could be a real threat, particularly to enterprises whose very survival can depend on the security of their data.
The Enterprise and Ultimate editions of Windows 7 offer a comfortable way to encrypt your hard disk and protect your data, called BitLocker. Encryption isn’t free, however, even with this tool—it needs CPU power. On common CPUs, you will barely notice a difference in how fast the computer deals with your daily work whether your hard disk is encrypted or not. Atom computers, however, just cope with a slim Windows Desktop, and as soon as more applications run at the same time the system feels slow. Enabling encryption further cripples their performance.
A few options exist to help you gain a little bit of performance. You can set a group policy to change the default encryption algorithm from 128 bit key with diffuser to AES 128 bit without diffuser, which lets you gain a little bit of performance at the expense of security. Installing more memory offers another boost in performance because the data is only encrypted when written to the hard disk. Neither option will increase the performance significantly, though, but maybe another encryption tool will.
TrueCrypt, a free application that was already discussed in a few posts, offers fewer options than BitLocker regarding centralized management. Nonetheless, TrueCrypt is very popular because it’s free and it is open source. For some security gurus, open source is the only way to implement secure encryption because—by obfuscating code and not making it publicly available—the number of persons who can review and test the algorithm are limited.
To decide if it’s worth it to switch to TrueCrypt I ran some benchmarks on an Atom N260 Netbook. For BitLocker, I chose three different encryption algorithms. For TrueCrypt, I chose only the fastest algorithm according to its built-in benchmark. Here are the results:
As you can see, TrueCrypt performs worse. The default BitLocker algorithm (AES 128 bit with diffuser) is 12% faster. If you use the same algorithm in BitLocker and TrueCrypt, BitLocker is even faster by 14%. So switching to TrueCrypt in order to increase performance is a bad idea. But in defense of TrueCrypt I have to say that the difference is hardly noticeable; running encryption on a netbook makes it slow whether BitLocker or TrueCrypt is used.
So the only feasible approach would be a hard disk with built-in encryption, which pretty much negates the advantage of a Netbook.
Does a TPM improve performance for BitLocker? i.e. offloading encrypt/decrypt to the TPM should reduce the work the CPU is doing (obviously not available in a Netbook). I haven’t noticed (or measured though) any difference after enabling BitLocker on a laptop with a TPM.
Aaron, the TPM does not do any sort of encryption offloading. It’s basically just a smart card soldered to the motherboard.
The reason why you probably didn’t see much of performance difference is that with a modern Core 2 Duo CPU (which most laptops with TPMs have), the performance difference is only visible in benchmarks.
E.g. my current 4050E AMD processor can encrypt more then 200 MB/s with TrueCrypt, which is way faster then the throughput of SATA hard disks. So you won’t notice any slowdown if you encrypt your data on Dual-Core CPUs.
TPM chips are not taking an active part in encryption, they more or less provide storage for the keys. So the existence of a TPM chip doesn’t influence encryption performance, it may make encryption safer, though.
TrueCrypt has a ton of advantages. The encryption might have less options but the total drive management is much more versatile. Multiboot, multipartitions, hidden partitions, on the fly encryption/decryption while maintaining full use of the drive.
Microsoft should have given Windows 7 away free…since it is really just what Vista was supposed to be.
It’s funny how a persons standards can be lowered to the point that one actually thinks BitLocker is something special. Microsoft has released so much rubbish in the last decade that when something as minimalistic as BitLocker finally works…people get excited. It is just a simple encryption tool that will encrypt your drives and that’s about it. Not nearly as nice as TrueCrypt…and TrueCrypt has proven itself to be a worthy tool…Bitlocker…ehh.
Don’t overlook the other facts either:
1. TrueCrypt is FREE!!!
2. It’s Open Source!!!
3. It works on a lot more OS’s than BitLocker!!!
PS…who the hell encrypts data on an Atom anyway. It’s a web device…not a computer. Buy a real computer and run TrueCrypt. No noticeable speed difference on any real CPU. Not to mention that TrueCrypt has a lot more spy versus spy kind of stuff.
NIN, I am using TrueCrypt and BitLocker and both encryption tools have their downsides and upsides. TrueCrypt system drive encryption is more or less useless because it doesn’t support TPM. If you leave your computer in a hotel room, you can never be sure that somebody hasn’t manipulated your system drive. I also find BitLocker more convenient because there is no need for passwords.
I usually use TryCrypt for external drives. The main disadvantage of BitLocker To Go is that you only have read access on Vista and XP. That doesn’t make sense at all. I want to be able to use a portable device on all Windows versions.
Your three “facts” don’t really convinced me. It doesn’t matter for me if TrueCrypt is Open Source because I don’t intend to extend the code. I also have no use for other operating systems and I use Windows 7 Ulitmate anyway. However, I agree that if you don’t have Windows 7 Ultimate, then TrueCrypt is the best choice. In my view Microsoft should make security features available on all Windows versions.
As to your PS, I strongly disagree here. The main advantage of netbooks is that you can bring them everywhere. This is why they get easily “lost”. Therefore encryption on netbooks makes more sense than on any other computer type.
More exclaimation marks do not make a point more true. I have to agree with Micheal (mostly):
1. TrueCrypt is free – A business performing any sort of reasonable Windows 7 deployment will be using Enterpise, so there is no additional cost for BitLocker. Because BitLocker can be centrally managed and recovery keys stored in Active Directory, I would content that BitLocker would be the cheaper option over the life of the PC. Smaller organisations, using Windows 7 Professional may find benefit in using TrueCrypt.
2. TrueCrypt is open source – this is only a benefit if you plan to contribute to the codebase. I assume you are alluding to closed source having a back door. Surely if this was the case, Microsoft would have a hard time selling Windows outside of the US.
3. TrueCrypt works on more OSs – Windows XP’s lifetime is (finally) limited; therefore any Windows OS deployment moving forward will have BitLocker builtin. Hetrogenous environments (Linux, Windows and Mac OS on the desktop) may benefit from TrueCrypt, but then as per point 1, BitLocker would still be the cheaper option to manage on Windows desktops.
As for encypting NetBooks – they do make good thin-clients – with no data there’s little requirement for encryption.
Good points. But let me comment on some statements and clarify other things as well.
“TrueCrypt system drive encryption is more or less useless because it doesn’t support TPM. If you leave your computer in a hotel room, you can never be sure that somebody hasn’t manipulated your system drive.”-MP
Let’s be realistic. If someone went into your hotel room without your permission they would simply steal the laptop…not try to access data since you could return and catch them in the act.
Now…assuming you are a top secret agent and another spy is wanting to go unnoticed and copy your data…
Did you power down your laptop? If not the TPM has stored the authentication data in RAM. A savvy spy could still gain access to the entire system quickly and easily. If you have powered down than it is not so easy. Any attempt on the TPM protected harddrive would probably be futile or simply destroy the data. Hey…wait a minute…isn’t that the same thing that would happen to a TrueCrypt drive?
“Your three “facts” don’t really convinced me. It doesn’t matter for me if TrueCrypt is Open Source because I don’t intend to extend the code.”-MP
You don’t have to be a programmer to appreciate Open Source projects. The benefit of Open Source on TrueCrypt is that thousands of people have analyzed the code. If there were a glaring defect it would have already been addressed by now. Microsoft on the other hand has a track record a mile long of leaked code, security issues and reliability.
“I also have no use for other operating systems and I use Windows 7 Ulitmate anyway.”-MP
You are in the minority. The majority of Windows 7 users are not using Ultimate or Enterprise version. Google it. Does that mean these users should not have a basic feature such as drive encryption in an operating system that is as highly touted as Windows 7?
“As to your PS, I strongly disagree here. The main advantage of netbooks is that you can bring them everywhere.”-MP
You can’t bring a laptop anywhere?
The main “advantage” of a netbook is nothing more then low cost.
“This is why they get easily “lost”. Therefore encryption on netbooks makes more sense than on any other computer type.”-MP
Computers are lost by irresponsible people…not because they are portable. Encrypting a netbook that is already computationally challenged and that is intended for surfing the web and not really storing data seems a little silly. If you need a portable computer…save your money…by a laptop and then you’ll have the CPU, RAM and harddrive to support the encryption.
“A business performing any sort of reasonable Windows 7 deployment will be using Enterpise”-Aaron
Somewhat valid point…for large business users. The MAJORITY of Windows 7 users are using the Home Premium version. The difference in the Upgrade cost to get BitLocker is $100 dollars. This should have been included in ALL version of Windows 7. TrueCrypt is the best option for the majority of Windows 7 users.
“this is only a benefit if you plan to contribute to the codebase. I assume you are alluding to closed source having a back door.”-Aaron
Microsoft…back door…not a chance! They have the most secure OS’s in the world…didn’t you know?-SARCASM
“therefore any Windows OS deployment moving forward will have BitLocker builtin. Hetrogenous environments (Linux, Windows and Mac OS on the desktop) may benefit from TrueCrypt, but then as per point 1, BitLocker would still be the cheaper option to manage on Windows desktops.”-Aaron
So…based on this comment I guess we can assume that Windows 7 is a step backward??? The majority of Windows 7 users don’t have BitLocker built in. And there is NO WAY that it is worth the additional $100 dollars or cheaper than free.
I would venture to guess that MOST people that are interested in drive encryption are looking at using it on external drives anyway. This makes BitLocker virtually useless since the majority of public computer systems are STILL running XP.
Later.
One other thing I failed to mention.
You could just buy a hardware encrypted drive right? You know…one of those with a keypad.
Now assume your are the top secret spy I spoke of earlier in the ridiculous scenario. Your adversary puts a gun to your head and makes you unlock the drive with your PIN. He now has full data access. (Same with TPM enable drive and BitLocker…although not as cool as one of those drives with a numberpad built in).
Hmmm….but if you were using TrueCrypt…you give him the “other” password which seemingly unlocks the drive. A quick test by the adversary shows that the drive has one partition, the partition is using 100% of the drives capacity, and the top secret files are clearly visible. Little does he know that these are bogus files planted by you to derail your adversary in just such an event.
If you login with the “real” password all of your Top Secret files are revealed. Sweet!
TrueCrypt doesn’t leave a signature when installed properly and the data would look random with any low level drive tools available today.
PS…part two:
The ridiculous part about this whole article is that TrueCrypt is running a 256bit algorithm and being compared to Microshafts 128bit algorithm.
For a real comparison they both should be running similar encryption algorithms and then benchmarked using real world file transfers…both reading and writing.
How hard would that be? gpedit.msc is your friend. Set BitLocker to 256bit and try again.
See ya’
TrueCrypt real world test comparison:
Windows 7 Ultimate with all updates
E6600 Intel Core Duo at stock speed
ASUS P5W DH Deluxe
4 GIGS of RAM
Raptor II drives
2-Western Digital Passport Elites.
#1 Unencrypted
#2 Encrypted with a hidden partition and a secret partition. Data is written to the latter TOP SECRET partition. Encryption is 256bit AES.
Transfer ISO file of 1.7Gbyte to both drives. Both drives have built in activity indicators. Indicators strope side to side when transferring data. Timed drives from the moment the strobing starts until it stops.
1:15 for BOTH drives. Absolutely amazing! I expected about a 20% drop but in reality there is none with LARGE contiguous files. I will try small frys next and post again. Bye for now.
Tested with 200 small files…ranging from 1K to 10Mb and it took 7 seconds on both drives.
There is no difference when using the drives in a USB setup. The bus is probably the limiting factor since the drives are running at about 30-32Mb per second.
I’ll yank ‘em out of the cases and hookem’ up via SATA and see what happens. I bet we’ll see some differences then…but since the majority of people will be using TrueCrypt on external drives…the reality is they won’t feel a thing!
I didn’t mention that this was on 64bit Vista Ultimate.
Now for more goodness I can attribute to open source and TrueCrypt.
TrueCrypt is written in C. It can be compiled to run in ASM since it is Open Source.
BANG!!! TrueCrypt runs 25 to 40% faster in ASM!!!
I guess I will quit hogging this thread but I will probably write up a “real” article that will answer all of the questions about performance and the plus and minuses of TrueCrypt versus BitLocker. I can only see BitLocker winning in a few scenarios…ie…Large enterprise configurations with centralized management. The reality is that this is the minority of the real world and there are probably NO large enterprise level corporations that are even thinking about switching to Windows 7 as of right now…so BitLocker looks like a bust…but we’ll see if I’m right with real world testing.
64 bit Windows 7……grrrrrr….too many Windows operating systems.
99% of the People that use Windows Home Premium don’t know or even want full drive encryption. It’s a feature for enterprises or professionals with highly valuable data. It’s not interesting for my mother.
Of course, the paranoid will also appreciate it.
But if you’re paranoid about backdoors in closed source software and use TrueCrypt to encrypt Windows, that’s just inconsequential – after all, the backdoor could be used to siphon the data off your system while it’s running.
Article to follow will cover side by side comparisons of 256 versus 128 encryption, entire system encryption using a laptop with TPM and BitLocker versus TrueCrypt, feature comparison.
BitLocker may have a performance advantage on Laptops with TPM modules for full system encryption but I HIGHLY doubt it…since the TPM module does nothing other than throw out a key.
Over and out…for now.
“PS…who the hell encrypts data on an Atom anyway. It’s a web device…not a computer. Buy a real computer and run TrueCrypt. No noticeable speed difference on any real CPU” NIN Rocket
I agree that netbooks are consumer devices, but on every conference I attend there are at least a few people with netbooks. So despite of their target audience they are used in buisness as well.
“The ridiculous part about this whole article is that TrueCrypt is running a 256bit algorithm and being compared to Microshafts 128bit algorithm.” NIN Rocket
The benchmark was done with different algorithms as you can easily see when you look at the images.
Personally I use BitLocker and TrueCrypt. For me they just have different purposes. On the enterprise level there is no way around BitLocker, because it is integrated in the OS and runs without any need of end user interaction. It also offers centralized key management. TrueCrypt on the other hand is a valuable application to encrypt usb-stick and external hdds, because I want them to be independent of the OS.
One other note for those that think drive encryption is only for corporations.
When WiFi was first introduced I remember how easy it was to hitch a ride onto 100’s of networks simply at will. Always there were open networks that had been setup by novice admins/users.
In my own neighborhood I USED to could see about 2 dozen access points with NO security or WEP.
Well…fast forward to today. In my same neighborhood there is only 1 open network out of the 10(not 2 dozen)networks that are visible. There is only 1 of the protected systems running WEP(which I hacked in about 90 seconds just to prove to the guy it was that easy…he’s an admin for LOCKHEED…OH MY GOD!!!!!) All the rest are running WPA or WPA2 and most aren’t broadcasting SSID.
SO……..the point I’m making is that encryption is slowly becoming mainstream.
I would venture to bet that in the not too distant future that drive encryption will be standard fair and built into OS’s.
When this happens….do you honestly think that Microsoft WON’T have backdoors….when they are based in the USA….and Uncle Sam likes to watch people. Sure they will.
TrueCrypt on the other hand…probably not…since they have nothing to gain since it is FREE and Open Source.
Oh…and I love Microsoft products…and hate ‘em too.
Anybody that puts a lot of trust in Microsoft must be brain dead though.
I think most the people that I know were running Windows 7 Ultimate Final on SLIC 2.1 hardware modded BIOS’s before it was even at the RTM stage. That don’t happen unless Microsoft has a lot of people on the payroll that like to spend their spare time in the hacking community.
It’s always the little guys against the MAN. Always will be too.
traumatized….I need to either learn how to proofread…(too lazy) or 4sysops.com needs to allow edits on posts…:twisted:
smiley test
“I agree that netbooks are consumer devices, but on every conference I attend there are at least a few people with netbooks. So despite of their target audience they are used in buisness as well.”-Alexander Weiß
Signs of a recession…..ouch!
In the later than sooner but still not to distant future…all of this becomes hogwash anyway.
Microsoft and all the other software producers are losing tons of money to piracy. With wireless technology constantly improving in multiple forms…it’s only a matter of time until the harddrive, flashdrive, etc. are made obsolete. Everything will be on “thin clients” aka terminals.
No drives to lose. Data is centralized. Data is easy to control. Everyone ends up paying a monthly useage fee…and the software companies are happy.
The focus needs to be on network security.
I personally think that anything that can be hacked that can have a huge impact on people…like a power plant or missile site…should NOT have remote access capabilities.
WOW…I just solved all the worlds problems…in just a few sentences. King NIN.
With the drives hooked up via SATA I transfer the same 1.7Gb file in 31 seconds. Encrypted or not.
There is NO performance difference between a drive encrypted with TrueCrypt or an unencrypted drive.
But wait…CPU useage is where you can see a difference.
Transfers to the plain drive had the CPU at about 5%.
Transfers to the TrueCrypt drive pushed the CPU up to 45%.
All of these tests were on the C version. I will retest with ASM version once I compile it. Should use less CPU because of the lower interpretation.
I can see where you might see bottlenecks if you have some SSD’s set up or were running RAID. The faster the potential data rate…the more CPU you’ll need…until finally you run out of head room.
I don’t REALLY want to test it on my Raptors but I might just to see if it finally bottlenecks.
Peace.