System Encryption

TrueCrypt can on-the-fly encrypt a system partition or entire system drive, i.e. a partition or drive
where Windows is installed and from which it boots.
System encryption provides the highest level of security and privacy, because all files, including
any temporary files that Windows and applications create on the system partition (typically, without
your knowledge or consent), hibernation files, swap files, etc., are always permanently encrypted
(even when the power supply is suddenly interrupted). Windows also records large amounts of
potentially sensitive data, such as the names and locations of files you open, applications you run,
etc. All such log files and registry entries are always permanently encrypted as well.
System encryption involves pre-boot authentication, which means that anyone who wants to gain
access and use the encrypted system, read and write files stored on the system drive, etc., will
need to enter the correct password each time before Windows boots (starts). Pre-boot
authentication is handled by the TrueCrypt Boot Loader, which resides in the first track of the boot
drive and on the TrueCrypt Rescue Disk (see below).
Note that TrueCrypt can encrypt an existing unencrypted system partition/drive in-place while the
operating system is running (while the system is being encrypted, you can use your computer as
usual without any restrictions). Likewise, a TrueCrypt-encrypted system partition/drive can be
decrypted in-place while the operating system is running. You can interrupt the process of
encryption or decryption at any time, leave the partition/drive partially unencrypted, restart or shut
down the computer, and then resume the process, which will continue from the point at which it was
stopped.
The mode of operation used for system encryption is XTS (see the section Modes of Operation).
For further technical details of system encryption, see the section Encryption Scheme in the
chapter Technical Details.
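The two properties described above, sector-tweaked XTS encryption and an in-place conversion that can be interrupted and resumed from the point where it stopped, are illustrated by the following added example. It is not TrueCrypt's own code: it uses the XTS-AES implementation of the Python "cryptography" package, assumes 512-byte sectors and a tweak equal to the sector index encoded as a 128-bit little-endian integer, and keeps the conversion watermark in a plain variable rather than in a volume header. The sample sectors and key are constructed for the demonstration.

```python
# Added example (not TrueCrypt's code): XTS sector encryption plus an interruptible,
# resumable in-place encryption of a simulated system drive.
# Assumptions: 512-byte sectors, tweak = sector index as a 128-bit little-endian
# integer, AES-XTS from the Python "cryptography" package.
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 512


def sector_tweak(sector_index: int) -> bytes:
    """XTS tweak for one data unit: the sector index as a 128-bit little-endian value (assumed encoding)."""
    return sector_index.to_bytes(16, "little")


def xts_encrypt_sector(key: bytes, sector_index: int, plaintext: bytes) -> bytes:
    """Encrypt one sector with AES-XTS; key is 64 bytes (two distinct AES-256 keys)."""
    if len(plaintext) != SECTOR_SIZE:
        raise ValueError("XTS operates on whole data units; expected exactly one sector")
    enc = Cipher(algorithms.AES(key), modes.XTS(sector_tweak(sector_index))).encryptor()
    return enc.update(plaintext) + enc.finalize()


def xts_decrypt_sector(key: bytes, sector_index: int, ciphertext: bytes) -> bytes:
    """Decrypt one sector; a wrong sector index yields garbage, so sectors cannot be relocated."""
    if len(ciphertext) != SECTOR_SIZE:
        raise ValueError("XTS operates on whole data units; expected exactly one sector")
    dec = Cipher(algorithms.AES(key), modes.XTS(sector_tweak(sector_index))).decryptor()
    return dec.update(ciphertext) + dec.finalize()


class InPlaceEncryptedDrive:
    """Simulated system drive being encrypted in place.

    Sectors below `encrypted_upto` hold ciphertext, the rest still hold plaintext.
    That watermark is the only state needed to resume after an interruption
    (where a real product stores it is an implementation detail not modelled here).
    """

    def __init__(self, key: bytes, sectors: list, encrypted_upto: int = 0):
        self.key = key
        self.sectors = sectors            # mutable list shared with the caller: "the disk"
        self.encrypted_upto = encrypted_upto

    def encrypt_step(self, max_sectors: int) -> int:
        """Encrypt up to max_sectors further sectors; returns the new watermark."""
        stop = min(self.encrypted_upto + max_sectors, len(self.sectors))
        for i in range(self.encrypted_upto, stop):
            self.sectors[i] = xts_encrypt_sector(self.key, i, self.sectors[i])
            self.encrypted_upto = i + 1   # advance only after the sector is rewritten
        return self.encrypted_upto

    def finished(self) -> bool:
        return self.encrypted_upto == len(self.sectors)

    def read_sector(self, i: int) -> bytes:
        """Reads look the same during and after conversion: decrypt only below the watermark."""
        raw = self.sectors[i]
        return xts_decrypt_sector(self.key, i, raw) if i < self.encrypted_upto else raw

    def write_sector(self, i: int, plaintext: bytes) -> None:
        """Writes land encrypted once the sector is below the watermark."""
        if i < self.encrypted_upto:
            self.sectors[i] = xts_encrypt_sector(self.key, i, plaintext)
        else:
            self.sectors[i] = plaintext


def demo_interrupt_and_resume(key: bytes, plaintexts: list, first_batch: int) -> dict:
    """Encrypt a drive in two runs with a simulated interruption in between; return checkpoints."""
    disk = list(plaintexts)                      # copy so the caller's sample data is untouched
    run1 = InPlaceEncryptedDrive(key, disk)
    watermark = run1.encrypt_step(first_batch)   # interrupted after first_batch sectors
    reads_during = [run1.read_sector(i) for i in range(len(disk))]
    # "Reboot": the object is gone, but the disk contents and the watermark persist.
    run2 = InPlaceEncryptedDrive(key, disk, encrypted_upto=watermark)
    run2.encrypt_step(len(disk))                 # resume from where it stopped
    return {
        "watermark_after_interruption": watermark,
        "reads_during_matched_plaintext": reads_during == plaintexts,
        "finished": run2.finished(),
        "reads_after_matched_plaintext": [run2.read_sector(i) for i in range(len(disk))] == plaintexts,
        "ciphertext_sectors": list(disk),
    }


if __name__ == "__main__":
    demo_key = bytes(range(64))                  # constructed demo key only
    sample = [bytes([0x41]) * SECTOR_SIZE] * 4   # four identical plaintext sectors (constructed)
    result = demo_interrupt_and_resume(demo_key, sample, first_batch=2)
    print("resumed and finished:", result["finished"])
    print("distinct ciphertexts for identical sectors:",
          len(set(result["ciphertext_sectors"])))
```

Running the demo shows that four identical plaintext sectors produce four different ciphertext sectors (the tweak binds each ciphertext to its position), that a sector decrypted under a different index does not yield the plaintext, and that every read returns the correct plaintext both while the conversion is half done and after the resumed run completes.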
To encrypt a system partition or entire system drive, select System > Encrypt System
Partition/Drive and then follow the instructions in the wizard. To decrypt a system
partition/drive, select System > Permanently Decrypt System Partition/Drive.
Note: By default, Windows 7 and later boot from a special small partition. The partition contains
files that are required to boot the system. Windows allows only applications that have administrator
privileges to write to the partition (when the system is running). TrueCrypt encrypts the partition
only if you choose to encrypt the whole system drive (as opposed to choosing to encrypt only the