How does pre-boot authentication with disk encryption work technically

dual-boot, encryption

I'm looking for a solution to fully encrypt my dual-boot SSD drive (it's still new and empty, and I want to set up encryption before I put anything on it).

While there's a lot of chaos on the web regarding that question, it appears that TrueCrypt might be able to do this, although I might need its boot loader on an extra boot disk. From what I'm reading, some Linux tools (including some modified GRUB2) might also be able to do that.

However, I have my doubts, and no article I read really went in deep enough to answer a basic question: if the whole disk is encrypted, and some pre-boot tool asks the user for a key to decrypt it, doesn't that mean this tool has to run beneath the OS that's going to boot? In other words, are there tools that leave the OS unaware of the fact that the disks it sees are actually encrypted?

If there's no such tool, doesn't that mean the decryption tool somehow has to pass decryption information to the OS on boot? I can imagine that this would be hard to do cross-platform.

Best Answer

If the whole disk is encrypted, and some pre-boot tool asks the user for a key to decrypt it, doesn't that mean this tool has to run beneath the OS that's going to boot?

Yes, pretty much. Hardware-based full disk encryption does this: the encryption is handled entirely by the device (hard disk/flash) or possibly in a controller along the chain leading to the physical device(s), and is not "visible" to the OS.
With this, the OS does I/O exactly like it would if it were dealing with a plain, unencrypted device; the magic happens in hardware (and/or firmware - "below" the OS in any case).

If there's no such tool, doesn't that mean the decryption tool somehow has to pass decryption information to the OS on boot?

There would have to be some form of information transfer indeed, if the encryption cannot be done "underneath" the OS (either as above, or possibly using virtualization techniques – but then you sort of have two (or more) OSes running). And yes, that means cross-OS is hard.
You'll also need the bootstrap code (bootloader at the very least) to be un-encrypted if you don't have hardware/firmware assistance.

The Wikipedia disk encryption article has more about this.
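To make the two points of the answer concrete (the bootstrap code and key header must stay in plaintext, and the pre-boot stage hands the recovered key to the OS, which then sees an ordinary block device), here is an added toy model that is not part of the question, the answer, or any real product. The on-disk layout, the `TOYFDE01` magic, the names `preboot_unlock` and `OSBlockDevice`, and the HMAC-based keystream are all constructed for this example; real software-FDE systems (LUKS, BitLocker, VeraCrypt) use AES-XTS and their own header formats, which this sketch does not reproduce.

```python
"""Toy model of pre-boot authentication for software full-disk encryption.

Constructed disk image layout (hypothetical, not any real on-disk format):

  sector 0      plaintext bootstrap code   (cannot be encrypted: the CPU must run it)
  sector 1      plaintext header: magic | salt | wrapped master key | auth tag
  sectors 2..n  data, encrypted under the master key
"""
import hashlib
import hmac
import secrets

SECTOR = 512
MAGIC = b"TOYFDE01"          # constructed identifier for this toy format
HEADER_SECTOR = 1
DATA_START = 2
KDF_ITERATIONS = 100_000


def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Per-sector counter-mode keystream from HMAC-SHA256.

    Toy stand-in for AES-XTS. Because the keystream for a sector is fixed,
    rewriting a sector reuses it (a two-time pad); real FDE uses a tweakable
    block cipher precisely to avoid that weakness.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Slow passphrase-to-key derivation; only the pre-boot stage ever runs it."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)


def wrap_pad(kek: bytes) -> bytes:
    return hmac.new(kek, b"master-key-wrap", hashlib.sha256).digest()


def key_tag(kek: bytes, master_key: bytes) -> bytes:
    return hmac.new(kek, b"master-key-auth" + master_key, hashlib.sha256).digest()


def format_disk(passphrase: str, data_sectors: int, master_key: bytes = None) -> bytearray:
    """Create an image: plaintext boot sector, plaintext key header, random data area."""
    master_key = master_key or secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    kek = derive_kek(passphrase, salt)
    header = MAGIC + salt + xor_bytes(master_key, wrap_pad(kek)) + key_tag(kek, master_key)
    image = bytearray(secrets.token_bytes(SECTOR * (DATA_START + data_sectors)))
    image[0:SECTOR] = b"BOOTCODE: prompt for passphrase, unlock, jump to OS".ljust(SECTOR, b"\0")
    image[HEADER_SECTOR * SECTOR:(HEADER_SECTOR + 1) * SECTOR] = header.ljust(SECTOR, b"\0")
    return image


def preboot_unlock(image: bytearray, passphrase: str) -> bytes:
    """The pre-boot stage: runs from plaintext sector 0, reads the plaintext
    header, recovers the master key and hands it to the OS. This handover is
    the 'information transfer' the answer describes."""
    hdr = bytes(image[HEADER_SECTOR * SECTOR:(HEADER_SECTOR + 1) * SECTOR])
    if hdr[:8] != MAGIC:
        raise ValueError("not a TOYFDE volume")
    salt, wrapped, tag = hdr[8:24], hdr[24:56], hdr[56:88]
    kek = derive_kek(passphrase, salt)
    master_key = xor_bytes(wrapped, wrap_pad(kek))
    if not hmac.compare_digest(key_tag(kek, master_key), tag):   # constant-time check
        raise ValueError("wrong passphrase")
    return master_key


class OSBlockDevice:
    """What the booted OS sees: a plain block device. The file system above
    this layer never learns that the sectors underneath are encrypted."""

    def __init__(self, image: bytearray, master_key: bytes):
        self.image = image
        self.key = master_key

    def read(self, sector: int) -> bytes:
        off = (DATA_START + sector) * SECTOR
        return xor_bytes(bytes(self.image[off:off + SECTOR]), keystream(self.key, sector, SECTOR))

    def write(self, sector: int, data: bytes) -> None:
        if len(data) > SECTOR:
            raise ValueError("write exceeds one sector")
        off = (DATA_START + sector) * SECTOR
        self.image[off:off + SECTOR] = xor_bytes(data.ljust(SECTOR, b"\0"),
                                                 keystream(self.key, sector, SECTOR))


def raw_sector(image: bytearray, sector: int) -> bytes:
    """What an attacker with the powered-off drive sees for a data sector."""
    off = (DATA_START + sector) * SECTOR
    return bytes(image[off:off + SECTOR])


if __name__ == "__main__":
    img = format_disk("correct horse battery staple", data_sectors=4)
    dev = OSBlockDevice(img, preboot_unlock(img, "correct horse battery staple"))
    dev.write(0, b"contents of /etc/shadow")
    del dev                                   # power off: the OS and its key copy are gone
    try:
        preboot_unlock(img, "guess")
    except ValueError as err:
        print("pre-boot:", err)
    print(OSBlockDevice(img, preboot_unlock(img, "correct horse battery staple")).read(0).rstrip(b"\0"))
```

The split between `preboot_unlock` and `OSBlockDevice` is the point: the first runs from unencrypted sector 0 before any OS exists, and the only thing that crosses the boundary into the OS is the 32-byte master key, which each operating system in a dual-boot setup would need its own driver to accept.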