Whole Disk Encryption (WDE) discussion:
... pretty pragmatic, but for Windows.
Schneier's preferred tool, PGP-Disk, is pretty silent on how it works. Bruce uses it because he trusts the company, not because it is really WDE.
You need some care - the "whole disk" encryption tools, like compusec et al, use a pre-boot validation... how? Obviously, that part of the system is not encrypted... if it lives on the HDD in question, then that means that the whole disk is not
I don't think any of these apps actually repartition the drive, so there should be an encrypted container for the "whole disk" and a plaintext part outside that for "pre-boot apps". The bootloader launches the pre-boot part, which runs validation, decrypts the container, and launches the OS.
If that is not what happens, then the app does something functionally identical -
Linux (dmcrypt et al) does this with the initramfs ... which is why the /boot partition is outside the container. In this case, pre-boot validation can be launched from external media... is this the case with those Windows apps?
In effect, WDE has come to be a technical term for "all the disk you'd normally write files to" and not all the actual data on the disk. In Windows, this means the system "drive", usually C:/ (alone, in the case of BitLocker WDE - only home and swap with FileVault).
"So why make a song and dance about it?" I hear you ask...
1. If you are not encrypting the whole disk, don't call it WDE. This is logical, if a bit pedantic.
2. We need to recognize ad-speak when we hear it.
3. Helps when comparing commodity/commercial software between different paradigms.
3.a. Linux disk encryption tends to suffer the complaint that it is not WDE - when what the complainant is thinking of is not actual WDE either.
3.b. Linux DE is less WDE than some because the main-OS system files are not in the container - but if WDE apps just have their own system files outside the container that they put the main-OS system files into, then this is a bit "six of one and half-a-dozen of the other."
I maintain that you want to keep /boot on an external drive, with the full disk encrypted. I would call that "True WDE" since the entire laptop HDD is encrypted. The plaintext part is on a chain around your neck (or whatever).
This also provides an intriguing plausible deniability...
Official: Is that your laptop?
Off: Excuse me?
You: It's my boss's laptop, he left it at the office and I'm fetching it for him.
Off: Would you switch it on for me please?
You: OK - but it won't go. [demonstrate]
Off: Boot the laptop please, sir.
You: I can't - it is set so it won't boot without the boss's key, which only he has.
Off: I see... I am confiscating this laptop as a national security threat and placing you under arrest as a suspected terrorist, step this way for your cavity search [pulls on rubber glove]
... um... that didn't go the way I expected...
Of course, technically there is nothing stopping you from booting automatically to a familiar WinXP partition if the key ain't there... (This will mean sacrificing 10 or so gig in the name of misdirection - similar to using a false bottom in a briefcase) so long as nobody compares the partition size to the disk size... even so, Windows will claim the extra space is unformatted or corrupt.
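
To put a number on the "container plus plaintext pre-boot part" layout described above for dm-crypt, here is an added example (not part of the original post) that reads `lsblk` JSON output and reports how much of a disk is actually inside a LUKS container. The sample output, device names and sizes are constructed for illustration; the function name `coverage` is hypothetical.

```python
import json

# Constructed sample of `lsblk --json --bytes -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT`
# for a typical dm-crypt laptop; all names and sizes are made up.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "sda", "size": 256060514304, "type": "disk", "fstype": null, "mountpoint": null,
   "children": [
     {"name": "sda1", "size": 536870912, "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
     {"name": "sda2", "size": 255522242560, "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
      "children": [{"name": "cryptroot", "size": 255505465344, "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}
   ]}
]}
"""

def coverage(lsblk_json, disk_name):
    """Summarise how much of one disk sits inside an encrypted container."""
    devices = json.loads(lsblk_json)["blockdevices"]
    disk = next(d for d in devices if d["name"] == disk_name and d["type"] == "disk")
    total = int(disk["size"])  # older lsblk versions emit sizes as strings
    encrypted, plaintext = 0, []
    if disk.get("fstype") == "crypto_LUKS":
        # Container written straight onto the raw disk, no partition table:
        # the boot code must then live on other media (the external /boot case).
        encrypted = total
    for part in disk.get("children") or []:
        if part["type"] != "part":
            continue  # skip the opened dm-crypt mapping itself
        if part.get("fstype") == "crypto_LUKS":
            encrypted += int(part["size"])
        else:
            plaintext.append((part["name"], part.get("mountpoint"), int(part["size"])))
    outside = total - encrypted - sum(size for _, _, size in plaintext)
    return {
        "disk_bytes": total,
        "encrypted_bytes": encrypted,
        "plaintext_partitions": plaintext,
        "unpartitioned_bytes": outside,  # partition table, alignment gaps, unallocated space
        "whole_disk": encrypted == total,
    }

if __name__ == "__main__":
    report = coverage(SAMPLE_LSBLK, "sda")
    pct = 100.0 * report["encrypted_bytes"] / report["disk_bytes"]
    print(f"encrypted: {pct:.2f}% of disk, whole disk: {report['whole_disk']}")
    for name, mountpoint, size in report["plaintext_partitions"]:
        print(f"plaintext: {name} ({mountpoint}) {size} bytes")
    print(f"outside any partition: {report['unpartitioned_bytes']} bytes")
```

On a real machine, feed it the output of `lsblk --json --bytes -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT` instead of the sample; an unencrypted swap partition shows up in the plaintext list alongside /boot.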