May 7 2018
There are (at least) three approaches to data encryption: Whole Disk Encryption, Virtual Disk Encryption, and File Encryption. Each has its advantages and disadvantages. CryptDisk is a Virtual Disk system.
Whole Disk Encryption encrypts everything on a phyical volume except the boot sector(s). The encryption driver loads very early during system boot and the user is prompted for authentication (password or USB key) before most of the operating system loads. This has the advantage of having everything is encrypted, including swap files and temporary directories. It is very unlikely any data will leak out of the encrypted disk. It is also the most convenient, since I am asked for only a single password once during boot. The biggest disadvantage is that once the user enters the password the whole disk is effectively plain text -- any code running on the system can read everything on the disk (subject to normal OS restrictions). WDE provides protection only when the system is not running. The encrypted data is typically locked to the disk hardware and is not portable.
CryptDisk does not (currently) support Whole Disk Encryption. Microsoft's BitLocker is a whole disk encryption system.
Virtual Disk Encryption encrypts only the data placed inside the virtual disk. The encryption driver loads on demand well after the operating system boots, or may never be loaded at all. The data remains encrypted and secure until I decide to access it. The data becomes plain text visible to all programs only when the virtual disk in mounted. I can control when the data is accessible by mounting and unmounting the virtual disks as needed, and segment my sensitive data by using multiple virtual disks. The size of the virtual disk's container file can be as small or as large as needed, and can be easily moved between systems or stored on a portable USB drive.
CryptDisk goes a step further and lets me mount a virtual disk in restricted view. This lets me control which programs are allowed to see the plain text, preventing any other programs from accessing the disk even when it is mounted.
A disadvantage of virtual disks is possible data leakage if the operating system happens to copy sensitive data to a swap file or temporary file on an unencrypted system volume.
VM Disk Encryption is a hybrid of WDE and VDE where an entire Virtual Machine (VM) is stored inside an encrypted virtual disk. This has all the advantages of WDE and VDE, plus portability and implicit daily full-system backups. The disadvantage is the extra storage, memory, and work involved in maintaining two instances of the OS. I have found the advantages far outweigh the disadvantages, and this is my personal setup.
File Encryption encrypts only specific files. This is less convenient as I need to explicitly encrypt and decrypt the files as needed. The danger of data leakage is much greater (almost certain) since the unencrypted data will be stored as plain text on an unencrypted volume. File encryption should really only be used for communicating files between systems, not for secure storage.
CryptDisk supports explicit file encryption, but not "on-the-fly" file encryption.
Determining which method is appropriate depends almost entirely on how and why I need data encryption in the first place. There are some general guidelines.
Comments are moderated. Anonymous comments are not visible to others until moderated. Comments are owned by the author but may be removed or reused (but not modified) by this site at any time without notice.