Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Does Whole-disk Encryption Impact Computer Performance?

Does whole-disk encryption only affect performance while the computer is starting or does it have constant effect on the computer’s overall performance?

Neither and both, actually.

Encryption in general, and whole-disk encryption specifically, has come a long way since it was first introduced many years ago. One of the most striking changes is its impact on performance.

I’ll put it this way: I wouldn’t let performance concerns hold you back from using whole-disk encryption.

Become a Patron of Ask Leo! and go ad-free!

“Whole disk” is all about the disk

Whole-disk encryption kicks in when things are written to or read from the disk. That means the apparent performance of your disk when encryption is at play is gauged by two things: the speed of the disk itself and the speed of your CPU.

Both have been getting significantly faster over time.

Whole Disk Encryption While not directly impacting encryption, the speed of hard disks — both SSD and HDD — is impressive. In general, speed is the first thing we think of when it comes to read/write performance, whether your data is encrypted or not. You’re more likely to notice the impact of a slower drive than you are to notice whether the data is being encrypted.

CPU speeds, as well as the number of CPUs available on a PC, directly impacts the performance impact of encryption. Encryption can be a (very) complex mathematical calculation. As complex as it may be, though, today’s CPUs are more than capable of handling the work without breaking a digital sweat.

In comparison to the amount of time required to get the data on and off the disk — which is the same whether it’s encrypted or not — the additional time it takes to encrypt or decrypt that data is amazingly small.

Encryption is all about disk activity

There’s no specific time when whole-disk encryption has more or less impact. It’s simply something that happens as your computer reads and writes data to and from the encrypted disk.

Startup tends to be particularly disk intensive, as the operating system and all your startup applications and data are read from (or written to) the disk. But this is the same with or without encryption.

I also can’t say that it has “constant” effect on your performance, because it’s only about disk operations, nothing else. If your computer is idling, there can be no impact, as there’s no disk activity and no encryption being performed.

Whole-disk encryption: more important than speed

Performance is not a reason to avoid modern whole-disk encryption offered by Windows’ own BitLocker or tools like VeraCrypt.  Performance impact is minimal if it’s even noticeable at all.

More important is your ability to access the data when something goes wrong. That means:

  • Back up the key. Make absolutely certain your encryption key is backed up. Microsoft makes this easy if you’re using BitLocker, a Microsoft account, and OneDrive — it offers to back up the information for you. Regardless, take the extra time to export the key1 and save it in a safe place. If for any reason you lose the ability to log in to your machine, your encrypted data is lost forever without the ability to recover that key2.
  • Remember the password. If you use a password- or passphrase-based encryption tool like VeraCrypt, don’t lose the password. There’s no back door. Without the password, your data is inaccessible. Keep it in a safe place, such as your encrypted password vault (even if only to be able to remind yourself, or copy/paste when needed) or some other secure location.
  • Keep backups safe. I strongly recommend backing up your encrypted drive in unencrypted form. Most backup programs do this automatically, as the encryption is just as transparent to them as it is to any other software running on your machine. That means you need to make sure that the backups themselves are stored securely since they’re unencrypted.

If your data is sensitive, or your computer is easily lost or stolen, the benefits of whole-disk encryption are worth considering for the privacy and security of your data.

If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,

Leo

Podcast audio

Play

Video Narration

Footnotes & References

1: Article forthcoming; but to start, right-click on the drive in Windows File Explorer and then click on Manage BitLocker.

2: Kinda the point of the encryption in the first place: someone unable to log in to your machine, and not in possession of the recovery key, shouldn’t be able to view your data.

14 comments on “Does Whole-disk Encryption Impact Computer Performance?”

  1. “1: Article forthcoming; but to start, right-click on the drive in Windows File Explorer and then click on Manage BitLocker”
    bit locker is also in the control panel. is there a reason you chose this method to access it?

    Reply
    • Either way will work. Right-clicking in File Explorer might be a bot faster way of accessing it, but otherwise, both methods ring you to the same place.

      Reply
  2. I once used encryption on some sensitive files (taxes, wills, etc) on a portable drive as well as the main computer. Then I got a new computer, cloned everything on to it and much to my dismay I found out the hard way that I could no longer access those files, even with the proper keys. Because the hardware changed the files were locked on both the computer and portable drives. I got lucky and found an old drive that still had the files on them. Never again!

    Reply
  3. I travel a bit. If my encrypted computer is lost or stolen, could a clever hacker access the hard drive by removing it from my computer and installing it in another, or would the bios or other hardware issues still prevent access?

    Reply
    • If the drive is encrypted, a hacker wouldn’t be able to access anything on it. All they would be able to do is reformat and install a fresh version of Windows as long as you are using strong encryption.

      Reply
  4. There have been very precise reports of big performance drops on SSDs, when using Vera Crypt whole disk encryption. This seems to be contingent on the model used. Individual users have reported it, and Vera Crypt has recognized the issue. Any take on that ?

    Reply
  5. I was using Veracrypt for the first time recently. I tried using its feature to create a hidden drive (mistake) to backup some material related to a transition in my life. To create a hidden drive, one has to create an encrypted non-hidden drive first, and then create the hidden drive within it. I backed up a lot of material there. All but the last 30 days were backed up on a cloud service with 2 factor authentication. I just ran out of time and didn’t have a chance to do the second backup of the last 30 days.

    Not knowing enough about it, I later wrote something to the encrypted non-hidden section. With that, everything on the hidden drive was corrupted. I now have found where Veracrypt says not to do that, but I didn’t know. I tried a number of tools to recover them, to no avail. So I did lose the last 30 days. Everything else I was able to find somewhere else.

    I am since much more careful with Veracrypt

    Reply
    • When you use a hidden volume in Veracrypt, the hidden volume is written to from the end moving towards the beginning of the Veracrypt file. If you save too much information in either volume, it will begin to overwrite the information on the other volume. You need to keep an eye on the amount of data you are writing to each volume.

      Reply
      • Mark,

        I just saw your reply about Veracrypt writing inner from the opposite direction as outer.

        I do not think this is correct. I do believe that after you have created the inner, writing ANYTHING, even one byte to the outer, would corrupt the inner. See this from Veracrypt:
        https://www.veracrypt.fr/en/Protection%20of%20Hidden%20Volumes.html

        I tried a lot of ways to get back that inner drive, based on recommendations from that site, but nothing really worked. What did help me was that I had the material on the drive before I had copied it to the inner, so I was able to undelete that. The one thing I couldn’t get, I believe, I had forgot to copy to begin with.

        Reply
  6. I use Bitlocker on one of my PCs that has Windows Professional. Every now and then, the machine insists on me providing the unlock key rather than just letting me login. It’s not clear why this happens. Any ideas?
    On the plus side it is a way of ensuring I still remember where to find my encryption key.

    Having my key stored on OneDrive is a useful backup option (& I think it is optional) but for the really paranoid, this backup is likely to be vulnerable to a court order directing Microsoft to disclose the key.

    Another point to note is that while your disk may be encrypted, this does not mean that any contents which are replicated to a cloud service are encrypted in the cloud service. I share OneDrive and a Dropbox accounts between 2 PCs (one with Bitlocker and the the other with no whole disk encryption). There are no issues with this arrangement, which means that the Bitlocker encryption on the one PC is not replicated to the cloud service.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.