u/TheMagicMiller

Wear Leveling Question

I've been reviewing the VeraCrypt documentation regarding wear leveling on SSDs (link).

As I understand it, unless you fully encrypt a brand-new SSD before putting sensitive data on it, VeraCrypt cannot guarantee that sensitive data is fully encrypted; if already-added data is encrypted in place, then some unencrypted data may exist in unused sectors.

Suppose that you encrypted an SSD in-place with sensitive data already on it. Could you somehow wipe the SSD and copy data back onto it to ensure wear-leveled sectors do not contain sensitive data unencrypted?

For instance, performing the following steps:

  1. Boot into a USB based Linux distro.
  2. Clone all raw data from the SSD to an equivalently sized HDD.
  3. Perform a proper wipe of the SSD, such as a Secure Erase, flashing all NAND cells.
  4. Clone the raw data from the HDD back to the SSD.
  5. Securely erase all data from the HDD.

Would this prevent the leaks mentioned in the VeraCrypt documentation regarding wear leveling?

reddit.com
u/TheMagicMiller — 11 days ago
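The clone / wipe / restore sequence proposed in the post, rehearsed as an added example that is not part of the original thread. It runs against two constructed image files (`ssd.img`, `hdd.img` are placeholder names) rather than real block devices, and adds the check a practitioner would want at each step: a SHA-256 comparison proving the clone and the restore are bit-identical, and a scan proving the wiped copy contains only zero bytes. An ATA Secure Erase cannot be issued to a file, so a zero-overwrite stands in for step 3 here; on hardware that step is the firmware command, not `dd`.

```shell
#!/bin/sh
# Added example, not VeraCrypt code: rehearse the post's five steps on image
# files and verify each transfer with a hash. Paths below are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/wl-demo.$$"
SSD="$WORK/ssd.img"   # stand-in for the SSD (constructed fixture)
HDD="$WORK/hdd.img"   # stand-in for the equally sized HDD (constructed fixture)
SIZE_MB=4

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

make_fixture() {
    mkdir -p "$WORK"
    # Random bytes play the role of the "sensitive" data so the hash is meaningful.
    dd if=/dev/urandom of="$SSD" bs=1M count="$SIZE_MB" status=none
}

# Steps 2 and 4: raw clone, refusing to continue unless source and copy hash equal.
clone_disk() {
    dd if="$1" of="$2" bs=1M status=none
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# Step 3 / 5 stand-in: overwrite every byte with zeros (a real SSD needs
# Secure Erase instead; a plain overwrite cannot reach wear-leveled spare blocks).
wipe_disk() {
    before=$(wc -c < "$1")
    dd if=/dev/zero of="$1" bs=1M count="$SIZE_MB" status=none
    [ "$(wc -c < "$1")" -eq "$before" ]   # size unchanged, so nothing was skipped
}

# Succeeds only if the file contains no non-zero byte.
is_all_zero() {
    [ -z "$(tr -d '\000' < "$1" | head -c 1)" ]
}

# Runs the whole procedure; returns 0 only if every verification passed.
run_procedure() {
    make_fixture
    original=$(hash_of "$SSD")
    clone_disk "$SSD" "$HDD"        # step 2
    wipe_disk "$SSD"                # step 3 (stand-in)
    is_all_zero "$SSD"              # the "SSD" really holds nothing now
    clone_disk "$HDD" "$SSD"        # step 4
    [ "$(hash_of "$SSD")" = "$original" ]   # restored data is bit-identical
    wipe_disk "$HDD"                # step 5
    is_all_zero "$HDD"
    rm -rf "$WORK"
}
```

The hash comparison is the part worth keeping when doing this for real: a clone that silently dropped a block would otherwise only be noticed when the restored volume fails to mount.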

I had some questions regarding backup volume headers for non-system partitions.

As I understand it, the rescue disk for system partitions allows for the full decryption of that partition, given you have the password.

Is the same true for non-system partitions? In particular:

  1. If I save an external backup volume header for a non-system partition, and let's say store it on a USB stick, would that backup volume header allow for full decryption of my non-system partition, assuming I have the password?

  2. Is the external backup volume header itself encrypted, as the rescue disk is for system partitions? I.e., without the password, does the external backup volume header allow an attacker to decrypt my non-system partition?

reddit.com
u/TheMagicMiller — 23 days ago