Full disk encryption is a great idea for a business, and even a private individual who travels frequently with a laptop should encrypt it in case it is lost or stolen.

Full disk encryption does come with a performance overhead, but just how much performance do you lose?

I have run some tests on an old laptop, a HP 6730b with a Core2Duo @ 2.4 GHz with 2GB RAM. The disk installed was the standard 160GB. This laptop was chosen because it does not have the AES coprocessor in the later Core i series CPUs, so I think the statistics are more real world. Statistics were generated using HDTune.

I'm specifically interested in comparing the performance difference between TrueCrypt and Bitlocker. Since TrueCrypt has now been discontinued, I've also added Compusec Full Disk Encryption by CE-Infosys.


[HDTune screenshots: Baseline (Unencrypted); Bitlocker AES 128bit; Bitlocker AES 128bit (With Diffuser); Bitlocker AES256; Bitlocker AES 256bit (With Diffuser)]



The real figure to look at here is the burst rate, as it gives the closest indication of the performance you will experience as a user in Windows.


Software                          Throughput MB/s                          Performance Hit %
                                  Min    Max    Average  Burst             (burst vs unencrypted)
Unencrypted                       28.8   67.7   54.4     72.5              -
Truecrypt AES                     32.9   67.5   53.9     38.3              -47.2
Compusec AES256                    2.6   51.8   42.6     42.6              -41.2
Bitlocker AES128                  32.9   67.7   54.1     71.3              -1.7
Bitlocker AES128 With Diffuser     4.5   67.7   52.2     69.6              -4
Bitlocker AES256                  32.9   67.7   54.2     72.2              -0.4
Bitlocker AES256 With Diffuser    32.9   67.7   54.2     71.5              -1.4
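As an added example that is not part of the original post, the script below recomputes the "Performance Hit %" column from the HDTune figures in the table and also works it out against the min, max and average columns, which shows how much the headline hit depends on choosing the burst rate as the comparison point. The table values are copied from above; the function names are my own.

```python
# Added example, not from the original post: recompute the performance hit
# of each encrypted configuration against the unencrypted baseline for every
# HDTune column, not only burst.

# HDTune figures copied from the table in the post (MB/s): min, max, average, burst
RESULTS = {
    "Unencrypted": (28.8, 67.7, 54.4, 72.5),
    "Truecrypt AES": (32.9, 67.5, 53.9, 38.3),
    "Compusec AES256": (2.6, 51.8, 42.6, 42.6),
    "Bitlocker AES128": (32.9, 67.7, 54.1, 71.3),
    "Bitlocker AES128 With Diffuser": (4.5, 67.7, 52.2, 69.6),
    "Bitlocker AES256": (32.9, 67.7, 54.2, 72.2),
    "Bitlocker AES256 With Diffuser": (32.9, 67.7, 54.2, 71.5),
}
COLUMNS = ("min", "max", "average", "burst")


def performance_hit(value, baseline):
    """Percentage change relative to the baseline figure, to 1 dp (negative = slower)."""
    return round((value - baseline) / baseline * 100, 1)


def hit_table(results=RESULTS, baseline="Unencrypted"):
    """Return {software: {column: hit %}} for every configuration except the baseline."""
    base = results[baseline]
    table = {}
    for name, figures in results.items():
        if name == baseline:
            continue
        table[name] = {
            col: performance_hit(value, ref)
            for col, value, ref in zip(COLUMNS, figures, base)
        }
    return table


if __name__ == "__main__":
    # The "burst" column reproduces the post's Performance Hit % figures; the
    # "average" column shows the sustained-throughput picture is very different.
    for name, hits in hit_table().items():
        print(f"{name:32s}", "  ".join(f"{col}={hits[col]:+6.1f}%" for col in COLUMNS))
```

On the page's own figures TrueCrypt shows a -47.2% burst hit but under -1% on average throughput, so the burst column alone drives the headline result.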


What has surprised me here is that the performance hit from using TrueCrypt and Compusec is massive; I've added a comparison to show the performance reduction against the unencrypted machine. The other surprise is that the performance drop with BitLocker is smaller with AES256 than with AES128.

Now the only thing left to decide is whether you would use a free and open-source full disk encryption package that significantly impacts performance and is now discontinued, or the closed-source Microsoft alternative, or Compusec.

Another thing to consider is that Microsoft is a US-controlled company, so if the NSA has forced them to open a back door you will be vulnerable. Compusec is based in Germany, so the back door will be German. So it boils down to this: do you want your US OS protected with US encryption with an NSA back door, or would you prefer the US OS protected by German software with a German back door?