I'm interested in adding a second drive to my computer in order to
make a dual-boot system.
When the computer is booted off my "secure" disk (for financial
transactions only), I want the other boot disk to be powered off, and
vice-versa. If my regular disk gets infected surfing the web, I don't
want it to be able to infect my "secure" boot disk.
You won't know when your regular disk gets infected. Then you'll power
your "secure" disk and it will get infected. Other than a layered setup
to protect against viruses, spyware, and other malware along with
regular backups (which do incrementals with you keeping several fulls so
you can walk back to a point where you aren't infected), not installing
downloads off the Net and disconnecting from the Net is your only safest
means of computing. Keeping a disk powered off hoping it won't get
infected when you power it up won't work - unless you also power down
all other disks.
Not all pests go BANG right away when they find your host. You won't
know when a nasty is sitting on your drive waiting to get triggered. To
truly isolate one hard drive from all the others, you would need to
power off or disable all hard drives except the one you wanted to use.
If you are concerned about your surfing habits and exposure to infection
on your regular drive, what makes you think that same lack of layered
protection and bad surfing habits won't also expose your secure drive to
the same hazards? If you have a safer means of using the Net when you
are using your "secure" disk, why are you not doing the same when you
are using your regular disk?
If you happen to accidentally or deliberately power off a drive while
the system is still powered on and the OS still running, you can corrupt
files or lose data because of the cache both in the OS and in the hard
drive. That cached data won't get committed into the file system for
the OS. Rather than splice in switches into the power leads for all
hard drives and hope you configure them all correctly before powering up
and hope that neither you nor anything else hits those switches while you are
powered up, you could go into the BIOS to determine which drive
controller is enabled. If a port is disabled, no OS or malware is going
to get to any drives on that port. Just as with the switches, you would
need to make sure that when you enabled one drive port that you also
disable all the others.
Rather than trying to disconnect and reconnect power to the hard drives
(something that you could end up doing accidentally while the host was
still powered on), or having to bother going into the BIOS and wading
through the menus to enable and disable ports, use swappable hard
drives. You will still be required to shut down the OS to properly flush
the drive caches. When powered down, you insert whichever drive you
want to use.
Can I simply switch the +5V supply to the disk drives and set them
both as master on the same IDE?
There are both +5V and +12V lines in the 4-pin connector to the hard
drive. You would need to use a 2-pole switch. You would need one for
every drive so you could select which drive(s) to power up and which to
leave unpowered. Flipping in your secure drive while your regular drive
is powered up obviates the whole exercise of you trying to protect your
secure drive from pests that got onto your regular drive.
Will a partially un-powered disk drive hanging on the IDE hurt
anything?
Why would you only *partially* unpower a hard drive?
Any other ideas to accomplish this goal?
My second disk drive could also boot off of the currently unused SATA
bus.
If you put the hard drives on different controllers (i.e., ports) then
you could disable that port in the BIOS so it isn't reachable by
anything, including your OS. However, then you have to remember to boot
into the BIOS when you power up, pick which port to enable, pick which
port to disable, and make sure that you did both the enable and disable
as a paired action so both don't get enabled at the same time (both
being disabled at the same time would be recoverable by going back into
the BIOS and fixing your mistake).
Seems a lot more work than needed. Get a multiboot manager, like GAG at
sourceforge.net. Use it to decide from which hard drive you will boot.
Use EFS to protect your files or folders on your "secure" drive. You
can't use EFS on the OS folders but you could use them elsewhere (and,
besides, you could always reinstall a fresh copy of the OS for
recovery). I doubt you even need to protect your applications on the
secure drive. Just use EFS on your data files or folders. When you
boot using the secure drive, that instance of the OS can read the
EFS-protected data files. When you boot using the normal drive, that
instance of the OS can *not* read the EFS-protected data files. Make
sure to export the EFS certificate to a floppy or CD so you can import it
later if you need to reinstall the OS to redefine the EFS certificate so you
can access your old EFS-protected files; otherwise, with the old EFS
cert, all your data becomes unreadable to you, too. There is no
backdoor to EFS; otherwise, it wouldn't be secure.
It may even be possible to incorporate a whole-disk encryption program
where the decryption in the MBR bootstrap is required to access anything
on that disk. Since it usurps the MBR bootstrap area, it won't work
with a multi-boot manager that also wants to use that area for its boot
code, but maybe some multi-boot managers can
If your surfing habits really are so uncontrollable that you end up
getting nailed by malware, why not surf within a virtual machine?
VMWare Server and Virtual PC are both free. With VMWare Server, you can
install a fresh copy of the OS, do the Windows updates, tweak it however
you want, and then save a snapshot. After you are done surfing, just
revert to the snapshot and you have your clean base state again. With
Virtual PC, you have to make a copy of the folder under which the VM
files are created so you can slide it back in to perform the equivalent
of a snapshot (or restore from backups). Surf however you like in the
VM. Then revert the VM back to its base state whenever you want.
Instead of infecting your host OS, you end up infecting your guest OS in
the VM (which you can revert to snapshot). I use VMs all the time to
trial new programs. I don't even have to bother uninstalling them since
I can just revert to the base snapshot.
If you are worried about your regular drive getting infected, your same
behavior can get your secure drive infected. The common vector for
attack is through you.
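A concrete version of the EFS steps suggested in the reply above (encrypt only the data folders on the "secure" install, check that every file under them really got the Encrypted attribute, back up the certificate and key to removable media, and confirm from the other install that the files are not readable). This is an added PowerShell example, not code from the thread; the folder path and the export path are assumptions, and it relies only on the stock `cipher.exe` switches `/e`, `/s:` and `/x`.

```powershell
# Added example (not from the thread). Assumed paths; change them to your own.
$DataFolder = 'D:\SecureData'   # assumed folder holding the financial data
$ExportName = 'E:\efs-backup'   # assumed removable media; cipher appends .pfx

# 1. Encrypt the data folder and everything under it with EFS.
#    /e = encrypt, /s:<dir> = apply to the directory and its subdirectories.
cipher.exe /e "/s:$DataFolder"

# 2. Verify coverage: list any file under the folder that is NOT encrypted.
#    Returns $true only when every file carries the Encrypted attribute.
function Test-EfsCoverage {
    param([string]$Path)
    $plain = Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
    if ($plain) {
        Write-Warning "Files not protected by EFS under ${Path}:"
        $plain | ForEach-Object { Write-Warning "  $($_.FullName)" }
        return $false
    }
    Write-Host "All files under $Path are EFS-encrypted."
    return $true
}
Test-EfsCoverage -Path $DataFolder

# 3. Back up the current user's EFS certificate and private key.
#    cipher prompts for a password and writes E:\efs-backup.pfx.
#    Without this backup, a reinstalled OS cannot read the files.
cipher.exe /x $ExportName

# 4. Cross-boot check. Run this from the *regular* install against the
#    same file: $false confirms that OS instance cannot open the data.
function Test-EfsReadable {
    param([string]$File)
    try {
        $stream = [IO.File]::OpenRead($File)
        $stream.Close()
        return $true
    }
    catch [System.UnauthorizedAccessException] {
        return $false
    }
}
Test-EfsReadable -File (Join-Path $DataFolder 'statement.pdf')   # assumed file name
```

Step 3 matters more than it looks: the reply's warning that "all your data becomes unreadable to you, too" is exactly what happens after a reinstall without the exported key, so keep the .pfx off both boot drives. Step 4 is the quick way to prove the isolation claim instead of assuming it: an access-denied result from the regular install means the EFS protection, not the drive being powered off, is what is keeping the malware-exposed OS out of the data.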