How to: Set Up TrueCrypt Disk Encryption, Part 1
Eric Geier gives step-by-step instructions for improving laptop security by protecting your data with TrueCrypt disk encryption.
Even if your Windows (or other OS) account is password-protected, thieves can still access your drives and data using simple tools if they aren’t encrypted. Look no further than recent headlines to know the damage one lost or stolen laptop full of patient or client data can do. If you work with sensitive data, you should consider using disk encryption to protect your data from physical theft or hacking.
One easily accessible method of disk encryption for Windows users is BitLocker, a Windows feature that provides disk encryption. Unfortunately, it is only available in the Enterprise and Ultimate editions of Windows Vista and Windows 7, and in Windows Server 2008. Other Windows users will need to employ a third-party tool, such as TrueCrypt, a free, open source disk encryption tool.
TrueCrypt runs on all of the major platforms: Windows XP/Vista/7, Mac OS X, and Linux. There are a variety of encryption options, including system drive support and hidden volumes. TrueCrypt also features real-time, or on-the-fly, encryption, meaning the files within an encrypted volume are decrypted in memory only when they are actually read, never written to disk in the clear.
You can use one or more of TrueCrypt’s three encryption methods:
· File container: This is the easiest option for beginners and essentially makes a virtual drive that is, of course, encrypted. Though it’s a single file, it can contain other files and folders, similar to a zip or compressed folder. By entering the encryption password, you can mount or assign the file container to a Windows drive letter using TrueCrypt. Therefore, it will appear just like any other drive or partition when browsing your files in Computer or My Computer. Then you can copy and/or drag files into the encrypted drive. Once you unmount or restart the computer, the file container is inaccessible and remains encrypted. Since the file container is like any other file, you can still move, copy, or delete it.
· Non-system partition or drive: This encrypts an entire secondary partition or drive (where Windows isn’t installed), which can be an internal hard drive, USB flash drive, solid-state drive, or other storage device. This method doesn’t really provide any advantages over the easier method of file containers. However, if you plan to use encrypted drives long-term, you might just want to secure the entire drive or a partition. As with file containers, you have to mount the encrypted drive or partition using TrueCrypt before you can access it.
· System partition or entire drive: If you want full protection and privacy of your computer and data, you may want to encrypt the primary partition or drive (where Windows is installed). This would protect the system files, such as temporary, cache, hibernation, and swap files. This method, however, is the most complex and may require you to modify your drive partitions.
Each method has a hidden variant that provides a second layer of protection. This is useful if you are ever forced to reveal your password and encrypted data, or if someone discovers your primary password. It works by creating a decoy, or outer, encrypted volume and then placing a hidden encrypted volume inside it; the outer volume can be opened and shown without revealing that the hidden one exists. When encrypting the system partition or drive, you can even create an entire hidden Windows installation.
Setting up an encrypted file container
You can follow these steps if you want to create a standard file container:
1. Open the main TrueCrypt application and click Create Volume.
2. In the wizard, keep the first option selected (see Figure 2) and click Next.
3. We’re going to create a standard volume, so leave the first option selected and click Next.
4. Click Select File, find a location at which to create the volume, give it a name, and click Save to return to the wizard.
5. To prevent others from easily seeing the location of this file container from the main TrueCrypt window, select the Never save history option.
6. Click Next to continue.
7. If you have a favorite encryption or hash algorithm, select them here and click Next; otherwise use the default settings. To see how well each encryption algorithm performs on your PC, click the Benchmark button. After the test runs, it shows the speed at which each algorithm encrypts and decrypts data on your hardware; higher is better.
8. On the next wizard page, specify the size of the file container you want to create and click Next. Remember, you can’t modify the size later, but you can create additional file containers.
9. On the Volume Password page (see Figure 3, below), enter a password twice, following the security tips given in the wizard.
10. For an extra layer of protection, you can also use keyfiles in conjunction with the password. When you later mount the file container as a drive, you then have to enter the password and select the keyfile(s) you chose. If you prefer, you can even use a blank password together with a keyfile. Almost any file (such as a doc, mp3, avi, txt, etc.) can serve as a keyfile, and you can also specify folders as keyfiles. Keep in mind that you must choose files and/or folders that will never be edited or modified, because even a one-byte change to a keyfile makes the volume unmountable. To specify keyfiles, select the Use keyfiles option and click the Keyfiles button. Then create or select the keyfiles and click OK.
11. Click Next to continue.
12. On the Volume Format page (see Figure 4), if you have a choice between the FAT and NTFS file systems, you probably want to choose NTFS. The other default settings should be fine. Before continuing, help the tool gather randomness for a strong key by moving the mouse around the screen for at least 30 seconds. When you’re done, click Format.
13. When formatting is complete, click Exit.
Before you can start moving files into the encrypted file container, you must mount it to a drive letter:
1. Open TrueCrypt, click Select File, browse to the file, and click Open.
2. Then select the desired drive letter and hit Mount.
3. On the prompt, enter the password you created. If you created a keyfile, click the Keyfiles button and use the pop-up window to add them.
4. If you select the Cache passwords and keyfiles in memory option, the credentials stay in memory until you wipe the cache or restart the computer. Until then you can dismount and mount the file container repeatedly without re-entering the password and/or keyfiles. Note that anyone with access to the running machine can mount the volume during that time, so leave this option off on a laptop that travels.
5. When you’re ready to mount it, click OK.
Now you can double-click the volume to open it. You can also navigate to it via Computer or My Computer like other drives. Then you can start saving, copying, or moving files to it.
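The same mount and dismount steps can be scripted with TrueCrypt's documented command-line switches. The following PowerShell script is an added example, not code from the article; the TrueCrypt install path, container path, keyfile path and drive letter are assumed values you would replace with your own.

```powershell
# Added example (not from the article): mount and later dismount a TrueCrypt
# file container from PowerShell using TrueCrypt.exe command-line switches.
# All paths and the drive letter below are assumptions for illustration.
$TrueCrypt = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'   # assumed install path
$Container = 'D:\Vaults\work.tc'                           # assumed file container
$Keyfile   = 'D:\Keys\holiday.jpg'                         # assumed keyfile; never modify it
$Letter    = 'X'                                           # assumed free drive letter

function Mount-TcContainer {
    # /v  volume to mount          /l  drive letter to assign
    # /k  keyfile to use           /h n  never save history (step 5 above)
    # /c n do not cache password/keyfiles in memory (step 4 above)
    # /q  perform the action and exit without showing the main window
    # No /p switch is given on purpose: TrueCrypt prompts for the password,
    # so it never appears in the shell history or the process command line.
    $tcArgs = @('/v', "`"$Container`"", '/l', $Letter,
                '/k', "`"$Keyfile`"", '/h', 'n', '/c', 'n', '/q')
    Start-Process -FilePath $TrueCrypt -ArgumentList $tcArgs -Wait
    # Verify the mount by checking that the drive letter now exists.
    if (-not (Test-Path "${Letter}:\")) {
        throw "Drive ${Letter}: was not mounted; check password/keyfile."
    }
    Write-Host "Mounted $Container as ${Letter}:"
}

function Dismount-TcContainer {
    # /d X dismounts that letter; /w wipes any cached passwords in driver
    # memory; /q exits quietly. Run this before the laptop leaves your desk.
    Start-Process -FilePath $TrueCrypt -ArgumentList @('/d', $Letter, '/w', '/q') -Wait
    if (Test-Path "${Letter}:\") { throw "Drive ${Letter}: is still mounted." }
    Write-Host "Dismounted ${Letter}: and wiped the password cache"
}

Mount-TcContainer
# ... copy or save files to X:\ here ...
Dismount-TcContainer
```

Because the password is entered at the prompt rather than passed with /p, the script can be scheduled or shared without embedding the secret in it.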
In the second and final installment, we’ll work with the other encryption methods, discover how to automatically mount volumes, and review other tips.
Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books for brands like For Dummies and Cisco Press.