How to: Set Up TrueCrypt Disk Encryption, Part 2
In the second and final part of this series, we cover more advanced methods of configuration and mounting of this open source tool.
In the first installment of this two-part tutorial series, we learned some of the basics of configuring TrueCrypt, a free open source disk encryption tool, similar to the BitLocker feature in the Enterprise and Ultimate editions of Windows. After outlining the three different encryption methods, we configured the easiest of them, the file container.
In this second and final part, we’ll discuss more complex methods and see how to configure TrueCrypt to automatically mount.
Encrypting a non-system partition or drive
As discussed in the previous installment, you can encrypt either an entire drive or just a partition of a drive. Encrypting a non-system drive or partition (where Windows is not installed) doesn’t really give you many benefits over the easier file container method. However, if you plan to regularly use drive encryption, you might consider it.
To create a non-system encrypted drive or partition, follow these steps:
- Open the main TrueCrypt program and click the Create Volume button.
- Select the second or middle option and click Next.
- We’re going to create a standard volume, so leave the first option marked and click Next.
- Click Select Device, select the desired drive or partition on which to create the volume, and click OK to return to the wizard. If you want to encrypt an entire drive that holds only one partition, consider selecting that partition rather than the complete drive: if you apply the encryption to the complete drive, Windows and other operating systems may have problems with it.
- To prevent others from easily seeing the location of this encrypted volume from the main TrueCrypt window, select the Never save history option.
- Click Next to continue.
- If you want to keep any files or data on the drive or partition, select the in-place method, or if it’s okay to lose any files, keep the format method selected, and then click Next.
- If you have a favorite encryption or hash algorithm, select it here and click Next; otherwise use the default settings. To see how well each encryption algorithm performs on your PC, click the Benchmark button. After running the test, it shows the encryption and decryption speed of each algorithm; higher is better.
- Verify that the drive or partition size sounds right and click Next.
- Enter a password twice, following the security tips given in the wizard.
- For an extra layer of protection, you can also use keyfiles in conjunction with the password. When you mount the drive or partition, you then have to enter the password and select the keyfile(s) you've created. If you prefer, you can even use a blank password when using keyfiles. Almost any file (a doc, mp3, avi, txt, etc.) can serve as a keyfile, and you can also specify folders as keyfiles. Keep in mind that you need to choose files and/or folders that aren't going to be edited or modified, because a changed keyfile no longer unlocks the volume. To specify keyfiles, select the Use keyfiles option and click the Keyfiles button. Then create or select the keyfiles and click OK.
- Click Next to continue.
- On the Volume Format page, if you have a choice between the FAT and NTFS file systems, you probably want NTFS. The other default settings should be fine. Before continuing, help the tool generate a strong key by moving the mouse randomly around the screen for at least 30 seconds. When you're done, click Format.
- When formatting is complete, click Exit.
As with the file container method, you must mount the device as a drive letter before you can access it:
Open TrueCrypt, click Select Device, choose the drive or partition, and click OK. For security reasons, encrypted volumes are not marked as such, so they look no different from regular volumes in the list. Then select the desired drive letter and click Mount.
On the password prompt, enter the password you created. If you created keyfiles, click the Keyfiles button and use the pop-up window to add them. If you select the Cache passwords and keyfiles in memory option, the credentials are kept until you wipe or clear the cache or restart the computer. Until then you can dismount and mount the volume repeatedly without entering the password and/or keyfiles. When you're ready to mount it, click OK.
Now you can double-click the volume to open it. You can also navigate to it via Computer or My Computer like other drives. Then you can start saving, copying, or moving files to it.
Encrypting a system partition or entire drive
As discussed in the first part, encrypting the drive or partition where Windows is installed and boots from provides the best security. You can encrypt all the system and temporary files, in addition to your personal documents. Windows won’t even boot without entering the correct password. If you need double protection, you can even create a hidden Windows installation where you can work with the sensitive files and data.
Like the other methods, to get started encrypting a system drive or partition, click the Create Volume button. Then select the last or bottom option and click Next. Since this method is more complex, we won’t review it. Follow the wizard and its instructions.
Automatically mount volumes when Windows boots
If you’ve created an encrypted file container or non-system device, you might want it to mount automatically. Otherwise you’ll have to open TrueCrypt after each boot and mount it manually. Of course, manual mounting is preferable if you want the volumes to be as hidden as possible. However, remember that even automatically mounted volumes are only mounted and accessible after someone successfully logs into your Windows account.
One way to configure automatic mounting is to define your favorite volumes and then tell TrueCrypt to mount your favorite volumes when Windows boots. To do this, mount the desired file containers and/or devices. Then click Volumes > Save Currently Mounted Volumes as Favorites. Now click Settings > Preferences. Then in the third section down, mark Mount favorite volumes and click OK.
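As an added example that is not part of this article or of TrueCrypt itself, the mounting steps above and the mount-at-logon idea can also be scripted with TrueCrypt's documented command-line switches. The TrueCrypt path, device path, keyfile and drive letter are placeholders for your own setup, and the optional logon-task part assumes the ScheduledTasks cmdlets (Windows 8 or later).

```powershell
# Added example (not from the article). Mounts a non-system TrueCrypt volume with a
# keyfile; with -RegisterAtLogon it registers itself as a logon task instead, which is
# the scripted equivalent of the "Mount favorite volumes" preference.
param([switch]$RegisterAtLogon)

# Placeholders: adjust to your installation, device (as shown by Select Device; a
# container file path also works), keyfile (a file that will never be modified) and letter.
$TrueCrypt = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'
$Volume    = '\Device\Harddisk1\Partition1'
$KeyFile   = 'D:\keys\holiday.jpg'
$Letter    = 'T'

if ($RegisterAtLogon) {
    # Run this same script when the current user logs on. No credentials are stored;
    # TrueCrypt still asks for the password interactively.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME
    Register-ScheduledTask -TaskName 'Mount TrueCrypt volume' -Action $action `
                           -Trigger $trigger -Force | Out-Null
    return
}

if (-not (Test-Path $TrueCrypt)) { throw "TrueCrypt not found at $TrueCrypt" }
if (-not (Test-Path $KeyFile))   { throw "Keyfile missing: $KeyFile" }
if (Test-Path "${Letter}:\")     { throw "Drive ${Letter}: is already in use" }

# /h n = never save history, /c n = do not cache the credentials, /q = quit after mounting.
# The /p switch is deliberately omitted: TrueCrypt shows its own password prompt, so the
# password never appears on the command line, in shell history or in Task Manager.
$tcArgs = @('/v', "`"$Volume`"", '/l', $Letter, '/k', "`"$KeyFile`"", '/h', 'n', '/c', 'n', '/q')
Start-Process -FilePath $TrueCrypt -ArgumentList $tcArgs -Wait

# A cancelled prompt or wrong password leaves the letter unassigned, so verify it.
if (-not (Test-Path "${Letter}:\")) {
    throw "Mount of $Volume as ${Letter}: failed or was cancelled"
}
Write-Host "Mounted $Volume as ${Letter}:"

# To dismount later and wipe any cached credentials from memory:
#   & $TrueCrypt /d $Letter /w /q
```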
Points to remember
We covered how drive encryption, and particularly TrueCrypt, can keep our files and data safe from thieves and hackers. We configured the simplest encryption method using file containers and the more complex entire drive or partition method. Now here are some final tips to keep in mind:
- Your encrypted volume(s) can be deleted or become corrupted like any other data, so keep backups.
- Don’t forget to secure your backup procedures and backup storage areas.
- If you create a hidden volume, opening it is easy: mount the outer (regular) volume, but enter the hidden volume’s password.
- You don’t have to format partitions or lose data when modifying partitions with tools such as GParted.
Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books for brands like For Dummies and Cisco Press.