Thursday, March 09, 2006

TrueCrypt - Basic Thoughts

Probably the easiest way to get started with on-the-fly encryption is to create a TrueCrypt volume file and mount that as a Windows drive letter. The volume file (e.g. "mydrive.tc") can be stored on any hard drive and can be easily backed up as long as the volume is not mounted. Who can mount a volume is controlled with a passphrase, a set of "keyfiles", or both.

Once you have created the volume, you can store files inside it (using the mounted volume's drive letter) just like you would store files on any regular hard drive, USB/Firewire drive, or network share. It's completely invisible to the application. This makes it ideal for storing application data such as e-mail, financial programs, or other sensitive data.

For starters, I recommend creating a volume file that is protected with only a passphrase. This file should be small enough to copy off to CD or DVD media as a periodic backup. The passphrase should be something easy to remember, but difficult to guess. Punctuation and mixed-case should be part of the passphrase.

Once you have a good passphrase, you should guard against its discovery or loss. A good way of doing this is to write the passphrase down on a 3x5 index card. Fold the card in half and place it inside a folded piece of letter-sized paper. Place all of that inside a security envelope (security envelopes have a printed pattern on the interior which is designed to make it difficult to shine light through the envelope to read the contents). Seal the envelope and write your name or information over the edge of the flap, then place clear packing tape over the flap edge. Store the envelope in a secure location such as a bank vault or document safe. You should be reasonably secure against someone opening it up without discovery.

Creating and mounting the volume file:

  1. Open up the TrueCrypt window.

  2. Click the "Create Volume" button. This opens up the TrueCrypt Volume Creation Wizard.

  3. Choose to create a standard TrueCrypt volume, then click "Next".

  4. Pick a location for your volume file. I would recommend an easy-to-locate folder such as C:\ or C:\Data. Give the file a reasonable name that is not overly specific (e.g. "ZDrive.tc"). You can use a file extension other than ".TC", but a determined attacker will be able to find out which files are TrueCrypt volumes anyway. Click "Next" once you have specified where the volume file will be created.

  5. Choose your encryption and hash algorithms. The defaults (AES and RIPEMD-160) are generally good enough. Click "Next" when done.

  6. Enter your volume size. 650MB (CD-sized) or 4050MB (DVD-sized) are good values which allow you to easily back up your volume file to optical media. You can always create another, larger, volume later and copy your data from the old one to the new one. Click "Next" when ready.

  7. Enter your passphrase that you picked earlier. Click "Next" when ready.

  8. Now you are ready to format the encrypted volume. For smaller volumes (less than 1GB), I would recommend FAT. Click "Format" when finished.

  9. Click "Exit" to leave the wizard.



Now you are ready to mount your new volume:

  1. In the "Volume" section at the bottom of the TrueCrypt window, click on the "Select File..." button.

  2. Browse to and select your volume from the list.

  3. Choose an unused drive letter in the upper window.

  4. Click on the "Mount" button.

  5. You will be prompted to enter your passphrase for the volume.

  6. You may now start copying data to your new encrypted volume.
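Step 4 of the creation procedure notes that a different file extension will not hide a volume file. The check below is an added example (not code from TrueCrypt or from the original post) showing why: a volume file has no signature, reads as random data, and is a whole number of 512-byte sectors in size, so content gives it away regardless of name. The entropy threshold, minimum size, magic-number list and sample file names are assumptions of this sketch.

```python
import math
import os
import tempfile
from collections import Counter

SECTOR = 512           # container sizes are whole sectors
MIN_SIZE = 16 * 1024   # assumed floor for this sketch; skips tiny files
SAMPLE = 64 * 1024     # bytes read from the start of each file
# Headers of common high-entropy formats that are clearly not raw containers.
KNOWN_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"%PDF", b"\x89PNG", b"\xff\xd8\xff", b"Rar!")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means a perfectly uniform byte distribution."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_container(path: str, threshold: float = 7.9) -> bool:
    """Heuristic: sector-aligned size, no known header, near-random content."""
    size = os.path.getsize(path)
    if size < MIN_SIZE or size % SECTOR:
        return False
    with open(path, "rb") as fh:
        sample = fh.read(SAMPLE)
    if sample.startswith(KNOWN_MAGIC):
        return False
    return shannon_entropy(sample) >= threshold

def demo() -> dict:
    """Constructed sample files; names and contents are made up for the example."""
    mib = 1024 * 1024
    samples = {
        "ZDrive.dat": os.urandom(mib),                      # stands in for a renamed volume
        "notes.tc": (b"plain text line\n" * 70000)[:mib],   # .tc name, ordinary text inside
        "blob.bin": os.urandom(mib + 100),                  # random, but not sector-aligned
        "archive.zip": b"PK\x03\x04" + os.urandom(mib - 4), # random body, known header
    }
    results = {}
    with tempfile.TemporaryDirectory() as folder:
        for name, content in samples.items():
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[name] = looks_like_container(path)
    return results

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:12} {'candidate' if hit else 'ignored'}")
```

Any headerless high-entropy file of sector-aligned size is flagged, so a hit marks a candidate for closer inspection and is not proof that the file is a TrueCrypt volume.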

Sunday, March 05, 2006

TrueCrypt

I've been looking for a good disk encryption system for a while. In the past few years, I've been using PGP's PGPDisk tool with good success, but there have been a few annoyances.

- Difficulty interacting with Windows XP: drives have to be mounted at bootup or they won't show up after being mounted. This made it difficult to keep PGP volumes on DVD-R for ad-hoc mounting to refer to information contained within the encrypted disk.

- PGPDisk does not remember how to mount disks at the previously mounted drive letter. (Something that DriveCrypt did very well.)

- Pricing. The PGP suite with PGPDisk has gotten more and more expensive over the years. It used to be available for well under US$100 with no subscription but now costs US$80/yr for each user. That cost precludes using it for more than a handful of users.

So, with all that in mind, I've been looking at TrueCrypt, which is a replacement for the PGPDisk tool. It offers the same functionality, but is open-source and free.

Note: Disk encryption works in two ways.

1) You create a file on your hard drive that contains a virtual drive. The PGPDisk / TrueCrypt / DriveCrypt software allows you to mount this file as a drive letter on your system. Any data inside of that virtual drive is encrypted on the fly. When the drive is not mounted, the data is safe from prying eyes.

2) You create an encrypted partition on a dedicated hard drive (or a partition on a hard drive). This is called "whole disk encryption" by some vendors. It has some advantages over the file-based method but mostly works in an identical manner.

...

So why should someone use disk encryption?

The easiest scenario to sell is with someone who uses Quicken or MS Money to manage their finances. This is the primary reason that I started using disk encryption back in 2000. Since I keep my Quicken program on my laptop, I want to protect my financial data in case the laptop gets stolen. By storing my Quicken files inside of an encrypted volume that is rarely mounted, a thief who steals the laptop will not have access to those files.

In addition, if the hard drive fails, I don't have to worry about getting it back up and running to wipe the data before getting a replacement.