Hard drive encryption sounds like an intimating concept, mostly because it is. The thought of taking your precious files, then using a mathematical formula to convert them into random noise before scattering them back across your disk is a hard sell. The harsh reality is, mobile computing is on the rise, and so is laptop theft. Depending on who you ask, anywhere from 500,000 to over 1,000,000 laptops are lost or stolen in the US each year. In some cases, the data on the hard drive is often more valuable than the machine itself.
To determine if disk encryption is something you should be considering, simply ask yourself if your PC contains anything you wouldn’t want posted publically on the internet. If the answer to this is yes (and I assume for most of us it is) then encryption is worth considering.
What you'll Need:
* A Windows/MAC/Linux PC
*A Hard Drive (Or Any Detachable Media)
* 30 Minutes For Each 100 GB of Hard Drive
Space Encrypted (Estimate)
True Crypt Installer
- ISO Burning Software
The good news is you no longer need to be a member of the CIA to lock down your machine with government level encryption. In fact, one of the most highly regarded and powerful encryption tools available is both free, and open source (our favorite combination!) True Crypt allows you to protect either all your data, or only what you choose. You can mask your boot drive and sensitive documents, while leaving your games or other non generic data in the clear. While no encryption process is without risk, True Crypt is designed to put your mind at ease, and takes no chances with your data. The process can be reversed at any time even without being able to boot into windows.
So if you're ready to get started click the jump to learn step by step how to protect your data.
Upon entering TrueCrypt you will notice that the interface is very simple and well laid out. The majority of the UI displayed on the main screen (shown above) has more to do with the primary focus of TrueCrypt up until version 5; the mounting and unmounting of encrypted file containers. These are for user’s who don’t feel the need to encrypt their entire drive. TrueCrypt allows you to create a single file which is essentially a huge blob of encrypted data. Using the above interface you are able to mount this file as volume which will appear to Windows as a standard drive. Once done, you will be able to read and write from the drive while TrueCrypt provides on the fly encryption/decryption.
This is an elegant solution if you merely wish to protect a group of files and not your entire partition. For super sensitive information this isn’t really your best bet however. If your primary drive is unencrypted, parts of files you are working with may be cached locally in non encrypted areas of the drive. Generally office suites will maintain a revision cache as a hidden file in the same directory as the original, but content can transparently jump into your windows swap file as well.
The most useful application for using this method is in conjunction with a USB key. By creating a blob of encrypted data and carrying around the truecrypt.exe file, you can securely transport data that is safe even if you lose your thumb drive.
Assuming that you're ready to move ahead and encrypt your system drive, follow along through the next set of steps. If you determined based on section 1 that an encrypted container will suit your needs, you can simply click on Create Volume within the main screen. The steps that follow are very similar to what you find when you encrypt a system partition, so you can still follow along.
To start encrypting a system partition begin by clicking the System tab in the top left hand side of the window, then select Encrypt System Partition/Drive. The correct menu option is highlighted in the screen shot above.
The first choice you will have to make during the encryption process gives you a pretty good overview of just how many scenarios this suite was designed to handle. If you select the Normal system encryption, each and every sector of your hard drive will be converted to what looks like random noise and can only ever be read with your master password. Most people will want this option.
The Hidden encryption method actually allows you to create two mirror OS’s protected by different passwords. Using this method, should you be coerced into entering your password by a third party, you will have the option of using a password that presents them with a version of your OS which is completely insulated from the other. Applications for this feature for average citizens are somewhat limited, but 007 if you're reading this section, this one is for you.
Generally if you're using a home brewed PC it is safe to click Yes here, thereby allowing True Crypt to encode the host protected area. If you are using an OEM machine on the other hand, some of these systems store recovery data and RAID drivers in this area. The best way to determine if it is safe to encrypt the host area is to check and see if your system has any kind of built in recovery tools accessible during startup. If you do, and you cannot locate these files on a separate partition, your host area may be in use and shouldn’t be encrypted.
If you're not sure it’s best to say No. The information stored in the host protected area is generally not sensitive and if you answer this one incorrectly your system may simply refuse to boot following the encryption. If you do answer this incorrectly and your system refuses to boot fear not, everything we are doing here can be undone outside of Windows. Worst case scenario is that you're forced to decrypt using the rescuce CD and start over. This process is covered in the troubleshooting section. Answer the question to the best of your knowledge and click Next.
It is very important during this stage of the installation that you accurately identify if you are dual booting into multiple OS’s. Since TrueCrypt writes its own boot loader to the first sector of the drive, failure to answer this correctly will result in your boot loader being over written. Currently the only multi boot loaders that are support are the Windows MBL (this is default interface that automatically installs with Windows 2000, XP, or Vista) and the Linux alternative Grub.
If you select Multi-boot TrueCrypt will move your boot loader from the maser boot record to another sector on the hard drive, out of harm’s way. When you are ready to proceed, click Next.
TrueCrypt is a very full featured encryption tool and the author's commitment to customization shows. When you reach the encryption options step (shown above) you will be able to pick from the dizzying array of encryption algorithms built in. But for those of you who don’t feel like putting in years of research on learning the differences of each, I highly recommend selecting AES.
Advanced Encryption Standard, which is also known as Rijndael is the encryption standard used by the U.S. government and is widely regarded as a benchmark in terms of security. In addition to being very robust, it is surprisingly lightweight computationally. What does all this mean? It gives you super strong protection and very fast encryption/decryption. This is becomes extremely important since everything you do from now on will need to be encrypted/decrypted on the fly. The default Hash Algorithm – RIPEMD-160 is a good match and doesn’t need to be changed. When you are ready to proceed, click Next.
The next screen will allow you to set your master password and this step is by far the most important yet. Many people out of habit, and convenience, select relatively weak passwords. And while a simple three letter password might be good enough to protect your Maximum PC comment account, you wouldn’t actually use “dog” to protect your bank accounts would you? Below the password selection window True Crypt will give you some tips for selecting a good password. In addition here are some practical and sound tips for selecting a password.
TrueCrypt is going to strongly recommend that you select a password that is 20 characters or more. Selecting a password of this length, with a good mix of non dictionary alpha numeric’s, is generally considered “unguessable”. The only way to unlock a properly encrypted system would be to use a method known as brute force. This method essentially tries every combination of characters until it stumbles upon your password. Usually, they make use of the dictionary to help narrow down the choices. Assuming you aren’t using common words, a 20 character password could take decades to brute. Anything less will reduce the amount of time it would take a crack your code, but is still ultimately much more secure then when you started. If you don't think you can remember a 20 character password just continue ahead. You're better off picking a smaller password you can remember, then a longer one you will forget. .
Need to use words for the dictionary? Try using them backwards, or splice in upper and lower case letters or punctuation.
Using a number combination that might be guessable? Try using the shift key to turn them into random looking symbols.
Make sure you can remember it! In the next step we will build an ISO CD that will be able to restore your computer to its current state but if you forget your password 2 months from now your out of luck. TrueCrypt offers no means of recovering you're password, lost passwords are gone forever, along with your data.
If you absolutely have to write it down, don’t stick it to your monitor!
The guys at TrueCrypt clearly leave no details to chance and now give you the opportunity to salt your encryption keys by using random data generated by your mouse movements. It’s important to notice that this step, though comforting, is highly unnecessary. Before you ever move your mouse you can see from the content pool that a great deal of information already exists. This is because TrueCrypt is taking random data from all over your system before you even begin. This includes information from clocks, globally unique ID’s, serial numbers from hardware components, etc.
My point here is to simply let you know that wearing all the material off your mouse pad during this step won’t help you much. Slowly swirl your way slowly down to NEXT and click past the screen shown below that display’s a snippet of your encryption keys.
The next few screens are going to walk you through creating a rescue CD which is a required step for a very good reason. If something goes wrong during the encryption stage the rescue CD is the only tool that will allow you to recover your data. The rescue CD contains a utility which will allow you to decrypt your drive or restore your master boot record if it ever becomes damaged. Damage to the MBR can happen in many ways, but it is most often caused by some invasive form of DRM that embeds itself in the MBR or some form of malware like a root kit. Essentially anything that writes to the MBR following the installation of TrueCrypt stands a pretty good chance of making your system unbootable.
Your rescue CD is your first and last line of defense here. In the troubleshooting section we will go over how to use the rescue CD should something ever go wrong. In the dialogue box above you’re a picking a path where TrueCrypt will deposit the recovery CD's ISO file. After clicking Next you will be reminded again to burn the ISO to CD and this is where CDBurnerXP (free CD burning utility) comes in handy. This step can be “faked” by using an ISO mounting tool such Windows Virtual CDROM but doing so is not recommended and should be done so at your own peril.
It is also important that you create a Rescue disk for each separate computer you encrypt. The reasons for this are explained in the troubleshooting section if you are interested.
Assuming you were successful in verifying the rescue CD TrueCrypt will give you the option to move ahead.
If the disk you are encrypting is new, this step won’t be necessary. Essentially what TrueCrypt is allowing you to do here is to wipe any data that you have deleted previously, but might still be recoverable using third party tools. Because True Crypt will only encrypt your current or new files, everything done and deleted in the past will still in the clear.
You have several wipe options available to pick from and they range in both the amount of time needed, and effectiveness. The higher options also defiantly suffer from a high rate of diminishing returns. 3 pass setting is generally enough to defeat all but the most advanced and expensive governmental tools, while the 35 pass setting is insanely overkill and generally a waste of your time. Depending on the size of the drive, and the setting selected, this step can range from a few hours to several days. Once you're ready to continue click Next.
Next True Crypt is going to test your memory by restarting your computer, and giving you the opportunity to enter your master password for yourself.
If you fail to enter the password successfully (or have forgotten it) do not fear, your still safe at this stage. Following the reboot TrueCrypt will bring you back into Windows where you will be forced to reconfirm your master password. Since no encryption has been performed yet, this is simply a test to make sure you have your login information memorized. From this point forward, forgetting your master password will result in 100 per cent data loss (except the backups you made right?).
Now simply Click Encrypt to begin the process. You will still be able to use the OS while the encryption process is underway. The TrueCrypt driver keeps track of what data is, and is not encrypted, and operates completely transparently
Congratulations you're all done! If you ever run into any issues while booting, continue on to the troubleshooting section for a look at how to use the rescue CD.
The issue you are most likely to encounter at any given point is a corruption of your MBR. This will prevent you from being able to enter your password, and will likely result in errors that would suggest you are dealing with an empty drive. If this proves to be an ongoing problem, the most likely culprit is a recently installed application with an invasive form of DRM, or a root kit. Keep in mind here that all troubleshooting steps require your password. If you forget it, TrueCrypt cannot help you recover it. Any back doors or secret methods of decrypting the drive would defeat the security benefits.
When the Rescue CD boots up (shown above) you will have the option to either:
This restores your system to its original state. You data will once again be in the clear, as it was before. Your password will be required to begin the decryption, and it’s important to note that if you are encrypting several computers, you will need to keep separate CD’s. This restore function, as well as all the tasks listed below are specific to the password you chose before creating the disk. If your password becomes compromised and you decide to change it, you should destroy the old CD as it can be used to decrypt your machine using the old passphrase.
This will repair a TrueCrypt system that refuses to boot. The rescue CD however cannot restore you password. The password is the cipher used to decrypt the information on your hard drive. The TrueCrypt boot loader is simply the means of entering it.
If for any reason your password should fail to enter (and you're sure you typed it in correctly) run this function. It will prompt you to enter the password again, only this time it will be verified using encrypted data on the CD. Assuming that it matches the information encoded on the Rescue Disk, it will repair the entry on your hard drive.
If you used step 1 to decrypt your drive, and you had a multi-boot loader installed prior to TrueCrypt's installation, you will want to run this step. When combined with step 1, your system will be completely restored to it's pre-encryption state.