Executive Summary:
| With the encryption tool TrueCrypt, unlike with other file-based security encryption products, you specify the maximum total size of the container when you first create it. TrueCrypt then encrypts the entire container, including unused free space within the container. For example, if you create a 1GB container but store only a few files totaling less than 100KB within the container, no one will be able to surmise the size or contents of the files in your container. TrueCrypt supports encryption of files and volumes on a flash drive, hard drive, CD-ROM, or DVD. |
What sets the TrueCrypt encryption tool apart from other encryption programs is its ability to hide an encrypted volume within another encrypted volume for extra security. This means that if someone steals your flash drive, the thief won’t know how large your inner encrypted volume is or if the outer volume is actually a decoy—even if you’re forced to give up your password. TrueCrypt's transparency and ease of use lets you conduct on-the-fly encryption and decryption of your data files. Using this free, open-source encryption tool, you create an encrypted container on your hard drive, flash drive, or other storage media (e.g., CD-ROM, DVD), which you can use just like a typical local drive—your OS won’t know the difference. In TrueCrypt's traveler mode, you can run it directly from a flash drive on any computer for which you have administrator rights.
How TrueCrypt Works
The concept of TrueCrypt is straightforward: You run the program and create a container, which can be a single file or a partition or device. You enter the correct password or keyfile, and TrueCrypt permits the OS to mount the encrypted container as a local drive. Your OS can read and write data from the encrypted container as if it were a regular storage device, but the data always remains encrypted on the storage device.
TrueCrypt encrypts and decrypts the data to and from the container and stores decrypted data only in RAM. Unlike with other file-based encryption products, such as WinZip, you specify the maximum total size of the container when you first create it. TrueCrypt then encrypts the entire container, including unused free space within the container. For example, if you create a 1GB container but store only a few files totaling less than 100KB within the container, no one will be able to surmise the size or contents of the files in your container: They will see a 1GB encrypted object. Of course, you must still be wary of functions in the OS, such as the swap file and hibernation, which write memory data to unencrypted portions of the hard disk, or programs that read data from your encrypted location but then save portions of it as temporary files in unencrypted temporary directories such as %temp% (some word processors used to do this). TrueCrypt encrypts data across platforms, so you could create an encrypted FAT volume on a flash drive in Windows and mount the flash drive and decrypt the contents from another computer running Linux. The TrueCrypt Web site provides precompiled binaries for both Windows and Linux.
Getting Started with TrueCrypt
You can download the latest compiled versions of TrueCrypt (http://www.truecrypt.org/downloads.php) for Windows Vista, Windows Server 2003, Windows XP, and Windows 2000, or Ubuntu or openSuSE Linux, or download the source code and compile it yourself. The Windows version includes a setup program as well as an independent executable and device driver called the traveler version. Copy the traveler version to your flash drive to access your encrypted data from any computer on which you have administrative rights. The program even supports AutoRun, which simplifies mounting your volume when you insert the flash drive.
The program is intuitive, but I recommend that even the tech savvy review the table of contents in the 92-page user’s manual. The manual goes into detail about how the program works, even down to how the encryption and hashing algorithms are used. Plus it gives you essential tips about the advantages of different configurations—for example, how to create a hidden encrypted container, when to use dynamically sized volumes, when to use FAT instead of NTFS for your encrypted containers, and how to back up your volume headers, which could prevent you from losing data. The guide also details each of the tool's command-line options.
Creating Your First Encrypted Container
The first time you use TrueCrypt, you need to create an encrypted volume, mount it to the file system, and assign it a drive letter. Then you can add or remove files from this virtual drive as if it were another local drive: Your applications won’t know the difference. In fact, the entire file allocation table, data, and even free space will be encrypted within this container.
Figure 1 shows a sample of the TrueCrypt main program where you can create a volume, mount a volume, and access the program's other features. To create a volume, click Create a Volume. Next, you will be asked whether to create a standard or hidden TrueCrypt volume. If you are creating a brand new TrueCrypt volume, you must choose to create a standard volume. After you create a standard volume, you can choose to create a hidden volume within it. Hidden volumes are a second level of protection designed to thwart attackers if you're forced to give up the password to your standard volume. Because the entire TrueCrypt standard volume is encrypted regardless of the number of files in it, an attacker who mounted your standard volume using your password would have no idea that a second, hidden volume existed. If you require this higher level of security, you would create the hidden volume within the free space of your standard volume. The program walks you through the procedure, which is actually very easy, but it does require a second set of credentials to access. To access the hidden volume, you would mount the primary volume and then the hidden volume. You’ll want to read more of the details in the user’s manual for successfully creating a hidden volume as there are some caveats: for example, your outer standard volume must be FAT and not NTFS.
After you choose to create a standard volume, choose the volume location, either a file or device. If you choose a file, the program will create an encrypted volume represented as a file. An attacker can’t access the contents of this file, as it is completely encrypted, but could copy or delete it. If you choose a device, then TrueCrypt will encrypt the entire hard drive partition, flash drive, or other storage device. Note that if you encrypt an entire flash drive, you can read it only on a computer that already has TrueCrypt installed. Consider an alternative—creating a smaller encrypted volume as a file on the USB drive and also copying the TrueCrypt traveler binaries to the same flash drive. Then you can access your encrypted data using only what’s on the flash drive.
Click Select File and choose the name of a new file, which will be the encrypted container. In this example, I chose d:\ Sensitive Data.tc. Next, choose the encryption and hash algorithm to be used. TrueCrypt supports several algorithms including Advanced Encryption Standard (AES), Serpent, and Twofish, plus the ability to cascade multiple algorithms, such as first encrypting with AES and then with Serpent.
TrueCrypt offers a cool feature that lets you benchmark the performance penalties of using different combinations of encryption algorithms. For example, on my system Twofish was the fastest, AES-Twofish was approximately half as fast, and AES-Twofish-Serpent was about a quarter of the speed of Twofish. Ultimately, your choice of algorithm will depend on the sensitivity of the data you're protecting together with the frequency of access and size of the data. (That is, how long do you want to wait while TrueCrypt dynamically encrypts and decrypts your data?)
Next, set the size of your encrypted volume. Remember that both the data and free space of your container will be encrypted. When prompted, choose a strong password to protect your volume. You can also use keyfiles. Not to be confused with public key infrastructure (PKI) arrangements or certificates, keyfiles are actually text or binary files that you specify (or can randomly generate) combined with a password to create a more complicated authentication scheme that's highly resistant to brute force attack. You would store your keyfile on media separate from your TrueCrypt volume. As another scenario, you could use keyfiles to permit shared user access. For example, you provide a password and your keyfile, and your colleague provides a keyfile. Only when you both provide your keyfiles can your shared data be decrypted.
The last step to creating your encrypted container is to choose the volume format, either FAT or NFTS, and format the volume. During this process, TrueCrypt randomly creates the crypto keys used to secure your data.
After the volume has been created, you must mount it in order to use it. First, click Select File or Select Device and navigate to your newly created container. Select the local drive on which to map the volume, then select Mount. Enter the password, and if applicable, specify the keyfile(s) for your container, and click OK to mount the volume. When successful, you’ll mount your encrypted container to a drive and your OS will recognize it just as it would any other local drive, which you can see in Figure 2.
Creating an encrypted file on a USB flash drive is just as easy. Now you can rest assured that should you lose your flash drive, even elite attackers will have a difficult time accessing your data.
