Use TrueCrypt and Close Security Holes With Open Source Encryption
By Ian Harac PCWorld
TrueCrypt is a powerful, free, open source program that allows you to create encrypted volumes on your computer, or to encrypt entire disks, including your system disk. Furthermore, it allows you to create hidden volumes, or even an entire hidden operating system.
Proper computing practices can usually keep people from attacking your system remotely, but there’s still a high risk if they gain physical access to your computer or your drives. Encryption programs such as TrueCrypt render the actual stored data unreadable without the proper key, making it difficult to even determine which parts of the encrypted disk hold data and which hold random gibberish. This imposes very few limits on ordinary system use, as modern encryption software is extremely fast and performs on-the-fly encryption and decryption with a very minimal speed hit.
TrueCrypt can be used by anyone, but it sometimes delves into technical terms. The documentation is very extensive, however, and should be understandable to anyone who is in a position to use or need this kind of software.
There are two modes of using TrueCrypt. The first, the easiest for most users, is to create an encrypted volume as a file on an existing disk. This requires a good chunk of free space, though that depends on how much you want secured–if it’s just a few Excel files or the like, you can make a very small volume; if it’s extensive archives, you will need a lot more space. Once the file is created, it can be mounted like any other Windows disk, and files can be read from it and written to it. All programs just treat it like a normal drive: The TrueCrypt drivers intercept all read and write requests, processing the data transparently. Without the password (and/or a key file), no one else can mount that volume, and anyone who copies the encrypted volume will just have random bytes. (Usage tip: This doesn’t apply if they can access your system while the volume is mounted and the decryption is running; they will then see the files just as you do. So keep your firewall secure and if you’re in a shared environment, set TrueCrypt to dismount shared volumes after inactivity.)
The second mode is full-volume encryption. This can be a non-system partition, or you encrypt your system drive. Doing the latter provides the maximum in security, since it means that all of the things Windows stores without your knowledge, such as system restore points, temp files, and other clutter, will also be encrypted. It also means that if you ever forget your password, you cannot boot your computer. TrueCrypt will insist you make a recovery CD in the event that the boot level drivers on the encrypted disk become corrupt, but use of the CD still requires you to know the password, and there’s no way to recover or reset the password if you’ve forgotten it.
Encrypting an existing disk can be a time-consuming process; it took about 20 hours to encrypt my 1TB USB drive. While this process can be safely paused, the disk cannot be mounted while it’s being encrypted. If you encrypt your system disk, TrueCrypt will do it without locking up your computer, but it takes a long time to complete. These actions are best saved for a time when you don’t plan to use your computer for a while.
TrueCrypt has the ability to create hidden volumes, which are useful if you fear you will be forced to reveal a key due to what some call “rubber hose cryptanalysis.” Basically, Key 1 unlocks a volume and reveals files and data. Key 2, applied to the same volume, reveals different files. Because the free space on an encrypted volume is random data, it’s very difficult to prove that a volume contains hidden data.
TrueCrypt is free, powerful, and flexible. I strongly recommend it if you’re looking for a disk encryption solution. It’s probably enough for most users to set aside a few dozen gigabytes for an encrypted volume to store your most sensitive information, but if your need for security is greater, TrueCrypt will meet it.