Encrypting Your System With TrueCrypt
...A personal journey
(O.K., that's a little hokey, but I was told I needed to humanize this rather dry article)
Last week an article was posted to Solosez from an attorney whose client had their laptop stolen, complete with a whole lot of personal and sensitive client information. The attorney was looking for advice on how to counsel the client on what to do in the wake of the theft and the potentially serious exposure of private client info. Not being an attorney I didn't have a lot to contribute to the conversation but it got me to thinking about how much better it is to lock the barn than to try and contain the damage after the horse has been stolen. So, I wrote a quick blog article about it which you can find here.
That blog entry got pointed out on Solosez and a small hue and cry arose, both in the group and in my private e-mail, for me to write an article on HOW to use TrueCrypt to encrypt a laptop or mobile device. That's what I get for opening my big mouth I guess!
So...it was time for me to flatten and rebuild one of my netbooks anyhow and I decided this would be a good chance to go ahead and document the TrueCrypt process so that others feel more comfortable giving it a try. So here we go...
First thing I did was install Windows 7 Enterprise on this netbook. Yes, I could have used one of the lighter versions but this netbook has a 160GB hard drive and 2GB of RAM and it was easier to use the version of Windows 7 I had close at hand. Besides, I want to see how well the Enterprise version runs on a netbook - if it runs well then I know the lighter versions will run even better. If I don't like it I can always redo.
In the course of this install I reformatted the hard drive so I could start clean and ended up with a single 150GB (or so) partition formatted for NTFS (the default). It's NOT necessary for you to reformat or rebuild your machine in order to encrypt it - I just happened to be doing so. TrueCrypt is perfectly happy to install on an existing machine.
Once I had Windows 7 installed and running I downloaded the most recent version of TrueCrypt (6.3a) and ran the installer for it. TrueCrypt is free.
The setup routine begins by presenting you with a Terms of Service for you to read and approve. Yes, I actually DID read the Terms of Service - they're pretty innocuous. They mostly concern the terms of how you can incorporate TrueCrypt into your own applications and that the software is offered As-Is. Not much there that will be of concern to end users. I accepted it.
The next step in the install offers you a screen of options such as whether or not you want to place icons for TrueCrypt on the desktop and what folder you want to install it to. I accepted all of the defaults, except that I DID NOT want to put an icon for TrueCrypt on my desktop. Once I was satisfied with those options, I clicked the "Install" button. It took roughly 30 seconds to complete, then the install was successful.
At the conclusion of the install TrueCrypt offers to let you view a tutorial on how to use the product. If you're not familiar with TrueCrypt then I strongly encourage you to do so. You can find a version of that tutorial online, without downloading anything, here. Once you're done with the tutorial click Finish and the install is done. So far I'd spent probably 15 minutes on TrueCrypt - including downloading time and reading the Terms of Service.
The install is only the first part, however. Now that you've installed the TrueCrypt application it's time to actually encrypt the drive. Let me warn you now, however...this step can take quite a bit of time! My ~160GB hard drive required about FOUR HOURS to encrypt. If you don't have that kind of time right now you can stop here, with TrueCrypt installed but nothing encrypted, and come back to it later. I needed to get this article done, though, so I pressed on...
Second stage...run TrueCrypt. I clicked Start, found TrueCrypt on my programs list and ran the program.
The program opens, showing me a list of drive letters that I can create encrypted volumes on and options to auto-mount devices and such. My intention is to encrypt this entire laptop, however, so I don't care about any of that. To get to the option I want I click the "System" menu at the top and the very first option on the menu is "Encrypt System Partition/Drive." I select that option and it asks what type of volume I want to create - normal vs. hidden.
Hidden volumes are great, if you're worried about being taken hostage and having the password for your TrueCrypt data tortured out of you. I'll spare you the technical details of how they work, if you care you can read more about them here. The premise is that you can have your real data inside the hidden volume while you have harmless stuff in the regular volume. After they take you off the waterboard you give them the password to the regular volume and they think they've gotten what they want...but little do they know...the real data lives within the hidden volume. (twist moustache)
I selected "normal."
TrueCrypt asks if I want to encrypt the whole drive and I selected "Yes". It also asked if I want to encrypt the Host Protected Area and since I can't think of any reason, off-hand, not to I said "Sure". (Yes)
At this point Windows 7's User Account Control did its job and asked if I wanted to allow these changes. You betcha. I clicked "Yes".
TrueCrypt went about trying to detect any hidden changes and then asked if my system was single boot or multi-boot. That means - do I have multiple operating systems that I bounce back and forth between or do I just always boot the same operating system. This machine is just a straight Windows 7 box so I selected "Single Boot". (so will most of you).
Next TrueCrypt asked what encryption algorithms I wanted to use. The default is Advanced Encryption Standard (AES), 256-bit. I'm fine with that for this application, so I accepted it. TrueCrypt also asked which hash algorithm I wanted to use. The default is RIPEMD-160. If you're passionate about your hash algorithms you can choose something else like SHA-512 or Whirlpool. I opted for the default.
Then TrueCrypt asked me to assign a password for my volume. This is important - the process is only as good as your password. If you use "Hello" it doesn't matter how strong your encryption is, that password will give up long before the rest of the system does. I used "Open Sesame". Yes, I really did! (No, of course I didn't!) TrueCrypt encourages you to use a passphrase that is at least 20 characters long. I'm not sure it really needs to be quite THAT long, but longer is definitely better. Use a phrase, with spaces, to make it easier to remember and type. Use of mixed case, symbols and numbers can help as well.
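To put numbers on "only as good as your password", here is an added example (not part of the original article and not TrueCrypt's code). It stretches a passphrase with PBKDF2-HMAC-SHA512, then compares a short password with a long random-word passphrase; the iteration count, salt, word list, sample passphrase and guess rate are all assumptions made for illustration.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 1000        # assumed for illustration, not read from TrueCrypt
SALT = os.urandom(64)    # constructed sample salt
# Constructed list of obvious choices, including the ones this article names.
COMMON = ["password", "Hello", "Pizza", "Open Sesame", "letmein"]

def derive_key(passphrase, salt, iterations=ITERATIONS):
    """Stretch a passphrase into a 64-byte key with PBKDF2-HMAC-SHA512."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"),
                               salt, iterations, dklen=64)

def search_space_bits(symbols, alphabet_size):
    """Bits of search space for independent, uniformly random picks.
    A human-chosen word such as "Hello" is far weaker than this bound."""
    return symbols * math.log2(alphabet_size)

def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def find_in_wordlist(target_key, salt, wordlist):
    """Return the listed candidate whose derived key matches, or None."""
    for candidate in wordlist:
        if hmac.compare_digest(derive_key(candidate, salt), target_key):
            return candidate
    return None

def demo():
    weak = derive_key("Hello", SALT)
    strong = derive_key("nine purple otters juggle maps quietly", SALT)  # constructed
    return {
        "weak_found": find_in_wordlist(weak, SALT, COMMON),      # listed, so it falls
        "strong_found": find_in_wordlist(strong, SALT, COMMON),  # not listed
        "bits_5_letters": search_space_bits(5, 52),    # 5 random mixed-case letters
        "bits_6_words": search_space_bits(6, 7776),    # 6 random words from 7776
    }

if __name__ == "__main__":
    result = demo()
    print(result)
    for name in ("bits_5_letters", "bits_6_words"):
        # 1e6 guesses per second is an assumed rate, not a measurement.
        print(name, "%.3g years" % years_to_exhaust(result[name], 1e6))
```

The strength of the encryption algorithm never enters the comparison: the short password fails because it is on the list and its search space is tiny, which is exactly the weak link described above.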
TrueCrypt also asked if I wanted to use keyfiles. Keyfiles are a neat idea - something you use in conjunction with your passphrase. This gives you a second factor of authentication (the passphrase is something you know, the keyfile is something you have). If I were creating a high-security encrypted volume, for example on a storage server or external hard drive, I would probably use a keyfile. For this laptop, however, a good strong passphrase will suffice. If we're honest the decision was academic because keyfiles are currently not supported for system encryption.
From there the next screen asked me to move my mouse around in the window. This probably seems silly - what's it for!? What it's doing is generating a random number for the master encryption key. You don't have to care what that means, just know that the more (and more randomly) you move your mouse around the more secure it will be. So just indulge it, move the mouse around in the window for at least a minute or two, pretend it's an Etch-a-Sketch and draw your favorite cartoon character or write your girlfriend's initials inside a little heart. Whatever - just dance the mouse around in the window for a minute or two. When you're done with that click NEXT.
Now the Windows UAC steps up again and once again asks you to confirm that you want to allow changes. Once again, I clicked "YES".
You'll get a message that TrueCrypt has generated the keys and you can just click "Next."
The next step is designed to protect you against something bad happening in the encryption. It asks you to create a Rescue Disk. TrueCrypt will create an ISO file that has the information it would need to restore your system to its present state. Just in case. Have it create the ISO file, then burn it to a CD. TrueCrypt will ask to see that CD before it will proceed! "But wait! I have a Netbook! It doesn't have a CD drive!". If you have an external CD-ROM drive, use that. If not, you can use something like Virtual CloneDrive (Free) to mount an ISO file as a CD-ROM drive. Don't worry, it's not hard to do and it will satisfy TrueCrypt.
You will want to copy that ISO file off onto a safe storage place, however. If not a CD-ROM then perhaps a flash drive? I've never had TrueCrypt fail or corrupt my drive, but better safe than sorry.
Once the Rescue Disk has been verified TrueCrypt will ask you just one more question...what Wipe Mode do you want to use. Wipe mode carefully overwrites deleted data within the volume. It really only matters if you think that somebody will be able to decrypt the volume and then try to un-delete deleted data. I think that's pretty unlikely so I just left it set to "NONE" (the default) and continued from there.
At this point TrueCrypt is going to run a pre-test to make sure it can do the encryption o.k. I've never seen this fail so I can't tell you what happens when it does. During the test your system will reboot, you'll be asked for the TrueCrypt password that you gave it earlier, and then Windows (or whatever your OS is) will boot up and the pretest will have successfully completed. TrueCrypt will automatically resume at that point and ask you to go ahead with the rest of the encryption. I clicked the "Encrypt" button.
TrueCrypt showed me some hopefully-not-necessary rescue instructions to tell me what to do if the imminent process were to fail somehow, and asked me to click OK when I was ready to continue. I clicked OK, the Windows 7 UAC came up one last time to ask me to confirm that I want it to allow changes and I said "Yes". Then I had to click "Yes" because my computer doesn't recognize spoken commands like that. (Yet)
Thus began the encryption process. TrueCrypt displays a nice status screen that tells you what percentage it has done and what the estimated remaining time is. It took my system somewhat over 4 hours to complete. When the process was finally done, the system rebooted and I was asked for my TrueCrypt passphrase. I entered it, Windows booted and...now it's done.
I now have an encrypted mobile device. If it's lost or stolen the bad guys will have the hardware but it's going to be VERY difficult for them to get at the data without the passphrase. Most likely they'll just have to reformat it blank and then resell it as blank hardware. That would suck for me, but not nearly as much as it would suck to have to call each of my clients and tell them I lost their confidential data and work product.
Go on, do it. You need to. When in doubt, you can generally accept the default setting and it should be fine.
Can It Be Broken?!
Recently a bit of alarm was sounded by folks who heard about Passware's product which claims to decrypt TrueCrypt volumes. Yes, you do need to have access to a Firewire port in order to do it but if you don't have one the bad guys could just take your hard drive out of your computer and mount it in a box that does. HOWEVER...
Your computer has to be on and the encrypted drive mounted in order for this to work. If it's on and mounted then they ALREADY have access to the contents of the drive. This tool simply lets them decrypt the contents of the drive for future use.
Best practices dictate that you turn your encrypted computer OFF when you're done using it. Don't put it to sleep or hibernate it - that leaves the decryption keys in memory and makes Passware's attack possible.
If you turn your computer off when you're done with it then your TrueCrypt encrypted drive should be safe and secure. (You did use a GOOD passphrase for it, right? Not "Hello" or "Pizza"?)