Data at Rest Remains Secure With TrueCrypt
Protecting data in motion is only part of the security puzzle. What about data that's sitting on a hard drive or thumb drive? TrueCrypt brings strong encryption to data at rest.
In past articles we’ve looked at how to encrypt data to protect it “in flight” as it passes from one computer to another over the Internet. In this article we’ll look at protecting data “at rest,” stored on a laptop or desktop computer, on a removable disk, a data CD or DVD, or on a USB memory stick.
Business or personal data stored in this way represents a huge security risk: hundreds of thousands of laptops and memory sticks are lost or stolen every year, and hardly a day goes by without reports in the media about large organizations losing customers’ confidential information when computer equipment goes astray. The cost of losing this data can be very high - data may have to be recreated or regathered, customers may have to be compensated, and there may be legal ramifications and a loss to the organization’s reputation. Yet this risk can be mitigated almost completely by taking the simple precaution of encrypting the data before it is stored.
Microsoft now includes its BitLocker data encryption system in some versions of Windows. But if you use a version of Windows without BitLocker, or if you use Linux or Mac OS X - or if you simply don’t want to use an encryption system provided by Microsoft - then the good news if there is an open source alternative called TrueCrypt which is powerful, easy to use, and free.
TrueCrypt can encrypt an entire device such as a USB stick or hard disk drive, or it can create an encrypted container on a device. This is a virtual disk: a file containing encrypted information which can be mounted (when the correct password is supplied) and used like a normal disk drive. In the Windows version of TrueCrypt (for XP, Vista, Server 2003 and Server 2008) the software can also encrypt the system drive which contains the operating system, storing a TrueCrypt boot loader in the first track of the boot drive in the drive’s boot sector. This prevents anyone from booting the computer without the necessary password.
One of the key points about TrueCrypt is that it carries out encryption and decryption transparently and “on the fly.” This means that data in an encrypted disk or container is always stored in an encrypted form, and decrypted as it is transferred from disk to memory when it is being used. Any data saved to an encrypted disk or container (or dragged and dropped from an unencrypted disk to an encrypted one, for example ) is encrypted automatically without any intervention on the part of the user. In fact once set up the only interaction the user has with TrueCrypt is to supply the correct passwords to allow access to encrypted devices. In theory any encryption system must incur a performance overhead, but in practice this is negligible.
To access data stored in an encrypted volume it’s necessary to supply the password that was specified when the volume was first encrypted. A password provides good protection as long as it remains confidential, and provided it is unguessable. In practice this means it must be long and preferably a random string of characters. To add additional security a keyfile can also be used. This can be any type of computer file stored on any type of device. For example, you could choose as a keyfile a particular JPEG image or MP3 file stored on your computer. To gain access an encrypted device you would have to supply your password and specify the image or music file which you have chosen as your keyfile.
In fact the keyfile need not be stored on your computer at all. By storing a particular image or music file (or a keyfile containing random data, which TrueCrypt can generate for you) on a USB key you can create a two-factor authentication system: a protected volume can only be made accessible by providing the password (something you know) and by inserting the USB key containing the keyfile (something you have.)
The easiest way to start with TrueCrypt is to create a container which you mount as a virtual drive - a process which I’ll outline now.
The first step is to download TrueCrypt from http://www.truecrpyt.org. For the purposes of this HowTo I’ll be using the Windows version, but the container I create (which is actually just a file) can be moved to a Linux or OS X based machine and mounted as a drive on either of those operating systems.
Once TrueCrypt is installed and running, you’ll be presented with the main TrueCrypt window..
Click on the Create Volume button to get started. This brings up the Volume Creation Wizard, presenting the option of creating an encrypted container, encrypting a non-system partition/drive, or encrypting the system partition or entire system drive. (Note: the Linux and OS X versions of the software do not include this last option.)
To create an encrypted container, click Next, and Next again to create a Standard TrueCrypt volume
You’ll now be asked to create a file which will be the encrypted container.
This window is actually quite misleading. Clicking the Select File… button brings up a file selector window, but what you need to do next is navigate to the location where you want to create your secure container (which you can move later) and then provide a name for the file. If you choose an existing file it will be deleted and replaced with an empty container.
It may be helpful to provide an obvious name for the file, like “my encrypted container” , or you may prefer to disguise it by giving it an innocuous name such as “Readme.txt” or “Rainbow.jpg”. This is only necessary if you are worried about parties such as foreign governments searching the contents of your computer and compelling you to provide the passwords to any encrypted volumes they find.
Next you need to choose an encryption algorithm and hash algorithm to use. Unless you have a particular reason not to do so, or new vulnerabilities are discovered, the defaults (AES (Rijndael) and RIPEMD-160) are a good choice.
Now choose the size of the container you want to create, and specify the password you want to protect the container. If you want to use one or more keyfiles as well then click the keyfiles checkbox and click the Keyfiles… button to select a keyfile, or create a random one.
At the Volume Format screen you’ll be asked to move your mouse around on top of the screen for a period of time to help introduce randomness into the process (30 seconds minimum is recommended) before clicking the Format button to complete the volume creation process.