Data at Rest Remains Secure With TrueCrypt
In past articles we’ve looked at how to encrypt data to protect it “in flight” as it passes from one computer to another over the Internet. In this article we’ll look at protecting data “at rest,” stored on a laptop or desktop computer, on a removable disk, a data CD or DVD, or on a USB memory stick.
Business or personal data stored in this way represents a huge security risk: hundreds of thousands of laptops and memory sticks are lost or stolen every year, and hardly a day goes by without reports in the media about large organizations losing customers’ confidential information when computer equipment goes astray. The cost of losing this data can be very high: data may have to be recreated or regathered, customers may have to be compensated, and there may be legal ramifications and a loss to the organization’s reputation. Yet this risk can be largely mitigated by taking the simple precaution of encrypting the data before it is stored, provided the encryption is actually in force at the moment the device goes missing, that is, the encrypted volume is dismounted or the machine is powered off rather than merely asleep.
Microsoft now includes its BitLocker data encryption system in some versions of Windows. But if you use a version of Windows without BitLocker, or if you use Linux or Mac OS X, or if you simply don’t want to use an encryption system provided by Microsoft, then the good news is that there is an open source alternative called TrueCrypt which is powerful, easy to use, and free.
TrueCrypt can encrypt an entire device such as a USB stick or hard disk drive, or it can create an encrypted container on a device. A container is a virtual disk: a single file holding encrypted data which can be mounted (when the correct password is supplied) and used like a normal disk drive. The Windows version of TrueCrypt (for XP, Vista, Server 2003 and Server 2008) can also encrypt the system partition or drive that holds the operating system. It does this by installing the TrueCrypt Boot Loader in the first track of the system drive, starting at the master boot record, so that the loader can ask for the password before the encrypted operating system is started. Nobody can boot the installed operating system without that password; note, though, that the boot loader itself is necessarily stored unencrypted, so system encryption protects the confidentiality of the disk contents rather than the integrity of the boot code.
One of the key points about TrueCrypt is that it carries out encryption and decryption transparently and “on the fly.” Data in an encrypted disk or container is always stored in encrypted form on the media, and is decrypted only as it is read from disk into memory for use. Any data saved to an encrypted disk or container (or dragged and dropped from an unencrypted disk to an encrypted one, for example) is encrypted automatically without any intervention on the part of the user. Once set up, the only interaction the user has with TrueCrypt is to supply the correct password to gain access to an encrypted device. The flip side of this transparency is that while a volume is mounted its contents are as accessible as those of any other drive, to any program or person using that session, and the encryption key stays in memory until the volume is dismounted. In theory any encryption system must incur a performance overhead, but in practice it is small enough that most users will not notice it.
To access data stored in an encrypted volume it’s necessary to supply the password that was specified when the volume was created. A password provides good protection as long as it remains confidential and cannot be guessed. In practice this means it must be long (TrueCrypt itself warns when a password is shorter than 20 characters) and preferably a random string of characters, because an attacker who has a copy of the container can try passwords offline at machine speed. For additional security a keyfile can also be used. This can be any type of file stored on any type of device: for example, you could choose as a keyfile a particular JPEG image or MP3 file stored on your computer. To gain access to the encrypted volume you would then have to supply your password and specify the image or music file you chose as your keyfile. Two caveats apply: TrueCrypt processes only the first 1,048,576 bytes (1 MB) of a keyfile, and the keyfile must never be modified afterwards, because a change to any of those bytes (editing the tags of an MP3, for instance, typically rewrites the start of the file) makes the volume impossible to mount.
In fact the keyfile need not be stored on your computer at all. By storing a particular image or music file (or a keyfile containing random data, which TrueCrypt can generate for you) on a USB key you can create a two-factor authentication system: a protected volume can only be made accessible by providing the password (something you know) and by inserting the USB key containing the keyfile (something you have).
The easiest way to start with TrueCrypt is to create a container which you mount as a virtual drive - a process which I’ll outline now.
The first step is to download TrueCrypt. For the purposes of this HowTo I’ll be using the Windows version, but the container I create (which is actually just a file) can be moved to a Linux or Mac OS X machine and mounted as a drive there.
Once TrueCrypt is installed and running, you’ll be presented with the main TrueCrypt window.
Click on the Create Volume button to get started. This brings up the Volume Creation Wizard, presenting the option of creating an encrypted container, encrypting a non-system partition/drive, or encrypting the system partition or entire system drive. (Note: the Linux and OS X versions of the software do not include this last option.)
To create an encrypted container, click Next, and Next again to create a Standard TrueCrypt volume.
You’ll now be asked to create a file which will be the encrypted container.
This window is actually quite misleading. Clicking the Select File… button brings up a standard file-selection dialog, but you are not selecting an existing file: navigate to the location where you want to create the container (it can be moved later) and type a name for the new file. If you do pick an existing file, it will be overwritten with an empty container and its previous contents lost.
It may be helpful to give the file an obvious name, like “my encrypted container”, or you may prefer to disguise it with an innocuous name such as “Readme.txt” or “Rainbow.jpg”. This is only worth doing if you are worried about parties such as foreign governments searching the contents of your computer and compelling you to provide the passwords to any encrypted volumes they find, and even then it offers limited cover: a TrueCrypt container has no recognizable file header and consists entirely of data indistinguishable from random bytes, so a “JPEG” that no image viewer can open and that has no JPEG header stands out to anyone who looks. TrueCrypt’s hidden-volume feature is the mechanism designed for that situation.
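To see how thin that disguise is, here is an added example (not from the article or from TrueCrypt) of the checks an examiner can run over a file: does the content carry the header its name promises, does it read as text, and is its byte distribution as flat as encrypted data? The signature table, the entropy threshold and the three sample files are this example’s own constructed assumptions; the “size is a whole number of 512-byte sectors” signal is included because TrueCrypt volumes are sized in whole sectors, but on its own it proves nothing.

```python
"""Flag files whose name promises a common format but whose content looks like
an encrypted container: no recognisable header, not text, near-maximal entropy.
Added example; signatures, thresholds and samples are constructed assumptions."""
import math
import random
from collections import Counter
from typing import List, Tuple

# Leading bytes of a few common formats (assumption: a small table is enough here).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF",),
    "zip": (b"PK\x03\x04",),
}
ENTROPY_THRESHOLD = 7.9   # bits per byte; random/encrypted data sits just under 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the whole buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def looks_like_text(data: bytes, sample: int = 4096) -> bool:
    """True if the first bytes are overwhelmingly printable ASCII or whitespace."""
    head = data[:sample]
    if not head:
        return False
    printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(head) > 0.95


def header_matches_name(name: str, data: bytes) -> bool:
    """Does the content start with a signature the file extension implies?
    Extensions not in the table (e.g. .txt) are judged by looks_like_text."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in SIGNATURES:
        return any(data.startswith(sig) for sig in SIGNATURES[ext])
    return looks_like_text(data)


def assess(name: str, data: bytes) -> Tuple[bool, List[str]]:
    """Return (suspicious, reasons). A file is called suspicious only when the
    name/content mismatch AND the flat byte distribution occur together; either
    alone is common (a real JPEG body is high-entropy but carries a header)."""
    mismatch = not header_matches_name(name, data)
    entropy = shannon_entropy(data)
    flat = entropy >= ENTROPY_THRESHOLD
    sectors = bool(data) and len(data) % 512 == 0
    reasons = []
    if mismatch:
        reasons.append("content does not match the format implied by the name")
    if flat:
        reasons.append(f"entropy {entropy:.3f} bits/byte, typical of encrypted data")
    if sectors:
        reasons.append("size is a whole number of 512-byte sectors")
    return mismatch and flat, reasons


# Constructed sample files (seeded so the run is reproducible).
_rng = random.Random(2009)
FAKE_CONTAINER = _rng.randbytes(64 * 1024)      # stands in for a 64 KB container named as an image
REAL_JPEG_LIKE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + _rng.randbytes(4000)  # valid header, compressed body
README_TEXT = ("These are the quarterly figures.\n" * 40).encode("ascii")
SAMPLES = {"Rainbow.jpg": FAKE_CONTAINER, "holiday.jpg": REAL_JPEG_LIKE, "Readme.txt": README_TEXT}


def demo() -> dict:
    """Assess every constructed sample; only the mis-named container is flagged."""
    return {name: assess(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (suspicious, reasons) in demo().items():
        print(f"{name}: {'SUSPICIOUS' if suspicious else 'ok'} {reasons}")
```

The point of requiring both signals is that high entropy alone catches every compressed image and archive on the disk; it is the combination of a header that is missing or wrong and a flat byte distribution that singles out a container wearing someone else’s file name.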
Next you need to choose an encryption algorithm and hash algorithm. Unless you have a particular reason not to, or new vulnerabilities are discovered, the defaults (AES (Rijndael) and RIPEMD-160) are a good choice. Note that the hash algorithm is not used to encrypt your data: it drives the PBKDF2 key derivation that turns your password and keyfiles into the key protecting the volume header, and TrueCrypt runs it for a fixed, small number of iterations (1000 or 2000, depending on the hash), so the strength of the password matters far more than which hash you pick.
Now choose the size of the container you want to create, and specify the password you want to protect the container with. If you also want to use one or more keyfiles, tick the Use keyfiles checkbox and click the Keyfiles… button to select an existing file or generate a random one.
At the Volume Format screen you’ll be asked to move your mouse around on top of the screen for a period of time to help introduce randomness into the process (30 seconds minimum is recommended) before clicking the Format button to complete the volume creation process.
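The earlier discussion of passwords and keyfiles, and the note above that the hash algorithm only drives key derivation, can be made concrete with a small model. The following Python is an added example, not the article’s or TrueCrypt’s code: it reproduces the documented behaviour (only the first 1,048,576 bytes of a keyfile count; a fixed 1000-iteration PBKDF2 with HMAC-SHA-512 derives the header key from password plus keyfile), but the way the keyfile is folded into the password and the header tag used to check a guess are this example’s simplifications, so the keys it produces would not open a real container. It shows why an attacker who holds the container can brute-force a weak password offline, and why the keyfile stops that attack only as long as the attacker does not hold the keyfile too.

```python
"""Model of password + keyfile -> volume header key, with an offline guess loop.

Added example: follows TrueCrypt's documented rules (first 1 MB of a keyfile
only; PBKDF2 with a fixed, small iteration count) but the keyfile mixing and
the header check are simplified assumptions, not TrueCrypt's real format.
"""
import hashlib
import hmac
from typing import Iterable, Optional

KEYFILE_MAX_BYTES = 1_048_576   # TrueCrypt processes only the first 1 MB of a keyfile
PBKDF2_ITERATIONS = 1000        # TrueCrypt's iteration count for HMAC-SHA-512
HEADER_KEY_BYTES = 64           # size of the derived header key used here (assumption)


def keyfile_material(keyfile: Optional[bytes]) -> bytes:
    """Reduce a keyfile to fixed-size material. Bytes past the 1 MB mark are ignored,
    as TrueCrypt documents; hashing the prefix is this example's simplification of
    TrueCrypt's CRC-based keyfile pool."""
    if not keyfile:
        return b""
    return hashlib.sha512(keyfile[:KEYFILE_MAX_BYTES]).digest()


def derive_header_key(password: str, salt: bytes, keyfile: Optional[bytes] = None) -> bytes:
    """PBKDF2-HMAC-SHA512 over (password || keyfile material) with the volume's salt."""
    secret = password.encode("utf-8") + keyfile_material(keyfile)
    return hashlib.pbkdf2_hmac("sha512", secret, salt, PBKDF2_ITERATIONS, dklen=HEADER_KEY_BYTES)


def header_tag(header_key: bytes) -> bytes:
    """Stand-in for the encrypted volume header. A real header is decrypted and checked
    for a known magic value; here an HMAC over that magic plays the same role."""
    return hmac.new(header_key, b"TRUE", "sha256").digest()


def guess_password(tag: bytes, salt: bytes, candidates: Iterable[str],
                   keyfile: Optional[bytes] = None) -> Optional[str]:
    """Offline dictionary attack against a captured header: the attacker needs only the
    container (salt + header) and, if one was used, the keyfile. Returns the first
    candidate whose derived key verifies, or None."""
    for candidate in candidates:
        key = derive_header_key(candidate, salt, keyfile)
        if hmac.compare_digest(header_tag(key), tag):
            return candidate
    return None


# Constructed inputs for the demonstration (not real volume data).
SALT = bytes(range(64))                 # TrueCrypt headers carry a 64-byte salt
KEYFILE = bytes(range(256)) * 4097      # about 1.05 MB, so it crosses the 1 MB limit
WORDLIST = ["letmein", "password", "hunter2", "Rainbow1", "TrueCrypt"]


def demo() -> dict:
    """Run the five checks the article's caveats describe and return their outcomes."""
    weak_tag = header_tag(derive_header_key("hunter2", SALT, KEYFILE))
    strong_tag = header_tag(derive_header_key("v7$Qm!3zL#pWx9@eK2rT", SALT, KEYFILE))
    base_key = derive_header_key("x", SALT, KEYFILE)
    return {
        # same key whether or not bytes beyond the 1 MB mark are appended
        "tail_ignored": base_key == derive_header_key("x", SALT, KEYFILE + b"appended later"),
        # one changed byte inside the first 1 MB locks you out
        "prefix_matters": base_key != derive_header_key("x", SALT, b"\xff" + KEYFILE[1:]),
        # weak password + stolen keyfile: found in a handful of guesses
        "weak_found": guess_password(weak_tag, SALT, WORDLIST, KEYFILE),
        # weak password but the attacker lacks the keyfile: the wordlist fails
        "weak_without_keyfile": guess_password(weak_tag, SALT, WORDLIST, None),
        # strong password: the wordlist fails even with the keyfile
        "strong_found": guess_password(strong_tag, SALT, WORDLIST, KEYFILE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Each guess costs one PBKDF2 run of a thousand iterations, which a single CPU core completes in about a millisecond; that is why the article insists on long random passwords rather than relying on the key derivation to slow an attacker down.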
Using the Encrypted Container
Once you’ve created your container, it simply appears as a file in Windows Explorer. To use it as a virtual drive, you’ll first need to mount it. To do this, go back to the main TrueCrypt window, click on the Select File… button, and choose the file which is your encrypted container. You can also select a drive letter to mount it to, or let TrueCrypt choose an unused drive letter for you.
You’ll then be asked to supply your password (and keyfile if used), and after a second or two your encrypted volume will appear in Windows Explorer as a Local Disk (in this case P:) which you can use to store anything you like. Any files saved to this disk or dragged onto it will be encrypted automatically.
When you have finished with the virtual drive, click the Dismount button in the TrueCrypt window; the drive is also dismounted automatically when you shut down the computer. Get into the habit of dismounting before leaving the machine unattended or putting it to sleep, because until then the volume is open to anyone using the session and its key remains in RAM. TrueCrypt’s Preferences can also dismount volumes automatically when the user logs off, when the screen saver starts, when the computer enters power saving mode, or after a period of inactivity.
Encrypted containers can be moved from one computer to another, and the virtual disks they contain can then be mounted as long as the computer has TrueCrypt installed. To make it more convenient to move USB drives or optical disks containing encrypted containers between Windows machines which may not have TrueCrypt installed, the Windows version of TrueCrypt enables the creation of a Traveller Disk.
Accessed from the Tools menu on the main TrueCrypt window, the Traveller Disk Setup option installs the files needed to run TrueCrypt directly from the removable media, without installing anything on the Windows computer it is attached to (the user must nevertheless have administrator rights on that computer, because the TrueCrypt driver has to be loaded). You can also specify that the virtual disk should be mounted automatically when the media is inserted (as long as the correct password and keyfile, if applicable, are supplied); this relies on Windows AutoRun, which many organizations disable for precisely this kind of removable media.
TrueCrypt includes many other features - such as the ability to have a hidden volume within an encrypted volume - which are beyond the scope of this article.
The biggest difference between TrueCrypt and BitLocker, or commercial disk encryption products such as CheckPoint, PGP, Safeboot or Utimaco, is that TrueCrypt doesn’t include any key management or recovery system. That means that if you forget your password or lose access to your keyfile, the encrypted data is gone for good: TrueCrypt’s Backup Volume Header option (on the Tools menu) protects against a corrupted header, not against a forgotten password. By contrast a BitLocker recovery password can be escrowed in Active Directory through Group Policy, so that an administrator can recover a drive for a user who has forgotten their PIN or lost their key. But if the lack of key management is not important to you, then as a simple way to secure your data using strong encryption, on multiple platforms, TrueCrypt is very hard to beat.