Securing your PC with True Crypt
Only a few days ago I published an article about True Crypt and recommended it. Back then I bought a USB 2.0 hard drive with 300 GB capacity and encrypted its entire partition with the data encryption software. This was done to test the program's functionality but also to see if it would slow down my main computer (Athlon 64 3000+, 1 GB RAM) or file operations.
To my great surprise it did not slow down the PC, and I decided to expand the encryption to cover all of my computer's hard drives. Let me tell you why and how I did this and why you should consider doing the same.
The first question that comes to my mind, and probably yours as well, is: why would someone want to encrypt their hard drives, or part of them? (Note: you can also encrypt other storage devices such as USB sticks.)
There are numerous reasons for this. It can be as mundane as hiding your daily dose of naked ladies from your wife, hiding personal information from other people who might have access to your PC, or encrypting your files on a removable storage device for transportation so that the files cannot be accessed if the device is stolen.
Now, why encrypt the whole drive(s) and not just a small part of it?
This is a good question, and I have to answer it at some length. Let me first tell you that True Crypt is not able to encrypt an operating system and boot from it at the same time. That means you either use a second, unencrypted operating system or move all sensitive user data to the encrypted partitions. (Update: The most recent version of True Crypt can encrypt the operating system partition as well.)
As I said earlier, I only encrypted the removable USB hard drive before. All the tools that I use daily are still on the unencrypted internal drive. Guess what happens when I open Open Office and load a document from the encrypted drive?
It leaves traces. Recently used files are normally listed, and the document probably gets cached by Windows as well. That means that although the file itself is encrypted, the possibility exists that it can still be accessed by other means. There are lots of scenarios like this: a browser caches the pages you visit, a media player keeps records of the last played files, and so on.
Wouldn't it be much more secure if those tools were also stored on an encrypted disk?
I decided to do the following. I already have a partition for the operating system. All other partitions will be encrypted. The user data from the operating system resides on an encrypted disk, as does the pagefile and all other caching-related locations like the browser cache.
On a side note, one could also install a clean operating system on that partition and use VMware to install another operating system on encrypted drives. BartPE is another possibility. The operating system is then stored on a read-only device, so it can neither record information about the files that you access nor cache them.
All my tools reside on the encrypted drives, making it impossible for someone else to access them (unless one leaves the PC running when leaving).
I suppose you are already using your drives. True Crypt will erase all data on a partition if it is applied to it. Therefore you should move or back up your files before you start this process. (Update: True Crypt can now encrypt partitions without deleting the data on them.)
Start True Crypt and select Create Volume. You have the choice of creating a standard or a hidden True Crypt volume. The difference between the two is the following. A hidden volume has its own pass phrase and always resides inside a standard volume. If someone forces you to reveal the pass phrase, you provide the one for the standard volume. It is impossible to say whether a hidden volume exists even if the standard volume has been mounted (True Crypt partitions are always filled with random data, so one cannot analyze the data to find out about hidden volumes).
Select the standard volume now. In the next window you have the option to store the encrypted data in a file or to encrypt a whole device. We want to encrypt a complete hard drive, so select device and choose the hard drive that you want encrypted.
You have to select an encryption algorithm and a hash algorithm now. I don't want to recommend one to you, but as of now none has been officially cracked. Some people are discussing their choices on the official True Crypt forum; if you are unsure you might want to go there. You can also use Wikipedia for more information. (Blowfish information in this example)
Make sure that in the next step the whole hard disk space will be encrypted.
Selecting a password:
You will have to select a password, which you will have to enter every time you want to mount your encrypted drive. The recommendation is that it should be 20+ characters long and consist of a mixture of upper- and lowercase letters, special characters and numbers. It's hard to remember at first but it will become easier over time. It's suggested that you do not write it down, but that's up to you.
Move the mouse around for 30+ seconds, select a file system (NTFS recommended for Windows XP), leave the cluster size at its default and click Format afterwards. The whole partition will be formatted and encrypted, and all data that is left on the device will be lost forever. Make sure there is nothing left on it that you still need.
You have to mount an encrypted partition to make the files it contains available. Choose Select Device in the main menu of True Crypt and pick the encrypted drive. Then click on Mount and enter your pass phrase. If it is correct, the drive will appear and you can fill it with data.
The drive letter remains the same as before, so there should not be any problems with broken program links or the like.
Depending on your choice between an unencrypted operating system, BartPE or VMware, you need to make sure that all personal data and caches are stored on the encrypted partition. I strongly suggest you use one of the latter two for the best security.
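One way to check this on a running Windows system, as an added example that is not part of the original article: the script lists per-user data, temp and pagefile locations that are not on one of your encrypted drive letters. The drive letters D and E and the sample paths are assumptions constructed for illustration; PagingFiles is the standard Windows registry value that lists the pagefile locations.

```python
import ntpath
import os

# Environment variables that point at per-user data and temp/cache folders.
ENV_VARS = ("USERPROFILE", "APPDATA", "LOCALAPPDATA", "TEMP", "TMP")
PAGEFILE_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

# Constructed sample, not taken from a real machine.
SAMPLE = {
    "USERPROFILE": r"C:\Documents and Settings\alice",
    "APPDATA": r"C:\Documents and Settings\alice\Application Data",
    "TEMP": r"D:\Temp",
    "pagefile0": r"D:\pagefile.sys",
}

def drive_of(path):
    """Return the upper-case drive letter of a Windows path, else None."""
    drive = ntpath.splitdrive(path)[0]
    if len(drive) == 2 and drive[0].isalpha() and drive[1] == ":":
        return drive[0].upper()
    return None  # UNC path, relative path, or "?:" (system-managed pagefile)

def find_leaks(locations, encrypted_drives):
    """Return sorted (name, path) pairs that are not on an encrypted drive."""
    encrypted = {d.rstrip(":\\").upper() for d in encrypted_drives}
    return sorted((name, path) for name, path in locations.items()
                  if drive_of(path) not in encrypted)

def collect_locations():
    """Read the real locations; the pagefile part only works on Windows."""
    found = {v: os.environ[v] for v in ENV_VARS if v in os.environ}
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PAGEFILE_KEY) as key:
            entries, _ = winreg.QueryValueEx(key, "PagingFiles")
        for i, entry in enumerate(entries):
            # Each entry looks like "C:\pagefile.sys 0 0"; keep the path only.
            found["pagefile%d" % i] = entry.split(" ")[0]
    except (ImportError, OSError):
        pass  # not Windows, or the value could not be read
    return found

if __name__ == "__main__":
    encrypted = {"D", "E"}  # assumption: the letters of your mounted volumes
    locations = collect_locations() or SAMPLE
    for name, path in find_leaks(locations, encrypted):
        print("NOT on an encrypted drive: %-12s %s" % (name, path))
```

Anything it reports is a place where traces of files opened from the encrypted drives can end up in plain text.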
If you encounter errors I suggest you visit the True Crypt forum, which is well visited and contains lots of valuable topics from users who had problems with the tool.
I myself decided to give BartPE a go and forget about the idea of having the operating system on the unencrypted partition. This saves a lot of the hassle of moving all cache and personal data locations to ones on the encrypted drive.