Truecrypt is a flexible & useful way to encrypt data, particularly if your computer could be stolen. I'll walk through setting up a volume.
Download the video: trueCrypt.mp4 (55M).
I talk about TrueCrypt a lot because I use TrueCrypt a lot. I recommend it as perhaps the most flexible, the most useful way to encrypt your computer, particularly when your computer is a portable one or when you are concerned about the actual computer itself being stolen. It's not necessarily a way to shift files around, to share files with other people because as you'll see, you'll end up making containers that are typically much larger than the individual files that you might want to share. But its usage is so easy, so simple that once you understand the basic model behind TrueCrypt, it becomes something that is just second nature; it really is. So, we're going to go out and go to TrueCrypt.com; download TrueCrypt (hit Downloads here) and naturally you are welcome to make a donation if you ever find this stuff useful, I did quite some time ago; I'm actually...given how much I use this thing, I'm probably going to end up making another donation sometime soon. It's just that valuable of software to me.
So, once again, we accept the Agreement, we install...now it's up to you if you want to create a restore point. If you've followed any of my articles for a while already, you realize that I'm not a huge fan of restore points in general, of System Restore in general, so I personally don't do this. I rely on my daily backups to give me the moral equivalent thereof. Since this is a demonstration machine, I don't want to take the time to do that either.
And TrueCrypt is installed. It's worth going through the tutorial. Hopefully, some of the pointers I'll be giving you today may be valuable enough for those of you who tend to skip these kinds of tutorials to actually get things done without it. But it's a good resource to go back to, and you can get it off their website at any time. When we finish this, I'm going to minimize it, and what we have now is an icon here on the desktop for TrueCrypt; you'll also find it on the Start menu.
This is TrueCrypt. Now this doesn't really help you very much. The marvel behind TrueCrypt is actually fairly simple. What you do is you create an encrypted volume, which we're going to do here in a second. That volume then is a place where you place your files that you wish to be encrypted after it's been mounted. Again, mounting is something that tends to confuse people too so I'm going to show you exactly what that is here.
So, to start using TrueCrypt, the very first thing you need to do is create a volume. We're going to create an encrypted file container. That's what I use 99% of the time. It's a Standard TrueCrypt volume; these are options for people that are in situations where they might be forced to show that they have a TrueCrypt volume, but actually hide the encrypted, the real encrypted TrueCrypt volume within a fake, other encrypted TrueCrypt volume. The TrueCrypt people have really looked at some of the scenarios that people might be faced with and put in some interesting ways to keep secret things 'secret'. In our case, I'm simply more concerned that a TrueCrypt volume on a stolen laptop can't be opened and a Standard TrueCrypt Volume is perfect for that.
I'm going to place that volume...I'm going to place it in the same location as these two documents right now. I'm going to call it TrueCrypt Volume. And, let's see, 'Next'; the encryption algorithm default is fine; the hash algorithm default is fine. Here you get to choose how large a volume you want. This requires just a little bit of thought because you do want to choose a size that is large enough to contain the files that you expect to want to encrypt and yet small enough so that you're not taking up space from your system that you didn't really mean to. The volume size is the size of the file that will be created whether you put things in it or not. So it's worth thinking about; I actually have two...I have one...on my laptop, I have two encrypted volumes. One is, I think, in the order of 100 or 200 GB. It's very large; it contains all of my work but it's not a file that would itself ever get copied anywhere. And I use it literally almost as if it were a separate drive. The second one that I use is actually fairly small; it's a few hundred megabytes and it contains some personal files. That encrypted volume gets copied from machine to machine. So it's important that it be large enough to hold what I want but small enough so that the copy operation is completed in a reasonable amount of time.
For purposes of this demonstration, I'm going to create a 100 MB TrueCrypt volume. This is where you do your password. Now, once again, the weakest link in almost any encryption system is the password. I'm going to use a very short, very simple password and you should never, ever do that. You should use a very long password, as long as you can stand. The word password here is actually a misnomer. The best way to think of this is as a passphrase; a multi-word sentence that you will easily remember makes this almost theoretically 'uncrackable' in any reasonable amount of time. Since you can display the password, I'll show you the one I've chosen. So the password that I'm using, which I've shown you here, is very simple, and since you can display the password and presumably you're in a secure location where you don't have somebody staring over your shoulder, you can actually make sure you are typing it in correctly. Longer passwords, even something as simple as four or five words that you'll remember, make this password long enough to make it exceptionally secure. And, of course, here it's warning me that I'm using an exceptionally short password. They suggest something of more than 20 characters. If you use four or five words, you'll hit 20 characters very, very quickly.
So this is kind of interesting; what it's doing now comes from the fact that encryption depends a lot on randomness. Good encryption requires random noise and the most random thing connected to your computer is you. So one of the things they ask you to do is to move your mouse randomly and I don't know if it's coming across in the video but the numbers here in Random Pool are changing at rates that vary depending on how much and how quickly I move my mouse. They change maybe once a second or twice a second here but now when I move my mouse, they change fairly rapidly. And that's all randomness. Like I said, encryption, good encryption, starts with a random number. In this particular case, you can choose between file systems. I tend to choose NTFS just because it's easy. You can also change the cluster size if you like; I'm sticking with the default. And it goes off and formats.
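A quick way to apply the passphrase advice above before you type anything into the wizard, as an added PowerShell example that is not from the transcript or from TrueCrypt itself: it reports the length against the wizard's 20-character suggestion and gives two rough strength estimates. The 7776-word list size is an assumption (the size of the Diceware list) standing in for "words chosen at random"; a sentence you would naturally say is weaker than that model suggests, and both figures are estimates rather than guarantees.

```powershell
# Added example (not from the Ask Leo! transcript or from TrueCrypt itself).
# Sanity-check a candidate passphrase before typing it into the volume wizard.
#
# Two rough models are applied; both are estimates, not guarantees:
#   - character model: length * log2(alphabet), alphabet inferred from the
#     character classes present
#   - word model: N words * log2(7776), assuming each word was picked at
#     random from a 7776-word list (the Diceware size, an assumption here).
#     A sentence you would naturally say is weaker than this model suggests.

function Test-Passphrase {
    param(
        [Parameter(Mandatory)] [string]$Passphrase,
        [int]$MinimumLength = 20    # the wizard's own suggestion
    )

    $words = @($Passphrase -split '\s+' | Where-Object { $_ -ne '' })
    $wordModelBits = [math]::Round($words.Count * [math]::Log(7776, 2), 1)

    # Infer the alphabet from which character classes actually appear.
    $alphabet = 0
    if ($Passphrase -cmatch '[a-z]')        { $alphabet += 26 }
    if ($Passphrase -cmatch '[A-Z]')        { $alphabet += 26 }
    if ($Passphrase -match '[0-9]')         { $alphabet += 10 }
    if ($Passphrase -match '[^A-Za-z0-9]')  { $alphabet += 33 }  # space and punctuation
    $charModelBits = [math]::Round($Passphrase.Length * [math]::Log($alphabet, 2), 1)

    [pscustomobject]@{
        Length        = $Passphrase.Length
        Words         = $words.Count
        CharModelBits = $charModelBits
        WordModelBits = $wordModelBits
        MeetsMinimum  = ($Passphrase.Length -ge $MinimumLength)
    }
}

# Prompt without echoing, so a real passphrase never lands in the console
# history; the SecureString is converted to text only inside this process.
function Test-PassphraseInteractive {
    $secure = Read-Host -Prompt 'Candidate passphrase' -AsSecureString
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    Test-Passphrase -Passphrase $plain
}

# Constructed sample inputs: the demo's '1234' versus a five-word sentence.
'1234', 'purple tractor crossed the river' |
    ForEach-Object { Test-Passphrase -Passphrase $_ } |
    Format-Table -AutoSize
```

The two sample rows make the point of the paragraph: '1234' is four characters, one "word" and fails the 20-character check, while the five-word sentence is 32 characters and clears it easily. For a passphrase you actually intend to use, call Test-PassphraseInteractive instead of passing it as an argument, so that it is not recorded in your shell history.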
So, what it has now done is that it has formatted a 100 MB virtual disk, if you will. 'Do you want to allow the following program to make changes to this computer' - Yes, please. The virtual disk is what we will be using shortly. At this point, the volume has been created and is ready for use. So, nothing's changed yet, but what I want to show you is that all we've done so far is create a new file called TrueCrypt volume that is 100 MB in size. You'll notice that I literally said TrueCrypt volume. It did not assume a file extension of any sort. That's up to you; you can leave it as is, or give it any file extension you want it to be, and people who are deliberately hiding encrypted TrueCrypt volumes will often call it something like 'FamilyPhoto.jpg'. They know that it's not a JPEG image, but they can then mount it and see the contents of the file, while any casual observer may very well see the filename as being FamilyPhoto.jpg and just pass it by.
I'm going to go ahead and update the extension to be .tc so that we know it's a TrueCrypt volume. Again, in my case, I'm not particularly concerned that people realize that the volume is there; what I'm concerned about is that they can't get into it. But there's nothing in it yet. The next thing to do then is to mount this volume. Now this means you'll be assigning a drive letter to it. I'm going to assign 'G'. I'm going to go select the file; so what I'm about to do here is mount this TrueCrypt volume that we've just created and assign it the letter 'G' - the drive letter 'G'. It's going to ask me for my password...'1234'. Once again, if you want, you can see what the password is. Very helpful; I find it very helpful, very helpful in the morning when I haven't had my first cup of coffee yet and I can't type this long password in to save my life, I can at least see what it is and see where I've been mistyping it.
And it's mounted. So what does that mean? Well, that means that we now have an additional drive here. This drive is now empty but it represents what is stored inside of the encrypted TrueCrypt volume. So, how do we put things there? Well, the easiest thing to do is to go back to the location where you have the files that you want encrypted, and copy them to that local disk G. So now what we have is, inside of this encrypted volume, our two secret documents. We can go back here to the original location; delete them; empty the Recycle Bin; and, to make sure the files are truly removed from the visible portions of the file system, run some kind of Secure Delete that wipes all of the empty space. Now, the only place the files exist is on this local disk G. But they're visible, and that's one of the conceptual leaps to understanding how TrueCrypt works. When a TrueCrypt volume is mounted, its contents are visible as if it were just another disk on your system. Now the good news is that means that any program, any utility, anything that you want to do, you can do directly from this encrypted disk. And so for example, in this particular case, if I want to open one of these files and see its contents, Windows is simply reading from what it sees as another disk on your system. What it doesn't realize, and what it doesn't care about, is that TrueCrypt is in between, decrypting what is stored on the physical disk and making it look like a normal file on this virtually mounted disk that Windows can then operate on normally.
So, we have our files inside of this TrueCrypt container but they're visible; anybody can access them, any program can access them; that's how you would use the files that are contained within this volume. The security part comes when you then go back to TrueCrypt and say 'dismount'. What has happened is that the extra drive has disappeared from our system. Those files are no longer visible on our system because we actually deleted them from 'C'. The TrueCrypt volume is still here but it contains only random noise. What you can't see until you remount the volume is the contents of the volume, and in order to do that you need to remember and specify the password. So these files are now completely and securely encrypted inside of this volume. If you want to get back at them, it doesn't have to be the same letter; you can change letters if you'd like. I tend to do it fairly consistently. If I want to re-access those files in that volume, I simply remount the volume; specify the password; the virtual drive is once again provided by TrueCrypt - and there they are. That's really all there is to TrueCrypt for the 99% use case.
Like I said, I find this an incredibly valuable and incredibly easy way to maintain lots of encrypted data. Like I said, I have a 200 GB TrueCrypt volume on which I keep all my work. It's 100 GB on my laptop so I'll use that as my example. When I fire up my laptop and boot it into Windows, one of the first things that I do is to mount that volume, that 100 GB volume; specify the password that opens it up, and now on my system I have drive 'F' on which all of my work exists until I shut down my laptop or until that laptop gets rebooted or until...something. That way, if my laptop is stolen, if I leave it somewhere, if I leave it behind at airport security, whatever, then that drive 'F' is not mounted by default. Somebody has to explicitly mount it and they have to know the password to mount it. So that means all of the files within that volume are completely inaccessible to someone who's found my laptop.
Any questions on TrueCrypt so far? A couple of questions coming in: 'Does the file system have to be FAT?' It does not. In fact, this question may have come in before I actually did the formatting; I selected NTFS for this one. If your TrueCrypt volume is too small you may be restricted from using NTFS. But you can use either NTFS or FAT32.
'Several months after encrypting an external drive with TrueCrypt containing my Acronis True Image images, had to restore an image because Windows crashed but was unable to access my external drive without a fresh install of Windows and installing TrueCrypt. Was there an easier way?' Probably not. While it is certainly possible to do exactly what you just described, the Acronis Restore Disk is not able to read TrueCrypt encrypted volumes. So there are two approaches to that: one is to mount that external drive on a different machine that has TrueCrypt installed and then make a copy of the backup images that are unencrypted, or to go ahead and use Acronis' own native encryption; they do have an encryption option that you can specify.
'When you create a backup, an image of your drive, do you encrypt the whole thing first?' That's kinda related to this. Personally, I do not. There are two approaches to backing up using something like TrueCrypt. One is you can back up the file container. So for example, in this particular case, I have one file here; I can back up truecrypt_volume.tc and that will back up everything that it contains. But it's a stand-alone volume, so I can take it to any machine, mount it on any machine that has TrueCrypt installed, and then access the files that are in it. The other approach, which is perhaps...well, there are pros and cons, is to actually back up the contents of the TrueCrypt volume. In other words, you are backing up the unencrypted data and then making sure that the backup itself is maintained properly. Which you end up doing really depends on your own security needs. The best example I can give you is I mentioned that I have two TrueCrypt volumes that I work with on my two primary machines. Each has a large, what I'll call a data volume that has all of my files, all of my Ask Leo!, all of the questions, the answers, etc. - that thing's huge and I do not back up the encrypted volume. I back up the contents of the encrypted volume. So all of the individual files are backed up separately in a way that's appropriate to them. It's backed up securely because I control where that backup gets placed and how it gets handled.
Now, I also mentioned that I have a smaller one that contains a bunch of personal information, and in that particular case, I actually back up the TrueCrypt file itself, the .tc file itself, for a couple of reasons: one, it's a quick way to get that important information replicated or copied to a bunch of different machines, but it's also a file that is kind of an important piece of information that other people may need to have access to. So by actually having that file available to them, theoretically, I could place it just out on the open internet and no one would be able to crack it. I do keep it fairly secure, but it's a file that I can feel comfortable giving to someone and then saying, 'OK, if you ever need to access this file, here's the password.'
'How to recover a forgotten password?' You don't. It's that simple. With TrueCrypt, and actually with any really good encryption software, you cannot recover the forgotten password. There is no 'back door'; there are no 'hints'; you saw that we didn't create any hints as we were going along here. If you somehow forget the password to your TrueCrypt volume, the contents of that TrueCrypt volume are lost. There is no recovery. And that actually folds nicely back into the backup question, because it is one argument for backing up the contents of your TrueCrypt volumes separately from the volumes themselves. By keeping the contents of the TrueCrypt volume, the actual files, in a backup that you then somehow keep secure by some other means, typically physical security, keeping it locked or not carrying it on your laptop or whatever, you're not tied to remembering that forgotten password if you need to recover from those backups. But the bottom line is, however you want to look at your security, and the TrueCrypt people are very upfront about this; you'll find a FAQ on their site. There's simply...there are no back doors, there are no hints, there's no way of getting back data if you don't know your password. And from a personal perspective, I honestly believe that if software has a way to recover the password, to truly recover the password, then that software isn't as secure as you really want it to be, because that means that there are ways that potentially other people could recover a forgotten password. I mean, let's face it; if you've forgotten the password, you're asking how to crack open the file without knowing the password. That's the definition of somebody else coming in with malicious intent. You don't want them to be able to do that. I said that this was the 99% case, and that really is all there is to TrueCrypt for most people; in reality, though, TrueCrypt has a bucketload of other things you can do with it.
I encourage you, if you're at all interested in using TrueCrypt, to investigate some of those alternatives, or some of those additional options.
I did an article a few weeks ago on whole disk encryption. The difference there is that...what we have here is we're creating an encrypted volume. In other words, we have a file on our disk that is the TrueCrypt volume. It resides alongside all the other files on that system, including things like Windows itself, that are not encrypted. Whole disk encryption uses a completely different model. We encrypt the entire contents of the disk. There is no separate .tc file; in order to access the disk, anything on the disk, you must first specify a password. Now the example article I wrote on that encrypts an external disk, so I will have an external disk for backup when I'm traveling. In order to even access the contents of anything on that disk, I need to specify the password to mount it and to have TrueCrypt decrypt it.
That's the easiest one. For extra security, TrueCrypt can also be installed in such a way that it will encrypt your system disk. In other words, before Windows itself even boots, you are required to enter a password to decrypt your system drive. That means that everything on it, including Windows, including temporary files, including your paging file, including anything else that might get written to your disk, is all encrypted and is all unlocked by that initial password that you had to specify when you boot your machine. There are also some shortcuts for saving things, which they call Favorite Volumes, that I obviously use a lot since I use the same two files all the time: a couple of keystrokes will immediately walk me through mounting my favorite volumes. This file gets mounted as that drive letter and this file gets mounted as that drive letter, so I type two passwords and I'm done; everything's set up the way I want it. It's worth looking into.
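The mount and dismount sequence shown earlier with drive 'G', and the "mount my two favorites at startup" routine just described, can both be driven from TrueCrypt's documented command-line switches. The following PowerShell wrapper is an added example, not from the transcript or from TrueCrypt's own files; it assumes TrueCrypt 7.x installed at the default path, and the two container paths and drive letters are placeholders to replace with your own. The passphrase is deliberately never passed on the command line: TrueCrypt's own prompt asks for it, so it does not end up in shell history or the process list.

```powershell
# Added example, not from the Ask Leo! transcript or from TrueCrypt's own
# files: a PowerShell wrapper around TrueCrypt.exe's documented switches
# (/v, /l, /c, /h, /q, /d, /w) that mounts a list of "favorite" containers
# and dismounts everything again with one command.
# Assumptions: TrueCrypt 7.x at the path below; placeholder container paths
# and drive letters that you replace with your own.

$TrueCryptExe = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'

# Placeholder favorites: container file -> drive letter.
$Favorites = @(
    @{ Volume = 'D:\work\work_data.tc';    Letter = 'F' },
    @{ Volume = 'D:\personal\personal.tc'; Letter = 'G' }
)

function Mount-TcVolume {
    param([string]$Volume, [string]$Letter)

    if (-not (Test-Path -LiteralPath $Volume)) { throw "Container not found: $Volume" }
    if (Test-Path -LiteralPath "${Letter}:\")  { throw "Drive ${Letter}: is already in use" }

    # No /p switch on purpose: TrueCrypt asks for the passphrase itself, so it
    # never appears in the command line, shell history or process list.
    # /c n  do not cache the passphrase in the driver
    # /h n  do not save this path in TrueCrypt's volume history
    # /q    perform the action and exit without showing the main window
    $arguments = @('/v', "`"$Volume`"", '/l', $Letter, '/c', 'n', '/h', 'n', '/q')
    Start-Process -FilePath $TrueCryptExe -ArgumentList $arguments -Wait | Out-Null

    # Verify the result the same way the transcript does: the drive letter exists.
    if (-not (Test-Path -LiteralPath "${Letter}:\")) {
        throw "Mount of $Volume as ${Letter}: did not succeed"
    }
    Write-Host "Mounted $Volume as ${Letter}:"
}

function Mount-TcFavorites {
    foreach ($fav in $Favorites) {
        Mount-TcVolume -Volume $fav.Volume -Letter $fav.Letter
    }
}

function Dismount-TcAll {
    # /d with no letter dismounts every mounted volume; /w wipes any cached
    # passphrases from driver memory. Close files on the volumes first.
    Start-Process -FilePath $TrueCryptExe -ArgumentList @('/d', '/w', '/q') -Wait | Out-Null
    foreach ($fav in $Favorites) {
        if (Test-Path -LiteralPath "$($fav.Letter):\") {
            Write-Warning "$($fav.Letter): is still mounted (open files?)"
        }
    }
}

# Typical use: Mount-TcFavorites once after logon, Dismount-TcAll before
# sleep, logoff or leaving the machine unattended.
```

Run Mount-TcFavorites after logon and you get the two password prompts described above, one per container; Dismount-TcAll is the one-command equivalent of going back to TrueCrypt and saying 'dismount' for each drive. The check after each mount matters: if a passphrase is mistyped and the prompt is cancelled, TrueCrypt exits without a mounted drive, and the script stops rather than silently continuing with the work volume missing.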
I find TrueCrypt incredibly useful, incredibly powerful, and I encourage you, if you're interested at all in doing some kind of serious security, in particular for laptops, to look at it. I can't stress this enough: the amount of data that gets lost on laptops without being encrypted is kinda scary, and this is almost the ideal solution for that kind of situation.
I'm hoping that it's come across clear enough. Like I said, there's a conceptual leap to understanding how TrueCrypt works. I tried to focus on the container model and the mounted drive so hopefully this will make that clear.