Helping people with computers... one answer at a time.
Whole-drive encryption is a little complicated to set up, but it provides a very high degree of data security, particularly for easily lost external drives.
I realized the other day that the external hard drive that I carry with me when traveling was an easy thing to lose. Now, much of the data on that drive is encrypted in various ways; some files are explicitly encrypted backup archives created using 7-zip and others are encrypted TrueCrypt volumes. But the vast majority of whatever is on that drive is unencrypted.
If that drive - that conveniently small and portable drive - walked off in someone's pocket, they'd have access to a lot of stuff. Hopefully, none of the unencrypted contents would be things that I cared about, but still...
In a forehead-slapping moment, I realized that I was going about this all wrong.
I should encrypt the entire drive.
•
Whole-drive encryption
When you encrypt an entire drive, it's set up so that when it's connected to your computer, it looks like an empty, unformatted drive. To access the contents of the drive, you must first "mount" it; this includes providing the proper password (or ideally pass phrase) that enables its decryption.
Once mounted, it operates like any other unencrypted drive.
Until you shut down or disconnect, that is. Then, it reverts to looking like that empty drive again.
If someone does walk away with the drive ... well, they have a nice, empty drive that they can do whatever they want with ... except access my data.
For this walkthough, I'm going to assume that you already have TrueCrypt installed and that you've used it to create your own encrypted volumes, although that won't be a requirement.
Encrypting a drive
In TrueCrypt, click Tools and then click Volume Creation Wizard to create a new encrypted volume.
Select Encrypt a non-system partition/drive. A system partition is what Windows itself is installed on and we're not going to do that. This is all about encrypting an additional drive; in my case, it's an external drive.
Click Next.
Select Standard TrueCrypt volume and click Next. (Hidden volumes are beyond the scope of what we need to do here.)
In the resulting Volume Location dialog, click the Select Device... button.
You can see that each hard disk on my machine is listed, including the external one; on hard drives that have multiple partitions, each partition is listed as well.
In my case, I'll click \Device\Harddisk1\Partition1, also labeled as E:, which is my external drive and click OK. This returns to the Volume Location dialog with the location filled in. Click Next.
When encrypting an external drive, TrueCrypt can operate one of two ways:
-
It can erase the drive, creating a new, empty encrypted volume to contain your data. This is fastest.
-
It can encrypt the data in place. This takes much more time as every sector - used or not - is read, encrypted, and written back out to the drive. Note: This only works for NTFS formatted partitions.
My external drive was full of data, so I choose Encrypt partition in place.
Encrypting a volume in place is time consuming and encryption is a significant operation. If something should happen while TrueCrypt is doing its thing, it is possible that all of the data being encrypted in place could be lost. TrueCrypt warns you to have a backup, just in case.
TrueCrypt actually supports a number of different encryption algorithms and you can select among the variations here if you want. It's typically best to simply accept the defaults and click Next.
Password selection is perhaps the single most important aspect of this entire operation. A poor password is by far the weakest link in any encryption.
As you can see, TrueCrypt will allow you to see the password as you type it in, if you so choose. In this case, I've typed in an example pass phrase - a short multi-word phrase that is both memorable and relatively long.
Do not forget your password. A TrueCrypt volume cannot be accessed without the password. There are no back doors, there are no recovery methods. If you lose your password to a TrueCrypt volume, you have lost the contents of that volume.
Random data is an important aspect of encryption. Don't take this the wrong
way, but you are the most random thing connected to your computer. 
Move your
mouse randomly in the window for a few seconds, and then click
Next.
Wipe mode is the moral equivalent of a secure delete. Before writing your encrypted data to the hard drive, the media is overwritten a few times to thwart some advanced data recovery techniques. It will increase the conversion time significantly.
If this is a flash drive that you're encrypting, do not select a wipe mode. The data recovery techniques that we're taking steps to prevent don't apply to flash memory and the added writing will simply wear out the flash memory more quickly.
Chances are that you don't need this anyway, so click Next.
Finally, the "go" button. Click Encrypt to begin the process.
Well, almost begin. Naturally, TrueCrypt includes an additional warning message before it begins its work.
TrueCrypt will take a long time to encrypt a volume of any significant size. It doesn't matter how much data is on the volume, all sectors, whether they're used or not, are encrypted.
The example above is a 15-gigabyte flash drive, which takes a couple of hours to convert. My 450-gigabyte external hard drive took closer to 12 hours or so. (I'm not actually certain, because it finished while I was asleep in bed).
When complete, TrueCrypt provides some additional instructions on how to mount your encrypted drive.
Using your encrypted drive
When you insert your TrueCrypt encrypted drive, you may get this message:
THE ANSWER IS CANCEL.
Your drive is encrypted and has not been mounted. To Windows, your encrypted data looks like an unformatted drive. If you were to format it, you would lose everything on the drive.
Click Cancel and fire up TrueCrypt instead.
Click the drive letter that you want your encrypted volume to appear as and then click Select Device....
(As you can see, I didn't feel like waiting for two hours for the flash drive to finish encrypting, so we're mounting my previously encrypted external drive.)
Click the drive letter or line that represents the encrypted drive and click OK.
You can see the volume is filled in (in my case, it's \Device\Harddisk1\Partition1). Click Mount to mount the drive.
Enter the passphrase that you used when you encrypted the drive and click OK.
As you can see, the contents of the encrypted volume are now available at drive "N:". Drive "E:", the drive letter at which the external drive originally appears, remains in use and still looks like an unformatted disk. TrueCrypt makes its encrypted contents available as the drive that you select when mounted (in this example, the "N:" drive).
Dismounting
Naturally, when you power down your machine, the encrypted volume will be cleanly dismounted. When you next power up your machine or attach your external drive, you'll need to mount the drive again in order to access its contents, providing the pass phrase, of course.
That is kinda the point.
If you want to remove the external drive without turning off your computer:
-
Close all programs that are accessing files on the encrypted volume ("N:" in my example above).
-
In TrueCrypt, click the mounted volume and then click Dismount.
-
Finally, click the "Safely Remove Hardware" icon in the Windows Taskbar and click the device listed there. ("E:" in my example above.)
Yes, it's a bit of work to set up, but once it's done, it's relatively easy to use. More importantly, it's secure. I can now lose my external hard drive without fear of anyone being able to gain access to its encrypted contents.
Article C4861 - July 2, 2011
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
Truecrypt has one giant flaw IMO. Deleted files go to the recycle bin on the active drive where they can be recovered by "anyone." Emptying the recycle bin will send them on as a recoverable deleted file. Perhaps if you use a file destroyer within Truecrypt you are ok. Otherwise, it works pretty well.
Posted by: Ed Longwood at July 5, 2011 11:57 AM"Truecrypt has one giant flaw IMO. Deleted files go to the recycle bin on the active drive "
I remember solving this problem about two years. IF I remember correctly setting the drive type to removable causes the file to be deleted and not moved to the recycle bin. If that does not work for you hold down the shift key when deleting. This is independent of the TrueCrypt and will work on any drive.
Posted by: Just Looking at July 5, 2011 1:30 PM@Ed and @Just Looking, The deleted files on a True Crypt volume do NOT move to the recycle bin on an unencrypted drive. You can verify this fact by deleting a test file on an encrypted drive. IF you open the recycle bin, you will be able to see the file. However, if you dismount the encrypted drive, the file deleted from the encrypted drive no longer shows up in the recycle bin. The reason that this occurs is that the file never left the encrypted drive and once you dismount the drive, the file is not accessible to Windows and so it won't show up in the recycle bin.
Each drive has its own recycle bin (actually a directory where deleted files are stored) by default. There is a way to remove the recycle bin on a specific drive, but with True Crypt this configuration change is unnecessary.
Posted by: Peter Mackin at July 5, 2011 2:35 PM@Nick
Posted by: Mark J at July 5, 2011 3:19 PMTruecrypt uses a device driver to access the encrypted disk. For this, administration privileges are needed. As far as I know, there are no ways around this unless Truecrypt has already been installed on the system by an administrator. Here's what it say on the Truecrypt web site,
"In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. The reason for that is that TrueCrypt needs a device driver to provide transparent on-the-fly encryption/decryption, and users without administrator privileges cannot install/start device drivers in Windows."
I've use TrueCrypt since Steve Bass mentioned it when he wrote for PC World.
Posted by: Snert at July 6, 2011 9:13 AMYou can encrypted data INSIDE an already encrypment, if that's the word. Think of onions layers. And you can do this many times. The documentation from TrueCrypt expalins this.