Whole-drive encryption is a little complicated to set up, but it provides a very high degree of data security, particularly for easily lost external drives.

I realized the other day that the external hard drive that I carry with me when traveling was an easy thing to lose. Now, much of the data on that drive is encrypted in various ways; some files are explicitly encrypted backup archives created using 7-zip and others are encrypted TrueCrypt volumes. But the vast majority of whatever is on that drive is unencrypted.

If that drive - that conveniently small and portable drive - walked off in someone's pocket, they'd have access to a lot of stuff. Hopefully, none of the unencrypted contents would be things that I cared about, but still...

In a forehead-slapping moment, I realized that I was going about this all wrong.

I should encrypt the entire drive.

Whole-drive encryption

When you encrypt an entire drive, it's set up so that when it's connected to your computer, it looks like an empty, unformatted drive. To access the contents of the drive, you must first "mount" it; this includes providing the proper password (or ideally pass phrase) that enables its decryption.

Once mounted, it operates like any other unencrypted drive.

Until you shut down or disconnect, that is. Then, it reverts to looking like that empty drive again.

If someone does walk away with the drive ... well, they have a nice, empty drive that they can do whatever they want with ... except access my data.

For this walkthrough, I'm going to assume that you already have TrueCrypt installed and that you've used it to create your own encrypted volumes, although that won't be a requirement.

Encrypting a drive

TrueCrypt main UI showing the Volume Creation Wizard link

In TrueCrypt, click Tools and then click Volume Creation Wizard to create a new encrypted volume.

Type of TrueCrypt encrypted volume to create

Select Encrypt a non-system partition/drive. A system partition is what Windows itself is installed on and we're not going to do that. This is all about encrypting an additional drive; in my case, it's an external drive.

Click Next.

TrueCrypt Volume Type selection

Select Standard TrueCrypt volume and click Next. (Hidden volumes are beyond the scope of what we need to do here.)

TrueCrypt Volume Location dialog

In the resulting Volume Location dialog, click the Select Device... button.

TrueCrypt volume selection dialog

You can see that each hard disk on my machine is listed, including the external one; on hard drives that have multiple partitions, each partition is listed as well.

In my case, I'll click \Device\Harddisk1\Partition1, also labeled as E:, which is my external drive and click OK. This returns to the Volume Location dialog with the location filled in. Click Next.

TrueCrypt Volume Creation Mode

When encrypting an external drive, TrueCrypt can operate one of two ways:

  • It can erase the drive, creating a new, empty encrypted volume to contain your data. This is fastest.

  • It can encrypt the data in place. This takes much more time as every sector - used or not - is read, encrypted, and written back out to the drive. Note: This only works for NTFS formatted partitions.

My external drive was full of data, so I chose Encrypt partition in place.

TrueCrypt Backup Warning

Encrypting a volume in place is time consuming and encryption is a significant operation. If something should happen while TrueCrypt is doing its thing, it is possible that all of the data being encrypted in place could be lost. TrueCrypt warns you to have a backup, just in case.

TrueCrypt Encryption Options

TrueCrypt actually supports a number of different encryption algorithms and you can select among the variations here if you want. It's typically best to simply accept the defaults and click Next.

TrueCrypt Password Selection

Password selection is perhaps the single most important aspect of this entire operation. A poor password is by far the weakest link in any encryption.

As you can see, TrueCrypt will allow you to see the password as you type it in, if you so choose. In this case, I've typed in an example pass phrase - a short multi-word phrase that is both memorable and relatively long.

Do not forget your password. A TrueCrypt volume cannot be accessed without the password. There are no back doors, there are no recovery methods. If you lose your password to a TrueCrypt volume, you have lost the contents of that volume.

TrueCrypt Random data collection

Random data is an important aspect of encryption. Don't take this the wrong way, but you are the most random thing connected to your computer. Move your mouse randomly in the window for a few seconds, and then click Next.

TrueCrypt wipe mode

Wipe mode is the moral equivalent of a secure delete. Before writing your encrypted data to the hard drive, the media is overwritten a few times to thwart some advanced data recovery techniques. It will increase the conversion time significantly.

If this is a flash drive that you're encrypting, do not select a wipe mode. The data recovery techniques that we're taking steps to prevent don't apply to flash memory and the added writing will simply wear out the flash memory more quickly.

Chances are that you don't need this anyway, so click Next.

TrueCrypt ready to start encrypting

Finally, the "go" button. Click Encrypt to begin the process.

TrueCrypt Are You Sure dialog

Well, almost begin. Naturally, TrueCrypt includes an additional warning message before it begins its work.

TrueCrypt encrypting

TrueCrypt will take a long time to encrypt a volume of any significant size. It doesn't matter how much data is on the volume: all sectors, whether they're used or not, are encrypted.

The example above is a 15-gigabyte flash drive, which takes a couple of hours to convert. My 450-gigabyte external hard drive took closer to 12 hours or so. (I'm not actually certain, because it finished while I was asleep in bed).

TrueCrypt instructions on completion

When complete, TrueCrypt provides some additional instructions on how to mount your encrypted drive.

Using your encrypted drive

When you insert your TrueCrypt encrypted drive, you may get this message:

Windows thinks this drive is unformatted

THE ANSWER IS CANCEL.

Your drive is encrypted and has not been mounted. To Windows, your encrypted data looks like an unformatted drive. If you were to format it, you would lose everything on the drive.
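Why Windows sees an unformatted drive, and why every sector has to be converted, can be checked directly: a plaintext drive carries a filesystem signature in its boot sector and many low-entropy sectors, while a fully encrypted one shows neither. The following is an added example, not TrueCrypt code or anything from the original article; it scans a constructed drive image (an NTFS-like boot sector and a text sector next to random bytes) and reports what a thief, or Windows, could recognise. The signature table and the 6.0-bit threshold are assumptions chosen for the example.

```python
import math
import os

SECTOR = 512

# Signatures a plaintext drive exposes in its first sector. An encrypted
# volume shows none of these. Assumed, illustrative set, not exhaustive.
SIGNATURES = {
    "NTFS":  (3, b"NTFS    "),
    "FAT32": (82, b"FAT32   "),
    "exFAT": (3, b"EXFAT   "),
    "MBR":   (510, b"\x55\xaa"),
}

def shannon_entropy(block: bytes) -> float:
    """Bits per byte of the block; random or encrypted data is near 8.0,
    a mostly-zero boot sector or plain text is far below it."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_signatures(sector: bytes) -> list:
    """Names of known filesystem/boot signatures present in one sector."""
    return [name for name, (off, magic) in SIGNATURES.items()
            if sector[off:off + len(magic)] == magic]

def scan_image(image: bytes, threshold: float = 6.0) -> dict:
    """Walk the image sector by sector: signatures in the boot sector and
    the indexes of low-entropy sectors that look like unencrypted data."""
    first = image[:SECTOR]
    low = [i // SECTOR for i in range(0, len(image), SECTOR)
           if shannon_entropy(image[i:i + SECTOR]) < threshold]
    sigs = find_signatures(first)
    return {"signatures": sigs,
            "low_entropy_sectors": low,
            "looks_encrypted": not sigs and not low}

def build_sample(encrypted: bool) -> bytes:
    """Constructed 8-sector test image: either all random bytes (as a
    whole-drive encrypted volume appears) or an NTFS-like boot sector,
    one sector of plain text and six random sectors."""
    if encrypted:
        return os.urandom(8 * SECTOR)
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x52\x90"          # jump instruction of an NTFS VBR
    boot[3:11] = b"NTFS    "             # OEM ID field
    boot[510:512] = b"\x55\xaa"          # boot-record signature
    text = (b"invoice 2011-07 confidential " * 20)[:SECTOR]
    return bytes(boot) + text.ljust(SECTOR, b"\x00") + os.urandom(6 * SECTOR)

if __name__ == "__main__":
    for label, flag in (("plaintext", False), ("encrypted", True)):
        print(label, scan_image(build_sample(flag)))
```

The same scan pointed at a raw device image of a drive that was encrypted in place should report no signatures and no low-entropy sectors; a hit means some sectors were never converted.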

Click Cancel and fire up TrueCrypt instead.

TrueCrypt prior to mounting a drive

Click the drive letter that you want your encrypted volume to appear as and then click Select Device....

TrueCrypt Device selection for mount

(As you can see, I didn't feel like waiting for two hours for the flash drive to finish encrypting, so we're mounting my previously encrypted external drive.)

Click the drive letter or line that represents the encrypted drive and click OK.

TrueCrypt ready to mount

You can see the volume is filled in (in my case, it's \Device\Harddisk1\Partition1). Click Mount to mount the drive.

TrueCrypt prompting for password

Enter the passphrase that you used when you encrypted the drive and click OK.

TrueCrypt Mounted volume

As you can see, the contents of the encrypted volume are now available at drive "N:". Drive "E:", the drive letter at which the external drive originally appears, remains in use and still looks like an unformatted disk. TrueCrypt makes its encrypted contents available as the drive that you select when mounted (in this example, the "N:" drive).

Mounted and original drives as seen in Windows Explorer

Dismounting

Naturally, when you power down your machine, the encrypted volume will be cleanly dismounted. When you next power up your machine or attach your external drive, you'll need to mount the drive again in order to access its contents, providing the pass phrase, of course.

That is kinda the point.

If you want to remove the external drive without turning off your computer:

  • Close all programs that are accessing files on the encrypted volume ("N:" in my example above).

  • In TrueCrypt, click the mounted volume and then click Dismount.

  • Finally, click the "Safely Remove Hardware" icon in the Windows Taskbar and click the device listed there. ("E:" in my example above.)

Yes, it's a bit of work to set up, but once it's done, it's relatively easy to use. More importantly, it's secure. I can now lose my external hard drive without fear of anyone being able to gain access to its encrypted contents.

Article C4861 - July 2, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

18 Comments
Bob Z
July 5, 2011 8:23 AM

How do you use the encrypted drive when you're traveling? After you finished the explanation of encrypting the drive, you instruct to "fire up TrueCrypt". If I'm traveling and carrying the drive in my pocket and am not traveling with a computer, how do I access the data on the encrypted drive? Assume I have access to a computer not my own at my destination or along the way.

Mark J
July 5, 2011 9:03 AM

@Bob
That's a problem with Truecrypt. You can put a portable version of Truecrypt on your removable drive, but if you don't have administration privileges on the computer you are using, you won't be able to access your data. In that case you may prefer to use an encrypted zip file for your data. All computers have a utility to open a zip file, or you can get a program like portable 7Zip and run it from your removable drive. In that case, you might want to save the data in a few or several zip files so you don't have to decrypt all the files at the same time.

Richard Deem
July 5, 2011 10:17 AM

Using TrueCrypt to encrypt an entire drive is so not ready-for-prime-time. Besides Windows always asking me to format the drive, I had endless problems getting the thing to mount and eventually gave up. However, you can't just unencrypt your drive, but have to reformat it! Buyer beware. BitLocker is so much easier to use. I have used it on two systems (Vista and Windows 7) and would never go back to TrueCrypt. TrueCrypt Free Encryption Software Review - Not Ready for Prime Time!

Needless to say I disagree. I'm exceptionally happy with TrueCrypt, and have had zero problems with my fully encrypted external hard drive, having taken it between my two primary systems already. I avoid bitlocker like the plague because my understanding is that if you don't save recovery information (which most people don't), if you ever lose the Windows login you've lost your encrypted data.
Leo
06-Jul-2011

nick
July 5, 2011 10:45 AM

QUESTION
truecrypt on a non-administrator machine - any way around this?

COMMENT, suggestion -truecrypt, when you are asked to format;
first, do NOT encrypt the DRIVE itself.
make an EXTENDED PARTITION drive, and then encrypt a giant file that encompasses about 95% of the drive.
this leaves you with a standard drive that gets recognized ok, WITHOUT the format comment;
and you have space to include a truecrypt PROGRAM folder, and some space for simple storage of workfiles, etc

then when you WANT to access your encrypted data, just either
1. double click the actual .TC file that is your encrypted storage, if the remote machine has truecrypt on it (it will bring up the file, and ask you to mount it)
OR
2. start truecrypt from your stored folder on the unencrypted portion of the physical external drive, then point to the truecrypt file (the .TC file) that you wish to open, and mount it.

I have done this with USB sticks, external USB drives (1 tb drives), etc, and it is fantastic, and my data is safe also.

I also use truecrypt to encrypt my TABLET PC, and in that case, I encrypt the WHOLE DRIVE, not just partitions, and I can boot them very well.

I can give more details if needed, as I have been using this for past couple years in multiple sites

nick

Ed Longwood
July 5, 2011 11:57 AM

Truecrypt has one giant flaw IMO. Deleted files go to the recycle bin on the active drive where they can be recovered by "anyone." Emptying the recycle bin will send them on as a recoverable deleted file. Perhaps if you use a file destroyer within Truecrypt you are ok. Otherwise, it works pretty well.

Just Looking
July 5, 2011 1:30 PM

"Truecrypt has one giant flaw IMO. Deleted files go to the recycle bin on the active drive "

I remember solving this problem about two years ago. If I remember correctly, setting the drive type to removable causes the file to be deleted and not moved to the recycle bin. If that does not work for you, hold down the shift key when deleting. This is independent of TrueCrypt and will work on any drive.

Peter Mackin
July 5, 2011 2:35 PM

@Ed and @Just Looking, The deleted files on a True Crypt volume do NOT move to the recycle bin on an unencrypted drive. You can verify this fact by deleting a test file on an encrypted drive. IF you open the recycle bin, you will be able to see the file. However, if you dismount the encrypted drive, the file deleted from the encrypted drive no longer shows up in the recycle bin. The reason that this occurs is that the file never left the encrypted drive and once you dismount the drive, the file is not accessible to Windows and so it won't show up in the recycle bin.

Each drive has its own recycle bin (actually a directory where deleted files are stored) by default. There is a way to remove the recycle bin on a specific drive, but with True Crypt this configuration change is unnecessary.

Mark J
July 5, 2011 3:19 PM

@Nick
Truecrypt uses a device driver to access the encrypted disk. For this, administration privileges are needed. As far as I know, there are no ways around this unless Truecrypt has already been installed on the system by an administrator. Here's what it says on the Truecrypt web site,
"In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. The reason for that is that TrueCrypt needs a device driver to provide transparent on-the-fly encryption/decryption, and users without administrator privileges cannot install/start device drivers in Windows."

Snert
July 6, 2011 9:13 AM

I've used TrueCrypt since Steve Bass mentioned it when he wrote for PC World.
You can encrypt data INSIDE an already encrypted volume, if that's the word. Think of onion layers. And you can do this many times. The documentation from TrueCrypt explains this.

Marcel
November 29, 2012 7:18 PM

Dear Leo,

just read your informative article.
I am now in the particular situation that the E: on my computer is a Truecrypt mounted encrypted partition - i.e. after mounting it shows as E.

Now I would like to backup this partition on the external harddrive which I encrypt as well but then I have to mount BOTH devices with the truecrypt on my computer at the same time.

Any idea how this can be done?

Thanks,

M.

Mark J
November 29, 2012 11:00 PM

@Marcel
You can easily open several Truecrypt volumes at a time. You just have to open them using different drive letters.

namewithheld
December 21, 2012 1:18 PM

I am interested in using TrueCrypt because I read an article called 'Encryption is Not Enough' which outlined why you need open-source full-drive encryption as opposed to commercial and rather than merely encrypting a few files or folders. I am interested in having the whole computer encrypted and don't want embedded adware to defeat the whole purpose. So I downloaded TrueCrypt and tried to install it. This error message appeared:

"Your system drive contains a non-standard partition"

And:

"If you are using a notebook, your system drive probably contains a special recovery partition. After the whole system drive is encrypted (including any recovery partition), your system might become unbootable if your system is using an inappropriately designed BIOS. It would also be impossible to use any recovery partition until the system drive is decrypted. Therefore, we recommend that you encrypt only the system partition.

Do you want to encrypt the system partition instead of the entire drive?

Note that you can create partition-hosted TrueCrypt volumes within any non-system partitions on the drive (in addition to encrypting the system partition)."

I went to the TrueCrypt forum and asked what I should do, but am not getting any answers except one which is asking why I don't just encrypt a partition. My expertise in this area is limited but that shouldn't mean I can't have the security I'm looking for.

The computer is a laptop and I also have portable drives which I also want to encrypt, but will encrypt them separately if I can get past the error messages.

So if anyone knows what this error message means and what to do about it, I'd appreciate it.

Danilo
January 4, 2013 6:59 AM

Ok to click Cancel when XP / WIN7 asks me to format the drive, but next time I boot the pc, will the OS ask me again to format the drive?
If so, how to avoid it?
Thanks in advance

Mike
January 31, 2013 12:55 PM

Hi,

Have you ever had problems with TrueCrypt inasmuch that it displays 'Incorrect password, or not a TrueCrypt volume' after the (correct) password has been entered?

For example, why does it not recognise a password on the first 2 occasions, but works on the third attempt?

Sometimes I have to reboot my PC to make it work, which makes me think it's a Windows thing, and not TrueCrypt.

The program says you can recover the password from a Backup but, what's the first thing it asks for in order to do it - the password of course!

Ethan
March 1, 2013 4:46 PM

Hello there Leo.

Other tutorials did not make much sense to me. But this cleared a lot of questions I had.

I have a few new questions though.

Assume I got a brand new hard drive. When I format this drive under windows I get two system directories in the root of this drive automagically. Every other drive used for storage under windows7 has them. Supposedly temp/recycle-bin directories. Should I remove these after I encrypt/format the whole disk with truecrypt for storage?

I'm so afraid windows will overwrite truecrypt data if these dirs exist on the drive for some reason. Don't know if my fear (not knowledge) is legitimate.

Ethan
March 15, 2013 12:48 PM

I tried truecrypting my entire drive today. Setup is okay until it 'starts'. It gives me an error right away: "error: truecrypt cannot shrink the filesystem (it needs to make space for volume header)". Now what?
Win7 64, 1 tb hdd with 50gb free, truecrypt 7.1. I truecrypt-formatted another drive earlier and put data on it and there was no problem at all.

Jonathan
April 10, 2013 5:01 AM

Hey Ethan and to all of you who also got the
"Cannot shrink the filesystem"-error:

Try defragmenting that drive. It worked for me.
On Windows 7:
(Right-click on the drive that you want to encrypt -> Properties -> Tools -> Defragment now)
On Windows 8:
(Right-click on the drive that you want to encrypt -> Properties -> Tools -> Optimize)

Regards
Jonathan

Rami Shalev
April 18, 2013 12:32 PM

Hello Leo
I just finished reading this article. Great job, very clear and easy to follow. I hope you can please answer one question for me. Can I use this with any PC or laptop that has the TrueCrypt installed on it as long as I use the same password??
Thank you very much
Rami

That should work, yes.
Leo
19-Apr-2013