Whole-drive encryption is a little complicated to set up, but it provides a very high degree of data security, particularly for easily lost external drives.
I realized the other day that the external hard drive that I carry with me when traveling was an easy thing to lose. Now, much of the data on that drive is encrypted in various ways; some files are explicitly encrypted backup archives created using 7-zip and others are encrypted TrueCrypt volumes. But the vast majority of whatever is on that drive is unencrypted.
If that drive - that conveniently small and portable drive - walked off in someone's pocket, they'd have access to a lot of stuff. Hopefully, none of the unencrypted contents would be things that I cared about, but still...
In a forehead-slapping moment, I realized that I was going about this all wrong.
I should encrypt the entire drive.
When you encrypt an entire drive, it's set up so that when it's connected to your computer, it looks like an empty, unformatted drive. To access the contents of the drive, you must first "mount" it; this includes providing the proper password (or ideally pass phrase) that enables its decryption.
Once mounted, it operates like any other unencrypted drive.
Until you shut down or disconnect, that is. Then, it reverts to looking like that empty drive again.
If someone does walk away with the drive ... well, they have a nice, empty drive that they can do whatever they want with ... except access my data.
For this walkthrough, I'm going to assume that you already have TrueCrypt installed and that you've used it to create your own encrypted volumes, although that won't be a requirement.
In TrueCrypt, click Tools and then click Volume Creation Wizard to create a new encrypted volume.
Select Encrypt a non-system partition/drive. A system partition is what Windows itself is installed on and we're not going to do that. This is all about encrypting an additional drive; in my case, it's an external drive.
Select Standard TrueCrypt volume and click Next. (Hidden volumes are beyond the scope of what we need to do here.)
In the resulting Volume Location dialog, click the Select Device... button.
You can see that each hard disk on my machine is listed, including the external one; on hard drives that have multiple partitions, each partition is listed as well.
In my case, I'll click \Device\Harddisk1\Partition1, also labeled as E:, which is my external drive and click OK. This returns to the Volume Location dialog with the location filled in. Click Next.
When encrypting an external drive, TrueCrypt can operate one of two ways:
It can erase the drive, creating a new, empty encrypted volume to contain your data. This is fastest.
It can encrypt the data in place. This takes much more time as every sector - used or not - is read, encrypted, and written back out to the drive. Note: This only works for NTFS-formatted partitions.
My external drive was full of data, so I chose Encrypt partition in place.
Encrypting a volume in place is time consuming and encryption is a significant operation. If something should happen while TrueCrypt is doing its thing, it is possible that all of the data being encrypted in place could be lost. TrueCrypt warns you to have a backup, just in case.
TrueCrypt actually supports a number of different encryption algorithms and you can select among the variations here if you want. It's typically best to simply accept the defaults and click Next.
Password selection is perhaps the single most important aspect of this entire operation. A poor password is by far the weakest link in any encryption.
As you can see, TrueCrypt will allow you to see the password as you type it in, if you so choose. In this case, I've typed in an example pass phrase - a short multi-word phrase that is both memorable and relatively long.
Do not forget your password. A TrueCrypt volume cannot be accessed without the password. There are no back doors, there are no recovery methods. If you lose your password to a TrueCrypt volume, you have lost the contents of that volume.
Random data is an important aspect of encryption. Don't take this the wrong way, but you are the most random thing connected to your computer. Move your mouse randomly in the window for a few seconds, and then click Next.
Wipe mode is the moral equivalent of a secure delete. Before writing your encrypted data to the hard drive, the media is overwritten a few times to thwart some advanced data recovery techniques. It will increase the conversion time significantly.
If this is a flash drive that you're encrypting, do not select a wipe mode. The data recovery techniques that we're taking steps to prevent don't apply to flash memory and the added writing will simply wear out the flash memory more quickly.
Chances are that you don't need this anyway, so click Next.
Finally, the "go" button. Click Encrypt to begin the process.
Well, almost begin. Naturally, TrueCrypt includes an additional warning message before it begins its work.
TrueCrypt will take a long time to encrypt a volume of any significant size. It doesn't matter how much data is on the volume, all sectors, whether they're used or not, are encrypted.
The example above is a 15-gigabyte flash drive, which takes a couple of hours to convert. My 450-gigabyte external hard drive took closer to 12 hours or so. (I'm not actually certain, because it finished while I was asleep in bed.)
When complete, TrueCrypt provides some additional instructions on how to mount your encrypted drive.
When you insert your TrueCrypt encrypted drive, you may get a message from Windows offering to format it:
THE ANSWER IS CANCEL.
Your drive is encrypted and has not been mounted. To Windows, your encrypted data looks like an unformatted drive. If you were to format it, you would lose everything on the drive.
Click Cancel and fire up TrueCrypt instead.
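As an added check that is not part of the original article: this small Python script reads the first sector of a partition and reports whether it still carries a recognisable NTFS or FAT boot sector, or whether it looks like random data, which is what a TrueCrypt-encrypted partition (the "unformatted" drive Windows complains about) presents. The device path and the sample sectors are constructed for the example; reading a raw Windows volume such as \\.\E: assumes an administrator prompt.

```python
import math
import random
import sys
from collections import Counter
from typing import Optional

SECTOR = 512  # bytes in one disk sector


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is the maximum; a random 512-byte sector scores roughly 7.6."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def filesystem_signature(sector: bytes) -> Optional[str]:
    """Name of a recognisable filesystem boot sector, or None if no known header is present."""
    if len(sector) < SECTOR:
        return None
    if sector[3:11] == b"NTFS    ":          # NTFS OEM ID
        return "NTFS"
    if sector[3:8] == b"EXFAT":              # exFAT OEM ID
        return "exFAT"
    if sector[54:59] in (b"FAT12", b"FAT16"):  # FAT12/16 BPB type string
        return sector[54:59].decode()
    if sector[82:87] == b"FAT32":            # FAT32 BPB type string
        return "FAT32"
    return None


def classify_first_sector(sector: bytes) -> str:
    """Plain-language verdict on what the first sector of the partition looks like."""
    sig = filesystem_signature(sector)
    if sig:
        return f"plaintext {sig} volume"
    if shannon_entropy(sector) > 7.0:
        return "no filesystem header, high entropy: consistent with an encrypted volume"
    return "no filesystem header, low entropy: blank or unformatted"


# Constructed sample sectors (not captured from a real drive).
NTFS_SECTOR = b"\xEB\x52\x90NTFS    " + bytes(SECTOR - 11)
BLANK_SECTOR = bytes(SECTOR)
RANDOM_SECTOR = random.Random(1234).randbytes(SECTOR)  # stands in for a TrueCrypt header

if __name__ == "__main__":
    # Usage: python check_sector.py <path>, e.g. a raw volume like \\.\E: (administrator required)
    with open(sys.argv[1], "rb") as dev:
        print(classify_first_sector(dev.read(SECTOR)))
```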
Click the drive letter that you want your encrypted volume to appear as and then click Select Device....
(As you can see, I didn't feel like waiting for two hours for the flash drive to finish encrypting, so we're mounting my previously encrypted external drive.)
Click the drive letter or line that represents the encrypted drive and click OK.
You can see the volume is filled in (in my case, it's \Device\Harddisk1\Partition1). Click Mount to mount the drive.
Enter the passphrase that you used when you encrypted the drive and click OK.
As you can see, the contents of the encrypted volume are now available at drive "N:". Drive "E:", the drive letter at which the external drive originally appears, remains in use and still looks like an unformatted disk. TrueCrypt makes the encrypted contents available at whichever drive letter you selected when mounting (in this example, the "N:" drive).
Naturally, when you power down your machine, the encrypted volume will be cleanly dismounted. When you next power up your machine or attach your external drive, you'll need to mount the drive again in order to access its contents, providing the pass phrase, of course.
That is kinda the point.
If you want to remove the external drive without turning off your computer:
Close all programs that are accessing files on the encrypted volume ("N:" in my example above).
In TrueCrypt, click the mounted volume and then click Dismount.
Finally, click the "Safely Remove Hardware" icon in the Windows Taskbar and click the device listed there. ("E:" in my example above.)
Yes, it's a bit of work to set up, but once it's done, it's relatively easy to use. More importantly, it's secure. I can now lose my external hard drive without fear of anyone being able to gain access to its encrypted contents.