How to Encrypt Your Hard Drive with TrueCrypt

I’m relatively new to the whole cryptography and computing security scene, and it has always intrigued me how so many people with their MacBooks, netbooks, iPhones, external hard drives, and other mobile devices are so vulnerable to malicious attacks from outsiders. There has always been an age-old saying in the IT business: PEBKAC (Problem Exists Between Keyboard and Chair).

While most of the problems that IT managers and security professionals deal with stem from the inability of users to practice some common sense when browsing the web, those types of problems are easy to rectify.

However, there is very little IT managers and security professionals can do about physical theft, such as burglaries and corporate espionage. Thankfully, there is a way for ordinary people like you and me to protect our sensitive data from physical theft.

TrueCrypt to the rescue!

TrueCrypt is a disk-encryption tool that utilizes modern cryptography for encrypting and decrypting hard drives and other storage volumes. It does this by either:

a. Formatting the entire drive (wiping it clean) and then incorporating an encryption scheme (such as the impenetrable AES or Twofish) in the read and write process

or

b. Taking the entire volume you want to encrypt and using the encryption algorithm of your choice (such as AES or Twofish) on each bit of data to encrypt and decrypt your files.

The Caesar Cipher

For a (very) brief run-down on what encryption/decryption is, let’s take a look at the very-easy-to-understand and basic Caesar Cipher. We’ll use the example of the text provided by the Wikipedia article “ABCDEFGHIJKLMNOPQRSTUVWXYZ”.

The basic premise of the Caesar Cipher is to take each individual letter in the original text – in this case “ABCDEFGHIJKLMNOPQRSTUVWXYZ” – and apply some mathematical rule, like taking the numerical position of the source letter, moving three or four positions to the right, and replacing the letter with the one found there. Here’s a basic rundown.

If the letter at hand was “A” and the algorithm (the process we use to encrypt or decrypt data) to encrypt the data was “Take numerical position of Letter, add 4. Take new letter and replace source”, then the new letter would be “E” instead of “A”.

For instance:

  • Assume A, B, C, …, Z is 1, 2, 3, … 26 respectively.
  • The numbers represent the numerical position of the letter.
  • The algorithm we use requires us to use the source letter (in this case “A”), which has a position of 1 according to the first bullet point, and add 4 positions to the right.
  • Counting upwards, we would get 5, which corresponds with the letter “E”.
  • So the letter “A” –> “E”.

Then we do this with the rest of the source data.

Now, this is a very basic cipher and one of the most widely known encryption methods. In other words, if any hacker figures out the number of shifts the algorithm uses to convert the source data into encrypted data, it would not take long for the hacker to decrypt your data. This would be very bad.
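The shift described above and the reason it offers no protection, as an added example that is not part of the original article: with only 25 possible shifts, trying each one and scoring the result against English letter frequencies recovers the text. The function names, the frequency table and the sample sentence are constructed for this illustration.

```python
import string

ALPHABET = string.ascii_uppercase  # A..Z, which the article numbers 1..26

# Approximate English letter frequencies in percent, in A..Z order.
ENGLISH_FREQ = dict(zip(ALPHABET, [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03,
    2.41, 6.75, 7.51, 1.93, 0.095, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15,
    1.97, 0.074]))

def caesar(text, shift):
    """Move each letter `shift` positions to the right, wrapping Z to A."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)

def english_score(text):
    """Chi-squared distance from English letter frequencies (lower is closer)."""
    letters = [ch for ch in text if ch in ALPHABET]
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = len(letters) * pct / 100
        score += (letters.count(letter) - expected) ** 2 / expected
    return score

def recover_shift(ciphertext):
    """Try all 25 shifts and keep the most English-looking decryption."""
    best = min(range(1, 26),
               key=lambda s: english_score(caesar(ciphertext, -s)))
    return best, caesar(ciphertext, -best)

# Constructed sample sentence for the demonstration.
SAMPLE = ("THERE IS VERY LITTLE ANYONE CAN DO ABOUT PHYSICAL THEFT SO "
          "ENCRYPT THE DRIVE BEFORE SOMEONE STEALS IT")

if __name__ == "__main__":
    print(caesar(ALPHABET, 4))          # the article's alphabet, shifted by 4
    secret = caesar(SAMPLE, 4)
    print(secret)
    print(recover_shift(secret))        # shift and text recovered without the key
```

The whole key space is 25 values, so the secrecy of the shift is the only protection and it disappears after at most 25 guesses.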

AES Technology

The Advanced Encryption Standard (or AES) was first published in 1998 by Vincent Rijmen and Joan Daemen as part of the US’ DARPA contest to modernize the security methods of the US and its agencies. I don’t want to go into the technical aspects of the algorithm (like the process the algorithm uses to encode and decode data) as that would only serve to confuse you. Instead, just know this: AES has yet to be broken and if the FBI/CIA/NSA uses it, then you can remain confident in your usage as well.

Getting started: What you will need

  • A Windows/Mac/Linux PC
  • A backup of your entire hard drive
  • TrueCrypt

Now, back to TrueCrypt.

TrueCrypt has come a long way since its original release and has become pretty successful at letting ordinary users like you or me practice safe encryption standards and security.

Once you download and install the actual piece of software for your system of choice, you will be prompted with this screen (or its equivalent) at first boot:

truecrypt1.png

There are several options for you to choose here, but since we’re talking about encrypting hard disks (non-bootable), we’re going to select option 2.

After going past the Windows UAC prompt, you’re going to encounter this prompt:

truecrypt2.png

Whether you want to make it hidden or not is entirely up to you, but for the sake of progressing this article forward we’re going to pick option 1 and click “Next”.

After clicking the “Next” button, you will be prompted by this:

truecrypt3.png

Be sure to select the proper device (in this case not your boot drive since there is a separate option for that) and then click “Next”.

After selecting the drive you want to encrypt, TrueCrypt is going to ask you whether or not you want to completely wipe the drive and start from scratch, or encrypt each piece of data that already exists on the drive:

truecrypt4.png

If you’re encrypting a blank external drive, I would recommend picking the first option and not the second. If you already had data stored on the drive and wish to keep it, then pick option 2. You have been warned.

Clicking “Next” to continue brings up a prompt for the type of encryption algorithm you would like to use and the type of hash algorithm you would like to use to randomly generate the key that will be used to decrypt your data.

truecrypt5.png

Note: There are different encryption algorithms listed, like Twofish or DES, but AES is proven to be as secure as, and faster than, those listed in the box. You could always benchmark it on your computer if you desire, but for the sake of progress, we’re going to pick AES for the encryption algorithm and the default hash algorithm.

The next prompt is going to ask you for a key, and this is where the adage PEBKAC comes in. Allow me to emphasize the following piece of text: PICKING A WEAK PASSWORD WILL ALWAYS RESULT IN WEAKER SECURITY.

truecrypt6.png

Ahem. Now that that is out of the way, enter a password that is complex yet easy to remember, and write it down somewhere you can remember but no one else will find.

Tip: Passwords with symbols, numbers, and upper- and lower-case letters are harder to crack, but are harder to remember. Conversely, passwords using words that are small in length and/or combinations of words with relevance are easier to crack, but easier to remember. I recommend picking a password made of words that have no relevance to each other and combining it with a numerical code that is easy for you to remember. This is harder to crack than relevant words, but easier to remember than a string of random gibberish.
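A rough way to compare the password styles in the tip above, as an added example that is not part of the original article: it builds a passphrase from unrelated words plus a numeric code and estimates the size of the guessing space in bits. The word list is a constructed sample, the 7,776-word list size and the 94-symbol printable set are assumptions, and the estimates only hold when the words and digits are picked at random.

```python
import math
import secrets

# Constructed sample list for illustration; a real list has thousands of words.
SAMPLE_WORDS = ["anchor", "biscuit", "cobalt", "dragon", "ember", "falcon",
                "glacier", "harbor", "ivory", "jungle", "kettle", "lantern",
                "meadow", "nickel", "orchid", "pepper"]

def make_passphrase(words, n_words=4, code_digits=4):
    """Pick unrelated words and a numeric code with a CSPRNG, not by hand."""
    picked = [secrets.choice(words) for _ in range(n_words)]
    code = "".join(secrets.choice("0123456789") for _ in range(code_digits))
    return "-".join(picked + [code])

def passphrase_bits(list_size, n_words, code_digits):
    """Guessing space (bits) of n random words from a list plus random digits."""
    return n_words * math.log2(list_size) + code_digits * math.log2(10)

def random_string_bits(length, alphabet_size):
    """Guessing space (bits) of a string of independent random characters."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    print("example passphrase:", make_passphrase(SAMPLE_WORDS))
    # The 16-word sample list contributes only 4 bits per word.
    print("4 words from 16 + 4 digits:   %.1f bits" % passphrase_bits(16, 4, 4))
    # Assumed list size of 7,776 words.
    print("4 words from 7776 + 4 digits: %.1f bits" % passphrase_bits(7776, 4, 4))
    # Assumed alphabet of 94 printable ASCII symbols.
    print("8 random printable chars:     %.1f bits" % random_string_bits(8, 94))
```

Each extra bit doubles the number of guesses needed, so the size of the list the words are drawn from matters as much as the number of words.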

Related: xkcd

The following prompt will ask you to move your mouse around. Please do this thoroughly as it will help generate a harder-to-crack hash key.

truecrypt7.png

The next prompt is up to user preference. It deals with the method of secure file deletion from an encrypted drive. Theoretically, it is possible for a hacker to erase the entire drive and then use a file-recovery program to look for files. Selecting a multiple-pass wipe method would essentially prevent that from happening*.

*Note: This happens because as you delete a file and a (for this example) 2-pass wipe method is used, the data is wiped and written with random bits of data, making it harder for hackers to recover the data.

truecrypt8.png

As I said before, this is entirely up to you, but I’m going to select “None” and move on with my life.

And now the actual encryption begins:

truecrypt9final.png

Press the “Encrypt” button and watch as your CPU churns out random bits of data and thwarts the would-be identity-thieves of the world!

On a serious note, if you do have pre-existing files on the disk that you plan to encrypt, be sure NOT to turn off the power, and expect the encryption to take a very long time, depending on how much data there is to encrypt (Anecdote: It took me 18 hours to encrypt nearly 900GB of data on an i7 machine).

Now every time you want to mount the disk and add or remove files, just open up TrueCrypt, click the “Auto-Mount Devices” button at the bottom, and enter your super secret password that only you should know. TrueCrypt then handles the rest!

Congratulations! You have a newly-encrypted hard drive!

cat-password

Now your cat won't be able to access your computer's data

Now for the legal stuff that you should keep in mind:

  • If asked, never give your password to anyone that you don’t want snooping around. This includes federal and local police officers. You are never obligated to disclose that information when asked. If anything, respond with the 5th amendment and ask for a lawyer.
    • The rationale for this is there is a certain level of privacy the courts have established that protect people from potential self-incrimination (hence the 5th amendment plea).
    • However, there is a little loophole for this rule: If the police or anyone asks anyone you know for a potential password and it works, you are liable for whatever incriminating thing they find on your hard drive.

That’s it for today – if you have any questions or comments, please leave a message in the comment field below and have a safe and secure computing experience!


  • Nepharian86

    I didn’t even read the article, I was too distracted by the error in the maxim at the beginning. PEBKAC stands for Problem exists BETWEEN keyboard and chair. “Behind” makes no sense.