Installing and Configuring TrueCrypt for Full Disk Encryption
TrueCrypt is an excellent open-source, cross-platform solution for file and disk encryption. It is under constant development, with regular updates being posted to its site. Another attractive feature for me is the availability of AES encryption. The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm (Rijndael, designed by Joan Daemen and Vincent Rijmen, published in 1998) that may be used by U.S. federal departments and agencies to cryptographically protect sensitive information. If it’s good enough for the federal government, it’s good enough for me. TrueCrypt can currently encrypt the following operating systems:
- Windows Vista
- Windows Vista x64 (64-bit) Edition
- Windows XP
- Windows XP x64 (64-bit) Edition
- Windows Server 2008
- Windows Server 2008 x64 (64-bit)
- Windows Server 2003
- Windows Server 2003 x64 (64-bit)
- Mac OS X 10.4 Tiger
- Mac OS X 10.5 Leopard
- Linux (kernel 2.4, 2.6, or compatible)
Encrypting the System Volume: Step By Step
The TrueCrypt application interface is quite simple (see Figure 1).
Figure 1 TrueCrypt application interface.
All features are available from a single interface. To encrypt the system volume, click on the System menu item and select Encrypt System Partition/Drive:
Figure 2 Encrypt the system/partition drive.
Two methods of system encryption are available: Normal and Hidden. We’re looking at the simplest case here, so we’ll perform the Normal encryption process (see Figure 3).
Figure 3 Normal encryption process.
The next step may be critical, depending on your computer. You have the choice to encrypt only the Windows system partition or to encrypt the whole drive. Encrypting the Windows system partition encrypts only the partition where Windows is installed. This may leave portions of your drive unencrypted and potentially vulnerable. However, choosing to encrypt the whole drive may cause problems if you have multiple partitions with more than one operating system installed or a multi-boot environment. Because my laptop has only a single partition and operating system, I choose Encrypt the Whole Drive (see Figure 4).
Figure 4 Encrypting the whole drive.
Next we need to know whether our computer has a Host Protected Area and, if so, whether we can encrypt it. The Host Protected Area exists on some computers to store recovery tools, specialized drivers, and so on. If you're not sure about your computer, please make sure to contact your vendor before proceeding!
My laptop is a clean install with no Host Protected Area, so I select No.
I have a single-boot, single OS laptop, so I choose Single-boot. Select as appropriate for your computer (see Figure 5).
Figure 5 Single-boot operating system.
As I mentioned earlier, I’m a fan of AES Encryption. TrueCrypt supports the following encryption algorithms:
And these hash algorithms:
I choose AES (the default) and RIPEMD-160 (also the default), as shown in Figure 6.
Figure 6 Choosing an encryption option.
Now you’re prompted to enter your password. I prefer a passphrase. Whatever you choose, make it reasonably long and complex. Use upper- and lowercase letters, numbers, spaces, and special characters. I enter my passphrase and continue.
Figure 7 Selecting a passphrase.
Now TrueCrypt asks you to move your mouse around the screen. Why? That’s an excellent question. Moving the mouse randomly around the screen generates random data used as a salt when generating your cryptographic keys for the encryption process. So, wiggle that mouse around as randomly as possible for as long as you want (longer is better). When you’re ready, click Next and continue.
Figure 8 Generating random data used as salt.
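To make the mouse-wiggling step concrete, here is a small Python model of what the explanation above describes: mouse events are mixed into an entropy pool, the pool supplies the salt (and a master key), and the passphrase plus salt go through PBKDF2 to derive the key that protects that master key. This is an added illustration written for this article, not TrueCrypt's own generator or header format; the pool size, the mixing construction, the sample events and the use of SHA-512 (standing in for the RIPEMD-160 chosen above, since `hashlib` may lack it) are all assumptions of the model.

```python
import hashlib
import hmac
import struct

POOL_SIZE = 64   # bytes of pool state (assumed size for this model)
SALT_SIZE = 64   # bytes of salt drawn from the pool (assumed)
KEY_SIZE = 32    # 256-bit AES key

# Constructed sample mouse events: (x, y, milliseconds since the dialog opened).
SAMPLE_MOUSE_EVENTS = [
    (120, 340, 15), (125, 338, 31), (131, 330, 47), (140, 321, 62),
    (152, 318, 78), (160, 325, 94), (171, 336, 109), (180, 349, 125),
]


class EntropyPool:
    """Hash-based pool: each event is folded into the state with a keyed hash."""

    def __init__(self):
        self.state = bytes(POOL_SIZE)
        self.events = 0

    def add_mouse_event(self, x, y, t_ms):
        # Pack position and timing, then mix them in so that every bit of the
        # previous state influences the new one. More events, more unpredictability.
        sample = struct.pack("<iiI", x, y, t_ms)
        self.state = hmac.new(self.state, sample, hashlib.sha512).digest()
        self.events += 1

    def read(self, n):
        # Expand the state into n output bytes, then ratchet the state forward so
        # bytes already handed out cannot be recomputed from the pool later.
        out = b""
        counter = 0
        while len(out) < n:
            out += hashlib.sha512(self.state + struct.pack("<I", counter)).digest()
            counter += 1
        self.state = hashlib.sha512(b"ratchet" + self.state).digest()
        return out[:n]


def derive_keys(passphrase, events, iterations=1000):
    """Return (salt, master_key, header_key) for the given passphrase and events."""
    pool = EntropyPool()
    for x, y, t in events:
        pool.add_mouse_event(x, y, t)
    salt = pool.read(SALT_SIZE)        # random salt, as the article describes
    master_key = pool.read(KEY_SIZE)   # random key that actually encrypts the disk
    # The passphrase never encrypts data directly: it is stretched with the salt
    # into a header key, which in turn protects the master key.
    header_key = hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, iterations, KEY_SIZE)
    return salt, master_key, header_key
```

Note that the passphrase only influences the header key; the salt and master key come entirely from the collected events, which is why the quality of that randomness matters as much as the passphrase itself.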
Now the keys are generated. Congratulations!
Figure 9 The keys are generated.