Encrypting an Enterprise Desktop with TrueCrypt

By Mayank Sharma on Friday, June 17th, 2011 in Technical

Everyone has secrets. Some of yours probably live on your computer. If you want to keep digital information private, locking it behind a password won’t really keep it secure. The only real solution is encryption, which scrambles the contents of files, making them unintelligible to anyone without the digital key to unscramble them. TrueCrypt can encrypt and decrypt files, documents, and even entire filesystems. The app also provides on-the-fly encryption for enhanced security, which means it can automatically encrypt and decrypt data before reading and writing it, so it’s never on your hard drive in human-readable format.

TrueCrypt is designed to use modern hardware and its multiple cores to speed up encryption and decryption. Besides Linux, it also runs on Windows and Mac operating systems.

Of course TrueCrypt is not your only encryption alternative. GNU Privacy Guard (GPG) is free software’s answer to Pretty Good Privacy (PGP), the industry standard for encrypting all types of data on the computer. But GPG is a suite of tools that allow you to encrypt and digitally sign arbitrary data such as files and emails, while TrueCrypt offers convenience and the advantage of deniability.

Basic Usage

Installing TrueCrypt is a no-brainer. Since TrueCrypt’s license has not been officially approved by the Open Source Initiative, the software is not available in any distro’s repository. You’ll have to download TrueCrypt from its website, extract the tar archive, and run through the graphical setup, after making sure your computer has the Fuse library and the device mapper tools installed. On Linux TrueCrypt installs under /usr/bin.

To use TrueCrypt you first need to create an encrypted container, which can be a virtual encrypted disk within a file, an encrypted partition, or a disk such as a removable USB drive. The first option gives you a virtual encrypted filesystem to store files on, and is the easiest for the technologically challenged. To create this type of container, launch the app and click on the Create Volume button to launch the Volume Creation Wizard. Select the first option to create a virtual disk. Point the app to a file on the disk that’ll be the encrypted volume. If the file exists, TrueCrypt will recreate it, using one of eight encryption algorithms. If you aren’t sure which one to use, go with the default selection. Next, specify the size of the encrypted volume, and format it as a FAT filesystem, which makes it accessible from other OSes as well. Finally, choose a password you’ll specify when you mount the encrypted volume.

After it’s been created, you can mount the partition as read-write or read-only from within the TrueCrypt interface just by selecting the encrypted file. Once the encrypted volume is mounted you can save files to it just as you do to a normal volume. When you’re through, unmount the volume with the Dismount button within the program.

When it isn’t mounted, the encrypted filesystem appears to be a random collection of bits in the file whose name you specified. Even when it is mounted, data is always encrypted before it is written to the volume.
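To make "a random collection of bits" measurable, here is a small Python check added for this article; it is not code from the TrueCrypt project. It scores a blob by Shannon entropy per byte and by the share of printable bytes, and notes whether the length is a whole number of 512-byte sectors. No real TrueCrypt volume is created: 64 KB of `os.urandom` output stands in for an unmounted container and the document text is constructed too, and the thresholds in `assess_blob` are assumptions for the example. A reviewer going through a disk image can use the same measures to find high-entropy blobs with no file-format header, keeping in mind that compressed or otherwise encrypted data scores the same way, so a hit is a lead rather than an identification.

```python
import math
import os
from collections import Counter

SECTOR = 512  # TrueCrypt volumes are laid out in 512-byte sectors


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for ideal random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    text_bytes = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return text_bytes / len(data)


def assess_blob(data: bytes) -> dict:
    """Summarise whether a blob looks like ciphertext or like structured data.

    Thresholds are assumptions for this example: ideal random bytes score
    about 7.99 bits/byte and about 38% printable, while English text scores
    around 4.5 bits/byte and close to 100% printable.
    """
    ent = shannon_entropy(data)
    pr = printable_ratio(data)
    return {
        "entropy_bits_per_byte": round(ent, 3),
        "printable_ratio": round(pr, 3),
        "sector_aligned": len(data) % SECTOR == 0,
        "looks_random": ent > 7.9 and pr < 0.5,
    }


# Constructed samples: urandom output stands in for an unmounted container
# (no real TrueCrypt volume is created here); the text is an ordinary file.
FAKE_CONTAINER = os.urandom(64 * 1024)
PLAIN_DOCUMENT = (b"Quarterly strategy notes: the board meets on Monday; "
                  b"contracts for the new supplier are attached.\n") * 400

if __name__ == "__main__":
    for name, blob in (("container", FAKE_CONTAINER), ("document", PLAIN_DOCUMENT)):
        print(name, assess_blob(blob))
```

The entropy figure is what distinguishes an unmounted container from a document; what it cannot do is tell a TrueCrypt container apart from any other random-looking file, which is exactly the property the article describes.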

For added security at the cost of a little inconvenience, check the “Never save history” box when you create or mount a volume, in order to prevent TrueCrypt from remembering the files that were mounted as TrueCrypt volumes. This makes it harder for unauthorized users to find your encrypted filesystem, but you’ll have to manually point to it every time you want to mount it.

The procedure for encrypting a partition or a removable device is similar to that of encrypting a virtual disk. Just select the appropriate option in the Volume Creation Wizard and instead of a file on the filesystem, point to the partition or the disk you want to protect.

Hidden Volumes

When creating a volume the wizard asks you the Type of Volume you wish to create, and gives you the option to either create a standard volume or a hidden volume. For most situations where you just need to shield documents from prying eyes, you can opt for the first option.

A hidden volume gives you the added advantage of plausible deniability. In security parlance, this means that even after being forced to give out the password for a (decoy) encrypted volume, you can convincingly deny the existence of other encrypted volumes. Creating a hidden volume gives you this kind of safeguard.

By design, a hidden volume always resides within an encrypted volume. Free space within an encrypted volume is just random data, so there is no way for an attacker to figure out if an encrypted volume contains another hidden volume or just gibberish.

To create a hidden volume, select the Hidden TrueCrypt Volume option when you create a new volume. The app will first create an outer volume and let you add non-sensitive data to it. It then calculates the maximum possible size you can allocate to the hidden volume. Although it should go without saying, ensure that the password for the inner hidden volume is different from that of the outer encrypted volume.

You mount a hidden volume in almost the same way as a standard TrueCrypt volume. The only difference is that when you select the file, partition, or device that is the outer volume, TrueCrypt mounts the hidden volume only if you specify its password. In other words, if you enter the password for the outer volume, that will be mounted, and if you enter the password for the inner volume, the hidden volume will be mounted.

When handling hidden volumes remember that, although you can read from the outer volume, writing to it might corrupt the hidden volume. To write to the outer volume without the risk of damaging the inner volume, you must check a special option when you enter the password for mounting the outer volume. Expand the Option section and select “Protect hidden volume when mounting outer volume.”
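To show why writing to the outer volume is dangerous and what the protect option changes, here is a toy Python model written for this article; it is not TrueCrypt's code or its on-disk format. It assumes the simplified layout the text describes: the hidden volume occupies the tail of the outer volume's free space, and the outer filesystem hands out space from the front, so a large enough write eventually reaches the hidden region. With protection on, the first write that would touch that region is refused and the whole volume stays write-protected until it is dismounted, which is how TrueCrypt's option behaves. The sizes and the hidden-volume contents are constructed.

```python
import os


class OuterVolume:
    """Toy model for this example (not TrueCrypt's on-disk format).

    The outer volume's free space is random-looking; the hidden volume sits
    in the tail of that free space, and the outer filesystem is assumed to
    allocate new data from the front, so it eventually grows into the tail.
    """

    def __init__(self, outer_size: int, hidden_size: int) -> None:
        if not 0 < hidden_size < outer_size:
            raise ValueError("hidden volume must fit inside the outer volume")
        self.outer = bytearray(os.urandom(outer_size))   # free space = noise
        self.hidden_start = outer_size - hidden_size
        self.hidden_image = os.urandom(hidden_size)      # constructed hidden data
        self.outer[self.hidden_start:] = self.hidden_image
        self.outer_used = 0           # next free byte of the outer filesystem
        self.write_protected = False  # set once a protected write is refused

    def write_outer(self, data: bytes, protect_hidden: bool = False) -> bool:
        """Append data to the outer volume; return True if the write went through."""
        if self.write_protected:
            return False
        start, end = self.outer_used, self.outer_used + len(data)
        if end > len(self.outer):
            raise ValueError("outer volume is full")
        if end > self.hidden_start and protect_hidden:
            # TrueCrypt's option: the write is denied and the whole volume
            # stays write-protected until it is dismounted.
            self.write_protected = True
            return False
        self.outer[start:end] = data
        self.outer_used = end
        return True

    def hidden_intact(self) -> bool:
        """True if the hidden volume's bytes are unchanged."""
        return bytes(self.outer[self.hidden_start:]) == self.hidden_image


def demo() -> dict:
    """Run the same sequence of writes with and without protection."""
    unprotected = OuterVolume(4096, 1024)
    unprotected.write_outer(b"A" * 2048)
    unprotected.write_outer(b"B" * 2048)   # runs into the hidden region
    protected = OuterVolume(4096, 1024)
    protected.write_outer(b"A" * 2048, protect_hidden=True)
    refused = not protected.write_outer(b"B" * 2048, protect_hidden=True)
    return {
        "unprotected_hidden_intact": unprotected.hidden_intact(),
        "protected_write_refused": refused,
        "protected_hidden_intact": protected.hidden_intact(),
    }


if __name__ == "__main__":
    print(demo())
```

The model also shows the cost of the option: once a protected write has been refused, every later write to the outer volume fails as well, so the user sees a write error rather than silent damage to the hidden volume.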

Encrypting the OS

Besides an encrypted volume, you can use TrueCrypt to encrypt an entire Windows operating system. Unfortunately you can’t encrypt a system drive in the Linux version of TrueCrypt, but the current version of TrueCrypt supports various versions of Windows, both on the 32-bit and 64-bit platforms, including Windows 7, Vista, Server 2003, and Server 2008. By encrypting a Windows installation you ensure that all its files, including log files, the registry, and temporary and swap files are always encrypted.

You wouldn’t want to encrypt the OS on all the desktops in your network. Not only does it require extra effort to set up, but it costs a slight hit in performance. Instead, use this option for systems where security and privacy are paramount.

You can encrypt a Windows system from within Windows even while Windows is running. Along with its two regular options, the Volume Creation Wizard in the Windows version of TrueCrypt offers an additional option to encrypt the Windows partition, or you can go to System -> Encrypt System/Partition Drive and follow the wizard there.

When you encrypt a Windows partition, the tool installs the TrueCrypt boot loader in the master boot record (MBR) of the drive. If you’ve also got Linux distros installed on the box, TrueCrypt’s boot loader replaces GRUB in the MBR, but the two can still be used together.

Also when you are encrypting a Windows system partition or drive, the wizard asks you to create a TrueCrypt Rescue Disk, which you can use to restore the TrueCrypt boot loader if it gets corrupted. Don’t worry about the security of your system if you lose the Rescue Disk; to boot your encrypted Windows installation with it, an attacker needs your password as well.

The truly paranoid will appreciate the fact that they can even install and use Windows from within a hidden partition.

With its graphical interface and thorough wizards, TrueCrypt packs powerful features that make it an ideal choice for any organization that values privacy.




Mayank Sharma

Mayank Sharma is a regular contributor to Linux Format and PC Plus magazines. He has written books on administering Elgg and Openfire, and was contributing editor at Linux.com.

10 Responses to “Encrypting an Enterprise Desktop with TrueCrypt”

  1. JohnP says:

    Ok, so all my corporate laptops are whole drive encrypted with TrueCrypt – any device that is portable needs to be encrypted. We know this. Then something terrible happens and the CEO is killed in a car accident, his laptop is ok, but he is dead.
    Nobody knows his passphrase to the truecrypt volume.
    How do we access the data that is **only** on his laptop? I don’t think it is possible, which is the flaw in this solution. New, almost complete, contracts and strategic plans are lost.

    Other solutions allow for multiple keys to be used so the company can place a base key on the encrypted volume to grant key IT groups access to the data without knowing the passphrase/pass-file used by the end user.

    Sure, procedures that have the passphrase shared with IT (sealed envelope method) could be created, but do any companies really do that? What happens when the passphrase is changed periodically? Do you think a new sealed envelope will actually be provided?

    Don’t misunderstand, I love truecrypt and use it daily. In fact, the VM I’m using right now is contained inside a truecrypt whole encrypted partition, but in the corporate world, some other assurances to allow access to data are needed. I’m a CIO for a company and we share critical, 3rd party, accounts for IT things with 2 highly trusted people. I don’t share the passphrase to my truecrypt volumes on work systems, which means they will have to get the stuff they need from system backups (ooops, not encrypted). If I died today, it would be really bad for the company. That isn’t my intention. I need to fix that soon.

  2. Mayank Sharma says:

    Like you rightly point out, companies need to have a contingency plan in place before encrypting data. Such decisions are always a compromise between integrity and convenience. TrueCrypt’s plausible deniability ensures that even if you share the password for a hidden volume and it leaks to an attacker, they’ll still need to know where to look.

  3. macias says:

    I wouldn’t recommend TrueCrypt. I tried it on Linux and Windows (the reason was exactly this, multiplatform). It worked fine on Linux, but on Windows it constantly crashed the entire machine. Then I found out that reporting bugs for TC is a bit peculiar, and it is very hard to get feedback about such issues. So, if you rule out Windows (my case, I was forced to do that), there is absolutely no reason to still use TC, because in the Linux world there is dm-crypt, which has much better support.

  4. JustWondering says:

    Since Ubuntu offers encrypted file system support during install, what is the incentive to use TrueCrypt?

  5. Mayank Sharma says:

    @macias I haven’t had any issues with TrueCrypt crashing under Windows 98 and Windows 7.

    @macias @JustWondering Sure there are other options, but TrueCrypt’s forte is its ability to create hidden containers for deniability.

  6. Ricardo says:

    @JohnP: I’d recommend using a keyfile in your case.

    A copy of every keyfile would be stored in a safe place (the company’s safe box or a bank for example) so you have a second method of decrypting critical information if needed.

    I use dm-crypt in my notebook, because it lets me use a password (or several) + keyfiles as a contingency plan.

    Regards.
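One way to give a company the recovery path JohnP asks for and Ricardo sketches, added here as an example and not a TrueCrypt feature: generate the keyfile, give it to TrueCrypt as a keyfile in the usual way, then escrow it as Shamir secret shares so that, say, any 2 of 3 custodians (the CIO plus two trusted IT staff, as in JohnP’s setup) can rebuild it while no single custodian holds the whole key. The arithmetic is over GF(2^8) with the AES polynomial; the 64-byte keyfile size, the 2-of-3 policy and the `/tmp/example.keyfile` path are assumptions for the example.

```python
import os
import secrets
from typing import Dict

# Assumptions for this example: keyfile length and escrow policy.
KEYFILE_BYTES = 64
THRESHOLD, CUSTODIANS = 2, 3


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254, since a^255 == 1 for every non-zero a."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split_secret(secret: bytes, threshold: int, shares: int) -> Dict[int, bytes]:
    """Shamir split, byte by byte: custodian x receives P(x) for a random
    polynomial P of degree threshold-1 whose constant term is the secret byte."""
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    out = {x: bytearray() for x in range(1, shares + 1)}
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x in out:
            y, x_pow = 0, 1
            for c in coeffs:
                y ^= gf_mul(c, x_pow)
                x_pow = gf_mul(x_pow, x)
            out[x].append(y)
    return {x: bytes(v) for x, v in out.items()}


def recover_secret(shares: Dict[int, bytes]) -> bytes:
    """Lagrange interpolation at x = 0; needs at least `threshold` distinct shares."""
    xs = list(shares)
    length = len(next(iter(shares.values())))
    secret = bytearray()
    for i_byte in range(length):
        acc = 0
        for xi in xs:
            num, den = 1, 1
            for xj in xs:
                if xj != xi:
                    num = gf_mul(num, xj)
                    den = gf_mul(den, xi ^ xj)   # subtraction is XOR in GF(2^8)
            acc ^= gf_mul(shares[xi][i_byte], gf_mul(num, gf_inv(den)))
        secret.append(acc)
    return bytes(secret)


def escrow_keyfile(path: str) -> Dict[int, bytes]:
    """Write a fresh keyfile to `path` (the file you hand to TrueCrypt) and
    return one share per custodian for offline storage."""
    keyfile = os.urandom(KEYFILE_BYTES)
    with open(path, "wb") as fh:
        fh.write(keyfile)
    return split_secret(keyfile, THRESHOLD, CUSTODIANS)


if __name__ == "__main__":
    shares = escrow_keyfile("/tmp/example.keyfile")   # example path
    with open("/tmp/example.keyfile", "rb") as fh:
        original = fh.read()
    # Custodians 1 and 3 together are enough; one share alone reveals nothing.
    print(recover_secret({1: shares[1], 3: shares[3]}) == original)
```

One caveat that matters for JohnP’s scenario: TrueCrypt mixes the password and the keyfiles into a single key, so an escrowed keyfile only gives IT a way in if the volume uses the keyfile on its own or the escrow also covers the passphrase. There is no second, independent key slot of the kind Ricardo describes for dm-crypt.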

  7. macias says:

    @Mayank Sharma, of course everyone has their own reasons to use this or that software. With dm-crypt you can use stealth mode, which causes the partition to look as if it is not encrypted, but I don’t use it — what matters for me is the long run. What if I use even the best software today, and after a year I run into problems and:
    a) there would be no other software which could help me
    b) there would be no support

    It is better (IMHO) not to go to the edge with encryption, because — as for example with hidden partitions — other, system, software could do more harm than you expected.

  8. Bernardo says:

    I use TrueCrypt at my place of employment to encrypt all of our Windows laptops, some Windows XP and some Windows 7. Never had it cause any problems.

  9. Karan says:

    Hi,

    Regarding the solution which DM-Crypt provides, there are a few challenges when we deploy the same on 10000 Ubuntu machines:
    1. Manageability in case someone loses/forgets his/her user passphrase.
    2. Working with 8 slots does not give many permutations.

    Hence there is a search which goes on for secure managed FHDE software for the Linux OS.

    Not sure if TrueCrypt does that… since I did not get any option for FHDE.

    Any suggestions??


© 2012 OpenLogic, Inc.
