Saturday, July 4, 2009

Create a high-security vault for your data in 5 minutes

In the last article, Protecting your sensitive data with TrueCrypt, I gave an overview of what TrueCrypt can do for you: make an encrypted virtual hard drive, encrypt an entire partition, or encrypt an entire hard drive. This time, we'll see how to make the virtual hard drive in at most 5 minutes. Rather than write my own tutorial, I direct you to the step-by-step TrueCrypt Beginner's Tutorial with full screen shots.

Instead of another tutorial, I'll summarize the steps, add a note or two, and try to give a little more explanation of what is happening in this method.

Why use TrueCrypt?

First, why use TrueCrypt rather than one of the many, many other encryption programs?

  • Compatibility: TrueCrypt runs on Microsoft systems from Windows 2000 upward, on Mac OS X 10.4 and 10.5, and on Linux. (According to this Wikipedia article, only one of the other 45 disk encryption programs works on all three systems, and that one is not open source.)
  • Price: Free. Not shareware, not trial-ware, not "free download," but just free, period.
  • Open source: This means that anyone can examine the program's instructions to see how it all works. This means that many people can be working on improvements and bug-fixing. More importantly, though, the transparency of open source makes it hard for any security flaws to remain undetected.
  • Wide use: TrueCrypt is one of the most widely used encryption programs. The site reports over 10 million downloads to date.

That said, the most important thing is to protect your sensitive data somehow and to use a well-supported, respected encryption program. If you like experimenting, there are many programs out there. TrueCrypt can be a complicated program with all kinds of options, but it's quite easy to use the most important features.

Overview

Goal

What will you accomplish when you follow the tutorial?

  • Within a few minutes, you will have a new "drive" M: on your computer where you can safely store sensitive information. You can use it like any other drive--create files, drag-and-drop files into or out of folders on the drive, even use a folder on the drive as your "My Documents" if you like.
  • Though in action you see a new drive M:, all the data is kept in a container file that can only be unlocked ("mounted") using TrueCrypt and your passphrase.
  • While your new drive is mounted, you will not know or care that your files are encrypted. When you turn off your computer or lock ("dismount") the drive, the data will be invisible, safe from any prying eyes.
  • You can copy or move the entire encrypted drive, as a single file, to a different location such as a USB flash drive or another computer. This is good for backup.

Steps

Here's a high-level explanation of the 18 steps in the tutorial.

  • Step 1: Download and install the program.
  • Steps 2-12: Create the container file. This only has to be done once.
  • Steps 13-18: Mount the container file for use. You do this every time you want to unlock and access your data.

Precautions

  • You are making a data vault or safe, and your passphrase is the combination to the lock. There is no backup, no spare key or emergency button to use to recover your data if you lose or forget your passphrase. In most cases, it is probably best to record your passphrase somewhere safe rather than rely on your memory. Obviously, you don't want to keep it somewhere where a thief will see it, such as in your computer bag. Depending on your situation, you may not even want to keep it in writing in your home or office, but do consider keeping it somewhere.
  • Putting your information onto an encrypted drive is only one part of security. Do not neglect other parts; a chain is as strong as its weakest link.

OK, let's do it

Now, go to the tutorial and follow it step by step, referring to these notes as you do.

  • Step 1. Downloading and installing TrueCrypt. Ideally, you should download the program directly from TrueCrypt so that you get the most up-to-date, "pure" version.
  • Steps 2-5. Telling TrueCrypt you want to create a virtual drive. Just click the buttons as shown, no choices to make here.
  • Step 6. Specify location and name of container file. Attention: be sure to read the explanation in the tutorial. Although it might appear that you are to select an existing file to encrypt, this is not true. Rather you are giving the program the location and name of a file to create. This new file will be the "container" for your virtual drive. If you select an existing file, it will be erased, not encrypted!
  • Steps 7-8. Having chosen a name for your container file, you just press "next" two times.
  • Step 9. Tell TrueCrypt how big to make your virtual drive, how much data you will be able to store in it. TrueCrypt will create a container file of this size, so you will need at least that much free space in the location you have chosen. Don't make it too big if you plan to copy the entire thing onto a flash drive.
    Optional note: If you choose to make the container "dynamic" (Step 11), it is very small at first and only grows as you add files. In this case, the size you select in step 9 is the maximum size. If you do not make the container dynamic, then the container file will be this maximum size from the very beginning, even though it contains no data.
  • Step 10. Choosing a passphrase. While you are just testing, you can use a simple passphrase. For serious use, however, be sure to read the guidelines about how to make a secure passphrase.
  • Step 11. Select format type. Just follow the instructions, moving your mouse around randomly for a while to help make the encryption strong, then click Format.
    Optional note: For advanced use, you can use a format other than the default FAT. For large virtual drives in Windows, you might consider using NTFS.
  • Step 12. Finishing up. Now the container file is ready to use.
  • Steps 13-18. Mounting the container as a virtual hard drive. Although this occupies six steps in the tutorial, it is really simple. First, you choose a drive letter to assign to the new drive (step 13), then you tell TrueCrypt which container file to use (i.e., the one you just created) (steps 14-16). Finally, you enter your passphrase for that container file and mount it (steps 17-18).
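The two mistakes the notes on Steps 6 and 9 warn about can be checked before you open the wizard. The script below is an added example, not part of the TrueCrypt tutorial or of TrueCrypt itself; the function name `preflight`, its parameters and the file names are all made up for illustration.

```python
import os
import shutil
import tempfile
from collections import namedtuple

Result = namedtuple("Result", "errors warnings")

def preflight(container_path, size_bytes, dynamic=False, backup_dir=None):
    """Check a planned container file before running the volume-creation wizard."""
    errors, warnings = [], []
    path = os.path.abspath(container_path)
    folder = os.path.dirname(path)

    # Step 6: the wizard creates this file; an existing one is erased, not encrypted.
    if os.path.lexists(path):
        errors.append(f"{path} already exists and would be erased")
    if not os.path.isdir(folder):
        errors.append(f"folder {folder} does not exist")
        return Result(errors, warnings)  # free space cannot be measured

    # Step 9: a fixed-size container takes its full size from the start;
    # a dynamic one starts small, so a shortfall is only a warning.
    free = shutil.disk_usage(folder).free
    if size_bytes > free:
        msg = f"container needs {size_bytes} bytes, only {free} free in {folder}"
        (warnings if dynamic else errors).append(msg)

    # Step 9 again: the whole file must fit wherever it will be copied for
    # backup, such as a flash drive (backup_dir is assumed to exist).
    if backup_dir is not None and size_bytes > shutil.disk_usage(backup_dir).free:
        warnings.append(f"container will not fit in backup location {backup_dir}")
    return Result(errors, warnings)

if __name__ == "__main__":
    # Constructed demo: a scratch folder stands in for the real location.
    with tempfile.TemporaryDirectory() as scratch:
        existing = os.path.join(scratch, "budget.xls")  # a file picked by mistake
        open(existing, "wb").close()
        for name, size in (("budget.xls", 1), ("vault.tc", 1), ("vault.tc", 2**60)):
            result = preflight(os.path.join(scratch, name), size)
            print(name, size, result.errors or "OK to create")
```

An empty `errors` list means the name is unused and the space is available; warnings are things to reconsider, not reasons to stop.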

At this point, your new drive M: is ready to use just like any other drive. Remember that your data is exposed as long as the drive is mounted; if someone steals the computer while you are working on it, M: will be unlocked until the computer is shut down. Depending on the situation, you may want to manually dismount it when you leave the computer or when you do not need to access the secure files.

Finally, read the small print at the end of the tutorial and realize that your original, unencrypted data is still present on your original drive even after you delete it--that's why file-recovery programs work. To permanently remove it, you need to use a disk wiping program with the option of erasing all unused disk space. See Purge Your Hard Drive for a good explanation. One wiping program is Heidi Computer's Eraser. Some others are reviewed in Best Free Secure Erase Utility.

Even then, how do you know that you have deleted all the files that contain sensitive data? What about backups, email folders, temporary files, obscure files in the Application Data folder, the paging and hibernation files? You really don't know. That's where whole disk encryption comes into play. It may seem a little scarier to think of altering your whole hard drive, but it's actually easier than making a virtual drive, and it eliminates all these residues of the information you want to protect. You will not need to worry about wiping or shredding your files, either. I'll cover whole disk encryption next time, in a much shorter article I hope!

Photo of safe by rpongsaj on Flickr, http://www.flickr.com/photos/pong/ / CC BY 2.0

Protecting your sensitive data with TrueCrypt

About two weeks ago, I finally took the big plunge and encrypted my laptop's entire hard drive. I knew in theory that it was a good security precaution, and in fact, our mission's IT policy requires hard drive encryption on all laptops. It's a policy that is still more honored in the breach than in practice. Why didn't I do it earlier?

Not that I've been totally slack about protecting my data. I've always kept my passwords and financial accounts encrypted. (Always? What about those home accounting programs--I know my Microsoft Money program opens without a password....) I don't think there is any sensitive information in my email folders, except that anyone successfully logging on to the computer could get enough information about me and my contacts to start lots of scams even without actually breaking into my email server. ("This is Pastor Jonah, friend of Mike, who you support. He's been in a bad accident and needs money for treatment. Please urgently send $1000 to this account number ...") The bottom line is that any unencrypted information on my computer is potentially exposed to anyone who steals or borrows my laptop.

But since I have a good password for even logging on to my laptop, no one should even get that far, right? Wrong. It's very easy to break into a Windows computer if you have physical access to it. Anyway, if the data is not encrypted, someone can take out the hard drive and read it on another operating system.

Last year, I finally installed TrueCrypt, an excellent, free encryption tool. TrueCrypt can work in three main ways:

  • Create an encrypted virtual hard drive. Tell TrueCrypt where to put the file to contain the data, assign a pass phrase, and TrueCrypt creates a new, encrypted volume ("hard drive") for you with the drive letter you choose, such as "T:". From then on, you can use it exactly like any other drive. As long as the volume is unlocked with your pass phrase, you can't even tell that the data is encrypted. Lock it again and the drive letter disappears, leaving only what looks like a file of random garbage.
  • Encrypt a partition. Most hard drives these days are divided into different logical areas or partitions, each with its own drive letter ("C drive," "D drive," etc.). TrueCrypt encrypts all the data in the entire partition, making it inaccessible until you supply the pass phrase. This option allows you to keep some data unprotected and more sensitive data encrypted on a separate partition. Unless you encrypt the operating system partition (usually C: in Windows), you can still boot the computer without the password.
  • Encrypt an entire drive. In this case, everything on the drive is encrypted and nothing can be accessed without the pass phrase. Nothing, that is, except the tiny boot program that loads enough TrueCrypt to get your password and unlock the drive for you. If you lose your pass phrase, there is no way you're going to boot your system or recover your data, period.

Rather than encrypting my whole drive, I started with the first option--a virtual hard drive where I could keep my sensitive data. Next time I'll show just how easy it was.