Encrypting an Enterprise Desktop with TrueCrypt
Everyone has secrets. Some of yours probably live on your computer. If you want to keep digital information private, locking it behind a password won't really keep it secure. The only real solution is encryption, which scrambles the contents of files, making them unintelligible to anyone without the digital key to unscramble them. TrueCrypt can encrypt and decrypt files, documents, and even entire filesystems. The app also provides on-the-fly encryption for enhanced security, which means it can automatically encrypt and decrypt data before reading and writing it, so it's never on your hard drive in human-readable format.
TrueCrypt is designed to use modern hardware and its multiple cores to speed up encryption and decryption. Besides Linux, it also runs on Windows and Mac operating systems.
Of course TrueCrypt is not your only encryption alternative. GNU Privacy Guard (GPG) is free software's answer to Pretty Good Privacy (PGP), the industry standard for encrypting all types of data on the computer. But GPG is a suite of tools that allow you to encrypt and digitally sign arbitrary data such as files and emails, while TrueCrypt offers convenience and the advantage of deniability.
Installing TrueCrypt is a no-brainer. Since TrueCrypt's license has not been officially approved by the Open Source Initiative, the software is not available in any distro's repository. You'll have to download TrueCrypt from its website, extract the tar archive, and run through the graphical setup, after making sure your computer has the Fuse library and the device mapper tools installed. On Linux TrueCrypt installs under /usr/bin.
To use TrueCrypt you first need to create an encrypted container, which can be a virtual encrypted disk within a file, an encrypted partition, or an entire disk such as a removable USB drive. The first option gives you a virtual encrypted filesystem to store files on, and is the easiest for the technologically challenged. To create this type of container, launch the app and click the Create Volume button to launch the Volume Creation Wizard. Select the first option to create a virtual disk. Point the app to a file on the disk that will become the encrypted volume; if the file already exists, TrueCrypt overwrites it. Next, choose one of the eight available encryption algorithms; if you aren't sure which one to use, go with the default selection. Then specify the size of the encrypted volume, and format it as a FAT filesystem, which makes it accessible from other OSes as well. Finally, choose the password you'll enter whenever you mount the encrypted volume.
After it's been created, you can mount the partition as read-write or read-only from within the TrueCrypt interface just by selecting the encrypted file. Once the encrypted volume is mounted you can save files to it just as you do to a normal volume. When you're through, unmount the volume with the Dismount button within the program.
When it isn't mounted, the encrypted filesystem appears to be a random collection of bits in the file whose name you specified. Even when it is mounted, data is always encrypted before it is written to the volume.
For added security at the cost of a little inconvenience, check the "Never save history" box when you create or mount a volume, in order to prevent TrueCrypt from remembering the files that were mounted as TrueCrypt volumes. This makes it harder for unauthorized users to find your encrypted filesystem, but you'll have to manually point to it every time you want to mount it.
The procedure for encrypting a partition or a removable device is similar to that of encrypting a virtual disk. Just select the appropriate option in the Volume Creation Wizard and instead of a file on the filesystem, point to the partition or the disk you want to protect.
When creating a volume the wizard asks you the Type of Volume you wish to create, and gives you the option to either create a standard volume or a hidden volume. For most situations where you just need to shield documents from prying eyes, you can opt for the first option.
A hidden volume gives you the added advantage of plausible deniability. In security parlance, this means that even after being forced to give out the password for a (decoy) encrypted volume, you can convincingly deny the existence of other encrypted volumes. Creating a hidden volume gives you this kind of safeguard.
By design, a hidden volume always resides within an encrypted volume. Free space within an encrypted volume is just random data, so there is no way for an attacker to figure out if an encrypted volume contains another hidden volume or just gibberish.
To create a hidden volume, select the Hidden TrueCrypt Volume option when you create a new volume. The app will first create an outer volume and let you add non-sensitive data to it. It then calculates the maximum possible size you can allocate to the hidden volume. Although it should go without saying, ensure that the password for the inner hidden volume is different from that of the outer encrypted volume.
You mount a hidden volume in almost the same way as a standard TrueCrypt volume. The only difference is that when you select the file, partition, or device that is the outer volume, TrueCrypt mounts the hidden volume only if you specify its password. In other words, if you enter the password for the outer volume, that will be mounted, and if you enter the password for the inner volume, the hidden volume will be mounted.
When handling hidden volumes remember that, although you can read from the outer volume, writing to it might corrupt the hidden volume. To write to the outer volume without the risk of damaging the inner volume, you must check a special option when you enter the password for mounting the outer volume. Expand the Option section and select "Protect hidden volume when mounting outer volume."
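The container creation and mounting steps above, and the hidden-volume rules just described, can also be driven from TrueCrypt's text-mode CLI on Linux. The wrapper below is an added example, not code from the article or the TrueCrypt project; it assumes the command-line flags of TrueCrypt 7.x, and the TRUECRYPT and DRY_RUN variables and the tc_* function names are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the article or TrueCrypt): a thin wrapper around
# TrueCrypt's text-mode CLI that enforces the hidden-volume rules from the
# text. Flags are those of TrueCrypt 7.x on Linux; TRUECRYPT, DRY_RUN and the
# tc_* names are this script's own conventions.
TRUECRYPT=${TRUECRYPT:-truecrypt}

# With DRY_RUN=1 the command line is printed instead of executed, so the
# wrapper can be checked on a host without TrueCrypt installed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The prerequisites the article names: FUSE and the device-mapper tools.
tc_prereqs_ok() {
    [ -e /dev/fuse ] && command -v dmsetup >/dev/null 2>&1
}

# Create a file-backed outer volume as the article describes: default AES,
# FAT so other OSes can read it, size given in bytes. Note that -p puts the
# password in the process list; omit it to be prompted on a shared host.
tc_create_outer() {  # $1=container file  $2=size in bytes  $3=password
    run "$TRUECRYPT" -t -c "$1" --volume-type=normal --size="$2" \
        --encryption=AES --hash=RIPEMD-160 --filesystem=FAT \
        --random-source=/dev/urandom -p "$3" --non-interactive
}

# Mount the outer volume read-write while shielding the hidden volume inside
# it (the GUI's "Protect hidden volume when mounting outer volume"). TrueCrypt
# needs both passwords for this, which is why they must differ; refuse
# otherwise rather than risk overwriting the hidden volume's data.
tc_mount_outer_protected() {  # $1=container  $2=mount dir  $3=outer pw  $4=hidden pw
    if [ "$3" = "$4" ]; then
        echo "refusing: outer and hidden passwords are identical" >&2
        return 1
    fi
    run "$TRUECRYPT" -t --mount "$1" "$2" -p "$3" \
        --protect-hidden=yes --protection-password="$4" --non-interactive
}

# Dismount by container path or mount point; omit the argument to dismount all.
tc_dismount() {
    run "$TRUECRYPT" -t -d "$@"
}
```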
Encrypting the OS
Besides an encrypted volume, you can use TrueCrypt to encrypt an entire Windows operating system. Unfortunately you can't encrypt a system drive in the Linux version of TrueCrypt, but the current version of TrueCrypt supports various versions of Windows, both on the 32-bit and 64-bit platforms, including Windows 7, Vista, Server 2003, and Server 2008. By encrypting a Windows installation you ensure that all its files, including log files, the registry, and temporary and swap files, are always encrypted.
You wouldn't want to encrypt the OS on all the desktops in your network. Not only does it require extra effort to set up, but it costs a slight hit in performance. Instead, use this option for systems where security and privacy are paramount.
You can encrypt a Windows system from within Windows even while Windows is running. Along with its two regular options, the Volume Creation Wizard in the Windows version of TrueCrypt offers an additional option to encrypt the Windows partition, or you can go to System -> Encrypt System/Partition Drive and follow the wizard there.
When you encrypt a Windows partition, the tool installs the TrueCrypt boot loader in the master boot record (MBR) of the drive. TrueCrypt's boot loader will replace GRUB if you've got Linux distros installed on the box, but you can use them together.
Also when you are encrypting a Windows system partition or drive, the wizard asks you to create a TrueCrypt Rescue Disk, which you can use to restore the TrueCrypt boot loader if it gets corrupted. Don't worry about the security of your system if you lose the Rescue Disk; to boot your encrypted Windows installation with it, an attacker needs your password as well.
The truly paranoid will appreciate the fact that they can even install and use Windows from within a hidden partition.
With its graphical interface and thorough wizards, TrueCrypt packs powerful features that make it an ideal choice for any organization that values privacy.
This work is licensed under a Creative Commons Attribution 3.0 Unported License