by Michael Desrosiers
This month's topic is TrueCrypt, a truly affordable hard drive, laptop and USB Drive
encryption software for your business critical data.
Lost or stolen laptops are a privacy and security nightmare, especially for small to mid-size
organizations that handle customer data and/or are bound to one of the numerous regulatory
requirements. Smaller companies cannot afford the tangible and branding costs associated
with breach notification or incident response. Encryption of data at rest or on mobile resources
is a logistical nightmare for most businesses. Fortunately for them there is a free, open source
laptop or software encryption option available in TrueCrypt.
TrueCrypt is no secret. It has been downloaded more than 10 million times, and that is all the
proof that it is a worthy alternative for companies unwilling to shell out for some of the more
expensive commercial products. TrueCrypt is not an enterprise product. It lacks the central
management, key management, reporting, access control features and scalability of enterprise
commercial products. But for small to mid-size companies, this is an ideal solution. Multiple
users can share access to the encrypted data by presenting key-files in addition to their own
passwords. You can create any number of key-files using TrueCrypt's built-in random number
generator. While not necessarily enterprise-ready, TrueCrypt's use of cryptographic algorithms
and encryption methodology is comparable to many of its commercial counterparts and may
be easier to use.
The mode of operation TrueCrypt uses for encrypted partitions, drives and virtual volumes
is XTS, XTS mode uses two independent keys, specifically, its own secret key, or so called
"tweak key," that is independent from the primary encryption key. "Tweak" refers to a block
cipher that can accept a second input (the tweak) in addition to its plain-text or cipher-text
input. Encryption algorithms include AES, Serpent and Twofish, while ciphers can be
cascaded, that is, used in combination--AES-Twofish, Serpent-Twofish-AES, etc. For
example, a 128-bit block is first encrypted using Twofish (256-bit key), then with AES
(256-bit key). the hash algorithms, which include RIPEMD-160, SHA-512 and Whirlpool, are
utilized during volume creation, password changes and key-file generation. That is enough
"geek speak" for now.
TrueCrypt supports Windows Vista, XP, MacOSX and Linux distros. Installation on Windows
is as simple as downloading TrueCrypt, executing the installer, accepting the license, choosing
the Install radio button, and accepting default options for the last step. You can utilize installers
for Windows Vista/XP/2000, Mac OS X 10.4 and 10.5, and Linux OpenSUSE and Ubuntu. You
could use operating system options like Vista/Server 2008's BitLocker or Mac OS X's FileVault
to create encrypted volumes, partitions and disks, but TrueCrypt offers the benefit of being
platform agnostic, where as you can mount a TrueCrypt volume on any supported OS. You can
create two types of volumes: file-hosted (container) or partition/device-hosted. A file-hosted volume
is simply a normal file that contains an entirely independent virtual disk device and can be maintained
on any storage device. More simply, imagine it as a secure area on your hard drive or USB device
for your business critical information. You can also utilize TrueCrypt to encrypt an entire partition
or hard drive or USB thumb drive. Further, you can create TrueCrypt volumes as being Standard
or Hidden. A Standard volume is a normal, visible volume; a Hidden volume is nestled within another
TrueCrypt volume. Even if you reveal your password, it's invisible to a third party. The trick here is
that free space on any TrueCrypt volume is always filled with random data when the volume is
created. No part of the (dismounted) hidden volume can be distinguished from random data.
The TrueCrypt interface is simple and intuitive, allowing you to easily implement the encryption
method of your choice. Before beginning, choose a location in your file system where you'd like to
store your TrueCrypt volume(s) and create a new empty file. To create a file-hosted volume, just
click the Create Volume button to launch the Volume Wizard in a separate window, select the Create
a File Container radio button, and then decide between Standard and Hidden volume. Next, choose
the empty file you created and answer "yes" when asked if you'd like to replace it with your newly
created TrueCrypt volume. You'll then be presented with encryption options. The default options are
AES for the encryption algorithm and RIPEMD-160 for the hash algorithm. Since we are extremely
"paranoid", we prefer three ciphers in cascade, but there are performance impacts as you add more
complex combinations. Using the TrueCrypt benchmark feature, you can determine an appropriate
compromise between encryption and performance. You can now choose a hash algorithm. I really
like SHA-512, which is slightly faster than Whirlpool and more secure than RIPEMD-160.
Next comes volume size. Besides the space you think you'll need, one consideration might be how
portable it is. You might choose 3,9 MB for a 4 GB USB drive, as an example. Now, choose a strong
password. TrueCrypt will grade you on the password, so this to me is the most important step
(think pass-phrase). If you choose a password of fewer than 20 characters, you will be scolded for
your "wimpiness" and reminded that it might be easily brute-forced. We recommend using key-files
as well. In addition to allowing shared access, as discussed earlier, key-files provide protection
against keystroke loggers and brute force attacks that might crack your password. Finally, choose
your volume format (FAT, NTFS or none) and cluster size (up to 64 KB). You'll see the Random Pool
in this window, representing the random number generator (RNG) used to generate the master
encryption key; note the difference in entropy while your system is at rest versus moving your mouse
rapidly. The more you move your mouse, thus creating more randomness (entropy) for the RNG, the
stronger your key will be. And last, but not least. format the volume.
Once your volume is created, return to the primary interface, navigate to your newly created volume and
mount it. You'll be prompted for your password and you'll also have the chance to select more advanced
mount options, including mounting the volume as removable media. This option is important when you
wish to prevent Windows from automatically creating the Recycled and/or System Volume Information
folders on the volume (these folders are used by the Recycle Bin and System Restore facilities).
Now comes the "real cool" feature of TrueCrypt, Traveler Mode which runs from the USB drive itself. This
feature allows for true portability and, should you choose this option, we recommend a minimum of a 8 GB
USB 2.0 storage device. In Traveler Mode, TrueCrypt does not need to be installed on the operating system
it is running on. If, heaven forbid, you choose to use a kiosk or cafe machine, this may prove quite useful. For
a great example, let's say you travel with your data to your West Coast branch office, but leave your laptop
behind. Traveler Mode allows you to plug the USB thumb drive you installed TrueCrypt on into a PC and
directly run TrueCrypt from the thumb drive. TrueCrypt does not need to be installed on the PC. That is
cool! The Traveler Mode creation process is also wizard-driven and simple to follow.
So, there you have it. Whether you choose to encrypt an entire drive, a disk partition or just a file-hosted
container, you'll be glad you decided to use TrueCrypt. If you carry private or confidential company data,
and/or personally identifiable information, TrueCrypt's robust methodology will protect it as long as you
implement it properly and utilize strong password practices.
To find out more about TrueCrypt, go to the following site:
To view more articles:
or to inquire about an on-site presentation, please feel free to call me at
508-995-4933 or email me at email@example.com.
Until next time.....
Founder & Principal Consultant
Managing Your Security and Risk Needs
Got something to add? Send me email.
Increase ad revenue 50-250% with Ezoic
More Articles by Michael Desrosiers
© 2011-03-20 Michael Desrosiers