APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Protect your Laptop with TrueCrypt

© August 2009 Michael Desrosiers
by Michael Desrosiers

This month's topic is TrueCrypt, a truly affordable hard drive, laptop and USB Drive encryption software for your business critical data.

Lost or stolen laptops are a privacy and security nightmare, especially for small to mid-size organizations that handle customer data and/or are bound to one of the numerous regulatory requirements. Smaller companies cannot afford the tangible and branding costs associated with breach notification or incident response. Encryption of data at rest or on mobile resources is a logistical nightmare for most businesses. Fortunately for them there is a free, open source laptop or software encryption option available in TrueCrypt.

TrueCrypt is no secret. It has been downloaded more than 10 million times, and that is all the proof that it is a worthy alternative for companies unwilling to shell out for some of the more expensive commercial products. TrueCrypt is not an enterprise product. It lacks the central management, key management, reporting, access control features and scalability of enterprise commercial products. But for small to mid-size companies, this is an ideal solution. Multiple users can share access to the encrypted data by presenting key-files in addition to their own passwords. You can create any number of key-files using TrueCrypt's built-in random number generator. While not necessarily enterprise-ready, TrueCrypt's use of cryptographic algorithms and encryption methodology is comparable to many of its commercial counterparts and may be easier to use.

The mode of operation TrueCrypt uses for encrypted partitions, drives and virtual volumes is XTS, XTS mode uses two independent keys, specifically, its own secret key, or so called "tweak key," that is independent from the primary encryption key. "Tweak" refers to a block cipher that can accept a second input (the tweak) in addition to its plain-text or cipher-text input. Encryption algorithms include AES, Serpent and Twofish, while ciphers can be cascaded, that is, used in combination--AES-Twofish, Serpent-Twofish-AES, etc. For example, a 128-bit block is first encrypted using Twofish (256-bit key), then with AES (256-bit key). the hash algorithms, which include RIPEMD-160, SHA-512 and Whirlpool, are utilized during volume creation, password changes and key-file generation. That is enough "geek speak" for now.

TrueCrypt supports Windows Vista, XP, MacOSX and Linux distros. Installation on Windows is as simple as downloading TrueCrypt, executing the installer, accepting the license, choosing the Install radio button, and accepting default options for the last step. You can utilize installers for Windows Vista/XP/2000, Mac OS X 10.4 and 10.5, and Linux OpenSUSE and Ubuntu. You could use operating system options like Vista/Server 2008's BitLocker or Mac OS X's FileVault to create encrypted volumes, partitions and disks, but TrueCrypt offers the benefit of being platform agnostic, where as you can mount a TrueCrypt volume on any supported OS. You can create two types of volumes: file-hosted (container) or partition/device-hosted. A file-hosted volume is simply a normal file that contains an entirely independent virtual disk device and can be maintained on any storage device. More simply, imagine it as a secure area on your hard drive or USB device for your business critical information. You can also utilize TrueCrypt to encrypt an entire partition or hard drive or USB thumb drive. Further, you can create TrueCrypt volumes as being Standard or Hidden. A Standard volume is a normal, visible volume; a Hidden volume is nestled within another TrueCrypt volume. Even if you reveal your password, it's invisible to a third party. The trick here is that free space on any TrueCrypt volume is always filled with random data when the volume is created. No part of the (dismounted) hidden volume can be distinguished from random data.

The TrueCrypt interface is simple and intuitive, allowing you to easily implement the encryption method of your choice. Before beginning, choose a location in your file system where you'd like to store your TrueCrypt volume(s) and create a new empty file. To create a file-hosted volume, just click the Create Volume button to launch the Volume Wizard in a separate window, select the Create a File Container radio button, and then decide between Standard and Hidden volume. Next, choose the empty file you created and answer "yes" when asked if you'd like to replace it with your newly created TrueCrypt volume. You'll then be presented with encryption options. The default options are AES for the encryption algorithm and RIPEMD-160 for the hash algorithm. Since we are extremely "paranoid", we prefer three ciphers in cascade, but there are performance impacts as you add more complex combinations. Using the TrueCrypt benchmark feature, you can determine an appropriate compromise between encryption and performance. You can now choose a hash algorithm. I really like SHA-512, which is slightly faster than Whirlpool and more secure than RIPEMD-160.

Next comes volume size. Besides the space you think you'll need, one consideration might be how portable it is. You might choose 3,9 MB for a 4 GB USB drive, as an example. Now, choose a strong password. TrueCrypt will grade you on the password, so this to me is the most important step (think pass-phrase). If you choose a password of fewer than 20 characters, you will be scolded for your "wimpiness" and reminded that it might be easily brute-forced. We recommend using key-files as well. In addition to allowing shared access, as discussed earlier, key-files provide protection against keystroke loggers and brute force attacks that might crack your password. Finally, choose your volume format (FAT, NTFS or none) and cluster size (up to 64 KB). You'll see the Random Pool in this window, representing the random number generator (RNG) used to generate the master encryption key; note the difference in entropy while your system is at rest versus moving your mouse rapidly. The more you move your mouse, thus creating more randomness (entropy) for the RNG, the stronger your key will be. And last, but not least. format the volume.

Once your volume is created, return to the primary interface, navigate to your newly created volume and mount it. You'll be prompted for your password and you'll also have the chance to select more advanced mount options, including mounting the volume as removable media. This option is important when you wish to prevent Windows from automatically creating the Recycled and/or System Volume Information folders on the volume (these folders are used by the Recycle Bin and System Restore facilities).

Now comes the "real cool" feature of TrueCrypt, Traveler Mode which runs from the USB drive itself. This feature allows for true portability and, should you choose this option, we recommend a minimum of a 8 GB USB 2.0 storage device. In Traveler Mode, TrueCrypt does not need to be installed on the operating system it is running on. If, heaven forbid, you choose to use a kiosk or cafe machine, this may prove quite useful. For a great example, let's say you travel with your data to your West Coast branch office, but leave your laptop behind. Traveler Mode allows you to plug the USB thumb drive you installed TrueCrypt on into a PC and directly run TrueCrypt from the thumb drive. TrueCrypt does not need to be installed on the PC. That is cool! The Traveler Mode creation process is also wizard-driven and simple to follow.

So, there you have it. Whether you choose to encrypt an entire drive, a disk partition or just a file-hosted container, you'll be glad you decided to use TrueCrypt. If you carry private or confidential company data, and/or personally identifiable information, TrueCrypt's robust methodology will protect it as long as you implement it properly and utilize strong password practices.

To find out more about TrueCrypt, go to the following site:


To view more articles:


or to inquire about an on-site presentation, please feel free to call me at 508-995-4933 or email me at mdesrosiers@m3ipinc.com.

Until next time.....


Michael Desrosiers
Founder & Principal Consultant
m3ip, Inc.
Managing Your Security and Risk Needs

Got something to add? Send me email.

(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> Protect your Laptop with TrueCrypt


Inexpensive and informative Apple related e-books:

Take Control of the Mac Command Line with Terminal, Second Edition

El Capitan: A Take Control Crash Course

Digital Sharing Crash Course

Take Control of iCloud, Fifth Edition

iOS 10: A Take Control Crash Course

More Articles by © Michael Desrosiers

Sat Aug 15 15:03:10 2009: 6756   TonyLawrence

Thanks, Mike: I worry about this constantly. I'll definitely take a look at TrueCrypt.

Sat Aug 15 16:24:33 2009: 6757   BruceGarlock

I keep all OS binaries of TrueCrypt on my keychain USB drive. It's with me at all times. I have all the stuff I need to protect in a 1GB container on my USB key, and from what we know about encryption, not even the NSA could get my information off it. Not to mention, my password is around 60 or so characters long, with mixed case, symbols, spaces, etc.. -- basically a sentence, with mixed in gibberish so I can remember it easier.

This begs the question: How in the hell are people in a position where they have personal information about people, still losing laptops and having that information exposed? How? Why? Please don't say cost! It boggles my mind when I hear about lost laptops, and the fact that I have been using TrueCrypt for years!!

Sat Aug 15 23:28:20 2009: 6758   BrettLegree

TrueCrypt is pretty amazing - great post, by the way.

There are some neat things you can do with Standard and Hidden volumes. You can protect the data on a Hidden volume (there's a tick box to do this) so it can't be overwritten if you write to the Standard volume.

One could put some dummy data in the Standard volume that isn't really that sensitive, then if tortured or whatever, give the password for the Standard volume.

You can also use any sort of file as a keyfile instead of using a password, and you can run TrueCrypt from a USB drive.

So, one could keep a hundred or so innocent photos of your dog or whatever on the hard drive of a laptop along with a Hidden volume, and have TrueCrypt on a USB drive, and no one would know for sure if you had stuff on there.

Of course, you get to pick what photo or photos (you can use multiple keyfiles) are the ones to open the Hidden volume, and because TrueCrypt is on the USB drive, who would suspect you are using it? Carry a dozen or so USB drives and it would be unlikely anyone would check all of them. Or don't carry TrueCrypt with you at all, just leave it at home and in the office if you don't need the data in the field.

A lot of power for a simple program.


Printer Friendly Version

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

Printer Friendly Version

It is the the duty of a Webmaster to allocate URIs which you will be able to stand by in 2 years, in 20 years, in 200 years. (Tim Berners-Lee)

Linux posts

Troubleshooting posts

This post tagged:






Unix/Linux Consultants

Skills Tests

Unix/Linux Book Reviews

My Unix/Linux Troubleshooting Book

This site runs on Linode