
Installing and Configuring TrueCrypt for Full Disk Encryption

By Randy Nash

The latest battle cry in the security community is for full-disk encryption (FDE). This has been largely due to concerns over lost and stolen information that could lead to identity theft. Disk encryption for mobile devices has become mandatory for the federal government, but it’s a good idea for anyone who wants to protect personal information either at work or at home. With that in mind, security expert Randy Nash describes how he deployed an FDE solution on his personal laptop using the free, cross-platform, and open-source solution from TrueCrypt.

TrueCrypt is an excellent open-source, cross-platform solution for file and disk encryption. It is under constant development, with regular updates being posted to its site. Another attractive feature for me is the availability of AES encryption. The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm (Rijndael, designed by Joan Daemen and Vincent Rijmen, published in 1998) that may be used by U.S. federal departments and agencies to cryptographically protect sensitive information. If it’s good enough for the federal government, it’s good enough for me. TrueCrypt can currently encrypt the following operating systems:

Windows Vista
Windows Vista x64 (64-bit) Edition
Windows XP
Windows XP x64 (64-bit) Edition
Windows Server 2008
Windows Server 2008 x64 (64-bit)
Windows Server 2003
Windows Server 2003 x64 (64-bit)
Mac OS X 10.4 Tiger
Mac OS X 10.5 Leopard
Linux (kernel 2.4, 2.6, or compatible)

Encrypting the System Volume: Step By Step

The TrueCrypt application interface is quite simple.

All features are available from a single interface. To encrypt the system volume, click on the System menu item and select Encrypt System Partition/Drive:

Two methods of system encryption are available: Normal and Hidden. We’re looking at the simplest case here, so we’ll perform the Normal encryption process.

NOTE

A hidden operating system is intended for unusual situations. A recent court ruling states that “border agents could examine the contents of a laptop without reasonable suspicion of wrongdoing.” If you encrypt your laptop, you may feel protected from this action; however, border agents may simply confiscate your laptop. TrueCrypt allows you to create a hidden operating system whose existence is very difficult to prove. You could then decrypt the primary system without being forced to decrypt or reveal the password for the hidden operating system. For more information, see the details on plausible deniability on the TrueCrypt website.

The next step may be critical, depending on your computer. You have the choice to encrypt the Windows system partition or to encrypt the whole drive. Encrypting the Windows system partition will only encrypt the partition where Windows is installed. This may leave portions of your drive unencrypted and potentially vulnerable. However, choosing to encrypt the whole drive may cause problems if you have multiple partitions with more than one operating system installed or a multi-boot environment. Because my laptop has only a single partition and operating system, I choose Encrypt the Whole Drive.

Next we need to know whether our computer has a Host Protected Area and, if so, whether we can encrypt it. The Host Protected Area exists on some computers to store recovery tools, specialized drivers, and so on. If you’re not sure about your computer, please make sure to contact your vendor before proceeding!

My laptop is a clean install with no Host Protected Area, so I select No.

I have a single-boot, single-OS laptop, so I choose Single-boot. Select as appropriate for your computer.

As I mentioned earlier, I’m a fan of AES encryption. TrueCrypt supports the following encryption algorithms:

AES
Serpent
Twofish
AES-Twofish
AES-Twofish-Serpent
Serpent-AES
Serpent-Twofish-AES
Twofish-Serpent

And these hash algorithms:

RIPEMD-160
SHA-512
Whirlpool

I choose AES (the default) and RIPEMD-160 (also the default).

Now you’re prompted to enter your password. I prefer a passphrase. Whatever you choose, make it reasonably long and complex. Use upper- and lowercase letters, numbers, spaces, and special characters. I enter my passphrase and continue.

Now TrueCrypt asks you to move your mouse around the screen. Why? That’s an excellent question. Moving the mouse randomly around the screen generates random data used as a salt when generating your cryptographic keys for the encryption process. So, wiggle that mouse around as randomly as possible for as long as you want (longer is better). When you’re ready, click Next and continue.

Now the keys are generated. Congratulations!
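
To show how the hash algorithm, the passphrase, and the random salt chosen in the steps above fit together, here is an added example (not part of the original article and not TrueCrypt's code). It assumes PBKDF2 key derivation with a 64-byte salt; the iteration count, the use of SHA-512 (one of the hashes listed above), the function names, and the HMAC-based check value standing in for an encrypted header are choices made for this sketch, and os.urandom stands in for the mouse-seeded random pool.

```python
import hashlib
import hmac
import os

SALT_LEN = 64      # 512-bit salt, stored in the clear beside the header
ITERATIONS = 1000  # assumption for this example; higher costs an attacker more
KEY_LEN = 64       # 512 bits of derived key material


def derive_header_key(passphrase, salt, hash_name="sha512",
                      iterations=ITERATIONS):
    """Stretch a passphrase into key material with PBKDF2-HMAC."""
    return hashlib.pbkdf2_hmac(hash_name, passphrase.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def _check_value(key):
    # Stand-in for "the header decrypts correctly": a MAC over a fixed label.
    return hmac.new(key, b"header-check", hashlib.sha256).digest()


def create_header(passphrase):
    """Build a constructed header: fresh random salt || key check value."""
    salt = os.urandom(SALT_LEN)  # OS CSPRNG replaces the mouse-movement pool
    return salt + _check_value(derive_header_key(passphrase, salt))


def unlock(header, passphrase):
    """Return the derived key if the passphrase is right, otherwise None."""
    salt, stored = header[:SALT_LEN], header[SALT_LEN:]
    key = derive_header_key(passphrase, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return key if hmac.compare_digest(stored, _check_value(key)) else None


if __name__ == "__main__":
    phrase = "Sample passphrase, 4 demo only!"  # constructed sample value
    first, second = create_header(phrase), create_header(phrase)
    # Same passphrase, different salts: the headers and keys do not match,
    # so a table precomputed for one volume is useless against another.
    print("headers differ:", first != second)
    print("right passphrase unlocks:", unlock(first, phrase) is not None)
    print("wrong passphrase unlocks:", unlock(first, phrase.lower()) is not None)
```

The salt prevents precomputed guessing tables from being reused across volumes, but it does nothing for a weak passphrase: an attacker who holds the disk can still try guesses one at a time, which is why the passphrase length and complexity advice above matters.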
