Using TrueCrypt to protect your data

TrueCrypt is a software application that allows you to encrypt a single file, an entire partition on a hard disk or a storage device such as a USB flash drive. Encrypting data makes information inaccessible to an unauthorized third party. If your computer (or your USB flash drive) is lost or stolen, no one can access the encrypted data without knowing the password you set.

The principle

This tutorial explains how to create a TrueCrypt volume (or container) that encrypts all the files contained within it. This container or volume can be on a hard disk, a USB flash drive, a memory card and so on.

To understand how it works, it helps to compare a TrueCrypt volume or container to a safe. Each time you want to encrypt a file, you open the TrueCrypt volume, move the file into the volume, and then close the volume. The file is then encrypted and protected.

Before starting 

TrueCrypt’s developers have announced on their website that this application is no longer safe and suggest that users replace it with BitLocker, a commercial equivalent, and download the “final” version 7.2 of TrueCrypt, which decrypts volumes that are already encrypted but does not encrypt. We advise against installing this final version. We also advise against using BitLocker, because it is not open-source and therefore does not allow for a security audit. Other teams of developers have already announced their intention to continue the TrueCrypt project. Pending the development of an equivalent application, you can continue using the previous version of TrueCrypt, version 7.1 (which can be downloaded here), or you can use other programmes that incorporate encryption options, such as Tails.

Before starting, download and install TrueCrypt on your computer. TrueCrypt is free, open-source software available for Windows, Mac and Linux. As a TrueCrypt volume is protected by a password, you must now:

  • Create a strong password: a random sequence of letters, numbers and symbols of your choosing, not a quote or a line from a film. It should be long and complicated, and it should not be something that can be found in a dictionary.
  • Remember your password. If you forget it, you will not be able to recover the data in your TrueCrypt volume.
  • Don’t write your password down anywhere. The best password is useless if someone can find it… stuck to your keyboard, for example.

Create the volume

To create an encrypted volume, launch the TrueCrypt application and click on the Create Volume button.


You are presented with a choice between three options. The first is to create an encrypted file container, the second is to create an encrypted non-system partition and the third is to encrypt a system partition. Select the first option, Create an encrypted file container, and click on Next.


Now you can choose between creating a standard encrypted volume and a hidden encrypted volume (we will explain that later). Click on the first option, Standard TrueCrypt volume, and then click on Next.


You must now choose the location where you want to create your encrypted volume. It can be located in a folder on your computer’s hard disk, in an external storage device (such as a USB flash drive, an external disk drive or NAS device) or in an online storage device. Click on Select File to choose a location.


In the file selector window that opens, choose a location and give a file name to the volume you are going to create (you may, if you want, give it an explicit name such as “My Photos.tc” or “Encrypted Data.tc”). Then click on Save.


The file name and full path you have chosen are displayed in the Volume Location field. Click on Next.


In the next window, choose AES, the default encryption algorithm.
After selecting the encryption algorithm, there is a second choice, the hash algorithm. TrueCrypt uses the hash to transform your password into the key material that protects the volume; the transformation is one-way, so the key cannot be turned back into the password. If you don’t know which to choose, select SHA-512 (also used by US governmental organizations). After making your choice, click on Next.
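To make the role of the hash choice concrete, here is an added example (not code from the tutorial or from TrueCrypt itself) that stretches a password into key material with PBKDF2-HMAC over a chosen hash, which is the kind of one-way derivation TrueCrypt performs with the hash you select. The fixed salt and the iteration count are demonstration values chosen so the output is reproducible; they are assumptions, not the parameters of the TrueCrypt header format. The example shows that the same password always gives the same key (so the volume can be reopened), that changing a single character produces an unrelated key, and that accented characters are rejected, as the tutorial notes later.

```python
import hashlib

# Constructed demonstration values. TrueCrypt stores a random salt in the
# volume header; this fixed salt exists only so the output is reproducible.
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff" * 4)  # 64 bytes
DEMO_ITERATIONS = 1000  # illustrative count, not copied from the TrueCrypt header spec


def derive_header_key(password: str, hash_name: str = "sha512",
                      salt: bytes = DEMO_SALT,
                      iterations: int = DEMO_ITERATIONS,
                      key_len: int = 64) -> bytes:
    """Stretch a password into key material with PBKDF2-HMAC over `hash_name`.

    Same password + same salt + same hash always gives the same key, but the
    key cannot be turned back into the password (the derivation is one-way).
    """
    if not password.isascii():
        raise ValueError("accented or non-ASCII characters are not allowed")
    return hashlib.pbkdf2_hmac(hash_name, password.encode("ascii"),
                               salt, iterations, key_len)


def accepts_password(password: str) -> bool:
    """True if derive_header_key would accept this password."""
    try:
        derive_header_key(password)
    except ValueError:
        return False
    return True


def bit_difference(a: bytes, b: bytes) -> float:
    """Fraction of bit positions in which two equal-length keys differ."""
    assert len(a) == len(b)
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


if __name__ == "__main__":
    pw = "Correct horse battery staple 1977"        # constructed sample password
    k1 = derive_header_key(pw)
    k2 = derive_header_key(pw.replace("1977", "1978"))  # one character changed
    k3 = derive_header_key(pw, hash_name="sha256")       # other hash, same password
    print("SHA-512 key:", k1.hex()[:32], "...")
    print("one char changed -> %.0f%% of bits differ" % (100 * bit_difference(k1, k2)))
    print("SHA-256 instead  -> %.0f%% of bits differ" % (100 * bit_difference(k1, k3)))
```

Roughly half of the key bits change whenever the password, the salt or the hash changes, which is why an attacker who obtains the volume header learns nothing about the password beyond what brute force over the password space yields; a long password is what makes that search impractical.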


Specify the size of the volume you want to create. The sizes are expressed in KB, MB and GB, the abbreviations of kilobyte, megabyte and gigabyte (1 GB = 1,000 MB = 1,000,000 KB). If you are not sure how much space you need, here are some average file sizes:

  • A Word file: 200 KB
  • A photo (taken with a camera): 1 MB
  • A sound file (MP3): 4 MB
  • A film (encoded in DivX): 700 MB.

Nowadays, the hard drive capacity of the average laptop ranges from 160 GB to 320 GB, while USB flash drives range from 2 GB to 16 GB in size. After specifying the size of your volume, click on Next.


You must now set the password that you will use to encrypt and decrypt your data. You are advised to choose one with at least 20 characters. You can choose a phrase that will be easier for you to remember, or you can use a random sequence of characters (which is harder to crack). If you opt for a phrase, it should not be a known one (such as a quote, a line from a film or a song title).


TrueCrypt does not let you use accented letters (such as é à ï ô or ù) in a password. If you want a phrase with accented letters as your password, use the non-accented equivalents. You can use symbols and punctuation marks to make the password more difficult. After choosing your password, click on Next.
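The password rules from the last few paragraphs (at least 20 characters, no accented letters, not a well-known phrase, enough variety) can be turned into a checker you run before you commit to a password. The following is an added example, not code from the tutorial or from TrueCrypt: the blocklist of known phrases is a small constructed sample, the 80-bit minimum for the naive strength estimate is an assumption of this example, and `strip_accents` shows how to produce the non-accented equivalents the tutorial recommends.

```python
import math
import string
import unicodedata

# Constructed blocklist for the demonstration. A real checker would load a
# much larger list of quotes, film lines, lyrics and song titles.
KNOWN_PHRASES = {
    "to be or not to be",
    "may the force be with you",
    "correct horse battery staple",
    "i will be back",
}
MIN_LENGTH = 20   # the tutorial's advice: at least 20 characters
MIN_BITS = 80     # assumed threshold for the naive strength estimate below


def strip_accents(text: str) -> str:
    """Replace accented letters with their non-accented equivalents (é -> e, Ç -> C)."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def _normalize(text: str) -> str:
    """Lower-case, de-accent, drop punctuation and digits, collapse spaces."""
    letters = (ch if ch.isalpha() or ch.isspace() else " "
               for ch in strip_accents(text).lower())
    return " ".join("".join(letters).split())


def estimate_bits(password: str) -> float:
    """Naive strength estimate: length * log2(size of the character classes used).

    This counts variety only; it does not detect repetition or patterns, which
    is why the known-phrase and length rules are applied separately.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation or c == " " for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str) -> list:
    """Return the list of tutorial rules the password breaks (empty = acceptable)."""
    problems = []
    if not password.isascii():
        problems.append("contains accented or non-ASCII characters (use the non-accented equivalents)")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    norm = _normalize(password)
    if any(phrase in norm for phrase in KNOWN_PHRASES):
        problems.append("is, or contains, a well-known phrase")
    if estimate_bits(password) < MIN_BITS:
        problems.append("too little variety for its length (estimated under %d bits)" % MIN_BITS)
    return problems


if __name__ == "__main__":
    for candidate in ["Ça dépend du vent d'été 1977",        # constructed samples
                      strip_accents("Ça dépend du vent d'été 1977"),
                      "May the force be with you, Luke 1977!",
                      "12345678901234567890"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Running the block shows the accented phrase being rejected, its de-accented form passing, a phrase built on a famous film line being caught even with extra words and punctuation around it, and a 20-digit string failing the variety estimate despite meeting the length rule.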


Optional: this window only appears if you chose to create a volume larger than 4,096 MB (4 GB). The FAT32 file system cannot hold a single file larger than 4,096 MB. If you need to store bigger files, choose Microsoft’s NTFS format. If you have limited understanding of computers, select No. Then click on Next.


The TrueCrypt container is now going to be created. If you don’t know what the options in this screen refer to, keep the defaults. We advise even experienced users against checking the Dynamic option. It allows the TrueCrypt volume to grow dynamically (according to storage needs), but it poses a security problem inasmuch as it lets any attacker know the real size of the stored data, and it undermines the plausible deniability of a hidden volume. You are now going to format the volume. The programme fills the container’s unused space with random data. Click on Format to start the formatting.
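A dynamic TrueCrypt container is stored as a sparse file: its apparent size is the full volume size, but the filesystem only allocates blocks for the parts that have actually been written, so the allocated size tracks how much data is in the volume. A normally formatted container is fully written with random data and gives that away nothing. The following added example (not code from the tutorial or from TrueCrypt) creates one file of each kind in a temporary directory and compares apparent size with allocated blocks, which is the check a user can run on a container file to confirm it is not sparse. It relies on `os.stat` reporting `st_blocks` (Linux and other Unix systems; Windows does not expose it); the file names and sizes are constructed for the demonstration.

```python
import os
import tempfile

BLOCK = 512  # st_blocks is counted in 512-byte units regardless of filesystem block size


def allocation_ratio(path: str) -> float:
    """Fraction of a file's apparent size that is actually backed by disk blocks.

    A container formatted the normal way is ~1.0: every byte was written with
    random data. A sparse (dynamic) container reports only the blocks that
    hold written data, so the ratio reveals how much has been stored in it.
    """
    st = os.stat(path)
    if st.st_size == 0:
        return 1.0
    blocks = getattr(st, "st_blocks", None)
    if blocks is None:  # e.g. Windows: os.stat does not expose block counts
        raise OSError("block allocation is not reported on this platform")
    return min(1.0, blocks * BLOCK / st.st_size)


def looks_fully_allocated(path: str, tolerance: float = 0.95) -> bool:
    """True if the file has (almost) every byte backed by allocated storage."""
    return allocation_ratio(path) >= tolerance


def write_filled(path: str, size: int, chunk: int = 1 << 20) -> None:
    """Mimic a normal format: fill every byte with random data, then sync to disk."""
    with open(path, "wb") as f:
        remaining = size
        while remaining:
            n = min(chunk, remaining)
            f.write(os.urandom(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def write_sparse(path: str, size: int) -> None:
    """Mimic a dynamic container: declare the size but allocate nothing yet."""
    with open(path, "wb") as f:
        f.truncate(size)


def demo(filled_size: int = 2 << 20, sparse_size: int = 64 << 20):
    """Create one container of each kind and return (filled_ratio, sparse_ratio)."""
    with tempfile.TemporaryDirectory() as d:
        filled = os.path.join(d, "normal.tc")    # constructed file names
        sparse = os.path.join(d, "dynamic.tc")
        write_filled(filled, filled_size)
        write_sparse(sparse, sparse_size)
        return allocation_ratio(filled), allocation_ratio(sparse)


if __name__ == "__main__":
    normal, dynamic = demo()
    print("normal container : %.2f of its size allocated" % normal)
    print("dynamic container: %.2f of its size allocated" % dynamic)
```

The sparse file reports close to zero allocated blocks until data is written into it, which is exactly the information a dynamic volume leaks about its contents; `looks_fully_allocated` is the one-line check to run on a real container after formatting.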


This can take a long time, depending on the size of the volume, the speed of the processor and the performance characteristics of the medium in which it is being created.


Congratulations. You have just created your encrypted volume. To finish, click on Exit.


Opening the encrypted volume

To access your data, click on Select file.


Select the encrypted volume where it has been saved and then click on Open.


You can also access the encrypted volume by double-clicking on it in File Explorer.


Your encrypted volume’s filename and path appear in the Volume field. From the list of virtual drive letters, select the drive letter that you will use to access your encrypted data (usually the first one will do). Click on the Mount button.


Enter the password you set when you created the TrueCrypt volume and then click on OK.


The encrypted volume is now “mounted” as a standard drive that is accessible from within File Explorer. You can now access the content of your encrypted volume directly from within File Explorer by double-clicking on the drive with the letter you chose, or by clicking on the drive and selecting Open.


Using the encrypted volume

We are going to encrypt a file on our hard disk: a photo. It is currently in the Pictures folder. After selecting it, we “cut” it so that it will no longer be available in unencrypted form in its original position.


Once we are located in the mounted TrueCrypt volume, we “paste” it. It is now safely in our encrypted volume. Our image and all the files that we henceforth move to this volume will automatically be encrypted. The password that was set when the volume was created will be necessary to access them.


Once the files have been moved to the digital safe (the mounted TrueCrypt volume), it must be closed again by means of an operation called “dismounting.” (It is automatically closed if the computer is turned off.) To do this, select the volume in the list and then click on the Dismount button. You can also just click on the Dismount all button.


TrueCrypt and plausible deniability

TrueCrypt offers the possibility of creating a hidden volume for the eventuality that you are forced to surrender your password. It works on the principle of a bag with a false bottom or, in cryptography, plausible deniability.

Instead of creating a single encrypted volume, you can use TrueCrypt to create two, an outer volume and a hidden second volume within it. Each volume opens with a different password. The outer one is just a decoy. The really confidential data is inside the inner volume. Even if you reveal the password to the outer volume, it will not provide access to the inner volume, whose existence cannot be detected. It is impossible to know if space encrypted by TrueCrypt contains one or two volumes.

To create a hidden volume, start as you would for creating a regular volume:

Click on the Create Volume button


Select Create an encrypted file container and then click on Next.


You now have the choice between creating a Standard TrueCrypt volume and a Hidden TrueCrypt volume. Click on the latter and then click on Next.


The procedure is much the same as the one described earlier, except that you create two volumes, first the outer one and then the hidden inner one, each with a different password.

There are several drawbacks to using a hidden volume:

  • It results in a loss of storage space
  • You have to remember an additional password
  • If you created the hidden volume some time ago and have not touched the partition since, an adversary who knows what to look for may be alerted to its existence by the date a file was last modified.

There are other ways to conceal data. It is possible, for example, to conceal a TrueCrypt container within video files. This is less easy to execute but offers better camouflage.

Original article published here: http://wiki.korben.info/truecrypt (in French).