Submitted by brian on Wed, 2008-02-06 17:03.
TrueCrypt 5 was released yesterday, the long-awaited (by some, anyway) version of the excellent TrueCrypt software. TrueCrypt allows you to encrypt sensitive data on your hard disk, like financial information, passwords, etc., and the best part is that it's free and open source.
In addition to the already great ability to encrypt regular files, TC5 now supports full disk encryption, which allows your entire disk, including the operating system, to be encrypted. This is especially relevant for laptops, which can easily be stolen. We've all heard the news about some government laptop with 1,000s of social security numbers on it getting stolen, and this feature of TC5 will go a long way in helping to prevent this type of data loss/theft.
You don't need to reinstall your system to get it working either. TC5 can take an existing installation and convert it to an encrypted volume on the fly, running in the background while you continue doing other stuff (though it's probably a bad idea to run a virus scan or disk defrag). Before running the conversion, make sure to back up all of your data! Anything that does this much to your disk has the potential to go wrong, so make sure you protect yourself.
Before embarking on a change this big, I like to see how it all works beforehand. So here's a walkthrough of how to encrypt your system drive:
- After downloading and installing TrueCrypt 5, run it and you will see the main window.
- Go to the System menu and select "Encrypt System Partition/Drive..."
- Then select the area of the drive you want to encrypt. You have the option to encrypt only the partition that Windows is installed upon, or you can encrypt the entire disk. Here I'm going to do the entire disk, because that is the default.
- Next TrueCrypt will detect hidden sectors on the disk.
- Then you need to tell TrueCrypt if you are dual booting with another operating system. I am not, so I'm choosing Single-Boot here.
- Next tell TC what encryption and hashing algorithm to use. The defaults are reasonable, and if you want to change them you'll have to make your own determination about which algorithms you think are best to use.
- Now you will be asked for the password to use when encrypting. It is extremely important to pick a good password. It would be even better if you were to use a "pass-phrase", which is more like a whole sentence. It's easier to remember and provides much better security than the name of your dog or your birthday. An example of a passphrase would be: "To be, or not to be, that is the question". See? Easy to remember and provides much better security than if you used a password like "password123". Also, replacing i's with 1's and o's with 0's does not make a password any more secure. You should make the pass-phrase at least 20 characters long, and remember which letters you made upper-case, because that matters.
- Next TC will generate the random data that it needs to properly encrypt the data. Move your mouse around and you'll see the numbers change. Do that for a few seconds, then press Next.
- Once the keys are generated, a confirmation is displayed.
- TC will now force you to create a "Rescue Disc" in case something bad happens. TC stores a lot of important information in the first sector of the hard disk, and if that gets corrupted, all of your data will be unrecoverable. The rescue disc keeps a copy of this data, and is also bootable, so if a problem ever were to occur, you can recover from it. It's this sort of thing that really makes TrueCrypt shine as a great tool -- you can see how much effort and thought has been put into it.
The Rescue Disc will be created as an ISO file, which you will have to burn to a CD or DVD using some burning software. ISO Recorder is a great free tool that will let you do this.
- Creating the ISO is now complete. Now go and burn the ISO to a CD. When you're done, put the CD in the drive and press "Next" so TrueCrypt can verify it was successful.
- If you really want to make sure all of your data is safe, you should wipe the disk in addition to encrypting it. This will ensure that there is no unencrypted data lying around on the disk. This may take a long time!
- Next TC will perform a pretest before it actually encrypts anything. This makes sure that your system can boot using the TrueCrypt boot loader, and just makes sure that everything will work correctly. If something goes wrong here, your data has not been encrypted, so you will be able to recover it.
- A warning is displayed before you can proceed.
- You will then be asked to restart the computer. Upon reboot, you will be presented with the TrueCrypt boot loader and password screen. Enter your pass-phrase and then the system will continue to boot normally.
- Once the system has booted, you will (hopefully) get a "Pretest Completed" message.
- The next step is to start the encryption (or you can press "Defer" and come back to do it later). First, another warning is displayed.
- Then the encryption will start. While the encryption is running, you can pause or stop it, and come back at a later time.
- Once it's done, you can reboot and enter your password. Then your system should start up as usual.
One thing to note is that if you encrypt your system drive, hibernation will be disabled. There are various reasons for this, and hopefully the issues will be overcome in future versions of TrueCrypt. For now, if you use hibernation, you may want to wait until that is resolved.

Update: As of version 5.1, this issue has been resolved and you can now hibernate when using full disk encryption.
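The pass-phrase step in the walkthrough advises at least 20 characters and notes that replacing i's with 1's and o's with 0's adds no real security. The Python code below is an added example, not part of the original post: it undoes such substitutions before a dictionary check and counts how few bits they can add. The wordlist is constructed, and the 3/@/$ substitutions, function names and finding codes are assumptions that go beyond the two swaps the post names.

```python
# Added example: audits a candidate against the post's pass-phrase advice.
LEET = {"1": "i", "0": "o",            # substitutions the post names
        "3": "e", "@": "a", "$": "s"}  # assumed extras for this example
SUBSTITUTABLE = set(LEET.values())

# Constructed sample wordlist; a real audit would load a much larger one.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "admin"}

MIN_LENGTH = 20  # minimum pass-phrase length the post recommends


def base_forms(candidate):
    """Lowercase, optionally drop a trailing digit run, undo substitutions."""
    lowered = candidate.lower()
    forms = {lowered, lowered.rstrip("0123456789")}
    return {"".join(LEET.get(ch, ch) for ch in form) for form in forms}


def leet_bits(word):
    """Upper bound on bits gained by optionally swapping each letter.

    Every substitutable letter doubles the spellings a guesser must try,
    so the gain is one bit per such letter, never more.
    """
    return sum(1 for ch in word.lower() if ch in SUBSTITUTABLE)


def audit(candidate):
    """Return a list of finding codes; an empty list means no finding."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append("too_short")
    if base_forms(candidate) & COMMON_WORDS:
        findings.append("dictionary_word")
    return findings


if __name__ == "__main__":
    for sample in ("password123", "passw0rd123",
                   "To be, or not to be, that is the question"):
        print(repr(sample), audit(sample))
    # "password" has a, s, s, o: at most 4 extra bits from substitutions,
    # less than one extra random lowercase letter (log2(26) is about 4.7).
    print("leet bits for 'password':", leet_bits("password"))
```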