Last week I wrote a post on how to encrypt entire hard drives with TrueCrypt. We all know how easy it is to have your laptop lost or stolen and how important it is to protect sensitive data. However, something that is even easier to lose and often has just as sensitive data on it is thumb drives. I know personally I’ve lost a couple of them over time.
Today we’re going to learn how to encrypt these drives to keep them from prying eyes.
Just a few things to get you prepared for the encryption process.
- Grab TrueCrypt if you don’t already have it.
- Make sure your thumb drive is plugged in and move everything on it to your desktop. This is important because TrueCrypt is going to format the drive during the encryption process.
- Open the main TrueCrypt window
Beginning the Encryption Process
During this phase, we will be getting the settings together so we can actually encrypt the drive.
- Click the ‘Create Volume‘ button on the main TrueCrypt window
- Choose the second radio button: Create a volume with a non-system partition/device
- At the next screen, leave the radio button on ‘Standard TrueCrypt Volume‘ (unless you know what you’re doing and want to get fancy:)
- Now click the button that says ‘Select Device‘
- Find your thumb drive in the list (you can tell by what drive letter it is mounted in Windows). For this tutorial, we are going to choose the ‘partition’ not the actual device (so in my case ‘\Device\Harddisc6\Partition1′)
If you get a warning after clicking ‘ok’, you can ignore it. It’s simply stating that you could also create an encrypted file on the device rather than encrypting the entire drive. Click Next
- I like to leave the Encrpytion and the Hash algorithms at their defaults, AES and RIPEMD-160 respectively. Feel free to play around if you know what you are doing.
- On the Volume Size screen, you won’t be able to do anything because we chose to encrypt the entire drive. Click ‘Next‘
- Create a passphrase on the next screen. Depending on how secure you want it to be, 20 characters is recommended. If nothing else, try to use symbols, caps, lowercase and numbers.
Starting the Encryption
Now, we will actually start the encryption process itself.
- Now you will need to move your mouse around the TrueCrypt window to create a unique pool of characters. This is important to the strength of the encryption keys TC will use.
- Once you are satisfied, click the ‘Format’ button. You will be presented with a box saying that all data will be lost NOT encrypted. If you followed along from the start, you’ve already moved all your data off the drive and this won’t be a problem and you can click ‘Yes‘
- TrueCrypt will now begin to encrypt the drive. Mine was only 128MB so it only took a few minutes. Your time will vary
- If everything went well, you should see a box saying the encryption was successful!
Mounting the Drive
The first thing you will probably notice is that Windows doesn’t recognize the drive like it normally did. You can click on the drive letter it assigns it, but it’s just going to ask you if you want to format it. Don’t! Here’s what you do.
- Make sure the drive is still plugged in and the main TrueCrypt window is open. Also, select a drive letter in the list, I highlighted ‘Y’
- Click the ‘Auto-Mount Devices‘ button. It’s going to ask you for the passphrase you created earlier, so enter that.
- Your drive should now be mounted as whatever letter you choose (in my case ‘Y’)
- Your drive will now be able to be accessed just like any other drive on your system!
There really isn’t much to encrypting your data with TrueCrypt, but that doesn’t diminish the need for strong encryption on all of our portable (and non-portable) devices. A couple of final notes:
- Make sure you ‘Dismount’ the thumb drive before pulling it out by selecting the volume in the main TrueCrypt window and clicking on the ‘Dismount’ button.
- Also remember that you need TrueCrypt installed on every computer you will be using your thumb drive one. Sounds like a no-brainer, but be aware if your IT department won’t allow you to install extra software on your work machines.
If you’re as paranoid as I am, you more than likely appreciate the advancements that the TrueCrypt team has made with version 5.0. For me, the greatest thing they did was making whole disk encryption dead simple. Here’s how you do it.
- First you will need to visit the TrueCrypt site and download and install it on your system. I’m going to be using Windows XP for my demonstration, but they have since released very good and stable version for Mac OSX and Linux.
- Next, go ahead and open the main window by clicking on the TrueCrypt logo in the system tray. The window should look like this
Setting Up the Encryption Settings
- Click the the ‘Create Volume ‘ button
- On the next window, choose the radio button next to ‘Encrypt the system partition or entire system drive ‘
- You now have the option to ‘Encrypt the Windows system partition’ or ‘Encrypt the whole drive ‘. We will be choosing the latter for this example.
- For the next screen you can choose ‘Single Boot ‘ or ‘Multi-Boot’. More than likely you are only running one OS on your computer, so we will choose Single Boot.
- Now you can choose the encryption settings. Unless you really know what you are doing, the default settings are fine. AES is an incredibly powerful encryption algorithm and should be all you need. I would also leave the Hash Algorithm at RIPEMD-160
- Next you will need to create a password. Depending on how paranoid you are, you should choose a passphrase close to 20 characters in length. I would also recommend using Steve Gibson’s Perfect Passwords Generator to make sure you create a completely unique phrase.
- Next you will need to move your mouse around the TrueCrypt window to create randomized data. This is fairly important, so spend a minute or two moving your mouse to make sure you really randomize things.
- The next window should simply be showing you the keys that were generated for you. You can simply click next here.
Creating the Rescue Disk
- The next step is to create what TrueCrypt calls the ‘Rescue Disk’. This disk will be used in case the boot loader or Windows become corrupt or infected with malware, yu will always have a way to decrypt the system. This step is extremely important, and TC will not let you proceed until it is satisfied that you did everything correctly. Begin by clicking the ‘Browse ‘ button. This will bring up a dialog box. Browse to your desktop and name the file something like rescueDisk.iso. IMPORTANT: remember to append the .iso or your file will not work correctly.
- You should now see a window telling you the file was created successfully. It’s now time to burn the newly created .iso file to a cd. I strongly recommend using ImgBurn . If for some reason that doesn’t work, you can use something like CD Burner XP Pro . Click next
- Make sure you have a blank CD in your drive and open ImgBurn. Click on ‘Write image file to disc’
- Next click on the ‘Browse for a file’ button
- Finally click the giant ‘Write’ button towards the bottom
- After you have the disc burned, leave it in the drive and click ‘Next’ in the TrueCrypt window
- If all went well you will be notified that the Rescue Disk was successfully verified
Pretest and Installing the Bootloader
- You can choose to wipe the drive to really give you an incredibly secure hard drive, or just choose none if you aren’t storing government secrets on your computer (not that the government is intelligent enough to encrypt hard drives).
- Next TC will begin the pretest to make sure everything is in working order before it begins the encryption process. This will also install the TrueCrypt boot loader on the boot sector of your hard drive. This is a major reason why this encryption is so great. There is virtually no way to boot into the Windows file system without having the decryption key. Click ‘Test ‘
A friendly warning:)
- After TC runs a few things you will be presented with a window to restart. Click ‘Yes ‘
- After the computer boots back up, you should see a black and white screen. Enter your passphrase you created earlier.
- If all went well you will now see a new dialog box saying the pretest was completed successfully.
- Click ‘OK’ on the Rescue Disk information window
Finally! Encrypting the Drive
- Whew! If you’ve made it this far, congratulations! We are now ready to encrypt the drive. You should see a window similar to the one below. Simply click the ‘Encrypt’ button and depending on your wipe mode and your encryption algorithms, go have a cup of coffee or go to sleep and let it run overnight.
- When everything is done, you should see this
If you were able to get through this tutorial, you should now feel much safer with your data knowing it’s now gone from incredibly insecure, to even the DOD or NSA would have trouble getting in (unless of course there was water boarding involved).
This is really helpful if you travel a lot and carry a laptop all the time. If something were to happen and it gets lost or stolen, yes, you lose the data but at least whoever has it can’t get it either. Of course this means we need some training in the art of backing up;)