Using TrueCrypt to Encrypt Your Entire Hard Drive

If you’re as paranoid as I am, you more than likely appreciate the advancements that the TrueCrypt team has made with version 5.0. For me, the greatest thing they did was making whole disk encryption dead simple. Here’s how you do it.

Getting Started

  1. First you will need to visit the TrueCrypt site and download and install it on your system. I’m going to be using Windows XP for my demonstration, but they have since released very good and stable versions for Mac OS X and Linux.
  2. Next, go ahead and open the main window by clicking on the TrueCrypt logo in the system tray. The window should look like this.

Setting Up the Encryption Settings

  1. Click the ‘Create Volume’ button.
  2. On the next window, choose the radio button next to ‘Encrypt the system partition or entire system drive’.
  3. You now have the option to ‘Encrypt the Windows system partition’ or ‘Encrypt the whole drive’. We will be choosing the latter for this example.
  4. On the next screen you can choose ‘Single Boot’ or ‘Multi-Boot’. More than likely you are only running one OS on your computer, so we will choose Single Boot.
  5. Now you can choose the encryption settings. Unless you really know what you are doing, the default settings are fine. AES is an incredibly powerful encryption algorithm and should be all you need. I would also leave the Hash Algorithm at RIPEMD-160.
  6. Next you will need to create a password. Depending on how paranoid you are, you should choose a passphrase close to 20 characters in length. I would also recommend using Steve Gibson’s Perfect Passwords Generator to make sure you create a completely unique phrase.
  7. Next you will need to move your mouse around the TrueCrypt window to create randomized data. This is fairly important, so spend a minute or two moving your mouse to make sure you really randomize things.
  8. The next window should simply be showing you the keys that were generated for you. You can simply click next here.

Creating the Rescue Disk

  1. The next step is to create what TrueCrypt calls the ‘Rescue Disk’. This disk is used if the boot loader or Windows becomes corrupt or infected with malware, so you will always have a way to decrypt the system. This step is extremely important, and TC will not let you proceed until it is satisfied that you did everything correctly. Begin by clicking the ‘Browse’ button. This will bring up a dialog box. Browse to your desktop and name the file something like rescueDisk.iso. IMPORTANT: remember to append the .iso or your file will not work correctly.
  2. You should now see a window telling you the file was created successfully. It’s now time to burn the newly created .iso file to a CD. I strongly recommend using ImgBurn. If for some reason that doesn’t work, you can use something like CD Burner XP Pro. Click ‘Next’.
  3. Make sure you have a blank CD in your drive and open ImgBurn. Click on ‘Write image file to disc’
  4. Next click on the ‘Browse for a file’ button
  5. Finally click the giant ‘Write’ button towards the bottom
  6. After you have the disc burned, leave it in the drive and click ‘Next’ in the TrueCrypt window
  7. If all went well you will be notified that the Rescue Disk was successfully verified

Pretest and Installing the Bootloader

  1. You can choose to wipe the drive to really give you an incredibly secure hard drive, or just choose none if you aren’t storing government secrets on your computer (not that the government is intelligent enough to encrypt hard drives).
  2. Next TC will begin the pretest to make sure everything is in working order before it begins the encryption process. This will also install the TrueCrypt boot loader on the boot sector of your hard drive. This is a major reason why this encryption is so great. There is virtually no way to boot into the Windows file system without having the decryption key. Click ‘Test’.
    A friendly warning:)
  3. After TC runs a few things you will be presented with a window to restart. Click ‘Yes’.
  4. After the computer boots back up, you should see a black and white screen. Enter the passphrase you created earlier.
  5. If all went well you will now see a new dialog box saying the pretest was completed successfully.
  6. Click ‘OK’ on the Rescue Disk information window

Finally! Encrypting the Drive

  1. Whew! If you’ve made it this far, congratulations! We are now ready to encrypt the drive. You should see a window similar to the one below. Simply click the ‘Encrypt’ button and depending on your wipe mode and your encryption algorithms, go have a cup of coffee or go to sleep and let it run overnight.
  2. When everything is done, you should see this

In Closing

If you were able to get through this tutorial, you should now feel much safer with your data knowing it’s now gone from incredibly insecure, to even the DOD or NSA would have trouble getting in (unless of course there was water boarding involved).

This is really helpful if you travel a lot and carry a laptop all the time. If something were to happen and it gets lost or stolen, yes, you lose the data but at least whoever has it can’t get it either. Of course this means we need some training in the art of backing up;)

  • Dave

    I have encrypted my entire hard drive with TC. Now Windows does not start anymore and I want to decrypt the entire drive to access it with another system. Unfortunately my rescue disc is not accessible at the moment. Can I just create another rescue disc with a different computer system and use this to permanently decrypt the drive of the system that does not start anymore? Or will this method destroy my encrypted disc entirely?

  • http://www.facebook.com/dumdarweep Hi Lowe

    Bad news and good news (maybe).  The key you type into truecrypt is really a key to a key.  The key you type in unlocks the key file on the drive which then decrypts the fully encrypted drive as it reads it.  If your problem is with your computer and not a physical problem with the hard drive, you can put the drive into another computer and it should at least boot to the truecrypt screen and ask for a password, at which point you can type it in.  That’s the good news.  The bad news is, no, you cannot make another rescue disk, but you really should not need the rescue disk.  It is extremely rare that the key file on the drive becomes corrupted such that you even need the rescue disk.
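
The "key to a key" arrangement described in the comment above, as an added sketch that is not part of the original post and is not TrueCrypt's code: a key derived from the passphrase unwraps a random master key stored in a header, which is why a header backup made at setup still opens the drive, but only with the passphrase that was current when the backup was made. The function names, the simplified header layout, PBKDF2-HMAC-SHA512 (the tutorial's default hash is RIPEMD-160) and the HMAC keystream standing in for AES are assumptions chosen so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

MAGIC = b"TRUE"      # known marker: proves the header decrypted correctly
SALT_LEN = 64
ITERATIONS = 10_000  # constructed value, kept low so the example runs quickly

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 keystream); a real product uses AES here."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def _header_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, ITERATIONS, 32)

def make_header(passphrase: str, master_key: bytes) -> bytes:
    """Wrap the master key under a key derived from the passphrase."""
    salt = os.urandom(SALT_LEN)
    return salt + _xor_stream(_header_key(passphrase, salt), MAGIC + master_key)

def open_header(passphrase: str, header: bytes):
    """Return the master key, or None if the passphrase or header is wrong."""
    salt, body = header[:SALT_LEN], header[SALT_LEN:]
    plain = _xor_stream(_header_key(passphrase, salt), body)
    return plain[len(MAGIC):] if plain[:len(MAGIC)] == MAGIC else None

def demo() -> dict:
    master_key = os.urandom(64)                    # the key that encrypts the sectors
    header = make_header("old passphrase", master_key)
    rescue_copy = header                           # header backup made at setup
    damaged = bytes(16) + header[16:]              # bad sector lands on the header
    rewrapped = make_header("new passphrase", master_key)  # passphrase change
    other_install = make_header("old passphrase", os.urandom(64))
    return {
        "wrong_passphrase_rejected": open_header("guess", header) is None,
        "damaged_header_rejected": open_header("old passphrase", damaged) is None,
        "backup_restores_key": open_header("old passphrase", rescue_copy) == master_key,
        "changed_passphrase_keeps_key": open_header("new passphrase", rewrapped) == master_key,
        "old_passphrase_rejected_on_disk": open_header("old passphrase", rewrapped) is None,
        "other_install_key_differs": open_header("old passphrase", other_install) != master_key,
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Because the old backup keeps working with the old passphrase, a rescue disk made before a passphrase change should be replaced and the old copy destroyed.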

  • Possltd2

    Please help me! I have 2 hard drives, each 160GB, that I use for my netbook by sliding each one in the hard-drive bay. I encrypted the whole hard drive that has Windows 7, and everything worked fine for 2 months until I did this. My netbook was in sleep mode with the Win 7 non-encrypted hard drive. I took out the hard drive, installed the encrypted one and pressed the power key… A blue screen came on and I knew what I did wrong, so I turned off the power and restarted the computer; now there was an error loading. What should I do? Thanks

  • Mike

    Dear Randy,

    I would like to ask if I can re-encrypt my HDD. I created a hidden volume and
    now I want to have the whole HDD encrypted without a hidden volume.
    Do I need to reformat it first (fast or full format), or can I just encrypt it as
    usual, as it will overwrite the previous encryption?

    Thank you for your help in advance.

    Mike

  • Mike

    Dear Randy,

    I forgot to add. The encrypted HDD is a 500 GB external USB drive (non-system, just storage). Hidden volume is about 230GB (that was the max allowed).

    Thanks.

  • Jfackler

    I tried to encrypt my entire external drive and it worked fine up until 99.225%.  Then it said that there are bad sectors on the drive.  I have tried several times to have TC write zeros to those sectors to no avail.  TC will not finish the encryption due to bad sectors and therefore I cannot mount to decrypt or unencrypt the device.  It is a 500gb LaCie HD.  It shows up as drive N: and says 0 bytes for used and free space.  Windows wants me to format the drive but I do not want to lose the 300gb worth of data on it.  Is there any way to recover the data that has already been encrypted without formatting the drive or finishing the encryption process?

  • Jfackler

    Also, can the encryption process be finished/reversed on a different PC (laptop), as I will be traveling soon and TC was started on my desktop PC?

  • Uchenskoya

    So can Passware crack or bypass TrueCrypt’s security?

  • Sinkhole000+randyjensenonline

    First of all, thank you for a nice tutorial.  I use TC extensively and like it a lot.
    Recently I had my computer stolen, and it made me think more about encryption and physical security.
    I know this was written back in 2008, but I just want to mention some physical attack methods out there that could potentially compromise full drive encryption.  Don’t get me wrong, TC in my opinion is still one of the best drive encryption software out there.  However, do not let this sense of security affect your judgement about the physical security of your computer in any way.

    Anyway, two methods that I came across are Evil Maid and Cold Boot Attack.  As far as I know these are physical attack methods that require someone who has physical access to your computer.

    Info on Evil Maid here:
    http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html

    Info on Cold Boot Attack can be found here:
    https://citp.princeton.edu/research/memory/ 

  • Aman

    Thanks, so helpful

  • bibicadrx

    Hello,

    I have a question. I have encrypted all my HDD, which includes C: and D:. Now I have formatted my laptop, but only C:, and I installed TrueCrypt back, but I can’t access D:

    Can anyone help me ? Just tell me if I lost everything on D: after I formatted my C:

    Thank you !

  • Jason

    The way I see it is as you are using a laptop. D:/ is partitioned onto the same hard drive as C:/ so when you formatted the hard drive, all partitions under it will be formatted. C:/ and D:/ included. So the D:/ you may be trying to access may not be the same one you encrypted.

    It’s hard to say really, there isn’t a great deal of info to go by. But that would be my guess.

  • DragonFartOutLoud

    “If you were able to get through this tutorial, you should now feel much
    safer with your data knowing it’s now gone from incredibly insecure, to
    even the DOD or NSA would have trouble getting in (unless of course
    there was water boarding involved).”
    LMAOF!

  • service

    I have used TrueCrypt to create a hidden operating system. Is it possible to copy a file from the hidden OS to an HD or USB flash disk? Now the software says to me: “this hd is read-only”.

    Moving a file from the decoy OS to the hidden OS is simple, but I don’t know how to move a file from the hidden OS to the decoy OS.

  • Alexandru Stan

    Hello and thank you. Now I saw your answer. Sorry for my late response.

    I wasn’t able to recover D: but I formatted once in the past C: and I had the whole hdd encrypted with truecrypt. After format I installed truecrypt and I was able to view D: with my old password and worked. That’s why I did the recent format and I was sure I won’t lose D:. Anyway thanks for your help :)

  • Alexandru Stan

    I forgot the pass for bibicadrx but I login with my facebook :)

  • Shoana Leigh

    So… I encrypted my partition after I formatted and reinstalled an OS (Windows7). All this was done and working (restarting, etc.) perfectly before I started the encryption.

    I had run through the steps posted above, and yes, I made it through – as per your post – however;
    “tricky hobitses”

    The laptop (Compaq Presario CQ56), on pressing the on button, starts (lights flash as per normal), a blank black screen and blinking cursor appear, and then the COMPAQ “Q” splash screen appears and stays (it seems to freeze here).

    Timeline
    pushing the on button
    3seconds for blank screen to appear
    4seconds for the splash screen

    freezing seems to take place between 4-5seconds.
    Meaning pressing the del, F2, F11 only works within this second, but then freezes before entering any startup check, startup, bios or recovery.
    The only reason you see that you have selected something different is that the message on the splash screen (bottom left) changes.

    So…
    I am stuck.
    - Assuming I “should have turned off the splash screen” is a silly reason for it to have frozen, but completely possibly why it has.
    - That the partition is encrypted and so I cannot access any menus to choose different options to start with, e.g. the rescue disc
    - The laptop only responds within a 1second timeline, but freezes anyway

    How screwed am I?
    How would I be able to re-format the partition? (I would not be losing any data as there was no data to start off with, as the system is newly formatted.)
    Can someone slap me on the wrist for doing this and tell me there is a solution.
    :( Thanks