This month's topic is TrueCrypt, a truly affordable hard drive, laptop and USB Drive encryption software for your business critical data.
Lost or stolen laptops are a privacy and security nightmare, especially for small to mid-size organizations that handle customer data and/or are bound to one of the numerous regulatory requirements. Smaller companies cannot afford the tangible and branding costs associated with breach notification or incident response. Encryption of data at rest or on mobile resources is a logistical nightmare for most businesses. Fortunately for them there is a free, open source laptop or software encryption option available in TrueCrypt.
TrueCrypt is no secret. It has been downloaded more than 10 million times, and that is all the proof that it is a worthy alternative for companies unwilling to shell out for some of the more expensive commercial products. TrueCrypt is not an enterprise product. It lacks the central management, key management, reporting, access control features and scalability of enterprise commercial products. But for small to mid-size companies, this is an ideal solution. Multiple users can share access to the encrypted data by presenting key-files in addition to their own passwords. You can create any number of key-files using TrueCrypt's built-in random number generator. While not necessarily enterprise-ready, TrueCrypt's use of cryptographic algorithms and encryption methodology is comparable to many of its commercial counterparts and may be easier to use.
The mode of operation TrueCrypt uses for encrypted partitions, drives and virtual volumes is XTS, XTS mode uses two independent keys, specifically, its own secret key, or so called "tweak key," that is independent from the primary encryption key. "Tweak" refers to a block cipher that can accept a second input (the tweak) in addition to its plain-text or cipher-text input. Encryption algorithms include AES, Serpent and Twofish, while ciphers can be cascaded, that is, used in combination--AES-Twofish, Serpent-Twofish-AES, etc. For example, a 128-bit block is first encrypted using Twofish (256-bit key), then with AES (256-bit key). the hash algorithms, which include RIPEMD-160, SHA-512 and Whirlpool, are utilized during volume creation, password changes and key-file generation. That is enough "geek speak" for now.
TrueCrypt supports Windows Vista, XP, MacOSX and Linux distros. Installation on Windows is as simple as downloading TrueCrypt, executing the installer, accepting the license, choosing the Install radio button, and accepting default options for the last step. You can utilize installers for Windows Vista/XP/2000, Mac OS X 10.4 and 10.5, and Linux OpenSUSE and Ubuntu. You could use operating system options like Vista/Server 2008's BitLocker or Mac OS X's FileVault to create encrypted volumes, partitions and disks, but TrueCrypt offers the benefit of being platform agnostic, where as you can mount a TrueCrypt volume on any supported OS. You can create two types of volumes: file-hosted (container) or partition/device-hosted. A file-hosted volume is simply a normal file that contains an entirely independent virtual disk device and can be maintained on any storage device. More simply, imagine it as a secure area on your hard drive or USB device for your business critical information. You can also utilize TrueCrypt to encrypt an entire partition or hard drive or USB thumb drive. Further, you can create TrueCrypt volumes as being Standard or Hidden. A Standard volume is a normal, visible volume; a Hidden volume is nestled within another TrueCrypt volume. Even if you reveal your password, it's invisible to a third party. The trick here is that free space on any TrueCrypt volume is always filled with random data when the volume is created. No part of the (dismounted) hidden volume can be distinguished from random data.
The TrueCrypt interface is simple and intuitive, allowing you to easily implement the encryption method of your choice. Before beginning, choose a location in your file system where you'd like to store your TrueCrypt volume(s) and create a new empty file. To create a file-hosted volume, just click the Create Volume button to launch the Volume Wizard in a separate window, select the Create a File Container radio button, and then decide between Standard and Hidden volume. Next, choose the empty file you created and answer "yes" when asked if you'd like to replace it with your newly created TrueCrypt volume. You'll then be presented with encryption options. The default options are AES for the encryption algorithm and RIPEMD-160 for the hash algorithm. Since we are extremely "paranoid", we prefer three ciphers in cascade, but there are performance impacts as you add more complex combinations. Using the TrueCrypt benchmark feature, you can determine an appropriate compromise between encryption and performance. You can now choose a hash algorithm. I really like SHA-512, which is slightly faster than Whirlpool and more secure than RIPEMD-160.
Next comes volume size. Besides the space you think you'll need, one consideration might be how portable it is. You might choose 3,9 MB for a 4 GB USB drive, as an example. Now, choose a strong password. TrueCrypt will grade you on the password, so this to me is the most important step (think pass-phrase). If you choose a password of fewer than 20 characters, you will be scolded for your "wimpiness" and reminded that it might be easily brute-forced. We recommend using key-files as well. In addition to allowing shared access, as discussed earlier, key-files provide protection against keystroke loggers and brute force attacks that might crack your password. Finally, choose your volume format (FAT, NTFS or none) and cluster size (up to 64 KB). You'll see the Random Pool in this window, representing the random number generator (RNG) used to generate the master encryption key; note the difference in entropy while your system is at rest versus moving your mouse rapidly. The more you move your mouse, thus creating more randomness (entropy) for the RNG, the stronger your key will be. And last, but not least. format the volume.
Once your volume is created, return to the primary interface, navigate to your newly created volume and mount it. You'll be prompted for your password and you'll also have the chance to select more advanced mount options, including mounting the volume as removable media. This option is important when you wish to prevent Windows from automatically creating the Recycled and/or System Volume Information folders on the volume (these folders are used by the Recycle Bin and System Restore facilities).
Now comes the "real cool" feature of TrueCrypt, Traveler Mode which runs from the USB drive itself. This feature allows for true portability and, should you choose this option, we recommend a minimum of a 8 GB USB 2.0 storage device. In Traveler Mode, TrueCrypt does not need to be installed on the operating system it is running on. If, heaven forbid, you choose to use a kiosk or cafe machine, this may prove quite useful. For a great example, let's say you travel with your data to your West Coast branch office, but leave your laptop behind. Traveler Mode allows you to plug the USB thumb drive you installed TrueCrypt on into a PC and directly run TrueCrypt from the thumb drive. TrueCrypt does not need to be installed on the PC. That is cool! The Traveler Mode creation process is also wizard-driven and simple to follow.
So, there you have it. Whether you choose to encrypt an entire drive, a disk partition or just a file-hosted container, you'll be glad you decided to use TrueCrypt. If you carry private or confidential company data, and/or personally identifiable information, TrueCrypt's robust methodology will protect it as long as you implement it properly and utilize strong password practices.
To find out more about TrueCrypt, go to the following site:
To view more articles:
or to inquire about an on-site presentation, please feel free to call me at 508-995-4933 or email me at email@example.com.
Until next time.....
Founder & Principal Consultant
Managing Your Security and Risk Needs
Got something to add? Send me email.
More Articles by Michael Desrosiers © 2011-03-20 Michael Desrosiers
It is the the duty of a Webmaster to allocate URIs which you will be able to stand by in 2 years, in 20 years, in 200 years. (Tim Berners-Lee)