
How to Install and Configure TrueCrypt Disk Encryption - Part 2

In Part 1 (Issue 39 – August 1, 2008), I promised to show you how to use TrueCrypt, the free open source encryption program, to encrypt an entire drive. (If you haven't read that issue, please do so now, as this article assumes you've already installed TrueCrypt.) Data breaches caused by lost or stolen USB flash drives seem to be the latest trend (see below). So, rather than showing you how to encrypt a hard drive, I'm going to show you how to encrypt a USB flash drive so that anything you store on it will be unreadable to anyone but you (or someone who has the passphrase). I'll cover full-drive encryption on hard drives in Part 3.

TrueCrypt allows you to encrypt entire partitions, complete hard drives, or USB flash drives (which, after all, look like hard drives to the system). Most of you won't need to encrypt your PC's entire hard drive--a simple encrypted volume where you store your sensitive information is usually sufficient. For those who own laptops that have sensitive personal or business information on them, full-drive encryption is recommended. If you travel frequently with a laptop, then full-drive encryption is essential. Likewise, if you back up sensitive data to a USB flash drive, you'll want to encrypt the whole thing. Flash drives are small and easily lost or stolen; in fact, USB flash drives have been the cause of serious data breaches. The Privacy Rights Clearinghouse (PRC) states that over 93 million data records of U.S. residents have been exposed due to security breaches since February 2005. According to Beth Givens, Director of the PRC, “The latest trend to show up is the loss of memory sticks.”

Creating an encrypted USB flash drive is a little different from creating an encrypted hard drive because it has to be portable: i.e., the TrueCrypt program must reside on the flash drive. That way, no matter where you plug it in, you'll be able to open your files. Any flash drive should work, but be sure to copy any data off of it before you encrypt it because the procedure I'm about to give you will erase everything on the drive.

The first thing you need to do is locate the following three files: TrueCrypt Format.exe, TrueCrypt.exe, and truecrypt.sys. The easiest way to find them is to search your hard drive using "truecrypt*.*" as the search term.


Copy these to your flash drive. In my case, the drive letter was F:\.

[Screenshot: copy files to USB]

Now, run TrueCrypt Format.exe. Leave the default “Create a standard TrueCrypt volume” radio button selected, then click Next:

[Screenshot: TrueCrypt Format]

After you click Next, you'll see the device selection screen. Leave “Never save history” checked and click “Select File”:

[Screenshot: TrueCrypt volume location]

Navigate to your drive letter if necessary, enter the name you want for your encrypted volume in the filename box, and click Open:

[Screenshot: TrueCrypt volume name]

Note that your drive and filename are now shown as the volume location. Go ahead and read the information on the screen and click Next:

[Screenshot: TrueCrypt drive and filename]

The default Encryption Options are more than sufficient, but you can change them if you want. If you don't want to change them, just click Next:

[Screenshot: TrueCrypt encryption options]

Now, you'll specify the size for your encrypted volume. You need to leave the TrueCrypt files in unencrypted space. In version 6.0a, these files take up 1.48 MB on your drive. I recommend you set the volume size to 5 MB less than what TrueCrypt reports as free space. In my case, free space is 960.57 MB, so I'm going to specify my volume size as 955 MB. Click the “MB” radio button and enter your volume size in the box. Click Next:

[Screenshot: TrueCrypt volume size]

Now, you're going to enter a password. Read all of the information on the screen and note that 20 characters is recommended. You can check the “Display password” box to make it easy for you to enter your password. See How to Create Secure Passwords That You Can Safely Write Down (Issue 35 - March 15th, 2008) for some secure password tips. Another good article is How to Write Down Your Passwords and Not Worry About Someone Stealing Them at Ask the Geek. I recommend you write your password down or take a screen shot and store it in a safe place—if you forget your password, there's no way to recover your data. The password I entered is 34 characters, upper/lower case and special characters. Click Next.

[Screenshot: TrueCrypt volume password]

Now, you'll be prompted to select your file system. I chose the default, FAT, but you can also select NTFS if you wish (Mac and Linux users will have other options). Click the “Format” button:

[Screenshot: TrueCrypt volume format]

The screen will begin to change and will report the progress of the encryption. This may take a while, depending on the size of your drive. Just let it go until it's complete:

[Screenshot: TrueCrypt formatting the volume]

You'll see this report. Read it and click OK:

[Screenshot: TrueCrypt format completed]

At the next screen, click Exit and you've successfully created an encrypted flash drive volume.

[Screenshot: TrueCrypt volume created]

To use your new encrypted flash drive, just plug it into any USB port, open up the drive letter and double-click truecrypt.exe. Select any available drive letter and then click Select File:

[Screenshot: select any available drive letter]

Select the name of the volume you created:

[Screenshot: select your TrueCrypt volume]

Note the drive letter/file you selected and click Mount:

[Screenshot: mount your TrueCrypt volume]

Enter your password. Click “Display password” if it helps you to enter your password correctly. Click OK when you're done:

[Screenshot: enter your TrueCrypt password]

Your encrypted volume is now mounted and you can minimize TrueCrypt:

[Screenshot: your TrueCrypt volume is mounted]

Your mounted drive will show up in My Computer. The K:\ drive is the encrypted drive; F:\ is the unencrypted portion of the flash drive:

[Screenshot: the encrypted USB drive in My Computer]

Anything you store on the K:\ drive (or whatever drive letter you've chosen) will be encrypted.

When you're finished storing data, access the TrueCrypt screen again, select your encrypted drive letter, and click “Dismount”:

[Screenshot: dismount your TrueCrypt volume]

Once you've dismounted the drive, it's safe to remove it. A word of caution: Never try to remove the flash drive from the system until you've dismounted it—you can lose data or corrupt your encrypted volume.
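Because only the mounted volume (K:\ above) is encrypted, anything saved straight to the flash drive's own letter (F:\ above) stays readable. The following is an added example, not part of the original article or of TrueCrypt: a small Python audit of the unencrypted side of the drive that checks the three portable files are present, that the volume file looks like random data, and that no other files were left outside the volume. The volume name backup.tc, the stray file name, and the 7.9 entropy threshold are assumptions made for the illustration.

```python
import math
import os
import tempfile
from collections import Counter

# The three files the article copies to the unencrypted part of the drive.
PORTABLE_FILES = {"truecrypt format.exe", "truecrypt.exe", "truecrypt.sys"}

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy; encrypted data sits very close to 8.0 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def audit_flash_drive(root: str, container_name: str, sample: int = 65536) -> dict:
    """Inspect the unencrypted side of the flash drive (F:\\ in the article)."""
    missing = set(PORTABLE_FILES)
    container_ok = False
    stray = []  # files that sit outside the encrypted volume
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            at_root = folder == root
            if at_root and name.lower() in PORTABLE_FILES:
                missing.discard(name.lower())
            elif at_root and name.lower() == container_name.lower():
                # Heuristic only: high entropy is consistent with encryption.
                with open(path, "rb") as fh:
                    container_ok = entropy_bits_per_byte(fh.read(sample)) > 7.9
            else:
                stray.append(os.path.relpath(path, root))
    return {"missing_portable_files": sorted(missing),
            "container_looks_encrypted": container_ok,
            "unencrypted_files": sorted(stray)}

def demo() -> dict:
    """Constructed sample drive: two binaries, a random 'volume', one stray file."""
    root = tempfile.mkdtemp()
    for name in ("TrueCrypt Format.exe", "TrueCrypt.exe"):  # truecrypt.sys left out
        open(os.path.join(root, name), "wb").close()
    with open(os.path.join(root, "backup.tc"), "wb") as fh:  # hypothetical volume name
        fh.write(os.urandom(65536))
    with open(os.path.join(root, "taxes-2008.xls"), "w") as fh:
        fh.write("left outside the mounted volume")
    return audit_flash_drive(root, "backup.tc")

if __name__ == "__main__":
    print(demo())
```

On a real drive, call audit_flash_drive with the flash drive's letter and your volume's filename; any entry under unencrypted_files should be moved into the mounted volume.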

Ken Harthun is the Security Editor for Daves Computer Tips. He also writes about security issues for IT Knowledge Exchange and blogs on general Geek things at Ask the Geek. You can read more about Ken here.