February 14, 2007

Filesystem encryption in mixed environments with TrueCrypt

Author: Anze Vidmar

If you want to encrypt your sensitive files so that no one can access them without your personal password or decryption key, you have several options. But if you want a free, cross-platform, open source encryption application, try TrueCrypt.

TrueCrypt encrypts and decrypts files on the fly, as they are loaded or saved, without user intervention. TrueCrypt can encrypt files and store them in a container file that acts as a virtual disk, or make an entire partitions or disk into an encrypted volume in both Microsoft and Linux. The software depends on a personal password or key that you create when configuring a TrueCrypt volume. Without this key, no data on an encrypted volume can be read (not even offline).

Before you get started, consider some precautions you need to be aware of:

  • There is a chance that Windows will write the opened cache file in a page file, rather than in RAM, thus exposing your data or key.
  • Avoid using hibernation when using TrueCrypt because at hibernation time the unsaved data is written to hard disk.
  • Content of a mounted TrueCrypt volume is visible (accessible) to all of a system's logged on users.

If those don't deter you, download the software. TrueCrypt offers binary packages for Fedora, openSUSE, and Ubuntu distributions. Detailed setup instructions can be found on TrueCrypt's Beginner's guide page. I tested the TrueCrypt under Ubuntu 6.10 system.

When you're done installing it's time to create and configure a TrueCrypt volume using a simple command-line tool called truecrypt. You can see the command's options by typing truecrypt without any additional options. For a detailed help, use --help, see the man page, or visit the TrueCrypt documentation page.

Let's say you want to create a password-protected TrueCrypt volume on the first partition of your second drive (/dev/hdb1). Start the configuration procedure by entering the following command in the shell, and prepare yourself for eight simple questions:

sudo truecrypt --create /dev/hdb1

You'll be asked to choose whether this will be a normal or a hidden partition. Hidden partitions allow you to hide encrypted volumes, in case you have to reveal your password or someone gets ahold of it. For non-paranoid people I suggest accepting the default choice -- a normal partition.

Next, choose the filesystem type. The default is FAT. You can reformat the filesystem later, so go ahead and choose the default.

In the third step you are asked to choose the hash algorithm you want to use for your encryption type. The default selection (RIPEMD-160) is good enough, but you can study the difference between the algorithms.

In the next step you are asked to choose the encryption algorithm. You have quite a few options, from 128-bit to 256-bit algorithms. Study the differences, but you can be comfortable with the default (AES) algorithm, which provides a 256-bit key.

Next, enter a personal password for accessing the volume. Make sure you choose a password that you won't forget, or you'll have no way to recover the data on the encrypted volume.

In the next step, you can specify a keyfile location, if you want to use one instead of a password. If you're planning to use TrueCrypt volumes for personal use, and only you will ever be authorized to access the files, just use a password.

In the last step, you need to generate at least 320 randomly chosen characters. If you have a mouse connected to the computer, you can move the mouse around to generate the characters. Otherwise, you'll have to type the characters by hand. This step is important for the quality of the encryption key -- the longer you move the mouse, stronger the key will be.

Finally, TrueCrypt will create the volume. Depending on your volume size, this might take a few minutes. When it's done, you'll be notified, and you can start using the volume.

Before you can start copying sensitive data on your newly created TrueCrypt volume, you need to mount it first, using a command like:

sudo truecrypt /dev/hdb1 /mnt/
Enter password for '/dev/hdb1':

Once you type in your password, the new volume is mounted on /mnt, and you can copy, move, and create files on it just as you would on any other volume. When you're done with your sensitive files, unmount the volume so that other users who are logging on to your system can't see the volume content:

sudo truecrypt --dismount

TrueCrypt can be useful for securing data on a server or on a laptop that can boot both Windows and Linux. You can have a special partition on your disk that contains a TrueCrypt volume that holds your sensitive data, and it can be accessed from both Windows and Linux.


  • Security
Click Here!