By jeremy at 2008-12-15 15:24
On-the-fly Encryption with TrueCrypt
Let's face it - these days it’s almost a certainty that some information on your computer is not for public consumption. Be it your accounting data on a personal machine or valuable trade secrets on a corporate machine, for better or worse, computers are part of our daily lives. In many cases, the theft of that data could have serious repercussions. The situation is exacerbated by the fact that a greater and greater percentage of computers sold are laptops. Losing a laptop now has the potential to make national news and could even result in a costly lawsuit.
With this information in mind, it makes more and more sense to utilize some level of disk encryption on your machine. TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume. On-the-fly encryption means that data is automatically encrypted or decrypted right before it is saved or loaded, without any user intervention. No data stored on an encrypted volume can be read without the correct password/keyfile(s) or the correct encryption keys. All encryption is automatic, real-time and transparent. TrueCrypt is released under the TrueCrypt Collective License and runs on Linux, OS X and Windows. It can use AES, Serpent and Twofish as encryption algorithms and supports RIPEMD-160, SHA-512 and Whirlpool hashing. When used in “traveler” mode, it does not even have to be installed on the machine on which it is run.
The TrueCrypt download section contains binary packages for some popular Linux distributions. If your distribution does not have a package available, you’ll need to install from source. Further instructions for source installation can be found in the included Readme.txt. Note that to use TrueCrypt you’ll need to have the FUSE library available.
Once installed, the truecrypt binary supports both a graphical and a text user interface. It will run in graphical mode by default and automatically fall back to text mode if needed. You can use the -t flag to force text mode. TrueCrypt can either encrypt entire storage devices/partitions or create virtual file-hosted volumes. Be aware that if you encrypt an existing partition or device, all data already on it will be lost. To create a new volume from the GUI, select Tools->Volume Creation Wizard.
The first step of the wizard will ask if the volume should be standard or hidden. A hidden volume is basically a volume within another volume, and is one of the two ways TrueCrypt provides you with plausible deniability (the other is that it is impossible to identify a TrueCrypt volume). The next step is to select a file or device. In this example we’ll create a virtual file-based volume. Keep in mind the file can have any extension and location, so it is extremely easy to conceal. Next, you’ll need to pick a volume size. For this test we’ll create a 10M volume. You’ll now need to choose the encryption algorithm and hash algorithm. The defaults are acceptable in most cases. Finally, you need to create a volume password using the guidelines given by the wizard. The volume will then be created and formatted. Now that the volume is created, you can mount it via the Mount button.
A volume can also easily be created and mounted in text mode.
To create a volume: truecrypt -t -c
To mount a volume: truecrypt /truecrypt/linuxmag.tc /media/truecrypt1
Both the GUI and text mode support additional functionality such as using keyfiles and passing specific mount options to the OS. For a full list of options, run truecrypt -h. Note that when using TrueCrypt to back up critical information, it’s important to back up both the volume and the volume headers. The online documentation walks you through how to do this properly. Before using TrueCrypt I also recommend you read the online FAQ, which contains a lot of useful information.
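As an added example (not part of the original article or the TrueCrypt project), the text-mode create/mount/dismount/header-backup steps above wrapped in a small POSIX shell script with the safety checks a practitioner wants: it refuses to overwrite an existing volume file, insists on an empty mount point and a present FUSE device, and never puts the password on the command line. The option names are assumed from the TrueCrypt 6.x/7.x Linux command-line help; the script, its function names and the TC_DRY_RUN switch are the example's own.

```shell
#!/bin/sh
# Wrapper for TrueCrypt text mode (-t). Options assumed from the TrueCrypt
# 6.x/7.x Linux CLI: -c, --volume-type, --size, --encryption, --hash,
# --filesystem, --random-source, --protect-hidden, -d, --backup-headers.
# Set TC_DRY_RUN=1 to print each command instead of executing it.
set -eu

tc_run() {
    if [ "${TC_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "truecrypt $*"; else truecrypt "$@"; fi
}

# Create a file-hosted volume (args: volume file, size such as 10M).
# Refuses to overwrite an existing path, so a typo cannot silently destroy
# a volume the way encrypting a live device erases it. The password is not
# passed with -p: that would expose it to `ps` and shell history, so the
# truecrypt prompt asks for it (and for keyfiles, default none) instead.
tc_create() {
    [ ! -e "$1" ] || { echo "refusing to overwrite existing $1" >&2; return 1; }
    tc_run -t -c --volume-type=normal --size="$2" --encryption=AES --hash=SHA-512 \
           --filesystem=FAT --random-source=/dev/urandom "$1"
}

# Mount a volume (args: volume file, mount point). Requires an empty directory
# as mount point, so existing files are not masked by the mount, and checks
# that the FUSE device TrueCrypt depends on is present.
tc_mount() {
    [ -d "$2" ] || { echo "mount point $2 is not a directory" >&2; return 1; }
    [ -z "$(ls -A "$2")" ] || { echo "mount point $2 is not empty" >&2; return 1; }
    [ -c /dev/fuse ] || { echo "/dev/fuse missing: load the fuse module" >&2; return 1; }
    tc_run -t --protect-hidden=no "$1" "$2"
}

# Dismount a volume by its file path (args: volume file).
tc_dismount() { tc_run -t -d "$1"; }

# Back up the volume header to a file truecrypt prompts for. Keep it with the
# volume backup: without an intact header the volume cannot be opened at all.
tc_backup_headers() { tc_run -t --backup-headers "$1"; }

# Example session matching the article's paths (uncomment to run):
#   tc_create /truecrypt/linuxmag.tc 10M
#   tc_mount /truecrypt/linuxmag.tc /media/truecrypt1
#   tc_backup_headers /truecrypt/linuxmag.tc
#   tc_dismount /truecrypt/linuxmag.tc
```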
A little bit of time spent implementing TrueCrypt to encrypt your sensitive data on the fly could save you a huge amount of time and money in the long run. Don’t leave your data at risk.