Note that this tutorial was written for TrueCrypt v4.1. Since then, many things have changed in TrueCrypt but the principal features discussed in this article remain the same. Also note that I do not attempt to explain the concept of cryptography. Read up on the fundamental concepts of cryptography before you proceed if it is an unfamiliar concept to you. The tutorial will assume that you understand the basic concepts and importance of cryptography.
From bank account information to intimate personal letters, from company secrets to diaries, and from incriminating documents to MP3 collections -- we all have things that we'd prefer be kept private to us, and to us alone. To protect such things in the physical world, we use strong safe boxes that open only when introduced to the correct key. Protecting such data in the digital world is a very similar concept.
In this tutorial I will examine how to encrypt files using a program called TrueCrypt. TrueCrypt is a free, open-source encryption program that has won the respect of the general cryptographic-savvy public, and recognition by cryptographic experts such as Bruce Schneier. It is currently maintained by a group of anonymous programmers who have shown themselves to be quite crypto-savvy over the time they have managed the TrueCrypt project.
This tutorial has been split into several main sections.
- General Overview
- How to Create Encrypted Volumes
- How to Use Encrypted Volumes
- What's Better?
Hopefully I will address everything you need to know in order to use TrueCrypt comfortably and with confidence. Contact me if I am too vague or unclear at any point in this tutorial, so that I can fix it if necessary.
Unlike the physical world, in the digital world it is impossible to create a literal physical safe box to store data in. Instead, we create what you might call a "virtual" safe box. In the physical world, objects are placed in a single container, such as a safe. This safe acts as a singular entity and binds all the objects in it together, separating the objects from the rest of the world by strong walls, walls that will open only when presented with the correct key. Likewise, in the digital world, data placed in a "virtual box" will be placed into a single container which acts like a safe. This "virtual safe" acts as a singular entity and binds all the data in it together. It separates the data from the rest of the world by using an algorithm to scramble the original data values so that they are not recognizable unless you have the right key to unscramble it.
This safe box concept is the idea behind encrypted volumes, which is the method TrueCrypt uses for encryption. There are programs that exist for encrypting a single file individually, but managing encrypted files individually is not always reasonable. Oftentimes many, many files must be encrypted, and they must be viewed, edited, added to, and subtracted from, frequently. Each file could be manually managed, but it would take a lot of time (and could even cause technical difficulties) to do so. And when you have, say, an entire hard drive full of files that need to be encrypted, it's not even humanly possible to attempt to manage them individually. Thus, the solution is to mass-manage them together in one encrypted safe box, a.k.a. an encrypted volume.
There are two types of encrypted volumes: files and partitions. With a file, the encrypted volume will be nothing but an ordinary computer file containing the encrypted data placed in it. This file can be copied across drives, downloaded, anything that can be done with a normal computer file. (You could think of it as being basically just like a ZIP or RAR archive, as the concepts of encrypted volumes and compressed archives are very similar.) With a partition, the encrypted volume will be a literal partition on your hard drive, and it will behave just like one.
Don't be intimidated by the fact that you'll be using volumes -- dealing with encrypted volumes is very simple.
First, you choose the volume you wish to encrypt, whether it be a file or a partition. Then you specify some of the details you want to use (more on those later). Most importantly, you specify a password key that will be used to encrypt the volume. This key will not be stored in any way in the volume, so it is unrecoverable. TrueCrypt then creates the specified volume with the details you provided, encrypts said volume, then writes some encrypted data to the header section of the volume. Of specific interest, in the header there exists something called the "master key". This master key is what is actually used to encrypt the contents of the volume. The key you entered is used to decrypt the master key, and the master key is used to decrypt the volume. (This means that if you change your key, the entire volume does not have to be decrypted and re-encrypted with the new key; just the small header part with the master key needs to be re-encrypted.)
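The two-level key arrangement described above can be shown in a few lines. This is an added example, not TrueCrypt's code: the header layout, the `VOLHDR01` marker, the iteration count and the toy HMAC-based stream cipher are all assumptions chosen so the sketch runs with the Python standard library alone.

```python
import hashlib
import hmac
import os

MAGIC = b"VOLHDR01"   # constructed marker; visible only after a correct decryption
SALT_LEN = 16
ITERATIONS = 2000     # kept low so the example runs quickly


def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for a real cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def header_key(password: bytes, salt: bytes) -> bytes:
    """Stretch the user's password into the key that protects the header."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=32)


def seal_header(password: bytes, master_key: bytes) -> bytes:
    """Header = fresh salt + encrypted (marker + master key). The password is not stored."""
    salt = os.urandom(SALT_LEN)
    return salt + toy_cipher(header_key(password, salt), b"header", MAGIC + master_key)


def open_header(password: bytes, header: bytes):
    """Return the master key, or None if the marker does not appear after decryption."""
    salt, body = header[:SALT_LEN], header[SALT_LEN:]
    plain = toy_cipher(header_key(password, salt), b"header", body)
    if not hmac.compare_digest(plain[:len(MAGIC)], MAGIC):
        return None  # a wrong password and a file that is not a volume look the same
    return plain[len(MAGIC):]


def create_volume(password: bytes, sectors):
    """Encrypt every sector under a random master key; wrap that key in the header."""
    master_key = os.urandom(32)
    data = [toy_cipher(master_key, i.to_bytes(8, "big"), s) for i, s in enumerate(sectors)]
    return seal_header(password, master_key), data


def read_sector(password: bytes, header: bytes, data, index: int) -> bytes:
    master_key = open_header(password, header)
    if master_key is None:
        raise ValueError("wrong password or not a volume")
    return toy_cipher(master_key, index.to_bytes(8, "big"), data[index])


def change_password(old: bytes, new: bytes, header: bytes) -> bytes:
    """Re-wrap the same master key; the encrypted sectors are never touched."""
    master_key = open_header(old, header)
    if master_key is None:
        raise ValueError("wrong password or not a volume")
    return seal_header(new, master_key)


def demo():
    sectors = [b"diary entry", b"bank statement"]  # constructed sample plaintext
    header, data = create_volume(b"old passphrase", sectors)
    new_header = change_password(b"old passphrase", b"new passphrase", header)
    return {
        "same_master_key": open_header(b"old passphrase", header)
        == open_header(b"new passphrase", new_header),
        "old_password_rejected": open_header(b"old passphrase", new_header) is None,
        "data_still_readable": read_sector(b"new passphrase", new_header, data, 1),
    }


if __name__ == "__main__":
    print(demo())
```

Because only the header changes, a copy of the old header together with the old password still unlocks the same data; that is worth remembering when rotating a password that may have leaked.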
After the volume has been created and encrypted, you can easily use it by mounting it with TrueCrypt. Mounting a volume is essentially telling the operating system to treat that volume as an actual disk partition, allowing you to access and manage it just like a normal partition. To mount a volume, all you have to do is select the volume and provide your original key. Once the volume has been mounted, it will appear as a normal drive on your operating system and you can treat it just like one in all regards. You can copy files to it, delete files from it, edit files in it, run programs from it, etc. As far as your operating system is concerned, this drive is just like any other drive it manages.
The mounted drive is nothing more than an interface to the encrypted volume, be it a file or an actual device. Thus, all data in the mounted drive actually resides in the encrypted volume. If your encrypted volume is a file, for example, whenever you move data to the mounted drive it is actually being moved to the file.
Encrypting and decrypting data on a volume is as simple as moving the data to and from the mounted drive, just as you would with any normal drive. When a volume is mounted, TrueCrypt acts as a middleman between the operating system and the mounted volume, similar to how virtual disk drive emulators, such as Daemon Tools, work. When data is saved to the drive, TrueCrypt encrypts it before saving it to the volume. When data is requested from the drive, TrueCrypt decrypts it before giving it to the operating system to give to you. It's drag-n-drop simple.
This is a walk-through for creating an encrypted volume, regardless of whether the volume is a file or partition. Windows users, note that you must have admin privileges to use TrueCrypt.
- (This first step is only for file volumes. If you are using a partition, skip this step.) Create a file to use as the encrypted volume -- it can be a new text document, a recycled old PDF, it doesn't matter. Just note that the file's original contents will be overwritten and lost. This file you create/choose will be the file you will use as your encrypted volume.
- Open TrueCrypt and select the "Create Volume" option. (Click "Next".)
- Select the "Create a standard TrueCrypt volume" option. (It is possible to create a "hidden" volume only if you are creating it in a location where a standard volume already exists. More on hidden volumes follows later.) (Click "Next".)
- File volume: Click "Select File" and find the file you created in the first step.
Partition volume: Click "Select Device" and choose the drive/partition you wish to encrypt. You can select an entire drive or just a partition. However, if you wish to encrypt an entire drive, it is recommended that you first create a normal partition on the entire drive and then encrypt that partition, rather than encrypting the drive itself directly. There is no difference security or usability-wise, but it can avoid problems where Windows will automatically try to initialize a disk that it doesn't detect to be formatted.
Note that when creating a volume, all data on the drive or in the file you choose will be lost. (Click "Next".)
(A more comprehensive comparison between the advantages/disadvantages of using file volumes and physical device volumes can be found later in this tutorial.)
- Select the encryption algorithm you wish to use. While selecting the perfect algorithm is a very complex subject, suffice it to say that there is no wrong choice here because all algorithms TrueCrypt employs have been professionally created, tested, and approved. The "official" recommendation, however, is AES, as it is currently accepted by the general security community as the most secure algorithm in today's world, with Twofish probably being the closest runner-up. You will note that some of the algorithms consist of two names separated by a dash, such as "AES-Blowfish" -- these options mean that both of the algorithms will be used in the order they are listed. While using two, or even three, layers of encryption is unnecessary, it may be a prudent precaution for anyone who either knows they have very smart and powerful adversaries, or is just plain paranoid.
- Below the choice of encryption algorithms, there is a choice to select the hashing algorithm to be used. Again, there is no wrong answer. These hashes won't be used to actually store or authenticate data, so don't worry about that. (The fact that SHA-1 has been somewhat compromised is not of any concern at all in this specific context.) (Click "Next".)
- Next you will need to determine how large the encrypted volume should be. This size will be permanent and cannot be changed, so choose a size that provides as much space as you may ever need. (Unused space on the volume will always be filled with random garbage, so if you're dealing with a file volume its size will always be the same, regardless of how much data you're actually storing in there.) (Click "Next".)
- Now you will create a key to use to encrypt your files, the step you no doubt have been anticipating all along. (This key is what will be used to encrypt the master key, which is generated later.) This is, obviously, the most critical step to the security of your encrypted volume, as your goal is to select a key that won't be breakable by an adversary, yet still something you can remember. When creating a key, you obviously have the text portion of the key, but TrueCrypt also allows you to mix the contents of a normal file in with your key, so that your text key combines with the file's contents to yield the final key. Thus both your text key and the file will be necessary to decrypt the volume. If you opt to use a file, check the "Use Keyfiles" box then click the "Keyfiles" button. Use the "Add File" button to add individual files to the keyfile list or use the "Add Path" button to add entire folders of files. If you want to generate a new file just to serve as a keyfile, click "Generate Random Keyfile" in the bottom-right corner, save the new file, then select it with "Add File". (Click "Next".)
- Finally, choose which file system and cluster size you wish the volume to use to store data. Unless you're familiar with file systems and cluster sizes, I'd recommend keeping the cluster setting at whatever TrueCrypt recommends by default. The only security difference between FAT32 and NTFS is that NTFS does not support hidden volumes, so you can't add one later.
- Below the file system settings, there will be a random data pool with a long hexadecimal string that keeps changing. This is some of the random data that will be used in the encryption process and the master key that will be used for encryption. The master key will be automatically managed and encrypted by your user-specified key; all you have to remember is the text and whatever keyfile(s) you used for your key. All mouse and keyboard activity you generate in the window during this time will add to the entropy (randomness) of the data, so be sure to wave the mouse around at least a few times to help generate unique entropy.
- Next there is a checkbox that gives you the option to perform a quick format. A quick format will only initialize the file system of the volume and will be much faster. Leaving the quick format choice off will perform a full format, in which random data will be written to every bit (literally) of the volume. Doing this ensures that, at a later time, an attacker looking at the contents of the encrypted volume will not be able to tell how much data is in the volume and where it's stored, because encrypted data looks exactly like random data. Not performing a full format means that it is very likely the unused portions of the volume will not contain random-looking data, and an attacker will be able to make decent guesses as to how much data is stored in the volume. This may not seem like a big deal, but the smallest bit of information can sometimes be much more than you want an adversary to know. For example, if they know you're only storing one file in the volume and they can figure out exactly how big it is, that may tell them everything they need to know about it. Always perform a full format unless you know that the volume is already full of random data, such as when you are re-formatting an existing volume.
- When you are done, click "Format" to create the new encrypted volume. When the format process has completed, click "Exit" if you do not wish to encrypt another volume, or "Next" to create another volume using these same steps.
NOTE: When TrueCrypt creates an encrypted volume, it encrypts the entire volume, including the file system. This means that, if the encrypted volume is a physical drive/partition, when you connect the drive to your computer, your operating system will not recognize the drive as formatted and will not be able to read from or write to it. This is how it is supposed to be; the only way to access the volume is through TrueCrypt -- so don't panic. And above all, don't take Windows' suggestion to format the disk, as this will erase everything on it.
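Why the quick-format step above leaks the amount of stored data can be seen by measuring per-block entropy, which is a check you can run on your own containers. This is an added example, not part of the original tutorial or of TrueCrypt: the volume is simulated, ciphertext is modelled as random bytes (as the tutorial says it appears), and unused space after a quick format is modelled as zeros, whereas a real disk would hold whatever was there before.

```python
import math
import os

BLOCK = 4096  # bytes analysed at a time


def shannon_entropy(block: bytes) -> float:
    """Empirical entropy in bits per byte: close to 8 for random data, 0 for constant data."""
    counts = [0] * 256
    for byte in block:
        counts[byte] += 1
    total = len(block)
    return sum(-(c / total) * math.log2(c / total) for c in counts if c)


def simulated_volume(total_blocks: int, used_blocks: int, full_format: bool) -> bytes:
    """Constructed stand-in for a volume body.

    Blocks holding data are random bytes (modelling ciphertext). Unused blocks are
    random after a full format and zero-filled after a quick format (assumption).
    """
    blocks = []
    for index in range(total_blocks):
        if index < used_blocks or full_format:
            blocks.append(os.urandom(BLOCK))
        else:
            blocks.append(bytes(BLOCK))
    return b"".join(blocks)


def random_looking_blocks(volume: bytes, threshold: float = 7.5) -> int:
    """Count blocks whose entropy is high enough to pass for ciphertext."""
    count = 0
    for offset in range(0, len(volume), BLOCK):
        if shannon_entropy(volume[offset:offset + BLOCK]) >= threshold:
            count += 1
    return count


def compare_formats(total_blocks: int = 32, used_blocks: int = 5) -> dict:
    """What an observer without the key can count in each case."""
    quick = simulated_volume(total_blocks, used_blocks, full_format=False)
    full = simulated_volume(total_blocks, used_blocks, full_format=True)
    return {
        "quick_format": random_looking_blocks(quick),  # equals the used block count
        "full_format": random_looking_blocks(full),    # every block looks the same
    }


if __name__ == "__main__":
    print(compare_formats())
```

After a quick format the count matches the number of blocks actually in use; after a full format every block is indistinguishable, so the count reveals only the volume size.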
Once you've created an encrypted volume, you will no doubt need to actually use it. All management of the encrypted volume's contents must be done while the volume is mounted as a drive by TrueCrypt. This will provide a walk-through for how to mount a volume, and how to manage it once it's mounted.
- Open TrueCrypt and look at mid-bottom of the window for a rectangular region with the TrueCrypt logo on the left. On the right side there will be two buttons: "Select File" and "Select Device". Use the first button if you wish to mount an encrypted file, use the second to mount an encrypted drive/partition.
- Select the encrypted file/partition/device you wish to mount.
- Once the volume has been selected, look at the very top of the window and notice the long list of letters. These are all the drive letters that are either empty or currently being used by TrueCrypt. Select an unused drive letter to mount the volume as. This will be the drive letter the operating system assigns to it (and no, there is no need to always mount a drive under the same letter, unless there are shortcuts that point to that specific drive).
- When the volume and the drive letter to mount it as have been selected, click the "Mount" button at the bottom-left of the window. You will be prompted to enter the password/keyfile you used when you created the volume originally. (If you used a keyfile, you will need to locate it on the drive where it is stored.) If you present the correct key, the drive will be mounted. If you enter the incorrect password, you will be prompted to try again. (If you enter an invalid password several consecutive times, double-check that the file you're trying to mount is actually an encrypted volume. Without a correct password, TrueCrypt has no way of knowing whether a volume is encrypted or not, and thus, if you're accidentally trying to mount a file/partition that is not encrypted, it has no way of informing you that you're on an impossible mission.)
- Once the drive has been mounted, you will see its basic stats listed next to its respective drive letter in the list of drive letters at the top. This list allows you to assess and access all of the encrypted volumes you're managing at a glance.
- To manage the contents of the volume you mounted, just use the drive like you would any other. Encrypt files by copying them to the drive, and decrypt files by reading them from the drive. You can access the drive yourself via "My Computer" and your programs can access the drive and write files to and/or read files from it. As far as Windows is concerned, it's a perfectly normal, average drive, and can be treated just like one. NOTE: Once a drive has been mounted, you do not need to leave the TrueCrypt program running in order to use the drive. Closing TrueCrypt will not dismount the drive. When you re-open TrueCrypt, it will still recognize the encrypted volume and you will be able to dismount the drive.
- When you're done using the volume, dismount it by hitting the "Dismount" button at the bottom. The drive will disappear into thin air and no longer be accessible. Simply shutting down the computer will dismount the volume, which will not be automatically remounted when Windows starts again.
NOTE: It is possible that, while a disk is being used, some file contents that are being used will be stored in the computer's virtual memory. Since everything being read from the volume is automatically decrypted, and because virtual memory exists on the operating system's hard drive, this means that file contents stored in virtual memory will be stored unencrypted on the hard drive. This is obviously undesirable, so users are encouraged to disable their virtual memory systems before managing mass amounts of encrypted data. (Windows users: Start > Control Panel > System > Advanced > Settings > Advanced > (Virtual Memory) Change > No Paging File > Set.)
There are three important choices that you must make when creating an encrypted volume: You must choose between using a file or a physical device, a standard or hidden volume, and a password or a keyfile. Here I will examine the pros and cons of both options for each of these choices in depth, as I skipped over these subjects earlier. I address these issues in what I believe to be the order of their importance.
Standard vs. Hidden volumes:
There are two modes you can have an encrypted volume in: standard and hidden, also called "outer" and "inner", respectively.
A standard volume is just a normal encrypted volume that TrueCrypt creates. All your data is simply encrypted and stored to it. Since the advantage of using standard volumes is dependent on hidden volumes, I will address it in the context of a hidden volume.
The disadvantage of using standard volumes is that any adversary analyzing a disk where an encrypted volume is stored would be able to detect the presence of encrypted data of some sort, because all of the data in that location will be conspicuously very random. If they know you have a copy of TrueCrypt, they would probably assume that you have a TrueCrypt encrypted volume in that "random" space. An adversary may then force you (by legal or physical means) to reveal your encryption key for the volume. If you comply (having your fingernails ripped off via pliers can be very motivating) and all your important data is in this volume, then all is lost.
This is why hidden volumes exist. Hidden volumes are encrypted volumes within encrypted volumes -- but they are impossible to detect. Thus, you can place your most important secrets in there and even if your standard volume is breached, the secrets in the hidden volume remain intact. This concept is called "plausible deniability".
It is possible to all but prove the actual existence of a standard volume, but it is impossible to prove the existence of a hidden volume. Thus, an adversary could potentially force you to reveal the key that decrypts the outer volume, but they would have no way of forcing you to reveal the key for the inner volume, because they do not even know that an inner volume exists. If they are familiar with TrueCrypt, they will know that the potential for an inner volume exists, but they have no proof that you have utilized this function.
Thus, by storing some semi-serious data in the outer volume and the serious data in the inner volume, you can protect your most critical data even if the outer volume is compromised. Hopefully the assailants will assume that they have found everything you have to offer and not press beyond that, as there is no way they can prove you have anything more to offer.
Keyfile vs. No Keyfile:
When creating a key for an encrypted volume, TrueCrypt offers the option to add to the text key (the key entered via keyboard into the prompt) by using keyfiles. Keyfiles are just normal computer files whose contents TrueCrypt adds to the normal text key. Together the keyfile and the text key are used to generate the master encryption key that would otherwise be generated from only the text key. There is no limit to the number of keyfiles that can be used. However, only the first 1024 bytes of each file are actually used (and these are then compressed down to the maximum key length of 64 bytes), so data beyond those bytes is irrelevant.
The main disadvantage of using a keyfile is that it causes inconvenience. Since the keyfile is a part of the key, it must always be present when you wish to mount the volume. Thus, if you move the volume from one computer to another, you must find a way to transport the keyfile along with it. In addition, the keyfile must be kept secret, which introduces a range of security problems regarding how you can keep the keyfile itself physically safe. (This is for you to sort out on your own, as physical security is a totally different topic. All I'll say is that it might be wise to make use of floppies and to keep a heavy magnet close by. It might also be worth looking into a program called SecureTrayUtil.) Another disadvantage of using a keyfile is that if any of the file's first 1024 bytes are changed (due to any cause, including file corruption), it is impossible to mount the encrypted volume.
One major advantage of keyfiles is that they allow for an encryption key to be split up over more than just one user. If two people wish to encrypt a volume such that it is impossible for just one of them to decrypt it alone, they could both contribute a keyfile when creating the encryption key, and use both keyfiles when creating the volume's key. Then, the volume cannot be decrypted without the keyfiles of both people. Another advantage is that keyfiles protect against keylogging, because the keylogger will only log the part of the key entered via the keyboard, it will not detect the part of the key that is contributed by the keyfile.
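The keyfile properties described above (only the first 1024 bytes count, any change inside them breaks the key, and several people can each contribute a file) can be checked with a small model. This is an added example, not TrueCrypt's source: the mixing function, a running CRC-32 folded into a 64-byte pool that is then added to the zero-padded password, is a simplified assumption, and the keyfile contents are constructed sample data.

```python
import hashlib
import zlib

KEYFILE_BYTES_USED = 1024  # per the tutorial: only the first 1024 bytes count
POOL_SIZE = 64             # per the tutorial: compressed down to 64 bytes


def sample_keyfile(label: bytes, size: int = 2048) -> bytes:
    """Constructed keyfile contents (deterministic so the example is repeatable)."""
    return hashlib.shake_256(label).digest(size)


def keyfile_pool(keyfiles) -> bytes:
    """Fold each keyfile's leading bytes into one shared 64-byte pool (assumed mixing)."""
    pool = bytearray(POOL_SIZE)
    for content in keyfiles:
        crc = 0
        cursor = 0
        for i in range(min(len(content), KEYFILE_BYTES_USED)):
            crc = zlib.crc32(content[i:i + 1], crc)  # running CRC over bytes so far
            for byte in crc.to_bytes(4, "big"):
                pool[cursor] = (pool[cursor] + byte) % 256
                cursor = (cursor + 1) % POOL_SIZE
    return bytes(pool)


def combined_key_material(password: bytes, keyfiles) -> bytes:
    """Typed password plus keyfile pool, byte by byte; the result feeds key derivation."""
    if len(password) > POOL_SIZE:
        raise ValueError("password longer than 64 bytes")
    padded = password.ljust(POOL_SIZE, b"\0")
    pool = keyfile_pool(keyfiles)
    return bytes((p + k) % 256 for p, k in zip(padded, pool))


def flip_bit(content: bytes, index: int) -> bytes:
    """Simulate corruption of a single byte at the given offset."""
    return content[:index] + bytes([content[index] ^ 1]) + content[index + 1:]


def demo() -> dict:
    password = b"typed passphrase"
    alice, bob = sample_keyfile(b"alice"), sample_keyfile(b"bob")
    both = combined_key_material(password, [alice, bob])
    return {
        # Dual control: neither keyfile alone, nor the typed part alone, gives the key.
        "alice_alone_differs": combined_key_material(password, [alice]) != both,
        "typed_part_alone_differs": combined_key_material(password, []) != both,
        # Order of selection does not matter in this model.
        "order_independent": combined_key_material(password, [bob, alice]) == both,
        # Damage at offset 1024 is ignored; damage at offset 1023 locks you out.
        "byte_1024_ignored": combined_key_material(password, [flip_bit(alice, 1024), bob]) == both,
        "byte_1023_matters": combined_key_material(password, [flip_bit(alice, 1023), bob]) != both,
    }


if __name__ == "__main__":
    print(demo())
```

The last two results are the practical reason to keep a verified backup copy of every keyfile: a single changed byte inside the used region yields different key material and the volume will not mount.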
The biggest advantage of using keyfiles is that they allow for the user to use a longer password with a more diverse byte value range. Creating a long, good password can be difficult to do ("long" here being at least 20 characters), especially if it's something that you have to mentally remember. Invoking keyfiles provides a way to easily use a long sequence of random values without having to remember them. Plus, the text password from the keyboard is limited to ASCII values, meaning that it is impossible to take advantage of a byte's full 256 value range. Using a binary keyfile allows you to inject more diverse byte values into the key. Thus, keyfiles allow for an easy way to use long, diverse keys.
In the end, the decision to use keyfiles or not is up to you. Before making your decision, consider what your text key will be (and how strong it is), how you will securely store/hide the keyfile, and how you might be able to securely transport the keyfile if needed. In the end, it's probably worth throwing a keyfile into the mix if you cannot think of a reason not to.
Do not rely on your keyfile, however, for good security. It is still highly recommended that you make your text key as good as possible. And yes, it is possible to use just a keyfile, with no text password, as the key, but this is strongly not recommended. If you need help creating a good password, I've written somewhat extensively on the subject.
File vs. Device Volumes:
The main advantage of using files is that they're more flexible. You can copy them, delete them, and move them at will. This allows you to create backups, easily give copies to colleagues, and such. Another very important advantage is that it allows you to "hide" volumes as other files. Because encrypted volumes stand out as being suspiciously random to anyone analyzing the drive on which the volume is located, you can put a DLL extension on the end of the volume's file name, put it in the Windows\system32 directory, and it hopefully will never be questioned as being valid. This trick has limitations, though, and obviously doesn't work for 900MB file volumes on a 1GB USB flash drive, and similar scenarios.
The disadvantage of using files is that whenever you move or copy the file, if you do not wish for the presence of the file to be detected, you have to securely delete the original file, otherwise it might be recoverable by someone else. The file will still be encrypted and unreadable to them (unless they have the password), but sometimes you don't even want another party to know that you have the encrypted file in the first place. And if you create a file volume larger than 4GB, it obviously won't be able to exist on a FAT32 file system, which may or may not inconvenience you. Also, if your volume becomes heavily fragmented, file volumes will run a bit slower (defragging can easily solve this, though).
Dealing with physical drives/partitions is slightly different. It prevents copies from easily being made, which can be a good thing if you have reason to want the data to remain in one and only one location.
It's not really a big deal which type of volume you choose. The only real issues are the ease of copying a volume, and the convenience of using it. Before creating the volume, you should consider whether or not you (or anyone) will want to copy it in the future, and how convenient it would be to manage a physical device instead of a file.
As it is with any program, there are details about TrueCrypt that the newer user might not notice. Hopefully this list of tips will help enhance your experience with TrueCrypt, although this is by no means comprehensive of all the goodies TrueCrypt offers. I won't explain how to do everything; you can figure that out on your own (remember, TrueCrypt has an official manual). Rather, I'll simply let you know what options exist that I recommend you research.
- TrueCrypt does not have to be installed on a machine in order to function. -- Because it can be annoying to install programs on every computer you need to use them on, and also because merely the presence of TrueCrypt residue on your system might give away more information to your opponents than you would like, TrueCrypt does not have to be installed in order to work. It can operate as a stand-alone set of executables. Thus, it is possible to run TrueCrypt on-the-fly from a USB flash drive (or even a floppy) without the bother of installation.
- Back up your encrypted volume's header. -- TrueCrypt offers a wonderful option to back up the critical, encryption-related data for a volume. Having a volume's header backed up is extremely handy if some accident (or malicious attack) occurs and changes part of the volume's encryption-related data. If the volume header were to be damaged in such an accident, you would be unable to mount the volume and retrieve whatever non-damaged portions still exist. But if you had a backup, you could simply use TrueCrypt to restore the header data from the backup data and you would be back in business. The option for this can be found under Tools -> Backup Volume Header.
- Keep a list of "favorite" volumes. -- If you have several (or even just one) encrypted volumes that you consistently need to mount, you can create a "favorites" list of all the volume locations and the drive to mount them as. Then you can simply select the option to mount all favorite volumes, and then just enter the key for each one, without having to manually select each volume and its drive letter.
- Do not upgrade the moment a new version comes out. -- You must fight your inner-geek tendencies to upgrade TrueCrypt the instant the newest version is released. This is because, tragically, TrueCrypt does not have a great track record of producing stable new releases. If you rush off to get the newest version, you may find yourself upgrading once or twice in the next couple weeks -- especially if the upgrade was to a whole new major version number. Give every new TrueCrypt release at least a week to be examined for flaws by the rest of the public before bothering to upgrade. I have nothing against TrueCrypt; it's just that there have been unstable releases in its past, but these errors are always corrected quickly.
This is a quick list of the most common, natural questions new users have about TrueCrypt.
- Q: How secure is TrueCrypt? Is it good enough to protect my very sensitive data?
A: TrueCrypt is recognized as one of the best encryption programs available to the public. It has been written, scrutinized, and heartily endorsed by many security experts. The fact that it is open source means any expert with the ambition has the ability to analyze TrueCrypt from the inside out - which is a big plus in matters of security. The creators of TrueCrypt have done an excellent job thus far analyzing and improving upon potential weaknesses, and the program has a very loyal, intelligent following of users. All in all, TrueCrypt comes highly recommended.
- Q: Is it possible to analyze a hard disk and determine for sure whether or not there is an encrypted file/partition?
A: No. Encrypted data looks just like random data, and the entire volume is encrypted, so no plaintext flags or marks exist that identify it as being encrypted. However, it is very unusual for existing files, and even drives, to be filled with perfectly random data. So an adversary would probably (and rightfully) assume that such a region contains encrypted data. I personally would recommend renaming an encrypted file volume to have a file extension that is known for containing basically random data, such as DLL. An adversary can always check to see if the file is indeed valid for the extension it is listed as, but if you put it in a non-conspicuous place (such as a system or a video game folder), hopefully it will be overlooked as nothing abnormal. Drives/partitions have no easy method of disguise.
- Q: I have a normal partition that I would like to encrypt, is it possible to convert it to an encrypted partition volume without losing my data?
A: No, the partition will have to be completely reformatted in order to be used as an encrypted volume. To convert a non-encrypted partition to an encrypted partition, you will need to copy all of your files to another location, encrypt the original partition, and then copy all the files back. Programs like SyncBack can aid you with this. You might even want to consider creating another encrypted volume to temporarily house the files you're copying while you format the original partition, so that the sensitive data is not left exposed. After you're completely done, depending on where you copied the files to, it might be smart to shred them using a program like Eraser.
- Q: Can I change my encryption key after I create an encrypted volume?
A: Yes, but only if you know the original key. There are no backdoors built into TrueCrypt, so your key is the only thing that can unlock the volume contents.
I'd go on longer on this subject, but I've covered enough of the basics. Hopefully I didn't overcomplicate the process, as my only intention was to simplify it. In the end the concept is simple: Create a safe, create a key, open/close the safe adding/removing valuables as necessary.
I didn't come close to covering everything about TrueCrypt, but then I didn't try to. Remember that TrueCrypt has an official user's manual and an extensive FAQ of its own, and it contains technical details that I didn't mention here. Consult these if you plan to make good use of this fine program.
Any questions you have should be directed at the fine members of the official TrueCrypt forums; I even hang out there a bit myself.
And although I didn't touch on this subject during the tutorial, as it is long enough already, I must state, in closing, that the concept of encryption is very important. Information is power, and the ability to control information is power as well. The more you control what information you do/don't disseminate to others, the more power you reserve for yourself and deny to potential adversaries.
Encryption is the main (but not only) tool to limit information dissemination. Use it, value it, protect it, know it -- both your information and encryption techniques. Sometimes you don't fully appreciate how valuable your information is until it falls into the wrong hands. Don't let that happen to you.