Install and Use TrueCrypt Data Encryption Software
Do you store sensitive data on your computer? Each year, there is a significant increase in the number of security breaches at higher ed institutions. IT strongly encourages anyone who stores sensitive or confidential data on their desktop or laptop computer, or on an external device such as a hard drive or USB flash drive to encrypt* the data.
*Encryption is the process of scrambling stored or transmitted information so that it is unintelligible until it is unscrambled by the intended recipient.
Information Technology offers FREE data encryption software – TrueCrypt. If you would like to install the software yourself, follow the instructions below. To receive assistance with installation of the software, contact the Help Desk at 766-4357, option 1. IT Computer Support Specialists have been trained on the software and are available to assist you. Also, the Computer Training Department offers free training workshops on TrueCrypt three to four times per year. Check out the free training workshops for the latest training schedule.
TrueCrypt can be used in several ways, the two most common are that it can encrypt an entire disk volume - such as a USB thumb drive, floppy disk, or an entire hard disk if you like - or, it can create an encrypted virtual disk.
An encrypted virtual disk is simply a file that TrueCrypt "mounts" as an additional drive letter on your machine. You specify the pass phrase when the virtual drive is mounted and thereafter everything you access from there is automatically DEcrypted and anything you place there is ENcrypted.
For example, you might have TrueCrypt create an encrypted drive as c:\windows\secritstuf. If someone were to look at the contents of that file directly, they would see only random gibberish - the result of encryption. When using TrueCrypt to mount that file as a virtual drive, (for example selecting the drive letter "P:") then P: would look and operate like any other disk, and would contain the contents of the encrypted drive. Encryption is as simple as moving a file to the drive.
The trick, then, is to never mount the drive automatically. When your machine boots up, "P:", for example, would be nowhere to be found, and the encrypted file c:\windows\secritstuf would be present, but only visible as gibberish. If someone stole your machine that's all they would find.
Now, a couple of caveats:
- Encryption does not make a bad password any more secure. If you choose an obvious password or pass phrase, a dictionary attack can certainly be mounted that could unlock your encrypted volume.
- An encrypted volume does you no good if the files you care about are also elsewhere on your machine.
- That being said, make sure you have secure backups, updated regularly. Preferably keep them UNencrypted, but secure in some other way, in case you lose your encrypted volume or forget your password. Without the password, the data is not recoverable.
- That last statement is technically inaccurate. You should always be aware that things are never 100% secure. All encryption can, theoretically, be hacked. The purpose of encryption is to make the cost of that hacking so astronomical as to be impractical. For example, spending a calendar year on a brute force hacking attempt is pointless to discover next month's sales forecasts. Similarly hiring the expertise required to attempt such a recovery might also be astronomically costly.
- In the event you forget your password or keyfile (if one is being used) TrueCrypt allows for recovery of the encrypted data. The installation instructions below direct you on the steps to accomplish this by backing up the header file and storing that on the IT server.
Data encryption is an important part of an overall security strategy. Keeping your sensitive data secure requires a little forethought and planning. With viruses and spyware running amok, not to mention the theft scenario, there's no excuse not to take the time and save yourself some grief later if the unthinkable happens.*
* From: http://ask-leo.com/how_can_i_keep_data_on_my_laptop_secure.html
Also see http://www.TrueCrypt.org for additional information.
If you would like to install the software yourself, follow the instructions below. If you would like assistance with installation of the software, contact the Help Desk at 766-4357, option 1. IT Computer Support Specialists have been trained on the software and are available to assist you. Also, the Computer Training Department offers free training workshops on TrueCrypt three to four times per year. Check out the free training workshops for the latest training schedule.
- Download and install TrueCrypt.
- Click START, RUN, and enter \\uwapps\encryption\install files\TrueCrypt Files\6.1.
- Double-click the TrueCrypt Setup 6.1 file to install the program.
- Create a volume
- Launch TrueCrypt by double-clicking the TrueCrypt shortcut on your Windows desktop.
- The main TrueCrypt window opens. Click Create Volume.
- Choose an encryption type
- The TrueCrypt Volume Creation Wizard window will appear.
Choose what type of TrueCrypt volume to be created. A TrueCrypt volume can reside in a file, which is also called a container, in a partition or a drive. The Create an encrypted file container option creates a TrueCrypt volume within a file. As this option is selected by default, you can just click Next.
Note: In some of the following steps, the screenshots will show only the right-hand part of the Wizard window.
- Choose a volume type
- Choose whether to create a standard or hidden TrueCrypt volume. The Standard TrueCrypt volume option creates a standard TrueCrypt volume. As this option is selected by default, you can just click Next.
- Choose a volume location
Note: a TrueCrypt container is just like any normal file. It can be moved, copied and deleted as any normal file. It also needs a filename, which you will choose in the next step.
- Click Select File.
The standard Windows file selector will appear (while the window of the TrueCrypt Volume Creation Wizard remains open in the background).
- Create your TrueCrypt volume in the folder D:\My Documents\ and the filename of the volume (container) will be My Volume. You may, of course, choose any other filename and location you like (for example, on a USB memory stick). Note that the file My Volume does not exist yet – TrueCrypt will create it.
Note: TrueCrypt will not encrypt any existing files. If you select an existing file, it will be overwritten and replaced by the newly created volume (so the overwritten file will be lost, not encrypted). You will be able to encrypt existing files later on by moving them to the TrueCrypt volume that you are in the process of creating.
Select the desired path (where you wish the container to be created) in the file selector.
Type the desired container filename in the File name box and click Save.
- The file selector window will disappear and we return to the TrueCrypt Volume Location window. In the Volume Location window, click Next.
- Choose encryption algorithm and hash algorithm options
- If you are not sure what to select here, you can use the default settings and click Next.
- Specify volume size
- After you type the desired numeric value in the input field and select the units, click Next.
- Specify volume password
- This is one of the most important steps. Here you need to choose a good volume password. Read carefully the information displayed in the Wizard window about what is considered a good password. For the moment, use the following string of characters as the password (you will change it later):
Note: You can highlight the text from this web page, and then copy and paste it into the password text fields in the TrueCrypt wizard.
Note: After you've typed in the password, it is a very good idea to copy and paste this to notepad, as you'll need to reenter the password numerous times throughout this process and it will be much easier to copy and paste the password as needed.
Note: The Next button will be disabled until passwords in both input fields are the same.
Enable the check box Use Keyfiles and click Keyfiles. For added security, IT recommends the use of keyfiles in addition to a strong password.
- Click on the Generate a Random Keyfile button.
As the Keyfile Generator is creating the keyfile, move the mouse around on the screen. This helps create a more secure and complex keyfile.
- Browse to the location where you will store the keyfile and type in a file name.
In this example, we will create an encrypted file named username.M in the folder Secure. You may name
it with any extension (or no extension) as you like. However, for recovery purposes, name this file with
your username and drive letter (i.e. user.M). As this is a random file, IT can use this as your
container’s unique identifier (instead of the password). Send this file, along with the backed up volume header
generated later (step 13) in the instructions, to IT.
- Click Save, then OK.
- Choose the volume file system format
- Change the Filesystem selection from FAT to NTFS for XP systems! NTFS allows you to take advantage of other XP security options.
Move your mouse as randomly as possible within the Volume Format window at least for 30 seconds. The longer you move the mouse, the better. This significantly increases the cryptographic strength of the encryption keys (which increases security).
- Volume creation should begin. TrueCrypt will now create a file called My Volume in the folder C:\My Documents\ (as we specified in Step 5). This file will be a TrueCrypt container (it will contain the encrypted TrueCrypt volume). Depending on the size of the volume, the volume creation may take a long time. After it finishes, the following dialog box will appear:
Click OK to close the dialog box.
- You have just successfully created a TrueCrypt volume (file container). In the TrueCrypt Volume Created window, click Exit.
In the remaining steps, you will mount the volume you just created. The main TrueCrypt window should still be open. If it is not, repeat Step 1 to launch TrueCrypt and then proceed to Step 10.
- Mount a TrueCrypt volume
- Select a drive letter from the list and click Select File...
Note: In these procedures, we chose the drive letter M, but you may of course choose any other available drive letter.
- The standard file selector window should appear. In the file selector, browse to the container file (which we created in Steps 4-9) and select it. Click Open.
- In the main TrueCrypt window, click Mount. The Password prompt dialog window should appear.
- Type the password – or copy and paste the password you specified in Step 8 – in the password input field. Also, make sure the Use keyfiles option is selected and click the Keyfiles button.
- Click the Add Files button, locate and select the keyfile created earlier in the process (step 8) and click Open.
- Your keyfile will now be displayed in the Keyfiles window. Click the OK button to return to the password screen.
- Click OK in the password prompt window. TrueCrypt will now attempt to mount the volume. If the password is incorrect (for example, if you typed it incorrectly), TrueCrypt will notify you and you will need to repeat the previous step (type the password again and click OK). If the password is correct, the volume will be mounted.
- You have successfully mounted the container as virtual disk M. The virtual disk is entirely encrypted (including file names, allocation tables, free space, etc.) and behaves like a real disk. You can save (or copy, move, etc.) files to this virtual disk and they will be encrypted on the fly as they are being written. If you open a file stored on a TrueCrypt volume, for example, in media player, the file will be automatically decrypted to RAM (memory) on-the-fly while it is being read.
Note: when you open a file stored on a TrueCrypt volume (or when you write/copy a file to/from the TrueCrypt volume) you will not be asked to enter the password again. You need to enter the correct password only when mounting the volume.
- Opening a mounted volume
- You can browse to the mounted volume the way you normally browse to any other types of volumes, for example, by opening My Computer and double clicking the corresponding drive letter (in this case, it is the letter M).
Note: You can copy files to and from the TrueCrypt volume just as you would copy them to any normal disk (for example, by simple drag-and-drop operations). Files that are being read or copied from the encrypted TrueCrypt volume are automatically decrypted on the fly (in memory/RAM). Similarly, files that are being written or copied to the encrypted TrueCrypt volume are automatically encrypted on the fly (right before they are written to the disk) in RAM.
Note: TrueCrypt never saves any decrypted data to a disk – it only stores them temporarily in RAM (memory). Even when the volume is mounted, data stored in the volume is still encrypted. When you restart Windows or turn off your computer, the volume will be dismounted and all files stored on it will be inaccessible (and encrypted). Even when power supply is suddenly interrupted (without proper system shut down), all files stored on the volume will be inaccessible (and encrypted). To make them accessible again, you have to mount the volume. To do so, repeat Step 10.
- Closing a mounted volume
- To close the volume and make files stored on it inaccessible, either restart your operating system or dismount the volume. To dismount the volume select the volume from the list of volumes in the main TrueCrypt window and then click Dismount. To make files stored on the volume accessible again, you will have to mount the volume. To do so, repeat Step 10.
- Backing up the volume header for recovery purposes
In the event you forget your password or keyfile (if one is being used) you must back up the header information to allow for recovery of the encrypted volume. Follow the steps below to have the header information saved securely on the IT storage server.
- From the Tools Menu, click Backup Volume Header. Select Yes.
- Select the location to store the header from the Save in: list, name the header file Sample_Header and click Save.
Note: This header file and the random keyfile will need to be sent to IT to assist IT in case it becomes necessary to recover the encrypted volume. (See step 16)
- You can now change your password to something meaningful to you and easy to remember
- From the Volumes menu click Change Volume Password. Input the current information (the password above, and the generated keyfile). Input the new information (new password and keyfiles).
- Run Environment variable registry.reg to set the environment variables for temp (t:) and secure(s:) - (located in \\uwapps\Encryption\Install Files\UW Documents). This script also disables the paging files and hibernation.
- Enable TrueCrypt to start automatically and mount drives when logging into windows
- Open TrueCrypt. Click on the Settings menu, select Preferences.
- In the Preferences window check the Start TrueCrypt and Mount favorites checkboxes. Click OK.
- From the Settings Menu again, select Default Keyfiles. By selecting the keyfile you created earlier in the install, this will allow TrueCrypt to automatically enable your encrypted folder (volume) when you log on to Windows.
- After you have mounted all your volumes, select Save currently mounted volumes as favorites from the Volume menu. When you log on to your computer, you will be greeted by TrueCrypt trying to mount drives. It will ask for the password (and keyfiles).
Once mounted, TrueCrypt will store the password in its memory until you log out, reboot, or tell TrueCrypt to wipe the passwords.
- Submit the header file and keyfile to IT for recovery purposes
- Zip your random keyfile and your backed-up header. We have provided the password in this document. To ‘Zip’ a file, find the files in My Computer. Right-click on the files and select Send to – Compressed (zipped) folder.
- Rename the zipped file with your username and the drive letter (i.e. usernameM).
- Go to START, RUN. Open the folder \\uwapps\Encryption. You can now click and drag the zipped folder of your header information (created in Step 13) to the ClientKeyfiles folder in the \\uwapps\Encryption folder.
Note: you will not be able to open this folder or to retrieve your files. Please disregard any errors that allude to such. This is for the security of your data. Only IT domain administrators (not your user consultants) have access to this data. If you ever recreate a drive, you will have to submit the new files to IT. In the case of recovery, IT will verify your identity before providing the files to unlock your data. If you do not provide, or provide the wrong files, IT has no way to retrieve your data.
How to Create and Use a TrueCrypt Partition/Device
Instead of creating file containers, you can also encrypt physical partitions or drives (i.e., create TrueCrypt device-hosted volumes). To do so, repeat the steps 1-9, but in the step 3 select the second or third option, and in all relevant steps, instead of clicking Select File, click Select Device.
Frequently Asked Questions
Also see: http://www.truecrypt.org/faq.php and \\uwapps\Encryption\Install Files\UW Documents\Encryption FAQ.doc
Why should we encrypt at all?
Security is an evolving process. As security gets tighter, the attacks are more advanced, and vice versa. Over the years, security experts have found limits with certain security protocols and have lessened the problem. For example, consider the following progression of a confidential file on a network server:
- A file is placed on a server.
Attack: malicious user directly accessing the file.
- An access control list is placed on the file.
Security: discretionary access.
Attack: con a valid user to read it, hack an admin account to access the file directly.
- The file is encrypted from non-authorized users without a key.
Attack: con a valid user to read, hack an admin account to hijack, create keyfile (hard), or get keyfile (easy).
- The key for the file is removed and placed elsewhere: the process starts over again, protecting the key.
Security is never 100% (unless usability is 0%). Security comes in part by increased layers of indirection, with the hope that an event will be triggered at some level. Encryption is a deterrent, not a proven method. The secure period for encryption may be 100+ years, but still, it is not infinite.
What can we do to prevent theft?
First and foremost, follow other established security guidelines.
- Practice good physical security. Physically control who has access to your computer.
- Don't leave passwords lying around (under the keyboard, on the whiteboard, or on the monitor).
- Lock your office when not there.
- Make sure that your computer is in a place that it is difficult to open. (Not on top of the desk with nothing around it)
- Choose good passwords that combine letters, numbers, and symbols.
- Choose to limit the data stored on your computer.
- Store confidential files in secure places.
- Limit access to your computer whenever needed.
- If a task doesn’t require admin privileges, don’t use them.
- Don’t allow modification of log files.
- If you are not using software, turn it off/uninstall it.
For instance, if you are not currently accessing your TrueCrypt files, don’t have your TrueCrypt drives mounted. If the drive is not mounted, your access keys may not be in memory, and are unavailable for the cold-boot drive encryption attack.
The idea is to make it harder for thieves to steal data.
Can my computer be 100% safe?
Unfortunately, NO! A computer that is 100% safe is 100% unusable. A 100% safe computer will be protected from physical threats (fire, flood, failure, EM fluctuations, etc), user security (unauthorized access, admins, backup tape handlers, etc) and logic security (OS, Antivirus, accidental delete scripts, etc). Computer experts can in no way predict and prevent all possible security problems and allow user access at the same time.
Thieves will generally go for the easiest way to get something. Breaking encryption is hard. Obtaining a key to unlock encryption is much easier. Safeguarding the keys will help secure data.
Reviewed: 0809 By: GG, DR