Thursday, June 15, 2006
TrueCrypt - Encrypted USB Drive
TrueCrypt comes in handy for securing external USB or Firewire drives. Especially when those drives are used for backups of sensitive files or if you are going to ship the drives from point A to point B. Or even if you are worried about someone swiping the drive and mounting it on another workstation to access files that you have stored there.
Plus, as long as you know the passphrase and/or have the keyfiles used to decrypt the volume, you can move the USB device from workstation to workstation without losing access to the content.
A. right-click on My Computer, choose "Manage"
B. Create the new partition on the USB drive
C. Create the TrueCrypt drive on the partition
Once the partition has been formatted with TrueCrypt you can then return to the TrueCrypt window and mount the drive to a drive letter. If this drive is always connected to the system you may wish to mount it upon login by making it a "favorite" volume in TrueCrypt.
Plus, as long as you know the passphrase and/or have the keyfiles used to decrypt the volume, you can move the USB device from workstation to workstation without losing access to the content.
A. right-click on My Computer, choose "Manage"
- Under "Storage", go to "Disk Management"
- Find the USB drive that you wish to convert to TrueCrypt (note that this will DESTROY all data on the USB drive)
- Remove any existing partitions / drive letters assigned to the USB drive.
B. Create the new partition on the USB drive
- Right-click, New Partition
- Create a "Primary" partition
- Use the entire drive (or only part of the drive if you wish)
- Do not assign a drive letter
- Do not format the partition
- Click "Finish", note the "Disk #"
C. Create the TrueCrypt drive on the partition
- Open up TrueCrypt, click on "Create Volume"
- Create a standard TrueCrypt volume
- Click on "Select Device" and choose the empty USB disk and partition
- Double-check that you've selected the correct device
- Encryption algorithm: AES, Hash: RIPEMD-160
- Size cannot be adjusted
- Enter your passphrase twice
- Begin the format (NTFS for anything over a few gigabytes)
Once the partition has been formatted with TrueCrypt you can then return to the TrueCrypt window and mount the drive to a drive letter. If this drive is always connected to the system you may wish to mount it upon login by making it a "favorite" volume in TrueCrypt.
Labels: Encryption, Security, TrueCrypt
Thursday, March 09, 2006
TrueCrypt - Basic Thoughts
Probably the easiest way to get started with on-the-fly encryption is to create a TrueCrypt volume file and mount that as a Windows drive letter. The volume file (i.e. "mydrive.tc") can be stored on any hard drive and can be easily backed up as long as the volume is not mounted. Controlling who can mount a volume can be limited by using either a passphrase and/or a set of "keyfiles".
Once you have created the volume, you can store files inside it (using the mounted volume's drive letter) just like you would store files on any regular hard drive, USB/Firewire drive, or network share. It's completely invisible to the application. This makes it ideal for storing application data such as e-mail, financial programs, or other sensitive data.
For starters, I recommend creating a volume file that is protected with only a passphrase. This file should be small enough to copy off to CD or DVD media as a periodic backup. The passphrase should be something easy to remember, but difficult to guess. Punctuation and mixed-case should be part of the passphrase.
Once you have a good passphrase, you should guard against its discovery or loss. A good way of doing this is to write the passphrase down on an 3x5 index card. Fold the card in half and place it inside a folded piece of letter-sized paper. Place all of that inside a security envelope (security envelopes have a printed pattern on the interior which is designed to make it difficult to shine light through the envelope to read the contents). Seal the envelope and write your name or information over the edge of the flap, then place clear packing tape over the flap edge. Store the envelope in a secure location such as a bank vault or document safe. You should be reasonably secure against someone opening it up without discovery.
Creating and mounting the volume file:
Now you are ready to mount your new volume:
Once you have created the volume, you can store files inside it (using the mounted volume's drive letter) just like you would store files on any regular hard drive, USB/Firewire drive, or network share. It's completely invisible to the application. This makes it ideal for storing application data such as e-mail, financial programs, or other sensitive data.
For starters, I recommend creating a volume file that is protected with only a passphrase. This file should be small enough to copy off to CD or DVD media as a periodic backup. The passphrase should be something easy to remember, but difficult to guess. Punctuation and mixed-case should be part of the passphrase.
Once you have a good passphrase, you should guard against its discovery or loss. A good way of doing this is to write the passphrase down on an 3x5 index card. Fold the card in half and place it inside a folded piece of letter-sized paper. Place all of that inside a security envelope (security envelopes have a printed pattern on the interior which is designed to make it difficult to shine light through the envelope to read the contents). Seal the envelope and write your name or information over the edge of the flap, then place clear packing tape over the flap edge. Store the envelope in a secure location such as a bank vault or document safe. You should be reasonably secure against someone opening it up without discovery.
Creating and mounting the volume file:
- Open up the TrueCrypt window.
- Click the "Create Volume" button, this opens up the TrueCrypt Volume Creation Wizard
- Create a standard TrueCrypt volume, click "Next"
- Pick a location for your volume file. I would recommend an easy to locate folder such as C:\ or C:\Data. Give the file a reasonable name that is not overly specific (i.e. "ZDrive.tc"). You can use a file extension other then ".TC", but a determined attacker will be able to find out which files are TrueCrypt volumes anyway. Click "next" once you have specified where the volume file will be created.
- Choose your encryption and hash algorithms. The defaults (AES and RIPEMD-160) are generally good enough. Click "Next" when done.
- Enter your volume size. 650MB (CD-sized) or 4050MB (DVD-sized) are good values which allow you to easily backup your volume file to optical media. You can always create another, larger, volume later and copy your data from the old one to the new one. Click "Next" when ready.
- Enter your passphrase that you picked earlier. Click "Next" when ready.
- Now you are ready to format the encrypted volume. For smaller volumes (less then 1GB), I would recommend FAT. Click "Format" when finished.
- Click "Exit" to leave the wizard.
Now you are ready to mount your new volume:
- In the "Volume" section at the bottom of the TrueCrypt window, click on the "Select File..." button.
- Browse to and select your volume from the list.
- Choose an unused drive letter in the upper window.
- Click on the "Mount" button.
- You will be prompted to enter your passphrase for the volume.
- You may now start copying data to your new encrypted volume.
Labels: Encryption, Security, TrueCrypt
Sunday, March 05, 2006
TrueCrypt
I've been looking for a good disk encryption system for a while. In the past few years, I've been using PGP's PGPDisk tool with good success, but there have been a few annoyances.
- Difficulty interacting with WindowsXP, drives have to be mounted at bootup or they won't show up after being mounted. This made it difficult to keep PGP volumes on DVD-R for ad-hoc mounting to refer to information contained within the encrypted disk.
- PGPDisk does not remember how to mount disks at the previously mounted drive letter. (Something that DriveCrypt did very well.)
- Pricing. The PGP suite with PGPDisk has gotten more and more expensive over the years. It used to be available for well under US$100 with no subscription but now costs US$80/yr for each user. That cost precludes using it for more then a handful of users.
So, with all that in mind, I've been looking at TrueCrypt which is a replacement for the PGPDisk tool. It offers the same functionality, but is open-source and free.
Note: Disk encryption works in two ways.
1) You create a file on your hard drive that contains a virtual drive. The PGPDisk / TrueCrypt / DriveCrypt software allows you to mount this file as a drive letter on your system. Any data inside of that virtual drive is encrypted on the fly. When the drive is not mounted, the data is safe from prying eyes.
2) You create an encrypted partition on a dedicated hard drive (or a partition on a hard drive). This is called "whole disk encryption" by some vendors. It has some advantages over the file-based method but mostly works in an identical manner.
...
So why should someone use disk encryption?
The easiest scenario to sell is with someone who uses Quicken or MS Money to manage their finances. This is the primary reason that I started using disk encryption back in 2000. Since I keep my Quicken program on my laptop, I want to protect my financial data in case the laptop gets stolen. By storing my Quicken files inside of an encrypted volume that is rarely mounted, a thief who steals the laptop will not have access to those files.
In addition, if the hard drive fails, I don't have to worry about getting it back up and running to wipe the data before getting a replacement.
- Difficulty interacting with WindowsXP, drives have to be mounted at bootup or they won't show up after being mounted. This made it difficult to keep PGP volumes on DVD-R for ad-hoc mounting to refer to information contained within the encrypted disk.
- PGPDisk does not remember how to mount disks at the previously mounted drive letter. (Something that DriveCrypt did very well.)
- Pricing. The PGP suite with PGPDisk has gotten more and more expensive over the years. It used to be available for well under US$100 with no subscription but now costs US$80/yr for each user. That cost precludes using it for more then a handful of users.
So, with all that in mind, I've been looking at TrueCrypt which is a replacement for the PGPDisk tool. It offers the same functionality, but is open-source and free.
Note: Disk encryption works in two ways.
1) You create a file on your hard drive that contains a virtual drive. The PGPDisk / TrueCrypt / DriveCrypt software allows you to mount this file as a drive letter on your system. Any data inside of that virtual drive is encrypted on the fly. When the drive is not mounted, the data is safe from prying eyes.
2) You create an encrypted partition on a dedicated hard drive (or a partition on a hard drive). This is called "whole disk encryption" by some vendors. It has some advantages over the file-based method but mostly works in an identical manner.
...
So why should someone use disk encryption?
The easiest scenario to sell is with someone who uses Quicken or MS Money to manage their finances. This is the primary reason that I started using disk encryption back in 2000. Since I keep my Quicken program on my laptop, I want to protect my financial data in case the laptop gets stolen. By storing my Quicken files inside of an encrypted volume that is rarely mounted, a thief who steals the laptop will not have access to those files.
In addition, if the hard drive fails, I don't have to worry about getting it back up and running to wipe the data before getting a replacement.
Labels: Encryption, Security, TrueCrypt
Monday, February 20, 2006
Cryptography, Security and Privacy
infoAnarchy Wiki
Eraser - File Wipe Tool (Note: I would recommend not using the new 5.8 beta until all the bugs are worked out.)
Wikipedia - File Wiping
Also, the GnuPG folks have upgraded their tools to be a little more integrated with Windows. See GPG4Win which includes WinPT, GPG and a few other tools collected into an easy to use and easy to install package. It's a lot nicer then the old system where WinPT called the commandline version of GnuPG.
...
Encryption 101
TrueCrypt - allows you to create "virtual" hard drives where the contents are fully encrypted. The simplest method is to create a virtual drive as a file on a hard drive. This file is then mounted and assigned to a drive letter. Once mounted, applications can use it just like any other drive with no compatibility issues. These drives are typically protected by pass phrases that you type in to mount the drive. Virtual drives can be configured to automatically dismount after a period if inactivity.
GPG4Win - e-mail / clipboard / file encryption. Requires the creation of a public/private keypair. The public key can be published and does not need to be kept secret at all (in fact, it's most useful when public). The private key needs to be kept secure and protected with a strong passphrase. Items encrypted with the public key can only be decrypted with the private key. For e-mail, someone would encrypt the contents of the e-mail with your private key, send it to you with the assurances that only you can decrypt the contents of the message (using your private key). In addition, messages can be encrypted with multiple public keys allowing them to be decrypted by any of the matching private keys (one message, multiple recipients). Individual files can also be encrypted by GPG/PGP, but must be decrypted before use.
Windows EFS (Encrypting File System) - A component of Windows 2000 / Windows XP. It allows you to flag individual folders or files on a hard drive for encryption on-the-fly. This allows you to work with encrypted files without having to manually decrypt/re-encrypt them. The downside is that it's difficult to backup the EFS keys, the keys can be compromised easily, and if the host O/S dies or is reinstalled you will lose access to the files. Mostly useful as a slight speedbump or in cases where you are concerned about data being left on a dead hard drive after it fails. Data kept safe using EFS must be backed up regularly (such as copying it to a TrueCrypt volume) in order to avoid data loss.
...
Practical uses:
A) Encrypted USB backup drive. I have a USB hard drive hooked up to my laptop. This drive contains a single TrueCrypt volume that I mount at login and use as a backup target every few hours. So if the laptop dies, I just install TrueCrypt on the new laptop/hard drive, mount the backup drive, and I can restore my data. But I don't have to worry about anyone else getting at the data and restoring it.
B) Encrypted volume on my laptop's hard drive. I have financial data stored on my laptop (since it's my primary machine). Needless to say, if someone were to steal my laptop, I worry greatly about their access to that information. So I have a TrueCrypt volume file in the root of my C: (C:\Personal.tc) that I mount to a drive letter whenever I need to access my financial records. In order to keep this data safe, I periodically copy the TC file to another drive or to CD-R.
Eraser - File Wipe Tool (Note: I would recommend not using the new 5.8 beta until all the bugs are worked out.)
Wikipedia - File Wiping
Also, the GnuPG folks have upgraded their tools to be a little more integrated with Windows. See GPG4Win which includes WinPT, GPG and a few other tools collected into an easy to use and easy to install package. It's a lot nicer then the old system where WinPT called the commandline version of GnuPG.
...
Encryption 101
TrueCrypt - allows you to create "virtual" hard drives where the contents are fully encrypted. The simplest method is to create a virtual drive as a file on a hard drive. This file is then mounted and assigned to a drive letter. Once mounted, applications can use it just like any other drive with no compatibility issues. These drives are typically protected by pass phrases that you type in to mount the drive. Virtual drives can be configured to automatically dismount after a period if inactivity.
GPG4Win - e-mail / clipboard / file encryption. Requires the creation of a public/private keypair. The public key can be published and does not need to be kept secret at all (in fact, it's most useful when public). The private key needs to be kept secure and protected with a strong passphrase. Items encrypted with the public key can only be decrypted with the private key. For e-mail, someone would encrypt the contents of the e-mail with your private key, send it to you with the assurances that only you can decrypt the contents of the message (using your private key). In addition, messages can be encrypted with multiple public keys allowing them to be decrypted by any of the matching private keys (one message, multiple recipients). Individual files can also be encrypted by GPG/PGP, but must be decrypted before use.
Windows EFS (Encrypting File System) - A component of Windows 2000 / Windows XP. It allows you to flag individual folders or files on a hard drive for encryption on-the-fly. This allows you to work with encrypted files without having to manually decrypt/re-encrypt them. The downside is that it's difficult to backup the EFS keys, the keys can be compromised easily, and if the host O/S dies or is reinstalled you will lose access to the files. Mostly useful as a slight speedbump or in cases where you are concerned about data being left on a dead hard drive after it fails. Data kept safe using EFS must be backed up regularly (such as copying it to a TrueCrypt volume) in order to avoid data loss.
...
Practical uses:
A) Encrypted USB backup drive. I have a USB hard drive hooked up to my laptop. This drive contains a single TrueCrypt volume that I mount at login and use as a backup target every few hours. So if the laptop dies, I just install TrueCrypt on the new laptop/hard drive, mount the backup drive, and I can restore my data. But I don't have to worry about anyone else getting at the data and restoring it.
B) Encrypted volume on my laptop's hard drive. I have financial data stored on my laptop (since it's my primary machine). Needless to say, if someone were to steal my laptop, I worry greatly about their access to that information. So I have a TrueCrypt volume file in the root of my C: (C:\Personal.tc) that I mount to a drive letter whenever I need to access my financial records. In order to keep this data safe, I periodically copy the TC file to another drive or to CD-R.
Labels: Encryption, GnuPG, Security, TrueCrypt, WindowsEFS
Sections:
Recent posts:
Samba3: Upgrading to v3.2 on CentOS 5
LVM Maximum number of Physical Extents
Xen - Issues with Windows DomU client clocks
Update #1 to Current frustrations with Thunderbird...
Current frustrations with Thunderbird
Annual Index:
Monthly archives:
2003/04
2003/05
2003/06
2003/07
2003/08
2003/09
2003/10
2003/11
2003/12
2004/01
2004/02
2004/03
2004/04
2004/05
2004/06
2004/07
2004/08
2004/09
2004/10
2004/11
2004/12
2005/01
2005/02
2005/03
2005/04
2005/05
2005/06
2005/07
2005/08
2005/09
2005/10
2005/11
2005/12
2006/01
2006/02
2006/03
2006/04
2006/05
2006/06
2006/07
2006/08
2006/09
2006/10
2006/11
2006/12
2007/01
2007/02
2007/03
2007/04
2007/05
2007/06
2007/07
2007/08
2007/12
2008/01
2008/03
2008/04
2008/05
2008/06
2008/07
2008/08
2008/09
2008/10
2008/11
2008/12
2009/01
Copyright 2003-2006, Thomas G. Harold, All Rights Reserved
