Please note that this tutorial does not attempt to explain the concept of cryptography. Read more on cryptography and encryption before you proceed if it is an unfamiliar concept to you. The tutorial will assume that you understand the basic concepts and importance of cryptography.
From bank account information to intimate personal letters, from company secrets to diaries, and from incriminating documents to MP3 collections -- we all have things that we'd prefer be kept private to us, and to us alone. To protect such things in the physical world, we use strong safe boxes that open only when introduced to the correct key. Protecting such data in the digital world is a very similar concept.
In this tutorial I will examine how to encrypt files using a program called TrueCrypt. TrueCrypt is a free, open-source encryption program that has won the respect and praise of many experts in the field of cryptography. It is currently maintained by a group of anonymous programmers who have shown themselves to be quite crypto-savvy over the time they have managed the TrueCrypt project.
This tutorial has been split into several main sections.
- General Overview -- The concept of how TrueCrypt works.
- How to Create Encrypted Volumes -- Creating an encrypted container to hold your encrypted data.
- How to Use Encrypted Volumes -- Using an encrypted container once it has been created.
- What's Better? -- This is a more comprehensive breakdown between the advantages of file volumes vs physical volumes, standard volumes vs hidden volumes, and keyfiles vs no keyfiles. (For clarity's sake, I skim over these topics when they are first introduced so they can be covered more extensively in their own section.)
- Tips -- My personal tips for helping you get started learning all that TrueCrypt has to offer.
- FAQ -- Answering the questions you are most likely to have.
General Overview:
Unlike the physical world, in the digital world it is impossible to create a literal physical safe box to store data in. Instead, we create what you might call a "virtual" safe box. In the physical world, objects are placed in a single container, such as a safe. This safe acts as a singular entity and binds all the objects in it together, separating the objects from the rest of the world by strong walls, walls that will open only when presented with the correct key. Likewise, in the digital world, data placed in a "virtual box" will be placed into a single container, which acts like a safe. This "virtual safe" acts as a singular entity and binds all the data in it together, separating the data from the rest of the world by a strong algorithm that scrambles the original data values so that they are not recognizable unless you have the right key that can descramble the data.
This safe box concept is the idea behind encrypted volumes, which is the method TrueCrypt uses for encryption. There are programs that exist for encrypting a single file individually, but managing encrypted files individually is not always reasonable. Oftentimes many, many files must be encrypted, and they must be viewed, edited, added to, and subtracted from, frequently. Each file could be manually managed, but it would take a lot of time (and could even cause technical difficulties) to do so. And when you have, say, an entire hard drive full of files that need to be encrypted, it's not even humanly possible to attempt to manage them individually. Thus, the solution is to mass-manage them together in one encrypted safe box, aka, an encrypted volume.
There are two types of encrypted volumes: files and partitions. With a file, the encrypted volume will be nothing but an ordinary computer file containing the encrypted data placed in it. This file can be copied across drives, uploaded over a network, anything that can be done with a normal computer file. (You could think of it as being basically just like a ZIP or RAR archive, as the concepts of volumes and archives are very similar.) With a partition, the encrypted volume will be a literal partition on your hard drive, and it will behave just like one.
Don't be intimidated by the fact that you'll be using volumes -- dealing with encrypted volumes is very simple.
First, you choose the volume you wish to encrypt, whether it be a file or a partition. Then you specify how large you want the given volume to be and some of the encryption details you want to use (more on these later). Last, you specify a password key that will be used to encrypt the volume. This key will not be stored in any way in the volume, so it is unrecoverable. TrueCrypt then creates the specified volume with the details you provided and encrypts the drive. It then writes some encrypted data to the header section of the volume. Of specific interest, in the header there exists something called the "master key". This master key is what is actually used to encrypt the contents of the volume. The key you entered is used to decrypt the master key, and the master key is used to decrypt the volume. (Meaning that changing your text key doesn't mean the entire volume has to be decrypted and re-encrypted with the new key; just the small header part needs to be.)
After the volume has been created and encrypted, you can easily use it by mounting it with TrueCrypt. To mount a volume, all you have to do is select the volume and provide the original password. Once the volume has been mounted, it will appear as a normal drive in Windows (or Linux) and you can treat it just like one in all regards. You can copy files to it, delete files from it, edit files in it, run programs from it, etc. As far as your operating system is concerned, this drive is just like any other drive it manages.
Everything moved to the mounted encrypted volume is automatically encrypted, and everything read from it is automatically decrypted. When a volume is mounted, TrueCrypt acts as a middle-man between the operating system and the actual volume, similar to how virtual disk drive emulators, such as Daemon Tools, act. Encrypting a file to an encrypted volume is as simple as copying the file to that "drive" via your operating system, because TrueCrypt manages access to the virtual drive and will intercept the data and encrypt it before physically writing it to the volume. Similarly, decrypting the file is just as simple as accessing the file, because TrueCrypt will intercept the data as it's being read from the volume and decrypt it before passing it along to whatever application asked for it. When the volume is mounted, encrypting/decrypting files is as simple as drag-n-drop, or even just accessing data normally.
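The password / master key relationship described in this overview can be modelled in a few lines. This is an added example, not TrueCrypt's code and not part of the original tutorial: the HMAC-based keystream is a toy stand-in for the real cipher, and the header layout (a salt followed by an encrypted "TRUE" marker and the master key), the iteration count and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAGIC = b"TRUE"      # marker inside the encrypted header (model assumption)
SALT_LEN = 64        # random salt stored in the clear at the start of the header
ITERATIONS = 2000    # illustrative PBKDF2 work factor


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stand-in for the real block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _header_key(password: bytes, salt: bytes) -> bytes:
    # The password is never stored; it is only stretched into a header key.
    return hashlib.pbkdf2_hmac("sha512", password, salt, ITERATIONS, dklen=32)


def wrap_master_key(password: bytes, master_key: bytes) -> bytes:
    """Build a header: salt || Enc(header_key, MAGIC || master_key)."""
    salt = os.urandom(SALT_LEN)
    body = MAGIC + master_key
    stream = _keystream(_header_key(password, salt), b"header", len(body))
    return salt + _xor(body, stream)


def unwrap_master_key(password: bytes, header: bytes):
    """Return the master key, or None when the marker does not decrypt."""
    salt, encrypted = header[:SALT_LEN], header[SALT_LEN:]
    stream = _keystream(_header_key(password, salt), b"header", len(encrypted))
    body = _xor(encrypted, stream)
    return body[len(MAGIC):] if body[:len(MAGIC)] == MAGIC else None


def crypt_sector(master_key: bytes, index: int, data: bytes) -> bytes:
    """Encrypt or decrypt one sector with the master key (XOR is symmetric)."""
    return _xor(data, _keystream(master_key, index.to_bytes(8, "big"), len(data)))


def create_volume(password: bytes, plaintext_sectors):
    master_key = os.urandom(32)  # random, independent of the password
    sectors = [crypt_sector(master_key, i, s) for i, s in enumerate(plaintext_sectors)]
    return {"header": wrap_master_key(password, master_key), "sectors": sectors}


def mount(password: bytes, volume):
    master_key = unwrap_master_key(password, volume["header"])
    if master_key is None:
        # A wrong password and a file that is not a volume look identical here.
        return None
    return [crypt_sector(master_key, i, s) for i, s in enumerate(volume["sectors"])]


def change_password(old: bytes, new: bytes, volume):
    master_key = unwrap_master_key(old, volume["header"])
    if master_key is None:
        raise ValueError("old password does not open this header")
    # Only the header is rewritten; the encrypted sectors are reused as-is.
    return {"header": wrap_master_key(new, master_key), "sectors": volume["sectors"]}


def demo():
    # Constructed sample data standing in for files on the volume.
    data = [b"secret diary page".ljust(32), b"bank statement".ljust(32)]
    volume = create_volume(b"old passphrase", data)
    rekeyed = change_password(b"old passphrase", b"new passphrase", volume)
    return {
        "sectors_untouched": rekeyed["sectors"] == volume["sectors"],
        "header_rewritten": rekeyed["header"] != volume["header"],
        "new_password_mounts": mount(b"new passphrase", rekeyed) == data,
        "old_password_rejected": mount(b"old passphrase", rekeyed) is None,
    }


if __name__ == "__main__":
    print(demo())
```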
How To Create Encrypted Volumes:
This is a walk-through for creating an encrypted volume, regardless of whether the volume is a file or partition. Windows users, note that you must have admin privileges to use TrueCrypt.
- (This first step is only for file volumes. If you are using a partition, skip this step.) Create a file to use as the encrypted volume -- it can be a new text document, a recycled old PDF, it doesn't matter. Just note that the file's original contents will be overwritten and lost. This file you create/choose will be the file you will use as your encrypted volume.
- Open TrueCrypt and select the "Create Volume" option. (Click "Next".)
- Select the "Create a standard TrueCrypt volume" option. (It is possible to create a "hidden" volume only if you are creating it in a location where a standard volume already exists. More on hidden volumes follows later.) (Click "Next".)
- File volume: Click "Select File" and find the file you created in the first step.
Partition volume: Click "Select Device" and choose the drive/partition you wish to encrypt. You can select an entire drive or just a partition. However, if you wish to encrypt an entire drive, it is recommended that you first create a normal partition on the entire drive, then encrypt that partition, as opposed to just encrypting the drive itself directly. There is no difference security or usability-wise, but it can avoid problems where Windows will automatically try to initialize a disk that it doesn't detect to be formatted.
Don't forget that, either way, all data on the drive / in the file you choose will be lost! (Click "Next".)
(A comprehensive comparison between the advantages/disadvantages of using file volumes and physical device volumes can be found later in this tutorial.)
- Select the encryption algorithm you wish to use. While selecting the perfect algorithm is a very complex subject, suffice it to say that there is no wrong choice here because all algorithms TrueCrypt employs have been professionally created, tested, and approved. The "official" recommendation, however, is AES, as it is currently accepted by the general security community as the most secure algorithm in today's world, with Twofish probably being the closest runner-up. You will note that some of the algorithms consist of two names separated by a dash, such as "AES-Blowfish" -- these options mean that both of the algorithms will be used in the order they are listed. While using two, or even three, layers of encryption is unnecessary, it may be a prudent precaution for anyone who either knows they have very smart and powerful adversaries, or is just plain paranoid.
- Below the choice of encryption algorithms, there is a choice to select the hashing algorithm to be used. Again, there is no wrong answer. These hashes won't be used to actually store or authenticate data, so don't worry about that. (The fact that MD5 and SHA-1 have been somewhat compromised is not of any concern at all in this specific context.) (Click "Next".)
- Next you will need to determine how large the encrypted volume should be. This size will be permanent and cannot be changed, so choose a size that provides as much space as you may ever need. (Unused space on the volume will always be filled with random garbage, so if you're dealing with a file volume its size will always be the same, regardless of how much data you're actually storing in there.) (Click "Next".)
- At last, we have arrived at the step you have no doubt been anticipating all along: The step where you get to choose your key. This is, obviously, the most critical step. In addition to using a user-entered text key, you also have the option to add "keyfiles" to your key. Keyfiles are normal computer files that have their first 1 KB of data combined with your normal keyboard-entered password, providing an enhanced password. You do not have to use keyfiles if you do not want to. (A comprehensive comparison between the advantages/disadvantages of using keyfiles can be found later in this tutorial.) If you do want to use keyfiles, check the "Use Keyfiles" box then click the "Keyfiles" button. Use the "Add File" button to add individual files to the keyfile list, and use the "Add Path" button to add entire directories of files. If you want to generate a new file exclusively for the purpose of serving as a keyfile, click "Generate Random Keyfile" in the bottom-right corner, save the random file, then select it with "Add File". (Click "Next".)
- Finally, choose which file system and cluster size you wish the volume to use to store data. Unless you're familiar with file systems and cluster sizes, I'd recommend keeping the cluster setting at whatever TrueCrypt recommends by default. Use FAT32 or NTFS depending on the size of volume you've created. (Note that NTFS does not support hidden volumes, so you can't add one later.)
- Below the file system settings, there will be a random data pool with a long hexadecimal string that keeps changing. This is some of the random data that will be used in the encryption process (specifically, it will be related to the IV), and the master key that will be used for encryption (this key will be automatically managed, all you have to remember is the key you originally entered and whatever keyfile(s) you used). All mouse and keyboard activity you generate in the window will add to the entropy of the data, so be sure to wave the mouse around at least a few times for good measure.
- Next there is a checkbox that gives you the option to perform a quick format. A quick format will only initialize the file system of the volume and will be much faster. Leaving the quick format choice off will perform a full format, in which random data will be written to every bit (literally) of the volume. Doing this ensures that, at a later time, an attacker looking at the contents of the encrypted volume will not be able to tell how much data is in the volume and where it's stored, because encrypted data looks exactly like random data. Not performing a full format means that it is likely the unused portions of the volume will not contain random-looking data, and an attacker will be able to make decent guesses as to how much data is stored in the volume. (This may not seem like a big deal, but the smallest bit of information can sometimes be way more than you want an adversary to know. For example, if they know you're only storing one file in the volume, and they can figure out exactly how big it is, that may tell them everything they want to know about it. Always perform a full format unless you know that the volume is already full of random data, such as when you are re-formatting an existing volume.)
- When you are done, click "Format" to create the new encrypted volume. When the format process has completed, click "Exit" if you do not wish to encrypt another volume, or "Next" to create another volume using these same steps.
NOTE: When TrueCrypt creates an encrypted volume, it encrypts the entire volume, including the file system. This means that, if the encrypted volume is a physical drive/partition, when you connect the drive to your computer, your operating system will not recognize the drive as formatted and will not be able to read from or write to it. This is how it is supposed to be, the only way to access the volume is through TrueCrypt -- so don't panic. And above all, don't take Windows' suggestion to format the disk, as this will erase everything on it.
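To see why the quick format step above leaks information, the following added example (not part of the original tutorial or of TrueCrypt) measures byte entropy block by block over two simulated file volumes. The container layout is a simplification: ciphertext is modelled with random bytes, the quick-formatted volume keeps the old contents of the recycled file in its unused space, and the block size, threshold and function names are assumptions.

```python
import math
import os
from collections import Counter

BLOCK = 4096      # analysis granularity in bytes (assumption)
THRESHOLD = 7.5   # bits per byte; a 4 KiB block of random data scores about 7.95

# Constructed stand-in for whatever the recycled file held before it became a volume.
OLD_CONTENTS = b"Quarterly report draft. Nothing to see here. "


def shannon_entropy(block: bytes) -> float:
    """Entropy of the byte distribution in bits per byte (0.0 to 8.0)."""
    total = len(block)
    counts = Counter(block)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def build_container(total_blocks: int, used_blocks: int, full_format: bool) -> bytes:
    """Simulate a file volume holding `used_blocks` blocks of encrypted data."""
    size = total_blocks * BLOCK
    if full_format:
        # Full format: every byte of the volume is overwritten with random data.
        container = bytearray(os.urandom(size))
    else:
        # Quick format: unused space still holds the file's previous contents.
        repeats = size // len(OLD_CONTENTS) + 1
        container = bytearray((OLD_CONTENTS * repeats)[:size])
    # Stored files are ciphertext, which is indistinguishable from random bytes.
    container[: used_blocks * BLOCK] = os.urandom(used_blocks * BLOCK)
    return bytes(container)


def random_looking_bytes(container: bytes) -> int:
    """Count the bytes that sit in blocks whose entropy looks like ciphertext."""
    hits = 0
    for offset in range(0, len(container), BLOCK):
        if shannon_entropy(container[offset:offset + BLOCK]) > THRESHOLD:
            hits += 1
    return hits * BLOCK


def compare(total_blocks: int = 16, used_blocks: int = 3):
    quick = build_container(total_blocks, used_blocks, full_format=False)
    full = build_container(total_blocks, used_blocks, full_format=True)
    return {
        "actual_data_bytes": used_blocks * BLOCK,
        # Quick format: the high-entropy region matches the stored data exactly.
        "quick_format_estimate": random_looking_bytes(quick),
        # Full format: the whole volume looks the same, so nothing is learned.
        "full_format_estimate": random_looking_bytes(full),
    }


if __name__ == "__main__":
    print(compare())
```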
How To Use An Encrypted Volume:
Once you've created an encrypted volume, you will no doubt need to actually use it. All management of the encrypted volume's contents must be done while the volume is mounted.
- Open TrueCrypt and look at the mid-bottom of the window for a rectangular region with the TrueCrypt logo on the left. On the right side there will be two buttons: "Select File" and "Select Device". Use the first button if you wish to mount an encrypted file, use the second to mount an encrypted drive/partition.
- Select the encrypted file/partition/device you wish to mount.
- Once the volume has been selected, look at the very top of the window and notice the long list of letters. These are all the drive letters that are either empty or currently being used by TrueCrypt. Select an unused drive letter to mount the volume as. This will be the drive letter the operating system assigns to it (and no, there is no need to always mount a drive under the same letter, unless there are shortcuts that point to that specific drive).
- When the volume and the drive letter to mount it as have been selected, click the "Mount" button at the bottom-left of the window. You will be prompted to enter the password/keyfile you used when you created the volume originally. (If you used a keyfile, you will need to locate it on the drive where it is stored.) If you present the correct key, the drive will be mounted. If you enter the incorrect password, you will be prompted to try again. (If you enter an invalid password several consecutive times, double check that the file you're trying to mount is actually an encrypted volume. Without a correct password, TrueCrypt has no way of knowing whether a volume is encrypted or not, and thus, if you're accidentally trying to mount a file/partition that is not encrypted, it has no way of informing you that you're on an impossible mission.)
- Once the drive has been mounted, you will see its basic stats listed next to its respective drive letter in the list of drive letters at the top. This list allows you to assess and access all of the encrypted volumes you're managing at a glance.
- To manage the contents of the volume you mounted, just use the drive like you would any other. Encrypt files by copying them to the drive, and decrypt files by reading them from the drive. You can access the drive yourself via "My Computer", or your programs can access the drive and write files to and/or read files from it. As far as Windows is concerned, it's a perfectly normal, average drive, and can be treated just like one. NOTE: Once a drive has been mounted, you do not need to leave the TrueCrypt program running in order to use the drive. Closing TrueCrypt will not dismount the drive. When you re-open TrueCrypt, it will still recognize the encrypted volume and you will be able to dismount the drive.
- When you're done using the volume, dismount it by hitting the "Dismount" button at the bottom. The drive will disappear into thin air and no longer be accessible. Simply shutting down the computer will unmount the volume, which will not be remounted when Windows starts again.
NOTE: It is possible that, while a disk is being used, some file contents that are being used will be stored in the computer's virtual memory. Since everything being read from the volume is automatically decrypted, and because virtual memory exists on the operating system's hard drive, this means that file contents stored in virtual memory will be stored unencrypted on the hard drive. This is obviously undesirable, so users are encouraged to disable their virtual memory systems before managing mass amounts of encrypted data. (Windows users: Start > Control Panel > System > Advanced > Settings > Advanced > (Virtual Memory) Change > No Paging File > Set.)
What's Better?
There are three important choices that you must make when creating an encrypted volume: You must choose between using a file or a physical device, a standard or hidden volume, and a password or a keyfile. Here, I will examine the pros and cons of both options for each of these choices in depth, as I skipped over these subjects earlier. I address these issues in what I believe to be the order of their importance.
Standard vs Hidden volumes:
A standard (also called "outer") volume is just a normal encrypted volume that TrueCrypt creates. The advantage of using standard volumes to house all your critical data is really just a disadvantage of hidden volumes (a double negative, in a way), so I will address it in the context of a hidden volume.
The disadvantage of using standard volumes is that any adversary analyzing a disk where an encrypted volume is stored would be able to detect the presence of encrypted data of some sort, because all of the data in that location will be conspicuously very random. If they know you have a copy of TrueCrypt, they would probably assume that you have a TrueCrypt encrypted volume in that "random" space. An adversary may then force you (by legal or physical means) to reveal your encryption key for the volume. If you comply (having your fingernails ripped out via pliers can be very motivating) and all your important data is in this volume, then all is lost.
This is where hidden (also called "inner") volumes enter the scene. Hidden volumes are encrypted volumes within encrypted volumes -- but they are impossible to detect. Thus, you can place your most important secrets in there and even if your standard volume is breached, the secrets in the hidden volume remain intact. This concept is called "plausible deniability".
It is possible to all but prove the actual existence of a standard volume, but it is impossible to prove the existence of a hidden volume. Thus, an adversary could potentially force you to reveal the key that decrypts the outer volume, but they would have no way of forcing you to reveal the key for the inner volume, because they do not even know that an inner volume exists. If they are familiar with TrueCrypt, they will know that the potential for an inner volume exists, but they have no proof that you have utilized this function.
Thus, by storing some semi-serious documents in the outer volume and the serious stuff in the inner volume, you can protect your most critical data even if the main volume is compromised. Hopefully the assailants will assume that they have found everything you have to offer, and not press beyond that.
Keyfile vs No Keyfile:
When creating a key for an encrypted volume, TrueCrypt offers the option to add to the text key (the key entered via keyboard into the prompt) by using keyfiles. Keyfiles are just normal computer files whose contents TrueCrypt adds to the normal text key. Together the keyfile and the text key are used to generate the master encryption key that would otherwise be generated from only the text key. There is no limit to the number of keyfiles that can be used. However, only the first 1024 bytes of each file are actually used (which are then compressed down to the maximum key length of 64 bytes), so data beyond those bytes is irrelevant.
The main disadvantage of using a keyfile is that it causes inconvenience. Since the keyfile is a part of the key, it must always be present when you wish to mount the volume. Thus, if you move the volume from one computer to another, you must find a way to transport the keyfile along with it. In addition, the keyfile must be kept secret, which introduces a range of security problems regarding how you can keep the keyfile itself physically safe. (This is for you to sort out on your own, as physical security is a totally different topic. All I'll say is that it might be wise to make use of floppies and to keep a heavy magnet close by. It might also be worth looking into a program called SecureTrayUtil.) Another disadvantage of using a keyfile is that if any of the file's first 1024 bytes are changed (due to any cause, including file corruption), it is impossible to mount the encrypted volume.
One major advantage of keyfiles is that they allow for an encryption key to be split up over more than just one user. If two people wish to encrypt a volume such that it is impossible for just one of them to decrypt it alone, they could both contribute a keyfile when creating the encryption key, and use both keyfiles when creating the volume's key. Then, the volume cannot be decrypted without the keyfiles of both people. Another advantage is that keyfiles protect against keylogging, because the keylogger will only log the part of the key entered via the keyboard, it will not detect the part of the key that is contributed by the keyfile.
The biggest advantage of using keyfiles is that they allow for the user to use a longer password with a more diverse byte value range. Creating a long, good password can be difficult to do ("long" here being at least 20 characters), especially if it's something that you have to mentally remember. Invoking keyfiles provides a way to easily use a long sequence of random values without having to remember them. Plus, the text password from the keyboard is limited to ASCII values, meaning that it is impossible to take advantage of a byte's full 256 value range. Using a binary keyfile allows you to inject more diverse byte values into the key. Thus, keyfiles allow for an easy way to use long, diverse keys.
In the end, the decision to use keyfiles or not is up to you. Before making your decision, consider what your text key will be (and how strong it is), how you will securely store/hide the keyfile, and how you might be able to securely transport the keyfile if needed. In the end, it's probably worth throwing a keyfile into the mix if you cannot think of a reason not to.
Do not rely on your keyfile, however, for good security. It is still highly recommended that you make your text key as good as possible. And yes, it is possible to use just a keyfile, with no text password, as the key, but this is strongly not recommended. If you need help creating a good password, I've written somewhat extensively on the subject.
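The keyfile properties discussed in this section (only the first 1024 bytes count, everything is folded down to 64 bytes, any damage to those bytes breaks the key, and two people can each hold one part) can be checked with a small model. This is an added example, not TrueCrypt's source or part of the original tutorial: the mixing function, a running CRC-32 added into a 64-byte pool that is then added byte-wise to the password, is an assumption used for illustration, as are the function names and the sample password.

```python
import os
import zlib

POOL_SIZE = 64         # keyfile data is compressed down to 64 bytes
KEYFILE_PREFIX = 1024  # only the first 1024 bytes of each keyfile are read


def keyfile_pool(keyfiles) -> bytes:
    """Fold the first 1024 bytes of every keyfile into one 64-byte pool."""
    pool = bytearray(POOL_SIZE)
    for content in keyfiles:
        crc, pos = 0, 0
        for byte in content[:KEYFILE_PREFIX]:
            crc = zlib.crc32(bytes([byte]), crc)  # running checksum of the file
            for part in crc.to_bytes(4, "big"):
                pool[pos] = (pool[pos] + part) % 256
                pos = (pos + 1) % POOL_SIZE
    return bytes(pool)


def combined_key(password: bytes, keyfiles=()) -> bytes:
    """Mix the typed password with the keyfile pool, byte by byte (mod 256)."""
    if len(password) > POOL_SIZE:
        raise ValueError("password longer than 64 bytes")
    padded = password.ljust(POOL_SIZE, b"\x00")
    pool = keyfile_pool(keyfiles)
    return bytes((p + k) % 256 for p, k in zip(padded, pool))


def demo():
    password = b"correct horse"   # constructed sample password
    alice = os.urandom(1024)      # constructed keyfile held by one person
    bob = os.urandom(1024)        # constructed keyfile held by another
    key = combined_key(password, [alice, bob])

    # Corruption of the last byte that is still inside the 1024-byte prefix.
    damaged = alice[:1023] + bytes([alice[1023] ^ 0x01])

    return {
        # Bytes past the first 1024 never reach the key.
        "tail_ignored": combined_key(password, [alice + b"A" * 500, bob]) == key,
        # One flipped bit inside the prefix yields a different key: no mount.
        "prefix_damage_changes_key": combined_key(password, [damaged, bob]) != key,
        # Neither person can rebuild the key with only their own keyfile.
        "alice_alone_fails": combined_key(password, [alice]) != key,
        "bob_alone_fails": combined_key(password, [bob]) != key,
        # A keylogger that captured the typed password still lacks the key.
        "typed_password_alone_fails": combined_key(password) != key,
        # The mixed key uses byte values a keyboard password cannot reach.
        "has_non_ascii_bytes": any(b > 127 for b in key),
    }


if __name__ == "__main__":
    print(demo())
```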
File vs Device volumes:
The main advantage of using files is that they're more flexible. You can copy them, delete them, and move them at will. This allows you to create backups, easily give copies to colleagues, and such. Another very important advantage is that it allows you to "hide" volumes as other files. Because encrypted volumes stick out as being suspicious to anyone analyzing the drive the volume is located on, you can stick a DLL extension on the end of an encrypted file volume, stick it in the Windows\system32 directory, and it may never be questioned as being valid -- hopefully. This trick has limitations, though, and obviously doesn't work for 900MB file volumes on a 1GB USB flash drive, and similar scenarios.
The disadvantage of using files is that whenever you move or copy the file, if you do not wish for the presence of the file to be detected, you have to securely delete the original file, otherwise it might be recoverable by someone else. The file will still be encrypted and unreadable to them (unless they have the password), but sometimes you don't even want another party to know that you have the encrypted file in the first place. And if you create a file volume larger than 4GB, it obviously won't be able to exist on a FAT32 file system, which may or may not inconvenience you. Also, if your volume becomes heavily fragmented, file volumes will run a bit slower (defragging can easily solve this, though).
Dealing with physical drives/partitions is slightly different. It prevents copies from easily being made, which can be a good thing if you have reason to want the data to remain in one and only one location.
It's not really a big deal which type of volume you choose. The only real issues are the ease of copying a volume, and the convenience of using it. Before creating the volume, you should consider whether or not you (or anyone) will want to copy it in the future, and how convenient it would be to manage a physical device instead of a file.
Tips:
As it is with any program, there are details about TrueCrypt that the new user might not notice. Hopefully this will help enhance your experience with TrueCrypt, although this is by no means a comprehensive list of all the goodies TrueCrypt offers. I won't explain how to do everything, you can figure that out on your own (remember, TrueCrypt has an official manual). Rather, I'll simply let you know that these options exist so that you know to research them on your own.
- TrueCrypt does not have to be installed on a machine in order to function. -- Because it can be annoying to install programs on every computer you need to use them on, and also because merely the presence of TrueCrypt residue on your system might give away more information to your opponents than you would like, TrueCrypt does not have to be installed in order to work. It can operate as a stand-alone set of executables. Thus, it is possible to run TrueCrypt on-the-fly from a USB flash drive (or even a floppy) without the bother of installation.
- Back up your encrypted volume's header. -- TrueCrypt offers a wonderful option to back up the critical, encryption-related data for a volume. Having a volume's header backed up is extremely handy if some accident (or malicious attack) occurs and changes part of the volume's encryption-related data. If the volume header were to be damaged in such an accident, you would be unable to mount the volume and retrieve whatever non-damaged portions still exist. But if you had a backup, you could simply use TrueCrypt to restore the header data from the backup data and you would be back in business.
- Keep a list of "favorite" volumes. -- If you have several (or even just one) encrypted volumes that you consistently need to mount, you can create a "favorites" list of all the volume locations and the drive to mount them as. Then you can simply select the option to mount all favorite volumes, and then just enter the key for each one, without having to manually select each volume and its drive letter.
- Do not upgrade the moment a new version comes out. -- You must fight your inner-geek tendencies to upgrade TrueCrypt the instant the newest version is released. This is because, tragically, TrueCrypt does not have a great track record of producing stable new releases. If you rush off to get the newest version, you may find yourself upgrading once or twice in the next couple weeks -- especially if the upgrade was to a whole new major version number. Give every new TrueCrypt release at least a week to be examined for flaws by the rest of the public before bothering to upgrade. I have nothing against TrueCrypt, it's just that there have been unstable releases in its past, but these errors are always corrected quickly.
FAQ:
This is a quick list of the most common, natural questions new users have about TrueCrypt.
- Q: How secure is TrueCrypt? Is it good enough to protect my very sensitive data?
A: TrueCrypt is recognized as one of the best encryption programs available to the public. It has been written, scrutinized, and heartily endorsed by many security experts (the fact that it is open source means any expert with the ambition has the ability to analyze TrueCrypt from the inside out - which is a big plus in security matters). The creators of TrueCrypt have done an excellent job thus far analyzing and improving upon potential weaknesses, and the program has a very loyal, intelligent following of users. All in all, TrueCrypt comes very highly recommended.
- Q: Is it possible to analyze a hard disk and determine for sure whether or not there is an encrypted file/partition?
A: No. Encrypted data looks just like random data, and the entire volume is encrypted, so no plaintext flags or marks exist that identify it as being encrypted. However, it is very unusual for existing files, and even drives, to be filled with perfectly random data. So an adversary would probably (and rightfully) assume that such a region contains encrypted data. I personally would recommend renaming an encrypted file volume to have a file extension that is known for containing basically random data, such as DLL. An adversary can always check to see if the file is indeed valid for the extension it is listed as, but if you put it in a non-conspicuous place (such as a system or a video game folder), hopefully it will be overlooked as nothing abnormal. Drives/partitions have no easy method of disguise.
- Q: I have a normal partition that I would like to encrypt, is it possible to convert it to an encrypted partition volume without losing my data?
A: No, the partition will have to be completely reformatted in order to be used as an encrypted volume. To convert a non-encrypted partition to an encrypted partition, you will need to copy all of your files to another location, encrypt the original partition, then copy all the files back. Programs like XXClone can aid you with this. You might even want to consider creating another encrypted volume to temporarily house the files you're copying while you format the original partition, so that the sensitive data is not left exposed. After you're completely done, depending on where you copied the files to, it might be smart to shred them using a program like Eraser.
- Q: Can I change my encryption key after I create an encrypted volume?
A: Yes, but only if you know the original key. There are no backdoors built into TrueCrypt, so your key is the only thing that can unlock the volume contents.
Yes, even I cannot go on forever on this subject. Hopefully I did not overcomplicate the process, as my only intention was to simplify it. But I will let the reader be the judge of that. In the end the concept is simple: Create a safe, create a key, open/close the safe adding/removing valuables as necessary.
I did not come close to covering all of the aspects of TrueCrypt that exist, but then, I didn't try to. Remember that TrueCrypt has an official user's manual (that covers everything I covered and more) and an extensive FAQ. Consult these if you plan to make good use of this fine program.
Any further questions you have can be directed at me (in a public venue, such as a forum, don't contact me privately) or at the fine gurus at the official TrueCrypt forums (I hang out there a bit as well).
And although I didn't touch on this subject during the tutorial, as it is long enough already, I must state, in closing, that the concept of encryption is very important. Information is power, and the ability to control information is power as well. The more you control what information you do/don't disseminate to others, the more power you reserve for yourself and deny to potential adversaries.
Encryption is the main (but not only) tool to limit information dissemination. Use it, value it, protect it, know it -- both your information and encryption techniques. Sometimes you don't fully appreciate how valuable your information is until it falls into the wrong hands. Don't let that happen to you.
Your geeky security nut,
This tutorial (as a potentially updated version) can also be located on my website.