Tuesday, December 11, 2007

TrueCrypt Is Cool

My business requires me to safeguard the security of certain files. For years I have used Encrypted Magic Folders (EMF) from PC-Magic to encrypt those files, and to hide them from the view of an interloper. I loved it, because files were always encrypted on disk and yet were fully accessible to applications. However, when I upgraded to Vista 64, the new EMF crashed my system so completely that it was unbootable even in safe mode. I tried it twice, recovered twice with some difficulty, and gave up on EMF.

In the meantime I had heard about TrueCrypt, an open-source disk encryption package for Windows and Linux. It's free! I must admit that after I downloaded it, I needed some time to get my mind around it.

Here are the basics:
  • Using the TrueCrypt application you create a large "container" file on your system, larger than you will need to hold your encrypted files. It can be on any read/write disk, even a memory stick, and is initially filled with random data.
  • The container file can be copied, moved, deleted, or renamed just like any other file. It's not fragile. It can have any name and any file extension. You can have more than one.
  • With the TrueCrypt application, you mount that container file as a disk volume with its own drive letter. You choose the letter.
  • The TrueCrypt application runs in the background and manages TrueCrypt volumes.
  • Within the TrueCrypt volume you create folders, or copy them in, and create or copy in any files that ought to be encrypted. A TrueCrypt volume behaves exactly like any other disk, even though it's really just a file on your hard drive or mem stick. Every file within it is totally encrypted, including file names and even its file system.
  • Unused space in the TrueCrypt container file is filled with random data which cannot be distinguished from actual encrypted files.
  • When you open an encrypted file in an application, such as a word processor or graphic editor, the file is decrypted on the fly so that the application sees it decrypted.
  • The file is never decrypted on disk, however, unless the application keeps temporary backup copies, and of course you should tell your applications to keep those in an encrypted volume too.
  • Backup of encrypted data is easy: Just dismount the encrypted volume and copy its container file, still encrypted, to the backup medium.
  • If the backup medium is another disk, mem stick, DVD, or CD-ROM, you can actually mount that backup container file whenever you want without ever copying it back to the original hard disk.
[Image: TrueCrypt Application Window]
That's the simple view of TrueCrypt. There is lots more. For example:
  • Anyone examining your system or your disk can tell that you use TrueCrypt, and can probably even identify the container files.
  • However, you can host a TrueCrypt volume within another TrueCrypt volume in a manner that makes the internal volume both hidden and undetectable even if the outer volume is mounted and visible. Really cool. The TrueCrypt people call this "plausible deniability," and consider it quite important.
  • Example: An adversary points a gun at you and demands to see your encrypted files. You can give them the password to the outer encrypted volume without ever revealing that an inner, hidden volume even exists. It's invisible. I don't actually see the need for a hidden volume in my business, but evidently some folks do.
  • You can host a TrueCrypt volume on a public computer, or another person's computer, without installing any software on that computer, so your encrypted files are portable.
  • You can tell TrueCrypt to mount certain TrueCrypt volumes automatically at bootup, though you will be required to enter a password to complete the mounting process.
  • TrueCrypt allows you to use any of eight different encryption algorithms and three different hash algorithms, making decryption by an adversary even more difficult.
I love it, and in fact am using it for my encrypted files on my new computer. It works very well indeed, even on Vista 64. It is certainly no more trouble than EMF was, and backup is much simpler. It is far better than Windows Encrypted File System (EFS) because: (1) EFS files are always available when you log on, whereas TrueCrypt files require you to enter another password; and (2) EFS files cannot easily be backed up in their encrypted form. TrueCrypt is also much simpler than Windows BitLocker encryption, which requires you to partition your drive and poses some risk of losing the entire drive if something goes wrong.
