In the meantime I had heard about TrueCrypt, an open-source disk encryption package for Windows and Linux. It's free! I must admit that after I downloaded it, I needed some time to get my mind around it.
Here are the basics:
- Using the TrueCrypt application you create a large "container" file on your system, larger than you will need to hold your encrypted files. It can be on any read/write disk, even a memory stick, and is initially filled with random data.
- The container file can be copied, moved, deleted, or renamed just like any other file. It's not fragile. It can have any name and any file extension. You can have more than one.
- With the TrueCrypt application, you mount that container file as a disk volume with its own drive letter. You choose the letter.
- The TrueCrypt application runs in the background and manages TrueCrypt volumes.
- Within the TrueCrypt volume you create folders, or copy them in, and create or copy in any files that ought to be encrypted. A TrueCrypt volume behaves exactly like any other disk, even though it's really just a file on your hard drive or mem stick. Every file within it is totally encrypted, including file names and even its file system.
- Unused space in the TrueCrypt container file is filled with random data which cannot be distinguished from actual encrypted files.
- When you open an encrypted file in an application, such as a word processor or graphic editor, the file is decrypted on the fly so that the application sees it decrypted.
- The file is never decrypted on disk, however, unless the application keeps temporary backup copies, and of course you should tell your applications to keep those in an encrypted volume too.
- Backup of encrypted data is easy: Just dismount the encrypted volume and copy its container file, still encrypted, to the backup medium.
- If the backup medium is another disk, mem stick, DVD, or CD-ROM, you can actually mount that backup container file whenever you want without ever copying it back to the original hard disk.
That's the simple view of TrueCrypt. There is lots more. For example:
- Anyone examining your system or your disk can tell that you use TrueCrypt, and can probably even identify the container files.
- However, you can host a TrueCrypt volume within another TrueCrypt volume in a manner that makes the internal volume both hidden and undetectable even if the outer volume is mounted and visible. Really cool. The TrueCrypt people call this "plausible deniability," and consider it quite important.
- Example: An adversary points a gun at you and demands to see your encrypted files. You can give them the password to the outer encrypted volume without ever revealing that an inner, hidden volume even exists. It's invisible. I don't actually see the need for a hidden volume in my business, but evidently some folks do.
- You can host a TrueCrypt volume on a public computer, or another person's computer, without installing any software on that computer, so your encrypted files are portable.
- You can tell TrueCrypt to mount certain TrueCrypt volumes automatically at bootup, though you will be required to enter a password to complete the mounting process.
- TrueCrypt allows you to use any of eight different encryption algorithms and three different hash algorithms, making decryption by an adversary even more difficult.
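As an added example (not from the original post and not TrueCrypt's own code), here is a small Python entropy scan that illustrates two of the points above: a container looks like uniformly random data from end to end, which is exactly why it can be spotted on a disk, and the same check lets you verify that a container or its backup copy has no low-entropy, plaintext-looking regions. The inputs are constructed; `os.urandom` stands in for a real container file.

```python
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is
    equally likely, which is what encrypted or random data looks like."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_blocks(data: bytes, block_size: int = 4096, threshold: float = 7.5):
    """Walk the data in fixed-size blocks and return (offset, entropy) for
    every block below the threshold, i.e. regions that do not look random.
    A container built from random fill plus ciphertext should return []."""
    low = []
    for off in range(0, len(data), block_size):
        h = shannon_entropy(data[off:off + block_size])
        if h < threshold:
            low.append((off, round(h, 2)))
    return low


def looks_encrypted(data: bytes) -> bool:
    """True when the whole buffer is high-entropy; False if any block
    contains structure that a casual inspection could recognise."""
    return len(data) > 0 and not scan_blocks(data)


def scan_file(path: str):
    """Convenience wrapper for a real file on disk (hypothetical path)."""
    with open(path, "rb") as f:
        return scan_blocks(f.read())


# Constructed sample inputs, not real TrueCrypt containers.
RANDOM_CONTAINER = os.urandom(64 * 1024)           # random fill, as a container is
PLAINTEXT_RUN = b"Quarterly report, confidential.\n" * 512  # exactly 16384 bytes
# A container copy with 16 KiB of plaintext accidentally written at offset 16384.
LEAKY_CONTAINER = RANDOM_CONTAINER[:16384] + PLAINTEXT_RUN + RANDOM_CONTAINER[32768:]

if __name__ == "__main__":
    print("random container looks encrypted:", looks_encrypted(RANDOM_CONTAINER))
    print("leaky container low-entropy blocks:", scan_blocks(LEAKY_CONTAINER))
```

The low-entropy blocks reported for the leaky copy are the four 4 KiB blocks covering offsets 16384 to 32767; a clean container reports none.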