TrueCrypt Is Cool

My business requires me to safeguard the security of certain files. For years I have used Encrypted Magic Folders (EMF) from PC-Magic to encrypt those files, and to hide them from the view of an interloper. I loved it, because files were always encrypted on disk and yet were fully accessible to applications. However, when I upgraded to Vista 64, the new EMF crashed my system so completely that it was unbootable even in safe mode. I tried it twice, recovered twice with some difficulty, and gave up on EMF.

In the meantime I had heard about TrueCrypt, an open-source disk encryption package for Windows and Linux. It's free! I must admit that after I downloaded it, I needed some time to get my mind around it.

Here are the basics:

• Using the TrueCrypt application you create a large "container" file on your system, larger than you will need to hold your encrypted files. It can be on any read/write disk, even a memory stick, and is initially filled with random data.
• The container file can be copied, moved, deleted, or renamed just like any other file. It's not fragile. It can have any name and any file extension. You can have more than one.
• With the TrueCrypt application, you mount that container file as a disk volume with its own drive letter. You choose the letter.
• The TrueCrypt application runs in the background and manages TrueCrypt volumes.
• Within the TrueCrypt volume you create folders, or copy them in, and create or copy in any files that ought to be encrypted. A TrueCrypt volume behaves exactly like any other disk, even though it's really just a file on your hard drive or mem stick. Every file within it is totally encrypted, including file names and even its file system.
• Unused space in the TrueCrypt container file is filled with random data which cannot be distinguished from actual encrypted files.
• When you open an encrypted file in an application, such as a wordprocessor or graphic editor, the file is decrypted on the fly so that the application sees it decrypted.
• The file is never decrypted on disk, however, unless the application keeps temporary backup copies, and of course you should tell your applications to keep those in an encrypted volume too.
• Backup of encrypted data is easy: Just dismount the encrypted volume and copy its container file, still encrypted, to the backup medium.
• If the backup medium is another disk, mem stick, DVD, or CD-ROM, you can actually mount that backup container file whenever you want without ever copying it back to the original hard disk.

That's the simple view of TrueCrypt. There is lots more. For example:

• Anyone examining your system or your disk can tell that you use TrueCrypt, and can probably even identify the container files.
• However, you can host a TrueCrypt volume within another truecrypt volume in a manner that makes the internal volume both hidden and undectable even if the outer volume is mounted and visible. Really cool. The TrueCrypt people call this "plausible deniability," and consider it quite important.
• Example: An adversary points a gun at you and demands to see your encrypted files. You can give them the password to the outer encrypted volume without ever revealing that an inner, hidden volume even exists. It's invisible. I don't actually see the need for a hidden volume in my business, but evidently some folks do.
• You can host a truecrypt volume on a public computer, or another person's computer, without installing any software on that computer, so your encrypted files are portable.
• You can tell TrueCrypt to mount certain TrueCrypt volumes automatically at bootup, though you will be required to enter a password to complete the mounting process.
• TrueCrypt allows you to use any of eight different encryption algorithms and three different hash algorithms, making decryption by an adversary even more difficult.

I love it, and in fact am using it for my encrypted files on my new computer. It works very well indeed, even on Vista 64. It is certainly no more trouble than EMF was, and backup is much simpler. It is far better than Windows Encrypted File System (EFS) because: (1) EFS files are always available when you log on, whereas TrueCrypt files require you to enter another password; and (2) EFS files cannot easily be backed up in their encrypted form. TrueCrypt is also much simpler than Windows BitLocker encryption, which requires you to partition your drive and poses some risk of losing the entire drive if something goes wrong.

RAID Backup

Working perfectly!

Usually, a person needs a backup when their disk drive fails. All disk drives fail sometime - there is no escape from that truth. But there are other reasons for keeping good backups:

• Total disaster, such as a fire or flood that destroys the whole computer and all nearby backups.
• Deliberate mischief, such as a virus that deletes important files.
• Accidental deletion or modification of one or more files.

I'm sure there are more reasons, but if we cover these we'll probably have the rest covered.

Drive Failure:

Disk drive failure can mostly be avoided by using two mirrored drives in a configuration known as RAID 1. RAID means Redundant Array of Independent Drives, and has several well-defined levels. RAID 1 is a simple comfiguration with two drives which always contain exactly the same information, hence the term "mirrored." If either drive fails, the other simply becomes the system's sole drive and takes over without a hitch. Since the probability of two drives failing at once is very small, RAID 1 pretty well covers that problem. The new computer here employs RAID 1.

Total Disaster:

If the building burns down or floods, the only solution is to have a separate backup stored offsite. This can be on the internet, another building some distance away, or perhaps in a fire- and water-proof safe. At this office a flood is highly unlikely, so we store encrypted DVD backups of most user files in a fire-resistant safe in the basement, and we occasionally put a DVD in a safe deposit box at the bank. I have just set up an upload account and I may stop putting DVDs in the safe deposit box. We'll see.

Deliberate Mischief, or Accidental Deletion or Modification:

RAID disks don't help here, because the RAID disk controller keeps the two mirrored disks identical even when the files themselves are deleted or corrupted. This is where Windows System Restore can be very handy indeed. I have several times seen a serious problem solved by restoring a system to a previous date and time. System Restore works, though it has the disadvantage that the whole drive reverts to a selected time in the past, even if you only need to recover one file.

But if System Restore isn't the solution, then backups are the answer. DVD and internet backups can be used to restore user data, but what about all of the rest of the system? I started a full backup once, but quit when the backup wizard pointed out that I would need 19 DVDs. Enter "RAID Backup" with a third identical disk drive. At some reasonable interval (every day, every week, every month) I can disconnect the power to one of the two mirrored disks and connect the third disk. The disconnected disk is instantly a complete backup of everything, and the newly-connected disk will soon be overwritten and re-mirrored to the remaining good disk in the RAID 1 pair. Voila - complete backup in about five minutes for a one-time cost of about $80. It does actually take about 2 hours and 15 minutes to re-mirror, but the system is usable, if slower, while that takes place. And the third disk, with no power, is safe from any mischief.

It Works!:

I wasn't entirely sure that the Intel software would be totally cool with what I wanted to do, but I tried it last night and today. The system has three identical 320 Mb Western Digital hard disk. Steps in the experiment:

• Disk Drives A and B were mirrored, drive C was powered up as a spare but had never been used.
• I shut down the computer, disconnected power on B, rebooted the computer. The Bios complained that the RAID 1 pair was "degraded" and gave me a chance to deal with it in the Bios, but I declined and let the bootup proceed.
• The computer booted normally, and the Intel monitor software presented a pop-up balloon that said the RAID 1 disk was degraded but could be repaired.
• I clicked on the balloon and followed the instructions to restore disk C to mirror the good disk in the RAID pair, disk A. Two and a quarter hours later, A & C were a mirrored RAID pair and B was a complete backup. Job done.
• As an experiment, however, I shut down again and disconnected all EXCEPT disk B, then rebooted. Again the Bios complained and the on-line software did too, but the system functioned normally on just the "backup" disk. As far as I could tell, all files were accessible. The RAID software, apparently confused, also created a second RAID array at this point, consisting of Disk B and a "missing" disk. Duh.
• I rebooted with only A & C connected, and everything worked once again, no complaints.
• Then I connected B as well, rebooted, and got some complaints about a degraded pair in the second RAID array (disk B), but the system ran normally and all files on all disks seemed to be accessible, including the files on disk B.
• Finally, I disconnected disk C, leaving A & B connected, and rebooted once again. The Bios and the Intel application software both complained about degraded RAID arrays. But it allowed me to delete the second RAID array, consisting of only disk B. That done, it allowed me to re-mirror B to the good disk in the original RAID pair, disk A, even though disk B contained lots of valid data. I was concerned that it might not let me destroy data, and I think there were at least four warnings that data would be destroyed on disk B if I proceeded, but it finally let me do it. Now disk C is again the full backup and the system is back to a RAID array of disks A & B.

From now on the procedure will be much simpler: Shut down, disconnect B or C (whichever was connected), reconnect the disk that was disconnected, reboot, and tell the Intel application to restore the RAID array. The biggest hassle is moving the computer to a position where I can open the side panel and disconnect / reconnect drives. I can handle it.

Windows Experience Index:

Before these little experiments, the system's Windows Experience Index was 5.4, limited by the disk subscore of 5.4. I ran the tests several times. Since the experiments, the Windows Experience Index is 5.5, limited by both the processor and gaming graphics, with the disk subscore improving to 5.7. Why did the disk subscore go up from 5.4 to 5.7, using exactly the same disks? Only Microsoft knows.

The Computer Is Built!

And I'm pleased with it.

Performance:

The overall Windows Experience Index is 5.4, which I believe is pretty good. The limiting subscore (5.4) is the disks, actually, and they are very high-speed SATA II 7200-RPM drives, though you can get 10,000 RPM drives which should be faster yet. The highest subscore is the Windows Aero graphics, 5.9. Everything else falls between, so the system is reasonably well balanced.

Quietness:

When there is nothing else going on in the room, TV and the old computer turned off, sitting at my desk, I can hear a faint, low-pitched roar similar to the sound you hear by holding a large seashell up to your ear, but certainly not that loud. It has a resonance to it, despite my efforts to dampen sounds inside the box. I think that the rear fan is the origin of most of the noise. It's not objectionable, because it's faint, but I will probably try to do more to limit the sound, such as:

• Add more sound-deadening material inside the box; there is room on the side cover for more;
• Play with fan speeds. The computer reports its own temperatures at several places including the CPU, graphics card, and motherboard, and those are quite comfortably within spec right now, so I could choose a lower speed for the rear fan;
• Cover the strange hole pattern on the back of the case, for which there seems no purpose; and
• Replace or rewire the rear fan. The motherboard came with a fan-control connection for that fan, but oddly, that fan did not come with a connector for the fan control. It may be easier for me to order a fan with the right connector rather than a conversion cable.

Bottom Line:

It's a good computer. Luckily there were no DOA (dead-on-arrival) parts, and it came right up and ran. The only problems were software ones, after Vista was installed and not to be discussed here (though I may yet post a rant about Vista. It is SO awkward and obtuse). I think that once a person has the proper parts on hand, one could put a computer like this together in an hour or two, including the initial Vista installation.

Below is a pictorial of the build process, in reverse order. Click on the Materials List on the side panel to see what went into the computer.


After powering up the disks, this screen in the BIOS allowed the association of drives A and B as a single fault-tolerant 320 Gb RAID disk before anything was ever written to the disks.


When first powering up the system, I had disconnected all of the disk drives and some other stuff to see if the CPU and motherboard would POST (power-on self test). THEY DID! This screen proves that a lot of stuff was working:

• Power supply;
• Motherboard;
• CPU;
• Graphics card, at least sufficient to display to the generic screen; and
• USB ports and keyboard-handling firmware on the motherboard;
• Fans (I could see them turn).

The box is fully wired and ready to test.


The motherboard is installed and screwed in place.


The three 320 Gb hard drives are in place and wired up. Two drives are for the fault-tolerant RAID disk, and a third will be used as a backup.


It's still hard for me to reconcile this palm-sized, silent, extremely fast 320 Gb drive with the washing-machine-sized sub-Gb drives I cut my computer teeth on years ago. And in just a few years, even these will be replaced with much faster flash drives having no moving parts at all.


Sound-deadening material stuck to the back side of the hard-drive cage. A similar piece is attached to the side door covering the drives on this side, and on the bottom and top of the cage. I attached this material on all interior surfaces wherever it could be attached without getting in the way or interfering with the passage of cooling air.


Sound-deadeing felt. Found in the local Menards hardware store, not for the purpose of deadening sound, but I think it should work. I liked the black better, but the store didn't have much so I bought some of both.


Front fan installed inside of the hard drive cage, to pull air across the drives and blow it toward the graphics card and CPU. See earlier posts for other views of the entire case.

Everything is Here

The Intel E6750 Boxed CPU and three Western Digital 320-Gb SATA hard drives arrived today, and now all of the parts are here. I set everything except the case out on the picnic table for a photo. Out of several photos, my sweetie liked this one with fall color in the background :-)

Then I downloaded an Intel video that demonstrates how to install the processor and "thermal solution" (fan + heat sink) on the Intel DP35DP motherboard. After playing the video once, I played it again and did the installation while watching the video. What makes it tricky is that dozens upon dozens of tiny pins on the motherboard socket must match up with a similar number of contact lands on the CPU wafer, without bending any of the pins.

And the CPU is just a wafer at this point, not fragile exactly but the motherboard pins are. You are supposed to set the square wafer straight down on the pins without sliding it at all, but I must admit that when I set it down it wasn't perfectly aligned and it did slide slightly. I hope those pins handled it - I didn't look.

After inserting the wafer you close a little door and then a little spring handle to press the door and wafer down tightly against the socket pins. Then you put the heatsink on top of it all and fasten it down with its own little plastic clips, plug the heatsink fan into the appropriate connector, tie off any spare wire, and job done. I hope. I'll feel a little better when I power it up and get a BIOS screen.

By comparison, the 4 Gb of G.Skill RAM seemed quite easy to install. Just push it carefully into the socket.

On another note: My first experience with computers was in 1962, 45 years ago, when disk drives were barely on the horizon. We used a magnetic tape operating system, and wrote programs on punched cards or paper tape. Later, about 28 years ago, I bought my first computer while working at 3M, with 64 Kb of RAM (yes RAM, not core), and a 5-Mb disk drive which was too heavy for one person to manage alone. These palm-sized disks each have 64,000 (sixty-four thousand) times as much disk capacity, and the CPU will enjoy 62,500 times as much RAM. Oh, and the RAM is about 800 times faster, while the CPU is easly 2500 times faster and there are two in the chip. Isn't technology stunning?

Choosing a Hard Disk

How does one choose the hard disk drive (HDD) from all of the available vendors and capacities? First, it's important to recognize that it's not a highly critical decision; I'm not likely to choose a vendor or capacity that is unsuitable, and drives are not a huge expense any more, so I can add or replace drives later (or sooner) if necessary.

My existing system has 23 Gb available out of 100 Gb total capacity, so I'm using about 77 Gb. Disk usage has grown from about 15 Gb in 1999 to 77 this year, which means that it grew by a factor of five in the intervening eight years. That suggests I should buy five times the amount of disk that I am now using, or about 400 Gb, to last the next eight years. Maybe so.

But maybe not. New technology is on the horizon. It is already possible to buy a 64 Gb flash drive with no moving parts for about $900. How soon will the price/performance curve of flash or some even-better technology approach that of moving-head disk drives? Probably sooner than later.

For now I'm going with 320 Gb drives, a relatively mature technology, available from several manufacturers, with modest power and heat dissipation needs. That's a safe choice.

So whose drives? To simplify things I've narrowed the field to three manufacturers: (1) Samsung, (2) Seagate, and (3) Western Digital, in alphabetical order. Hitachi and Maxtor make appropriate drives too, as do other manufacturers, but I've seen nothing to indicate that any of those would be a better choice than the best of the first three. If you have other information, please comment. The drives will all have:

• 320 Gb capacity.
• SATA 3.0 Gb/s interface.
• 7200 RPM and attending latency.
• Average seek time less than 10 ms.
• 16 Mb cache.

The following table shows some additional information about each drive. Prices are all from NewEgg, as is the user comment information. Other data comes from the manufacturers' specification sheets:

Brand	Model#	Price	Warranty	Five*	Comments
Samsung	HD321KJ	$74.99	1 yr	80%	20
Seagate	ST3320620AS	$79.99	5 yr	76%	1887
Western Digital	WD3200AAKS	$74.99	3 yr	80%	144

The Five* column is the percentage of reviewers who gave the drive five stars out of five, i.e. the best possible rating. I realize that some people rarely give the highest rating to anything, so the system may be biased, but I also saw a comment from a reviewer who gave four stars for a drive which was dandy until it failed after one day's use. So it balances out.

In any case the reviewers' ratings don't give much guidance, all between 76% and 80%. The Seagate drive is by far the most popular, but comments indicate that it has been received dead on arrival in many recent cases. One commenter said that it is made in China. Further, and significantly, many reviewers comment that the Seagate drive is noisy. I don't like that, and I'm leaning a bit toward WD. I wonder where theirs are made?

Suppliers like NewEgg have a 30-day return policy on drives (probably on everything), so I suppose I won't be buying any drives until the rest of the system is nearly assembled and ready to test. By then things may have changed. Perhaps Seagate will correct their quality problem, or prices will change enough to make one drive more attractive on that basis.