Lost or stolen laptops are a privacy and security nightmare, especially for midmarket companies that handle customer data and/or are bound to regulations. Smaller companies cannot afford the tangible and reputational costs associated with breach notification. Fortunately for them, there is a free, open source laptop encryption option available in
TrueCrypt is no secret; it has been downloaded more than 9 million times, and that's proof positive it's a worthy alternative for companies unwilling to shell out for expensive commercial products. TrueCrypt is not an enterprise product. It lacks the central management, key management, reporting, access control features and scalability of enterprise commercial products. But for small office or workgroups, it's ideal. Multiple users can share access to encrypted data by presenting keyfiles in addition to their passwords. You can create any number of keyfiles using TrueCrypt's random number generator.
While not necessarily enterprise-ready, TrueCrypt's use of cryptographic algorithms and encryption methodology is comparable to its commercial counterparts and may be easier to use.
The mode of operation TrueCrypt uses for encrypted partitions, drives and virtual volumes is XTS, a variant of Phillip Rogaway's XEX mode. XEX mode uses a single key for two different purposes, while XTS mode uses two independent keys, specifically, its own secret key, or "tweak key," that is independent from the primary encryption key. "Tweak" refers to a block cipher that can accept a second input (the tweak) in addition to its plaintext or ciphertext input. The tweak, along with the key, selects the permutation computed by the cipher. XTS mode is the IEEE 1619 standard for cryptographic protection of data on block-oriented storage devices as of December 2007.
Encryption algorithms include AES, Serpent and Twofish, while ciphers can be cascaded, that is, used in combination--AES-Twofish, Serpent-Twofish-AES, etc. For example, a 128-bit block is first encrypted in Twofish (256-bit key), then with AES (256-bit key).
Hash algorithms, which include RIPEMD-160, SHA-512 and Whirlpool, are utilized during volume creation, password changes and keyfile generation.
All these hash algorithms are considered secure, given that it is computationally infeasible to find the message that produced the message digest. However, SHA-512 and Whirlpool meet NESSIE (New European Schemes for Signatures, Integrity and Encryption) standards because they are collision resistant, while RIPEMD-160 does not meet NESSIE standards because its output is only 160 bits.
TrueCrypt a Platform-Agnostic Encryption Option
TrueCrypt supports Windows Vista, XP, MacOSX and Linux. Installation on Windows is as simple as downloading TrueCrypt, executing the installer, accepting the license, choosing the Install radio button, and accepting default options for the last step. You can utilize installers for Windows Vista/XP/2000, Mac OS X 10.4 and 10.5, and Linux OpenSUSE and Ubuntu.
Alternatively, you can use operating system options like Vista/Server 2008's BitLocker or Mac OS X's FileVault to create encrypted volumes, partitions and disks, but TrueCrypt offers the benefit of being platform agnostic--you can mount a TrueCrypt volume on any supported OS.
TrueCrypt allows you to create two types of volumes: file-hosted (container) or partition/device-hosted. A file-hosted volume is simply a normal file that contains an entirely independent virtual disk device and can be maintained on any storage device. More simply, imagine it as a secure area on your hard drive or portable storage device for your sensitive data. Alternatively, you can utilize TrueCrypt to encrypt an entire partition or entire hard disk, or any other type of storage media.
Further, you can create TrueCrypt volumes as Standard or Hidden. A Standard volume is a normal, visible volume; a Hidden volume is nestled within another TrueCrypt volume. Even if you are obliged (or forced) to reveal your password, it's invisible to a third party. The trick here is that free space on any TrueCrypt volume is always filled with random data when the volume is created. No part of the (dismounted) hidden volume can be distinguished from random data.
Interface Simplifies Encryption Implementation
The TrueCrypt interface is simple and intuitive, allowing you to easily implement the encryption method of your choice. Before beginning, choose a location in your file system where you'd like to store your TrueCrypt volume(s) and create a new empty file.
To create a file-hosted volume, just click the Create Volume button to launch the Volume Wizard in a separate window, select the Create a File Container radio button, and then decide between Standard and Hidden volume.
Next, choose the empty file you created and answer "yes" when asked if you'd like to replace it with your new TrueCrypt volume. You'll then be presented with encryption options. The default options are AES for the encryption algorithm and RIPEMD-160 for the hash algorithm. Since we are paranoid, we prefer three ciphers in cascade, but there are performance impacts as you add complexity. Using the TrueCrypt benchmark feature, you can determine an appropriate compromise between encryption and performance. For example, the performance indicators on our test system ranged from a 64.7 MB/s encrypt/decrypt mean for AES alone, to a 14.5 MB/s mean for AES-Twofish-Serpent, so AES-Twofish gives reasonable balance.
You then choose a hash algorithm; we like SHA-512, which is slightly faster than Whirlpool and more secure than RIPEMD-160.
Next comes volume size. Besides the space you think you'll need, one consideration might be portability. For example, you might choose 1,800 MB for a 2 GB USB drive.
Now, choose a strong password. TrueCrypt will grade you on the password, so step up here (think passphrase). If you choose a password of fewer than 20 characters, you will be scolded for your wimpiness and reminded that it might be easily brute-forced. We recommend using keyfiles as well. In addition to allowing shared access, as discussed earlier, keyfiles provide protection against keystroke loggers and brute force attacks that might crack your password.
Finally, choose your volume format (FAT, NTFS or none) and cluster size (up to 64 KB). You'll see the Random Pool in this window, representing the random number generator (RNG) used to generate the master encryption key; note the difference in entropy while your system is at rest versus moving your mouse rapidly. The more you move your mouse, thus creating more randomness (entropy) for the RNG, the stronger your key will be. Choose format as your final step.
Once your volume is created, return to the primary interface, navigate to your newly created volume and mount it. You'll be prompted for your uber-password and you'll also have the chance to select more advanced mount options, including mounting the volume as removable media. This option is important when you wish to prevent Windows from automatically creating the Recycled and/or System Volume Information folders on the volume (these folders are used by the Recycle Bin and System Restore facilities).
TrueCrypt Traveler Mode Runs Product from USB
TrueCrypt allows for true portability and, should you choose this option, we recommend a minimum of a 2 GB USB 2.0 storage device. In Traveler Mode, TrueCrypt does not need to be installed on the operating system it is running on.
If, heaven forbid, you choose to use a kiosk or café machine, this may prove quite useful. Let's say you travel with your data to your overseas office, but leave your computer behind. Traveler Mode allows you to plug the USB stick you installed on into a destination PC and directly run TrueCrypt from the USB device. TrueCrypt does not need to be installed on the destination PC. The Traveler Mode creation process is also wizard-driven and simple to follow.
Whether you choose to encrypt an entire drive, a disk partition or a file-hosted container, you'll be glad you decided to use TrueCrypt. If you carry private or confidential company data, and/or personally identifiable information, TrueCrypt's robust methodology will protect it, so long as you implement properly and utilize strong password practices.
This was first published in March 2009