TrueCrypt
I consider TrueCrypt (or at the very least, some sort of similar strong encryption software) to be one of the most important pieces of software that a computer user should have installed, especially people who use laptops, USB keys, or any other type of portable data (laptops can be stolen, USB keys easily get lost, etc.). It’s what they call an “on the fly” encryption program, meaning that once a TrueCrypt volume is mounted, it works in the background, decrypting your files as you use them and encrypting them automatically as you write data back to the hard disk.
It is totally free software, both cost-wise and in being open source. Since the source is available to anyone who wishes to examine it, I feel pretty confident using it and knowing that there isn’t some sort of back door for use by the government or someone else, like there very well may be in a closed-source package.
Performance and Usability
I’ve found that the performance hit is negligible on any modern PC, and is well worth it. With version 5 the TrueCrypt developers introduced Full Drive Encryption, giving you the option to totally encrypt the partition that Windows resides on, requiring a password at boot up before Windows will even begin to boot. If the password is not entered, the drive will be completely unreadable, even if it is removed from the PC and installed into another system.
Plausible Deniability
In addition to the benefits of strong, free encryption, it has a fantastic plausible deniability feature built in. That is to say that it can be set up in such a way that it is impossible for an adversary to prove that you even have specific encrypted data on your disk.
One way this works is that it is not possible to determine whether an unmounted, totally encrypted drive (I’m not talking about the drive you’re running Windows from here) is full of encrypted data or is just random, unpartitioned, unused noise. This works if you 1: live in a country where it is not legal for the authorities to put you in jail or cut off your head for refusing to supply your password to them (as of the time of this writing, in the United States the police or government aren’t supposed to do this… whether or not they really won’t is another discussion. I believe Great Britain can jail you for a couple of years. I’m scared to think what some of the more… nutty countries’ governments would do to you if you didn’t give them what they wanted), and 2: don’t foresee a situation where someone trying to steal data from you would potentially try to force you to reveal a password through threat of bodily harm or some other threatening action.
The problem is that once someone notices that you have the TrueCrypt program installed, if they then see an apparently empty, unused drive, they can be pretty sure that it is in fact an encrypted container, and won’t be very inclined to believe that you have a blank, unpartitioned hard disk just sitting in your computer or a blank USB drive full of random noise.
This leads to the second plausible deniability feature of TrueCrypt, a fantastically clever solution to the problem mentioned above. This is the way that I understand it works (I have not actually tried this, as I haven’t ever felt the need for this level of secrecy). You make an “outer” container, 40 gigabytes large for example, and assign it a password that you would be willing to tell an adversary. Put a few files in there that you would plausibly want to keep secret, but would be willing to let a potentially oppressive government, thief, or whatever other adversary have access to: old bank statements, documents that look like confidential company files, love letters to your girlfriend, some random smut videos (as long as you’re not traveling to a country where even mainstream porn is illegal), whatever. Just use something that’s legal where you are, but embarrassing enough that it would be convincing to an adversary that it’s really something you would want hidden from “prying eyes.”
Then you instruct TrueCrypt to make a second, “inner” volume inside the unused space of the “outer” volume. Assign it a different password than the outer volume, and use it for the information you really want to keep private. As long as the inner volume is not mounted, it will be impossible to prove that it even exists. It just looks like random noise, just like the empty space of a standard TrueCrypt volume would look anyway. When mounting the volume, whether the outer or the inner volume gets mounted depends simply on which password you provide. If an adversary tries to force you to give up your password, you simply give them the password to the outer volume, and your “real” private data remains private.
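A toy model of the "which password you provide decides which volume mounts" behaviour described above, added here as an illustration and not taken from TrueCrypt or from the original post. The header layout, slot offsets, passwords and the hash-based stream cipher are assumptions made for the sketch; real TrueCrypt uses its own on-disk format and block ciphers.

```python
import hashlib
import os

# Toy model only: the slot offsets, sizes and the SHA-256 keystream below are
# assumptions for illustration, not TrueCrypt's real on-disk format or ciphers.
SALT_LEN, HDR_LEN = 64, 128
SLOTS = (("outer", 0), ("hidden", 4096))          # assumed header positions
PLAIN = b"TRUE".ljust(HDR_LEN - SALT_LEN, b"\0")  # known plaintext: proves the key fits

def _keystream(key, n):
    """Stand-in stream cipher: SHA-256 in counter mode."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return out[:n]

def _crypt(password, salt, data):
    """Derive a key from password and salt, then XOR (encrypt == decrypt)."""
    key = hashlib.pbkdf2_hmac("sha512", password, salt, 1000, 32)
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def make_header(password):
    salt = os.urandom(SALT_LEN)
    return salt + _crypt(password, salt, PLAIN)

def create_container(size, outer_pw, hidden_pw=None):
    """Random-filled container; the hidden slot stays random unless used."""
    c = bytearray(os.urandom(size))
    c[0:HDR_LEN] = make_header(outer_pw)
    if hidden_pw is not None:
        off = SLOTS[1][1]
        c[off:off + HDR_LEN] = make_header(hidden_pw)
    return bytes(c)

def mount(container, password):
    """Trial-decrypt every slot; the password alone selects the volume."""
    for name, off in SLOTS:
        hdr = container[off:off + HDR_LEN]
        if _crypt(password, hdr[:SALT_LEN], hdr[SALT_LEN:]) == PLAIN:
            return name
    return None

if __name__ == "__main__":
    with_hidden = create_container(8192, b"decoy-pass", b"real-pass")
    outer_only = create_container(8192, b"decoy-pass")
    print(mount(with_hidden, b"decoy-pass"), mount(with_hidden, b"real-pass"))
    print(mount(outer_only, b"real-pass"))  # same result as any wrong password
```

Without the second password, a container that holds a hidden volume and one that does not give the same answer to every mount attempt, which is the property the deniability rests on.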
If you want to write files to your “outer” volume, you should use the option to “protect” the inner volume. Otherwise, simply writing files to the outer volume could destroy the inner volume. (If an adversary makes you mount your outer volume, you obviously can’t go checking the “protect the inner volume” option, or you would give away the fact that it exists, so it would potentially be destroyed if the adversary then writes to the outer volume. Another reason to always keep a backup of your important, irreplaceable data.)
For a more detailed description of how this works, go to http://www.truecrypt.org/docs/ and click on the hidden container documentation under the plausible deniability section of the documentation.
How I use TrueCrypt
How you decide to implement an encryption solution such as TrueCrypt is completely up to you. You can encrypt the entire system drive and take a minimal performance hit with everything (but be sure that everything is always secured), or just encrypt a container (or containers) and mount them when needed.
On my desktop and Windows laptop, I simply encrypted the entire drive. The only time I notice that it’s even been done is when I reboot and have to enter a pass phrase to boot up the computer.
On my Intel MacBook Pro, which dual-boots Mac OS and Windows Vista, full disk encryption isn’t possible due to a technical limitation of the dual boot system. So I instead made a large 60 gigabyte container. I have a 60 gigabyte TrueCrypt file; when I mount that file, it becomes my “T” drive.
I just use my “T” drive as a general purpose storage area, keeping most everything in there. All my documents, whether I consider them private or not go there, so I don’t have to worry about keeping private stuff separate, or whatever. I just encrypt everything and then it doesn’t matter.
I also have a copy of Firefox Portable installed to the encrypted drive. This way any passwords, history, or whatever else from my online use get saved to the encrypted location.
Wrapping Up
Anyone who does anything on their system that they wouldn’t want other people to see, whether it’s accessing bank accounts or other private web pages, or who just doesn’t want people snooping around their stuff, should definitely check TrueCrypt out. It is one of the most fantastic pieces of free and open software that I’ve ever used.
Every time I read or hear on the news about a computer being stolen from somebody or some corporation, and now the guy’s identity has been stolen, or all the company’s customers’ personal information has been leaked, I think to myself how simple it would have been for the owner of that laptop to encrypt it. It really is trivial to do with tools like TrueCrypt.
If you live in a country where encryption software is legal, and you have any sensitive information, or just value your privacy, you do not have an excuse not to use it.
Download it at http://www.truecrypt.org/

