TrueCrypt: Convenient File Security

TrueCrypt is an easy, convenient and reliable way for Windows and Linux users to encrypt their data on the fly. TrueCrypt is a good fit for:

  • Road warriors who worry about what would happen if their laptop gets lost or stolen.
  • Anyone who works with sensitive data of any nature (proprietary business data, trade secrets, medical information) in an open office environment where the workstations are not behind locked doors.
  • Anyone who uses Quicken, or similar software, to keep track of personal financial information, especially if others have access to the same computer.
  • Anyone who carries sensitive information around on an external storage device (for example a USB drive).


TrueCrypt basically works in one of two ways: it can turn an entire hard disk partition into an encrypted volume (in version 4.3 the partition is formatted as a TrueCrypt volume in the process, so move any data off it first), or it can create a “TrueCrypt container” file within an ordinary partition, where that file gets treated as a second, virtual partition.

Working with Encrypted Drives: The contents of an encrypted drive are accessed by a “mount” operation. The mounting process asks you for the password and then assigns a drive letter to the encrypted data. (You can choose which letter.) From then on, the encrypted data is treated just like another hard disk. You can drag and drop files in Windows Explorer, refer to the drive letter on the command line or in a batch file, … whatever. The data within the volume remains accessible until you shut down or reboot the computer, or you specifically dismount the volume (for example, if you leave for lunch, or you just know that you won’t need access to the data for a while). Keep in mind that while the volume is mounted it is exactly as exposed as any other drive: anyone who can use the computer can read it, and the encryption key stays in RAM. Dismounting is what actually puts the protection back in place.

Hard Disk Configuration Options: As mentioned above, TrueCrypt can encrypt either a physical partition or a virtual partition. For example, say that your computer has a 250 GB hard disk that is currently divided into two partitions: a 40 GB C: drive and a 200 GB D: drive. And say that you are about to work on a sensitive project that is going to need 20 GB of secure storage space. You have three options: (1) You could use TrueCrypt to encrypt the entire D: partition (all 200 GB) and store your project files there. (2) You could repartition the hard disk so that the D: partition is 180 GB and a new E: partition is assigned the other 20 GB, and then encrypt the E: partition. (3) You could have TrueCrypt create a 20 GB file on the D: partition that is itself a virtual partition, and have TrueCrypt mount it as the E: drive.

Each of these solutions has a different drawback. Choice #1 means that you have to provide the password every time you boot the computer and want to work with files on the D: drive, even if you aren’t working on the secure project. Choice #2 means that you have to decide in advance how much space to allocate to each partition. Choice #3 takes a slight performance hit: a container is a file living on another filesystem, so every access passes through two filesystem layers, and on-the-fly encryption of a physical partition performs a little better. A major advantage of choice #3 is that, since a TrueCrypt container is just another file, it can be copied, moved, backed up, replicated, etc., just like any other file (and a copy is as well protected as the original, since it is the encrypted bytes that get copied).

Removable/USB Drive Configuration Options: Similar to the above, a removable drive can either be encrypted in its entirety, or a portion of it can be encrypted as a TrueCrypt container. The former requires that TrueCrypt is already installed on whatever computer is going to access the encrypted data on the removable drive. The latter allows for something called “traveler mode.” In traveler mode, the unencrypted portion of the USB drive carries the TrueCrypt program files, which let you open the encrypted container on a computer that has no TrueCrypt installation. One caveat: traveler mode still has to load the TrueCrypt driver, so it only works where you have administrator rights on the host computer.

Encryption Algorithms: TrueCrypt 4.3 offers three block ciphers (AES, Serpent and Twofish) and three hash algorithms used to derive the key from your password (RIPEMD-160, SHA-1 and Whirlpool). The ciphers can also be combined in cascades of two or three, so that each block is encrypted by each cipher in turn, which roughly doubles or triples the work per block. A benchmark tool lets you see how your particular CPU handles the various options so you can decide whether you can live with the time penalty of stacking multiple ciphers. (Most users will choose the defaults.)

Tip #1: Before creating a virtual partition file, run a defrag utility on the physical partition that will contain it. This way you ensure that the container file is written contiguously, which helps the performance of the virtual partition. (Important: whenever running a defrag utility on a physical partition that already contains TrueCrypt containers, make sure those containers are dismounted first.)

Tip #2: Make an extra effort to come up with an especially strong password — one that uses mixed upper and lower case letters, as well as numbers and symbols, and is at least 20 characters long. It doesn’t matter how good the encryption algorithm is if you don’t feed it a nice, strong password.
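As an added illustration of Tip #2 (this is example code, not part of TrueCrypt and not from the article): a small Python script that generates a volume password meeting the policy above using the operating system’s cryptographic random source, checks a candidate password against the same policy, and estimates how long a brute-force search would take. The 88-character alphabet, the symbol set and the guess rate of one billion tries per second are assumptions chosen for illustration; the entropy figure is an upper bound that assumes each character was picked uniformly at random, which a dictionary word or keyboard pattern is not.

```python
"""Added example for Tip #2: generate and assess a TrueCrypt volume password.
Not TrueCrypt code. The symbol set and the 1e9 guesses/second rate are
assumptions for illustration only."""
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"          # assumed symbol set (26 chars)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS    # 26 + 26 + 10 + 26 = 88 chars


def meets_policy(pw, min_len=20):
    """The article's rule: 20+ characters with upper, lower, digit and symbol."""
    return (len(pw) >= min_len
            and any(c in LOWER for c in pw)
            and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw)
            and any(c in SYMBOLS for c in pw))


def generate_password(length=24):
    """Draw every character from the OS CSPRNG (the secrets module), and
    redraw the whole string until all four classes are present. Redrawing
    rather than forcing one character per class keeps the choice uniform."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw, min_len=length):
            return pw


def entropy_bits(pw):
    """Upper bound on guessing entropy: assume the attacker knows which
    character classes were used and that each position is uniform over
    that pool. Real human-chosen passwords are far weaker than this."""
    pool = sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def brute_force_years(pw, guesses_per_second=1e9):
    """Worst-case (full keyspace) search time at an assumed guess rate.
    TrueCrypt's key derivation slows each guess, so this is pessimistic
    for the attacker and optimistic for a weak password."""
    seconds_per_year = 365.25 * 86400
    return 2 ** entropy_bits(pw) / guesses_per_second / seconds_per_year


if __name__ == "__main__":
    for candidate in ("password", "Passw0rd!", generate_password()):
        print(f"{candidate!r}: policy={meets_policy(candidate)} "
              f"bits={entropy_bits(candidate):.1f} "
              f"years={brute_force_years(candidate):.3g}")
```

The point the numbers make is the one in the tip: eight lowercase letters fall to a brute-force search in minutes at this rate, while twenty characters drawn from the full alphabet give around 129 bits and a search time measured in units nobody will live to see. Write the generated password down somewhere safe rather than weakening it to make it memorable.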

Tip #3: Be careful when moving files between encrypted and unencrypted volumes. When the source and destination are on different volumes, a “move” operation is the same as a “copy” followed by a “delete,” and deletes are easy to “undelete”: the file’s blocks stay on the disk until something else overwrites them. Even if the delete operation bypasses the recycle bin, or you empty the recycle bin afterwards, an undelete is still possible with a trick known as “dirty disking.” So, when first loading up your newly encrypted volume, use copy, not move, and then use a “wipe” utility that overwrites the original files before deleting them. Unfortunately, TrueCrypt does not come with a wipe utility, but there are plenty of freeware wipe utilities available, such as the one included in bfaCS. (See Software Review: File Encryption with Blowfish Advanced CS (Windows).)

Tip #4: Another concern is that many programs write data to temporary files while they work. Much of the time this temporary data is written to the same location as the real data (just with a different file name extension, for example). If that is the case, then you’re fine, because the temporary data is encrypted as well. However, if the temporary data is written to a different location, e.g. some “temp” folder, and that temp folder is on an unencrypted volume, then we are back to the “dirty disking” susceptibility mentioned in the previous tip. Likewise, the software may be doing you a “favor” by saving backup copies of your data as you go along (e.g. with the file name extension “.BAK”). If the software is configured to save these BAK files to a location that is unencrypted, then, once again, the encryption of the final data is defeated. The same applies to the Windows page file and hibernation file, which live on the (unencrypted) system partition and can hold whatever was in memory, including the contents of open documents.
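To make Tips #3 and #4 concrete, here is an added Python example (not TrueCrypt code, and not the bfaCS wipe utility the article mentions) that does what the tips recommend: copy a file onto the mounted volume, verify the copy by hash, and only then overwrite and delete the plaintext original; then sweep the unencrypted folder for the stray .BAK and temp copies that Tip #4 warns about and wipe those too. The directory layout, the file contents, the three overwrite passes and the list of “leftover” suffixes are all constructed for the example.

```python
"""Added example for Tips #3 and #4: copy-verify-wipe instead of move, and
hunt down stray backup/temp copies. Not part of TrueCrypt. Paths, sample
data, pass count and the suffix list are assumptions for illustration."""
import hashlib
import os
import shutil
import tempfile

# Assumed suffixes that editors and office software leave behind (Tip #4).
LEFTOVER_SUFFIXES = (".bak", ".tmp", "~")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def wipe_file(path, passes=3):
    """Overwrite the file in place with random bytes, then delete it.
    Each pass is flushed and fsync'ed so the bytes reach the disk instead
    of sitting in the page cache. Caveat (mine, not the article's): on
    journaling, copy-on-write or flash storage the old blocks may still
    survive; the robust answer is to keep the plaintext off such media."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, 1 << 16)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
        f.truncate(0)          # also stop the directory entry recording the old size
    os.remove(path)


def secure_move(src, dst_dir):
    """Tip #3: copy onto the encrypted volume, verify, then wipe the original.
    A plain shutil.move across volumes would leave recoverable plaintext."""
    dst = os.path.join(dst_dir, os.path.basename(src))
    shutil.copy2(src, dst)
    if sha256_of(src) != sha256_of(dst):
        os.remove(dst)
        raise IOError("copy verification failed; original left untouched")
    wipe_file(src)
    return dst


def find_leftovers(directory, suffixes=LEFTOVER_SUFFIXES):
    """Tip #4: list backup and temp files sitting in an unencrypted folder."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(suffixes):
                found.append(os.path.join(root, name))
    return sorted(found)


def demo():
    """Constructed scenario: 'plain' stands in for the unencrypted D: drive,
    'vault' for the mounted TrueCrypt volume. Returns what happened so the
    result can be checked rather than just printed."""
    root = tempfile.mkdtemp()
    plain, vault = os.path.join(root, "plain"), os.path.join(root, "vault")
    os.makedirs(plain)
    os.makedirs(vault)
    secret = os.path.join(plain, "ledger.qdf")
    with open(secret, "wb") as f:
        f.write(b"ACCOUNT 1234-5678 BALANCE 9000\n" * 100)   # constructed sample data
    with open(os.path.join(plain, "ledger.qdf.bak"), "wb") as f:
        f.write(b"older copy of the same ledger\n")
    with open(os.path.join(plain, "notes.txt"), "wb") as f:
        f.write(b"nothing sensitive here\n")

    original_hash = sha256_of(secret)
    dst = secure_move(secret, vault)
    leftovers = find_leftovers(plain)
    for path in leftovers:
        wipe_file(path)
    result = {
        "copied_ok": sha256_of(dst) == original_hash,
        "original_gone": not os.path.exists(secret),
        "leftovers_found": [os.path.basename(p) for p in leftovers],
        "leftovers_gone": all(not os.path.exists(p) for p in leftovers),
        "remaining_in_plain": sorted(os.listdir(plain)),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Run it against the real folders by calling `secure_move` with the mounted volume’s drive letter as the destination; the hash check before the wipe is what makes the approach safe, since a failed copy leaves the original intact rather than destroyed.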

TrueCrypt

Latest Version: 4.3a (May 3, 2007)
Platform: Any version of Windows, including Vista, or any version of Linux
Price: Free (FOSS)
Download Link: www.truecrypt.org

Comments

  1. HOWTO: Securely Open TrueCrypt Volumes in One Click




© 2006-2007 Maxim Software Corp.  All rights reserved.