In Part 2 of this article, I went over some different ways to set up TrueCrypt. In this part of the article, I will be doing the actual encryption.
I thought it would be helpful if everyone knew what hardware I was doing this on. Currently, I’m using an Acer Aspire Timeline X 4830T that I bought in June 2012. Specs are as follows:
- Intel Core i3-2350M (2nd generation) @ 2.3GHz
- Upgraded to a smaller, but faster, Western Digital Scorpio Black
- Upgrade to 8GB of RAM
I mention this because it’s particularly important to note the CPU specs. This particular CPU doesn’t support the AES-NI instruction set that applications use to speed up AES encryption and decryption (on Linux it shows up as the aes flag in /proc/cpuinfo). Because my CPU doesn’t have it, TrueCrypt can’t use hardware acceleration and has to do the AES work in software. As such, my times here are probably going to be slower than yours, and a cipher cascade (see Step 3) will hurt more on a machine like this than on one with AES-NI.
Start TrueCrypt by going to Menu–>Accessories–>TrueCrypt and select Create Volume.
Step 1 – Select a volume type
At the volume creation wizard, choose Create a volume within a partition/drive. Again, I chose this option over using a file container.
Select Standard TrueCrypt volume. You can read more about hidden volumes here.
Step 2 – Select your device
Select your device and proceed. Please don’t blindly select /dev/sdb without checking your system first: confirm which device is the one you mean (size, model) and that none of its partitions are currently mounted. This process will destroy any data on the device you select.
You’ll need to accept the warning that recommends you use a file container.
Enter your password (this is your sudo password; TrueCrypt needs root privileges to write directly to a raw device, which is why you need sudo access).
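Before handing a raw device to TrueCrypt, two things are worth checking from a script rather than by eye: that the target device (or one of its partitions) is not mounted anywhere, least of all as the root filesystem, and whether the CPU actually has the AES-NI flag mentioned above. The following is an added example of mine, not code from the original post or from TrueCrypt; it parses the same text the kernel exposes in /proc/mounts and /proc/cpuinfo, and the sample contents below are constructed so the functions can be exercised without root or real hardware.

```python
"""Pre-flight checks before encrypting a raw device (added example, not TrueCrypt code)."""
import os
import re
import stat

# Constructed sample of /proc/mounts: sda holds the system, sdb1 is a mounted USB stick.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

# Constructed /proc/cpuinfo fragments: a CPU without AES-NI and one with it.
SAMPLE_CPUINFO_NO_AESNI = """\
model name\t: Intel(R) Core(TM) i3-2350M CPU @ 2.30GHz
flags\t\t: fpu vme de pse tsc msr pae mce sse sse2 ssse3 sse4_1 sse4_2 avx
"""
SAMPLE_CPUINFO_AESNI = """\
model name\t: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz
flags\t\t: fpu vme de pse tsc msr pae mce sse sse2 ssse3 sse4_1 sse4_2 aes avx
"""


def cpu_has_aesni(cpuinfo_text: str) -> bool:
    """True if the kernel lists the 'aes' CPU flag (i.e. AES-NI is available)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = line.split(":", 1)[1].split()
            return "aes" in flags
    return False


def mounted_under(device: str, mounts_text: str) -> list:
    """Return the mount points backed by `device` itself or by any of its partitions.

    /dev/sdb matches /dev/sdb, /dev/sdb1, /dev/sdb2; /dev/nvme0n1 matches /dev/nvme0n1p1.
    """
    part_pattern = re.compile(re.escape(device) + r"p?\d+")
    hits = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        source, target = parts[0], parts[1]
        if source == device or part_pattern.fullmatch(source):
            hits.append(target)
    return hits


def check_target(device: str, mounts_text: str) -> list:
    """Return a list of reasons NOT to format `device`; an empty list means go ahead."""
    problems = []
    if not device.startswith("/dev/"):
        problems.append(f"{device!r} does not look like a device node")
    mount_points = mounted_under(device, mounts_text)
    if "/" in mount_points:
        problems.append(f"{device} carries the root filesystem; you would wipe the running system")
    elif mount_points:
        problems.append(f"{device} is in use: mounted at {', '.join(mount_points)}; unmount it first")
    return problems


def is_block_device(path: str) -> bool:
    """Live check that the node exists and is a block device (skipped in the sample run)."""
    try:
        return stat.S_ISBLK(os.stat(path).st_mode)
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    # Sample run on the constructed data; for a real run read /proc/mounts and
    # /proc/cpuinfo and also require is_block_device(device).
    for dev in ("/dev/sda", "/dev/sdb", "/dev/sdc"):
        issues = check_target(dev, SAMPLE_MOUNTS)
        print(dev, "OK to format" if not issues else "; ".join(issues))
    print("AES-NI on the i3-2350M:", cpu_has_aesni(SAMPLE_CPUINFO_NO_AESNI))
```

On the constructed data, /dev/sda is rejected because it holds the root filesystem, /dev/sdb is rejected because /dev/sdb1 is mounted, and /dev/sdc passes; swap in the real /proc files and the is_block_device check before trusting the result on a live machine.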
Step 3 – Encryption options
I’m not going to write (yet) about which encryption algorithms are strongest/best. But, in my opinion, you should use at least two cascading ciphers. In the event that one algorithm is broken, flawed, or backdoored by the NSA, you’ll still have one or more algorithms protecting you. The trade-off is throughput: every block is encrypted once per cipher in the cascade, so expect roughly half to a third of the single-cipher speed, and more of a hit on a CPU without AES-NI like mine. The hash algorithm can’t be cascaded; TrueCrypt lets you pick exactly one, and it is used as the PRF for deriving the header key from your password and keyfiles, so pick a conservative one (e.g., SHA-512 or Whirlpool) rather than the one that benchmarks fastest.
Protip: Use the Benchmark option to see how your system performs with various configurations.
Step 4 – Passwords and keyfiles
This is the most important step, because no matter which algorithm(s) you choose, it won’t do you any good if you have a weak password. TrueCrypt has some handy tips when it comes to choosing a good password. The key here is randomness and length. Size does matter, gentlemen. Beyond the password itself, authentication is usually described in terms of three factors:
- Something only the user knows (password, PIN, pattern, etc…)
- Something only the user has (keyfile, hardware or software token, SMS confirmation code, smartcard, USB token, etc…)
- Something only the user is (biometrics, e.g. fingerprint, iris scan, etc…)
When you combine two or more factors, an attacker has to compromise both to get in. In this case, we’ll be using a password as well as a keyfile. When you want to decrypt your drive, you’ll need to provide both. In the event someone were to obtain your keyfile, they wouldn’t be able to decrypt your drive without knowing the password, and vice versa. However, once you create a keyfile and use it for a volume, you must never modify it: TrueCrypt feeds the file’s contents (the first 1 MB of it) into the key derivation, so changing a single byte gives a different key and locks you out. The only way to swap keyfiles later is to change the volume password with the keyfile you already have. I would also recommend keeping multiple copies of the keyfile (email to yourself, store in a secure cloud service, etc…), keeping in mind that every copy is a secret: a keyfile an attacker can read gives them one of your two factors, so the password still has to stand on its own.
Instead of choosing an existing file, I chose Generate Random Keyfile.
Select a mixing PRF, and start moving your mouse around like crazy! If you’re curious, what you’re doing here is increasing the entropy, which is basically the “randomness”, of the keyfile. Computers can’t generate a truly random number on their own, so at best, they are called pseudo-random. A naive generator starts with a seed (e.g., time of day) and runs that seed through an algorithm, then runs that output through another algorithm, and so on. If someone knew the initial seed, and which algorithms were used, they would be able to generate the exact same output. To circumvent this, we need input that an attacker can’t predict. TrueCrypt mixes the operating system’s random source together with the timing and position of your mouse movements into its pool, then derives the keyfile from that pool using the PRF you selected. The path your mouse takes while you’re moving it around like a madman is considered to be random enough that it can’t be reproduced.
Save your keyfile and add it to the list of keyfiles.
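To make the difference concrete, here is an added example of mine (not TrueCrypt’s generator and not its keyfile format, which its documentation describes) that contrasts a clock-seeded PRNG with a small entropy pool mixed by an HMAC-based PRF. The mouse events are constructed inline to stand in for the cursor path; the OS entropy comes from os.urandom. It also writes a 64-byte keyfile, which matches what TrueCrypt’s own generator produces and is plenty, since a keyfile is only ever hashed down into a key anyway.

```python
"""Clock-seeded PRNG versus an entropy-mixed keyfile (added example, not TrueCrypt code)."""
import hmac
import os
import random

# Constructed stand-in for the cursor path: (x, y, nanosecond timestamp) per event.
SAMPLE_MOUSE_EVENTS = [
    (412, 233, 1_402_000_000_000_123_000),
    (418, 240, 1_402_000_000_014_892_000),
    (431, 238, 1_402_000_000_031_004_000),
    (440, 251, 1_402_000_000_045_771_000),
]


def time_seeded_bytes(seed: int, n: int) -> bytes:
    """What a naive generator does: seed from the clock, run a PRNG.

    Anyone who knows (or can guess) the seed reproduces the output exactly,
    which is why this must never be the only source of a key.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


class EntropyPool:
    """A 64-byte pool; every contribution is folded in with HMAC under the chosen PRF.

    The PRF name plays the role of the "mixing PRF" in the TrueCrypt dialog.
    """

    def __init__(self, prf: str = "sha512"):
        self.prf = prf
        self.pool = bytes(64)  # all zeros until something is mixed in

    def add(self, data: bytes) -> None:
        """Mix data into the pool: new_pool = HMAC(old_pool, data)."""
        self.pool = hmac.new(self.pool, data, self.prf).digest()

    def add_os_entropy(self, nbytes: int = 64) -> None:
        """Fold in the operating system's random source (what /dev/urandom supplies)."""
        self.add(os.urandom(nbytes))

    def add_mouse_event(self, x: int, y: int, t_ns: int) -> None:
        """Fold in one cursor sample; the low bits of position and timing are the unpredictable part."""
        self.add(x.to_bytes(4, "big", signed=True)
                 + y.to_bytes(4, "big", signed=True)
                 + t_ns.to_bytes(8, "big"))

    def keyfile(self, size: int = 64) -> bytes:
        """Derive `size` output bytes from the pool with a counter-mode PRF expansion."""
        out = b""
        counter = 0
        while len(out) < size:
            out += hmac.new(self.pool, counter.to_bytes(4, "big"), self.prf).digest()
            counter += 1
        return out[:size]


def build_keyfile(events, prf: str = "sha512", use_os_entropy: bool = True, size: int = 64) -> bytes:
    """Mix OS entropy (optional, for reproducible tests) and mouse events, then expand."""
    pool = EntropyPool(prf)
    if use_os_entropy:
        pool.add_os_entropy()
    for x, y, t_ns in events:
        pool.add_mouse_event(x, y, t_ns)
    return pool.keyfile(size)


if __name__ == "__main__":
    # Same seed, same output: the naive generator is reproducible by anyone who knows the seed.
    print(time_seeded_bytes(1_402_000_000, 8) == time_seeded_bytes(1_402_000_000, 8))
    kf = build_keyfile(SAMPLE_MOUSE_EVENTS)
    with open("example.key", "wb") as f:
        f.write(kf)
    print(len(kf), "byte keyfile written to example.key")
```

With use_os_entropy set to False the output depends only on the mouse events, which is what lets the test below pin down exact behaviour; in real use keep the OS entropy in, so that even a fully recorded cursor path is not enough to recreate the keyfile.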
Step 5 – Filesystem options
TrueCrypt will present you with a few options to determine which filesystem to use (on Linux: none, FAT, or ext2/ext3/ext4). Pick the one you’ll actually use the drive with: FAT if it also has to be readable on Windows, ext4 if it’s a Linux-only drive. The filesystem lives inside the encrypted volume, so the choice has no effect on the strength of the encryption.
Step 6 – Push the button!
Again, more entropy-creating goodness; keep moving the mouse in this window too, since this pool feeds the volume’s master key. Once you’re ready, click Format to begin. This is the point of no return for any data on the device.
As you can see, my CPU was pretty much consumed during this process. I let this run overnight.
In Part 4 of this article, I’ll show you how to use your newly encrypted drive.
UPDATE – Since TrueCrypt went offline, I won’t be posting a Part 4 of this series. I’m looking into a replacement for TrueCrypt.