TrueCrypt full-system encryption

Update 2014-05-29!
The TrueCrypt project has been suddenly dropped by its developers. While we wait for more news it is advisable to refrain from using it to encrypt your system. See this Krebs article for more information. If there are any updates, or if there is a successful fork of the code to a new project, I will update this post.

This link is to the last known good binary and source distributions of TrueCrypt_v7.1a.zip for all platforms.
SHA1: 1d503ddb5f619ca868ea42bd7435f0dff5975997
and also signed with my public key


Let’s say you need to encrypt your entire hard drive to protect it from “something” or “someone”. TrueCrypt full-disk encryption is a secure choice that works with many operating systems (and even allows dual booting). If you have a laptop with any sort of private or sensitive information it’s a must, and there is nearly no performance hit on newer machines. Machines with multiple internal (and external) drives are also candidates, since a computer with an encrypted system drive can automatically mount any additional disks once a few requirements are met (including a special case for Windows 8/8.1).

This is not a full guide to the process, but an explanation of what to expect along the way, some suggestions for settings to use, and some fixes for problems you might run into while following the built-in assisted setup.

Performance

Modern Intel and AMD CPUs have AES hardware acceleration called AES-NI. This gives a significant performance boost (about 5x the next fastest algorithm in my benchmark here). It also means you don’t need to sacrifice your SSD’s throughput to keep it secure.

If your system lacks AES-NI then Twofish will likely be the quickest candidate. Run the benchmark a few times yourself to be sure. Not after speed? You can stack 2 (or 3) different algorithms to defend against unknown future vulnerabilities.

The last performance note is related to initial encryption time. The boot disk encryption happens in the background and you can continue to use your machine in the meantime, but any other disks you encrypt have to be processed ‘offline’. This means any secondary drive will be inaccessible for the duration of the in-place encryption and it could take upwards of 10 hours/TB to complete. If you are adding a new blank disk you can choose to “Create encrypted volume and format it” and save a lot of time.

Limitations

Any of the encryption algorithms can be used for your system drive, but the hashing algorithm used for the pseudo-random number generator is limited to RIPEMD-160. Most people I’ve talked to, or whose opinions I’ve read online, prefer the Whirlpool option. If you are going to have other non-boot disks with full encryption you can still use Whirlpool on them.

Also know that any secondary drives you want mounted at boot time will have to have the same password as your system disk. They will still have different keys (your password protects the actual key) and can also use different encryption algorithms.

Finally, if you are working with an SSD there are a greater number of caveats about information leakage.

Passwords

The data on your disk is going to be safe from (nearly) all known direct attempts to decrypt it. The password you use is the weakest link, so you are going to need a long passphrase with upper- and lower-case letters, numbers and symbols. Even if you are using a keyfile to amplify your entropy (which you currently cannot do with full system encryption) you should still have a good passphrase! If it’s something you will be remembering then a string of words (augmented with some numbers and punctuation) is your best bet. Length wins over complexity pretty quickly, and you can have up to 64 characters in your passphrase. The additional diversity in the types of characters increases the “search space” for a brute-force attack, multiplying the time needed (which is what we want).
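To put numbers on “length wins over complexity” and the 64-character limit, here is an added Python example (not part of the original post or of TrueCrypt) that estimates the brute-force search space of a candidate passphrase two ways: per character, from the classes actually used, and per word, for a passphrase built from a wordlist. The guess rate and the sample passphrases are constructed assumptions; the per-character figure is an upper bound that overstates a passphrase made of dictionary words, which is why the word-based estimate is shown alongside it.

```python
import math
import string

MAX_PASSPHRASE_LEN = 64        # TrueCrypt's limit, as stated in this post
ASSUMED_GUESS_RATE = 1e9       # guesses/second; constructed illustration only

CHAR_CLASSES = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}

def classes_used(passphrase):
    """Character classes that actually appear in the passphrase."""
    return [n for n, cs in CHAR_CLASSES.items() if any(c in cs for c in passphrase)]

def char_entropy_bits(passphrase):
    """Search space in bits if each character were chosen uniformly from the
    classes present. An upper bound: exact for random strings, too generous
    for a passphrase built from dictionary words."""
    alphabet = sum(len(CHAR_CLASSES[n]) for n in classes_used(passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0

def word_entropy_bits(word_count, wordlist_size=7776):
    """Search space in bits for word_count words drawn uniformly from a
    wordlist; 7776 is the size of a five-dice Diceware list."""
    return word_count * math.log2(wordlist_size)

def expected_crack_years(bits, rate=ASSUMED_GUESS_RATE):
    """Expected brute-force time: on average half the space is searched."""
    return (2.0 ** bits) / 2.0 / rate / 31_557_600

def within_limit(passphrase):
    """True if the passphrase fits TrueCrypt's 64-character maximum."""
    return 0 < len(passphrase) <= MAX_PASSPHRASE_LEN

if __name__ == "__main__":
    # Constructed samples: a short four-class password vs. a long word-based one.
    short_complex = "P@ss9Wrd!x"                   # 10 chars, all four classes
    long_words = "maplecanyonlanternfrost"         # 23 chars, four words
    for p in (short_complex, long_words):
        print(p, within_limit(p), classes_used(p), round(char_entropy_bits(p), 1),
              "bits;", round(expected_crack_years(char_entropy_bits(p)), 1), "years")
    print("4 words:", round(word_entropy_bits(4), 1), "bits;",
          "6 words:", round(word_entropy_bits(6), 1), "bits")
```

Note that the four-word sample scores well below the ten-character one on the honest word-based estimate (about 52 vs. 66 bits), so a word passphrase needs enough words, or the numbers and punctuation the post recommends, before length actually wins.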

If you don’t want to remember (or have to type) a long passphrase you can use a device like a YubiKey, which has multiple programmable ‘slots’ where you can store a long random key and have it typed for you.

Mount all the disks

There are options under Favorites for “system favorite volumes”. When you include your secondary drives in this list they will be mounted at start-up and all your drives will be waiting for you when you log in. On Windows machines this also means you can preserve drive letters.

Windows 8 and 8.1 (and likely later versions) have a feature called hybrid shutdown that reduces boot time by storing the kernel session and driver state on disk. Unfortunately this prevents your system favorites from mounting at start-up. The quick fix is to disable that feature. Press the Windows key and type ‘power’ – the quick search results will include “Change what the power buttons do” from Control Panel\Hardware and Sound\Power Options\System Settings. Just uncheck “Turn on Fast Startup” near the bottom of the page and then Save changes. On the next boot all your drives should be there.