Security is about controlling data. Gone are the days when administrators could build walls around their data. Mobility has broken down those walls. With your data mobile, your best method of protection is through encryption.
When it comes to encryption, many of the tools out there are either overkill or don't quite fit the bill. Personal and professional file-encryption utilities encrypt files just fine, but the mere presence of an encrypted file can be enough to tip off an intelligent hacker. Disk-level encryption systems do exist, but they are usually hardware-based, and can be too expensive for casual or noncommercial use.
The user can choose one of several heavily tested algorithms -- Serpent, AES, DES, Blowfish, etc. -- for encryption, and can even run benchmarks to determine the speed of each algorithm for real-world use. The encryption itself is handled entirely in real time by a file-system driver and is totally transparent to the end user.
The most important feature of all is that every TrueCrypt volume is indistinguishable from random data. No volume created by TrueCrypt, whether in a standalone file or on a device, can be identified until it's mounted and the right password is supplied.
Other TrueCrypt features
TrueCrypt has several other features that make it genuinely useful and powerful:
Keyfiles: TrueCrypt volumes are normally password-protected, but for additional security you can apply a keyfile. The keyfile is hashed against the password and used to unlock the volume, so without the keyfile the volume won't be readable. Any file -- an MP3, a picture, you name it -- can be used as a keyfile. This provides an additional level of protection that cannot be defeated by, for instance, a keylogger or other surveillance.
"Traveller" mode: TrueCrypt can be installed on a volume (such as a removable drive) and used on systems where TrueCrypt itself is not present. The user will usually need to have administrative privileges to do this, however.
"Steganography" mode: Any TrueCrypt volume can have another, hidden TrueCrypt volume concealed inside it. The only way to access the hidden volume is through its own private password, which is not possible to determine by analyzing the volume. This is useful if you are coerced to reveal a password for a given volume, or if the password gets exposed. The "outer" volume can contain some superficially important data while the hidden "inner" volume contains what you're really hiding.
TrueCrypt comes with a number of wizards to automatically create and configure volumes. For practice, it's best to work with a file-based volume, but for the best possible security you will want to use a device-based volume. There are three major advantages to using a device volume:
- It's practically impossible to tell a TrueCrypt volume from random data. Therefore, if an encrypted disk falls into the wrong hands there will be no way to determine if it is indeed valuable data or simply a disk that has been erased using a random-erasure algorithm. An individual file might be suspicious (especially if it seems to serve no real purpose), but an entire volume is harder to judge.
- The hidden-volume feature lets you conceal additional data on a partition or device without the disk size itself betraying that fact. If you place a hidden volume inside a TrueCrypt file volume, rather than a partition or device volume, it's possible to compare the size of the file volume with the space its visible data occupies and notice that the data doesn't fill all the allocated space -- and thereby infer that a hidden volume may be present.
- Device volumes are a little faster than file volumes, since there's less file-system overhead.
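The "indistinguishable from random data" claim above, and the point in the first bullet that an encrypted device cannot be told from a randomly wiped one, can be checked the way a forensic examiner would: by measuring the byte distribution of a disk region. The following is an added example, not code from the article or from TrueCrypt; it uses constructed stand-in buffers rather than real volumes, and the thresholds are assumptions chosen for 64 KiB samples.

```python
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum, reached only by uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution.

    For truly random data the value sits near 255 (the degrees of freedom);
    values orders of magnitude higher indicate structure (text, headers, zero fill).
    """
    n = len(data)
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_random(data: bytes, min_entropy: float = 7.9, max_chi: float = 400.0) -> bool:
    """Assumed decision rule: near-maximal entropy AND a flat histogram."""
    return shannon_entropy(data) >= min_entropy and chi_square(data) <= max_chi


# Constructed samples standing in for 64 KiB disk regions (not real TrueCrypt volumes):
SAMPLES = {
    "encrypted_volume": os.urandom(65536),    # ciphertext with no header signature
    "random_wiped_disk": os.urandom(65536),   # disk erased with a random-fill pass
    "zero_wiped_disk": bytes(65536),          # disk erased with a zero-fill pass
    "plain_text": b"quarterly report: revenue up 4%\n" * 2048,  # unencrypted data
}


def classify(samples: dict = SAMPLES) -> dict:
    """Return {sample name: True if the region is statistically indistinguishable from random}."""
    return {name: looks_random(buf) for name, buf in samples.items()}


if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:18} entropy={shannon_entropy(buf):.3f} "
              f"chi2={chi_square(buf):10.1f} random-looking={looks_random(buf)}")
```

The encrypted and randomly wiped regions both pass, so the test cannot separate them, which is exactly the deniability the article describes; the zero-filled and plaintext regions fail immediately, which is why an examiner can at least flag "high-entropy region" even when no volume header is visible.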
TrueCrypt's one major drawback at this time is that it is not possible to use it at the OS level -- for instance, you can't create an encrypted Windows system volume with it, only data volumes. It would be possible to use a program like Virtual PC to create a system image on an encrypted disk and boot that, although the virtualized OS would probably take a performance hit.
Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
This was first published in March 2006