Creating a Hidden Encrypted Partition with TrueCrypt

Welcome to the third part of a three-part series on encrypting partitions with TrueCrypt. In this part, you'll learn how to create a hidden encrypted partition that even TrueCrypt won't know is there, and how to mount your partitions.

February 16, 2010

Creating a Hidden Encrypted Partition

As I mentioned in the introduction to the first part, TrueCrypt can create two types of partitions: a standard partition and a hidden partition. The downside to creating a hidden partition is that the encryption process will destroy all the data on the partition. If you do not mind losing all the existing data on your partition, or if you require the protection a hidden volume provides, then a hidden partition may suit your needs just fine. If you do not need the security of a hidden partition, skip this section and read the second article, which covered creating a standard encrypted partition. Otherwise, follow the steps below to create a hidden partition.

Just a reminder: this method will destroy all the data stored on the partition. If you need to keep this data, you must back up the partition prior to encrypting it.

From the TrueCrypt main window, click the "Create Volume" button. This will start the wizard which will guide you from start to finish.  

Creating an encrypted partition can be accomplished through the "Encrypt a non-system partition/drive" option. I will discuss "Encrypt the system partition or entire system drive" in a future article. Once you have selected the appropriate option, click the "Next" button.  

Just as you did with the flash drive in the previous tutorial, you are going to create a hidden volume in this tutorial as well. Remember, having a decoy volume allows you to maintain plausible deniability against the existence of incriminating evidence or the existence of a hidden volume. Once you have selected the "Hidden TrueCrypt volume" option, click the "Next" button.  

 

Since you are creating a new volume, select the "Normal mode" option. You would select the "Direct mode" option if you wanted to create a hidden volume inside an existing standard encrypted partition. Once you have made your selection, click the "Next" button.  

Next, you will select the location of the partition. Click the "Select Device..." button to select your partition.  

 

Depending on your computer's setup, your dialog box may differ. One aspect of the information presented that will remain the same is the breakdown of hard drives and partitions. These can be identified by the following terms:

· Harddisk X

· \Device\HarddiskX\PartitionY

Harddisk X: Depending on the number of hard drives connected to your system, you may see Harddisk 0, Harddisk 1, Harddisk 2, etc. These represent the physical hard drives attached to your computer, regardless of whether they are connected internally or externally through USB. Each hard drive will be assigned a unique number. Any hard drive identified by the number 0 (zero) usually refers to your operating system drive (C:).

\Device\HarddiskX\PartitionY: Whenever an item begins with \Device, it represents a partition on a hard drive. It is easy to identify which hard drive a partition belongs to because the X in \Device\HarddiskX will match the same X in the physical Harddisk X mentioned above. Each partition is identified at the end as \Device\HarddiskX\PartitionY. Similar to hard drives, partitions are also assigned a unique number.

A typical system with multiple hard drives installed may look like this:

· Harddisk 0
    o \Device\Harddisk0\Partition1
    o \Device\Harddisk0\Partition2

· Harddisk 1
    o \Device\Harddisk1\Partition1

· Harddisk 2
    o \Device\Harddisk2\Partition1
    o \Device\Harddisk2\Partition2
    o \Device\Harddisk2\Partition3
    o \Device\Harddisk2\Partition4

To help identify the correct partition, the drive letter for each corresponding partition is listed in the "Drive" column. To reiterate what I discussed above, my Harddisk 0 contains three partitions, and Harddisk 4 (a portable hard drive) contains a single partition. Since I have assigned my new partition drive letter H:, I am going to select that partition from the list. If you are encrypting a partition on a removable hard drive, you would select that partition (you should be able to identify the partition via the "Drive" column). Once you have selected your partition (or hard drive), click the "OK" button, and then click the "Next" button. 

You will now configure the outer volume. You are not required to complete any tasks for this step, so simply click the "Next" button.  

Choosing Your Encryption Method

Now you will select the encryption method you wish to apply to the outer volume. The default "AES" encryption algorithm and "RIPEMD-160" hash algorithm are proven and recommended for their robust protection and performance. Once you have made your selections, click the "Next" button.  

Unlike the previous tutorials where you created a hidden volume, when you create an encrypted partition, you cannot specify the outer volume's size. The size of the volume will be determined by the size of the partition. Click the "Next" button to continue.  

Now you will enter the outer volume's password. This is the password you can divulge should the situation arise. Remember, it is impossible to identify the hidden volume unless the hidden volume's password is entered. Even though this is the password for the outer volume, you should always use a strong password. Once you have entered your password, click the "Next" button.  

You will now be asked if you intend to store files larger than 4 GB on the outer volume. You are asked this because the FAT and NTFS file systems differ greatly with regard to how and where they store data on the hard drive.

Because of a limitation posed by the NTFS file system, the overall size of your hidden volume will be severely limited should you choose this file system. Since this is the decoy volume, you should not be storing too much information, especially files larger than 4 GB.

The FAT file system is even recommended by the TrueCrypt developers. But, if you absolutely must store files larger than 4 GB on the outer volume, select "Yes" (you will be presented with a warning); otherwise, select "No." Once you have made your selection, click the "Next" button.  

 

 

 

Next, you will select the file system for the outer volume which you determined previously. As suggested earlier, TrueCrypt recommends you use FAT for the outer volume because NTFS significantly decreases the size of the hidden volume. This is an NTFS limitation, not a limitation of TrueCrypt. You can, however, use NTFS on the hidden volume without any limitations.

Just as you did when you formatted your new partition, you have the option to perform a "Quick Format" of the outer volume. When this option is unchecked, the entire volume will be formatted and filled with random data. While performing a quick format is much faster, it is less secure, because it will be possible to identify how much data the volume contains based on the abrupt disappearance of random data from certain locations on the partition. Besides, when you are creating an encrypted partition which contains a hidden volume, you are required to leave this option unchecked.
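The leak described above can be shown on a constructed partition image. This is an added example, not TrueCrypt code or part of the original article; the block size, the image sizes, the use of zeros for untouched space and all function names are assumptions made for the sketch.

```python
import os

BLOCK = 4096  # analysis granularity in bytes (value chosen for this sketch)


def make_partition(total_blocks, used_blocks, quick_format):
    """Build a constructed partition image for the comparison.

    Blocks the volume has written hold ciphertext, modelled as os.urandom
    output. After a quick format the untouched blocks keep whatever was
    there before (zeros in this model); after a full format they were
    filled with random data as well.
    """
    image = bytearray()
    for index in range(total_blocks):
        if index < used_blocks or not quick_format:
            image += os.urandom(BLOCK)
        else:
            image += bytes(BLOCK)
    return bytes(image)


def looks_random(block, min_distinct=200):
    """Cheap indicator: a random 4 KiB block uses nearly all 256 byte values."""
    return len(set(block)) >= min_distinct


def estimate_used_blocks(image):
    """Return the block index just past the last random-looking block.

    On a quick-formatted volume this is where the random data stops, which
    reveals how much has been written. On a fully formatted volume it is
    simply the partition size and reveals nothing.
    """
    used = 0
    for offset in range(0, len(image), BLOCK):
        if looks_random(image[offset:offset + BLOCK]):
            used = offset // BLOCK + 1
    return used


if __name__ == "__main__":
    for quick in (True, False):
        image = make_partition(total_blocks=64, used_blocks=10, quick_format=quick)
        print("quick format" if quick else "full format ",
              "-> data appears to end at block", estimate_used_blocks(image), "of 64")
```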

This step also generates a random number from your mouse movements based on the hash algorithm you selected earlier. It is important to move your mouse around the window a few times so a truly random number can be generated. You will see the "Random Pool" change whenever you move your mouse.

Once you have selected your desired file system, click the "Format" button. The formatting process can vary depending on the size of your partition and the speed of your hard drive. After you click the "Format" button, you will receive a warning message stating the partition will be completely erased, and you will be given the option to cancel the format.  

 

 

 

 

As you can see in this example, it will take roughly 30 minutes to format my volume.  

 

When the formatting process is complete, TrueCrypt will mount the outer volume under drive letter Z: and ask you to store some data on the volume. Clicking the "Open Outer Volume" button will open the volume in Explorer. Once you have finished storing some data on it, click the "Next" button.  

 

 

 

 

You will now configure the hidden volume. You are not required to complete any tasks for this step, so simply click the "Next" button.  

Just as you did with the outer volume earlier, you will now set the encryption options for the hidden volume. Keep the default "AES" encryption algorithm and "RIPEMD-160" hash algorithm, as these are very robust encryption methods. Click the "Next" button to continue.  

Now you will set the maximum size for the hidden volume. Since you cannot input decimals (.) into the size box, you may need to adjust the "KB, MB, and GB" options to suit your needs. When selecting a size, enter a size slightly smaller than the maximum size. This will allow the outer (decoy) volume to expand should you ever need to update the existing files or add newer files. Depending on how much space you left available, TrueCrypt may display a warning message informing you of the dangers of not leaving enough expansion space. Once you have entered the size, click the "Next" button.

 

 

 

Now you will select a password for the hidden volume. Just as you did with the outer volume, select a good, strong password. Do not use the same password you used for the outer volume. Once you have selected and entered a new password, click the "Next" button.

 

 

 

Just as you did with the outer volume, you will need to determine if you need to store files larger than 4 GB on the hidden volume. The hidden volume is not affected by the NTFS limitations posed during the format of the outer volume, so you can freely choose between FAT and NTFS for your hidden volume's file system. Once you have selected your desired file system, click the "Next" button.

 

 

 

Depending on your selection from the previous step, TrueCrypt will automatically select the best file system for you. Just as you did with the outer volume, be sure to move your mouse around the window so you can generate a truly random number. Since the entire volume has been created, the formatting process will be completed quickly. Once you have made your selection, click the "Format" button.

 

 

 

Once the formatting process is complete, you will be presented with two warning messages.

The first warning message reminds you that your volumes cannot be accessed via the partition's current drive letter (H: in this example). When you mount your volumes, you will mount them on a drive letter other than this one, because drive letters can only refer to one physical location. The only time you need to access the partition directly is to format the partition to remove the encryption. Click the "OK" button to close this warning.

 

 

 

Just as you did with flash drives, the hidden volume needs to be protected whenever the outer volume is mounted. When the outer (decoy) volume is mounted, TrueCrypt has no way of knowing the hidden volume exists unless you mount the outer volume a specific way. You will learn how to do this in the next section. Click the "OK" button to close the warning.

 

 

 

If you open Computer, you will notice your partition has maintained its original drive letter. If you try to open this partition directly, Windows will display a warning message stating it does not recognize the file system.

 

 

 

Now that you are finished creating your outer and hidden volumes, click the "Exit" button. To mount the volumes, follow the steps in the next two sections.

 

 

 


Mounting and Dismounting the Hidden/Standard Volume

 

Up to this point, you have successfully created a hidden encrypted partition or a standard encrypted partition. All you need to do now is mount these volumes so you can access your encrypted data. Since the steps to mount a hidden or standard volume are the same, you can use this guide to learn how to mount both types of volumes.  

TrueCrypt features the ability to automatically mount partitions without having to manually select them from a list of available devices. (You can manually select the partition by clicking the "Select Device..." button on the main window.) After you enter a password, TrueCrypt scans the headers of all the available partitions (including non-encrypted partitions) as it tries to mount every available partition. This process can take a considerable amount of time on a slow computer with many partitions, so you may need to mount your partitions manually depending on your system.

With the TrueCrypt main window open, select a drive letter to mount the volume under, then click the "Auto-Mount Devices" button.

 

 

 

When the password dialog box opens, enter the hidden or standard volume's password. As you may recall from my previous article on protecting flash drives, the hidden volume does not require any additional settings in order to mount it; only the outer (not to be confused with standard) volume requires special settings. This is to protect your hidden volume from any unnecessary damage or corruption. Once you have entered your password, click the "OK" button.

 

 

 

Once you have entered the correct password, your volume will be listed in the TrueCrypt main window. If you are mounting a hidden volume, you can confirm this by verifying the value in the "Type" column. You can now access your volume by either double-clicking on it in the TrueCrypt main window, or you can access it through Computer.

 

 

 

Once you are finished working with your volume, you can dismount it through the TrueCrypt main window by selecting the volume in the list, then clicking the "Dismount" button.

 

 

 


Mounting and Dismounting the Outer Volume

  

Even though you may seldom mount the outer volume, it is extremely important that you learn how to mount it correctly. As you may recall, when the outer volume is mounted, TrueCrypt has no way of knowing the hidden volume exists unless you explicitly tell TrueCrypt it exists. This can cause irrecoverable damage to the hidden volume without any warnings from TrueCrypt.

To mount the outer volume, select a drive letter to mount the volume under, then click the "Auto-Mount Devices" button. When you are prompted to enter a password, enter the outer volume's password, then click the "More Options..." button.

 

 

 

In the "Mount Options" window, you are going to tell TrueCrypt that a hidden volume exists. In the "Hidden Volume Protection" section, check the option "Protect hidden volume against damage caused by writing to the outer volume." You will now enter the hidden volume's password in the password field directly below the check box. Now that TrueCrypt knows a hidden volume exists, you can interact with the outer volume without risking any damage or corruption to the hidden volume. Click the "OK" button after you have entered the hidden volume's password, then click the "OK" button on the password box to mount the volume.

 

 

 

If the outer volume is mounted successfully and the hidden volume is protected, TrueCrypt will display a warning message. If you try to write more data than is available on the outer volume, TrueCrypt will write-protect the hidden volume. This will cause Windows to report "Delayed Write Failed" errors. These errors could indicate a hard drive problem, or they could indicate that a hidden volume exists, which could adversely affect plausible deniability. This is exactly why you left expansion room when you set the size of the hidden volume. Click the "OK" button to close the warning message.
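The effect of the "Protect hidden volume" option and of the expansion room can be seen in a small model. This is an added example, not TrueCrypt code or part of the original article; the class, the function, the 1000 MB partition, the file sizes, the back-to-back file placement and the way a refused write locks the volume are all assumptions made for the sketch.

```python
class OuterVolume:
    """Toy model of a mounted outer volume; all sizes are in MB.

    Assumed layout for this sketch: the hidden volume occupies the last
    `hidden_mb` of the partition and the outer file system may write anywhere.
    """

    def __init__(self, partition_mb, hidden_mb, protect_hidden):
        self.partition_mb = partition_mb
        self.hidden_start = partition_mb - hidden_mb
        self.protect_hidden = protect_hidden  # the "Protect hidden volume" box
        self.write_protected = False
        self.hidden_damaged = False

    def write(self, offset_mb, length_mb):
        """Return True if the write is carried out, False if it is refused."""
        end = offset_mb + length_mb
        if end > self.partition_mb:
            raise ValueError("write runs past the end of the partition")
        if self.write_protected:
            return False  # surfaces in Windows as a failed write
        if end > self.hidden_start:
            if self.protect_hidden:
                # Modelled as: refuse this write and every later one.
                self.write_protected = True
                return False
            # No protection: the write succeeds and overwrites hidden data.
            self.hidden_damaged = True
        return True


def copy_files(volume, sizes_mb):
    """Write files back to back from offset 0 (simplified allocation)."""
    offset, results = 0, []
    for size in sizes_mb:
        ok = volume.write(offset, size)
        results.append(ok)
        if ok:
            offset += size
    return results


if __name__ == "__main__":
    decoy_files = [80, 50]  # constructed sizes in MB
    cases = [("unprotected, no room", 900, False),
             ("protected, no room", 900, True),
             ("protected, with room", 700, True)]
    for label, hidden_mb, protect in cases:
        vol = OuterVolume(1000, hidden_mb, protect)
        print(label, copy_files(vol, decoy_files),
              "damaged" if vol.hidden_damaged else "intact")
```

Only the third case, protection enabled and enough expansion room, completes both writes with the hidden data intact; the first silently damages the hidden volume and the second produces the failed write the article warns about.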

 

 

 

Once you have entered the correct password, your volume will be listed in the TrueCrypt main window. You can confirm this is the outer volume by verifying the value in the "Type" column.

 

 

 

If you open your mounted volume, you should see all the same files you copied over at the beginning of this tutorial. Keep in mind that the outer volume has limited available space, so use it sparingly. From time to time, you should open and modify these files so their timestamps are more current, reinforcing the notion that a hidden volume does not exist.

 

 

 

When you are finished working with the outer volume, dismount it from the TrueCrypt main window by selecting your mounted volume from the list, then clicking the "Dismount" button. Even though you were required to mount the outer volume a specific way, no special steps are required to dismount it.

Summary  

In this tutorial, you learned how to encrypt your partitions so your data remains safe should you ever be required to produce private or sensitive information. Storing your data on hard drives and partitions allows you to encrypt much more data than standalone volumes can effectively and efficiently store. When performing housekeeping on the outer volumes, always remember to protect the hidden volume first, because writing to the outer volume without that protection can cause irrecoverable damage to the hidden volume.

While you may seldom mount the outer volume, it is important to update the timestamps so your volume continuously looks "used" should you ever be required to divulge your password. Also remember that standard volumes do not contain a hidden partition, so make sure to use an extra-strong password.  

In my next article, I will take these concepts further and show you how to encrypt an entire hard drive. While the steps will be similar to those here, hard drives must be prepared a certain way, which was beyond the scope of this article. In my final article in the TrueCrypt series, you will learn how to encrypt your Windows operating system, and even create a hidden operating system which can be used to fool hackers.
