Encrypting Flash Drives with TrueCrypt
In my previous article, "Introduction to TrueCrypt," I showed you the basics of encryption, how to install and use TrueCrypt, and how to mount and dismount standalone volumes. In this article, we will examine the basics of encrypting portable USB flash drives. Unlike the previous article, you will create a hidden volume to provide an extra layer of security. If you recall, hidden volumes can be stored inside standalone volumes and inside partitions and entire hard drives.
When using hidden volumes, TrueCrypt actually creates two separate volumes: an outer (decoy) volume and a hidden volume. This allows you to store data in two separate locations. Each volume has its own individual settings, from the file system used to the level of encryption you require.
The outer volume is used to store non-sensitive or non-incriminating files should you ever be required to divulge your password. In other words, if you are ever required to provide your password to authorities (or another authority figure), you will provide them with the password to the outer volume.
Since this password will decrypt the outer volume, you can maintain plausible deniability as to the existence of the hidden volume. The hidden volume is used to store sensitive files, and is protected by a completely separate password. In fact, TrueCrypt has no way of knowing the hidden volume exists when the outer volume is mounted.
The only downside to using TrueCrypt on a flash drive is that you will need administrative rights on any computer on which you intend to mount your volume. This is not a limitation of TrueCrypt, but rather a security feature of Windows. If you need to use your flash drive on a computer other than your own, you will need administrator privileges on that machine.
Preparing the Flash Drive
To get started, you will need a USB flash drive. In this tutorial, I am using a 4 GB Cruzer Micro already populated with files. Before you continue with this tutorial, you may want to copy all the files stored on your flash drive to your computer. You want to maximize your flash drive's free space so you can create the largest standalone volume possible. Once you have copied all your files, delete all the files from the flash drive.
If you do not want to delete everything on your flash drive, you have the option to continue the process. You will, however, be limited to the maximum possible size of the volume. You are not required to create a volume as large as your flash drive; you can define a size that suits your needs. The only reason I encourage you to use all the space on the flash drive is to discourage you from unintentionally storing any files on the unencrypted portion.
You may remember that in the previous tutorial, you created a standalone volume. I also said this volume could be stored anywhere: on your desktop, a flash drive, or even the "cloud." In this tutorial, you will be creating another standalone volume, with the addition of a hidden volume. Because a flash drive can be easily misplaced or stolen, you are going to use the highest level of security TrueCrypt offers. TrueCrypt has a built-in tool that is specifically designed for portable hard drives.
After you have finished removing all the necessary files from your flash drive, check the amount of available space, as this will determine your volume's maximum size. This will also help you decide whether or not you need to remove additional files from the drive, depending on the overall size of an encrypted volume you need. You can find your flash drive's available space by viewing it in Computer/My Computer. My flash drive has 3.75 GB of available space.
In order to use TrueCrypt, you must first install it. If you have already installed TrueCrypt, you can skip this step. TrueCrypt is available for free at its website: http://www.truecrypt.org/. The TrueCrypt installation is very simple. Follow these steps and you will have it installed and running in no time.
Download TrueCrypt; double-click "TrueCrypt Setup 6.3a.exe."
If you are warned by Windows' User Account Control, click the "Yes" button.
Accept the license agreement.
Choose the "Install" option (I will discuss the "Extract" option in a later article).
Keep the default installation directory and make sure all the check boxes are checked. Click the "Install" button.
Wait for the installer to finish. Click the "OK" button when the installation completes.
When prompted to read TrueCrypt's Beginner's Guide, you can select either "Yes" or "No" depending on whether you would like to read the guide now or bookmark it for future reading. This tutorial should, however, serve as a decent starter's guide.
Click the "Finish" button.
Once the installation is complete, run TrueCrypt by clicking the icon the installer created on your desktop, or by clicking the icon created in the Start menu.

As I mentioned earlier, TrueCrypt has a built-in tool specifically designed for preparing flash drives. You can access this tool by going to Tools > Traveler Disk Setup... on the main menu.
The Traveler Disk Setup window will now open. The first thing you need to do is specify the location of your flash drive. TrueCrypt will copy all the necessary files to your flash drive so you can use TrueCrypt on a computer that does not have it installed. Only about six files are copied, totaling about 4 MB, so very little space on your flash drive is consumed by TrueCrypt. Click the "Browse..." button to select the root of your flash drive.
Select your flash drive, then click the "OK" button.

Now, let's discuss some of the options available in the Traveler Disk Setup tool. By default, the "Include TrueCrypt Volume Creation Wizard" option is already checked. This option will copy the necessary files, allowing you to create more TrueCrypt volumes directly from the flash drive. This is completely optional and will not affect the integrity of the volumes already stored on your flash drive.
TrueCrypt also has several mounting options. Unfortunately, due to new security improvements, none of these options work on computers running Windows 7 (Windows 7 has disabled AutoPlay and AutoRun on USB devices). On the bright side, these options will work on Windows Vista and XP.
Since everything on this flash drive will be encrypted, you are going to enable auto-mounting of the TrueCrypt volume. This means that right after you connect the flash drive to the computer, TrueCrypt will be launched automatically, allowing you to use your volume with minimal effort. TrueCrypt will prompt you for your password, and your volume will not be mounted until TrueCrypt has verified the password for the volume. Select the "Auto-mount TrueCrypt volume (specified below)" option in the "AutoRun Configuration (autorun.inf)" section, and click the "Browse..." button once the "Mount Settings" section is no longer grayed out.

You will now choose a name and location for your volume. Store your volume in the root of your flash drive for easy access. In this example, I am naming my volume "data.txt." During this step, you need to remember the name and location of your volume because this tool will not create your volume. You will still need to create the actual volume using the Volume Creation Wizard. Click the "Open" button once you have created a name for your volume.

There are still a few more options to configure before we can finish this step:
Mount volume as drive letter: This option will let you select a custom drive letter to mount your volumes on. Keep this set to "First available" in case the drive letter you select is being used by another device.
Open Explorer window for mounted volume: When this option is checked, after you have successfully entered your volume's password, Windows will open your mounted volume in Explorer so you can quickly and easily browse your files.
Mount volume as read-only: This option is self-explanatory: you will not be able to create, modify, or delete any information on the volume while it is mounted.
Cache password in driver memory: If you recall from my previous article, this option will allow you to remount your volume without using a password after it has been recently dismounted. For security purposes, you never want to leave this option checked, because it would allow someone to mount your volume on the same computer without being required to enter a password.
Once you have verified that your settings look similar to those shown below, click the "Create" button.

You should see a message saying the traveler disk was successfully created. It also informs you that TrueCrypt must be run with administrator privileges when run from a flash drive, as discussed earlier. Click the "OK" button to close the window, then click the "Close" button on the Traveler Disk Setup tool.

If you open your flash drive from Computer, you should see two items created by TrueCrypt: a folder called "TrueCrypt" and a file called "autorun.inf."

If you open the "TrueCrypt" folder, you will see four additional files, all of which are required for mounting and dismounting your volumes.
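One way to check the autorun.inf on the prepared drive against the options chosen above, as an added example that is not part of the original article or of TrueCrypt. It reads the open= line using TrueCrypt's documented command-line switches (/v, /e, /m ro, /c, /p). The sample file contents, the expected path TrueCrypt\TrueCrypt.exe and the function name audit_autorun are assumptions made for illustration; the lines Traveler Disk Setup actually writes may differ.

```python
import shlex

EXPECTED_EXE = r"TrueCrypt\TrueCrypt.exe"  # assumption: the "TrueCrypt" folder from this tutorial

# Constructed sample, not copied from a real drive; the exact lines Traveler
# Disk Setup writes may differ. The trailing "/c y" is a deliberate weak setting.
SAMPLE_AUTORUN = r'''[autorun]
label=TrueCrypt Traveler Disk
icon=TrueCrypt\TrueCrypt.exe
open=TrueCrypt\TrueCrypt.exe /q /e /v "data.txt" /c y
shell\dismount\command=TrueCrypt\TrueCrypt.exe /q /d
'''

def audit_autorun(text, expected_volume="data.txt"):
    """Parse the open= command and return (settings, findings)."""
    entries = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith((";", "[")):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    # posix=False keeps the backslashes of Windows paths intact
    tokens = [t.strip('"') for t in shlex.split(entries.get("open", ""), posix=False)]
    if not tokens:
        return {}, ["no open= command: nothing is auto-mounted"]
    settings = {"volume": None, "explorer": False, "read_only": False, "cache": False}
    findings = []
    if tokens[0].lower() != EXPECTED_EXE.lower():
        findings.append(f"open= launches {tokens[0]!r} instead of {EXPECTED_EXE!r}")
    args = tokens[1:]
    for i, arg in enumerate(args):
        sw = arg.lower()
        value = args[i + 1] if i + 1 < len(args) and not args[i + 1].startswith("/") else None
        if sw in ("/v", "/volume"):
            settings["volume"] = value
        elif sw in ("/e", "/explore"):
            settings["explorer"] = True
        elif sw in ("/m", "/mountoption") and value == "ro":
            settings["read_only"] = True
        elif sw in ("/c", "/cache"):
            settings["cache"] = value != "n"  # "y" or no parameter enables the cache
        elif sw in ("/p", "/password"):
            findings.append("volume password is stored in plain text in autorun.inf")
    if settings["cache"]:
        findings.append("password caching is enabled; the tutorial says to leave it off")
    if settings["volume"] != expected_volume:
        findings.append(f"mounts {settings['volume']!r}, expected {expected_volume!r}")
    return settings, findings

if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE_AUTORUN)[1]:
        print("WARNING:", finding)
```

To audit a real drive, pass the text of its autorun.inf to audit_autorun instead of the constructed sample.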

Now that your flash drive is prepared, you are ready to create the volume.
More By Jeff Prater