Feb 18

I’ve been a long-time believer in the need to encrypt your data but the question has always been, at what cost? Do I slow my access to the data down? Do I store it on a separate hardware encrypted device? Can I recover the data if something becomes corrupt? These are all important questions to ask oneself when deciding on the level of protection of your data. TrueCrypt has won a new place on my shelf of security tools.

TrueCrypt has been one of the most intriguing programs I have used over the past few years. It has the ability to create encrypted containers to store data in that can be auto-mounted as drives during Windows logon, it’s cross-platform, it allows encryption of full partitions, and most recently, in v5, it added full system encryption (including a Windows partition). It does this in a seemingly easy but secure way.

The process starts by downloading and installing a 5MB program. Once installed (no reboot required — I like), a user can choose to “Encrypt System Partition/Drive” from the “System” menu. A quick series of questions runs through in a clean, wizard interface and it sets up the new boot loader for the computer. Next, it requires a reboot to ensure that the boot loader works OK. This is an important step that I’m glad that the developers added in. It means that I can’t encrypt my drive before I make sure that the boot loader is compatible with my setup. The second to last step is the annoying one. TrueCrypt creates an ISO that can be burned as a recovery disk — and then requires the user to burn the disk (this can be overcome with ISO mounting software). This is great for a normal user but if used in a corporate environment, I’d rather just save the ISOs to a network location for burning later (if needed). Finally, the program goes through and encrypts the entire drive. My Dell Latitude D400 encrypted AES at 60MB/sec (your mileage may vary).

TrueCrypt - Setup Screen

Poof, you’re done. The next time the computer is rebooted, it will have an entirely encrypted drive. While it does give you the option of skipping the boot loader, it is not helpful unless you have another drive or partition in the computer, otherwise you get a “No OS found” message at the boot screen. The recovery disk (since 5.0a) works like a charm in every computer I have tried. It can rewrite the Windows boot loader, rewrite the encryption keys (if a password was changed and forgotten) and reload some of the system tools necessary in case the drive gets messed up. With this setup, a user can treat their computer (once booted) as normal. Defrags work fine, disk cleanups and anything else a user can throw at it doesn’t seem to faze the system.

I recommend this software for most of your encryption needs. If you need a system with recoverable keys and passwords from a central repository, you may be better off going with a commercial tool like PGP. They allow a central repo for storing both keys and passwords and recovery of that info at a moment’s notice. Personally, I’d stick with having to keep a 1.8MB recovery ISO around just in case I somehow forget my password.
