Whole Drive Encryption with TrueCrypt 5.1a (Part 3 of 3)
Posted by: Chris in Adventures in IT, tags: mobile, security
GParted did the job! I was able to resize my partition. At first I was a bit nervous booting into GParted (I used the automatic boot, worked fine) because I saw a lot of command-line text as it was booting. And then I saw a Linux bash prompt. I cringed, thinking “Oy, I’m going to have to learn some esoteric command line stuff in order to resize this partition…” and just a couple seconds after that I saw a GUI interface come up. Hmm, quite nice. I clicked on my drive, found my partition and was able to actually just use the mouse to resize my partition by clicking on the edge of the partition and then dragging it larger. Very nice! I was able to use some finer controls below the graphic interface with some numbers in it (representing the size of the partition) to leave myself 8 GB of space at the end of the drive (that’s 8192 MB). I decided I would put the virtual memory here in a 4 GB virtual memory file, leaving 4 GB of space left on that partition as well. Following the prompts on the screen I was able to do what I needed to resize the partition! I was very happy as I’ve been searching for a free partition manager for years. I’m glad the folks at Clonezilla led me to GParted.
So what about the actual whole drive encryption? Well, this is currently only available to do in Windows. Since I’m using XP, I was okay with this. I installed TrueCrypt version 5.1a and started going through the prompts to encrypt the whole drive. OK, before you try this on your own, you’re going to need the ability to burn a recovery CD. The program will not allow you to finish whole drive encryption until it can verify that you’ve created a TRD (TrueCrypt Recovery Disk). So if your laptop won’t burn CDs (like my refurbished one here doesn’t) then you’ll need a USB key or some other means (I used a mapped network drive) to move the .ISO file to another computer to be able to burn the TRD. You’ll also be asked to choose a passphrase of 20 or more characters! Ouch… well, I decided to use 3 of my strong passwords strung together. You can get by with less, but I don’t recommend it. Just DON’T FORGET YOUR PASSPHRASE, or you will lose access to all data on the drive. Important data should be backed up somewhere, maybe an offsite file backup like MozyPro.
One of the things I was worried about was the data. The whole idea of whole drive encryption is to make sure the data on the hard drive is encrypted and not readable. But when you write data to a drive, there is a possibility of data still being read off the drive, even if it has been overwritten (see this article for a little more information on this). I don’t have much information on my laptop that I’m worried about, so in essence I’m not overly concerned with the data on my own drive. However, I am concerned with the data on my customers’ drives. Many of them are bound by HIPAA and have access to an abundance of sensitive data. Laptops get stolen. So, not encrypting your data is not quite like leaving your car door unlocked in the Bronx, it’s more like leaving the car door locked (because you try to be careful with your laptop), but having built the car so you don’t need a key to start it - just a big red button that says ‘Start’.
Luckily, TrueCrypt offers 3 methods of wiping the drive as it encrypts the drive. I was pretty happy to see this as an option. I was trying to figure out how to use Darik’s Boot and Nuke system to wipe the data on the drive, then encrypt it - but that wouldn’t help me because after a wipe I’d have to replace all the data on the drive. Well, TrueCrypt offers a 3-pass, 7-pass and a 35-pass option for wiping the data ‘beneath’ the data the operating systems can use. I was happy to use the 7-pass option. When I started, it said it would take 8 hours to complete! Well, good thing I started the process late at night. After an hour of operation, I went back to check the computer and it said only 7 hours left! It was accurate - and typically I find the time estimations of software to be very inaccurate. So I went to bed, safely secure in the knowledge that my system would be ready when I woke up. And it was!
I didn’t notice any speed enhancement with the TrueCrypt drivers for access to my hard drive (nor do they actively advertise the fact), but I didn’t think they’d be noticeable anyway. Maybe with a faster drive, like 7200 RPM or a nice SATA interface you may notice a difference. But I just don’t need my laptop for much more than writing here on IT Legends, so I don’t need that faster hard drive.

