Information Security

Defending the digital infrastructure



TrueCrypt an open source laptop encryption choice for SMBs

TrueCrypt eases security and privacy concerns. The open source security software encrypts a dedicated space on your hard drive, a partition or the whole disk, as well as removable storage devices.

Here's an important encryption algorithm for you to memorize:
PD – (p0l1cy & enc) = br3ach

Just kidding; the translated version may be less silly, but no less accurate: Portable devices without clear policy and encryption enabled may well lead to a data breach.

A June 2008 study conducted by the Ponemon Institute on behalf of Dell found that more than 12,000 laptops are lost by users each week as they pass through airports.

What to do? While more corporations are deploying commercial encryption solutions, it's not yet general practice. If you want to do something for yourself, and perhaps for your small business or circle of executives, consider TrueCrypt. TrueCrypt is free, open source, on-the-fly encryption software for your laptop: data is encrypted transparently as it is written and decrypted as it is read, so a volume is only ever in the clear while it is mounted. Using TrueCrypt, you can encrypt a dedicated space on your hard drive, a partition or the whole disk, as well as removable storage devices. TrueCrypt will help assuage your concerns about security as well as privacy, and perhaps point your enterprise down the road of portable device best practices.

Keeping Track
Open source Adeona keeps tabs on your wandering laptop.

You've taken the steps to encrypt your data with TrueCrypt; now take the time to make use of Adeona (http://adeona.), the open source "LoJack" for your laptop. This project's approach to system tracking also manages to preserve your privacy.

Only you, or someone you choose to act on your behalf, can track your laptop with Adeona. Mac users will love the fact that Adeona can make use of the built-in iSight camera and capture pictures of your laptop's thief in action.

The Adeona client on the laptop periodically gathers location information, including its current IP addresses and local network topology, and stores the updates in OpenDHT, a public distributed hash table. To keep this private, Adeona cryptographically protects the updates so that only you (or the agent holding the credentials you created at installation) can retrieve and read them; neither the people running the storage nor anyone else can use the Adeona system to reveal where the device has been.


TrueCrypt is not currently geared toward the enterprise, but if you are concerned about sensitive business and personal data, or aren't satisfied waiting for corporate to roll out a commercial solution, TrueCrypt is a worthy alternative.

While it lacks the central management, key management, reporting, access control features and scalability of enterprise commercial products, it's suitable for small office or workgroup scenarios. Multiple users can share access to encrypted data by presenting keyfiles in addition to their passwords. You can create any number of keyfiles using TrueCrypt's random number generator.

While not necessarily enterprise-ready, TrueCrypt's choice of cryptographic algorithms and encryption methodology is comparable to its commercial counterparts, and it may well be easier to use.

The mode of operation TrueCrypt uses for encrypted partitions, drives and virtual volumes is XTS, a variant of Phillip Rogaway's XEX mode. XEX uses a single key for two different purposes, while XTS uses two independent keys: the primary encryption key and a separate secret "tweak key." "Tweak" refers to a block cipher that accepts a second input (the tweak) in addition to its plaintext or ciphertext; the tweak, together with the key, selects which permutation the cipher computes. In XTS the tweak is derived from the sector number and the block's position within the sector, so the same 16-byte plaintext stored at two different places on disk produces two different ciphertexts, which a naive block-by-block (ECB) encryption would not. XTS has been the IEEE 1619 standard for cryptographic protection of data on block-oriented storage devices since December 2007. Bear in mind that XTS provides confidentiality only: there is no integrity check, so someone with write access to the container can corrupt any 16-byte block and nothing will notice.
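To make the tweak concrete, here is an added Python example of the XTS construction; it is not TrueCrypt's code and does not come from the article. The tweak key K2 encrypts the sector number once, giving T; block j of the sector uses T multiplied by alpha^j in GF(2^128), and is encrypted as E_K1(P_j xor T_j) xor T_j. AES is replaced by a small SHA-256-based Feistel network (an assumption made only so the script runs on the standard library); the XTS layer and the GF(2^128) arithmetic follow IEEE 1619, except that ciphertext stealing for partial final blocks is omitted. The last function shows what XTS does not give you: flipping one ciphertext bit scrambles exactly one block on decryption, and nothing detects it.

```python
import hashlib

BLOCK = 16  # XTS operates on 128-bit blocks, as TrueCrypt's ciphers do


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function for the stand-in cipher: 8 bytes of SHA-256 output.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (a 4-round Feistel network). It is NOT AES
    and exists only so the XTS layer below has a keyed permutation to wrap."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def gf128_mul_alpha(tweak: bytes) -> bytes:
    """Multiply a 128-bit tweak by alpha (= x) in GF(2^128) modulo
    x^128 + x^7 + x^2 + x + 1, using the little-endian bit order of IEEE 1619."""
    n = int.from_bytes(tweak, "little") << 1
    if n >> 128:                      # carry out of bit 127: reduce
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(16, "little")


def _xts(key1: bytes, key2: bytes, sector: int, data: bytes, encrypt: bool) -> bytes:
    if len(data) % BLOCK:
        raise ValueError("whole blocks only; ciphertext stealing is omitted here")
    # The tweak key (key2) encrypts the sector number once; block j of the
    # sector then uses T * alpha^j, so the position within the sector matters too.
    tweak = toy_encrypt_block(key2, sector.to_bytes(BLOCK, "little"))
    core = toy_encrypt_block if encrypt else toy_decrypt_block
    out = bytearray()
    for j in range(0, len(data), BLOCK):
        out += _xor(core(key1, _xor(data[j:j + BLOCK], tweak)), tweak)
        tweak = gf128_mul_alpha(tweak)
    return bytes(out)


def xts_encrypt_sector(key1: bytes, key2: bytes, sector: int, plaintext: bytes) -> bytes:
    return _xts(key1, key2, sector, plaintext, True)


def xts_decrypt_sector(key1: bytes, key2: bytes, sector: int, ciphertext: bytes) -> bytes:
    return _xts(key1, key2, sector, ciphertext, False)


def flip_bit_and_decrypt(key1: bytes, key2: bytes, sector: int, ciphertext: bytes, offset: int) -> bytes:
    """XTS malleability: flipping one ciphertext bit scrambles only the 16-byte
    block it belongs to, and no error is raised because XTS carries no MAC."""
    tampered = bytearray(ciphertext)
    tampered[offset] ^= 0x01
    return xts_decrypt_sector(key1, key2, sector, bytes(tampered))


if __name__ == "__main__":
    k1, k2 = bytes(range(32)), bytes(range(32, 64))  # two independent keys (constructed)
    plain = b"A" * (4 * BLOCK)                        # four identical plaintext blocks
    cipher = xts_encrypt_sector(k1, k2, 7, plain)
    print("identical blocks encrypt differently:", cipher[:16] != cipher[16:32])
    print("round trip ok:", xts_decrypt_sector(k1, k2, 7, cipher) == plain)
    damaged = flip_bit_and_decrypt(k1, k2, 7, cipher, 20)
    print("only block 1 scrambled:", damaged[:16] == plain[:16] and damaged[16:32] != plain[16:32])
```

The same plaintext sector encrypted under sector number 8 instead of 7 also comes out different, because the tweak changes; that is the property that stops an attacker from spotting repeated content across the disk. The malleability shown by the last function is why full-disk encryption protects a stolen laptop's confidentiality but not the integrity of its contents against someone who can write to the disk and hand it back.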

Encryption algorithms include AES, Serpent and Twofish, and ciphers can be cascaded, that is, used in combination: AES-Twofish, Serpent-Twofish-AES, and so on. In a cascade each cipher uses its own independent key and each 128-bit block passes through the ciphers in turn; with AES-Twofish, for example, a block is first encrypted with Twofish (256-bit key), then with AES (256-bit key).

Hash algorithms, which include RIPEMD-160, SHA-512 and Whirlpool, are used by the header key derivation function (which turns your password and keyfiles into the key that protects the volume header) and by the random number generator, so they come into play during volume creation, password changes and keyfile generation.

All three are considered secure in the sense that it is computationally infeasible to recover a message from its digest. SHA-512 and Whirlpool are recommended by NESSIE (New European Schemes for Signatures, Integrity and Encryption) as collision-resistant hash functions, while RIPEMD-160 was not selected, largely because its 160-bit output offers only about 80 bits of collision resistance. For TrueCrypt's purpose, deriving a key from a password, collision resistance is not the limiting factor; the strength of your password is.

TrueCrypt allows three basic volume choices: a file container, partition or whole disk.

Installation on Windows is as simple as downloading TrueCrypt, running the installer, accepting the license, choosing the Install radio button, and accepting the default options for the last step. Installers are available for Windows Vista/XP/2000, Mac OS X 10.4 and 10.5, and Linux (openSUSE and Ubuntu packages).

Alternatively, you can use operating system features like BitLocker (Windows Vista/Server 2008) or FileVault (Mac OS X) to create encrypted volumes, partitions and disks, but TrueCrypt offers the benefit of being platform agnostic: a TrueCrypt volume created on one supported OS can be mounted on any of the others.

TrueCrypt allows you to create two types of volumes: file-hosted (container) or partition/device-hosted. A file-hosted volume is simply a normal file that contains an entirely independent virtual disk device and can be maintained on any storage device. More simply, imagine it as a secure area on your hard drive or portable storage device for your sensitive data. Alternatively, you can utilize TrueCrypt to encrypt an entire partition or entire hard disk, or any other type of storage media.

Further, you can create TrueCrypt volumes as Standard or Hidden. A Standard volume is a normal, visible volume; a Hidden volume is nestled within the free space of another TrueCrypt volume. Even if you are obliged (or forced) to reveal the password of the outer volume, the hidden one remains invisible to a third party. The trick here is that free space on any TrueCrypt volume is always filled with random data when the volume is created, so no part of the (dismounted) hidden volume can be distinguished from that random data. Two caveats apply. First, the outer volume does not know the hidden volume exists: if you mount the outer volume and write to it without TrueCrypt's mount option that protects the hidden volume (which requires supplying both passwords), you can overwrite the hidden volume's data. Second, deniability covers only the container itself; recent-document lists, temporary files and other traces the host OS keeps about files you opened from the hidden volume are outside TrueCrypt's control.

Paranoia? Perhaps, but consider a scenario in which you are traveling overseas and your laptop has been identified as "of interest" and confiscated for review. As a cooperative soul, you give up your password to the first TrueCrypt volume. Finding some innocuous decoy data, the reviewing party is satisfied. But unbeknownst to them, you've utilized the Hidden volume option with a different password, and it remains safely hidden.
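The whole scenario rests on one claim: nothing in the container, free space included, can be told apart from random data. The Python script below is added here as an illustration (it is not part of the article and not TrueCrypt's code) of the coarse check a forensic examiner, or you before trusting a container, would run: it walks an image in 4 KiB chunks and flags any chunk whose byte entropy falls well below that of uniformly random data. Both images it scans are constructed inside the script, with a seeded PRNG standing in for TrueCrypt's RNG output; the chunk size and the 7.8 bits/byte threshold are assumptions chosen for this example.

```python
import math
import random
from collections import Counter

CHUNK = 4096        # scan granularity in bytes
THRESHOLD = 7.8     # bits per byte; uniformly random 4 KiB scores about 7.95


def shannon_entropy(data: bytes) -> float:
    """Empirical (plug-in) entropy of a byte string, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_image(image: bytes, chunk: int = CHUNK, threshold: float = THRESHOLD):
    """Return (offset, entropy) for every chunk that does not look random.

    An empty list is what a TrueCrypt container should produce: header, data
    area and free space are all indistinguishable from noise, so the presence
    of a hidden volume cannot be inferred from a scan like this one."""
    findings = []
    for off in range(0, len(image), chunk):
        h = shannon_entropy(image[off:off + chunk])
        if h < threshold:
            findings.append((off, round(h, 3)))
    return findings


def build_sample_images():
    """Constructed sample data for the demonstration; not real containers."""
    rng = random.Random(2008)  # deterministic stand-in for the RNG output

    def rand(n: int) -> bytes:
        return rng.getrandbits(8 * n).to_bytes(n, "little")

    # TrueCrypt-style: every byte random, including the free space that may
    # or may not hold a hidden volume.
    truecrypt_like = rand(8 * CHUNK)
    # Naive container: zero-filled free space and a readable label leak structure,
    # so an examiner can see exactly where the "unused" region begins and ends.
    naive = (rand(3 * CHUNK)
             + b"\x00" * (3 * CHUNK)
             + (b"CONFIDENTIAL FY08 BUDGET\n" * 170)[:CHUNK]
             + rand(CHUNK))
    return truecrypt_like, naive


if __name__ == "__main__":
    good, bad = build_sample_images()
    print("TrueCrypt-like image, suspicious chunks:", scan_image(good))
    print("naive image, suspicious chunks:", scan_image(bad))
```

High entropy on its own proves nothing (compressed archives score just as high), but a low-entropy region is exactly what a deniable container cannot afford, because it tells the examiner where data stops and "free" space begins. Run the same scan over a real container file and it should report no findings at all.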

The TrueCrypt interface is easy to use.

The TrueCrypt interface is simple and intuitive, allowing you to easily implement the encryption method of your choice.

Before beginning, choose a location in your file system where you'd like to store your TrueCrypt volume(s) and create a new empty file.

To create a file-hosted volume, just click the Create Volume button to launch the Volume Wizard in a separate window, select the Create a File Container radio button, and then decide between Standard and Hidden volume.

Next, choose the empty file you created and answer "yes" when asked if you'd like to replace it with your new TrueCrypt volume. You'll then be presented with encryption options. The default options are AES for the encryption algorithm and RIPEMD-160 for the hash algorithm. Since we are paranoid, we prefer three ciphers in cascade, but there are performance impacts as you add complexity. Using the TrueCrypt benchmark feature, you can determine an appropriate compromise between encryption and performance. For example, the performance indicators on our test system ranged from a 64.7 MB/s encrypt/decrypt mean for AES alone, to a 14.5 MB/s mean for AES-Twofish-Serpent, so AES-Twofish gives reasonable balance.

You then choose a hash algorithm; we like SHA-512, which is slightly faster than Whirlpool and more secure than RIPEMD-160.

Next comes volume size. Besides the space you think you'll need, one consideration might be portability. For example, you might choose 1,800 MB for a 2 GB USB drive.

Now, choose a strong password. TrueCrypt will grade you on the password, so step up here (think passphrase). If you choose a password of fewer than 20 characters, you will be scolded for your wimpiness and reminded that it might be easily brute-forced.

We recommend using keyfiles as well. In addition to allowing shared access, as discussed earlier, keyfiles add secret material that is never typed, so a keystroke logger that captures your password still lacks the keyfile, and a brute-force attack on the password alone cannot succeed. This holds only if the keyfile is kept where someone who has your laptop cannot read it (a USB token you carry, for example, not the laptop's own disk); with the keyfile in hand, the attacker is back to guessing your password.

(Note: There is no password recovery mechanism or facility if you lose your password or keyfile.)
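Since the whole point of a keyfile is how it is mixed with the password, it helps to see the scheme. The Python below is an added model of the keyfile processing that TrueCrypt's documentation describes: a 64-byte pool, a running CRC-32 over at most the first 1 MiB of each keyfile whose four bytes are added modulo 256 into successive pool positions, and the finished pool added byte-wise to the zero-padded password before key derivation. It is not TrueCrypt's code, and details such as the exact CRC register handling and the reset of the pool position for each file are assumptions, so do not expect byte-for-byte agreement with a real volume. The sample keyfiles are constructed inline.

```python
import zlib

POOL_SIZE = 64                    # the 64-byte keyfile pool
MAX_KEYFILE_BYTES = 1024 * 1024   # only the first 1 MiB of each keyfile is read


def keyfile_pool(keyfiles, max_read: int = MAX_KEYFILE_BYTES) -> bytes:
    """Fold keyfile contents into a 64-byte pool (model of the documented scheme).

    For every keyfile byte the running CRC-32 is updated and its four bytes are
    added, modulo 256, to successive pool positions, wrapping at 64. Because the
    mixing is plain addition, the order of the keyfiles does not matter.
    Assumption: the pool position restarts at 0 for every file."""
    pool = bytearray(POOL_SIZE)
    for data in keyfiles:
        crc, pos = 0, 0
        for b in data[:max_read]:
            crc = zlib.crc32(bytes([b]), crc)
            # raw CRC register (undo zlib's final inversion); an assumption of the model
            for crc_byte in (crc ^ 0xFFFFFFFF).to_bytes(4, "big"):
                pool[pos] = (pool[pos] + crc_byte) & 0xFF
                pos = (pos + 1) % POOL_SIZE
    return bytes(pool)


def apply_keyfiles(password: bytes, keyfiles) -> bytes:
    """Combine password and keyfile pool into the secret fed to key derivation.

    Without keyfiles the password is used as typed. With keyfiles, the pool is
    added byte-wise (mod 256) to the password padded with zeros to 64 bytes, so
    the result is always 64 bytes and the keyfile contributes to every one of them."""
    if len(password) > POOL_SIZE:
        raise ValueError("TrueCrypt passwords are at most 64 bytes")
    if not keyfiles:
        return password
    pool = keyfile_pool(keyfiles)
    padded = password.ljust(POOL_SIZE, b"\x00")
    return bytes((p + k) & 0xFF for p, k in zip(padded, pool))


if __name__ == "__main__":
    # Constructed sample keyfiles; in practice use TrueCrypt's random keyfile generator.
    kf_a = b"keyfile-one:" + bytes(range(256)) * 4
    kf_b = b"keyfile-two:" + bytes(range(255, -1, -1)) * 4
    secret = apply_keyfiles(b"correct horse battery", [kf_a, kf_b])
    print(len(secret), "bytes:", secret.hex())
    print("order irrelevant:",
          apply_keyfiles(b"x", [kf_a, kf_b]) == apply_keyfiles(b"x", [kf_b, kf_a]))
    print("bytes past the read limit ignored:",
          keyfile_pool([kf_a + b"!" * 10], max_read=len(kf_a)) == keyfile_pool([kf_a]))
```

Three practical consequences follow from the structure. The order in which you present keyfiles is irrelevant, so sharing a volume with colleagues does not require agreeing on a sequence. Only the first 1 MiB of a keyfile counts, so a multi-gigabyte file is no stronger than its first megabyte; a small file generated by TrueCrypt's random number generator is the right choice. And because the pool is simply added to the password, anyone who obtains the keyfile has reduced the problem to guessing the password again, which is why the keyfile must be guarded like a key and backed up like one (the note above applies to it as much as to the password).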

Finally, choose your volume format (FAT, NTFS or none) and cluster size (up to 64 KB). You'll see the Random Pool in this window, representing the random number generator (RNG) used to generate the master encryption key; note the difference in the pool while your system is at rest versus when you move your mouse rapidly. Mouse movement feeds additional entropy into the RNG, so keep moving the mouse while the pool fills before you create the key. Click Format as your final step.

Once your volume is created, return to the primary interface, navigate to your newly created volume and mount it. You'll be prompted for your uber-password and you'll also have the chance to select more advanced mount options, including mounting the volume as removable media. This option is important when you wish to prevent Windows from automatically creating the Recycled and/or System Volume Information folders on the volume (these folders are used by the Recycle Bin and System Restore facilities).

Use the benchmark feature to choose encryption that strikes the right balance of security and performance.

Mounting your volume offers advanced options, including mounting as removable media.

TrueCrypt allows for true portability and, should you choose this option, we recommend a minimum of a 2 GB USB 2.0 storage device. In Traveler Mode, TrueCrypt does not need to be installed on the operating system it is running on.

If, heaven forbid, you choose to use a kiosk or café machine, this may prove quite useful. Let's say you travel with your data to your overseas office but leave your computer behind. Traveler Mode allows you to plug the USB stick you installed it on into a destination PC and run TrueCrypt directly from the USB device; TrueCrypt does not need to be installed on the destination PC. You will, however, need administrator rights on that PC, because TrueCrypt must load its driver, and nothing protects your password or keyfile from whatever is already running on an untrusted machine. The Traveler Mode creation process is also wizard-driven and simple to follow.

Whether you choose to encrypt an entire drive, a disk partition or a file-hosted container, you'll be glad you decided to use TrueCrypt. If you carry private or confidential company data, and/or personally identifiable information, TrueCrypt's robust methodology will protect it, so long as you implement properly and utilize strong password practices.

In Traveler Mode, you can install TrueCrypt on a USB drive and run it on any supported Windows system without installing it there.
