TrueCrypt Full Disk Encryption
Notes and Instructions

Why you may want to encrypt your data

If a device containing data is lost or stolen, the data on the device is at risk of exposure. If the confidentiality of the data is subject to laws or regulation, this loss may constitute a breach. Encrypting the data on the device is a great way to mitigate this risk. Many regulations and laws encourage or require encryption.

Encryption does ...

Full Disk Encryption (FDE) will encrypt all the data stored on the computer's internal drive. If the computer were stolen, the data on the drive would be unreadable without the password or encryption keys.

Encryption does not ...

A first step in managing risk is to eliminate unnecessary risk. Just because a laptop is encrypted does not mean any data stored on that computer is safe. Even an encrypted computer is vulnerable to viruses, Trojans and other malware. In general, Full Disk Encryption does not protect the data while the computer is on: once the pre-boot password has been entered and Windows is running, the drive is transparently decrypted for every program on the machine, including any malware, and putting the computer to sleep (standby) leaves the encryption keys in memory. The protection applies to a computer that is powered off or hibernated.

Here are some tips to supplement the encryption:

Testing Status

A few employees in the WFU IS department are currently testing TrueCrypt for Full Disk Encryption (FDE). So far, there are no problems. The only noticeable difference is that the computer takes a little longer to come out of hibernation.

Software Cost

Free.

Support

WFU IS is not currently able to fully support TrueCrypt.

Key Management

What is key management? An encryption key is the secret value used to encrypt and decrypt the data on the drive. Each encrypted laptop should have a unique key. Key management is the method by which these keys are allocated, revoked, and restored. Good key management is a significant factor in the success of an encryption deployment. TrueCrypt does not support a central management system for keys. However, a manual method may be used for key recovery.

TrueCrypt requires you to create a Rescue CD as part of the encryption process. The Rescue CD contains a backup of the encrypted volume header, which together with the password in effect when the CD was created (the initial password) will permit access to the encrypted computer. It is recommended that this Rescue CD and the initial password be stored together in a safe place. This CD and password will be the only method to access the data if an employee forgets the password or should a more serious situation arise such as termination or death.

It is the responsibility of the department to safely store the CD and password. After the computer is encrypted, the user may change the password.

Dual Boot

TrueCrypt FDE uses a bootloader written to the Master Boot Record of the disk. This can conflict with other bootloaders. Special measures are needed to support dual boot systems. Please contact IS for special instructions.

Instructions

Throughout this section, you will see screenshot icons next to the steps. Click an icon to see a screenshot for additional information. Click the larger image to close it.

Before encrypting your drive with TrueCrypt,

Do not continue if you have any disk errors! Also, you will need a blank CD and a permanent marker.

If you have a dual boot system, please contact IS for special instructions.

  1. Download and install TrueCrypt from www.TrueCrypt.org.

  2. Execute the TrueCrypt program. You should see the following application window.

  3. Select "System" from top menu bar. Then select the option "Encrypt System Partition/Drive".

  4. Select "Normal" for the type of system encryption and press "Next>"

  5. In the Area to Encrypt window, select "Encrypt the whole drive" and press "Next>"

  6. The WFU standard laptop does not use a Host Protected Area. However, select "Yes" for this option and press "Next>"

  7. The Detect Hidden Sectors feature may lock up your computer. A standard WFU laptop does not have any hidden sectors. Therefore, you should skip this test.
    This screenshot shows the message received when you run TrueCrypt after a crash due to the detection of hidden sectors.

  8. The standard WFU computer is a single boot system. You should select "Single-boot" unless you installed additional operating systems on your computer.

  9. Select the type of encryption you wish to use. AES is probably the fastest. You can select the Benchmark button to see a speed comparison.

  10. You will use this password to boot up your computer. After encrypting the drive, you may change this password. To permit key recovery, you should write this password on the Rescue CD (created later) and store the CD in a safe. The "Next >" button stays disabled until both password entries match; if it is not enabled, retype your new password in both fields. (We do not recommend using keyfiles.)

  11. TrueCrypt uses random events from the computer to generate a good encryption key. One way that TrueCrypt collects random events is by watching your mouse movements. On this screen, move the mouse around for a few seconds to ensure a good random key, then select "Next >". The next screen verifies the keys were successfully created. Select "Next >".

  12. You must create a Rescue CD. TrueCrypt will create a disc image that you will burn to a CD. The TrueCrypt Rescue Disk image will be created in the location specified on this screen. In this example, the image is stored in C:\Userdata\TrueCrypt Rescue Disk.iso. Select the desired location and press "Next >".

  13. You should now see this screen. This rescue image must be written to the CD as a disc image (using your burning software's "burn image" or "write ISO" option), not copied onto the CD as an ordinary data file; a CD that merely contains the .iso file will not boot.

  14. Insert the CD back into the computer. You should now be able to select "Next >" to advance to the verification screen, where TrueCrypt reads the CD and confirms it matches the image. Eject the CD after the verification screen.

  15. Select "Wipe mode: None (fastest)" and select "Next >".

  16. TrueCrypt will install a bootloader into the Master Boot Record of the system drive. When the computer restarts, this bootloader will execute and prompt the user for the password before Windows starts. Once the password is accepted, the TrueCrypt bootloader boots the Windows operating system.

    This next step is a test of this bootloader. Select "Test" to reboot your computer. Be sure the Rescue CD is no longer in the drive. You may print the notes that follow.

  17. TrueCrypt is now ready to encrypt the C: drive. This will take about three hours to complete. Press "Encrypt" to begin.

  18. This screen will show the progress as the drive is encrypted. You may print the notes that follow.
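The Key Management section above leaves the department responsible for the Rescue CD, and steps 12 through 14 rely on the burned disc really matching the image TrueCrypt wrote. The following is an added example, not part of these instructions or of TrueCrypt itself, of the manual record-keeping a department could do once the CD is burned: it confirms the disc's contents are identical to the .iso and appends an inventory entry (asset tag, user, hash of the image, date) to a file kept with the safe. The file paths, the asset-tag format and the inventory file name are assumptions for illustration. A raw read of an optical drive (for example \\.\D: on Windows or /dev/sr0 on Linux) can return padding sectors past the end of the image, so only the first len(iso) bytes of the disc are hashed. The password itself is deliberately not stored in this record; it belongs written on the CD, as step 10 directs.

```python
"""Added example: verify a burned TrueCrypt Rescue Disk against its ISO and
log an escrow inventory record.  Not WFU's or TrueCrypt's own code; paths
and the record format are illustrative assumptions."""
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read files in 1 MiB pieces


def sha256_prefix(path, length=None):
    """SHA-256 of the first `length` bytes of `path` (the whole file if None)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            want = CHUNK if remaining is None else min(CHUNK, remaining)
            buf = f.read(want)
            if not buf:  # end of file or device
                break
            h.update(buf)
            if remaining is not None:
                remaining -= len(buf)
    return h.hexdigest()


def verify_rescue_disc(iso_path, disc_path):
    """True if the disc begins with exactly the bytes of the ISO image.

    Only the ISO's length is read from the disc, because a raw device read
    may return trailing padding that is not part of the image."""
    size = os.path.getsize(iso_path)
    return sha256_prefix(iso_path) == sha256_prefix(disc_path, size)


def escrow_record(asset_tag, user, iso_path, disc_path, inventory_path):
    """Verify the burned disc, then append one JSON line to the inventory.

    Raises if the disc does not match, so a bad burn never gets logged as a
    valid recovery medium.  Returns the record that was written."""
    if not verify_rescue_disc(iso_path, disc_path):
        raise RuntimeError(
            "burned Rescue CD does not match the ISO; burn it again as a disc image")
    record = {
        "asset_tag": asset_tag,          # hypothetical tag format, e.g. "WFU-12345"
        "user": user,
        "rescue_iso_sha256": sha256_prefix(iso_path),
        "iso_bytes": os.path.getsize(iso_path),
        "created_utc": datetime.now(timezone.utc).isoformat(),
        # The initial password is NOT recorded here; it is written on the CD.
    }
    with open(inventory_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record


if __name__ == "__main__":
    # Illustrative invocation; replace the device path for your platform.
    rec = escrow_record("WFU-12345", "jdoe",
                        r"C:\Userdata\TrueCrypt Rescue Disk.iso",
                        r"\\.\D:", "rescue_inventory.jsonl")
    print(rec)
```

Run it once per laptop after step 14 with the Rescue CD still in the drive; the inventory line plus the physical CD (with the password written on it) is the department's recovery record. If the script raises, the CD was most likely burned as a data file rather than as an image (see step 13).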