A simple way to encrypt data on Linux, OS X and Windows desktops and servers
Everyone has sensitive data on their desktops and servers, be it tax records, paychecks, social security data, credit card information, etc. This information is your lifeblood, and if it fell into the wrong hands your life could be turned upside down. In this day of portable laptops this problem has been amplified. One wrong move on your part and a thief could walk off with your laptop and your precious data. So what does this leave you to do?
There are several pays to protect data on your Linux, Windows and OS X hosts. You can encrypt data by hand with the openssl and gnupg utilities, or you can use an encrypted file system (bitlocker, file vault, fuse encryption plug-ins, etc.) that allows you to transparently encrypt data as it's read or written to a file or device. Of the various solutions I've used, I find the opensource Truecrypt package to be the most versatile of the bunch.
Truecrypt provides a command line and graphical interface that can be used to easily set up an encrypted device to store your data. The software can be downloaded as a package for Windows, Linux or OS X, or you can download the source code and build the software yourself. Once the software is installed you can start the Truecrypt utility from your application menu or by running the Truecrypt executable from a command prompt. This will pop up the Truecrypt main screen as shown here:
To create an encrypted volume, you will need to pick a slot and click "Create Volume". This will pop up a screen similar to the following:
From this screen you can tell Truecrypt to encrypt a partition/drive or a file. When you specify "Create a volume within a partition/drive", Truecrypt will encrypt the entire device. When you select "Create an encrytped fiel container", Truecrypt will create a new file and use that to store all of your encrypted data. In both cases Truecrypt provides transparent access to the contents of devices or files, so the decision to use one over the other really depends on how you want to access your data.
Once you decide between a device or file, you will then be asked if you want to create a standard or hidden volume. A standard volume will allow you to mount the volume and access all of the storage inside of it, while a hidden volume will allow you to mount a volume with a limited set of data and then optionally mount a second volume that is hidden inside that volume. This option provides an additional level of security, since someone who breaks into the main Truecrypt volume won't know anything about the hidden volume.
If you choose to use a file, you will then be asked to pick a location to store the file. I typically place my Trucrypt files on RAID-protected storage to avoid losing my data in the case of a disk failure. The following screen shows the file selection window:
Once you pick a file or device and click next, the Truecrypt interface will ask you to select the encryption algorithms you would like to use to encrypt your data. I'm always a fan of using strong encryption algorithms that were developed in the public domain, so I usually use AES and RIPEMD-160. Here is the selection screen:
Next you will need to tell Truecrypt how much space you want to dedicate to your encrypted device. Truecrypt will then pre-allocate a file of this size, and initialize it's contents. Here is the space allocation screen:
To protect your Truecrypt volume, a password or keyfile needs to be specified. If you use a password you should use a cryptographically strong one, and ensure that it is a large passphrase that uses a good mix of characters, alphanumeric and metacharacters.
Truecrypt will also ask you if you want to store files larger than 4GB inside your encrypted volume. If you think you will ever need to do this, you should choose the 4GB option now.
Here is the passphrase selection screen:
Since Truecrypt will mount the device or file as a usable file system, you will need to choose the type of file system you want to use. For Linux hosts you can create an EXT3 or EXT4 file system, for OS X you can create a Mac OS journaled file system and for Windows hosts you can choose FAT. Here is the selection screen:
If you need to take the Truecrypt volume and mount it on other platforms (Windows, Linux, BSD, etc.), you see need to select the mount on other platforms option on the next screen. If not you can use the only mount the volume on OS X or Linux. Here are the screenshots from these screens:
On the final screen, you will need to move your mouse to generate entropy (random data) that can be used to generate strong encryption keys. Once you have wiggled your mouse randomly for a minute or two, you can click the "Format" box to initialize your Truecrypt device. Formatting will take quite some time depending on the size of your Truecrypt volume, and you can monitor progress through the formatting screen:
Once Truecrypt finishes initializing your device, you can return to the main screen and mount the device. To mount the volume from the main screen, you will need to select a slot, the file you specified during the set up process and the password or key you associated with this device. If the heavens align and you input all of this data correctly, the Truecrypt volume should be mounted and you can start writing data to it. The following screen shows how I typically access Truecrypt devices on my Linux desktop:
And through the good old CLI:
You can access your devices in OS X through finder and Windows explorer, or via a command prompt. You gotta love choices!
Truecrypt is truly a remarkable piece of software, and it truly makes securing your data a trivial process. There are a slew of options to control how Truecrypt works (e.g., should the device be unmounted after periods of inactivity, is it ok to cache passwords, etc.), and I'll cover those in a follow up blog post. If you aren't using Truecrypt you are truly missing out! If you have questions or comments on the article, please feel free to E-mail the author.
- Applied cryptography
- Real world uses for openssl
- Reversing: Secrets of Reverse Engineering
- Security Engineering: A Guide to Building Dependable Distributed Systems
- The Shell Coder's Handbook
- The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws