Encrypting your entire computer
Take-away point: All computers should be encrypted so that they need a password to boot up.
From part 6 of this series, you saw some examples of how messy operating systems are at leaving activity traces everywhere. The simplest solution is to encrypt the entire hard drive of your computer with military-grade encryption so that you need a pass phrase to start it. If it is stolen or confiscated, absolutely nothing will be recoverable.
This example uses a DELL XPS laptop running Windows Vista.
Start by running your copy of TrueCrypt that you downloaded and verified in part 4 of this series, press the Create Volume button and select “Encrypt system partition or entire system drive”. You should see the following:
Next select “Normal”. Hidden partitions are great but we want to keep things simple at this point.
Choose “encrypt the whole hard drive”
Select “no” to be safe.
Select “single boot”. If you already have multiple operating systems running on your laptop, it is highly unlikely you need this tutorial!
Select the default value, AES. The general consensus seems to be that AES is good and reasonably fast. However, it is always a good idea to do a search on terms like “TrueCrypt best algorithm” to see if there is anything new on this issue.
Choose a pass phrase. A long sentence with a few numbers and symbols thrown in is best. Use a unique password — not something that is the same as your Twitter account. Many systems are hacked this way. For example, on some web sites you can select “forgot my password” and the site will mail you your password! Assume the passwords you use on many web sites are actually stored unencrypted and that people with power can simply ask for them and get them, no questions asked. Once they get a password of yours, they will try it out on every other account or encrypted file you own just to see if you reused it.
Move your mouse around for half a minute to generate random data.
Save the rescue image somewhere where you can burn a CD. You will need to burn this CD and let TrueCrypt verify it before you can continue.
On this laptop, there was something installed that wanted to install a disk burning program. I decided to try it out and it worked fine. Normally I would let Windows burn the ISO image directly or use a third-party product like Nero to burn the CD.
If you remove the disk after burning or burn it elsewhere, you will get this message. TrueCrypt wants to verify the rescue disk, so put it in the computer that you are encrypting.
I didn’t bother with the wipe. If you have previously had sensitive data on your drive and expect powerful enemies then use the wipe. Encryption takes about 4 hours on the DELL laptop and the 3-pass algorithm will make that take more like 16 hours to complete.
Once you have rebooted and the pre-test was successful, encryption will begin. The first screen is very slow to appear, so don’t lose patience and reboot. Once the system is encrypting, you will see the following screen. You can use the computer in the meantime, but I chose to just let it run. It may also be wise to disconnect it from the internet in case a Windows Update wants to run automatically and reboot your computer automatically afterwards.
This process is well automated — the TrueCrypt wizard is very well done. While there are many really clever options like decoy operating systems and hidden volumes, most of the benefit will be gained by using the simple option of encrypting the entire volume. It has very little effect on the speed of the computer and guarantees that if someone takes your computer it will be useless without the encryption pass phrase. There is no way your adversary is going to crack a strong password. Far more likely they would resort to extortion, installing spy cameras in your house to watch you type, installing a hardware keystroke logger in parallel with your keyboard, or using a method called a “cold boot attack”.
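To put a number on the pass phrase advice above (a long sentence with a few digits and symbols beats a short reused password) and on the claim that a strong pass phrase will not be cracked, here is an added example, not part of the original post or of TrueCrypt: a rough estimate of pass phrase strength and of how long exhausting that keyspace would take. The attacker model (one billion guesses per second) and the 8000-word dictionary are constructed assumptions for illustration.

```python
import math
import string

# Constructed attacker model for this example: a well-resourced adversary
# guessing pre-boot pass phrases at one billion tries per second.
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def charclass_bits(passphrase: str) -> float:
    """Optimistic estimate: every character drawn uniformly from the union
    of the character classes actually present. Overstates the strength of
    natural-language sentences, so treat it as an upper bound."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def wordlist_bits(passphrase: str, dictionary_size: int = 8000) -> float:
    """Conservative estimate for a sentence-style pass phrase: assume the
    attacker knows it is built from `dictionary_size` common words (an
    assumed figure) and guesses word by word; each digit or symbol mixed
    in adds roughly one choice out of the digits plus punctuation."""
    words = [w for w in passphrase.split()
             if w.strip(string.punctuation).isalpha()]
    extras = sum(1 for ch in passphrase
                 if ch.isdigit() or ch in string.punctuation)
    per_extra = math.log2(len(string.digits) + len(string.punctuation))
    return len(words) * math.log2(dictionary_size) + extras * per_extra


def years_to_exhaust(bits: float,
                     guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a keyspace of 2**bits."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(passphrase: str) -> dict:
    """Lower and upper strength estimates plus the years each implies."""
    lo, hi = wordlist_bits(passphrase), charclass_bits(passphrase)
    return {"wordlist_bits": lo, "charclass_bits": hi,
            "years_lower": years_to_exhaust(lo), "years_upper": years_to_exhaust(hi)}


if __name__ == "__main__":
    # Constructed sample inputs: a reused short password and a sentence.
    for candidate in ("letmein1", "My dog chased 3 squirrels up the oak tree in 2009!"):
        print(candidate, compare(candidate))
```

Even the conservative word-based figure for the sentence is well over 128 bits, which is why the post can say the adversary will go after the person, not the cipher.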
Another point to consider — don’t travel internationally with laptops. You can always encrypt the files you need into a file container and upload it somewhere for later download. A good way to do this is to create a Gmail message, attach your file, and leave it as a draft.