The InformationWeek -- Blogs

Open Source Blog

Hands-On With TrueCrypt 5: Open Source System-Wide Encryption


Posted by Serdar Yegulalp, Feb 13, 2008 12:43 PM

Scarcely a week goes by these days without word of the theft of a computer with sensitive personal information on it.  It's gotten that much easier to protect such data with whole-drive encryption, but those kinds of solutions have typically been proprietary, like Windows Vista's BitLocker (which isn't available in all versions of Vista, either).  Now comes version 5 of the free and open source encryption system TrueCrypt, which features -- you guessed it -- whole-drive encryption.   My associate George Hulme touched on TrueCrypt before, but I decided to try encrypting my Windows notebook with it and see how it held up.


TrueCrypt itself has been around for some time now, and runs on all major OSes (Win/Lin/Mac).  Instead of encrypting individual files, it lets you create a virtual volume -- either stored in a file or directly on a disk partition -- which is encrypted on the fly as you read from and write to it.  The biggest new feature in TrueCrypt 5 is the ability to encrypt a system's boot volume -- exactly the same feature as Windows Vista's BitLocker, but without the premium cost involved.  And in this case, it doesn't even require Vista.  Windows XP, Windows 2003 Server, and Vista are all supported.

The encryption process for a drive can be done in the background while you work, and even suspended and resumed across multiple user sessions.  This is the slow and boring part; you'll probably want to set this up to run overnight.  You can do work with the system while it's being encrypted, but at a performance penalty.

Another thing I like about TrueCrypt is that there's been some thought lent to disaster recovery.  Any time you encrypt a whole boot volume, you'll also be required (not "allowed," required) to build a rescue disc that can be used to boot or repair the system safely in the event the volume header gets damaged.

When encryption concludes and you reboot the system, you're presented with TrueCrypt's boot loader program, which requires that you supply a volume password before the OS itself can be booted.  (Side note: I confess that I haven't done any direct investigation into how secure this part of the program is, since it seems like one of the first and most likely vectors for attack.)  The boot loader can be multi-OS aware, so if you boot Windows plus something else on the same system you won't be left out in the cold.

If it weren't for the icon in the system tray, I'd scarcely be able to tell a TrueCrypt-encrypted system from an unencrypted one based on performance.  Barring a somewhat slower boot-up, most everything runs with no perceptible performance loss, although I'd hazard a guess you'd see different results depending on the hardware and the encryption standard used.  (I chose AES with a 256-bit key, the fastest-benchmarked algorithm available through TrueCrypt.)

One major drawback for notebook users: Hibernation is not yet supported.  If you attempt to put the system into hibernation mode, it will force a shutdown instead.  Best to disable hibernation entirely on encrypted notebooks until they get this particular feature ironed out.
