Fortunately, on-the-fly data encryption is no longer some exotic, costly beast. Rather than just encrypting single files, some applications are able to create virtual disks, either within a file or directly on a partition, where everything written to the disk is automatically encrypted. On modern hardware, the overhead for encryption is minimal; you no longer need dedicated hardware to make this happen.
In this review I've looked at several programs for creating and managing encrypted volumes, from Windows Vista's own BitLocker encryption to PGP's full-blown desktop suite for encrypting e-mail and instant messaging. You can even get remarkably strong, well-implemented whole-disk encryption without having to pay for it -- although in a corporate setting, features like manageability or support are well worth paying for.
TrueCrypt makes an incredibly strong case for being the first whole-disk or virtual-volume encryption solution to try out. Aside from being free and open source (two big pluses), it's full of smartly written usability and data-protection features and is an effective way to encrypt a whole system, including the OS partition.
TrueCrypt lets you use your choice of AES, Serpent, and Twofish algorithms, either singly or in various combinations ("cascades"), along with the Whirlpool, SHA-512, and RIPEMD-160 hash algorithms. The actual encryption can work in one of three basic ways: it can mount a file as a virtual encrypted volume; it can turn an entire disk partition or physical drive into an encrypted volume; and it can encrypt a live Windows operating system volume, albeit with some limitations.
Encrypted volumes can be protected with a password and optionally a keyfile for additional security -- for instance, a file on a removable USB drive, which lets you create a form of two-factor authentication. If you create a standalone virtual volume, you can use a file of any size or naming convention. The file is created by TrueCrypt itself and then formatted to ensure that it appears to be nothing more than random data.
TrueCrypt is designed so that no encrypted volume or disk can be casually identified as such. There is no obvious volume header, required file extension, or other distinguishing mark. The one exception is encrypted boot volumes, which carry the TrueCrypt boot loader -- although a future version of the product could conceal the entire volume and use an external boot loader from a USB thumb drive or CD. On that note, it's also possible to create a self-encrypted USB drive that runs in "traveler mode" -- it contains a copy of the TrueCrypt executable and can be mounted and run on any Windows machine where the user has admin privileges.
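The claim above, that a properly formatted container has no header and is indistinguishable from random bytes, is exactly what a forensic triage script tests for. The following is an added example, not TrueCrypt's own code: it runs the two checks an examiner would apply (known file-signature lookup and Shannon entropy / chi-square against a uniform byte distribution) over two constructed inputs, a seeded pseudo-random blob standing in for a container and a plaintext PDF-like file.

```python
import math
import random
from collections import Counter

# A few well-known file signatures; a real triage tool would use a fuller table.
MAGIC_PREFIXES = {b"PK\x03\x04": "zip", b"\x7fELF": "elf", b"MZ": "pe",
                  b"%PDF": "pdf", b"\x89PNG": "png", b"\x1f\x8b": "gzip"}

# Constructed samples (not from the article). A seeded PRNG is used so the
# run is reproducible; a real container would be indistinguishable from it.
SIMULATED_CONTAINER = random.Random(0).randbytes(64 * 1024)
PLAINTEXT_FILE = b"%PDF-1.4\n" + b"quarterly report draft " * 3000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; uniform bytes approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic versus a uniform byte distribution (255 degrees
    of freedom). Uniform data lands near 255; structured data is far higher."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def known_header(data: bytes):
    """Return the format name if the blob starts with a known signature."""
    for magic, name in MAGIC_PREFIXES.items():
        if data.startswith(magic):
            return name
    return None


def triage(data: bytes, entropy_threshold: float = 7.9) -> dict:
    """Flag a blob as an opaque random container only when it has no
    recognisable header AND near-maximal entropy. Compressed archives also
    score high on entropy, which is why the header check comes first."""
    header = known_header(data)
    entropy = shannon_entropy(data)
    return {"header": header, "entropy": round(entropy, 3),
            "chi_square": round(chi_square(data), 1),
            "looks_random": header is None and entropy >= entropy_threshold}


if __name__ == "__main__":
    print("container :", triage(SIMULATED_CONTAINER))
    print("plaintext :", triage(PLAINTEXT_FILE))
```

A high-entropy, headerless file is only a lead, not proof: it is equally consistent with a random-filled disk image or an encrypted backup, which is the point of the design.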
TrueCrypt also includes what it bills as "plausible deniability" features, the most significant being the ability to hide volumes inside each other. The hidden volume has its own password, and there's no way to determine whether a given TrueCrypt volume contains a hidden volume. If you write too much data to the outer volume, however, there's a chance you will overwrite the hidden one -- but, as a protection measure, TrueCrypt optionally lets you protect the hidden volume against writes when mounting the outer volume.
If you're using system-disk encryption, the actual encryption process takes a while, but it can be suspended and resumed on demand (you may want to do it overnight with the PC in a locked room), and the program insists on creating a rescue CD that can be used to boot the computer in the event of a disaster. (One disadvantage: you can't encrypt a Windows system that's dual-booted from a non-Windows bootloader.)