2008/12/02

TrueCrypt Deployment Tips

I already knew about TrueCrypt a couple years ago, but last week I decided to try it for real. So I started by patiently reading the whole online documentation, which fortunately I understood the most, except for the equations, of course, je. So finally, I decided to encrypt four of my hard disk partitions: pictures, videos, music and a partition in a second drive where I keep a current backup of the previous three.

To keep things simple, I assigned a single password for all the partitions. Else I would have to type four different passwords everytime I started Windows just to have those partitions mounted. Still, I had to type that password four times, something tedious, even if I saved them as TrueCrypt favorites and only had to click on "Mount all favorites" to have TrueCrypt prompt for their password and take care of drive letter assignment.

Seeking efficiency, I created a script that pops up a dialog where I can securely type the password just once, which is cloaked by circles as I type, and then, using TrueCrypt command line arguments, it mounts the four partitions using specific drive letters. To make it more user friendly, the script plays a chime through Media Player Classic when it has finished.

But that's not all the script does, I have found that shares created within encrypted partitions are lost once the partition is restarted, since I guess Windows looks for shares on start up, when then those partitions are not available. So those shares need to be set up again once encrypted partitions are mounted, which can be done easily via the command line and added to a script. So just after the script mounts the partitions it recreates the shares I need.

Encrypted partitions, even if not accesible, keep for themself the drive letter they used before they were encrypted, so if your unencrypted partition used drive letter G and you want the decrypted partition to use the same letter, you have to previously assign a different letter to the encrypted partition, something which I recommend to keep some programs happy, like ACDsee database, else it won't be able to locate my images and will have to catalog them again, just because I changed the drive letter.

You'd be tempted to change the location of the image, music and videos folders of your Windows account directly to the partitions where you have those kind of media, but you'll just confuse Windows because if those locations are encrypted, they will be unavailable to Windows when on start up, and no matter if you mount them immediately, Windows will have a hard time making those personal folders accesible again. So I suggest to restore those folders to their default location within your user folder and then place link to decypted locations where appropiate. For example, within my Pictures folder, I've created a link named More to the root of my decryipted pictures partition. Yes, it's one more click away, but it's the only way to keep Windows from loosing track of those locations.

To make this deployment more secure, I used Bat To Exe Converter to easily compile my script into an executable file, so an attacker will not be able to read the code. Then, instead of placing a link to this executable file in the desktop or the start menu, I just copied the file in Windows' directory, so I can call it by typing its name from the start menu. Yes, the name of the file tells nothing about what it does or where it comes from ;-) so don't name your script something like "mount-encrypted-partitons"!

And finally, of course I keep the source code of my script in a password locked archive. Using rar as archive format via Winrar, you can also encrypt the content list of the archive, so no one will be able to see what's inside that archive until they entered the correct password.

The only disadvantage of having partitions encrypted is that they can not be resized in their encrypted state, since partition programs just see encryption data as unformatted space and they require the partition to be formatted before they are able to operate on it. So, the best way to resize an encrypted partition is to move its decrypted content to another encrypted partition or file based encrypted container in a different drive, format the partition to be resized and finally, when it's already resized, copy back its content from the backup and re-encrypt the partition.