by Glenn Hefley
Some of us have jobs that we want to work at home on, or travel with our project
files on our laptops, but have grave security concerns. In fact, several times
this year I've seen news reports of a company or government agency employee
taking some work home and finding that his laptop or computer was stolen,
along with what turned out to be rather sensitive data (at least sensitive to
the agency or company it concerned).
One use for a small encrypted area is a place to keep all of your passwords
and login names for bank and website subscriptions.
There are lots of reasons to want secure areas on our computers. I have several
reasons. None of them are very interesting. I just want to know that if my laptop
finds its way into someone else's hands, that data will not be available to
them, no matter who they are. However, no matter what your reasons are for wanting
some privacy, there are some great tools out there which provide exactly that,
and the privacy they provide is drive space protected by some serious encryption.
Generally speaking there are two types of encrypted areas provided by encryption
software. There are file types, and drive types.
A file type is simply a file name on your computer. The file can be anywhere
you would like it to be, and named anything you want to name it. For example,
you could put a file called 'kids_soccer_show.ppt' inside your My Documents
folder. These files are actually encrypted drive areas, which can be mounted
by your computer system as drive spaces. Once mounted, they act like any other
drive. Unmounted, they are just another file name taking up space on your hard
drive.
If you use the file type, I've found that it is more effective to use PowerPoint
extensions or some other large image file extension, so as not
to attract attention to the file, and to keep them under 5 gigs in size.
The drive types are usually external drives, or USB stick drives, which are
formatted and created as secure drive spaces. You can use an internal drive,
and you can even partition your hard drive using something like Partition Magic,
and create that partition as a secure drive area.
The best software I've come across for the creation of these encrypted drive
spaces, of both types, with the best encryption available to the public is called
TrueCrypt, and it also has the advantage of being OpenSource and free for private
use. http://www.truecrypt.org/
TrueCrypt is very stable and encrypts and decrypts files as you use them, bringing
files up in RAM only, and not using the cache files Windows normally tries to
use. This brings up one of the first requirements for using encrypted data,
and that is a lot of RAM. You are going to want at the very least 1 GB of RAM
if you are going to be using encrypted drives.
Using encryption also will slow the opening and saving of files, so keep that
in mind, and let the file saves complete before shutting down.
TrueCrypt can also create Hidden Encrypted Drives, which are encrypted drives
residing in a disk space that can not be seen, at all. Until they are mounted,
these drive areas simply do not exist. This is a very cool feature, and if you
are really serious about no one being able to find particular files, this is
a very real solution for you.
So, what kind of encryption are we talking about here?
AES
In June 2003, after the NSA (US National Security Agency) had conducted a review
and analysis of AES, the U.S. CNSS (Committee on National Security Systems)
announced that the design and strength of AES-256 (and AES-192) are sufficient
to protect classified information up to the Top Secret level. This is applicable
to all U.S. Government Departments or Agencies that are considering the acquisition
or use of products incorporating the Advanced Encryption Standard (AES) to satisfy
Information Assurance requirements associated with the protection of national
security systems and/or national security information.
Blowfish
Designed by Bruce Schneier in 1993. Blowfish is unpatented, license-free, and
available free for all uses. TrueCrypt uses Blowfish with 16 rounds and a 448-bit
key. Mode of operation is LRW (see the section Modes of Operation).
CAST5
CAST5, alias CAST-128, was designed by Carlisle Adams and Stafford Tavares,
and published in 1997. It uses a 128-bit key, 64-bit block, and operates in
LRW mode. This encryption algorithm is described in U.S. patent number 5,511,123.
However, CAST5 is royalty-free both for commercial and non-commercial uses [6].
It is also one of the encryption algorithms that are officially used by the
Canadian government to cryptographically protect sensitive (unclassified) information.
Serpent
Designed by Ross Anderson, Eli Biham, and Lars Knudsen; published in 1998.
It uses a 256-bit key, 128-bit block, and operates in LRW mode. Serpent was
one of the AES finalists. It was not selected as the proposed AES algorithm
even though it appeared to have a higher security margin than the winning Rijndael.
More concretely, Serpent appeared to have a high security margin, while Rijndael
appeared to have only an adequate security margin. Rijndael has also received
some criticism suggesting that its mathematical structure might lead to attacks
in the future.
These three types of encryption are very strong, and will stand up to some
very tough cracking attempts. If you use strong keys and long pass phrases,
then the likelihood of anyone (and I do mean... anyone) getting usable data
off these drives is very slim.
I use AES, first of all because it is considered very safe, and it is also
the default. I use it in 128-bit mode for speed reasons (governments and serious
crackers aren't interested in my information; it's just for personal privacy
on my computers). I also use long pass phrases.
Pass phrases are different from passwords. In TrueCrypt you can use a pass
phrase of up to 64 characters long. The easiest way to use these long passwords
is to use a phrase you can remember easily and type quickly instead. Examples
of good pass phrases might be:
th3 b3ll tolls for you
1 can not f1nd the end of the hall
d0wn the rabbit h0le went Alice
You will notice that there are spaces between the words; this is okay with
TrueCrypt. You will also notice that I've substituted some numbers for letters
in these phrases. This practice makes the phrase even harder to crack using
brute force methods. Indeed, any of these three would take decades to crack
using brute force, and by that time I won't care much that you did the deed.
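To put numbers behind the "decades" claim, here is a small strength estimator, added as an example and not part of the article: it works out the alphabet an exhaustive search would have to cover for each of the three pass phrases above (plus a constructed short password for contrast), the resulting search space in bits, and the years needed to exhaust it at an assumed rate of one billion guesses per second. That rate is a constructed, deliberately generous figure; the 64-character limit is the one stated in the article.

```python
import math

# Constructed sample inputs: the article's three pass phrases plus a short
# password for comparison. None of these protect a real volume.
SAMPLE_PASSPHRASES = [
    "th3 b3ll tolls for you",
    "1 can not f1nd the end of the hall",
    "d0wn the rabbit h0le went Alice",
    "Secret1!",
]

TRUECRYPT_MAX_PASSPHRASE = 64  # character limit quoted in the article

# Character classes. Once a single character of a class appears, a blind
# brute-force search must include the whole class in its alphabet.
CHARACTER_CLASSES = (
    ("lowercase", 26, str.islower),
    ("uppercase", 26, str.isupper),
    ("digits", 10, str.isdigit),
    ("space", 1, str.isspace),
    ("symbols", 32, lambda ch: not ch.isalnum() and not ch.isspace()),
)


def alphabet_size(passphrase):
    """Size of the smallest class-based alphabet that covers the passphrase."""
    return sum(count for _name, count, pred in CHARACTER_CLASSES
               if any(pred(ch) for ch in passphrase))


def brute_force_bits(passphrase):
    """Bits of work for an exhaustive search over length x alphabet."""
    if not passphrase:
        return 0.0
    return len(passphrase) * math.log2(alphabet_size(passphrase))


def years_to_exhaust(bits, guesses_per_second=1e9):
    """Years to try every candidate at the assumed guess rate."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def check_passphrase(passphrase):
    """Summarise length, alphabet, search-space bits and exhaustion time."""
    if len(passphrase) > TRUECRYPT_MAX_PASSPHRASE:
        raise ValueError("longer than TrueCrypt's 64-character limit")
    bits = brute_force_bits(passphrase)
    return {
        "length": len(passphrase),
        "alphabet": alphabet_size(passphrase),
        "bits": bits,
        "years": years_to_exhaust(bits),
    }


if __name__ == "__main__":
    for phrase in SAMPLE_PASSPHRASES:
        r = check_passphrase(phrase)
        print(f"{phrase!r:38} len={r['length']:2} alphabet={r['alphabet']:2} "
              f"bits={r['bits']:6.1f} years={r['years']:.1e}")
```

The figure this produces is an upper bound: it assumes the guesser knows nothing about the phrase, so a search that understands word lists and common letter-to-digit substitutions will do better than the blind estimate. What the comparison does show is that length carries the margin; the eight-character password falls in well under a year at the assumed rate, while each of the article's phrases is out of reach by a factor of many orders of magnitude.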
Some tips you might find useful:
Move My Documents to the encrypted drive
In Windows 2000 and XP you can move the location of the special “My Documents”
folder to another drive. Just right-click on the folder and select “Move”.
All the files will be moved. Move the laptop user’s “My Documents”
to the encrypted drive to make it the default location for saving files. If
the drive is not mounted, the user will get an error, reminding them to mount
the drive.
Create a “mount” icon
Mounting an encrypted drive with the TrueCrypt dialog boxes takes too long.
Help the user by creating a Windows Shortcut icon with the “Target”
property like this:
"C:\Program Files\TrueCrypt\TrueCrypt.exe" /q /auto /m rm /letter f /v "C:\files\private.tc"
The above instructs the TrueCrypt executable to mount the volume “C:\files\private.tc”
as drive letter F:. Create the above as a shortcut and put it in the “Quick
Launch” toolbar next to the Windows “Start” button. When the
user clicks it, they are prompted for their passphrase and the encrypted drive
is mounted for them.
You can also copy the shortcut to the “Startup” folder so the user
is prompted to mount the encrypted drive each time they log in.
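The same mount action, wrapped in a short Python script so that the volume file and the drive letter are checked before TrueCrypt is called and the mount is confirmed afterwards, with a matching dismount for use before shutdown. This is an added example, not code from the article or from the TrueCrypt project. The executable path, volume path and drive letter are the article's example values and are assumptions for your machine; the /d (dismount) switch is TrueCrypt's documented command-line option and does not appear in the article.

```python
import os
import subprocess

# Assumed values, taken from the article's example shortcut; adjust as needed.
TRUECRYPT_EXE = r"C:\Program Files\TrueCrypt\TrueCrypt.exe"
VOLUME_PATH = r"C:\files\private.tc"
DRIVE_LETTER = "f"


def build_mount_command(exe=TRUECRYPT_EXE, volume=VOLUME_PATH, letter=DRIVE_LETTER):
    """Argument list equivalent to the shortcut's Target line:
    /q quit after mounting, /auto mount without the dialog, /m rm mount as a
    removable medium, /letter the drive letter, /v the volume file.
    TrueCrypt prompts for the passphrase itself, so it never sits in the
    shortcut or in a script."""
    return [exe, "/q", "/auto", "/m", "rm", "/letter", letter, "/v", volume]


def build_dismount_command(exe=TRUECRYPT_EXE, letter=DRIVE_LETTER):
    """/d <letter> dismounts one volume (TrueCrypt switch not shown in the
    article). No /f (force) is passed on purpose: if files are still open,
    the dismount fails rather than discarding unsaved writes."""
    return [exe, "/d", letter, "/q"]


def is_mounted(letter=DRIVE_LETTER):
    """True when the drive letter currently exists (e.g. F:\\)."""
    return os.path.exists(f"{letter.upper()}:\\")


def preflight(volume=VOLUME_PATH, letter=DRIVE_LETTER):
    """Return a list of reasons the mount cannot proceed (empty when it can)."""
    problems = []
    if not os.path.isfile(volume):
        problems.append(f"volume file not found: {volume}")
    if is_mounted(letter):
        problems.append(f"drive letter {letter.upper()}: is already in use")
    return problems


def mount_volume(exe=TRUECRYPT_EXE, volume=VOLUME_PATH, letter=DRIVE_LETTER):
    """Run the mount and report whether the drive letter appeared."""
    problems = preflight(volume, letter)
    if problems:
        raise RuntimeError("; ".join(problems))
    subprocess.run(build_mount_command(exe, volume, letter), check=True)
    return is_mounted(letter)


def dismount_volume(exe=TRUECRYPT_EXE, letter=DRIVE_LETTER):
    """Dismount cleanly; returns True when the letter is gone afterwards."""
    if not is_mounted(letter):
        return True
    subprocess.run(build_dismount_command(exe, letter), check=True)
    return not is_mounted(letter)


if __name__ == "__main__":
    if mount_volume():
        print(f"{DRIVE_LETTER.upper()}: mounted")
    else:
        print("mount did not complete; check the TrueCrypt dialog")
```

Running the mount function from a Startup-folder shortcut gives the same prompt-at-login behaviour the article describes, and the dismount function is the step to put before a shutdown: because it does not force, it refuses while a save is still in progress, which is exactly the situation the article warns about.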
Set Automount in TrueCrypt
The TrueCrypt FAQ page also covers this option:
Q: Can I configure TrueCrypt to start, prompt me for password(s), and mount my volume(s) automatically whenever Windows starts?
A: Yes. To do so, follow these steps:
1. Mount the volume(s) and then select 'Volumes' -> 'Save Currently Mounted Volumes as Favorite'.
2. Select 'Settings' -> 'Preferences'. In the 'Preferences' window, in the section 'Actions to perform upon log on to Windows', enable the following options:
   o 'Start TrueCrypt'
   o 'Mount favorite volumes'
3. In the 'Preferences' window, click 'OK'.
Alternatively, if the volume(s) is/are partition/device-hosted and if you do not need to mount it/them to particular drive letter(s) every time, you may skip step 1 and in the 'Preferences' window in the section 'Actions to perform upon log on to Windows' enable the option 'Mount all devices-hosted TrueCrypt volumes' (instead of 'Mount favorite volumes').
http://www.truecrypt.org/faq.php
The popularity of and need for encryption software packages is growing, so if you
work for a company that deals with sensitive information of any type, it might
be wise for you to become familiar with how the drives are set up, and how they
are used.
This article may not be copied or distributed in part or in full from this site and is copyright D24 Media Limited.