Note: This tutorial is aimed at people wishing to fully encrypt their computer via Full Disk Encryption (System encryption). If you want to encrypt only certain files or folders, please refer to my tutorial here that uses Axcrypt. If you want to encrypt an external HDD, use TrueCrypt in Portable Mode (not explained here), or if you are using Windows 7 Ultimate or Enterprise, use the built-in BitLocker, which is very simple to use.
Having my computer secure and protected is a big thing for me as it gives me peace of mind just in case it is stolen and my personal details are compromised, like passwords, login details, bank statements, photos etc.
A note on using TrueCrypt on SSDs
Due to the way data is written to an SSD, it is advisable to encrypt the drive (using full-disk encryption) after the OS has been installed and before any sensitive data has been written to the drive. That way any data written to the drive after it has been encrypted will be encrypted on the fly by TC, making recovery of the information impossible without the decryption key. The reason is that most SSDs use wear-leveling mechanisms to extend the lifetime of the storage device, so the drive decides where data is physically written and a block that held plaintext before encryption may not be overwritten when its logical sector is encrypted. Please read this article regarding using TrueCrypt on an SSD. Also, if you require Plausible Deniability then please don’t use TrueCrypt on devices that utilize wear-leveling.
I have used Truecrypt for many years now and it is also on all our machines at work and my machines at home. The reason I have used this program is mainly for its simple use when it comes to full disk/ system encryption and knowing that, should my computer be stolen, the contents of the hard drive will be next to impossible to access, as the encryption password has to be entered before you can access the operating system (when Windows or your OS starts). This is also the reason I would never leave my computer on whilst being away for too long, as the password has to be entered every time the system is started. Please note that Mac OS X and Linux users won’t be able to use FDE (full disk encryption) as it is not supported. Full support for Windows 8 users is planned though.
The following Platforms are supported:
- Windows 2000
- Windows XP (32 and 64bit)
- Windows Vista (32 and 64bit)
- Windows 7 (32 and 64bit)
- Windows Server 2003 (32 and 64bit)
- Windows Server 2008 (32 and 64bit)
- Mac OS X 10.6 Snow Leopard (32bit) – (Full Disk Encryption is not supported)
- Mac OS X 10.5 Leopard – (Full Disk Encryption is not supported)
- Mac OS X 10.4 Tiger – (Full Disk Encryption is not supported)
- Linux (32 and 64bit versions, kernel 2.4, 2.6 or compatible) – (Full Disk Encryption is not supported)
Before you start this tutorial and use this program, please make sure you have backed up first. I have written a tutorial on how to back up here using Backup Maker (it’s free for Home use, not commercial) if you need it. You should also create a system restore point.
I have used Windows 7 Ultimate x64 for this tutorial and Truecrypt version 7.0.1 (latest version). You will also need a blank CD or DVD ready, as you will be creating a Rescue Disk during the process. One big thing to remember about this program is that there are NO back doors to it. This means that if you forget your password, and you don’t back up on a regular basis, then there is not a chance in hell you are going to be able to access your data. So please, make sure you back up first before encrypting your system; make sure that you have a reminder of what your password is for your soon to be encrypted drive and have it somewhere safe. I don’t want to put people off doing this tutorial, but I have to make this clear as I’d hate to see anyone lose their password and then realise that they have lost all their documents. But, on the flip side, if your laptop/ desktop is stolen, there isn’t a chance anyone else will be able to access it either. I include the government in that as well (as long as your password is good enough, of course. More on that in a bit).
Right, you can download Truecrypt here. It’s free and Open Source and can be used for home and commercial use. If you wish to view the licence, you can find it here. Once you have downloaded and run the program, you will see the main window.
Now, as we are going to encrypt the entire computer, go to the top of the window and select System>Encrypt System Partition/ Drive as shown below.
This will start the system encryption wizard.
You will now be asked which type of system encryption you want. For most people (like me) the first option, ‘Normal’, is the one to check; it is also the default choice. You can choose the second option if you wish, which will create a hidden operating system that can be used if you find yourself in a situation where you are forced to decrypt the system, whether by the police or through some form of extortion. I will not be going into that in this tutorial though, so choose the ‘Normal’ option and then click Next, and you will see the next window where you are asked the ‘Area To Encrypt’.
Select the second option ‘Encrypt The Whole Drive’ and then Next.
You are now asked if you want to encrypt the Host Protected Area. Select ‘No’ if you are unsure. I select ‘No’ every time I encrypt a computer, but the choice is yours. If you want further information about what the Host Protected Area is and what programs require its use, you can read the Wiki article on it here. Click Next to move on.
This is where it will ask you if you have multiple operating systems on your computer. I only have Windows 7 running on mine so I chose the first one. I do have Windows XP Mode enabled on my system, but that is a virtualized environment, so it does not count as an Operating System in the true sense of the word here. If you dual/ multi or quad boot, then choose the second option. If you chose the ‘Single Boot’ option and click Next, you will come to the next window.
You will now be asked to choose your method of encryption (which algorithm to use). Again, I have always chosen AES as my preferred algorithm. If you are interested in how the other algorithms will perform on your system, you can do a quick benchmark by clicking the ‘Benchmark’ button to the right of the window. Here is what mine was, based on my system specs below:
- Processor Intel Core 2 Quad Q6600 @ 2.4GHz (Kentsfield 65nm)
- RAM 4GB DDR2 @339MHz (5-5-5-15)
- HDD 1.5TB (SATA)
- Encryption Algorithm used: AES (Best method)
Next you will come to one of the most important parts: choosing a decent password. You are advised to enter a password which is at least 20 characters long, consisting of upper and lower case letters plus numbers and symbols such as (*£^@+_|\). The maximum password length you can use is 64 characters. I normally use somewhere between 26 and 30 for mine. Don’t use names, places, or simple ones like that, but if you have to, mix them up with upper and lower case, numbers and symbols interspersed. The most important thing to remember though is NOT to lose this password. You will get a chance to test this in the following steps. If your password is too short, you will be asked to improve it. It is up to you if you choose to ignore this. You can also use Keyfiles as well. For more information on using Keyfiles (images, MP3 etc) go to the Truecrypt FAQs. For this tutorial I didn’t, so click Next to move on.
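As an added illustration (not part of the original tutorial and not TrueCrypt’s own code), the following Python script applies the guidance above to a candidate password: it checks the 20-character recommendation and the 64-character limit, reports which character classes are present, and estimates the brute-force search space in bits so you can see how much length contributes compared with sprinkling in symbols. The small word list standing in for names and places is constructed for the example; a real check would load a proper dictionary.

```python
import math
import string

# Limits stated in the tutorial: TrueCrypt advises at least 20 characters
# and accepts at most 64.
MIN_RECOMMENDED = 20
MAX_LENGTH = 64

# Constructed stand-in for a dictionary / names / places list (assumption:
# a real check would load a large word list; these are just examples).
COMMON_WORDS = {"password", "london", "qwerty", "letmein", "truecrypt", "admin"}

# Alphabet sizes used for the search-space estimate (printable ASCII).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def character_classes(pw: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")  # anything else, including £ or a space
    return classes


def search_space_bits(pw: str) -> float:
    """Best-case brute-force cost in bits: length * log2(alphabet size).

    The alphabet is the union of the classes actually used. This is an
    upper bound: words, names and patterns shrink the real search space.
    """
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str) -> dict:
    """Apply the tutorial's guidance and report every point that fails."""
    problems = []
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters; TrueCrypt will not accept it")
    if len(pw) < MIN_RECOMMENDED:
        problems.append(f"shorter than the recommended {MIN_RECOMMENDED} characters")
    classes = character_classes(pw)
    missing = set(CLASS_SIZES) - classes
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    # Crude check for the "names, places or simple ones" the tutorial warns about.
    lowered = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains the common word '{word}'")
    return {
        "length": len(pw),
        "classes": sorted(classes),
        "bits": round(search_space_bits(pw), 1),
        "acceptable": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample passwords; the second follows the tutorial's advice.
    for candidate in ("Password123", "Tr0ub4dor&3-Blue*Kite_9!Zq"):
        print(candidate, check_password(candidate))
```

The bit figure is deliberately optimistic: it assumes every character was chosen uniformly from the classes used, which is exactly what a password built around a name or a place is not, hence the separate word check. Note how a 26-character password with all four classes lands well above 160 bits while an 11-character one with three classes stays under 70.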
Next, you will come to the ‘Collecting Random Data’ window. Just move your mouse around a bit (20 seconds will do) in different patterns to increase the cryptographic strength of the encryption keys, then when you are ready click Next.
This will show you a portion of the keys you have just generated. Click Next.
The program will now create a Rescue Disk (hopefully you will never need it, but I have on one occasion; that was down to me playing about in the registry and making Windows unbootable. Meh, you live and learn). Click Next.
On a side note, if you don’t have a DVD drive or it’s broken, you can still create the Truecrypt Rescue Disk ISO, burn it to CD/DVD on another machine, and then verify it on the machine you are working on. If you don’t have another machine to hand, then you can trick TrueCrypt into thinking that the Rescue Disk has been burned to a CD/DVD by doing a virtual mount. This is pretty simple: just download Virtual CloneDrive (it’s free) and install it. Once it’s installed, locate the TrueCrypt Rescue Disk.iso that TC created and right-click on it. Select Mount (Virtual CloneDrive E:); your drive letter may be different.
Now when you click Next on the verify window that TC shows, it will think that you have burned it to CD/DVD. Now make sure that you copy the actual TC Rescue Disk.iso (by default it is created in your My Documents) to a USB and keep it in a safe place as without it, you may never be able to recover your data should you have a problem with TrueCrypt in the future.
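The advice above to copy the Rescue Disk ISO to a USB stick and keep it safe is only worth something if the copy is intact when you come to need it. The following Python script is an added example, not part of the tutorial and not TrueCrypt’s own code: it records a SHA-256 digest beside the original ISO and later checks any copy against it, streaming the file so a large image never has to fit in memory. The demo() function builds a constructed stand-in file in a temporary directory (the real ISO is not included), makes a faithful copy and a copy with one flipped bit, and shows that the check accepts the first and rejects the second.

```python
import hashlib
import hmac
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a large ISO never sits in RAM


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, streaming it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_digest(path: str) -> str:
    """Record the digest beside the original as a sha256sum-style line.

    Returns the path of the digest file.
    """
    digest_path = path + ".sha256"
    with open(digest_path, "w", encoding="ascii") as f:
        f.write(f"{sha256_file(path)}  {os.path.basename(path)}\n")
    return digest_path


def verify_copy(copy_path: str, digest_path: str) -> bool:
    """True if the copy hashes to the digest recorded for the original."""
    with open(digest_path, encoding="ascii") as f:
        expected = f.read().split()[0]
    return hmac.compare_digest(sha256_file(copy_path), expected)


def demo() -> dict:
    """Constructed walk-through: original, faithful copy, one-bit-damaged copy."""
    workdir = tempfile.mkdtemp()
    try:
        original = os.path.join(workdir, "TrueCrypt Rescue Disk.iso")
        # Constructed stand-in for the real ISO: 3 MiB of random bytes.
        with open(original, "wb") as f:
            f.write(os.urandom(3 * CHUNK))
        digest_path = write_digest(original)

        usb_dir = os.path.join(workdir, "usb")  # stands in for the USB stick
        os.makedirs(usb_dir)
        good_copy = os.path.join(usb_dir, "TrueCrypt Rescue Disk.iso")
        shutil.copyfile(original, good_copy)

        bad_copy = os.path.join(usb_dir, "damaged.iso")
        shutil.copyfile(original, bad_copy)
        with open(bad_copy, "r+b") as f:  # flip a single bit at offset 1000
            f.seek(1000)
            byte = f.read(1)[0]
            f.seek(1000)
            f.write(bytes([byte ^ 0x01]))

        return {
            "good": verify_copy(good_copy, digest_path),
            "bad": verify_copy(bad_copy, digest_path),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())  # expected: {'good': True, 'bad': False}
```

In practice you would run write_digest() once on the ISO TrueCrypt created, keep the .sha256 file with the copy, and run verify_copy() on the USB copy whenever you want to be sure it has not silently rotted or been truncated. A single flipped bit anywhere in the image changes the digest completely, which is the property that makes the check useful.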
I personally use ImgBurn (it’s free) when burning ISOs as I trust it more than any other software in its category, but I will first show you the Windows 7 default burning software and then the ImgBurn method. Either way, click OK.
If you are going to use the Windows default burner, which you probably will if you haven’t previously downloaded a similar program, you will see the following window.
Check the ‘Verify disk after burning’ box and hit Burn. It’s a fairly quick process. Once it’s completed you will see the finished window.
If you are going to use ImgBurn (download it and run the program), open it up and choose ‘Write image file to disk’. You may want to use this if you don’t have a built-in burner, as in XP etc.
Which will lead to the next window
In ‘Source’ locate your Rescue Disk ISO; the ‘Destination’ will be your CD/DVD drive. Set the Write Speed to x4 (always burn disks nice and slow, so as to avoid mis-writes), check the ‘Verify’ box and then click the green arrow (start) at the bottom.
Once it’s finished you will see the success screen.
Once you have done this, you will need the Truecrypt program to verify that you have indeed burned the Rescue Disk ISO to disk correctly. (This is a good thing, as some people may choose to skip this part and not create one, but believe me, if you ever need it you’ll regret not having it.) Click Next.
Rescue Disk verified
Click Next to move on to where you will choose your ‘Wipe Mode’. Personally I always just choose the default option of ‘None (fastest)’. Hit Next to move on to the system encryption pretest.
This checks that you have done everything correctly thus far. If something does go wrong (forgotten password etc) and you can’t boot into Windows, don’t panic, as this is only a pretest and you are not actually beginning to encrypt yet: press ESC, which will make Windows start as normal (if you have a multi-boot set-up, choose the OS that you were doing this in). You may want to print the screen below off just in case. Hit ‘Test’ when ready.
Hit ‘OK’ and you will be asked to reboot.
Once you reboot, you will see this screen (get used to it, as this is the first screen you will see every time you boot, and it is where you need to input the password you created during the previous stages). Simply type it in and hit Enter/ Return.
If everything went well (and you should be fine) you will see the following window.
Now you begin to encrypt. Hit the ‘Encrypt’ button and you will be given printable instructions on how to use the Rescue Disk, should you need to. Print this off if you can and keep it somewhere just in case you ever need it. If you lose it, just head over to the FAQs on the site or the forums for any advice on using the Rescue Disk.
Once you click on ‘OK’ as shown in the image above, Truecrypt will begin to encrypt your computer.
Now, on my computer, the encryption took about 4hrs. Decrypting (which I had to do to get these images for the tutorial) took longer at nearly 6hrs. It’s a 1.5TB disk, which is quite large, so yours may be a lot quicker. Once it has finished encrypting you will see the final window.
Just click ‘OK’ and then ‘Finish’ on the main Truecrypt window.
Note: If you ever need to create another copy of your Truecrypt Rescue Disk you can do this in the main Truecrypt menu: System>Create Rescue Disk. Also, if you ever change your password for whatever reason, you must create a new Rescue Disk, as the encryption header stored on the disk is tied to the password that was current when the disk was created. This also applies if you have to use the Rescue Disk to repair the MBR, as again the disk holds the MBR that was originally written to it. More on that below in the tutorial.
That’s it, you’re done!
Some of the systems I have done have completed in under 3hrs, but that will mainly depend on the size of the HDD. I find that not running too many programs increases the speed of the encryption, as it will have fewer interruptions. If you have a disk defragmentation program that runs in the background (like Smart Defrag), you may want to disable it during the initial process, although I can normally get on with working in Excel/ Word plus surfing without too much effect on it. One important thing to note is that once the encryption process is complete and you use your computer as normal, you shouldn’t notice any slowdown of your system, unless it’s really old. It encrypts on the fly, so once it has finished, anything you add to your computer will be encrypted without any input from you, which is great. You can pause this at any time, or choose to defer the encryption process (say you need to leave the office or need to turn the machine off for some reason) and simply resume it from where you left off once you reboot. If you do choose to defer and then reboot, you will see the following window reminding you that you still need to finish the encryption process. Simply click ‘Yes’ and carry on or, in the main Truecrypt menu when you start it up, go System>Resume Interrupted Process.
Now, please remember to make backups regularly, which you should be doing anyway. If the worst were to happen and you lost complete access to your disk, at least you will have a recent backup of your important data.
How to decrypt your disk
This is a fairly simple procedure. In the main Truecrypt window, go System>Permanently Decrypt System Partition/ Drive.
This is followed by a confirmation prompt.
Click Yes when you are sure you want to decrypt the drive, and let it work. Again, this may take some time; on my 1.5TB HDD it took about 6hrs, but I did pause it quite a few times, whereas on some of the machines at work with much smaller HDDs it only took about 2hrs. If you have to do the decryption via the CD in an emergency, the time will be a lot longer, as the read/write speeds of CDs are much slower than your hard drive.
Now, let’s have a quick look at the Rescue Disk screens. If you ever need to use the disk, make sure that you place it in the tray and set your computer to boot from CD instead of the hard disk. When you do this you will see the Rescue Disk screen instead of the usual ‘Password’ screen.
Hit F8 to view the Rescue Disk options, or ESC to cancel this and reboot.
If you have forgotten your password, you are not going to be able to access any information again (hence you need to remember it and keep a reminder of it in a safe place). If you ever have to use the Rescue Disk to decrypt with, it can take a long time indeed (choose the ‘Permanently Decrypt System Partition/ Drive’ option). I tested it once and it took a fraction over 3 days, due to it having to run from the CD and not from the much faster HDD. But hey, if I was forced to go that route due to my OS being beyond repair, at least it’s not a total loss.
One of the reasons that people end up having to use their Rescue Disks can be a corrupted MBR, which can be caused by many things, one of which is flashing the firmware of your HDD. Also, using the ‘Compress this drive to save disk space’ option in Windows will cause you boot loader issues, but this can be corrected by using this disk and restoring the boot loader that you used when encrypting originally. I would also hope that if you are a Windows 7 user, you have at the very least created a Rescue Disk for your Windows OS. If you haven’t, then I have written a tutorial on how to create one here. You don’t have to have Windows 7 Ultimate to create one either, as the awesome people over at neosmart.net have created both 32 and 64bit versions that will work on all versions of Windows 7. Vista versions can be found here. If you don’t want to use P2P, then I have uploaded all of them here so that you can download them directly from a server instead (very quick).
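The MBR that the Rescue Disk restores has a fixed 512-byte layout: 446 bytes of boot loader code, a 64-byte partition table made of four 16-byte entries, and the two-byte 0x55AA boot signature at the end. The following Python script is an added example, not from the tutorial and not TrueCrypt’s own code: it parses that layout from a sector image and gives the kind of plain verdict you would want before deciding whether the boot loader or the whole sector needs repairing. All three sample sectors are constructed inside the script (the stand-in boot code is a labelled placeholder, not a real loader), and read_mbr() shows how the first sector of a disk image or device would be read instead.

```python
import struct

SECTOR = 512
BOOT_CODE_LEN = 446           # boot loader code occupies bytes 0..445
PARTITION_TABLE_OFF = 446     # four 16-byte entries follow it
ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"       # boot signature at bytes 510..511


def read_mbr(path: str) -> bytes:
    """Read the first sector of a disk image (or, with privileges, a device)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR into signature status, boot-code status and partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * ENTRY_LEN
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mib": sectors * SECTOR // (1024 * 1024),
        })
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_empty": not any(boot_code),
        "partitions": partitions,
    }


def diagnose(sector: bytes) -> str:
    """Plain-language verdict a rescue-disk user would want before repairing anything."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "boot signature missing: sector is not a valid MBR, whole sector needs restoring"
    if info["boot_code_empty"]:
        return "boot code region is empty: partition table present but no boot loader installed"
    if not any(p["bootable"] for p in info["partitions"]):
        return "valid MBR but no partition is flagged active"
    return "MBR looks intact"


def build_mbr(boot_code: bytes, entries: list, signature: bytes = SIGNATURE) -> bytes:
    """Assemble a constructed MBR image for testing (boot_code is a placeholder)."""
    table = b"".join(struct.pack("<B3xB3xII", *entry) for entry in entries)
    table = table.ljust(4 * ENTRY_LEN, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + signature


# Constructed samples, not dumps from a real disk.
_FAKE_LOADER = b"\xeb\x3c\x90" + b"CONSTRUCTED BOOT CODE, NOT A REAL LOADER"
_ENTRIES = [
    (0x80, 0x07, 2048, 204800),      # active NTFS system partition, 100 MiB
    (0x00, 0x07, 206848, 2929344),   # inactive NTFS data partition
]
HEALTHY_MBR = build_mbr(_FAKE_LOADER, _ENTRIES)
NO_SIGNATURE_MBR = build_mbr(_FAKE_LOADER, _ENTRIES, signature=b"\x00\x00")
WIPED_MBR = build_mbr(b"", _ENTRIES)  # loader zeroed, table and signature intact

if __name__ == "__main__":
    for name, image in (("healthy", HEALTHY_MBR), ("no signature", NO_SIGNATURE_MBR), ("wiped loader", WIPED_MBR)):
        print(f"{name:13s}: {diagnose(image)}")
        for p in parse_mbr(image)["partitions"]:
            print(f"    slot {p['index']} type 0x{p['type']:02x} LBA {p['lba_start']} size {p['size_mib']} MiB"
                  f"{' (active)' if p['bootable'] else ''}")
```

A valid signature with an empty boot code region is the shape of "the partition table is fine but nothing boots", which is the situation restoring the boot loader from the Rescue Disk addresses; a missing signature means the whole sector was overwritten. Either way, noting the partition table contents before any repair costs nothing and tells you afterwards whether the restored MBR still describes the same layout.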
Remove any mention of Truecrypt in the pre-boot screen
If for whatever reason you don’t want people knowing that you have either used encryption or Truecrypt as a method of encryption to be shown in the pre-boot screen, then you can do this by going
Check the top box ‘Do not show any text in the pre-boot authentication screen (except the below custom message)’ and type something in there (max 24 characters). Leave the other two at the bottom alone. This will show you a warning window. Read it. It basically tells you that you will only see a flashing cursor in the pre-boot screen, no asterisks will show as you type your password, and if you input your password incorrectly you will not be told about it; it will appear to be frozen instead. So, as long as you can input your password correctly you will be fine.
Well, if you have made it this far, excellent. It’s a bit of a long-winded tutorial, but I did want to try to be as thorough as I could be. I will be updating this tutorial from time to time as and when I can think of other things that may help.
If you have any questions or comments, please feel free to add them below & I will try to help, but otherwise, please use the official Truecrypt forums where the experts will guide you.
I hope this has helped.