February 7th, 2008

TrueCrypt 5: Whole Disk Encryption and OS X Support (updated)

Version 5.0 of the TrueCrypt encryption software was released on Feb. 5th. I ran into this news on Hackzine where they mentioned Mac OS X support as a new TrueCrypt feature. That’s cool, but I don’t use Mac, so what? I’ll upgrade soon, since I’ve been using TrueCrypt for over a year and love it, but what’s the hurry? But at the end of the article, I spotted a blurb about a much more exciting feature:

In the Windows and Linux versions a special bootloader is available that lets you encrypt your entire system drive. It doesn’t look like that option is available in the OS X version.

What? Whole-drive encryption of the system drive is now available in Windows and/or Linux? (Clarification: Only Windows is supported right now.) This I’ve gotta see. I’ve looked at some laptop disk encryption tools in the past, and they’re nice but generally not cheap (whether software or specialized hardware). But open source is better than cheap, and TrueCrypt is already considered to be high quality. It’s written well (important where security software is concerned) and is in active development. The new version also promises significant speed increases.

I’ve installed the new version on my laptop. Do I dare try out the encryption feature? I do have most (not all) of my data backed up, the important stuff at least. Maybe I’ll investigate this through the weekend, make a decision, and possibly try it out. Possibly. Fire is fun to play with and very powerful, but you have to know what you’re doing!

UPDATED after a night’s sleep: Yes, I dared. Before going to bed I started the process to encrypt the entire system partition on my laptop. I don’t know precisely how long it took; it was projecting 2-3 hours left when I went to bed (shortly after starting it) and was done when I got up. The process is slick, I’ll give them credit for that. They require that you burn a recovery disc (and verify it) before you can continue, just in case, and they also verify that the bootloader works before allowing the encryption process to begin. I haven’t used the system enough to know whether there is a significant speed penalty when the partition is encrypted. It seems a touch sluggish but still responsive, but within the normal operating parameters depending on the day! The biggest downside: hibernation is no longer supported. Standby is an option, but the system will not hibernate (if you try, TrueCrypt stops you and provides a helpful message about why it won’t work). I generally hibernate all the time when not using my laptop. I’ll try using Standby for a while and see how happy I am with it. Not sure if it’s a deal-breaker yet.

As a precaution, the boot loader offers the option to, with the correct password, decrypt the entire disk without needing to boot into Windows, if Windows gets corrupted. There are several other handy “rescue” methods in the boot loader (on the hard drive and on the bootable rescue disc). I am extremely impressed with the quality of the thought and effort put into this whole-disk encryption feature, and although I haven’t tried the Vista BitLocker method, TrueCrypt certainly sounds a bit easier (but it doesn’t integrate with the TPM chip, if one exists). There are options in the setup to set up encryption to work with multi-boot systems, but it warns that this requires advanced knowledge to set up. And, of course, you need a dual-boot system, which I don’t have at the moment.

UPDATE: The new version 5.1 has hibernation support, and version 5.1a Beta actually makes it work on my laptop. I’m back encrypted!