- David's Church Information Technology - https://infotech.davidszpunar.com -

TrueCrypt 5: Whole Disk Encryption and OS X Support (updated)

TrueCrypt Logo [1] Version 5.0 of the TrueCrypt [1] encryption software was released on Feb. 5th. I ran into this news on Hackzine [2] where they mentioned Mac OS X support [3] as a new TrueCrypt feature. That’s cool, but I don’t use Mac, so what? I’ll upgrade soon, since I’ve been using TrueCrypt for over a year and love it, but what’s the hurry? But at the end of the article, I spotted a blurb about a much more exciting feature:

In the Windows and Linux versions a special bootloader is available that lets you encrypt your entire system drive. It doesn’t look like that option is available in the OS X version.

What? Whole-drive encryption of the system drive [4] is now available in Windows and/or Linux? (Clarification: Only Windows is supported [5] right now.) This I’ve gotta see. I’ve looked at some laptop disk encryption tools in the past, and they’re nice but generally not cheap (whether software or specialized hardware). But open source is better than cheap, and TrueCrypt is already considered to be high quality. It’s written well (important where security software is concerned) and is in active development. The new version also promises significant speed increases.

I’ve installed the new version [6] on my laptop. Do I dare try out the encryption feature? I do have most (not all) of my data backed up, the important stuff at least. Maybe I’ll investigate this through the weekend, make a decision, and possibly try it out. Possibly. Fire is fun to play with and very powerful, but you have to know what you’re doing!

UPDATED after a night’s sleep: Yes, I dared. Before going to bed I started the process to encrypt the entire system partition on my laptop. I don’t know precisely how long it took; it was projecting 2-3 hours left when I went to bed (shortly after starting it) and was done when I got up. The process is slick, I’ll give them credit for that. They require that you burn a recovery disc (and verify it) before you can continue, just in case, and they also verify that the bootloader works before allowing the encryption process to begin. I haven’t used the system enough to know whether there is a significant speed penalty when the partition is encrypted. It seems a touch sluggish but still responsive, but within the normal operating parameters depending on the day! The biggest downside: hibernation is no longer supported. Standby is an option, but the system will not hibernate (if you try, TrueCrypt stops you and provides a helpful message about why it won’t work). I generally hibernate all the time when not using my laptop. I’ll try using Standby for a while and see how happy I am with it. Not sure if it’s a deal-breaker yet.

As a precaution, the boot loader offers the option to, with the correct password, decrypt the entire disk without needing to boot into Windows, if Windows gets corrupted. There are several other handy “rescue” methods in the boot loader (on the hard drive and on the bootable rescue disc). I am extremely impressed with the quality of the thought and effort put into this whole-disk encryption feature, and although I haven’t tried the Vista Bitlocker method [7], TrueCrypt certainly sounds a bit easier (but it doesn’t integrate with the TPM chip, if one exists). There are options in the setup to set up encryption to work with multi-boot systems, but it warns that this requires advanced knowledge to set up. And, of course, you need a dual-boot system, which I don’t have at the moment.

UPDATE: The new version 5.1 has hibernation support [8], and version 5.1a Beta actually makes it work on my laptop. I’m back encrypted!

5 Comments (Open | Close)

5 Comments To "TrueCrypt 5: Whole Disk Encryption and OS X Support (updated)"

#1 Pingback By TrueCrypt Whole-Disk Encryption: Why I Turned It Off On February 18, 2008 @ 12:29 pm

[…] days ago, I posted about TrueCrypt’s new whole-disk encryption. I encrypted my laptop and started using it. Speed didn’t seem to be an issue (or much of […]

#2 Pingback By foXnoMad » The Top 12 Applications That Fit On A USB Drive For Travelers On March 5, 2008 @ 8:33 am

[…] you do end up bringing a laptop, keep in mind that TrueCrypt disables the hibernate function. You’ll have to shut down when you’re not plugged […]

#3 Comment By Linus Fernandes On March 19, 2008 @ 12:58 am

What’s the configuration of your lap-top?

#4 Comment By David Szpunar On March 20, 2008 @ 4:17 pm

My laptop is a Lenovo 3000 V100 with factory-installed Windows XP Pro Service Pack 2, 100GB hard drive, 1GB RAM. Did I miss anything?

Also, while hibernation didn’t work at first when they added support for hibernation in 5.1 (it would not resume), it does work now with version 5.1a Beta, which is nice!

#5 Comment By David Szpunar On April 28, 2008 @ 8:42 pm

In case anyone cares, I just put a 2GB stick of RAM in my laptop, bringing it up to 3GB. Encryption still works fine :-) Also, everything I could find online said that 2GB was the maximum RAM supported in the 3000 V100 laptop, but apparently that’s not true, since 3GB works just fine. And I’m now running TrueCrypt 5.1a, full version (not beta), without problems. I’ve also installed Vista on the laptop, on a new hard drive, and I have TrueCrypt encrypting that drive as well (actually just the system partition in this case).

I also discovered that at least in TrueCrypt 5.1a, you can mount another whole-disk encrypted harddrive as an external or secondary drive and use the option on the System menu in TrueCrypt to “Mount Without Pre-Boot Authentication…” and you can mount that drive as a drive letter, great for transferring data from old drive to new (as I’m doing with XP-to-Vista)! The TrueCrypt folks seem to have thought of everything! No performance hit noticed in Vista after drive encryption, and both Hibernate and Sleep work fine (although Sleep doesn’t prompt for encryption password, it just wakes up instantly, which is to be expected but be aware that Sleep mode does not protect you as much as Hibernate or powering off!).