The last three iterations of my main computer have been notebooks, rather than desktops. Although there are some major disadvantages to that (limited expandability, limited graphics capabilities, much harder to repair or swap parts), there’s one huge advantage — portability. I can literally take my work with me anywhere, even to places that don’t have any electrical outlets, within limits.
There’s a corresponding drawback though: it’s a lot easier for the system to get stolen. Although my paranoid backup systems ensure that I’d lose little or no data if it is, I was a little concerned that the thief would have access to it as well. And although I know that most computer thieves are only interested in the hardware, I’d always be worried about where the data would end up if the system were stolen.
As such, I decided long ago that all my personal and professional data had to be stored encrypted. Notebook and desktop systems both, so if someone ever broke into my office and stole all the hardware, the very act of unplugging or turning off the systems would lock the data, requiring passwords from me to access it again.
The next question was how. A program like GPG is great for individual files, but quickly becomes tedious when you’re talking about hundreds or thousands of files. In the disk-encryption arena, there were commercial solutions, including some that were highly regarded, but most of them weren’t all that flexible, they only worked on full partitions or drives, and only offered a single encryption algorithm. There were also very few of them that worked on both Windows and Linux, and I didn’t want to be locked into only one OS — even then I was thinking about moving some of my systems to Linux. And I had no idea whether they were trustworthy… all it takes is one weakness, and all the data is available to anyone who gets the hardware.
After quite a bit of research, I decided on TrueCrypt. Between being open-source and having a lot of people able to easily examine the code, I was pretty sure it was trustworthy; it could operate on full partitions or “virtual disk” files (files that acted like partitions); it had support for a number of encryption algorithms; and it was available for both Windows and Linux. I encrypted a 6GB partition, moved my “My Documents” folder to it, and started storing all of my personal and professional data there. The only disadvantage to it was that I had to enter a password every time the system rebooted… a small price to pay for the peace of mind that it gave me.
Enter Linux, at long last.
After setting everything up, I decided it was time to encrypt my Linux data partition. TrueCrypt was easily available, and although the Linux version didn’t have an easy-to-use GUI, that wasn’t a major problem for me. (There is one, called ForceField, but it doesn’t seem to work for me.) I didn’t need to share this encrypted drive with Windows, and I needed Linux permissions, so I decided to replace the FAT filing system (the only one that TrueCrypt offers by default under Linux) with ext3. That’s where the problems came in, as will be described in part 2.
In theory, doing this isn’t difficult, but figuring out how is… interesting. It’s a several-step process, and the remainder of part 1 will describe how to do it.
The first step is creating the encrypted container; the command for that is:
sudo truecrypt -c
Then answer the questions, preferably saying “none” when it asks what file system to use in the new container. (Remember the passphrase that you select for it!) Then you half-mount the encrypted container:
sudo truecrypt container
where container refers to the filename or partition name of the container. You have to half-mount it, instead of fully mounting it, because there’s no file system on it yet; if you had let TrueCrypt format it to the FAT file system, then you could fully mount it, but since you can’t format a fully mounted file system, that doesn’t help here.
Next, you need to figure out the half-mounted container’s ID:
sudo truecrypt -l
That’s a lower-case letter L. That will show you something like /dev/mapper/truecrypt0, which I’ll refer to as the idstring below. Then you format it to the file-system you want:
sudo mkfs.filesystem idstring
(Here’s where I ran into trouble, which I’ll describe in the part 2 of this entry. For now, I’ll simply say that the ext2 and ext3 file systems may or may not work with this, and may lock your entire system up.)
Then unmount the half-mounted container with
sudo truecrypt -d idstring
and mount it fully with the full-mount command and the passphrase:
sudo truecrypt -u container mountpoint
container is, again, the filename or partition name of the container, like /media/disk/private. mountpoint is the place in the file system that you want to mount it (such as /mnt/private), and has to be an existing directory, the same as with a mount
command. The -u option is necessary so that users (i.e. you) can write to the drive, without having root privileges.
When you want to unmount it again, you can use a standard umount
command:
sudo umount /mnt/private
Re-mounting it later is simply a matter of re-issuing the full-mount command described above and giving the passphrase that you assigned to the drive; the rest of that runaround is only necessary for formatting.
Now that that’s over with, on to part 2, and the trouble.
Slight correction to the above: you have to use
sudo truecrypt -d
to unmount a TrueCrypt drive properly. Just using theumount
command listed above won’t fully unmount it.The Linux kernel now has native encrypted filesystem support that should work more smoothly, I think you can even encrypt everything (except perhaps /boot if using GRUB). Disadvantage of course – you can’t run it under Windows.
I can’t use this one under Windows either, since there’s no Windows support for the JFS file system. But considering how easy it is to transfer files between this virtual Linux system and the host Windows system using VMware 6, that’s hardly a problem right now. If I wanted a drive I could use under both systems, I’d go with vfat, ext2, or even ntfs — both systems support all of those. (Unfortunately, I don’t think you can format ext2 under Windows, or that might have solved the problems I was having.)
Yes, I’ve seen the dm-crypt option described, and I’ve got a book that describes how to use it too. I prefer TrueCrypt though, because I’m already quite familiar with it and I trust it — any other encryption system, I’d have to study for a while before I could decide if it were trustworthy as well.