TrueCrypt is an open source (meaning free) encryption tool for encrypting folders or entire disk partitions. It creates virtual encrypted volumes that can be mounted as drives. You can use either passwords or keys to access your encrypted volumes. Keys require the normal key management (storage, backup, etc.) that would be required with Microsoft's EFS or any other key-based encryption system. With passwords, TrueCrypt becomes a true on-the-fly encryption tool. TrueCrypt is an open source project, and the download is available from SourceForge.
The recent news of stolen laptops filled with the private information of thousands and millions of people is disturbing. Each issue of SANS NewsBites generally has one article dealing with a recent theft of identity information. In many cases, the issue would have been mitigated by the simple encryption of the laptop hard drive or partition, or encryption of the volume containing the sensitive information. TrueCrypt makes this amazingly simple and transparent to the authorized user, and impossible, or near that, to the unauthorized user.
Here is the TrueCrypt home site: http://www.truecrypt.org/
1. As with any encryption that you might do on your laptop, home system or work system with TrueCrypt or any other encryption system, always have an unencrypted copy of the information available on backup media (CD, tape or other system). The encrypted copy of the files should never be the only copy of the files that you have. That is just a disaster waiting to happen.
2. Key management is tricky. Lose a key and you very likely will not be able to recover your files protected by that key. Same with password protection. Back up your keys to reliable media or record your passwords in some secure way so that you have a way to recover your files. Encryption can be a one-way road to hell if you don't plan ahead.
TrueCrypt must be installed on the workstation with local administrator credentials. I installed it on my laptop. Fine. I needed to request that our support dude install it on my work system. (I will be installing it on my home system and a couple of Linux VMs to test the cross-platform stuff later.)
It is a simple installation and is over in less than a minute. Once installed, it can be run by the limited user with no problem.
For the first test, we'll make a volume on your C: drive. Launch TrueCrypt and click Create Volume. For now, we just want a standard volume, so just click Next. The Location of the volume can be a bit confusing to the first-time user. It was for me. Don't select a device. Just click Select File, then browse to a directory on your C: drive and type in a file name. Click OK, then click Next. Choose the encryption algorithm and a hash algorithm. There are a lot of options for encryption. We can use AES for this example. Play with the rest later to find something that suits you. There are three options for hash: RIPEMD-160, SHA-1, and Whirlpool. Experiment with various combinations and check the performance of the system when opening and closing files in encrypted volumes.
There is a Test button and a Benchmark button that will evaluate the combinations based on your system. On my system, AES is the fastest at encryption, but slower than Blowfish and Twofish at decryption. AES is second fastest overall in Mean Speed, behind Blowfish. You will choose your combinations by making the required tradeoffs between performance and strength.
Once you get the combination set, click Next and set the size of the virtual volume. For this test, I set 50 MB. Click Next, then enter your encryption password. You can choose, at this point, to use keyfiles. For our test, though, we'll stick to passwords. Click Next. This next screen allows you to select an NTFS or FAT file system (use NTFS). Before you click the Format button, move the mouse around, or (as I'm doing now) type characters on the keyboard. This adds "salt" (extra randomness) to the encryption. When you click Format, it takes about 6 to 10 seconds to format the 50 MB, depending on your system. Then, click Exit.
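The hash algorithm picked in the wizard and the random salt both feed the password-based key derivation (PBKDF2) that TrueCrypt uses to protect the volume header. The sketch below is an added example, not code from TrueCrypt or from the original article, showing why the same password never yields the same key twice and what each hash choice costs per password attempt. The function names, iteration count, key length and passphrase are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time

SALT_BYTES = 64    # TrueCrypt uses a 512-bit salt stored in the volume header
ITERATIONS = 2000  # assumed work factor for this demo; it varies by version and hash
KEY_BYTES = 32     # illustrative length: enough for one AES-256 key


def derive_header_key(password, salt, hash_name="sha1",
                      iterations=ITERATIONS, length=KEY_BYTES):
    """PBKDF2-HMAC: stretch a password plus salt into key material."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                               salt, iterations, length)


def usable_hashes(candidates=("ripemd160", "sha1", "whirlpool")):
    """Return the wizard's hash choices that this Python/OpenSSL build supports."""
    supported = []
    for name in candidates:
        try:
            hashlib.new(name)
            supported.append(name)
        except ValueError:
            pass  # legacy digests are often disabled in newer OpenSSL builds
    return supported


def time_derivation(hash_name, rounds=5):
    """Average seconds per derivation, i.e. the cost of one password guess."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(rounds):
        derive_header_key("constructed-demo-passphrase", salt, hash_name)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    # Two volumes created with the same (constructed) passphrase get different salts.
    salt_a, salt_b = os.urandom(SALT_BYTES), os.urandom(SALT_BYTES)
    key_a = derive_header_key("constructed-demo-passphrase", salt_a)
    key_b = derive_header_key("constructed-demo-passphrase", salt_b)
    print("same password, different salt, same key?",
          hmac.compare_digest(key_a, key_b))
    for name in usable_hashes():
        print(f"{name:10s} {time_derivation(name) * 1000:.2f} ms per derivation")
```

Because the salt is random per volume, precomputed password tables are useless against it, and the per-derivation time is what an attacker pays for every guess.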
The process is about the same with thumb drives, SD or other memory cards. The main difference is that some devices cannot be fully encrypted. I tried to fully encrypt my little 32 MB thumb drive, but got errors when I tried to format either as FAT or as NTFS. I was successful when I created a 15 MB file on the thumb drive (I had to leave some normal space on the device for it to work) instead, and formatted as NTFS. I mounted the drive as above, using another drive letter, and was able to move files in and out of the encrypted volume. TrueCrypt will successfully format some mobile media completely, but you'll have to try yours out.
Aside from those issues, setting up a virtual volume on mobile media is the same process as setting one up on the hard drive.
The Help file that comes with TrueCrypt is full of great ideas for using this tool, including setting up a traveller disk. Since this is an open source project, there are new features planned and on the wish list. But, as it stands, it is a very useful and reasonably complete package.