When I read about a new release of TrueCrypt (open source, free ...), and found out that using this software you could essentially have a hidden OS and a visible OS both on the same PC, I was intrigued. Intrigued enough to take a look ...
TrueCrypt 6 Installation/Hidden OS image gallery
The idea behind this new TrueCrypt feature is fascinating:
If your system partition or system drive is encrypted using TrueCrypt, you need to enter your pre-boot authentication password in the TrueCrypt Boot Loader screen after you turn on or restart your computer. It may happen that you are forced by somebody to decrypt the operating system or to reveal the pre-boot authentication password. There are many situations where you cannot refuse to do so (for example, due to extortion). TrueCrypt allows you to create a hidden operating system whose existence will be impossible to prove (provided that certain guidelines are followed — see below). Thus, you will not have to decrypt or reveal the password for the hidden operating system.
The theory -->
Before you can have a hidden OS you need to have your system set up a particular way. Specifically you need to have two partitions, the first containing your OS and a second (which must be 5% larger than the primary partition if it is formatted using FAT or 110% larger if formatted using NTFS). The second partition must be the first partition behind the primary one.
Setting up a hidden OS sounds more complicated than it actually is because the process is entirely wizard driven and it seems well laid out and robust. Once you've gone through the wizard you end up with the following system layout:
- A boot loader is installed which allows you to boot into two different operating systems.
- The first OS is called a decoy OS, which is the main OS that you boot into on the system. This OS resides on the primary partition. No sensitive stuff is stored on this OS.
- The hidden OS, which is the one that contains sensitive material, is stored on the second partition inside a hidden TrueCrypt volume which resides inside an outer TrueCrypt volume wrapper.
- Which OS you boot into depends on which password you end when starting the system up. However, because the hidden OS is stored on a TrueCrypt volume, its presence is undetectable unless you have the right password.
- In order to make the outer wrapper that holds the hidden OS seem valid, you will need to add some sensitive-looking files to this volume.
Going through this process leaves you with three passwords:
- A password that allows access to the decoy OS - This is the password that you'll use when you want to access the regular, non-sensitive OS so when someone asks you for the boot-up password, you give them this.
- A password that allows access the hidden OS - This is the password that you use to access the secret OS containing the secret data.
- The password that allows access to the outer volume containing the hidden OS and also containing the sensitive-looking (but which are not in fact sensitive) files - This is the password that you hand over to someone should they want to know what's hidden inside the TrueCrypt volume.
In practice -->
In practice, setting up TrueCrypt to hide an OS isn't hard, but there are a number of things that you need to bear in mind before starting:
- Consider carefully before starting whether you need the hassle of a hidden OS - it offers far more security than most people will ever need.
- Get your partitions figured out in advance - to do this you may need to wipe your system and restart (if you've had secret data on your system then you should wipe your drives securely and reinstall the OS).
- The process is quite involved and not something that you should attempt during a lunchtime!
- Follow all the directions given to you by the wizard carefully - you don't want to foul up!
- Figure out what your three different passwords are going to be in advance. Also, get yourself some sensitive-looking data ready. The robustness of your security relies on you having data in that outer volume (the one that contains the hidden OS) that looks sensitive enough to warrant having all that encryption loaded onto your system in the first place.
- There's a LOT of on-screen reading, and it's vital that you understand what you are doing. I'd recommend reading the manual before starting, and also consulting the online documentation.
- The process of copying your operating system to the hidden volume can take a long time. It took me an hour to copy a clean Vista install on a fast PC. This process could take you hours!
- To get the best security that TrueCrypt can offer you need to make sure that you follow all the best practices outlined in the manual.
- If you lose a password you are in deep, deep trouble!
- It might be a good idea to experiment with TrueCrypt on a virtual machine system before trying it out on a physical system. I know I felt much better about it after a dry run.
- TrueCrypt 6 has some features that certainly seem impressive, but I have no way of knowing if these features are bullet-proof ... so use at your own risk!
<< Home >>