Website for David Bolton, software developer in London, England


Permission is granted to reprint/use these on the web so long as there is a link to my website.

Protecting Your Personal Data (2006)



In these post-9/11 days, intrusion and lack of privacy are often justified by the glib phrase "If you have nothing to hide why worry?" Yet all of us at some time or other have something to hide without being a criminal. What if you’re planning a surprise party, buying presents or arranging a secret holiday? Or perhaps you are being very naughty, hiding photos of your girlfriend from your spouse, which, if not exactly nice, is not usually a crime.

The best reason of all is personal security. ID theft is at an all-time high and keeping important information secure is not that easy these days. Even if you trust your firewall, anti-spyware, etc., what if your PC or laptop was stolen? Could you be absolutely sure that no one could read your files, or access your passwords, business accounts, salary files, and new business ideas?

What if you could hide your most cherished information so securely that it couldn't even be detected? Well, now you can, thanks to open source, and it won't even cost you a cent. All you need is a PC running Windows or Linux and the Truecrypt application.

Truecrypt is a remarkable piece of free software that can be downloaded from truecrypt.org, and I fully recommend it. It uses the best security methods: algorithms like AES-256, Blowfish, CAST5, Serpent, Triple DES, Twofish, AES-Serpent, and AES-Twofish-Serpent. Even the source code is available to examine or alter. Don't worry if you don’t know what these names mean; they are all well established and verified means of encrypting data. You can find out more about them on the Truecrypt website or use Google.

There is a very dodgy practice in security, known as "security through obscurity", that works by not revealing how the secured data is stored. It relies on that secrecy to protect your data. This is snake oil. Many programmers think they can write their own encryption algorithms and sell them, but it is actually pretty hard to develop robust and secure algorithms. It’s considered far better to use tried and tested methods and keep your passwords secret. That’s what Truecrypt does. There is nothing wrong with hiding the files as well, but you should not rely on keeping files hidden as your only means of protection.

Truecrypt is excellent at disguising its encrypted files. It doesn't use any special type of file so the presence of a Truecrypt file cannot be easily spotted. It is possible to detect that you have used Truecrypt on a Windows PC by looking in the registry but those registry keys can be found and removed if you are really security conscious and know how to use regedit.

In Windows Explorer, if you see a file ending in .txt, it is usually a text file, just as .xls is an Excel file, .doc is for Word, etc. With a file named kernel.sys, you might think it is part of Windows. But it could equally be a Truecrypt file. Examining the bytes in a Truecrypt file with a hex editor will not reveal what the file contains or even identify it as a Truecrypt file. You'll just see random byte values. The whole file is encrypted and only your password can decrypt it. As your password isn't stored anywhere, that means if you forget it, the data is irretrievably lost. There is no back door or recovery utility that you can use.

Unusually for software of this complexity, Truecrypt is very easy to use. It can make use of a file, an entire disk or even a USB drive to hold encrypted files. My preference is to use a file, as it's easy to make backup copies.

Each Truecrypt file or drive is actually a "volume", similar to a root folder that holds other files and folders. Each "volume" has to be prepared once: just enter a password and it is filled with random data in a few minutes. "Volume" files can be pretty small (a few hundred kilobytes) or very large (up to gigabytes). The overall size obviously depends on what you want to hold in it, but as a general rule, keep it as small as you can, and certainly don't make it very big "just in case". Big files stick out like a sore thumb. Certainly avoid using file extensions that are easy to check. You might be tempted to hide a Truecrypt file in a folder full of large spreadsheets. But Excel would not be able to load your file and that might be a clue.

The Windows folder for instance is full of large files such as win32.fts, a 16 megabyte file that is part of the Windows XP help system. Do you know how to use an fts file? I certainly don't. So creating a Truecrypt file with an fts extension in the Windows folder is one place to hide files.
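The "clue" described above can be checked mechanically. The following is an added example, not part of the original article and not Truecrypt code: it flags a file whose extension promises a known header it does not have, or whose bytes look uniformly random. The signature table, the 7.9 threshold and the sample file names are illustrative assumptions, and high entropy only indicates random-looking data, not Truecrypt specifically.

```python
import math
import os
from collections import Counter

# Illustrative subset of well-known file signatures, keyed by extension.
MAGIC = {
    ".xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound document
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF-",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(name: str, data: bytes, threshold: float = 7.9) -> str:
    """Classify a file as 'header-mismatch', 'high-entropy' or 'ok'."""
    ext = os.path.splitext(name)[1].lower()
    signature = MAGIC.get(ext)
    if signature is not None:
        # The extension promises a format, so the header must match it.
        return "ok" if data.startswith(signature) else "header-mismatch"
    # Unknown extension: fall back to the byte statistics.
    return "high-entropy" if shannon_entropy(data) >= threshold else "ok"


# Constructed sample inputs: random bytes stand in for an encrypted volume.
SAMPLES = {
    "budget.xls": os.urandom(65536),                       # random data, .xls name
    "help.fts": os.urandom(65536),                         # random data, obscure name
    "notes.txt": b"Quarterly figures, region, total\n" * 2000,
    "real.xls": MAGIC[".xls"] + b"\x00" * 4096,            # genuine-looking header
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {shannon_entropy(data):5.2f} bits/byte  {assess(name, data)}")
```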

Once a file has been prepared, it just needs mounting to make it usable. Select the file, choose the drive letter it will use and enter your password. One second later you’ll have a new drive show up in Windows Explorer. This drive can be reformatted, compressed and used just like a real disk. You can copy your files on to it or work directly on it; it's as fast as a normal disk and just as safe. How do I know? I’ve used one for over a year and have never lost any data.

Certain countries, the U.K. for instance, have laws that can force you to reveal your passwords to the authorities if they demand it. If you don't, you may go to jail. However, Truecrypt can provide "plausible deniability". You can store a secret volume within a Truecrypt volume using a second password. If the first password is used, only the files in the visible part are revealed and you can claim that you have complied with the law. Detecting it is like finding a hidden room in a house: unless the secret volume takes up a large amount of space, it will be impossible to detect if a secret volume is present.

Using Truecrypt is of course no excuse to avoid the usual security processes like firewalls and anti-virus. Neglect those and you might end up with a key logger on your PC that would record everything you did including your passwords.

I've used Truecrypt to secure a large list of website usernames and passwords. It has proved to be extremely robust and reliable. If you’ve got personal data that must be kept private, Truecrypt is one of the best ways to do it. Just don't forget your password!

 
