In a previous tutorial, I showed you how to set up password protected vaults on your Mac. One of the methods used TrueCrypt. In that tutorial I mentioned that TrueCrypt was capable of levels of security far in excess of what most Mac users need.
In this tutorial, I am assuming you are a secret agent and need those extreme levels of security. I'll show you how to use TrueCrypt to store files as securely and secretly as possible. I’ll also show you how to use hidden TrueCrypt volumes to give yourself plausible deniability if you are subjected to extortion or torture.
TrueCrypt Volumes Revisited
TrueCrypt volumes are encrypted disk images. They take up a fixed size and are always filled with data. When you create a new volume, that data is just random ones and zeroes. As you add files to the volume, the random data is replaced with real data.
While the volume remains encrypted, it is impossible to tell what is real data and what is random data; it all just appears as garbage. The difference is only apparent when you decrypt the volume.
For this tutorial, I assume you have read the previous tutorial which goes through, step by step, how to install and setup a basic TrueCrypt volume. If you have not, please read it before continuing as I will not be retreading the basics.
Hiding a TrueCrypt Volume
A TrueCrypt volume has a fixed size, and can have any filename and extension, so it can easily be camouflaged among genuine files. What volume size you require determines what kind of files you hide it among. I find the the two best kinds of camouflage are RAW image files and movie files.
RAW Image Files
A RAW image from my Canon 650D is anywhere between 17 and 24 megabytes when converted to Adobe’s .DNG format. If you are storing a few small images, text files or PDF documents, 20 megabytes is more than large enough.
To use RAW files for camouflage, have a folder containing 100 or more images with a sequential naming system; such as IMG_1200 through to IMG_1300. Make a random image file somewhere in the middle your TrueCrypt volume. Make sure that when you create your volume, that its size also fits in with the camouflage files.
Tip: When you’re accessing your TrueCrypt volume, open a few of your camouflage files too so that someone can’t find your volume by just sorting by most recently opened. Occasionally open a few of your camouflage files without touching your vault to generate a natural use pattern for the files.[/tip]
If a 20 megabyte vault isn’t going to be enough, it’s time to go big. A lot of people have a folder on their computer filled with movie files from questionable sources. For a large TrueCrypt volume, you can use one of them.
Generally these films come with additional files, such as descriptions, subtitles or movie covers. For maximum security, leave those files intact and create your TrueCrypt volume to replace the main video file. Your vault is a 700MB+ “movie” with the genuine trappings, in a folder filled with other movies. Even better, because there are a number of different media encodings, it is not uncommon for video files to be un-openable.
More Secure Encryption Algorithms
In the earlier TrueCrypt tutorial, I advised you to stick with the default encryption settings. For most people that is the best balance of convenience and security. As this, however, is a tutorial for super-spies, we need to take things further.
Instead of just using one encryption algorithm, TrueCrypt can stack multiple algorithms on top of each other. This is the best way to really lock down the volume.
TrueCrypt takes the volume and runs each block of data through one algorithm to create an encrypted result. It then takes this, already encrypted data, and passes it back through a different algorithm. Finally, it repeats the process again. The resulting encrypted file is almost impossible to bruteforce.
This, however, significantly affects the read/write times of the volume. To see the speed differences between the different algorithm options and combinations, click on Benchmark to run TrueCrypt’s Encryption Algorithm Benchmark on your system.
If you are storing text files in a small volume, lower read/write speeds will not be as inconvenient as if you are storing high-resolution spyplane video in a multi-gigabyte vault.
In addition to a password, you can use keyfiles. Keyfiles are just regular files that, when you enter the password to access your vault, you have to point TrueCrypt to as well. They are essentially digital keys. Unlike TrueCrypt volumes, keyfiles remain normal files when they are used.
While you can just use this to add an extra layer of security to your personal volumes, you can use it to do other things too.
If two people both have the volume on their computer as well as one of the two keyfiles, neither can open the volume without the other being present. This is a similar principle to the multiple keys method used in securing nuclear weapons.
If you are worried about your data being intercepted, you can send an encrypted TrueCrypt volume over the internet and post a USB key with the keyfiles. Even if someone intercepts the internet data and somehow gets the password, they won’t be able to open it without the USB key’s contents.
To add keyfiles to your TrueCrypt volume, create one as normal. When setting the password:
- Check the Use keyfiles option and click on Keyfiles to open the keyfile selection menu.
- Click the Add Files… button and browse to the files you want to use. Click Open to select them.
- Select OK to confirm your choice.
Tip: While keyfiles remain regular files, it is important to note that they are sensitive to change. If the first 1024 kilobytes get modified, the keyfiles will no longer work. For this reason, it is better to use files you do not intend to modify.
To access a volume that is protected by keyfiles, mount it as normal and when you enter your password, click the Use keyfiles… checkbox and then the Keyfiles button. This brings up the same menu you get when you originally added the keyfiles. Navigate to them and click Open followed by OK. Finally, click OK to open your volume.
If you do not select the correct keyfiles, the volume will not mount even if you enter the correct password.
Hidden TrueCrypt Volumes
The weakest point of any encryption system is the person. It is all well and good an encrypted volume that no computer can crack, but if enemy agents are torturing you, or a former business partner extorting you, very little is likely to stop you giving up the password and the keyfiles. This is where hidden TrueCrypt volumes come in.
A hidden TrueCrypt volume is a TrueCrypt volume nested inside the random data of a containing TrueCrypt volume. It has a separate password to the external containing volume. When you mount the volume, whichever password you enter corresponds to the volume that TrueCrypt will mount. You can put seemingly important files in the outer container and give up that password while still keeping the access details to, and the existence of, the vault containing the really important stuff secret.
How TrueCrypt works means it is impossible to detect if there is a hidden volume in the random data of another TrueCrypt volume. By revealing one password, you gain plausible deniability as to the existence of another volume.
Setting Up Hidden Volumes
When you create a hidden volume you create two TrueCrypt volumes, one, the outer container, to contain decoy files, and the other, the nested hidden volume, to contain the important ones. To set up a hidden volume:
- Start to set up a TrueCrypt volume as normal. When you are asked to specify a Volume Type choose a Hidden TrueCrypt volume.
- TrueCrypt then takes you through the regular procedure for setting up an encrypted volume for the outer container.
- When you have the outer container created, TrueCrypt prompts you to open it and add some files that look sensitive. While you can add files later, it runs the risk of overwriting the contents of the hidden volume so it is inadvisable.
- Once you’ve added your decoy files, click Next. TrueCrypt scans the remaining space in the volume to calculate the maximum size for the hidden volume.
- Setting up the hidden volume is the same as setting up a regular TrueCrypt volume. The only difference is to ensure the hidden volume has a different password to the outer volume.
Using a Hidden Volume
To use a hidden volume, ignore the outer container and only access the hidden inner portion with the appropriate password. When you are threatened or extorted, into revealing your TrueCrypt vaults location and password, instead reveal the outer container’s password.
With the decoy files in the outer volume, make sure they are a plausible size for the volume. A 200 megabyte volume containing a single embarrassing file is not likely to fool enemy agents, instead, have a volume that’s 50% or more filled with decoy files.
In this tutorial I’ve shown you how to use TrueCrypt to secure your files like a super-spy. Most people are never going to need anywhere near this level of security. By looking at, and understanding, the most extreme security methods, you can make conscious decisions as to what level of security you need, rather than just assuming that what you have is okay. It is also fun to play around with these sort of things!