Update February 20, 2014
Note that TrueCrypt is incompatible with Windows 8. See here for details. The following instructions are however generally valid for Windows XP and Windows 7.
In a previous post, I provided the rationale for setting up Full Disk Encryption (FDE) on all of your Windows computers using freely available software known as TrueCrypt. Today, I’m going to take you step-by-step through the process of installing TrueCrypt and encrypting the system partition on a computer running Windows XP Home Edition. There are quite a few steps but the process is relatively painless. Once you see how easy it is to encrypt your drives, I believe you will conclude, as I have, that there really is NO excuse for not doing it!
- Backup your data! There is always risk of something going wrong and losing data when you’re doing these kinds of things so be sure to backup your data! You have been warned!
- Read my previous post on PC Hardware Checkup and make sure you have sufficient RAM and disk space for running FDE.
- Go here and download the latest version of TrueCrypt for Windows XP. For reference, the example below is based on TrueCrypt Version 7.0a encrypting a Windows XP Home Edition (SP2) machine.
Step 1. Start the TrueCrypt installer. You should see a screen like this. You must click the check box and the “Accept” button to proceed.
Step 2. Next you are presented with the option to install or extract. Choose “Install” and click “Next” to continue.
Step 3. After clicking next you will see this dialog. I recommend using the default settings. Click “Next” to proceed.
Step 4. After the installation is completed you will be presented with an OK box to confirm that the installation was successful and a second OK box suggesting you review the manual. Even though you have this tutorial, I still strongly suggest that you read the manual! The main window will also show a completed installation as shown below.
Now that the installation is complete you will start TrueCrypt to configure the encryption options for various folders or drives.
Setting Up Full Disk Encryption
Step 1. Start TrueCrypt using the icon placed on the desktop or the Start menu. You should see a dialog like the one below. Click the “Create Volume” button to launch the Volume Configuration Wizard.
Step 2. The aim here is to encrypt the system partition or the entire system drive so check the appropriate box as shown below and click “Next”.
Step 3. Next the program prompts you to use either normal encryption or hidden encryption. In my opinion there is little value in the “Hidden” option for the vast majority of people. So unless you’re super paranoid and working as a spy I suggest that you opt for “Normal” here and then click “Next” to proceed.
Step 4. In this step you will tell TrueCrypt which area of the disk to encrypt. You have the option of encrypting the whole disk or just the Windows system partition. I recommend choosing “Encrypt the Windows system partition” to avoid potentially messing up other partitions that might be used for other operating systems or system recovery partitions. You can go back later and encrypt your data partitions very easily once the primary system partition is encrypted. Click “Next” to continue.
Step 5. In this step you must tell TrueCrypt if you have a single boot or a multi-boot machine. I developed this example with a single boot installation of Windows XP Home Edition so I have selected “Single-boot”. If you’re bold and using more than one OS then choose the other option. Note, I’ve generally found that multi-boot systems can be problematic so I’ve switched to using a single host OS and running alternatives in Virtual Machines with VMWare. There are of course certain hardware situations that preclude that option so dual-boot is sometimes an unfortunate necessity. Click “Next” to continue.
Step 6. Now you will configure the encryption algorithm and hash algorithm. I recommend using the default AES encryption algorithm and RIPEMD-160 hash algorithm. You are of course free to choose one of the alternatives based on information supplied by TrueCrypt. Click “Next” to continue.
Step 7. This is probably the most important step. You must select a strong password that you will need to enter every time you want to start the computer. Pick a good one that you won’t ever forget because if you do there is no way that you or anyone else will ever be able to unlock the data on the encrypted drive again. Let me emphasize the point. There is no backdoor. If you forget your password your data will be lost forever. Click “Next” when you’re sure you’ve chosen a password you’ll never forget.
Note: TrueCrypt also gives you the option to use keyfiles. Using those is beyond the scope of the current tutorial but I will discuss them in a future post.
Step 8. TrueCrypt now needs to collect some random data to help form the cryptokeys. Simply move the mouse around in the numerical array for a minute or so and click “Next”.
Step 9. TrueCrypt now shows you the keys it generated. I have turned off the display just so someone out there doesn’t try to do anything with the keys used in my example. You can safely click “Next” to continue.
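To make the “no backdoor” point of Steps 7 to 9 concrete, here is a small added model (written for this tutorial, not TrueCrypt’s own code) of how a TrueCrypt volume header ties the password to the data. The master key that actually encrypts the drive is random (Step 8, the mouse entropy); the password only derives a header key with PBKDF2 (Step 7) that encrypts the small header holding that master key (Step 9). The 64-byte salt and the “TRUE” magic tag mirror the real header layout; the iteration count is an assumed value for illustration, and the HMAC-SHA256 counter-mode keystream is a toy stand-in for AES that only serves to make the structure visible:

```python
import hashlib
import hmac
import os

# Constructed illustration of the TrueCrypt key hierarchy, not TrueCrypt code.
SALT_LEN = 64       # a TrueCrypt header begins with a 64-byte salt
ITERATIONS = 1000   # assumed for illustration; the real count depends on hash and volume type
KEY_LEN = 32


def derive_header_key(password: str, salt: bytes) -> bytes:
    """Password -> header key via PBKDF2. RIPEMD-160 (the Step 6 default) is used
    when the local OpenSSL exposes it, otherwise SHA-512 (another wizard option)."""
    for name in ("ripemd160", "sha512"):
        try:
            return hashlib.pbkdf2_hmac(name, password.encode(), salt, ITERATIONS, KEY_LEN)
        except ValueError:
            continue
    raise RuntimeError("no usable hash for PBKDF2")


def _keystream(key: bytes, length: int) -> bytes:
    # Toy keyed keystream standing in for AES-XTS; not TrueCrypt's cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def create_volume(password: str, plaintext: bytes) -> dict:
    master_key = os.urandom(KEY_LEN)   # Step 8: random, never derived from the password
    salt = os.urandom(SALT_LEN)
    header_key = derive_header_key(password, salt)
    # The header stores a magic tag (so a wrong password is detectable) plus the master key.
    header = xor_crypt(header_key, b"TRUE" + master_key)
    return {"salt": salt, "header": header, "data": xor_crypt(master_key, plaintext)}


def open_volume(volume: dict, password: str):
    """Returns the decrypted data, or None when the password does not unlock the header."""
    header_key = derive_header_key(password, volume["salt"])
    decoded = xor_crypt(header_key, volume["header"])
    if decoded[:4] != b"TRUE":
        return None        # wrong password: no master key, no data, nothing to fall back on
    return xor_crypt(decoded[4:], volume["data"])


def change_password(volume: dict, old: str, new: str) -> dict:
    """Re-keying rewrites only the header; the bulk data is untouched."""
    decoded = xor_crypt(derive_header_key(old, volume["salt"]), volume["header"])
    if decoded[:4] != b"TRUE":
        raise ValueError("old password incorrect")
    salt = os.urandom(SALT_LEN)
    return {"salt": salt,
            "header": xor_crypt(derive_header_key(new, salt), decoded),
            "data": volume["data"]}


if __name__ == "__main__":
    vol = create_volume("correct horse battery", b"constructed sector contents")
    print(open_volume(vol, "correct horse battery"))
    print(open_volume(vol, "guess"))
```

The model shows why the warning in Step 7 is literal: the only copy of the master key sits in the header, and without the password-derived header key that header is indistinguishable from random bytes. It also shows why a later password change is fast, since only the header is re-encrypted, not the whole partition.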
Step 10. Create a rescue disk. This is important and you can’t proceed without creating one. Save the ISO image first and then click “Next”.
Step 11. Rescue Disk Recording. If you don’t already have software on your machine capable of burning an ISO image to CD then you will need to download and install such a program. Conveniently, TrueCrypt provides a link to some free programs at the bottom of the dialog box.
Optional Step. Download and install Third-Party CD/DVD Recording Software. You only need to do this if you don’t have a suitable program already installed. Since I was using a fresh Windows install I chose to download and install ISO Recorder. Setup is easy but it does NOT place an icon on the desktop or start menu so don’t look for one.
Step 12. Now simply select the TrueCrypt Rescue Disk ISO file. Right click with the mouse and choose “Copy Image to CD” as shown below. The process may be different if you’re using your own software.
Step 13. The CD Recording Wizard will start up as shown below. Insert a blank CD if you’ve not already done so and click “Next”.
Step 14. After the CD has been burned you will need to click “Next” in the TrueCrypt – Rescue Disk Recording dialog box shown earlier. It should then verify that the burn was successful as shown here:
Step 15. Now you will need to specify the wipe mode. Wiping matters because each sector is overwritten before its encrypted version is written back, so traces of the original plaintext cannot be recovered from the drive after TrueCrypt encrypts it. A 3-pass wipe should be sufficient for nearly everyone but the super paranoid. To save some time, I opted not to wipe the drive since it was brand new with a fresh install of Windows XP. If you’re encrypting a working system you will need to use at least a 3-pass wipe to be sure nothing is readable.
Step 16. System Encryption Pretest. Here you will test everything to be sure it works before actually encrypting the drive. Click “Test” to continue.
As part of this step you will be presented with some IMPORTANT NOTES that you should print out for reference.
After clicking OK, you will be prompted to reboot your machine. Upon reboot you will immediately be prompted for the password you configured earlier. Yes, the one you must never forget. If you can successfully enter it and start the machine you should see the following dialog after you log in.
Step 17. This is it, you’re finally ready to encrypt your Windows system partition. Just click “Encrypt” to start the process. You can keep using the computer while it is being encrypted. If necessary, you can defer the encryption to shutdown or reboot. The progress window is shown below. A small partition with only a few GB can be encrypted in just a few minutes. On a large partition (e.g. 500 GB) with a lot of data it could be 6 to 10 hours or more before the encryption is complete. You should bear this in mind since, even though you can use the computer while it is encrypting, there will be a performance penalty.
When the encryption is complete you will receive a message of successful completion and be reminded that other TrueCrypt volumes can be mounted automatically by configuring them as Favorites in TrueCrypt. I will discuss that process in a future post.
Step 18. It has been my experience that the encryption process tends to leave Windows thinking that the file system is severely fragmented. I recommend that you defragment the Windows system drive immediately after the encryption process is done to realize the best performance.
That’s it! You’ve encrypted your Windows system partition and you’re well on your way to securing your computer! Please check back again for more posts that will help you secure your digital life!