I synchronize everything in my documents folder on Linux to a 16 gigabyte SD card on a daily basis. That way, I can have all my homework, assignments, and other assorted school materials with me while I’m am at school, but still be able to keep up-to-date versions on my regularly backed up server for access from my desktop (of course I could mount the drive over sshfs, but the wireless connection on campus isn’t up to the task).
This comes with the inherent risk that I will lose the SD card, which also has the risk that someone will plagiarize my work, a situation which likely would not end well for me. So, since no completely foolproof method of keeping the card from getting lost or stolen exists (at least that leaves the card useful), I decided to work on making the contents of the card unreadable to anyone who doesn’t have all the right information.
All of the following was done in Ubuntu Linux 10.10, but is likely similar on other distributions and platforms.
Having heard about the the advantages of TrueCrypt (truecrypt.org), I decided to download the Linux version, and install it on my laptop and desktop. The installation was simle, essentially only requiring the user to run the file, enter the administrator password, and hit enter when prompted. After that, it added itself to the Accessories sub-menu in the Applications.
Having installed TrueCrypt it was time to encrypt my SD card. I started TrueCrypt, and clicked the “Create a Volume” button.
As you can see, the default is to create an encrypted file. What this means is that TrueCrypt will create and encrypt a file which, after mounted with TrueCrypt, can be treated just like any drive. This means that you can store data inside the file, and it will be encrypted by TrueCrypt.
Once you’ve selected one of those options, you have another choice to make. Do you make a standard volume or a hidden one? A standard container just encrypts the files within, but a hidden volume is one which also employs stenography, that is to say the hidden volume attempts to conceal its existence by create a larger encrypted volume in which to “hide”. The idea here is that you could give a password which reveals less sensitive data, while hiding the existence of more sensitive data, tricking your enemies (for lack of a better word). However, this hidden volume is detectable through certain methods (forensicinnovations.com), so its usefulness in limited (one more instance in the centuries of secret keeping in which stenography shows itself to be far weaker than cryptography).
I selected the standard encryption for my SD card - the only purpose for a hidden volume would be to play around with, and I don’t keep toys like that on my SD card.
The next step allows you to select the location that the encrypted volume will be created in. If you selected the encrypted file container option, this can be any location, if you are actually reformatting a partition you have to select a valid file partition.
After selecting the location you pick the encryption protocols you desire to use. You can choose from AES, Serpent, Two-Fish, or a number of permutations of the three. AES (wikipedia) is the standard for the U.S. government, and Serpent (wikipedia) and Twofish (wikipedia), both of which were runners up in the contest that selected AES. If you are concerned that some flaw might exist in AES letting it be decrypted then consider using the combinations, however none of the three have any publicly known attack which can successfully decrypt them.
Also on this page is the selection for the hashing algorithm for the keys. Information about these hashes is provided on TrueCrypt.org.
You also can run a benchmark in this portion of the volume creation. By clicking on the benchmark button and selecting a buffer size, you can get information on the transfer rate available when using the encryption protocols and their permutations. The heavier the security you use, the slower the speed will be.
Once you’ve made these selections, you select a size for the file container (unless you are formating a partition instead).
The next window allows you to set the password and key files. The volume can either rely on just a password, just a keyfile(s) or use both. You can also use several key files. The volume will require all files and the password to be decrypted and mounted, so make sure you remember your password and set files that will not change or be deleted.
The next page lets you select what filesystem you wish to use within the volume. If you plan on using the volume in Windows at any point, you probably should format to FAT. Otherwise, its probably best to choose the filesystem that best suits your needs (If you don’t know the difference between the filesystems and are using Linux, you probably should use ext3 or ext4).
Having done that, you come to the couple of steps. First you must move your mouse around randomly to generate a random number for the encryption algorithm to use as a seed. TrueCrypt recommends that you move the mouse around for as long as possible before you click the format button.
Once you’ve clicked format, the TrueCrypt does just that. Soon (or later if you’re encrypted a large or slow drive), you should get a dialog box that tells you the TrueCrypt volume has been successfully encrypted.
Now you need to exit out of the Volume Creation dialog, and open up TrueCrypt.
To open the encrypted volume click on Select File if you created a file container, or on Select Device if you encrypted a partition.
Find your encrypted volume and select open. Now double click on one of the slots in the main part of the window.
Enter your password, and/or check the box by “Use keyfiles” and select all of your keyfiles. Once you have successfully done this, TrueCrypt will mount the volume as a drive, which is mounted as
/media/truecrypt# where # corresponds to the slot number you selected before.
At this point you can treat the encrypted volume just like you would any partition.
Once you are done with the drive, go back to TrueCrypt, right click on the slot you placed the drive in, and select dismount.
Always make sure to dismount the drive before removing it. This ensures that all data is written to it before it is removed.