Though not a comprehensive guide on using TrueCrypt, I wanted to explain why and how you would use this great tool to protect your data. Primarily we will look at data protection on a portable computer. These devices may be stolen or you may be forced to give up your password for some reason. There is a way to use TrueCrypt so that you can surrender a legitimate password but not compromise sensitive information.
As missionaries we may travel to places where we are subject to search and seizure of our computer equipment. The searches we can be subject to may or may not have a “due process” associated with them. In other words, just by carrying a computer through certain countries or institutions you may be forced to surrender passwords to encrypted data that would reveal information about Christians. This leak could cause them to be persecuted for the faith. Even if you aren’t personally at risk of persecution, your data can be used to harm others.
The truth is that we all live with the possibility that a computer can be stolen and our data compromised.
For that reason, I recommend TrueCrypt.
TrueCrypt is a way to encrypt a hard drive or USB flash drive so that the data is protected by a secure password. You can encrypt the whole volume (drive partition) or just a portion of it. There are also various settings in the encryption software that can give you more or less complicated security. Assuming your password is secure, TrueCrypt will protect your data.
Beyond basic data encryption it is also possible to make the secure information almost invisible. This creates a level of complication on your end, but it makes the bad guys look the wrong direction when they are trying to dig into your drives.
The basic way to use TrueCrypt is to create a dummy file on the machine which becomes the encrypted volume. TrueCrypt will mount this volume and make it possible to read and write files to the encrypted partition as long as you are logged in. [“Mount” is what you call it when you connect to a hard drive partition, encrypted or not.] The file you mount in TrueCrypt is actually a secure volume on the drive instead of the simple file it appears to be.
This means that you create a file with a random file name. We will call ours EXAMPLE-FILE. It looks like a normal file when you look at it in your file browser. If you navigate to the file in Windows Explorer, Mac’s Finder or Linux’s Your-Choice-of-File-Browser, the file would look like any normal file named EXAMPLE-FILE. However, using TrueCrypt you can make this normal looking file into a multi-gigabyte hidden hard drive. You can also easily have several of these to hide your data in various places causing the baddies to get frustrated before they finally get to your church member information.
When you open the TrueCrypt program you will tell it where the file/partition is that you want to mount and then you mount it using your secure password. All your data inside that file is now available to you until you reboot the machine or manually unmount the partition.
One thing that the above scenario does not do for you is actually hide the fact that you have a 40 GB file sitting on your computer that the investigators are going to want to inspect. If they know what they are doing, they will want to know why that file is that large and why they can’t open it. Your adversaries will know that the file is probably an encrypted volume and they may have the legal right (in whatever country you are working in) to force you to give up a password so that they can look into the data. If you are using the basic encryption scenario then you may have to give them a password that will reveal all your information.
But there is a way around that. You can create your encrypted volume using two distinct passwords which give two completely different results when used. There is no way for the inspectors to know if there is only one, two or 50 different passwords that will open the volume.
In this “plausible deniability” scenario your basic password can open the volume and show the bad guys the files that you planted there for the purpose of throwing them off guard. You will want to put a few files that look important in there, but that do not reveal anything secret. These could be spreadsheets of financial information (real or bogus), photos, word processing docs, etc. The point is that it looks like a place that you have chosen to store some “sensitive” files as far as they can tell.
Your second password, which you would never use in a hostile situation, will open the volume and let you access your truly secret files. This second password is your plausible deniability. When they force you to divulge a password you give them one. But the one you give is the password that opens the non-sensitive information. They will see everything that they can realistically expect to see. They know you have a 40GB file and they suspect that it is an encrypted, hidden volume. You allow them to see that via the password you provide. There is no way for them to suspect beyond that point that there is anything else to see.
When you use your second password you are able to view the files that really are sensitive.
The Magician’s Bag
The way this double-password/double-volume works is kind of like a magician’s bag. The magician opens the bag and reveals to the crowd that there is nothing inside. However, the bag is actually two bags in one. By moving his fingers slightly the magician can open up a second compartment where the handkerchiefs are hiding. The magician pulls out the hankies making you think he pulled them from an empty bag. Et voilà!
Your basic password reveals an empty bag to the bad guys. Your super-secret password will open the bag for you to read and write your important information.
TrueCrypt is an amazing piece of software that should be on every missionary’s computer. The wonderful thing about TrueCrypt is that it is available for Linux, Mac and Windows. You can use one tool for all your different machines.
[I hope this post doesn’t spoil the surprise for you the next time a magician pulls a hanky from an empty bag.]