Biting The Bit: TrueCrypt Windows Drive Encryption

My friend, and ad-hoc accidental hacker slash plumber John Evans, told me about TrueCrypt now encrypting entire Windows OS Partitioned drives! I’m so excited! I’ve been wanting to do this FOREVER but it hasn’t been a possibility. You don’t realize how close I came to actually buying a hard drive with hardware encryption, and for one that is 2.5″ and SATA II it is expensive!
TrueCrypt can on-the-fly encrypt a system partition or entire system drive, i.e. a partition or drive where Windows is installed and from which it boots.
Note that TrueCrypt can encrypt an existing unencrypted system partition/drive in-place while the operating system is running (while the system is being encrypted, you can use your computer as usual without any restrictions). Likewise, a TrueCrypt-encrypted system partition/drive can be decrypted in-place while the operating system is running. You can interrupt the process of encryption or decryption anytime, leave the partition/drive partially unencrypted, restart or shut down the computer, and then resume the process, which will continue from the point it was stopped.
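The in-place, interruptible encryption described above works because the volume carries a marker recording how far encryption has progressed: sectors below the marker are ciphertext and are decrypted transparently on read, sectors above it are still plaintext, and resuming simply continues from the marker. The following is an added illustration of that mechanism, not TrueCrypt's own code; it models a partition as a list of 512-byte sectors in memory and uses a toy per-sector HMAC keystream in place of TrueCrypt's real XTS mode, so the cipher is only a stand-in for showing how the boundary marker makes interruption and resume safe. The `Volume` class, its method names and the sample data are all constructed for this example.

```python
import hashlib
import hmac

SECTOR = 512  # bytes per sector on the simulated partition


def keystream(key: bytes, sector_index: int) -> bytes:
    """Toy per-sector keystream: HMAC-SHA256 blocks keyed by the sector number.
    Stand-in for TrueCrypt's XTS mode for illustration only; not a real cipher."""
    out = b""
    counter = 0
    while len(out) < SECTOR:
        msg = sector_index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:SECTOR]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Volume:
    """In-memory stand-in for a system partition plus the progress marker that
    records how many leading sectors have already been encrypted in place."""

    def __init__(self, data: bytes, key: bytes):
        assert len(data) % SECTOR == 0
        self.sectors = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
        self.key = key
        self.encrypted_upto = 0  # sectors [0, encrypted_upto) hold ciphertext

    def encrypt_step(self, n: int) -> int:
        """Encrypt up to n further sectors in place; may be called repeatedly,
        so an interrupted run resumes exactly where it stopped."""
        end = min(self.encrypted_upto + n, len(self.sectors))
        for i in range(self.encrypted_upto, end):
            self.sectors[i] = xor(self.sectors[i], keystream(self.key, i))
            # marker advances only after the sector is fully written, so an
            # interruption can lose at most the sector in flight
            self.encrypted_upto = i + 1
        return self.encrypted_upto

    def decrypt_step(self, n: int) -> int:
        """Reverse of encrypt_step: decrypt up to n sectors from the marker down."""
        start = max(self.encrypted_upto - n, 0)
        for i in range(self.encrypted_upto - 1, start - 1, -1):
            self.sectors[i] = xor(self.sectors[i], keystream(self.key, i))
            self.encrypted_upto = i
        return self.encrypted_upto

    def read(self, i: int) -> bytes:
        """What the running OS sees: transparent decryption below the marker,
        raw plaintext above it. This is why the system stays usable mid-run."""
        if i < self.encrypted_upto:
            return xor(self.sectors[i], keystream(self.key, i))
        return self.sectors[i]

    def write(self, i: int, data: bytes) -> None:
        """Writes go through the same rule, so new data below the marker lands
        encrypted and data above it stays plaintext until the run reaches it."""
        assert len(data) == SECTOR
        if i < self.encrypted_upto:
            self.sectors[i] = xor(data, keystream(self.key, i))
        else:
            self.sectors[i] = data

    def raw(self, i: int) -> bytes:
        """What an attacker reading the bare disk sees."""
        return self.sectors[i]


def demo() -> dict:
    # constructed sample partition: 8 sectors, sector i filled with letter A+i
    plain = [bytes([65 + i]) * SECTOR for i in range(8)]
    vol = Volume(b"".join(plain), b"constructed-demo-key")

    vol.encrypt_step(3)  # "interrupted" after 3 of 8 sectors
    partial = {
        "marker_after_interrupt": vol.encrypted_upto,
        "os_view_intact": all(vol.read(i) == plain[i] for i in range(8)),
        "disk_sector0_hidden": vol.raw(0) != plain[0],
        "disk_sector5_exposed": vol.raw(5) == plain[5],
    }

    vol.encrypt_step(100)  # resume; runs to the end of the partition
    full = {
        "marker_after_resume": vol.encrypted_upto,
        "os_view_intact": all(vol.read(i) == plain[i] for i in range(8)),
        "disk_all_hidden": all(vol.raw(i) != plain[i] for i in range(8)),
    }

    vol.decrypt_step(8)  # in-place decryption back to the original drive
    restored = vol.encrypted_upto == 0 and all(vol.raw(i) == plain[i] for i in range(8))
    return {"partial": partial, "full": full, "restored": restored}


if __name__ == "__main__":
    print(demo())
```

The point the `partial` result makes is the one to keep in mind while a real run is paused: a drive left half-encrypted still exposes every sector above the marker to anyone who reads the disk directly, so the protection the post is after only exists once the marker reaches the end.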
I’m about to install TrueCrypt and try out this entire OS partition encryption. Right now I have some encryption. Here is the order of security prompts that a user of my laptop now encounters:
- Hard Drive Password Protected – A user of this actual hard drive is required to supply a password to activate the drive. If you pull the drive out and plug it into another computer, even as an external drive, it will not unlock except on the host machine. Three failed attempts and the drive is locked until reset by an administrator.
- BIOS User Boot Password – Once a successful hard drive password has been entered, the user must then supply a boot password which is stored in the BIOS (which is also password protected). Granted, ANY 8 year old knows how to reset a BIOS password by pulling the CMOS battery, so this provides minimal security. Oh, did I mention I did some re-wiring on my BIOS? Good luck actually finding the battery.
- Windows User Account Password – If the first two password “gates” (letters, numbers, and symbols) were passed, then the user must have an account on the domain to log on. Any and all local accounts have been renamed, password protected, then disabled so ONLY domain accounts can log on. My last password was 25 characters of capital letters, lowercase letters, numbers, and symbols. No brute force or dictionary attacks there.
SAM account cracking is a possibility, but I’m now hoping that TrueCrypt will protect against that... hopefully. Blaize got his drive encrypted, wish me luck!
Update #1: So far the preliminary tests worked. After a reboot I was asked to provide a password upon boot and the tests passed. TrueCrypt will now encrypt my hard drive. w00t w00t!


