What is this?
The content of this article revolves around safe data storage. The details here are taken from a very old guide and the outdated elements have been pruned significantly (e.g references to windows 7).
I have pruned it primarily to focus on how to establish TrueCrypt files. Truecrypt development ended on 28/05/2014. It remains the most effective encryption program available given potential issues with programs that have emerged since. The associated program here is Truecrypt 7.1a. This is the last good Truecrypt program before it was compromised in 7.2.
The Truecrypt here to download works on windows OS 7 through to 11.
Perks of truecrypt;
~Multiple passwords with secondary passwords completely unknown.
~Very good encryption choices.
~Files will show up as corrupted unless opened through true crypt.
~Can encrypt entire drives.
~Can run entire computers or virtual machines out of a mounted Truecrypt drive.
The purpose of this guide is to discuss data security.
The broader guide focusses on setting up TOR, setting up a firewall with a small linux OS, running everything through a virtual machine which is located entirely within a truecrypt file.
Given the sheer breadth of that guide and elements of it being dated I’d be happy to go into other aspects on request.
This guide was written over a decade ago. Some of the issues to contend with back then like lack of Ram are less relevant now, there are also new issues not addressed like how SSDs store data. Much of the information is still generally applicable though and it is decent to describe how to set up Truecrypt in different ways.
I have significantly edited what is currently left so it can be followed still.
Why is this important?
The right to an individual’s privacy is extremely important. We are increasingly entering an age on the internet where keeping your data safe can seem very hard. Ideas and information legal today might be illegal tomorrow. In my country (a western liberal democracy) the custom officers can seize electronic devices and attempt to force people to give up passwords.
In Australia for example maritime officers (including customs officers) can take your electronic devices and a password could be considered a “thing” withheld meaning refusal of relinquishing one could come with 2 years in prison and/or a $26,000 fine.
(Searching laws by customs)
Refusal to give up passwords to the police currently sits at 5 years.
It is an offence for a person subject to a digital evidence access order to refuse or fail to provide their phone or computer password, without a reasonable excuse, or to provide false or misleading information, whilst purporting to comply with the order. A maximum penalty of $11,000 fine and/or 5 years imprisonment applies, prescribed by section 76AO of the Law Enforcement (Powers and Responsibilities) Act 2002 (NSW).
The opposition leader Peter Dutton wants to increase that to 10 years. Good luck if your forget your password!
The government has access to at least two years of a range of your personal data without having to justify why they require it; in other words, you don’t have to be suspected of an offence for authorities to access and monitor the information.
• Telephone records,
• The time and length of phone calls,
• The internet protocol addresses (IP addresses) of computers from which messages are received or sent,
• Location of parties making phone calls,
• To and from email addresses on emails,
• Logs of visitors to chat rooms online,
• Status of chat sites – whether they are active and how many people are participating,
• Chat aliases or identifiers (the name a person uses in a chat room online),
• Start and finish times of internet sessions,
• The location of an individual involved in communications, and
• The name of the application someone uses online and when, where and for how long used.
And while meta-data does not encompass the actual content of communications, ISP’s made it clear at the time that filtering content such as text in SMS transmissions and emails for such a large number of users would be a mammoth and potentially impossible task.
The concern is, of course, that all of a user’s requested data would be provided to authorities, and there is currently no information regarding whether or not this is occurring.
This is extremely concerning for so many different professions and means to safely mitigate this tyrannical threat should be taught. It should be concerning to any prole as well.
Imagine if you are dealing with sensitive intellectual property and you can’t surrender that to a nation’s intelligence service?
Imagine if you are a Doctor and the deep state wants access to one of your patient’s health records?
You keep your money on you and don’t want it seized by the state?
What if you are a writer and the contents of your future novel got leaked through data mismanagement outside of your control?
Are there many people who would feel ok forking over the entirety of their chat communications and all of their files to be scanned by new AI looking for anything that could flag you as a dissident?
This guide will discuss data security and how you are best able to secure your system.
Ultimately the hoops most of us would jump through to keep our data safe is a circus to many but it is still good to know how and to have systems in place regardless.
- Securing Your Hard Drive
- Setting up TrueCrypt, Encrypted Hidden Volumes
- Testing TrueCrypt Volumes
- Securing your Hard Disk
- Temporarily Securing Your Disk, Shredding Free Space
=== 1 : Securing Your Hard Drive ===
If you save anything to your computer's hard drive, then it is possible for someone who has confiscated your computer to determine what it was you saved. This is often true even if you delete the content. For example, suppose I use the Tor Browser and I navigate to a website containing a sensitive document that I wish to read. If I saved that document somewhere on my hard drive, then it is possible for someone else to find it. If I delete that document, it may still be possible for someone to undelete it.
Further, even if I never save it to my hard drive but I simply look at it using my word processing software, it may still be saved in a number of ways including:
- Often programs keep records of filenames.
- Often programs keep parts of the content viewed saved for various reasons, such as for searching. This can include random excerpts of text, thumbnails of images, and more. Often this "partial" data is more than enough to prove what the original data was.
- Sometimes, especially if you are running low on system memory, your operating system may choose to use your hard-disk as a temporary RAM. This is known as "SWAP". Normally, whenever you turn off your computer, whatever was in RAM is deleted. However, the data that goes to your SWAP may persist and it may be possible for someone to see what content you had open in your programs if that information is saved in RAM.
Generally speaking, you must have a plan to secure any content that is saved to your hard disk. Therefore, this guide would be incomplete if we did not thoroughly address this. First, there are two kinds of such content:
- Deliberately saved content.
- Inadvertently saved content.
Deliberately saved content refers to content that you have chosen to save on your hard disk so that you can access this content later. We will address how to do this later in the guide.
Inadvertently saved content refers to content that is saved by programs you use, or your operating system. You have no way to even know what this content might be. Therefore, this is the most dangerous.
Content that is inadvertently saved to your harddisk comes in two flavors:
- Content that is saved to your SWAP space.
- Content that is saved by applications running on your computer, including your operating system.
The surest way to prevent content from writing to your SWAP space is to disable your SWAP space altogether. This may result in your computer running a bit slower than normal, and may mean that you cannot use ram intensive games and applications during the time your SWAP is disabled.
Therefore, if you use this method, simply turn back on the SWAP when you want to use those ram intensive applications. Also, you may choose not to take this step.
The next issue we need to address is how to prevent applications and/or your operating system from saving content inadvertently that you do not want saved. For this, we are going to set up a "Virtual Machine".
A "Virtual Machine" is like a computer inside of your computer. Everything you do inside the Virtual Machine (vm for short) will be fully contained within itself and no one will be able to see what the vm has been doing. Ideally, you want ALL of your sensitive computer usage of any kind, TOR or NON TOR, to take place within a vm. In this way, you can keep everything private that you wish while still using your computer fully and getting the most out of it.
=== 2 : Setting up TrueCrypt, Encrypted Hidden Volumes ===
If you save anything on your computer, it is likely that you do not want just anyone to be able to see what you have saved. You want a way to protect that information so that you can access it, and absolutely no one else except those you trust. Therefore, it makes sense to set up a system which protects your information and safeguards it against prying eyes.
The best such system for this is called "True Crypt". "True Crypt" is an encryption software program which allows you to store many files and directories inside of a single file on your harddrive. Further, this file is encrypted and no one can actually see what you have saved there unless they know your password.
This sounds extremely high tech, but it is actually very easy to set up. We are going to do so, right now:
- Download Truecrypt7.1a here. Or anywhere else reputable if you can find a place. The original truecrypt site is dead. It is <Truecrypt [dot] org> if you wish to check it out.
- The file will be called "True Crypt Setup 7.1a.exe" Run this file.
- If prompted that a program needs your permission to continue, click "Continue".
- Check "I accept and agree to be bound by these license terms"
- Click "Accept"
- Ensure that "Install" is selected, and click "Next"
- click "Install"
- You will see a dialog stating "TrueCrypt has been successfully installed." Click "Ok"
- Click "No" when asked if you wish to view the tutorial/user's guide.
- Click "Finish"
At this point, TrueCrypt is now installed. Now we will set up truecrypt so that we can begin using it to store sensitive information.
- Click the "Windows Logo"/"Start" button
- Click "All Programs"
- Click "TrueCrypt"
- Click the "TrueCrypt" application
And now we can begin:
- click the button "Create Volume"
- Ensuring that "Create an encrypted file container" is selected, click "Next"
- Select "Hidden TrueCrypt volume" and click "Next".
- Ensuring that "Normal mode" is selected, click "Next"
- Click on "Select File"
Note which directory you are in on your computer. Look at the top of the dialog that has opened and you will see the path you are in, most likely the home directory for your username. An input box is provided with a flashing cursor asking you to type in a file name. Here, you will type in the following filename: random.txt
You may of course replace random.txt with anything you like. This file is going to be created and will be used to store many other files inside.
Do NOT use a filename for a file that already exists. The idea here is that you are creating an entirely new file.
It is also recommended though not required that you "hide" this file somewhere less obvious. If it is in your home directory, then someone who has access to your computer may find it easier. You can also choose to put this file on any other media, it doesn't have to be your hard disk. You could for example save your truecrypt file to a usb flash drive, an sd card, or some other media. It is up to you.
- Once you have typed in the file name, click "Save"
- Make sure "Never save history" is checked.
- Click "Next"
- On the "Outer Volume" screen, click "Next" again.
- The default Encryption Algorithm and Hash Algorithm are fine. Click "Next"
- Choose a file size.
In order to benefit the most from this guide, you should have at least 10 gigabytes of free disk space. If not, then it is worth it for you to purchase some form of media (such as a removable harddrive, a large sd card, etc.) in order to proceed. TrueCrypt can be used on all forms of digital media not just your hard disk. If you choose to proceed without obtaining at least ten gigabytes of disk space, then select a size that you are comfortable with (such as 100 MB). Ideally, you want to choose enough space to work with. I recommend 20 GB at least. Remember that if you do need more space later, you can always create additional TrueCrypt volumes using exactly these same steps.
- Now you are prompted for a password. THIS IS VERY IMPORTANT. READ THIS CAREFULLY
READ THIS SECTION CAREFULLY
The password you choose here is a decoy password. That means, this is the password you would give to someone under duress. Suppose that someone suspects that you were accessing sensitive information and they threaten to beat you or worse if you do not reveal the password. THIS is the password that you give to them. When you give someone this password, it will be nearly impossible for them to prove that it is not the RIGHT password. Further, they cannot even know that there is a second password.
Here are some tips for your password:
A. Choose a password you will NEVER forget. It may be ten years from now that you need it. Make it simple, like your birthday repeated three times.
B. Make sure it seems reasonable, that it appears to be a real password. If the password is something stupid like "123" then they may not believe you.
C. Remember that this is a password that you would give to someone if forced. It is NOT your actual password.
D. Do not make this password too similar to what you plan to really use. You do not want someone to guess your main password from this one. And with all of this in mind, choose your password. When you have typed it in twice, click "Next".
13. "Large Files", here you are asked whether or not you plan to store files larger than 4 GIGABYTES. Choose "No" and click "Next"
14. "Outer Volume Format", here you will notice some random numbers and letters next to where it says "Random Pool". Go ahead and move your mouse around for a bit. This will increase the randomness and give you better encryption. After about ten seconds of this, click "Format".
15. Depending on the file size you selected, it will take some time to finish formatting.
"What is happening?"
TrueCrypt is creating the file you asked it to, such as "random.txt". It is building a file system contained entirely within that one file. This filesystem can be used to store files, directories, and more. Further, it is encrypting this file system in such a way that without the right password it will be impossible for anyone to access it. To anyone other than you, this file will appear to be just a mess of random characters. No one will even know that it is a truecrypt volume.
16. "Outer Volume Contents", click on the button called, "Open Outer Volume" An empty folder has opened up. This is empty because you have yet to put any files into your truecrypt volume.
DO NOT PUT ANY SENSITIVE CONTENT HERE
This is the "Decoy". This is what someone would see if you gave them the password you used in the previous step. This is NOT where you are going to store your sensitive data. If you have been forced into a situation where you had to reveal your password to some individual, then that individual will see whatever is in this folder. You need to have data in this folder that appears to be sensitive enough to be protected by truecrypt in order to fool them.
Good choices for what to put here include: backups of documents, emails, financial documents, etc.
Once you have placed files into this folder, NEVER place any more files in the future. Doing so may damage your hidden content.
Generally, you want to store data where some individual looking at it would find no cause against you, and yet at the same time they would understand why you used TrueCrypt to secure that data.
Now, go ahead and find files and store them in this folder. Be sure that you leave at least ten gigabytes free. The more the better. When you are all done copying files into this folder, close the folder by clicking the "x" in the top right corner.
17. click "Next"
18. If prompted that "A program needs your permission to continue", click "Continue"
19. "Hidden Volume", click "Next"
20. The default encryption and hash algorithms are fine, click "Next"
21. "Hidden Volume Size", the maximum available space is indicated in bold below the text box. Round down to the nearest full unit. For example, if 19.97 GB is available, select 19 GB. If 12.0 GB are available, select 11 GB.
22. If a warning dialog comes up, asking "Are you sure you wish to continue", select "Yes"
23. "Hidden Volume Password"
IMPORTANT READ THIS
Here you are going to select the REAL password. This is the password you will NEVER reveal to ANYONE else under any circumstances. Only you will know it. No one will be able to figure it out or even know that there is a second password. Be aware that an individual intent on obtaining your sensitive information may lie to you and claim to be able to figure this out. They cannot.
It is HIGHLY recommended that you choose a 64 character password here. If it is difficult to remember a 64 character password, choose an 8 character password and simply repeat it 8 times. A date naturally has exactly 8 numbers, and a significant date in your life repeated 8 times would do just fine.
24. Type in your password twice, and click "Next"
25. "Large Files", select "Yes" and click "Next".
26. "Hidden Volume Format", as before move your mouse around for about ten seconds randomly, and then click "Format".
27. If prompted "A program needs your permission to continue", select "Continue"
28. A dialog will come up telling you that the hidden TrueCrypt volume has been successfully created. Click "Ok"
29. Click "Exit"
Congratulations! You have just set up an encrypted file container on your hard drive. Anything you store here will be inaccessible to anyone except you. Further, you have protected this content with TWO passwords. One that you will give to someone under threat, and one that only you will know. Keep your real password well protected and never write it down or give it to anyone else for any reason.
Now, we should test BOTH passwords.
=== 3. Testing TrueCrypt Volumes ===
Once you have completed the above section, you will be back at TrueCrypt. Go ahead and follow these steps to test the volumes you have made.
- Click "Select File..."
- Locate the file you created in the last section, most likely called "random.txt" or something similar. Remember that even though there is both an outer and a hidden volume, both volumes are contained in a single file. There are not two files, only one.
- Click "Open"
- Choose a drive letter that you are not using (anything past M is probably just fine). Click on that, For example click on "O:" to highlight it.
- Click "Mount"
- Now you are prompted for a password. Read the below carefully:
The password you provide here will determine WHICH volume is mounted to the drive letter you specified. If you type in your decoy password, then O:\ will show all the files and directories you copied that you would reveal if forced. If you type in your real password, then O:\ will show the files and directories that you never intend anyone to see.
- After successfully typing in your password, you will see additional detail to the right of the drive letter, including the full path to the file you selected as well as the kind of volume it is (for example, hidden).
- Right click on your "Windows Logo"/"Start Menu" icon, and scroll down to the bottom where you can see your different drive letters. You will see the drive letter you selected, for example: "Local Disk (O:)". Click on that.
- If you selected your decoy password, you will see all the files and folders that you moved there during the installation phase. If you selected the real password, you will see whatever files and directories you have placed so far into the hidden volume, if any.
If you selected your hidden volume password, you may now begin moving any sensitive information you wish. Be aware that simply moving it from your main hard disk is not enough. We will discuss how to ensure deleted data is actually deleted later in the guide.
"What is happening?"
When you select a file and mount it to a drive, you are telling your computer that you have a new drive with files and folders on it. It is the same thing as if you had plugged in a usb flash drive, a removable harddrive, or an sd card into your computer. TrueCrypt causes your computer to think that there is an entirely new disk drive on your computer. You can use this disk drive just as if it was actually a usb flash drive. You can copy files to it, directories, and use it just as you would use a usb flash drive.
When you are done, simply close all open windows/folders/applications that are using your truecrypt drive letter, and then click "Dismount" from within TrueCrypt while you have the drive letter highlighted. This will once again hide all of this data, accessible only by re-mounting it with the correct password.
VERY IMPORTANT SAFETY INFORMATION
When a true crypt hidden volume is mounted, someone who has access to your computer can access anything that is inside that hidden volume. If for example you left your computer running while a truecrypt volume was mounted, then if someone gained access to your computer they would be able to see everything you have in that volume. Therefore:
ALWAYS REMEMBER TO DISMOUNT ANY TRUECRYPT VOLUME CONTAINING ANY SENSITIVE INFORMATION WHEN YOU ARE NOT USING YOUR COMPUTER
You can tell that it is dismounted because the drive letter inside of "TrueCrypt"'s control panel will appear the same as all of the other drive letters, with no information to the right of the drive letter.
You should practice Mounting and Dismounting a few times with both passwords to make sure you understand this process.
Once you have copied files/folders into the hidden volume, do NOT touch the files or folders in the outer volume anymore. Remember that both volumes occupy the same single file, and therefore changing the outer volume can damage the hidden volume. Once you have copied files/folders into the outer volume during the installation process, that is the last time you should do so. From that point forward, use ONLY the hidden volume. The outer volume exists only as a decoy if you need it.
=== 4. Securing your Disk ===
This is an involved step which many people may not be able to do right away. If you cannot do this step immediately, then see the next section.
At this point you should understand how to create and use TrueCrypt hidden volumes in order to safeguard any sensitive information. Therefore, you should NOT keep any such sensitive information on your hard disk. At this stage, there are two possibilities:
- You have never had any sensitive information on your hard disk. In this case, read this section but you can certainly skip it.
- Up until now, you have stored sensitive information on your hard disk. If so, then you MUST read this section.
If you have ever used this computer to access sensitive information, then all of the security and precautions in the world are totally useless and futile because all someone has to do is access what is left of that sensitive information. I cannot stress this enough. You can have the most secure TrueCrypt volumes, use TOR, and be the safest most secure user in the world. If you have not made sure that ALL remnants of any sensitive information are UTTERLY REMOVED from your hard disk, then all of that effort is totally pointless. You MUST take these actions to safeguard your hard disk, or otherwise you might as well throw away this guide and follow none of the advice herein.
First, I understand that it is troublesome to have to re-format a computer, to back everything up, and reinstall everything. However, if you have ever had sensitive information on your machine, that is what you have to do. Take the following steps:
- Obtain a removable harddrive or usb flash drive large enough to store anything you need to save.
- Set up a truecrypt hidden volume on that harddrive big enough to hold all of that information.
- Set up the truecrypt outer volume as in the previous section. Use the previous section as a guide if you need to.
- Be sure you the hidden volume will have enough space to store all that you are backing up.
- Copy ALL data you need to back up/save into that hidden volume.
IMPORTANT, READ THIS
If you have ever used this system to access sensitive information, then you must assume that the sensitive information or remnants of it can be anywhere on your hard disk. Therefore, you need to move EVERYTHING you intend to save into the hidden truecrypt container. You do not know where sensitive data might be, so you are assuming it can be anywhere. This way you still have ALL of your data and you have lost nothing. A good analogy is toxic waste. You don't know which barrel might contain the toxic waste, so you treat ALL the barrels as potentially toxic. This is the surest way you can protect yourself.
You might be saying, "I have family photos, music, movies that I would have to move to the hidden volume." That is perfectly fine. Remember that you can access that hidden volume just as if it was a drive letter. In fact, ideally, ALL of the content on your computer (assuming you value your privacy) should be protected anyways. You lose nothing by securing all of that data.
- Once you have copied everything you intend to copy. dismount your hidden volume, reboot your computer, and re-mount your hidden volume to make sure everything is there.
- Now it is time to re-format your entire hard drive. Re-install your operating system of choice and start with a clean slate.
- Once you have reinstalled your operating system from scratch, follow sections from the start of this guide to reach this point, and then proceed.
Editor note: The original steps of this guide not included here involved setting up TOR and securing the browser before proceeding further. As that component of the guide is a decade old I thought it would be less than ideal to include such outdated info whereas the truecrypt info is not outdated.
The next steps in the guide included setting up the using file shredder on free space, setting up a VM and firewall.