Introduction
In 2013, amidst the NSA mass surveillance program scandal, uncovered by Edward Snowden, it was also revealed that NSA backdoor operations are intentionally weakening existing encryption methods, for example AES (by NIST ). The other methods of surveillance used (optic fiber beam splitting, backdoors/master keys, brute force cracking of password hashes, forcing US-based CA's to hand data about issued TLS certificates' private keys) may vary, but the outcome is the same - NSA has irreversibly weakened the trust model of commonly used encryption components. Also, as indicated by revelations related to the PRISM data mining program, most large email and instant messaging providers are compromised, due to NSA having or planning to have direct access to the aforementioned service providers' data centers.TrueCrypt and Bitlocker
Built-in into Windows 7 is a full disk encryption software, Bitlocker (though it is only available in the Enterprise edition). Bitlocker, utilizing AES and SHA-256, is relatively easy to enable and has been considered secure. Microsoft's official statement denies the existence of a backdoor in the software. It has, however, been suggested that master keys to bypass authentication exist in many proprietary FDE solutions. According to an ex-Microsoft employee, the FBI has requested the addition of a backdoor to Bitlocker at least once. But there is no substantial evidence of this.
Based on these findings, I decided to enable full disk encryption (FDE) for my personal laptop as an experiment.
TrueCrypt, an open source FDE tool, offers three encryption algorithms: AES (also hardware-accelerated), Twofish and Serpent - and five combination algorithms. As indicated by image 1, AES is superior in terms of performance, when hardware acceleration is turned on. The benchmark was run on a Asus Zenbook UX32VD, with a Intel Core i7-3517U CPU.
At this point we must make the decision to reject AES, for reasons described above. The benchmark clearly shows Twofish as the best alternative in terms of speed.
Image 1: benchmark run
Steps to enable TrueCrypt full disk encryption
Once TrueCrypt has been installed, the first thing you should do is making a backup of your critical data. The full disk encryption process will take a long time to complete and during this time several things can go wrong, which could result in data loss and corrupted partitions. Encrypting these backups, however, is outside of the scope of this post.
Note: If you're using a laptop, plug in the AC adapter to (avoid running out of battery) and make sure you've selected "Best performance" (click the battery/cord icon in the system tray on bottom right to view the options).
We can now start the full disk encryption process by navigating to the System menu in the TrueCrypt main screen, and choosing Encrypt system partition/drive.
Note: If you receive an error with the message "Your system drive has a GUID partition table (GPT)", this means you have to disable UEFI secure boot in your computer's BIOS settings and try again. If that didn't work, the system drive's partition table type must be changed from GPT to MBR, which involves use of external tools (see this guide and follow the steps mentioned there).
1. First you are given the choice of normal and hidden volume (Image 2). The hidden option gives the user plausible deniability in case someone tries to force them to reveal the password. Let's just choose normal here:
Image 2: Choose whether you want plausible deniability or not.
2. After clicking Next, you have the option to select if you want to encrypt just the Windows system partition, or the whole disk (Image 3). It is recommended to encrypt the whole drive, but for my test purposes I chose to encrypt the Windows system partition only. Press Next after you've made your choice.
Image 3: Selection of encryption type.
3. TrueCrypt needs to know if you have more than one operating system installed (Image 4). If you have set up dual boot or triple boot environment, for example Windows on one partition and Linux on the other, select "Multi-boot". Otherwise, select "Single boot".
Image 4: Choosing the number of operating systems.
4. The next dialog is the most important one (Image 5). Here you need to choose the encryption algorithm and hash type. As explained earlier, choose "Twofish" from the list and RIPEMD-160 as the hash algorithm and click Next.
Image 5: Choosing the encryption and hash algorithms.
5. Choose a password for the pre-boot authentication (Image 6). Maximum password length is 64 characters, but about 20 should be enough. If you find long passwords difficult to remember, you could use password management tools like KeePass 2. If you choose to use a key file, the file must be loaded from an USB drive during every boot. Keep that in mind. Click Next when you're done.
Image 6: Password selection
6. Move your mouse in random movements to generate randomness for the key generator, once you're done, click Next.
Image 7: Randomness generator
7. At this point you will be prompted to create a Rescue Disk image, and burn it into a DVD or CD. Follow the on-screen instructions, and you should end up with a .img file of your rescue disc, as well as burning it to DVD or CD. If your computer does not have an optical drive, you can use an emulator, for example Kernsafe TotalMounter. Using this rescue disk, you can recover a fully encrypted drive with a corrupt header. But bear in mind that corruption in key parts of the encrypted partition(s) can lead to total data loss.
Image 8: Rescue Disk verification.
8. Next, TrueCrypt needs to perform a "pre-test". This means your system drive's boot loader will be modified for TrueCrypt's purposes, and the computer will be rebooted. On boot, you are presented with a password prompt, enter the password you specified in step 5 and press Enter. The system should boot normally and TrueCrypt reports that the test was successful:
Image 9: Pre-test completed success message.
9. When you click Encrypt, the process of encrypting your files begins. Since we changed the algorithm from hardware-accelerated AES to Twofish, the process could take several hours. Make sure that your computer is running at maximum performance setting and that a laptop is operating on AC power.
That's it! When encryption has been completed, reboot your machine and enter the password from step 5 to continue.
Conclusions
Your hard disk contents are now strongly encrypted. Assuming you don't write the password down anywhere, you can consider your files to be relatively safe. However, a number of more or less direct attacks against FDE are still possible, for example the cold boot attack unveiled in 2008. Performance using Twofish was found to be fair enough on the testing machine, and can be further improved by using SSD drives.
