Situation

The motivation for hosting data on a USB key or disk are numerous. The simplest is to cease carrying a portable computer that is either too big and heavy or too small for comfort, if by chance one has on one site a bigger and more powerful machine. A portable Firefox (Thunderbird) version will keep your preferences, extensions, passwords etc. which will then be readily available on all your machines. Of course in any case, the key must be encrypted in case it is stolen.

We will describe the complete list of (very simple) operations to perform to encrypt and protect a standard USB key or disk using the TrueCrypt software on Mac OSX. TrueCrypt is available on PCs, and the process should be very close on these machines.

Launch TrueCrypt

Screen_shot_2010-12-04_at_12.44.00.png

An empty 16 Gigas usb key is on board

Screen_shot_2010-12-04_at_12.45.22.png

Choose 'Create Volume'

The volume may be created within a file. This approach is risk free (considering formatting) and allows for using the key normally. This will not be our choice here.

Screen_shot_2010-12-04_at_12.48.17.png

We create the volume on the entire disk

Screen_shot_2010-12-04_at_12.48.33.png

Standard or Hidden?

An 'hidden' volume is stored invisibly using stéganography within a standard volume. This kind of volume offers the added protection of plausible deniability: the (non) existence of the hidden volume cannot be proven. Considering a key formatted a s whole as is our present choice, this offers seldom interest because after formatting, the key will not be recognised by computers and treated as defective. We choose 'standard'.

Screen_shot_2010-12-04_at_12.48.51.png

Next: choose the device

Screen_shot_2010-12-04_at_12.49.11.png

Here is our key

Screen_shot_2010-12-04_at_12.47.30.png

It is now selected

Screen_shot_2010-12-04_at_12.49.39.png

The key is empty, no risk, even for a grand beginner

Screen_shot_2010-12-04_at_12.50.06.png

Yes, sure, no data means no data loss

Screen_shot_2010-12-04_at_12.50.21.png

Choosing algorithms

AES is the best known encryption algorithm. SHA 512 is best among hash algorithms.


Screen_shot_2010-12-04_at_12.51.54.png

Benchmark results

TrueCrypt offers these computations to test your hardware efficiency. All these throughputs are far higher than read/write speeds of our key, on a machine having no hardware acceleration for encryption (TrueCrypt may be set to use such an acceleration)


Screen_shot_2010-12-04_at_12.52.26.png

Algorithm auto test

Testing that everything works well (note: you should have controlled the checksum of the archive you downloaded)

Screen_shot_2010-12-04_at_12.53.28.png Screen_shot_2010-12-04_at_12.53.41.png

Choosing Key files

Keyfiles offer added protection, by restricting the possibility to mount the volume solely on machines that own the file(s). Key files may also be stored using mobility archives like DropBox or Wuala(the safest).

Screen_shot_2010-12-04_at_13.25.25.png Screen_shot_2010-12-04_at_13.26.01.png

Generate a random key file

TrueCrypt also provides support for the generation of randm 1024K key files.

Screen_shot_2010-12-04_at_12.54.36.png

Choosing a password

Using a keyfile may compensate a weak password.

Screen_shot_2010-12-04_at_13.31.19.png

Filesystem features

Opting for more than 4Gigas files will forbid choosing the FAT file system at the next stage. This is useless for a standard configuration, even using thunderbird which may generate rather big mail archives (take care however for compact regularly...).

Screen_shot_2010-12-04_at_13.31.33.png Screen_shot_2010-12-04_at_13.32.56.png

Filesystem selection

One must NOT use fast formatting. Doing so only makes sense if the disk was previously encrypted and only contains digital noise.

Screen_shot_2010-12-04_at_13.33.10.png

Generating a random seed

Screen_shot_2010-12-04_at_13.36.05.png

Latest warning

Screen_shot_2010-12-04_at_13.36.19.png

Formatting

Expect half an hour for 16 gigas. The key is entirely coverd with digital noise, and equipeed with an encrypted header. If ever you change the algorithms or password in the future, the header will be overwrittent randomly 35 times before writing the final data.

Screen_shot_2010-12-04_at_13.36.35.png

Bingo!

Screen_shot_2010-12-04_at_14.32.07.png

Screen_shot_2010-12-04_at_14.32.33.png

We may now mount the volume

This requires to choose a 'slot'

Screen_shot_2010-12-04_at_14.33.40.png

Then choose the device. At that stage, Mac OSX ass for an administrator password.

Screen_shot_2010-12-04_at_14.33.18.png

Password

Screen_shot_2010-12-04_at_14.33.56.png

Yeah, we're set!!!