Has anyone tried encrypting system HDD with Truecrypt?

The newest version of Truecrypt is able to encrypt the whole system drive with the exception of the first cylinder where the Truecrypt bootloader sits.

Has anyone tried this? And if so, after entering the decrypting password is the ThinkVantage boot screen still there or is it replaced by the Truecrypt bootloader?

I want to keep my files secure in case my HDD were to be stolen.

Thanks.


Oh, this would be going in a X61.

 

Wow, that sounds good. I hope the British government start using it. I get exasperated when I hear of laptops (with sensitive, unencrypted data on) going missing. It's not like Truecrypt is expensive or difficult to use!

 

I am a long-term TrueCrypt user. However, the new HDD Encryption capability will not work on my ThinkPad R60.

If you head over to the TrueCrypt forums, you will find many postings by other ThinkPad users (and others too) who are experiencing a black screen and system freeze just after installation of the latest TrueCrypt build.

Many theories have been suggested as to why it's crashing - ATI Drivers and/or Lenovo pre-boot software. Some suggest the HDD encryption works on Vista but not on XP systems. So far, the developers haven't commented, so it remains a mystery.

 

I did it on an X61s and it worked great. Make sure you use version 5.0a though because the initial 5.0 release had problems "Insufficient memory for encryption".

It sits between the Thinkpad (BIOS) screen and your OS - so boot goes like this (if you have it all enabled):

1) Power on
2) Swipe finger/enter BIOS password
3) Truecrypt kicks in - enter Truecrypt password
4) Windows loads - enter Windows password (if necessary)

I noticed very little performance penalty - but it did take a long time to perform the initial encryption.

You lose hibernate, though.

 

If you set HD password in BIOS that should protect the data on the hard drive in case of theft. You can also use BitLocker to encrypt your system partition if you are a Vista Ultimate user.
I've used TrueCrypt only to encrypt external drives so far.

 

I doubt that using the BIOS HD password does anything to protect the data on the disk - so for example you could trivially put the disk in another machine and read it off in the clear.

Personally I used TrueCrypt over BitLocker because a) my partitions weren't suitable for BL and the preparation tool didn't help and b) it's open source and I like that

 

To get round a BIOS password, can't you just take the HDD out and put it in a USB caddy? Or wipe/flash the BIOS? AFAIK, a BIOS password doesn't encrypt data on the HDD.

 

Wow, I really didn't know that data encryption got so complicated. I have never used any encryption software of any kind. I am interested to find out more about how all this works.

 

Nooooo, TrueCrypt is REALLY easy. You should give it a go.

 

Truecrypt released an update to 5.0 it's 5.0A and I have successfully used that to encrypt the system drive on my R61-14w running Vista 64.

Get the update, I was getting the insufficient memory error as well when trying to encrypt the drive with 5.0.

It was actually quite simple to do, it just took a little while to complete. It may be a bit slower, but I can't say I really notice it. I run my system with a bios and boot password, system drive encrypted as well as another file container encrypted inside the encrypted drive. Nothing really sensetive on my comp, I basically did it to see if I could. (have an Acronis true image backup of my fresh install if things go south)

 

paranoid?

 

Great, I think I'm going to give it a try. Are you on Vista or XP? Did you disable HDD password? And what file format did you encrypt in?

I tried to create a encrypted container on 5.0a using NTFS but it would not complete unless I opted to convert to FAT. Any ideas?

P.S. Thanks to everyone and their input.

 

I was using XP but I believe it works on Vista, too.

I wasn't using HDD password, and I used the defaults (AES/RIPEMD-160(?)) for the crypt.

 

hello, i recently downloaded true crypt
i am a newbie user of this program and have been reading
the tutorials and pdf file, and i am seeking trouble shooting
advice.

i have a fujitsu 120gb external hard drive
windows xp SP2 1.6 ghz 256 RAM intel cent Duo processor
i've met the mininmum system requirments for this product.

i extracted TrueCrypt. set up a travel disk on my USB, external HD
created 1. 40mb volume.. it works fine i can mount dismount
without problems. *2* i tried to create a 90gb file container/volume
but in the middle of TC formating the 90gb volume my computer screen
went black and power shut off. the External Harddrive is powered
by a double USB cable and is not supported by and external power
source.


thank you

 

Can someone please tell me why you are trying to use Truecrypt to encrypt your drives when you have a Lenovo Thinkpad that has a Trusted Platform Module (TPM) built right into it?

TPM is a microchip on the motherboard that stores the encryption keys used with Lenovo's Client Security Software. So even if someone takes your harddrive out of your computer and puts it in another computer they won't have the TPM chip and they will not be able to decrypt the drive.



From the Trusted Computing Group Website:
https://www.trustedcomputinggroup.org/faq/

Q. What role does Trusted Computing and the TPM play in authentication?
A. The TPM provides secure storage and key generation capabilities, similar to other hardware authentication devices, so it can be used to create and/or store both user and platform identity credentials for use in authentication. The TPM can also protect and authenticate user passwords, thereby providing an effective solution of integrating strong, multifactor authentication directly into the computing platform. With the addition of complementary technologies such as smart cards, tokens and biometrics, the TPM enables true machine and user authentication.

And incase any of you are thinking of using Vista's Bitlocker I'll post this info as well.

Q. How does Microsoft’s BitLocker technology relate to the TPM and to the efforts of TCG?
A. Microsoft BitLocker™ Drive Encryption is designed to make use of a Trusted Platform Module (TPM) 1.2 and the associated PC Client Specifications developed by TCG to protect critical system files and user data and to help ensure that a computer running Windows Vista has not been tampered with while the system was offline.



Now can anyone tell me why you'd want to use Truecrypt to encrypt an entire harddrive on a thinkpad?

 

TrueCrypt still allows you to move the drive around? And it is much more open as compared to TPM /w BitLocker.

 

Yes, TrueCrypt makes sense for external drives. But in the Original Post rijc99 stated that he wanted to encrypt his system drive (the drive in his notebook comptuer). Why would anyone want to use TrueCrypt to encrypt their system drive if they are already using a Lenovo Thinkpad with a Trusted Platform Module??

 

Maybe it's because they don't want to use lenovo's solution. There are many reasons one can think of...

 

such as? Can you be more specific? I am the IBM Thinkpad T42 user. Thanks

 

I use truecrypt on my x200. It was a little complicated because I have a triple boot system, but I was still able to get it working without too much effort. I encrypted my system drive with Vista (not whole disk), don't encrypt my XP partition (only 3GB), and encrypt using the built in utility on the Ubuntu alternate install disk for Ubuntu.

I also have an encrypted data share partition that I can mount in XP, Vista, or Ubuntu using the truecrypt utility. It works very well, and I can easily boot into any system, and have private sandboxes for some data, and other data that can be viewed by all after entering the password. You can also encrypt individual files and mount them as virtual drives that contain other files.

I decided this was a much more elegant, and probably more robust due to the open source nature, method of encrypting my system than using Vista Bitlocker or other solutions. Further, if my system fails for any reason I can pull my drive out, mount it in a different system, and read the data after entering in the decrypt key. The drive is also effectively pre-wiped because it is covered in random data, and NO-ONE can get into it without the key. Using a TPM for access control is innefective because the data on the drive is unencrypted, and a specialist can pull it off.

You can send me a PM, or post in the forum if you want advice on how to set this up properly (it actually is pretty straightforward).

 

(1) Some people prefer open-source solutions.
(2) Portability -- A Truecrypt encrypted drive can be pulled out, put in an enclosure, and read on any other system provided Truecrypt is running.
(3) Cross-operating system compatibility - some people do use OS's other than Windows and want to access their data.
(2) Unless you're using a drive that supports hardware based encryption, the TPM and CSS does not encrypt the data on the platters. (If I'm wrong, please show how to get CSS to encrypt a regular hard drive)

 

Could you provide directions? I'm plain-jane Vista 64 bit, c: drive and an additional d: drive in the ultrabay.

So it integrates with the fingerprint reader as well upon boot?

Do you lose suspend, or just hibernate?

Thanks.

 

Truecrypt DOES NOT integrate with the fingerprint reader or TPM. It is a software oriented solution and it depends on a "Something you know" (passkey)system, rather than a "something you are system" (Fingerprint), or "something you have" (bitlocker with USB key). The standard method is to overwrite your Vista bootloader with a Truecrypt bootloader. Whenever you turn your system on (from off or hibernate), you are prompted for your passkey. If you type it in everything loads fine, if you don't nothing happens. Hitting escape bypasses the bootloader, and this is how I get into XP, but if you just have 1 OS, you will find a dead screen because your partitions will contain seemingly RANDOM data only.

Both hibernate and suspend work fine. Suspend is technically not recommended because of security considerations (decryption keys and/or files could remain stored in RAM, so a professional might be able to pull them off). However, unless you are truly paranoid, I think it is okay to use suspend mode. Hibernate works just fine. You are prompted for the Truecrypt password when you turn you system back on. After typing it in properly, windows will restore itself.

The actual process for encrypting the drive is somewhat dependent on your setup. According to your description I believe you have a single operating system on an Internal hard drive. Additionally, you have a second physical hard drive in the ultrabay that you use for data storage.

The easiest method is to install truecrypt from within Windows, and select Whole Disk Encryption. This will lock down EVERYTHING on your primary hard drive, including Windows, programs, documents, temp files, and swap files. This is easy and effective, however it does not work if you have multiple operating systems. Additionally, this method will probably break the predesktop utility (blue button) because it is loaded BEFORE you enter your truecrypt password and thus cannot decrypt its partition on the hard drive. However, if you only run 1 OS, and don't need the recovery partition, then this method is the best for you.

If you want the predesktop environment to work, choose SYSTEM PARTITION encryption. The execution will be largely the same, although only your Windows partition will be protected at the boot loader level. You may want to consider traveler mode and/or partition encryption for your secondary hard drive and/or any flash media that you may use.

When encrypting your drive you will be prompted to make a recovery disk in case something bad ever happens to your drive (do this, and save the ISO file in several places [it is small, and you never know if/when you might need it). You will then need to select an encryption method. Any of them will be fine. AES is a US government standard because of its effectiveness and speed. Twofish, and the other options are also both very good. The combination (AES+Twofish, etc) options are more secure against brute force cracks, but can degrade performance as it forces the CPU to double encrypt/decrypt everything. In my experience AES is quick, transparent, and has no negative effect on system performance or battery life. It will also have you move your mouse around to further randomize the encryption key used for your drive. You will be required to reboot your system to verify your password, and that the bootloader works (TrueCrypt takes great care to protect you from yourself). When you re-enter Windows, it will then begin encrypting your entire hard drive. You can continue to work during this time, although performance will be hurt as TrueCrypt will be thrashing your drive during this time. After that is done you are good to go. When you start your computer you enter your Truecrypt password, Windows loads, and that is all you need.

Further information about Truecrypt can be found in Episode #133 of Security Now from the TWiT network.

 

secure ^___^

this life i will die and i can't secure my soul. Lol

 

How about not trusting the reliability of Lenovo's software utilities for mission critical stuff like encrypting your system.

 

Hey jonlumpkin! I tried TrueCrypt on my x200 and got a 'Bios too long in memory' (or something like that) error after trying the first test after install. Did you run into this issue?

 

Thanks for the excellent summary.

 

I did not run into any issue of that nature. The main problem I had was in setting up multi-boot (had to pull out a Vista Beta disk to repair the bootloader a few times). But other than that, no problems to report. That error is odd, because Truecrypt should not touch the BIOS (I don't even think it could if it wanted to).

 

I got that error on my desktop; something about not having enough base memory. I have yet to figure out how to resolve it; possibly by disabling unneeded BIOS options?

Anyway, if anyone's still using TrueCrypt version 5 or older then I suggest looking at upgrading to version 6. The big addition is multi-core optimization; which yields a huge improvement in performance.

 

There seems to be a compatibility problem with Truecrypt and the new Montevina Thinkpads. The posts below were copied from the Truecrypt forum. No solution has been posted to the problem thus far.

(I could not link to the posts since you need to be a registered and approved member to view them ... but hey ... I even color coded them for readability )

So, has anyone here successfully set up system/partition encryption with Truecrypt and a new Thinkpad (e.g. X200) and how did they circumvent the problem posted below?


Error bios memory map too long

selimmel
Member
Hi,

I want to encrypt the window partition using the standard TrueCrypt settings. After creating the rescrue disk, the system restarts to test the boot with the chosen password. When I enter the correct password, I get each time the message:

"Error bios memory map too long."

I press enter and then when windows finishes booting I get a message telling that the boot test failed.

Did anyone get such a message? Do you have any idea where this error comes from?

Thanks.


mfle
Member
Hi,

exactly the same problem on my Thinkpad W500 4GB RAM. Is there any solution here for this problem?

Thanks

bigggape
Member
I have the same error on a lenovo t400.
proc t9400
ati 3470 w/ 256
3 gig pc3-8500 ddr3
2 gig intel turbo memory
client security was disabled


Tired
Regular Member
Please file a bugreport
http://www.truecrypt.org/bugs/

lumberjack2003
New Member
I also have this problem.

Lenovo T500
4 GB Ram
2 GB turbo cache
Vista x64 OS

 

I have an x200 and I was able to setup System Partition Encryption just fine on it. I still have the stock BIOS and did not try anything special. I used Truecrypt 6, w/ AES encryption. If there is a problem with the Montevina Thinkpads and TrueCrypt, I am not aware of it.

My best guess is that maybe your passkey is too long. I would suggest trying a shorter key (10-15 characters) without spaces, and see if that works. Also turn off any hard drive access passwords in the BIOS settings. It should be noted that I do NOT have the fingerprint reader, and this may contribute to my success.

Truecrypt verifies that its bootloader works BEFORE it allows you to encrypt the drive. This is a very good safety feature, and you should not try to bypass it. My full specs are in my sig.

 

I did a whole drive encryption last night on my T61p and it went off without a hitch. I feel so safe now

Took about 3 hours to encrypt the 200Gb drive.

Haven't had a chance to test performance too much, but there were no problems watching a 720p mpeg in VLC.

 

True the BIOS HDD password doesn't encrypt any data, but you still cannot just put the disk in another machine and read the data off it, it's a lot more complicated than that. The HDD password is stored in a chip on the HDD, and the HDD manufacturers will not help you to reset it, even if you can prove the HDD is yours. To actually read the data, you will need to open up the drive physically with special equipments that most people don't have. These equipments are usually used by forensic data recovery companies. But of course, people can pay these companies to recover the data from it.

 

Can someone shed some more light on how this BIOS HDD password works? If it's really that secure, it may be a better option than encrypting since you don't have the performance hit.

 

Um yeah, be careful with this one. The hard drive stopped responding to my correct password.

 

I use TrueCrypt for my USB flash drive. I have a 100MB partition that I have Firefox portable loaded on. I encrypt it because I have stored all of my passwords for things like work, school, email, financial services, ect and it would be very bad if someone stole / I lost my flash drive.

 

It is known as FDE ("Full disk encryption") or BDE ("Bulk Data Encryption") in case of Hitachi. Yes, it can use BIOS password to encrypt/decrypt data on disk on the fly. Though I just read about it, I have no possibility to use it...

 

Those are two seperate technologies.

Thinkpads have offered password protection on hard drives for years. This will protect a drive from being read through software just fine. However, a professional could read data off the platters by disassembling the drive (at least in theory) because the data itself is not encrypted.

Self encrypting hard drives are new. They rely on the same software protection (password or fingerprint) to be read. However, they should be impervious to physically reading data off the platters as the data is automatically encrypted.

However, you currently pay a substantial price premium for self encrypting drives. For that reason I prefer the effectiveness and flexibility of Truecrypt.