Today is the first in what will be a weekly series from me here on Open Source Fact and Fiction. I call it Open Source Friday Focus. Every week we will highlight an open source project that I think exemplifies the best of open source and that you will find useful. You can subscribe to just the Open Source Friday Focus feed if you like by clicking the term in the keywords at the bottom.
Today’s focus is on a great open source application called TrueCrypt. It is a software-only disk encryption solution. It will work on Windows 7/Vista/XP, Mac OS X and Linux. It is fast, easy, secure and free. TrueCrypt works on servers, desktops or laptops. It also works on removable media. With TrueCrypt you really don’t have an excuse for not encrypting your confidential and sensitive data.
Why encryption, you ask? Well, let’s start with the many compliance regulations that are mandating encryption of confidential and personal information. PCI is a great example. All cardholder data should be encrypted. On top of this, how many stories have you heard or read over the past few years of lost or stolen laptops, hard drives, backup tapes and other media containing sensitive or even classified data? That media would be useless if encrypted. The US government is mandating data encryption as well. It is not just my security paranoia kicking in here. Encryption is going to be increasingly required in both the commercial and government sectors.
There are some great commercial encryption solutions out there. They work well, but generally are not cheap and not necessarily easy. TrueCrypt is an example of an open source tool that is every bit as good as the commercial products available. It may not have every bell and whistle, but it should get the job done for you whether you are a novice or a pro. The license is a fairly standard open source license and not unduly burdensome, especially if you are not repackaging TrueCrypt into another product that you are then selling.
TrueCrypt isn’t your Dad’s encryption software either. It is very mature and stable. The current release is version 6.3 and it has been around since early in 2004. It has been downloaded almost 13 million times! It sports on-the-fly encryption and decryption that uses advanced parallelization and pipelining, allowing data to be read and written as fast as if it were not encrypted. It supports most of the leading encryption algorithms as well.
TrueCrypt actually creates a virtual encrypted disk within a file and then mounts it as a real disk. It can perform full disk or partition encryption. It can also perform pre-boot authentication, meaning everything from the operating system on up is encrypted. Sounds very secure, doesn’t it?
All of the above are fantastic reasons to use TrueCrypt. But I like it best because it is so darn easy. I actually found out about TrueCrypt from my friend Steve Scop, the CTO of American Bancard down here in Boca Raton. They recently passed their Level 1 PCI audit. As part of being PCI compliant I knew they had to encrypt their cardholder data. I asked Steve what he used. He told me he used an open source product called TrueCrypt. He had it on some servers and a bunch of desktops in their cardholder environment. Steve said it was a breeze to set up and really worked well. I respect Steve’s acumen on all things PCI and know that he takes his security seriously, so I checked TrueCrypt out.
The setup was painless. You download the program, install and launch. There is great documentation both with the product and online, including a step-by-step install guide. Here are some screenshots of the setup:

Setting up an encrypted file container. This is where the virtual encrypted disk we create will reside on your hard disk.

You create the file name following the instructions.

Pick your encryption algorithm or use the default.

Pick the size of encrypted volume. Then pick a password.

Pick a drive letter and put in the location of the file you created to host it. Press Mount.
You're done!
You just created an encrypted virtual disk. Now just pick out what info you want to put in there.
Pretty easy, huh? Great support, great community. There is of course more to it, but these are the basics. On the TrueCrypt site they have tons more screenshots and great documentation. There is also a FAQ and forum for your benefit.
Now you have no excuse. Go forth and encrypt. Have a great weekend!
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.