Encryption with VeraCrypt

Keeping Secrets

Lead Image © Stefan Redel, fotolia.com

Protect your data and operating system from prying eyes with VeraCrypt.

Confidentiality and integrity are increasingly important when it comes to security. The ability to encrypt data carriers is decisive in this battle, especially for mobile devices. This article shows you how to reliably protect your data and operating system with the open source VeraCrypt tool, as well as how to completely hide the encrypted containers if necessary.

In response to the increase in awareness of IT security, Microsoft began developing the software later known as BitLocker [1] for encrypting files, partitions, or entire hard disks in 2004. BitLocker came under suspicion during the Snowden revelations, when it was suspected of possibly providing backdoors or master keys for intelligence services. However, this has never been confirmed and is unlikely to be confirmed any time soon. BitLocker is nevertheless widely used in corporate settings because it gives administrators the ability to create backup keys and store them in Active Directory, for example.

Created at virtually the same time, the free TrueCrypt [2] encryption tool was based on Encryption for the Masses (E4M) source code, which was allegedly stolen from SecurStar [3]. While it took BitLocker another three years to find its way into Windows, TrueCrypt enjoyed great popularity right from the start, although the developers remained anonymous for a long time and its source code was not freely available. Later rumors held that TrueCrypt's development originally came from criminal circles. TrueCrypt announced the end of development in 2014.

In 2013, VeraCrypt, a fork based on an older, audited version of TrueCrypt, was launched. Today, VeraCrypt is developed by the open source community. Of particular interest, VeraCrypt supports the various Linux distributions and macOS as operating systems in addition to Windows. As an added bonus, legacy TrueCrypt containers can easily be reused with VeraCrypt.

Encryption for Data Protection

Data confidentiality and system integrity are fundamental protection goals of IT security and must therefore be taken into account whenever an operating system is installed. Regardless of the industry, virtually everywhere you look there is sensitive data that needs protecting (often for legal reasons). Whether construction plans, customer data, customer projects, or simply internal documents and communication, you don't want this information falling into the wrong hands.

Mobile devices and data carriers in particular are exposed to a greater risk of loss or theft, especially if you have to hand the device over briefly, say, during international travel. In these cases, an encrypted system partition protects against uncontrolled manipulation, such as the installation of malware or spyware. Above all, however, it protects against unauthorized access, for example, to industrial secrets or personal data on the hard drive.

Of course, confidentiality and integrity are only ensured while the computer is switched off. Once a device is running and the encrypted data has been unlocked with a password for daily work, the data is accessible, and confidentiality can then be lost through user error or manipulation by malware.

Setup and First Steps

Some corporate environments already use VeraCrypt. There are different configurations, depending on the intended use. Various scenarios are outlined below. To get started, you first need to download VeraCrypt for installation on your operating system. Use the official download page [4] provided by the IDRIX developers. This way you can count on having a valid, signed version and avoid the trickery of dubious download platforms.

The installation is child's play: Launch the downloaded file with admin authorization or confirm the prompt during the install. Then select the language that suits you and install VeraCrypt with the standard options. Alternatively, you can download the source code provided on GitHub [5] and build VeraCrypt on your own system.

When you launch VeraCrypt, the program comes up with a tidy interface (Figure 1). You will see an overview of the mounted drives; VeraCrypt uses the classic drive letters from A to Z on Windows and also offers the option of mounting or creating a container or an encrypted partition.

Figure 1: VeraCrypt comes up with a very tidy interface when first launched.

Pressing the Create Volume button opens a dialog that guides you through the process. The first step is to select the type of storage you want for the volume. You can choose between a container file, an encrypted partition on your hard disk, or an encrypted system partition of your Windows operating system. For first time users, it makes sense to create an encrypted container.

Next you need to define your container's volume type. You have two volume options: standard and hidden (Figure 2). Hidden volumes support two protection objectives: plausible deniability and confidentiality. A hidden volume makes it possible to deny the very existence of the encrypted data if someone tries to force you to hand over the data. To do this, you create a hidden volume inside a standard volume. VeraCrypt creates the matching structures in the container headers regardless of which volume type you choose, so the existence of these structures alone is no credible proof that a hidden volume exists. Technically, the inner volume is simply a storage area within a standard volume that is protected with a second secret.

Figure 2: Plausible deniability is definitely an option with VeraCrypt.

If you enter both secrets when mounting the volumes, VeraCrypt determines the byte boundaries of the two volumes within the container and you can safely access both volumes as required. If you only specify the secret for decrypting the outer volume, there is a risk of overwriting the hidden volume: VeraCrypt then knows nothing about the hidden volume's byte boundaries and simply fills up the container, possibly also using the area that holds the hidden volume.
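The overwrite hazard described above, as an added toy model that is not VeraCrypt's code: a flat byte array stands in for the container, the hidden volume is assumed to sit at its tail (the real on-disk layout is not reproduced), and a filesystem is simulated that allocates free space from the front. With protection enabled, the model mirrors VeraCrypt's documented behaviour of making the outer volume read-only until it is dismounted instead of clobbering hidden data.

```python
HIDDEN_MARK = b"\xaa" * 256   # constructed stand-in for the hidden volume's contents


class Container:
    """Toy model: one flat byte array; the hidden volume lives at the end (assumption)."""

    def __init__(self, size=1024, hidden_size=256):
        self.data = bytearray(size)
        self.hidden_start = size - hidden_size
        self.data[self.hidden_start:] = HIDDEN_MARK
        self.read_only = False            # set once a dangerous write is blocked

    def hidden_intact(self):
        return bytes(self.data[self.hidden_start:]) == HIDDEN_MARK

    def write_outer(self, offset, payload, protect_hidden):
        """Write through the outer volume. Returns True if the data was written."""
        if self.read_only:
            return False
        end = offset + len(payload)
        if protect_hidden and end > self.hidden_start:
            # With the hidden-volume secret supplied, VeraCrypt knows the boundary and
            # write-protects the outer volume until dismount rather than destroying data.
            self.read_only = True
            return False
        # Without protection nothing stops the write: the hidden area is silently overwritten.
        self.data[offset:end] = payload
        return True


def fill_outer(container, nbytes, protect_hidden, chunk=100):
    """Simulate a filesystem that allocates free space sequentially from the front.
    Returns the number of bytes actually written."""
    written = 0
    for offset in range(0, nbytes, chunk):
        part = b"\x11" * min(chunk, nbytes - offset)
        if not container.write_outer(offset, part, protect_hidden):
            break
        written += len(part)
    return written


def demo():
    """Store 900 bytes in a 1024-byte container whose hidden volume starts at byte 768."""
    unprotected = Container()
    fill_outer(unprotected, 900, protect_hidden=False)   # spills into the hidden area
    protected = Container()
    fill_outer(protected, 900, protect_hidden=True)      # blocked at the boundary
    return unprotected.hidden_intact(), protected.hidden_intact(), protected.read_only


if __name__ == "__main__":
    print(demo())   # (False, True, True)
```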

Security vs. Performance

For my example, I'll select Standard VeraCrypt volume and then press Next. Then I need to select the container file's storage location and specify the encryption parameters. VeraCrypt offers a choice of algorithms. AES is the globally recognized standard for block encryption. The alternatives, Serpent and Twofish, were also candidates for the AES standard at the time, so they are comparatively secure.

If you do not trust any algorithm on its own, you can also select a cascade of several methods. You have to decide for yourself whether this makes sense cryptographically and for your application. Ultimately, cascading increases the key material and removes the dependence on the mathematical soundness of any single algorithm in an attack scenario. The same applies to the choice of hash method; again, different variants are available. Under normal circumstances, AES and SHA-512 are safe choices that achieve a good compromise between security and performance. I will use these two methods in my example.

As the next step, you need to define the size of the volume based on your estimated needs. Otherwise, you might use up a large amount of storage space on your data carrier just to encrypt a few files or a bunch of small files. VeraCrypt also offers dynamic containers if you can't estimate the exact requirements right now. These containers do not grab the entire storage space when they are created, but simply grow to the specified maximum size as required. Incidentally, you need to choose dynamic containers carefully, because if they end up exceeding the actual hard disk capacity, there is a risk of data loss. I will be using a container size of 1GB.

You now need to select the secret for accessing the volume you created by filling out the two input fields with your choice of password. Be sure to read the info at the bottom of the dialog to help you choose a secure password. Good passwords should not only consist of many different characters, but should also be as long as possible. Password length has a major influence on security (see the "Password Security" box), although you are likely to find different recommendations for this in different places. VeraCrypt warns you if your password has fewer than 20 characters.

Password Security

Secure passwords are long. They are designed to provide protection against brute force attacks (i.e., attacks in which all possible character combinations are tested in an automated process). The difficulty results from the number of combinations that the attacker must try; every additional character multiplies that number, so the effort to crack the password grows exponentially with its length.

However, a password's security is not only determined by the choice and number of characters, but also by the degree of secrecy. Sufficiently complex, yet easy to remember passwords do not need to be written down. The sheer number of password characters plays a greater role than the largest possible character set: An 18-character password in which you only use lowercase letters and numbers (i.e., 36 possible characters each) has more combinations than a 14-character password with 100 possible characters. To keep the secret, do not use your passwords for multiple purposes, but create an individual password for each account. Otherwise, the number of attempts required to access your files will be exactly one if your password falls into an attacker's hands (i.e., if another account that uses the same password is hacked).

As an alternative or in addition to the password, you can select further "secrets" to protect your volume. In addition to a smartcard, any file or the files of an entire folder can be defined as keyfiles (Figure 3). Of course, this increases the size of the input to the key derivation immensely, but limits the secret to be remembered to this one file or the selected combination of files. Because an attacker with access to your computer could try out any file as a secret, it is not a good idea to rely solely on one file as the secret.

Figure 3: Keyfiles can also be used in addition to passwords.

You can enhance security even further by defining the Personal Iterations Multiplier (PIM) yourself and selecting the Use PIM option. This lets you change the number of iterations of the key derivation function that generates cryptographic keys from your input, thus making brute force attacks more difficult. Having said this, the default number of iterations (500,000 rounds) offers a good compromise between performance and security, so I wouldn't change anything here.
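The arithmetic behind the "Password Security" box and the PIM paragraph, as an added example that is not VeraCrypt's code. It assumes the iteration formula VeraCrypt documents for SHA-512 on non-system volumes (15000 + PIM × 1000, with PIM 485 as the default that yields the 500,000 rounds mentioned above), uses PBKDF2-HMAC-SHA-512 from the standard library in place of VeraCrypt's own header-key derivation (the volume header layout is not modelled), and the attacker's hash rate is a constructed assumption.

```python
import hashlib
import math
import string

DEFAULT_PIM_SHA512 = 485      # 15000 + 485*1000 = 500,000 iterations (VeraCrypt default)


def pim_to_iterations(pim):
    """PBKDF2 iteration count for SHA-512 non-system volumes (VeraCrypt documentation).
    A PIM of 0 means 'use the default'."""
    if pim == 0:
        pim = DEFAULT_PIM_SHA512
    return 15000 + pim * 1000


def derive_header_key(password: bytes, salt: bytes, pim=0, length=64):
    """PBKDF2-HMAC-SHA-512 with a 64-byte salt, as VeraCrypt uses to derive the header
    key (assumption: 64 output bytes cover an AES-XTS key pair)."""
    if len(salt) != 64:
        raise ValueError("VeraCrypt salts are 64 bytes")
    return hashlib.pbkdf2_hmac("sha512", password, salt, pim_to_iterations(pim), length)


CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def bits_for(alphabet_size, length):
    """Brute-force keyspace in bits for a password of 'length' symbols drawn from an
    alphabet of 'alphabet_size' characters."""
    return length * math.log2(alphabet_size)


def keyspace_bits(password: str):
    """Same estimate for a concrete password: the alphabet is the union of the
    character classes actually present, so mixing classes only helps if it is used."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return bits_for(alphabet, len(password))


def years_to_exhaust(bits, pim=0, hmac_ops_per_second=1e9):
    """Worst-case time to try the whole keyspace when every guess costs a full KDF run.
    The rate is a constructed assumption; the ratio between scenarios is the point."""
    total_ops = 2 ** bits * pim_to_iterations(pim)
    return total_ops / hmac_ops_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # The box's claim: 18 chars from 36 symbols beats 14 chars from 100 symbols.
    print(bits_for(36, 18), bits_for(100, 14))
    # Raising the PIM to 1000 roughly doubles the attacker's work per guess.
    print(years_to_exhaust(keyspace_bits("correct horse battery"), pim=0),
          years_to_exhaust(keyspace_bits("correct horse battery"), pim=1000))
```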

FAT, exFAT, or NTFS?

Once you have defined a good password and clicked Next, you can move on to selecting the volume's filesystem. FAT or exFAT can be mounted on almost any other system later. NTFS gives you the ability to use additional authorizations or file attributes on Windows. Choose the filesystem that best suits your requirements. If required, check the boxes for quick formatting and the option to dynamically grow the volume. Next, move your mouse pointer to give the pseudo-random number generator for the crypto operations further random data. Once the bar at the bottom of the window turns green, press Format. After a short time, your volume is ready, and you can press Exit to close the dialog.

After creating your container, you are taken back to the VeraCrypt start window. Now search for your previously created container by clicking on Select File, select the desired drive letter in the area above, and then press Mount. Enter the password in the dialog box or browse to the keyfiles you selected previously for the secret in Keyfiles. Clicking on OK tells the disk manager to automatically mount the volume, which you can access directly.

If you created a hidden volume in the previous step, you will now see two options when mounting. If you want to access the contents of the hidden volume, you need to enter the matching secret in order to mount it directly. The container's outer volume is not displayed or changed. However, if you want to include the outer volume (e.g., to keep up appearances and store files) enter the secret for this outer volume here. In Options, make sure you also specify the secret of the hidden volume for protection to avoid it being accidentally overwritten (Figure 4).

Figure 4: Protect existing hidden volumes against accidental overwrites.

Encrypting Partitions and Hard Disks

If you want to encrypt entire partitions or data carriers, select the Encrypt a Partition/Drive option when creating a new volume. In Windows, again confirm the User Account Control (UAC) dialog to let VeraCrypt access your data carriers. As in a container, you can also create hidden volumes. Then select the data carrier to be encrypted. In my example, I will encrypt a USB memory stick. In this case, it is not necessary to partition the storage space in advance; you can encrypt the entire drive directly. The partitioning can then be changed within the encrypted area. VeraCrypt shows you available storage and partitions for selection.

Next you can choose whether to continue using the files that are already on the data carrier in the encrypted volume (the in-place encryption option). VeraCrypt can create encrypted storage media without you needing to manually temporarily store the files and transfer them back. Note that this only works with NTFS on Windows, because the operating system is only capable of shrinking NTFS filesystems on the fly, which is necessary to free up space for the encrypted volume on the data carrier.

If you want to continue without in-place encryption, select the other option and press Next. Before formatting, you will be warned once again that all data currently on the medium will be permanently deleted. If you are using a USB memory stick, you are also told that a drive letter will still be assigned on Windows. However, you must not use the drive in this way. Windows does not recognize any content and offers to format the stick directly when you connect it, which would delete the encrypted volume.

Protecting the System Partition

Now that you have some experience with VeraCrypt, you can encrypt your entire operating system. To do this, select Encrypt System Partition/Drive from the System menu at the top.

VeraCrypt even offers to install a hidden operating system. This extends plausible deniability to the operating system level: You can deny that a hidden operating system installation exists at all.

For my example, I will use normal encryption and then opt to encrypt the entire data carrier and not just the system partition. The entire data carrier then also includes any recovery or boot partitions, which is why VeraCrypt recommends that you encrypt only the system partition so that the recovery partition remains usable. Otherwise, depending on the BIOS configuration, you could lose access to your system completely.

Backup and Recovery

Now is a good time to think about backing up the contents of your hard disk. If something goes wrong with the encryption process, you will want to keep a backup of your files in order to be able to restore the system. The files can (or should) of course also be stored on an encrypted data carrier that can be easily mounted by a booted system.

Next, select whether you have one or several operating systems installed on your data carrier. Then click Next and set the encryption parameters as described above. You are then taken to the password entry screen. Of course, you cannot select any keyfiles here, because you do not have access to the hard disk at system boot time.

VeraCrypt sets the keyboard layout to English when you enter the password. This is because only the BIOS settings are available at boot time before the operating system possibly adopts your choice of keyboard layout. You need to take this into account, especially if you want to use nonstandard characters in your password. You will normally have an English keyboard layout, but to be on the safe side and make sure that the BIOS is not playing tricks on you with a country-specific language setting, it is a good idea to display the password so that you can enter the password with your local keyboard layout in case of an emergency.

VeraCrypt also lets you create your own VeraCrypt rescue medium. This helps you to repair a defective VeraCrypt bootloader and also – with the correct password, of course – to permanently decrypt the system partition again, for example, to repair a defective Windows system. You need to burn the ISO image you create to a CD/DVD or transfer it to a USB stick. If you encrypt several systems with VeraCrypt, you will need an individual rescue medium for each system.

Before the encryption process starts, you need to define the delete options for the existing system files. You can overwrite files multiple times to prevent an attacker from restoring them – even after overwriting the free disk areas with the encrypted volume. Now take note of the recovery instructions and warnings before starting the obligatory pre-test. The computer reboots and Windows launches again after you enter the password. VeraCrypt displays a success message for the test after the reboot.

Click on Encrypt and say yes to warning prompts. The encryption process then starts. You will need some patience, depending on the size of your data carrier. Once the process has completed, you can close the dialog box and will see your system partition mounted in the drive overview. Of course, you cannot eject the drive. To protect your data, shut down the system.

After restarting, you will be prompted to enter the key. Remember that you must type the key with an English keyboard layout. In addition to the password, you will be asked to enter a PIM if you set one. If you have not set a PIM, you can simply press Enter to confirm, otherwise you need to enter the correct value here. The operating system then boots in the usual way, and you can work with virtually no loss of performance.

Conclusions

Encrypting data, especially on mobile devices, is essential in the corporate environment. As an alternative to BitLocker, VeraCrypt offers a sophisticated approach to encrypting data carriers. It protects USB memory sticks, hard disks, and your system partition (though only when the computer is switched off or not connected). Hidden volumes also give users the ability to credibly deny the existence of any such volumes, should someone attempt to force you to hand over your data.

With the steps covered in this article, you can encrypt your computer with VeraCrypt. Keep in mind, however, that secure passwords are an important security aspect.