Truecrypt Installation and Deployment
TrueCrypt Installation and Deployment
Academic Services
Exeter IT
Desktop Support
TrueCrypt Installation and Deployment
Document reference: DS035
Document type: Desktop Support Procedure
Document status: Live
Review period: Twelve months
Next review date: 14 Dec 2013
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 1 of 16
TrueCrypt Installation and Deployment
1 TABLE OF CONTENTS
1 Table of Contents ...... 2 2 Document History ...... 3 2.1 Document location ...... 3 2.2 Revision history ...... 3 2.3 Approvals ...... 3 2.4 Reviews ...... 3 3 Introduction ...... 4 4 Pre-installation Steps ...... 4 4.1 Data backup ...... 4 4.2 Initial assessment of the machine / health check ...... 4 4.3 Check disk configuration ...... 4 4.4 chkdsk ...... 4 4.5 Analyse and defragment disk ...... 5 4.6 Create rescue CD folder ...... 5 5 Install the TrueCrypt Application ...... 6 6 Encryption ...... 6 6.1 Re-encryption ...... 11 7 User Deployment Steps ...... 11 7.1 Change user password ...... 11 7.2 User awareness ...... 11 8 Recovery Procedures ...... 12 8.1 Recovery of the original IT support password ...... 12 8.2 Procedure for decrypting the hard drive ...... 14 9 Technical Information ...... 15 9.1 Limitations ...... 15 9.2 Possible issues ...... 15 9.3 Further reading ...... 15 10 Appendix – Recommended Windows Configuration ...... 16 11 Appendix – Naming Convention for Header Files ...... 16
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 2 of 16
TrueCrypt Installation and Deployment
2 DOCUMENT HISTORY
2.1 DOCUMENT LOCATION
This document can be accessed from the following location: http://www.exeter.ac.uk/it/equipmentandsoftware/howto
2.2 REVISION HISTORY
The latest revision can be found at the top of the list:
Revision Date Author Version Summary of Changes Amended Encryption process, amended 14 Dec 2012 Rob Hatswell 2.4 Recovery procedure, minor changes to text 10 Oct 2011 Bill Lambert 2.3 Added re encryption information 9 May 2011 Paul Field 2.2 Fixed typo in one of the technical comments Minor tweaks, mostly cosmetic. Added some April 2011 Various 2.1 extra tips Additional sections added for user advice, data 25th February 2011 Various 2.0 recovery issues, windows configuration and header naming conventions. 2nd September 2010 Sue Watling 1.0 First live version
2.3 APPROVALS
This document requires the following approvals:
Name Title Version Date of approval Matt Coppell Incident Response Team Leader 2.4 14 Dec 2013 Paul Grogan Incident Response Team Leader 2.3 10 Oct 2011 Paul Grogan Incident Response Team Leader 2.2 9 May 2011 Paul Grogan Incident Response Team Leader 2.1 5 May 2011 Paul Grogan Incident Response Team Leader 2.0 25 March 2011 Paul Grogan Incident Response Team Leader 1.0 12 October 2010
2.4 REVIEWS
This document was reviewed at the following dates with no updates required:
Name Version Date of Review Notes
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 3 of 16
TrueCrypt Installation and Deployment
3 INTRODUCTION
This document is intended to be used by the University of Exeter’s Desktop Support staff and CDO’s supporting Colleges. It is to be used to guide the installation of TrueCrypt encryption software onto University-provided laptops. This document has been written to be applicable to the University’s recommended makes/models/builds of laptops running Windows XP SP3; however the software does support other versions of Windows and other Operating Systems. More information on supported Operating Systems can be found by visiting the link below. http://www.truecrypt.org/docs/?s=supported-operating-systems
The instructions recommend encryption of the entire disk. 4 PRE-INSTALLATION STEPS
For new PC deployments that have been imaged please skip to 4.5.
4.1 DATA BACKUP
Confirm user has backed up their data including Outlook archive .pst files. If NOT, ensure their data is backed up to a removable device (e.g. External Hard Drive).
4.2 INITIAL ASSESSMENT OF THE MACHINE / HEALTH CHECK
Technical staff to assess the machine, if deemed necessary re-image machine. Health check – look for any evidence of hardware faults, windows faults or traces of viruses/malware.
Check Windows XP SP3 is installed.
4.3 CHECK DISK CONFIGURATION
TrueCrypt may be installed on any PC that has been set up in the standard way (as described in the relevant DS documents). That is, one Windows Operating System fills the whole disk on a single partition. However, TrueCrypt may also be applied to any partition on a multi-partition disk, provided it does not have a “logical” partition. It must be a “primary” partition. If a whole-disk encryption is desired, and there are logical partitions, the contents of these partitions must be saved, the logical partitions deleted and replaced with primary partitions, and the content restored to these.
4.4 CHKDSK
On older systems it’s advisable to run chkdsk /f /r before proceeding to encrypt the drive. This is to highlight damaged areas of the disk which could cause problems with the process. If any bad clusters etc. are found then further investigation is needed (software or hardware) before encryption can commence.
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 4 of 16
TrueCrypt Installation and Deployment
4.5 ANALYSE AND DEFRAGMENT DISK
Run Disk Defragmenter from ‘System Tools’ folder that can be found in the ‘Accessories’ folder via the ‘Start menu’. Analyse the C: drive. If the disk is partitioned analyse all other volumes as well. Defragment each partition if advised to do so by the application. Once all volumes are defragmented, exit Disk Defragmenter and reboot the machine.
4.6 CREATE RESCUE CD FOLDER
During the installation sequence, you will be prompted to create a Rescue CD in the form of an .iso file (This CD is will be required to restore the original header). Ensure the account you are logged into has Administrator rights. Create a drive mapping to a server location where the Rescue CD information is to be stored. This should be an area accessed only by the IT Support team. Create a new folder, giving the folder the same name as the laptop (service tag – user’s name, e.g. B6YT998 – Minnie Mouse). This new folder will be used to store the Rescue CD .iso file.
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 5 of 16
TrueCrypt Installation and Deployment
5 INSTALL THE TRUECRYPT APPLICATION
If you have not done so, download and install TrueCrypt. Desktop Support Staff can find TrueCrypt on the Desktop Support shared drive. The latest stable version of TrueCrypt (version 7.1a) can be downloaded from http://www.truecrypt.org/downloads Start the setup of TrueCrypt and accept the licence At the next window headed ‘Wizard Mode’, make sure "Install" is selected and click “Next” At the next window headed ‘Setup Options’: Accept the default install location un-tick "Add TrueCrypt to Start menu" un-tick "Add TrueCrypt icon to desktop" This will hide the software from the user as a precaution Click “Install”
Once installation is complete a window will appear informing you that TrueCrypt has been successfully installed. Click “OK” to close the window.
Click “Finish” to close the installer. You may be prompted to read the Beginner’s Tutorial. Click “No” to close the window.
6 ENCRYPTION
Note: Using an optical mouse at this stage makes it easier when creating the encryption keys.
Click “Start” followed by “Run”. In the box type, (excluding quotes) “cmd” then click “OK” Change drive path to C: by typing C: and press “Return” Change to the TrueCrypt directory by typing the following, including quotes: cd “\program files\truecrypt” Including the odd placing of the quotes, type the following command: “truecrypt format” /noisocheck
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 6 of 16
TrueCrypt Installation and Deployment
(Using this command line switch to start the program means that we can skip the built in integrity check of the Rescue CD .iso file, thus considerably speeding up the process of the encryption. This is especially useful when having to encrypt a large number of laptops. The normal behaviour is that TrueCrypt checks that the file has been burnt successfully before it will allow the process to continue.)
You will now be presented with the TrueCrypt Wizard.
Select “Encrypt the system partition or entire system drive”. Click “Next”.
Select “Normal”. Click “Next”.
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 7 of 16
TrueCrypt Installation and Deployment
Select “Encrypt the whole drive” (the standard desktop support imaged laptop has only one partition). Click “Next”.
Select “Yes” to encrypt the Host Protected Area and then click “Next”. You may see a ‘Detecting Hidden Sectors’ window briefly.
Select “Single-boot” (with the standard image Windows XP is the only installed operating system). Then click “Next”.
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 8 of 16
TrueCrypt Installation and Deployment
Leave the ‘Encryption Options’ as the defaults. Click “Next”.
The next step is very important; you now have to set a password. This should eventually be a stronger password as suggested by the dialog box; however we recommend choosing a known password for all devices in a department and using this. This will enable a backup of the password as a “Header” on a Rescue CD to be created which can be used to overwrite the eventual password entered by the user in the event of them locking themselves out of their machine, or their header-file becoming corrupted.
Enter our standard password twice and click “Next”.
A warning will pop-up giving the dangers of using short passwords, click “Yes” to continue since we will change the password to a stronger and longer one when it is rolled out to the user.
Now you have entered the password you must increase the cryptographic strength of the encryption on it. Move your mouse as randomly as possible within the ‘Collecting Random Data’ window for at least 30 seconds. The longer the mouse is moved, the better. This significantly increases the cryptographic strength of the encryption keys (which increases security). Click “Next”.
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 9 of 16
TrueCrypt Installation and Deployment
Click “Next” again at the ‘Keys Generated’ summary window.
You are now requested to create a Rescue CD.
Select “Browse”, navigate to the Rescue CD folder for this laptop (as mentioned in section 4.6) Set the .iso filename to the machine name of the laptop. *Remember to put “.iso” after the filename. Click “Next”. The Rescue CD image is created. Click “Next”. A warning pop-up will appear advising you that you cannot re-use previously created Rescue CD’s if the laptop is decrypted then re- encrypted at a later date. A new Rescue CD needs to be created every time. Click “OK”. Click “Next” at the ‘Wipe Mode’ screen. Click “Test” at the ‘System Encryption Pretest’ screen. Clicking on “OK” will close the ‘Notes’ window – you will then be prompted to restart the machine. Click “Yes”. The PC will reboot. ENSURE THE LAPTOP IS ON MAINS POWER DURING THE NEXT STEP. When the machine starts you will be see the TrueCrypt Bootloader Screen. Enter your TrueCrypt password and wait for Windows XP to load as normal. Login with the same account and you will be presented with the following screen.
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 10 of 16
TrueCrypt Installation and Deployment
Select “Encrypt”. You may have to click “OK” to close another ‘Notes’ window. The drive will now start encrypting. This can take an indeterminate amount of time depending on the data on the machine, size of the hard drive, etc. The remaining time is displayed during the process, but this can fluctuate, which erodes confidence. The encryption can be paused and restarted at the discretion of the user. When the encryption process has completed, click “OK” and “Finish”.
6.1 RE-ENCRYPTION
There are occasions when a previously encrypted laptop may need to be rebuilt and encrypted again. (The imaging process overwrites the previously encrypted disk header). The original Rescue CD .iso can no longer be used for recovery on the re-encrypted laptop. Therefore during the re-encryption process, a new Rescue CD must be created to replace the existing .iso.
7 USER DEPLOYMENT STEPS
7.1 CHANGE USER PASSWORD
1. Boot the PC and enter the IT Support TrueCrypt password 2. Login to Windows (using any user’s login with Administrator rights) 3. Navigate to the TrueCrypt folder C:\Program Files\TrueCrypt 4. Run TrueCrypt.exe 5. From the menu “System” select ‘Change Password’ 6. Enter the current password (IT Support) and then allow the user to create their own. 7. Click “OK” and confirm “Yes” when prompted and “OK” after it has been changed. 8. Reboot PC to check that the new password has taken effect.
7.2 USER AWARENESS
Convey the following points to the user.
7.2.1 What has been installed
Explain all changes made, including security updates, XP SP3, virus software etc.
The TrueCrypt application provides full disk encryption with pre-boot authentication, i.e. from now on you will be presented with an additional login screen.
“Hassle Factor vs. End User experience” – explain that laptop encryption is the University’s response to the legal requirement to protect the organisation against the liability of unauthorised access to sensitive information.
7.2.2 What it does (*including ramifications if they adjust TrueCrypt settings)
The whole hard disk is encrypted, so every file currently on the drive and any new files will be automatically encrypted.
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 11 of 16
TrueCrypt Installation and Deployment
It does not automatically encrypt files that are transferred to a location off the laptop (i.e. removable media drives, network drives, etc.), so a file copied to another PC is not encrypted or protected.
There is no reason for a user to open the TrueCrypt application and make any changes to settings. If they do they will risk making the laptop and their data inaccessible.
7.2.3 Password creation (at least 12 characters, letters, numbers and symbols)
In order for the user’s password to be effective, we advise a strong password is used. The strength of a password depends on its length, complexity and randomness. The password should be at least 12 characters long - the recommended length is 20 characters. To make the password easy to remember it can be based on the first letters of the words in a poem or song, with numbers and/or symbols added. Simple strings of keyboard letters (e.g. qwertyuiop[]), usernames, words and names should not be used (even spelled backwards).
7.2.4 Password storage considerations, i.e. not stored with laptop
Advise the user not to store the password with the laptop.
7.2.5 Advice for increased security
Users should be advised to shut down the laptop rather than use suspend or hibernate prior to “at risk activities” such as leaving the laptop unattended or when travelling. This clears data from the system memory.
7.2.6 Data recovery
Users should be made aware that data recovery from an encrypted laptop may not be possible or may be a very lengthy procedure. If working away from campus they should take the precaution of connecting to the network using a VPN connection and synchronising their laptop regularly.
7.2.7 Support arrangements
Advise the user that if the password needs to be changed or there are any problems they should contact the IT Help Desk.
8 RECOVERY PROCEDURES
8.1 RECOVERY OF THE ORIGINAL IT SUPPORT PASSWORD
Using the Rescue CD .iso created during the encryption process, ‘burn it’ to a CD / DVD using a CD burning application. This can be carried out on any computer with a CD writer. Roxio CD & DVD Creator is installed on all XP machines that are using the standard image.
Enter the BIOS if necessary and change the boot device priority ensuring that the CD / DVD Drive are the first option.
Insert the Rescue CD into the Optical drive of the machine and reboot.
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 12 of 16
TrueCrypt Installation and Deployment
Press F8 at the boot menu to enter the ‘Repair Options’.
Select Option 3 – ‘Restore key data (volume header)’ and type in the standard password. You will then be asked to confirm whether you want to modify drive 0 (y/n), type ‘y’ to confirm this operation.
You will now see the message ‘Header Restored’ which informs us that the encryption password has been reset to our standard password. Press “Esc” twice to go back to the Rescue CD main menu. Remove the CD from the Optical Drive and reboot the machine. Typing the standard password at the Bootloader screen should allow the laptop to boot into Windows.
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 13 of 16
TrueCrypt Installation and Deployment
8.2 PROCEDURE FOR DECRYPTING THE HARD DRIVE
To decrypt the hard drive, run the TrueCrypt application under Program Files. From the TrueCrypt application, click ‘System’ and choose “Permanently Decrypt System Partition/Drive”.
Decrypting the hard drive can also be done via the Rescue CD; however the decryption process is a lot quicker through Windows. The Rescue CD option should only be used if the machine is not able to boot into Windows.
Confirm you want to “…permanently decrypt the system partition/drive?”
Note: This isn’t permenant if you want to re-encrypt the device at a later date.
The process may take longer than the original encryption owing to the amount of data stored on the hard drive. After several hours the computer should restart and no longer request a password on start-up.
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 14 of 16
TrueCrypt Installation and Deployment
9 TECHNICAL INFORMATION
9.1 LIMITATIONS
When the system partition/drive is encrypted, the system cannot be upgraded (e.g. from Windows XP to Windows Vista) or repaired* from within the pre-boot environment (using a Windows setup CD/DVD or the Windows pre-boot component). In such cases, the system partition/drive must be decrypted first. Note: A running operating system can be updated (security patches, service packs, etc.) without any problems even when the system partition/drive is encrypted.
See also the Issues and Limitations section at http://www.truecrypt.org/docs
* It’s also possible to browse to and mount an encrypted system partition using a USB to Sata/IDE data transfer cable by using the ‘mount without pre-boot authentication’ option under ‘System’ menu from within the Truecrypt program. Note: You’ll need to restore the header to the standard password first.
9.2 POSSIBLE ISSUES
9.2.1 Data recovery
Prior to recovering data the laptop needs to be decrypted. This can be a lengthy procedure on a large disk.
9.2.2 Stop errors
When you log on to the domain you may see the following Stop error:
STOP 0x00000035 (0x8207ecd8, 0x00000000, 0x00000000, 0x00000000) NO_MORE_IRP_STACK_LOCATIONS
This occurs if: You install more than three programs that are related to file security. For example, you install more than three antivirus programs or file-encryption programs. The computer is part of a domain.
Further information and a solution can be found at http://support.microsoft.com/kb/906866
9.3 FURTHER READING http://www.truecrypt.org/docs/
The documentation section of the above website is a good resource for information.
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 15 of 16
TrueCrypt Installation and Deployment
10 APPENDIX – RECOMMENDED WINDOWS CONFIGURATION
For security we recommend the following settings are used on all laptops; these settings are applied to all computers built using the standard desktop image.
Request the password when resuming from standby Configure the laptop to standby or hibernate when the lid is closed Configure the laptop to standby, hibernate or shut down when the power button is pressed Configure the laptop to standby or hibernate when the sleep button is pressed Request password when resuming from the Screensaver (for security purposes we are investigating the use of a GPO to force this setting on all computers shortly)
11 APPENDIX – NAMING CONVENTION FOR HEADER FILES
The suggested naming convention for TrueCrypt header files is service tag – user’s name (given name and family name), e.g. A12345J – Minnie Mouse. This allows easy identification.
DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 16 of 16