I discovered a neat TrueCrypt trick the other day while searching for products that would encrypt flash drives on the fly. I never noticed it before, but it has an option to create a “travel disk”. It’s right there in the tools menu, as you can see on the screenshot below:
It will essentially turn your chosen external drive into a self-contained vehicle for a TrueCrypt encrypted volume. It will copy all the files necessary for encrypting/decrypting the volume to the drive, and set it up to use the Windows auto-play feature. So you just plug it in, type in your password and can start working with the encrypted files. The process is amazingly simple – so easy even a Caveman can do it. ;) You just pick the drive, and choose whether or not it should auto-mount a volume on startup (yes it should):
Then you click create. That’s all you really need to do. One thing this process doesn’t do is actually create the TrueCrypt volume file on that drive. You have to do that separately – I wrote about how to do this earlier. I created mine ahead of time, called it files.tc and plopped it in the root directory of my flash drive. All I had to do then was to point the above dialog at it. If you don’t have a tc volume yet, you can just type in a file name in that box – it won’t complain that it doesn’t exist. You can add the volume later.
Once you hit create, a bunch of files will get copied to the selected drive:
The autorun.inf is the interesting one. As most of you know, this file contains the commands used by the Windows auto-play functionality. This is what it really contains:
```
[autorun]
label=TrueCrypt Traveler Disk
icon=TrueCrypt\TrueCrypt.exe
action=Mount TrueCrypt volume
open=TrueCrypt\TrueCrypt.exe /q background /e /m rm /v "files.tc"
shell\start=Start TrueCrypt
shell\start\command=TrueCrypt\TrueCrypt.exe
shell\dismount=Dismount all TrueCrypt volumes
shell\dismount\command=TrueCrypt\TrueCrypt.exe /q /d
```
In fact this is the only place which references the file name you entered in that dialog box. You can easily change it to anything else and it will work. Inside the TrueCrypt folder you get the guts of TrueCrypt. These few binary files are what does the encrypting/decrypting in the background:
I can give this flash drive to anyone in the world, and as long as they are running Windows XP (I don’t think 2k autoruns flash drives) they will be able to work with it. All you do is just plug it in, and you see this dialog:
If you choose the TrueCrypt option you will be greeted by the familiar (well, familiar to me) TrueCrypt password dialog:
If you give the correct password it will mount another drive on your system, which will be the encrypted volume:
The two-drive thing may be confusing to some lusers at first, but it opens up the correct one automatically in explorer on startup. Besides, they can easily identify that one drive has some cryptic system files, while the other has their data.
From there it just works seamlessly as always – anything you move, copy to or create on the virtual drive will be encrypted. What encryption will be used? It is up to you. The encryption type is not tied to your copy of portable TC but to the volume you created. If I remember correctly I used 128 bit AES-Twofish combo on mine, but you can pick your own.
The nice part about this is that I can easily take another tc volume (different encryption algorithm, different password), stick it on my flash drive, name it files.tc (or modify the autorun.inf with the new file name) and it will work just as well. Or I can copy the TrueCrypt folder and the autorun.inf file to another drive, and it will work as well. I can essentially create a script that will crank these out at will, without even having a copy of TrueCrypt installed.
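The provisioning script mentioned above, sketched in Python as an added example (not code from the original post or from TrueCrypt): it copies an existing TrueCrypt folder onto a drive and writes autorun.inf for a chosen volume name. The function names and the file-name validation are assumptions of this example.

```python
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

# Same content as the autorun.inf shown above; only the volume name varies.
AUTORUN_TEMPLATE = r"""[autorun]
label=TrueCrypt Traveler Disk
icon=TrueCrypt\TrueCrypt.exe
action=Mount TrueCrypt volume
open=TrueCrypt\TrueCrypt.exe /q background /e /m rm /v "{volume}"
shell\start=Start TrueCrypt
shell\start\command=TrueCrypt\TrueCrypt.exe
shell\dismount=Dismount all TrueCrypt volumes
shell\dismount\command=TrueCrypt\TrueCrypt.exe /q /d
"""

def render_autorun(volume):
    """Return autorun.inf text that mounts `volume`, a file in the drive root."""
    # The name lands inside a quoted command line: refuse anything that could
    # close the quote, start a new line, or point outside the drive root.
    bad_chars = any(c in volume for c in '"\r\n')
    not_bare = PureWindowsPath(volume).name != volume or volume.strip(".") == ""
    if bad_chars or not_bare or not volume.isascii():
        raise ValueError(f"unsafe volume file name: {volume!r}")
    return AUTORUN_TEMPLATE.format(volume=volume)

def provision(source_tc_dir, drive_root, volume="files.tc"):
    """Copy the TrueCrypt folder and write autorun.inf; return (path, volume_present)."""
    source_tc_dir, drive_root = Path(source_tc_dir), Path(drive_root)
    if not (source_tc_dir / "TrueCrypt.exe").is_file():
        raise FileNotFoundError("TrueCrypt.exe not found in source folder")
    text = render_autorun(volume)  # validate before touching the drive
    shutil.copytree(source_tc_dir, drive_root / "TrueCrypt", dirs_exist_ok=True)
    autorun = drive_root / "autorun.inf"
    autorun.write_bytes(text.replace("\n", "\r\n").encode("ascii"))  # CRLF line endings
    # As with the dialog, a missing volume is not an error; report it instead.
    return autorun, (drive_root / volume).is_file()

if __name__ == "__main__":
    # Constructed demo: temp folders stand in for the install folder and the drive.
    with tempfile.TemporaryDirectory() as tmp:
        src, drive = Path(tmp, "src"), Path(tmp, "drive")
        src.mkdir(); drive.mkdir()
        (src / "TrueCrypt.exe").write_bytes(b"placeholder, not a real binary")
        print(provision(src, drive, "work.tc"))
```

The second return value tells you whether the volume file is already on the drive, so a batch run can list the sticks that still need one.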
I’m considering making this mandatory for the folks at work. They do get a lot of use out of the flash drives – and they do handle confidential stuff sometimes. So this seems like a perfect solution. The only caveat is removing the flash drive from your system. The standard Windows “Safely Remove” dialog won’t work because the .tc file as well as the TrueCrypt binary will be in use. So removing the stick is really a 2-step process:
- Right Click on the TrueCrypt icon in the taskbar and choose “Dismount all Encrypted Volumes”
- Remove the Flash Drive using the usual method
The “Dismount Command” actually shuts down TrueCrypt, which is nice. Otherwise it would be a 3-step process. I’m sure that most people in the world can deal with a single manual step when they are getting high grade encryption for free. But my users are not most people – they are the people who will cry about it. But there is not much that can be done about this other than just removing the drive without actually making sure the write buffers are flushed into the thing. I’m concerned that when working with a TrueCrypt volume, pulling out the flash drive prematurely may be twice as hazardous as usual – I have no clue how these encrypted files handle corruption and unexpected write errors.
So I suspect I will have to do a 2-hour phone-in training session on this, write up a manual with step-by-step screenshots (hey, I already have most of them here – nice) and then just be prepared to field phone calls asking how to dismount the damn thing for the next 7 months.