Whole Disk Encryption in Windows (XP and Vista) using TrueCrypt


Companies and universities across the US are requiring that faculty encrypt their hard drives; unfortunately, they also aren't providing anyone with much direction on how to do so. This how-to should help anyone in the most common scenario: a laptop with one operating system and one partition (and only one hard drive) whose entire disk needs to be encrypted.

Before getting started you should know two things to ensure that whole disk encryption with TrueCrypt goes smoothly:

A. Know your disk layout, i.e. how your hard drives (HDDs) are partitioned.
Do you have multiple partitions or operating systems on your main OS drive? Here is how to check:
1. For both XP and Vista, find "Computer" or "My Computer" on the Start menu or desktop, right-click
it, then go to "Manage".
2. In the Computer Management window, look for "Disk Management" in the menu on the left and click on it.
3. You should see the identifier for each of your connected HDDs and a map of their layout.
4. Identify the layout of your OS drive and make a note of it; it will come in handy later.

B. Is your burning software capable of burning images (.iso)?
If not, go to www.imgburn.com and download ImgBurn; it's a free tool for burning image files correctly.

Now on to the TrueCrypt stuff.

1. Download TrueCrypt from their site.
2. Run the installer.
3. Accept the license agreement.
4. Install or extract (choose install).
5. Options: I suggest leaving all of them selected other than the adding of links; that is your choice. (X = leave checked.)
X install for all users
X add TrueCrypt to Start menu
add TrueCrypt to desktop
X associate the .tc file extension with TrueCrypt
X disable Windows paging files
X create system restore point
6. Restart. TrueCrypt is now installed.

Encrypting the system drive.

1. Open TrueCrypt.

2. In the TrueCrypt window, go to System > Encrypt System Partition/Drive.

3. Choose the type of system encryption. For most people Normal is enough, and it's what I will show here.
(The Hidden setting gives you the option of having two operating systems that boot with different
passwords, so in a "life or death" case you can appear to be unlocking your computer when in reality you
are unlocking a previously prepared decoy operating system. Again, unnecessary for most people, but an option
just the same.)

4. Next, select the area to encrypt; here you select "Encrypt the whole drive".

5. Encrypt host protected area? For average users, select yes. Even most drives that come from the factory with
a recovery partition shouldn't use this space, and laptops won't have to worry about RAID data being hidden
there.

6. Next, TrueCrypt detects hidden sectors; there is not much for you to do here.

7. Next, select the number of operating systems on your machine; you should be completely aware if you have more than one. Select the environment that best describes your hard drive. I will also stop anyone who has a multiboot setup right here: TrueCrypt does not support encryption of drives with multiple operating systems (yet?). The good news is that TrueCrypt is multi-platform, so you can encrypt each system partition individually. A bit more work, but doable.

8. Encryption options: here you can choose from the available encryption algorithms and even stack them on top of each other. This is a great feature, but keep in mind that more encryption = slower disk, and cascading encryption algorithms has been known to cause problems at times. You can also test the encryption algorithm and set the hash algorithm.

9. Password: be sure to choose a strong password. This means using numbers, letters (capital and lower case) and symbols, and not using any words found in the dictionary, since common password attacks use word lists as their primary tool.
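As an added example (not part of this how-to or of TrueCrypt itself), this Python script applies the password rules from step 9 to a candidate pre-boot password: all four character classes present and no dictionary words, including words disguised with common letter-for-symbol substitutions, which word lists are often expanded with. The word list is a small constructed stand-in, and the 12-character minimum is my own assumption, since the how-to gives no length.

```python
import math
import string

# Constructed stand-in for the word lists that password-guessing tools use.
WORDLIST = {"password", "secret", "laptop", "welcome", "university",
            "truecrypt", "letmein"}

# Undo common letter-for-symbol substitutions ("P@ssw0rd" -> "password"),
# so a dictionary word does not slip through just because it is disguised.
LEET = str.maketrans("@4$501!3", "aassoiie")


def character_classes(pw):
    """Report which of the four character classes from step 9 are present."""
    return {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def dictionary_words(pw, wordlist=WORDLIST, min_len=4):
    """Return dictionary words found anywhere inside pw after normalizing it."""
    normalized = pw.lower().translate(LEET)
    found = set()
    for i in range(len(normalized)):
        for j in range(i + min_len, len(normalized) + 1):
            if normalized[i:j] in wordlist:
                found.add(normalized[i:j])
    return sorted(found)


def brute_force_bits(pw):
    """Upper bound on strength: log2 of the search space a brute-force attack
    faces, given only the character classes actually used in pw."""
    sizes = {"lower": 26, "upper": 26, "digit": 10,
             "symbol": len(string.punctuation)}
    alphabet = sum(sizes[k] for k, used in character_classes(pw).items() if used)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def evaluate(pw, min_len=12):
    """Apply the rules; returns (ok, list of reasons the password fails)."""
    problems = []
    if len(pw) < min_len:  # assumed minimum; the how-to gives no length
        problems.append(f"shorter than {min_len} characters")
    for name, used in character_classes(pw).items():
        if not used:
            problems.append(f"no {name} characters")
    words = dictionary_words(pw)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    return (not problems, problems)
```

Note that `brute_force_bits` only counts the alphabet actually used, so a long password built from two classes can score lower than a shorter one using all four.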

10. Collecting random data: move the mouse around the TrueCrypt window to generate random numbers based on the movement. The longer you do this, the more randomness is collected.

11. The next window shows you the randomly generated keys; you have no real need to keep these numbers.

12. Rescue disk: pay attention to where you save the disk image, since TrueCrypt won't let you proceed until you insert the properly burnt disk. The file is a disk image (.iso), so you need to burn it as such and not just as data. If you don't have burning software that will let you burn an image, ImgBurn is a free tool for burning image files and can be found here: www.imgburn.com.

13. Rescue disk recording: once you've burnt the disk, insert it in your CD drive and hit Next.

14. Once the disk is verified, eject it and store it in a safe place.

15. Wipe mode: for drives that have at one time held highly sensitive information, government agencies require DOD-compliant wipes of the HDD, and this option lets you choose between several levels of such wipes. It is mainly for the purpose of making recovery of files more difficult for unauthorized parties. Everyday users probably don't require any wipe at all.

16. Next is the system encryption pretest. Initiate it and the computer restarts; on restart you will have to enter your password, as you will when the HDD is fully encrypted.

17. Pretest completed: hopefully your pretest went off without a hitch and you simply have to hit Next to begin encryption. (The process does take a while, so expect to wait a few hours depending on HDD size.)

Once the process is done you should have a password prompt at boot. If the encrypted boot sector gets messed up, you can use the rescue disk you burnt earlier to restore it. The disk also comes in handy when you have decrypted the drive but still get the password prompt: you can use it to restore the original boot sector.