
TrueCrypt – Free Open Source Industrial Strength Encryption

TrueCrypt comes up frequently in Ask Leo! answers. Many people are concerned about things like privacy, identity and data theft, particularly on computers or on portable devices where they might not always have total physical control of the media.

Someone might gain access to sensitive data stored on your computer.

Encrypting your data renders that access useless, even when your computer or your thumbdrive falls into the wrong hands.

And TrueCrypt makes it not only easy, but nearly un-crackable.

IMPORTANT: On September 30, 2015, it was reported that a serious security vulnerability had been discovered in TrueCrypt. The flaw was not in its encryption, but a more traditional vulnerability that malicious software could use to gain administrative privileges on your Windows machine.

Since TrueCrypt development has halted and no fix is likely forthcoming, I can no longer recommend its use.

My tentative understanding is that VeraCrypt is a free, compatible, and supported alternative, based on a fork of the original TrueCrypt code. And yes, these most recent vulnerabilities are supposedly fixed therein.

IMPORTANT: On May 26th, 2014 TrueCrypt development was abruptly and somewhat mysteriously halted. While I still use and recommend TrueCrypt, please also read Is TrueCrypt Dead? for what happened, and any late-breaking updates.


There are two approaches to using TrueCrypt:

  • Whole Drive Encryption – you can use TrueCrypt to encrypt your entire hard disk, including the partition you boot from. In order to boot the machine, you must first supply your pass phrase to enable decryption. Once booted, data is automatically and transparently encrypted and decrypted as it travels to and from the disk. Once your machine is turned off, the data is unrecoverable without knowing the pass phrase.
  • Container Encryption – with this approach you create a single encrypted file on your computer’s hard drive. You then “mount” that file using TrueCrypt, supplying the correct pass phrase to decrypt it, after which the contents of that file appear as another drive on your system. Reading from and writing to that “drive” automatically and transparently decrypts and encrypts the data. Once the drive is unmounted, the data is once again unrecoverable without knowing the pass phrase.

Data encryption is an important part of an overall security strategy. TrueCrypt can be a key part of that strategy.

I tend to prefer container-based encryption for its portability, and for the fact that you need only mount the encrypted drive when you need access. I keep a bunch of my personal information in a TrueCrypt container that I regularly copy between machines and onto a thumbdrive, and I even back it up to the internet. When I need the data thereon, I simply mount it, specify my pass phrase to unlock it, and use the files stored within it however I need. In my case, I keep spreadsheets, public and private keys, documents, and even my Roboform password database on it, all securely encrypted when not in use.

TrueCrypt is not tied to any one platform, your user account or anything else; just the pass phrase. In fact, you can copy your encrypted file to another machine entirely and mount it with TrueCrypt, even on other operating systems such as Mac or Linux.

Peeking at a locked document

I do have to throw out a couple of important caveats:

  • Encryption does not make a bad pass phrase any more secure. If you choose an obvious pass phrase, an attack can certainly be mounted that could unlock your encrypted volume. This is why we talk about pass phrase instead of password. Use a multi-word phrase that you can remember to be the key to your encrypted data, and it’ll be much, much more difficult to break.
  • An encrypted volume does you no good if the files you care about are also elsewhere on your machine.
  • That being said, make sure you have secure backups, updated regularly. Preferably keep them UNencrypted, but secure in some other way, in case you lose your encrypted volume or forget your pass phrase. If you’ve chosen a good pass phrase, without it the data is not recoverable.
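To put the pass phrase caveat above in numbers, here is an added example (not part of this article) that estimates how long an exhaustive search takes against the kinds of pass phrases discussed here. The 94-symbol printable ASCII alphabet, the 7776-word list size and the rate of one trillion guesses per second are modelling assumptions, not figures from TrueCrypt.

```python
"""Estimate pass phrase strength under two attacker models (added example)."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 94    # assumption: printable ASCII symbols, space excluded
WORDLIST_SIZE = 7776    # assumption: a six-dice "Diceware"-style word list


def random_chars_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy (bits) of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def word_passphrase_bits(words, wordlist_size=WORDLIST_SIZE):
    """Entropy (bits) of `words` words drawn uniformly from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years to try every possibility of a `bits`-bit secret at a fixed guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def strength_report(guesses_per_second=1e12):
    """Return {description: (bits, years to exhaust)} for several pass phrase styles.

    The 30-character case is modelled twice: once as truly random characters,
    and once as five six-letter dictionary words run together, which an attacker
    who guesses whole words searches far more cheaply than character by character.
    """
    cases = {
        "30 random printable characters": random_chars_bits(30),
        "30 letters: 5 dictionary words, no spaces": word_passphrase_bits(5),
        "4 random words": word_passphrase_bits(4),
        "6 random words": word_passphrase_bits(6),
        "8 random words": word_passphrase_bits(8),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in strength_report().items():
        print(f"{name:45s} {bits:6.1f} bits  {years:12.3g} years")
```

The point the table makes is that a phrase's strength comes from how its words are chosen, not from its letter count: thirty letters of dictionary words fall in under a year at this rate, while six randomly chosen words hold out for millennia.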

I recommend it.

21 comments on “TrueCrypt – Free Open Source Industrial Strength Encryption”

  1. A nice article. I’ve been using TrueCrypt for a while now, here’s where I heard about it the first time, and I have to say it works very well. They now also include a feature called Encrypt System Partition/Drive… which encrypts your system drive/partition so it can’t be booted without the passphrase. They even have (like hidden volumes) hidden systems, of which the existence (if all guidelines are followed) will be impossible to prove. For more information, refer to their website.

  2. Thanks for the recommendation. I’ll be looking further into TrueCrypt for my laptop at home, which is currently not secured. It’s become our primary computer in the house, as well.

    I’ll have to add it to my desktop, as well, but I’ve also looking into a NAS solution for the house that I may try your suggestion about putting the device in a “locked storage”. I would also encrypt that storage device, as well in case, but that is the direction I am heading now.

  3. About your article, I see that it’s very useful for those who’d like to encrypt their data. However, in the first solution, “Whole Drive Encryption”, I think it’s not the best or recommended way of encryption because unauthorised people can also access the encrypted data in many ways by using special software (I don’t remember it now).
    For the second solution, I think it is more advanced, but people can still access the data too, by using password-finder software, though it is much more difficult to do. However, this software can only work on common encryption software (like WinRar or so), so to prevent thieves, I recommend using rare encryption formats (like kge, zip files v12.0, etc.). In these formats, we cannot mount it to a new drive, though it’s more secure. But be careful to delete files in temp folders of hard drives (often in C:) because the software often leaves them there undeleted and unencrypted when the PC suddenly loses power.
    Thank you for the article. Here I just want to contribute to the tips. Best wishes.

  4. It seems to me (without trying my guess out) that TrueCrypt could also be used to protect emails between users. Do you consider this possible (oh, yeah, and reasonably easy)?

    You certainly can, but in all honesty tools like 7-Zip or AxCrypt are more suited to encrypting individual files for transmission this way.

    Leo
    28-Oct-2009

  5. How would you compare TrueCrypt with Best Crypt?

    Not very familiar with it, but from what I can see no reason to pay for it over TrueCrypt, which is free.

    Leo
    28-Oct-2009

  6. TrueCrypt –
    FANTASTIC
    I personally use Winmagic-SecureDoc (paid program) for full disk encryption, needs passphrase at bootup, have been doing this for many years, VERY secure (TrueCrypt did not have this feature when I started using WinMagic)

    BUT, BOOT encryption is very secure; once machine is off, data cannot be extracted from the hard drive.

    AND, you can encrypt the vaults on the hard drive, only mount them when you need them

    RE: EMAIL and secure stuff, YES, you could create a small TrueCrypt vault, include your data, email the TrueCrypt vault, and either phone your friend with the decryption key, OR even send them the key in a different email from a different account (depending on sensitivity of info in that vault)

    AND, you can create your own personal USB stick, with password programs, etc., on it; create a TrueCrypt vault on the USB stick, and copy over your programs.
    THEN, in the root directory of the USB stick (unencrypted), copy over the TrueCrypt program folder itself.
    then, when traveling, you have the TrueCrypt program, AND you have an encrypted vault on your USB stick, with your data protected, and can use it when you need it

  7. As I have many invention circuits and ideas to keep safe, I have been using TrueCrypt for years.
    I use a pass phrase with no spaces and it’s one that I can’t forget but over 30 letters long.
    With regards to being able to crack it – not possible without a Cray computer and 2000 years to work with. I selected the 256 bit DES blowfish military encryption and NO, you can’t find the pass phrase on the disk because it doesn’t exist on the disk. Each letter is filtered through another algorithm in the program which changes each time you use it, much like PGP where you have essentially 2 keys. So your pass letters are re-translated with another different code table which itself changes. Do you ever wonder why the military use it? I personally know of one case in the local paper where Authorities tried to break it on someone’s computer and failed dismally [ Only had 30 days to do it by law ].
    Since the container itself is invisible and direct access reveals random data on the disk [ junk ] it’s absolutely secure. Renaming the container to a common extension [ zip ] just like a valid file assures the attack to open it will start with zip crackers – a waste of more time trying to get into it.

  8. If I use TrueCrypt to encrypt the boot/system drive, and move that drive to a new computer as a data drive (a common tactic to save everything from the old computer on a new computer), can I access everything on that drive OK if I know the passphrase?

  9. TrueCrypt provides additional protection to your data so that when your storage device falls into the wrong hands, the data cannot be retrieved easily. But it does not mean that the data cannot be retrieved at all.

    That is correct. Brute force attempts to crack properly setup encryption will take years (if not decades or centuries), but it’s theoretically possible. The true weakest link is the passphrase you choose – choose something simple that anyone can guess, and all the encryption in the world won’t help you.

    Leo
    20-Dec-2009

  10. I hate to be a wet blanket but I had a horrible experience with TrueCrypt. I followed instructions and encrypted an external hard drive. The password worked several times and then suddenly the software didn’t recognize the password and my files were lost to me forever.

    I think it’s important that we hear all sides – even the best software will fail for some people. There’s no way to know what went wrong here, but it’s a good cautionary tale that emphasizes the need to back up your data, and to do so in a reliable – probably unencrypted – form.

    Leo
    29-Dec-2009

  11. I encrypted my external hard drive with TrueCrypt and formatted my primary hard drive where TrueCrypt was installed. After installing Windows 7 on the formatted drive I reinstalled TrueCrypt and the volume will not mount. Is there any way to retrieve my data from my external hard drive?

  12. I just worked it out. If a computer could work at 1 trillion tries a second and used just each letter of the alphabet in upper and lower case plus all the keyboard symbols; and the pass phrase was 30 letters long – it would take 256,000 years to crack the pass phrase. Can’t get more secure than that.

  13. I wouldn’t use TrueCrypt for email because the file system of a FAT volume occupies 275 KB for starters. But I have a 100 MB TrueCrypt volume in my Dropbox, and it doesn’t get completely up/downloaded when the content changes. Which is good.

  14. To pre-empt user problems, this latest, important information is quoted from the TrueCrypt website–
    ——————–
    [Note: This limitation does not apply to users of Windows Vista and later versions of Windows.] On Windows XP/2003, TrueCrypt does not support encrypting an entire system drive that contains extended (logical) partitions. You can encrypt an entire system drive provided that it contains only primary partitions. Extended (logical) partitions must not be created on any system drive that is partially or fully encrypted (only primary partitions may be created on it). Note: If you need to encrypt an entire drive containing extended partitions, you can encrypt the system partition and, in addition, create partition-hosted TrueCrypt volumes within any non-system partitions on the drive. Alternatively, you may want to consider upgrading to Windows Vista or a later version of Windows.

    # TrueCrypt currently does not support encrypting a system drive that has been converted to a dynamic disk.

    # TrueCrypt does not support pre-boot authentication for operating systems installed within VHD files.

    # TrueCrypt volume passwords must consist only of printable ASCII characters. Non-ASCII characters in passwords are not supported and may cause various problems (e.g., inability to mount a volume).

    # To work around a Windows XP issue, the TrueCrypt boot loader is always automatically configured for the version of the operating system under which it is installed. When the version of the system changes (for example, the TrueCrypt boot loader is installed when Windows Vista is running but it is later used to boot Windows XP) you may encounter various known and unknown issues (for example, on some notebooks, Windows XP may fail to display the log-on screen). Note that this affects multi-boot configurations, TrueCrypt Rescue Disks, and decoy/hidden operating systems (therefore, if the hidden system is e.g. Windows XP, the decoy system should be Windows XP too).
    ————

    There is much more on the TrueCrypt website. See–
    http://www.truecrypt.org/docs/?s=issues-and-limitations

  15. In the context of this article, what does the word “mount” mean (i.e., “…’mount’ that file using TrueCrypt…”)? I see that word used more and more lately in PC articles, but I am never quite sure as to what the authors are trying to say. Thanks…

    It harkens back to the day when a disk was added to a computer by physically mounting it – attaching it to or placing it in a large disk drive enclosure. That concept lived on as a way to think of adding a drive. When you “mount” a TrueCrypt volume its contents then appear as another disk drive on your machine. For example on my machine C:\somepath\data.tc, when mounted, appears as drive F:.

    Leo
    12-Apr-2011

  16. I’ve used TrueCrypt for security on my PC’s and my portable devices and strongly recommend this form of security. Safe and easy to use.

  17. Is there a way to de-crypt a TrueCrypt file using an Android system. There are millions of Android Smart Phones out there that could use a program like TrueCrypt. The problem exists that one can encrypt a file on the PC side but when sent to an Android system the file becomes useless.

    I’m not aware of any mobile option for TrueCrypt as of yet.

    Leo
    27-Jul-2011

  18. What happens if I just delete all the files that are blue? Because my computer is running so slow now since they came up that it is ridiculous, because I have so much free space it shouldn’t run slow. Could you please let me know. Thank you.

    Lori

    I must be missing some context here – this is a TrueCrypt article, and TrueCrypt doesn’t turn files blue. I wouldn’t say it’s ok to delete any files without knowing exactly what they are, so no, I can’t say it’s ok.

    Leo
    10-May-2012
