Episode 520 – Encrypt your entire hard drive!

What’s your best defense against a boot CD that breaks Windows passwords in two keystrokes? Encrypting your entire hard disk. Shannon’s got the details on truecrypt drive encryption while Darren brings up plausible deniability with hidden volumes.


Encrypting your entire hard drive

Truecrypt is an open-source, free program for everyone.
Download the latest version of Truecrypt.

Open Truecrypt and choose ‘Create Volume’. Choose ‘Encrypt entire hard drive’. Then, you will choose whether you single-boot or multi-boot your machine.

On the encryption options, I just choose AES because it is the default setting, and it’s a very strong encryption.

Next you will choose a password. This option is neat because it actually gives you a small notice saying that a password with less than 20 characters is easier to break than one with more than 20.

On the next page, you must randomize your data. You must move your mouse around in the box of algorithms to create a very randomized clump of data. The more randomized, the better encrypted.

Truecrypt will make you create a rescue disk. This is easy if you have a CD burner already installed in your tower. If not (if you have a netbook), you must create the rescuedisk.iso and put it on a flash drive or something similar. You are basically making Truecrypt think you have a CD burner and are burning the CD, when instead, you are just sticking the ISO on a USB flash drive.

For my netbook, I used WinCD Emu. WinCD Emu emulates the burning of a cd, so Truecrypt thinks you’ve finished this task.

Truecrypt will ask you to wipe your drive, and I just choose none since I don’t really need to. Next you must go through a pretest. Your computer will restart and a Truecrypt login screen will appear before the Windows login (this is why Konboot wouldn’t work!). If everything goes well and the pretest completes with no problems, you can begin encrypting. Encryption takes a LONG time, so be patient! Once it’s done, it’ll prompt you, and you’re finished!

For a more in depth step by step, go here.

And as always, you can email me at [email protected]!

Plausible Deniability with Hidden Truecrypt Volumes

Plausible Deniability basically means being able to deny awareness of something. For a richer explanation, check out Wikipedia’s article on the subject; it’s quite interesting.

In regards to Truecrypt, our subject of the week, Plausible Deniability refers to the ability to hide encrypted volumes within encrypted volumes, since it cannot be proven that a hidden volume exists within a Truecrypt volume.

Hidden volumes can contain just about any data, including entire operating systems. It is important to note that the sectors of a hidden volume do not change over time. If an adversary had access to the outer volume contents over a period of time, the existence of a hidden volume could be proven if files were never read or written to or from these sectors.

Questions? Comments? Write me directly, [email protected] or send feedback to the entire Hak5 crew.


  • plbour

    Great episode. Will a Harddrive password take care of the full drive encryption? Most of our laps are Dells with built in.

  • plbour

    Definitely…. My policy states not to save anything locally. So if they lose something it’s their issue.

  • Kodess

    Instead of doing a hidden partition, how about making sure they don’t know you use truecrypt?
    How to do it? Easy:

    1. Use steganography to hide the truecrypt volume in a video or music file, since these can vary a lot in size due to quality without causing suspicion.

    2. Don’t store the Truecrypt program on your laptop/PC, but on a USB stick you carry around.

    Now how do they know you even HAVE an encrypted volume? 😀

  • Brainhacker12

    Sorry guys to tell you, but this episode was just some faq’s out of the truecrypt website. The content of this episode was just some wikipedia-knowledge, that had nothing to do with hacker-knowledge.
    Please bring back the good stuff. I know you can, because you used to have terrific episodes. Perhaps you could have spiced this episode up with some real life situations. Draw some pictures of it, which key seals which file, etc. You could have shown us in which situation we could use truecrypt in which mode. Tell us what pro’s and con’s this would have. You could have analysed situations like:
    “I like to carry along 1GB of music, for which I didn’t pay, on my laptop and probably someone will check my laptop, how can I protect myself?”
    Or like
    “I have 100GB of adult movies on my PC and I don’t want anyone ever to find it, even if I suddenly decease, what to do?”
    And you could have gone up to:
    “I have a thumbdrive with me on which I have a document which proves the existence of aliens, how can I hide these files so nobody will ever find out I have this information, even if they point on me with a gun. Surely they don’t stop until they found something on my encrypted drive that was worth encrypting”

    Please Hak.5 bring back your hacker-knowledge

  • Jonas3d

    Great show guys! I have to say that whole episode was made whole by the bloopers, with matt doing what ever that was. 😀

  • rockstar


    please go back to the old stuff, please. i liked it better when you guys did stuff that you loved, and you knew. the virtualization stuff however is fucking good.

    but sadly, the show suffers from stuff you guys aren’t passionate or in to. show just sucks when people like shannon have to ‘study’ for 2 hours because she doesn’t know what she’s talking about.

  • David H

    Not a bad show, but it would have been better as a small segment on a longer show covering other topics.

    Two caveats about Truecrypt:

    1. The hidden volume would only work if A. The guy with a gun wasn’t knowledgeable about Truecrypt and B. He wasn’t willing to continue beating you senseless for the second password. Still a cool feature.

    2. Using a keyfile is a good idea, but that keyfile can never change. I believe Truecrypt examines the hash of that file. I once used an MP3 of one of my favorite songs as the keyfile. Later, I updated the tag information in the song (added the album name or something) and it altered the hash, rendering the keyfile unrecognized by Truecrypt and my data lost.

  • Mnemonic

    This is kinda what happens when doing something that you love and are passionate about starts to become an ongoing chore.
    It’s no one’s fault and as human nature, it’s completely understandable.

    I think hak5 needs to step back and reassess the value in churning out an episode a week, and I suppose its relationship with rev3 might even be on the cards.

    I’m a fan of hak5, don’t get me wrong, but frankly i haven’t watched an episode in a long time.

  • TheFu

    Truecrypt rocks!

    With that said, whole drive encryption is dangerous. How do you solve a logical file system issue that is inside the fully encrypted partition? How does IT support gain access to a system that’s fully encrypted short of wiping the disk and starting over?

    It is much easier to build encrypted volumes sized about 3.9GB, so they fit on DVDs and there’s room for par2 files to recover from any media corruption.

    If you encrypt everything, everyone will know you’re trying to hide “something” even if a hidden volume is used. If you encrypt something titled `x-wing-v4.56.iso` and it is 3.9 GB, they probably won’t bother looking too closely at it. It doesn’t look suspicious.

    Don’t get me wrong, all private and personal data NEEDS to be encrypted, even on desktops. What happens when there’s a failure? For most people, they take the computer into geek-squad and pay $200 for a fix. During that time, every interesting file is pulled onto a USB drive by the techs, for fun. I want my files, emails, PST, docs, xls to all be encrypted.

  • Steve Steiner

    Truecrypt is great! I use it at work to create encrypted containers to hold data generated from our site assessments and other security work. I have not tried full disk encryption with it yet, my only concern is, what happens when I need to decrypt the entire drive because it is going bad and want to get my data off before total crash? Does Truecrypt have a way to do this?

  • Steve Steiner


    We use a full drive encryption from one of the commercial vendors, and have been able to decrypt a drive using a couple of different methods supplied by the vendor.

  • imag1narynumber

    I’ve read where a portion of a file gets corrupted, thus destroying any chance of decrypting/using your HD if there’s full-drive encryption. So you make crazy amounts of backups? Doesn’t that get laborious?

  • Matt Buxton

    imag1narynumber – That’s hogwash, if a portion of a file gets corrupted you lose that portion of a file, if a portion of a truecrypt container gets corrupted you only lose the block or blocks where the corruption occurs. The only critical bit is the volume header which you can backup.

  • CryptFu

    TrueCrypt has the option not to check the rescue disc, however it involves starting the “TrueCrypt Format.exe” /n [or /noisocheck]. It will still create an ISO, but you can store that on a central server and only burn if you need it. (http://www.truecrypt.org/docs/command-line-usage)

    As far as TrueCrypt in a corporate environment, there is no central management, but using the method outlined in the user guide you can safely deploy TrueCrypt because you can always reset the password. Here is the excerpt from the manual:
    “Note that these features can be used in a corporate environment to reset volume passwords in case a user forgets it (or when he/she loses his/her keyfile). After you create a volume, backup its header (select Tools -> Backup Volume Header) before you allow a non-admin user to use the volume. Note that the volume header (which is encrypted with a header key derived from a password/keyfile) contains the master key with which the volume is encrypted. Then ask the user to choose a password, and set it for him/her (Volumes -> Change Volume Password); or generate a user keyfile for him/her. Then you can allow the user to use the volume and to change the password/keyfiles without your assistance/permission. In case he/she forgets his/her password or loses his/her keyfile, you can “reset” the volume password/keyfiles to your original admin password/keyfiles by restoring the volume header backup (Tools -> Restore Volume Header).”

    The show is still awesomeness. Keep up the great work.

    PS: What do you think of ZFS?

  • b0b

    What an episode!

    Snubs was indescribably annoying in the beginning just saying “what ever he said”. Matt looked at her weird @ 1:37
    And as another post mentioned it was funny, in a private invading way, to see snubs’ illegal movie downloads. Remember winners don’t do warez, right?

    This episode was fun to watch, but maybe not in the way you intended.

  • birus

    Interesting topic for sure. I have thought about messing with TrueCrypt on my desktop PC at home maybe I’ll have to revisit that thought again soon.

    Have you heard or had to use PointSec PC (now called Check Point Full Disk Encryption)? It appears to be something designed or pitched towards corporate environments.

  • Rickh925

    Couple of comments. I implemented TrueCrypt over about 20 medical laptops where we have HIPAA concerns about patient data. The users of the laptops are not the most technical and are prone to forgetting their password so my first tip from a corporate standpoint if you are going to use TrueCrypt is this (and sorry if it is on the Truecrypt.org website).

    Initially you do Whole Drive Encryption(WDE) with a password only the IT dept knows that I’ll call password01 for machine 01 and password02 for machine 02 and so on. Then you save the required ISO as a file someplace on your corporate LAN protected of course and backed up(DON’T forget that!). Next, allow the end user to change the TrueCrypt password to something that they know. This will change the encryption key that encrypts the symmetric key(that is not changed by a simple password change) that actually does the disk encryption/decryption. Now, if the end user forgets the password you can send them a CD(from the ISO) with the known password on it. You boot from that CD to then allow access to the previously locked drive.

    Second tip that I use when I travel abroad with my WDE laptop. To keep from being compelled to give my password, you can change the screen that is offered at boot from the “dead give away” screen that tells you to enter your password to something more fun like “Missing Operating System” or some sort of STOP message. When the laptop boots you get only that prompt and you have to know that you need to type your password. Nothing you type will show on the screen even as asterisks. If you type the wrong password and press enter you get no feedback except that the computer does not boot, not even a CRLF. This allows me to freak out in front of the customs official about my dead laptop. There is probably some way to look at the boot sector to realize that it is waiting for something to be entered but at least the typical person is going to just feel sorry for you.

    One final tip, don’t forget to whole drive encrypt your external drives. I bet more USB attached drives are left on airplanes, in hotels, and on board room tables than laptops and they frequently have very damaging data on them.

    TrueCrypt doesn’t(to my knowledge as of v6.1) support the TPM on the newer laptops but it may not be necessary. I think that with Win7 BitLocker is going to become the corporate standard since it integrates nicely with TPM and AD and now allows encryption of external drives as well as blocking the writing to an unencrypted USB attached drive which is very cool.

    Sorry for the rant but TC is one of my must have’s.
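
The header-backup password reset that CryptFu and Rickh925 describe above, as a toy model added here (it is not TrueCrypt's code and not from either commenter). The salt size, iteration count, `TRUE` marker layout and the HMAC-based stream cipher are illustrative stand-ins, and all function names are hypothetical; `password01` is the admin password from Rickh925's comment.

```python
import hashlib, hmac, os

SALT_LEN = 64      # per-header random salt (illustrative size)
MAGIC = b"TRUE"    # known marker: tells us the header decrypted correctly

def _header_key(password: str, salt: bytes) -> bytes:
    # Header key is derived from the password; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 1000)

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA512 in counter mode), a stand-in for the real cipher.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha512).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def make_header(password: str, master_key: bytes) -> bytes:
    salt = os.urandom(SALT_LEN)
    return salt + _keystream_xor(_header_key(password, salt), MAGIC + master_key)

def open_header(password: str, header: bytes):
    """Return the master key, or None if the password does not fit this header."""
    salt, sealed = header[:SALT_LEN], header[SALT_LEN:]
    plain = _keystream_xor(_header_key(password, salt), sealed)
    return plain[len(MAGIC):] if plain.startswith(MAGIC) else None

def change_password(old: str, new: str, header: bytes) -> bytes:
    # Only the header is re-wrapped; the master key (and the disk data) is untouched.
    master_key = open_header(old, header)
    if master_key is None:
        raise ValueError("wrong password")
    return make_header(new, master_key)

def reset_scenario():
    master_key = os.urandom(64)                    # constructed; encrypts the sectors
    live = make_header("password01", master_key)   # IT creates the volume
    backup = live                                  # the saved header backup
    live = change_password("password01", "users-own-secret", live)
    return {
        "user_opens_live": open_header("users-own-secret", live) == master_key,
        "admin_opens_live": open_header("password01", live) is not None,
        "admin_opens_backup": open_header("password01", backup) == master_key,
    }

if __name__ == "__main__":
    print(reset_scenario())
```

The same property that makes the reset work also means a password change does not retire an old header: anyone holding the backup and its original password can still recover the master key, so the backup needs the same protection as the volume.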


  • ho0d0o

    Years of watching you guys and seeing the GoDaddy sponsorship has led me to jump on the proverbial bandwagon and launch my own site. It’s a streaming anime site dedicated to the fans and for the fans I can only hope to have the kind of success you guys have had in spreading the 1337sauce that we all love so much!

    Guys come check it out if you like anime at AnimeFruit.com

    and I promise it’s totally pro.


