Security :: TrueCrypt Encryption for Windows XP


TrueCrypt is an open source on-the-fly encryption program for Windows XP, Windows 2000, and Linux; it should NOT be used with Windows 7 or Vista (use BitLocker with those OSs). TrueCrypt can create what it calls a “file-hosted container”: an encrypted volume stored inside an ordinary file that is mounted as a virtual drive, with data encrypted as it is written and decrypted as it is read. Because the program can create its own containers and has a travel mode (TrueCrypt’s “Traveler Disk”, which copies the program files onto the removable drive next to the container), it is a very useful tool for encrypting USB devices such as flash drives. TrueCrypt cannot be integrated with Active Directory, and there is no master password or recovery mechanism: if the password is lost or the volume header that holds the encryption key is damaged, the data is unrecoverable. Keep a backup of the volume header (Tools > Backup Volume Header) in addition to the password escrow described below.
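The following script is an added example, not code from this page or from the TrueCrypt project. It mounts a file-hosted container from a traveler-mode USB stick using TrueCrypt.exe’s documented command-line switches, confirms that the virtual drive actually appeared, and later dismounts it while wiping cached passwords from the driver. The traveler-disk path (E:\TrueCrypt\TrueCrypt.exe), the container path (E:\vault.tc), and the drive letter T: are assumptions; change them for your own stick. The password is deliberately not passed with the /p switch, because a command-line password is visible to other users in Task Manager and in shell history.

```powershell
# Added example (not from the HSU page or the TrueCrypt project).
# Mount a TrueCrypt file-hosted container from a traveler disk, verify it,
# and dismount it cleanly. Switch meanings are taken from the TrueCrypt user
# guide's command-line usage section.
#
# ASSUMED values: adjust for your own removable drive.
$TrueCryptExe = 'E:\TrueCrypt\TrueCrypt.exe'   # assumed traveler-disk copy of TrueCrypt
$Container    = 'E:\vault.tc'                  # assumed file-hosted container
$DriveLetter  = 'T'                            # assumed free drive letter

function Mount-TcContainer {
    param([string]$Exe, [string]$Volume, [string]$Letter)

    if (-not (Test-Path $Exe))    { throw "TrueCrypt.exe not found at $Exe" }
    if (-not (Test-Path $Volume)) { throw "Container not found at $Volume" }
    if (Test-Path "${Letter}:\")  { throw "Drive ${Letter}: is already in use" }

    # /v  volume to mount          /l  drive letter to mount it on
    # /q  perform the action and exit without showing the main window
    # /h n  do not save the volume path in TrueCrypt's history
    # /c n  do not cache the password in the driver
    # No /p: TrueCrypt prompts for the password in its own dialog instead of
    # taking it from the (world-readable) command line.
    $tcArgs = @('/v', $Volume, '/l', $Letter, '/q', '/h', 'n', '/c', 'n')
    Start-Process -FilePath $Exe -ArgumentList $tcArgs -Wait | Out-Null

    # Do not assume success: confirm the virtual drive is really there.
    if (-not (Test-Path "${Letter}:\")) {
        throw "Volume did not mount on ${Letter}: (wrong password, or driver not loaded?)"
    }
    Write-Host "Mounted $Volume as ${Letter}:"
}

function Dismount-TcContainer {
    param([string]$Exe, [string]$Letter)

    # /d  dismount the volume on this letter
    # /w  wipe any cached passwords from the driver
    # /q  exit without showing the main window
    # /f (force) is intentionally omitted: TrueCrypt then refuses to dismount
    # while files on the volume are open, which is the safe behaviour before
    # the stick is unplugged.
    $tcArgs = @('/d', $Letter, '/w', '/q')
    Start-Process -FilePath $Exe -ArgumentList $tcArgs -Wait | Out-Null

    if (Test-Path "${Letter}:\") {
        throw "Drive ${Letter}: is still mounted; close open files and retry"
    }
    Write-Host "Dismounted ${Letter}:"
}

# Usage: mount, work with the files on T:, then dismount before removing the stick.
Mount-TcContainer -Exe $TrueCryptExe -Volume $Container -Letter $DriveLetter
# ... copy or edit protected files on T: here ...
Dismount-TcContainer -Exe $TrueCryptExe -Letter $DriveLetter
```

Traveler mode still has to load the TrueCrypt kernel driver, so the script must run from an account with administrator rights on the host; the Test-Path check after mounting is what tells you the driver loaded and the password was accepted, since a dismissed password dialog leaves no drive behind.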

Do not encrypt the only copy of protected data. Mobile devices have a greater exposure to damaging environments, and data on these devices, encrypted or not, can suddenly become unrecoverable. Please work closely with ITS to ensure that you create data security, not a data disaster.

Note: If you have Level 1 protected data on a laptop or netbook running Windows XP or earlier, HSU recommends upgrading the system to Windows 7 at the earliest opportunity. Contact the Technology Help Desk for more on how to get your OS upgraded.

Installation and use

Download and install the latest version of TrueCrypt from http://www.truecrypt.org/downloads

To comply with HSU and CSU security policies, and to provide recovery options in the event of illness, injury, or other incapacity, the password used to decrypt the system must be shared with trusted HSU ITS staff. The system encryption wizard also requires you to create a TrueCrypt Rescue Disk, which must be stored securely: it is the only way to repair a damaged boot loader or volume header on an encrypted system drive.

TrueCrypt can encrypt, on the fly, the system partition or the entire drive from which Windows boots.

To encrypt a system partition or entire system drive, select System > Encrypt System Partition/Drive and then follow the instructions in the wizard.

Note that:

  • System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first track of the boot drive and on the TrueCrypt Rescue Disk.
  • TrueCrypt can encrypt an existing unencrypted system partition/drive in-place while the operating system is running (while the system is being encrypted, the computer can be used normally). Likewise, a TrueCrypt-encrypted system partition/drive can be decrypted in-place while the operating system is running. You can interrupt the process of encryption or decryption at any time, leave the partition/drive partially unencrypted, restart or shut down the computer, and then resume the process, which will continue from the point it was stopped.

To decrypt a system partition/drive, select System > Permanently Decrypt System Partition/Drive.
