
TrueCrypt Installation and Deployment

DS035 - Truecrypt installation and deployment - v1.0 - Master.docx Page 1 of 13

Academic Services

Information & Computing Systems Division

Desktop Support

Truecrypt Installation and Deployment

Document reference: DS035

Document type: Desktop Support Procedure

Document status: Live

Review period: Twelve months

Next review date: 12 October 2011


1 TABLE OF CONTENTS

1 Table of Contents

2 Document History

2.1 Document location

2.2 Revision history

2.3 Approvals

3 Introduction

4 Pre installation steps

4.1 Data backup

4.2 Initial assessment of the device/health check

4.3 Check disk configuration

4.4 Analyse and defragment disk

4.5 Create rescue disk folder

5 Install the TrueCrypt application

6 Encryption

7 Post Encryption

7.1 Create TRD rescue CD

7.2 Test the TRD rescue CD

8 User deployment steps

8.1 Change user password

8.2 User awareness

9 Technical Information

9.1 Limitations

9.2 Possible issues

9.3 Further reading


2 DOCUMENT HISTORY

2.1 DOCUMENT LOCATION

This document can be accessed from the following location:

http://as.exeter.ac.uk/it/equipmentandsoftware/howto/

2.2 REVISION HISTORY

The latest revision can be found at the top of the list:

Revision Date        Author        Version   Summary of Changes
2nd September 2010   Sue Watling   1.0       First live version

2.3 APPROVALS

This document requires the following approvals:

Name          Title                             Version   Date of approval
Paul Grogan   Incident Response Team Leader     1.0       12th October 2010


3 INTRODUCTION

This document is intended for use by University of Exeter Desktop Support staff and the CDOs supporting colleges. It guides the installation of the TrueCrypt encryption software onto university-provided laptops and applies to the UoE recommended makes/models/builds of laptops running Windows XP SP3. The instructions describe encryption of the entire disk.

4 PRE INSTALLATION STEPS

4.1 DATA BACKUP

Confirm that the user has backed up their data, including Outlook archive .pst files.

If not, back up the data to a removable device before continuing.

4.2 INITIAL ASSESSMENT OF THE DEVICE/HEALTH CHECK

Technical staff assess the device and, if deemed necessary, reimage it.

Health check: look for any evidence of hardware faults, Windows faults or viruses/malware.

Check that Windows XP SP3 is installed.

4.3 CHECK DISK CONFIGURATION

TrueCrypt may be installed on any PC that has been set up in the standard way (as described in the relevant DS documents), that is, one Windows operating system filling the whole disk on a single partition.

However, TrueCrypt may also be applied to any partition on a multi-partition disk provided it is a "primary" partition; "logical" partitions are not supported.

If whole-disk encryption is desired and there are logical partitions, their contents must be saved, the logical partitions deleted and replaced with primary partitions, and the contents restored to the new partitions.

4.4 ANALYSE AND DEFRAGMENT DISK

Run Disk Defragmenter from XP System Tools

Analyse C: drive, and D, E etc. if the disk is partitioned.

Defragment if advised to do so by the application

Reboot


4.5 CREATE RESCUE DISK FOLDER

During the encryption wizard you will be prompted for the name and location of a rescue disk image file (for later burning to a CD).

Log in to the device with any admin account.

Create a drive mapping to the server location where rescue disk images are stored. This must be an area accessible only to the IT support team: each .iso contains a backup of the laptop's volume header, which together with the IT support password (see section 6) is enough to decrypt that laptop.

Create a new folder named after the laptop's machine name, e.g. B6YT998. This folder will hold the TRD rescue disk .iso.

5 INSTALL THE TRUECRYPT APPLICATION

If you have not done so, download and install TrueCrypt. Desktop Support Staff can find TrueCrypt on the desktop support shared drive. The latest version of TrueCrypt can be downloaded from here: http://www.TrueCrypt.org/downloads

Start the setup of TrueCrypt.

Accept the licence

At the next window, make sure "Install" is selected, click “Next”

At the next window headed Setup Options:

un-tick "Add TrueCrypt to Start menu"

un-tick "Add TrueCrypt icon to Desktop"

This hides the software from the user as a precaution. Note that it only removes the shortcuts: the application remains in C:\Program Files\TrueCrypt and can still be run from there (section 8.1 does exactly this), so it is not a control against a determined user.

Select “Install”


Wait for installation to complete then select “Finish”.

6 ENCRYPTION

Note: use an optical mouse for this stage. The wizard collects random mouse movement to generate the encryption keys, and an optical mouse makes that easiest.

Select "Start", then "Run", type cmd and click "OK".

Change to drive C: by typing c: and pressing Return.

Change to the TrueCrypt directory by typing the following, including the quotes:

cd "\Program Files\TrueCrypt"

Run the format tool as follows. The quotes enclose only the program name, because the executable is "TrueCrypt Format.exe" and the space in its name must be quoted; /noisocheck is a switch passed to it:

"TrueCrypt Format" /noisocheck

(Starting the program with this switch skips the built-in verification of the rescue CD. Normally TrueCrypt requires the .iso to be burned and then checks the disc in the drive before it allows the process to continue; skipping this considerably speeds up the process, which is especially useful when encrypting a large number of laptops. The cost is that nothing has confirmed that the CD is good, so burn and verify it yourself in section 7 before the laptop leaves IT support.)

You will now be presented with the TrueCrypt Volume Creation Wizard.


Select “Encrypt System Partition or Drive”. Click Next.

Select "Normal – Encrypt the system partition or entire hard drive". Click "Next".

Select “Encrypt the whole drive” (the standard desktop support imaged laptop has only one partition). Click “Next”.


Select “Yes” to encrypt the host protected area and then click “Next”.

Select “Single Partition” boot (with the standard image Windows XP is the only installed operating system). Then click “Next”.

Leave the encryption options as the defaults. Click “Next”.

The next step is very important: you now have to set a password. The dialog will recommend a stronger one, and the user will set one of their own in section 8.1; at this stage, however, we recommend using a single known IT support password for all devices in a department. The rescue CD created in the following steps contains a backup of the volume header, i.e. the master key encrypted under this password. Restoring that header from the CD replaces whatever password the user later chose, so IT support can regain access if the user locks themselves out or the header on disk becomes corrupted. Note the consequence: anyone holding a laptop's rescue .iso together with the departmental IT support password can decrypt that laptop regardless of the user's password, and changing the user's password never invalidates the .iso. Keep the rescue disk folder restricted to IT support and treat the shared password as a privileged credential.


Enter the password twice and select “Next”.

A warning pops up about the dangers of short passwords. Click "Yes" to continue, since the password will be changed to a longer, stronger one when the laptop is rolled out to the user.

Now move your mouse as randomly as possible within the Volume Creation Wizard window for at least 30 seconds. The mouse movements feed TrueCrypt's random number generator, from which the master key is generated; the longer and more erratic the movement, the more entropy goes into the key. (This strengthens the key, not the password.) Click "Next".

Click “Next” again at the Keys Generated summary window.

You are now requested to create a TrueCrypt Rescue Disk (TRD).


Select “Browse”, navigate to the rescue disk folder for this laptop.

Name the .iso file after the machine name of the laptop, remembering to add the ".iso" extension, e.g. B6YT998.iso.

Click “Next”.

The rescue disk image is created.

Click “Next”.

Select default options for all the following steps.

The PC will reboot

ENSURE THE LAPTOP IS ON MAINS POWER DURING THE NEXT STEP

Enter your TrueCrypt password at the TrueCrypt bootloader screen. You may briefly see a Windows setup screen.

Login with the same account and you will be presented with the following screen

Select “Encrypt”

The drive now starts encrypting. How long this takes depends on the size of the hard drive, the speed of the machine and so on; the remaining time shown during the process fluctuates and should not be relied upon. Encryption can be paused and resumed at the discretion of the user.

When the Encryption process is complete Click “OK” and “Finish”.


7 POST ENCRYPTION

7.1 CREATE TRD RESCUE CD

Using the TRD .iso file created during the encryption process, create the rescue CD with a CD burning application. This can be done on any computer with a CD writer. Because the wizard was run with /noisocheck, TrueCrypt has not verified the burn; check the disc yourself before filing it.
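Because the wizard was started with /noisocheck (section 6), TrueCrypt never confirmed that the burned disc matches the .iso. The script below is an added example, not part of this procedure or of TrueCrypt, that does that comparison: it reads the disc (or any copy of the image) byte for byte against the .iso and also records the ISO's SHA-256 so the hash can be kept in the rescue disk folder next to the image. The device path (\\.\D: on Windows from an elevated prompt, /dev/sr0 on Linux), the Python interpreter and the sample images built in demo_with_constructed_images() are assumptions made for this example; the machine name B6YT998 is the one used in section 4.5.

```python
"""Byte-for-byte check of a burned TrueCrypt Rescue Disk against its .iso image.

Added example for this procedure; not TrueCrypt code. Assumes the disc is
readable as a raw block device (e.g. \\.\D: on Windows, /dev/sr0 on Linux).
"""
import hashlib
import os
import sys
import tempfile

SECTOR = 2048  # ISO 9660 logical block size; raw optical reads must be sector multiples


def _read_exact(fh, n):
    """Read n bytes from fh, looping because raw devices may return short reads."""
    buf = bytearray()
    while len(buf) < n:
        part = fh.read(n - len(buf))
        if not part:  # end of stream: the disc is shorter than the image
            break
        buf += part
    return bytes(buf)


def verify_rescue_disk(iso_path, device_path, chunk=SECTOR * 512):
    """Compare the first len(iso) bytes of device_path with the ISO.

    Returns (matches, sha256_of_iso). Only the image length is compared because
    a burned disc may carry padding after the image. The digest is always taken
    over the whole ISO so it can be recorded even when the disc is bad.
    """
    iso_size = os.path.getsize(iso_path)
    digest = hashlib.sha256()
    matches = True
    done = 0
    with open(iso_path, "rb") as iso, open(device_path, "rb") as dev:
        while done < iso_size:
            want = min(chunk, iso_size - done)
            expected = _read_exact(iso, want)
            if not expected:
                break
            digest.update(expected)
            # once a mismatch is found stop reading the disc but finish the digest
            if matches and _read_exact(dev, len(expected)) != expected:
                matches = False
            done += len(expected)
    return matches, digest.hexdigest()


def demo_with_constructed_images():
    """Constructed sample data (not a real TRD): a 3-sector 'ISO' plus a faithful
    burn, a burn with one flipped byte and a truncated burn. Returns the verdicts."""
    image = bytes(range(256)) * (3 * SECTOR // 256)  # 6144 deterministic bytes
    corrupt = bytearray(image)
    corrupt[5000] ^= 0x01
    samples = (("B6YT998.iso", image), ("faithful", image),
               ("corrupt", bytes(corrupt)), ("truncated", image[:-SECTOR]))
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in samples:
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as fh:
                fh.write(data)
        results = {name: verify_rescue_disk(paths["B6YT998.iso"], paths[name], chunk=SECTOR)
                   for name in ("faithful", "corrupt", "truncated")}
    verdict = {name: ok for name, (ok, _) in results.items()}
    verdict["one_digest"] = len({sha for _, sha in results.values()}) == 1
    return verdict


if __name__ == "__main__":
    # usage: python verify_trd.py \\server\rescue\B6YT998\B6YT998.iso \\.\D:
    ok, sha = verify_rescue_disk(sys.argv[1], sys.argv[2])
    print("OK" if ok else "MISMATCH", "sha256:", sha)
    sys.exit(0 if ok else 1)
```

A non-zero exit means the disc must be re-burned; the printed SHA-256 is the value to store alongside the .iso so a later operator can confirm the image on the share has not been altered.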

7.2 TEST THE TRD RESCUE CD

Note: the steps below restore the volume header from the rescue CD, which replaces the password currently set on the laptop with the IT support password that was in force when the .iso was created. Use them when a user is locked out or the on-disk header is corrupted (see section 6), not as a routine test. To check only that the CD is readable, boot from it, confirm that the TrueCrypt Rescue Disk screen appears, then remove the CD and boot normally.

Enter the BIOS if necessary and set the boot device priority so that the CD drive is first.

Put the TRD rescue CD into the drive and reboot.

Press F8 at the rescue disk boot screen to enter the repair options.

Select option 3 to restore the key data (volume header) held on the rescue CD, i.e. the header encrypted with the IT support password.

Type the IT support password when prompted.

Reboot the PC and enter the IT support password at the TrueCrypt bootloader. The user's own password no longer works after a header restore; set it again as described in section 8.1.


8 USER DEPLOYMENT STEPS

8.1 CHANGE USER PASSWORD

1. Boot the PC and enter the IT Support TrueCrypt password.
2. Log in to Windows (using any user login with admin rights).
3. Navigate to the TrueCrypt folder c:\program files\TrueCrypt
4. Run TrueCrypt.exe
5. From the "System" menu select "Change Password".
6. Enter the current password (IT Support) for them and then allow the user to create their own.
7. Click "OK", confirm "Yes" when prompted and "OK" after the password has been changed.
8. Reboot the PC.
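The reason the rescue CD still works after step 6, and the reason sections 4.5 and 6 insist on protecting the .iso and the shared IT support password, is that changing the password rewrites only the volume header: the master key that actually encrypts the disk is generated once (section 6) and never changes, and the rescue image holds a copy of the header that wraps that key under the IT support password. The following toy model is an added illustration of that design, not TrueCrypt's own code or header format (it uses a simplified PBKDF2-plus-XOR wrap with an HMAC tag purely to make the point); the password values and the 32-byte key are assumed for the example. It shows that the user's new password opens the on-disk header, the IT support password no longer does, but the IT support password still opens the copy in the rescue image.

```python
"""Toy model of TrueCrypt-style header/password separation.

Added example for this procedure; not TrueCrypt's header format. The wrap
(PBKDF2 -> XOR keystream -> HMAC tag) is a stand-in chosen to keep the
example short; TrueCrypt's real header uses XTS and a different layout.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32  # master key size used in this toy


def _derive(password, salt):
    """Password -> (wrapping key, MAC key); iteration count is a toy choice."""
    k = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, 10_000, dklen=64)
    return k[:32], k[32:]


def make_header(master_key, password):
    """Wrap the master key under a password. The master key itself is untouched,
    so any number of headers can wrap the same key under different passwords."""
    salt = secrets.token_bytes(16)
    wrap_key, mac_key = _derive(password, salt)
    pad = hashlib.sha256(wrap_key).digest()  # keystream for the toy XOR wrap
    wrapped = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def open_header(header, password):
    """Return the master key if the password fits this header, else None.
    The MAC check is what makes a wrong password fail cleanly."""
    wrap_key, mac_key = _derive(password, header["salt"])
    tag = hmac.new(mac_key, header["salt"] + header["wrapped"], "sha256").digest()
    if not hmac.compare_digest(tag, header["tag"]):
        return None
    pad = hashlib.sha256(wrap_key).digest()
    return bytes(a ^ b for a, b in zip(header["wrapped"], pad))


def deployment_scenario(it_password="Dept-Shared-2010",
                        user_password="correct horse battery staple"):
    """Walk through sections 6, 7.1 and 8.1 of the procedure with the toy model.
    Both passwords are assumed values for the example."""
    master_key = secrets.token_bytes(KEY_LEN)         # section 6: generated once
    on_disk = make_header(master_key, it_password)    # section 6: IT support password
    rescue_copy = dict(on_disk)                       # section 7.1: copied into the .iso
    on_disk = make_header(master_key, user_password)  # section 8.1: user changes password
    return {
        "user_password_on_disk": open_header(on_disk, user_password) == master_key,
        "it_password_on_disk": open_header(on_disk, it_password) == master_key,
        "it_password_on_rescue_copy": open_header(rescue_copy, it_password) == master_key,
        "user_password_on_rescue_copy": open_header(rescue_copy, user_password) == master_key,
    }


if __name__ == "__main__":
    for check, result in deployment_scenario().items():
        print(f"{check:32s} {'opens' if result else 'refused'}")
```

The third line of output is the whole point: the rescue copy plus the departmental password opens the disk for as long as that .iso exists, no matter what the user later does in TrueCrypt, which is why the share holding the images and the shared password deserve the same protection as the laptops themselves.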

8.2 USER AWARENESS

Convey the following points to the user.

8.2.1 What has been installed

Explain all changes made, including security updates, XP SP3, virus software etc.

The TrueCrypt application provides full disk encryption with pre-boot authentication, i.e. from now on the user will be presented with an additional login before Windows starts.

"Hassle factor vs end-user experience": explain that laptop encryption is the University's response to its legal obligation to protect sensitive information from unauthorised access, and to the liability that follows from a breach.

8.2.2 What it does (*including ramifications if they adjust TrueCrypt settings)

The whole hard disk is encrypted, so every file currently on the drive and any new files will be automatically encrypted.

It does not automatically encrypt files that are transferred to a location off the laptop, i.e. removable media drives, network drives etc. So a file copied to another PC is not encrypted/protected.

There is no reason for a user to open the TrueCrypt application and make any changes to settings. If they do they will risk making the laptop and their data inaccessible.

8.2.3 Password creation (suggest 12-15 characters, letters, numbers and symbols).

In order for their password to be effective, we advise a strong password is used.

8.2.4 Password storage considerations, i.e. not stored with laptop

Advise the user not to store the password with the laptop.

8.2.5 Support arrangements

Advise the user that should the password need to be changed or there are any problems please contact the IT helpdesk.


9 TECHNICAL INFORMATION

You may find the following information useful.

9.1 LIMITATIONS

When the system partition/drive is encrypted, the system cannot be upgraded (for example, from Windows XP to Windows Vista) or repaired from within the pre-boot environment (using a Windows setup CD/DVD or the Windows pre-boot component). In such cases, the system partition/drive must be decrypted first. Note: A running operating system can be updated (security patches, service packs, etc.) without any problems even when the system partition/drive is encrypted.

See also: the issues and limitations section at http://www.truecrypt.org/docs/

9.2 POSSIBLE ISSUES

When you log on to the domain you may see the following Stop error:

STOP 0x00000035 (0x8207ecd8, 0x00000000, 0x00000000, 0x00000000) NO_MORE_IRP_STACK_LOCATIONS

This occurs when both of the following are true:

more than three programs that are related to file security are installed, for example more than three antivirus or file-encryption programs (each adds a filter driver to the I/O stack, and TrueCrypt counts as one of them); and

the computer is part of a domain.

Further information and a solution can be found at http://support.microsoft.com/kb/906866

9.3 FURTHER READING

http://www.truecrypt.org/

The documentation section of the above website is a good resource for information.