Academic Services
Exeter IT Desktop Support

TrueCrypt Installation and Deployment

Document reference: DS035
Document type: Desktop Support Procedure
Document status: Live
Review period: Twelve months
Next review date: 14 Dec 2013

DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 1 of 16
1 TABLE OF CONTENTS

1 Table of Contents ... 2
2 Document History ... 3
2.1 Document location ... 3
2.2 Revision history ... 3
2.3 Approvals ... 3
2.4 Reviews ... 3
3 Introduction ... 4
4 Pre-installation Steps ... 4
4.1 Data backup ... 4
4.2 Initial assessment of the machine / health check ... 4
4.3 Check disk configuration ... 4
4.4 chkdsk ... 4
4.5 Analyse and defragment disk ... 5
4.6 Create rescue CD folder ... 5
5 Install the TrueCrypt Application ... 6
6 Encryption ... 6
6.1 Re-encryption ... 11
7 User Deployment Steps ... 11
7.1 Change user password ... 11
7.2 User awareness ... 11
8 Recovery Procedures ... 12
8.1 Recovery of the original IT support password ... 12
8.2 Procedure for decrypting the hard drive ... 14
9 Technical Information ... 15
9.1 Limitations ... 15
9.2 Possible issues ... 15
9.3 Further reading ... 15
10 Appendix: Recommended Windows Configuration ... 16
11 Appendix: Naming Convention for Header Files ... 16
2 DOCUMENT HISTORY

2.1 DOCUMENT LOCATION

This document can be accessed from the following location: http://www.exeter.ac.uk/it/equipmentandsoftware/howto

2.2 REVISION HISTORY

The latest revision can be found at the top of the list:

Revision Date | Author | Version | Summary of Changes
14 Dec 2012 | Rob Hatswell | 2.4 | Amended Encryption process, amended Recovery procedure, minor changes to text
10 Oct 2011 | Bill Lambert | 2.3 | Added re-encryption information
9 May 2011 | Paul Field | 2.2 | Fixed typo in one of the technical comments
April 2011 | Various | 2.1 | Minor tweaks, mostly cosmetic. Added some extra tips
25th February 2011 | Various | 2.0 | Additional sections added for user advice, data recovery issues, Windows configuration and header naming conventions
2nd September 2010 | Sue Watling | 1.0 | First live version

2.3 APPROVALS

This document requires the following approvals:

Name | Title | Version | Date of approval
Matt Coppell | Incident Response Team Leader | 2.4 | 14 Dec 2013
Paul Grogan | Incident Response Team Leader | 2.3 | 10 Oct 2011
Paul Grogan | Incident Response Team Leader | 2.2 | 9 May 2011
Paul Grogan | Incident Response Team Leader | 2.1 | 5 May 2011
Paul Grogan | Incident Response Team Leader | 2.0 | 25 March 2011
Paul Grogan | Incident Response Team Leader | 1.0 | 12 October 2010

2.4 REVIEWS

This document was reviewed at the following dates with no updates required:

Name | Version | Date of Review | Notes
3 INTRODUCTION

This document is intended to be used by the University of Exeter's Desktop Support staff and CDOs supporting Colleges. It is to be used to guide the installation of TrueCrypt encryption software onto University-provided laptops.

This document has been written to be applicable to the University's recommended makes/models/builds of laptops running Windows XP SP3; however, the software does support other versions of Windows and other operating systems. More information on supported operating systems can be found by visiting the link below.

http://www.truecrypt.org/docs/?s=supported-operating-systems

The instructions recommend encryption of the entire disk.

4 PRE-INSTALLATION STEPS

For new PC deployments that have been imaged, please skip to 4.5.

4.1 DATA BACKUP

Confirm the user has backed up their data, including Outlook archive .pst files. If NOT, ensure their data is backed up to a removable device (e.g. an external hard drive).

4.2 INITIAL ASSESSMENT OF THE MACHINE / HEALTH CHECK

Technical staff to assess the machine and, if deemed necessary, re-image it. Health check: look for any evidence of hardware faults, Windows faults or traces of viruses/malware. Check Windows XP SP3 is installed.

4.3 CHECK DISK CONFIGURATION

TrueCrypt may be installed on any PC that has been set up in the standard way (as described in the relevant DS documents). That is, one Windows operating system fills the whole disk on a single partition. However, TrueCrypt may also be applied to any partition on a multi-partition disk, provided it is not a logical partition; it must be a primary partition. If whole-disk encryption is desired and there are logical partitions, the contents of these partitions must be saved, the logical partitions deleted and replaced with primary partitions, and the content restored to these.

4.4 CHKDSK

On older systems it's advisable to run chkdsk /f /r before proceeding to encrypt the drive.
This is to highlight damaged areas of the disk which could cause problems with the process. If any bad clusters etc. are found, then further investigation is needed (software or hardware) before encryption can commence.
4.5 ANALYSE AND DEFRAGMENT DISK

Run Disk Defragmenter from the System Tools folder, which can be found in the Accessories folder via the Start menu. Analyse the C: drive. If the disk is partitioned, analyse all other volumes as well. Defragment each partition if advised to do so by the application. Once all volumes are defragmented, exit Disk Defragmenter and reboot the machine.

4.6 CREATE RESCUE CD FOLDER

During the installation sequence you will be prompted to create a Rescue CD in the form of an .iso file (this CD will be required to restore the original header).

Ensure the account you are logged into has Administrator rights.

Create a drive mapping to a server location where the Rescue CD information is to be stored. This should be an area accessible only to the IT Support team.

Create a new folder, giving the folder the same name as the laptop (service tag and user's name, e.g. B6YT998 Minnie Mouse). This new folder will be used to store the Rescue CD .iso file.
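The checks below are an added example, not part of the DS035 procedure: they validate the Rescue CD folder created here against the Appendix 11 naming convention (assumed to be "<service tag> <given name> <family name>") and, once the .iso has been written into it in section 6, record a SHA-256 of the stored image. Because the encryption is started with /noisocheck, TrueCrypt's own check of the image is skipped, so the recorded digest is what lets the team confirm that the copy on the share is unchanged before burning it for a recovery (section 8.1); the folder and image used in demo() are constructed.

```python
"""Added example (not DS035's own code): Rescue CD folder checks for
section 4.6 / Appendix 11. Assumes the folder name is
"<service tag> <given name> <family name>" and holds exactly one .iso,
the image written in section 6."""
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed Appendix 11 pattern, e.g. "B6YT998 Minnie Mouse" or "A12345J Minnie Mouse".
FOLDER_NAME = re.compile(r"^(?P<tag>[A-Z0-9]{5,10}) (?P<given>[A-Za-z'-]+) (?P<family>[A-Za-z'-]+)$")

def parse_folder_name(name):
    """(service_tag, given_name, family_name), or None if not per convention."""
    m = FOLDER_NAME.match(name)
    return m.group("tag", "given", "family") if m else None

def sha256_of(path, chunk=1 << 20):
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def register_rescue_iso(folder):
    """Validate a laptop's Rescue CD folder and write <image>.iso.sha256
    beside it. Returns the digest; raises ValueError on any problem."""
    folder = Path(folder)
    if parse_folder_name(folder.name) is None:
        raise ValueError(f"'{folder.name}' is not '<service tag> <given> <family>'")
    isos = sorted(folder.glob("*.iso"))
    if len(isos) != 1:
        raise ValueError(f"expected one .iso in {folder.name}, found {len(isos)}")
    iso = isos[0]
    if iso.stat().st_size == 0:
        raise ValueError(f"{iso.name} is empty; the image was not written")
    digest = sha256_of(iso)
    iso.with_name(iso.name + ".sha256").write_text(f"{digest}  {iso.name}\n")
    return digest

def verify_rescue_iso(folder):
    """True if the stored .iso still matches its recorded digest."""
    folder = Path(folder)
    iso = next(folder.glob("*.iso"))
    recorded = iso.with_name(iso.name + ".sha256").read_text().split()[0]
    return sha256_of(iso) == recorded

def demo():
    """Run on a constructed folder and image (not a real Rescue CD)."""
    folder = Path(tempfile.mkdtemp()) / "B6YT998 Minnie Mouse"
    folder.mkdir()
    (folder / "LAPTOP01.iso").write_bytes(b"constructed rescue image bytes")
    digest = register_rescue_iso(folder)
    ok_before = verify_rescue_iso(folder)
    (folder / "LAPTOP01.iso").write_bytes(b"altered copy")  # simulate a changed file
    return digest, ok_before, verify_rescue_iso(folder)

if __name__ == "__main__":
    print(demo())
```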
5 INSTALL THE TRUECRYPT APPLICATION

If you have not done so, download and install TrueCrypt. Desktop Support staff can find TrueCrypt on the Desktop Support shared drive. The latest stable version of TrueCrypt (version 7.1a) can be downloaded from http://www.truecrypt.org/downloads

Start the setup of TrueCrypt and accept the licence.

At the next window, headed Wizard Mode, make sure "Install" is selected and click Next.

At the next window, headed Setup Options:
- Click Install
- Accept the default install location
- Un-tick "Add TrueCrypt to Start menu"
- Un-tick "Add TrueCrypt icon to desktop" (this will hide the software from the user as a precaution)

Once installation is complete, a window will appear informing you that TrueCrypt has been successfully installed. Click OK to close the window. Click Finish to close the installer. You may be prompted to read the Beginner's Tutorial; click No to close the window.

6 ENCRYPTION

Note: Using an optical mouse at this stage makes it easier when creating the encryption keys.

Click Start followed by Run. In the box type cmd (excluding quotes), then click OK.

Change the drive path to C: by typing C: and pressing Return.

Change to the TrueCrypt directory by typing the following, including quotes:

cd "\program files\truecrypt"

Including the odd placing of the quotes (they enclose the name of the executable, which contains a space), type the following command:

"truecrypt format" /noisocheck
(Using this command-line switch to start the program means that we can skip the built-in integrity check of the Rescue CD .iso file, thus considerably speeding up the encryption process. This is especially useful when having to encrypt a large number of laptops. The normal behaviour is that TrueCrypt checks that the file has been burnt successfully before it will allow the process to continue.)

You will now be presented with the TrueCrypt Wizard.

Select Encrypt the system partition or entire system drive. Click Next.

Select Normal. Click Next.
Select Encrypt the whole drive (the standard Desktop Support imaged laptop has only one partition). Click Next.

Select Yes to encrypt the Host Protected Area and then click Next. You may see a Detecting Hidden Sectors window briefly.

Select Single-boot (with the standard image, Windows XP is the only installed operating system). Then click Next.
Leave the Encryption Options as the defaults. Click Next.

The next step is very important: you now have to set a password. This should eventually be a stronger password, as suggested by the dialog box; however, we recommend choosing a known password for all devices in a department and using this. This will enable a backup of the password, as a header on a Rescue CD, to be created, which can be used to overwrite the eventual password entered by the user in the event of them locking themselves out of their machine or their header file becoming corrupted.

Enter our standard password twice and click Next. A warning will pop up giving the dangers of using short passwords; click Yes to continue, since we will change the password to a stronger and longer one when it is rolled out to the user.

Now you have entered the password, you must increase the cryptographic strength of the encryption keys. Move your mouse as randomly as possible within the Collecting Random Data window for at least 30 seconds. The longer the mouse is moved, the better. This significantly increases the cryptographic strength of the encryption keys (which increases security). Click Next.
Click Next again at the Keys Generated summary window.

You are now requested to create a Rescue CD. Select Browse and navigate to the Rescue CD folder for this laptop (as mentioned in section 4.6). Set the .iso filename to the machine name of the laptop. Remember to put .iso after the filename. Click Next.

The Rescue CD image is created. Click Next.

A warning pop-up will appear advising you that you cannot re-use previously created Rescue CDs if the laptop is decrypted and then re-encrypted at a later date. A new Rescue CD needs to be created every time. Click OK.

Click Next at the Wipe Mode screen.

Click Test at the System Encryption Pretest screen. Clicking OK will close the Notes window; you will then be prompted to restart the machine. Click Yes. The PC will reboot.

ENSURE THE LAPTOP IS ON MAINS POWER DURING THE NEXT STEP.

When the machine starts you will see the TrueCrypt Bootloader screen. Enter your TrueCrypt password and wait for Windows XP to load as normal. Log in with the same account and you will be presented with the following screen.
Select Encrypt. You may have to click OK to close another Notes window. The drive will now start encrypting. This can take an indeterminate amount of time depending on the data on the machine, the size of the hard drive, etc. The remaining time is displayed during the process, but this can fluctuate, which erodes confidence. The encryption can be paused and restarted at the discretion of the user.

When the encryption process has completed, click OK and Finish.

6.1 RE-ENCRYPTION

There are occasions when a previously encrypted laptop may need to be rebuilt and encrypted again. (The imaging process overwrites the previously encrypted disk header.) The original Rescue CD .iso can no longer be used for recovery on the re-encrypted laptop. Therefore, during the re-encryption process a new Rescue CD must be created to replace the existing .iso.

7 USER DEPLOYMENT STEPS

7.1 CHANGE USER PASSWORD

1. Boot the PC and enter the IT Support TrueCrypt password.
2. Log in to Windows (using any user's login with Administrator rights).
3. Navigate to the TrueCrypt folder C:\Program Files\TrueCrypt.
4. Run TrueCrypt.exe.
5. From the System menu select Change Password.
6. Enter the current password (IT Support) and then allow the user to create their own.
7. Click OK, confirm Yes when prompted, and click OK after it has been changed.
8. Reboot the PC to check that the new password has taken effect.

7.2 USER AWARENESS

Convey the following points to the user.

7.2.1 What has been installed

Explain all changes made, including security updates, XP SP3, virus software etc. The TrueCrypt application provides full disk encryption with pre-boot authentication, i.e. from now on you will be presented with an additional login screen.

Hassle factor vs. end-user experience: explain that laptop encryption is the University's response to the legal requirement to protect the organisation against the liability of unauthorised access to sensitive information.
7.2.2 What it does (including ramifications if they adjust TrueCrypt settings)

The whole hard disk is encrypted, so every file currently on the drive and any new files will be automatically encrypted.
It does not automatically encrypt files that are transferred to a location off the laptop (i.e. removable media drives, network drives, etc.), so a file copied to another PC is not encrypted or protected.

There is no reason for a user to open the TrueCrypt application and make any changes to settings. If they do, they risk making the laptop and their data inaccessible.

7.2.3 Password creation (at least 12 characters, letters, numbers and symbols)

In order for the user's password to be effective, we advise that a strong password is used. The strength of a password depends on its length, complexity and randomness. The password should be at least 12 characters long; the recommended length is 20 characters. To make the password easy to remember it can be based on the first letters of the words in a poem or song, with numbers and/or symbols added. Simple strings of keyboard letters (e.g. qwertyuiop[]), usernames, words and names should not be used (even spelled backwards).

7.2.4 Password storage considerations, i.e. not stored with laptop

Advise the user not to store the password with the laptop.

7.2.5 Advice for increased security

Users should be advised to shut down the laptop rather than use suspend or hibernate prior to at-risk activities such as leaving the laptop unattended or travelling. This clears data from the system memory.

7.2.6 Data recovery

Users should be made aware that data recovery from an encrypted laptop may not be possible or may be a very lengthy procedure. If working away from campus they should take the precaution of connecting to the network using a VPN connection and synchronising their laptop regularly.

7.2.7 Support arrangements

Advise the user that if the password needs to be changed or there are any problems they should contact the IT Help Desk.

8 RECOVERY PROCEDURES

8.1 RECOVERY OF THE ORIGINAL IT SUPPORT PASSWORD

Using the Rescue CD .iso created during the encryption process, burn it to a CD / DVD using a CD burning application.
This can be carried out on any computer with a CD writer. Roxio CD & DVD Creator is installed on all XP machines that are using the standard image.

Enter the BIOS if necessary and change the boot device priority, ensuring that the CD / DVD drive is the first option. Insert the Rescue CD into the optical drive of the machine and reboot.
Press F8 at the boot menu to enter the Repair Options.

Select Option 3, Restore key data (volume header), and type in the standard password. You will then be asked to confirm whether you want to modify drive 0 (y/n); type y to confirm this operation.

You will now see the message Header Restored, which informs us that the encryption password has been reset to our standard password. Press Esc twice to go back to the Rescue CD main menu.

Remove the CD from the optical drive and reboot the machine. Typing the standard password at the Bootloader screen should allow the laptop to boot into Windows.
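The password rules given to the user in section 7.2.3 (at least 12 characters with 20 recommended; letters, numbers and symbols; no keyboard sequences, usernames, words or names, even spelled backwards), written as a checklist the technician can run before the new password is accepted at step 6 of section 7.1. This is an added example, not part of the DS035 procedure; the blocked words and sample passwords are constructed.

```python
"""Added example (not part of the DS035 procedure): the section 7.2.3
password advice as a checklist. Blocked words and samples are constructed."""
import string

MIN_LENGTH = 12          # 7.2.3: at least 12 characters
RECOMMENDED_LENGTH = 20  # 7.2.3: recommended length

# Keyboard rows used to spot simple key-walks such as "qwertyuiop[]".
KEYBOARD_ROWS = ("1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./")


def keyboard_walk(password, run=4):
    """True if `run` or more adjacent keys of one row appear in order,
    forwards or backwards (e.g. "asdf", "poiu")."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for walk in (row, row[::-1]):
            if any(walk[i:i + run] in low for i in range(len(walk) - run + 1)):
                return True
    return False


def contains_known_word(password, words):
    """First blocked word (username, name, dictionary word) found in the
    password, forwards or spelled backwards, ignoring case; else None."""
    low = password.lower()
    for word in words:
        w = word.lower()
        if len(w) >= 3 and (w in low or w[::-1] in low):
            return word
    return None


def check_password(password, blocked_words=()):
    """Return (ok, problems, advice): problems block acceptance, advice
    does not (a 12-19 character password passes with a recommendation)."""
    problems, advice = [], []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < RECOMMENDED_LENGTH:
        advice.append(f"consider {RECOMMENDED_LENGTH}+ characters")
    if not any(c in string.ascii_letters for c in password):
        problems.append("no letters")
    if not any(c in string.digits for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    if keyboard_walk(password):
        problems.append("contains a keyboard sequence")
    word = contains_known_word(password, blocked_words)
    if word:
        problems.append(f"contains '{word}' (forwards or backwards)")
    return (not problems, problems, advice)


if __name__ == "__main__":
    # Constructed details for the example user named in section 4.6.
    blocked = ["mmouse", "Minnie", "Mouse", "Exeter", "password"]
    for candidate in ("qwertyuiop[]12", "esuoMeinniM99!", "Tcsnt1f!Mwt2a#"):
        print(candidate, check_password(candidate, blocked))
```

The blocked-word list should be built per user from their username and full name; the technician adds any department or site names that users are likely to reach for.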
8.2 PROCEDURE FOR DECRYPTING THE HARD DRIVE

To decrypt the hard drive, run the TrueCrypt application under Program Files. From the TrueCrypt application, click System and choose Permanently Decrypt System Partition/Drive.

Decrypting the hard drive can also be done via the Rescue CD; however, the decryption process is a lot quicker through Windows. The Rescue CD option should only be used if the machine is not able to boot into Windows.

Confirm that you want to permanently decrypt the system partition/drive. Note: this isn't permanent if you want to re-encrypt the device at a later date.

The process may take longer than the original encryption owing to the amount of data stored on the hard drive. After several hours the computer should restart and no longer request a password on start-up.
9 TECHNICAL INFORMATION

9.1 LIMITATIONS

When the system partition/drive is encrypted, the system cannot be upgraded (e.g. from Windows XP to Windows Vista) or repaired* from within the pre-boot environment (using a Windows setup CD/DVD or the Windows pre-boot component). In such cases, the system partition/drive must be decrypted first.

Note: A running operating system can be updated (security patches, service packs, etc.) without any problems even when the system partition/drive is encrypted.

See also the Issues and Limitations section at http://www.truecrypt.org/docs

* It's also possible to browse to and mount an encrypted system partition, using a USB to SATA/IDE data transfer cable, by using the "mount without pre-boot authentication" option under the System menu from within the TrueCrypt program. Note: you'll need to restore the header to the standard password first.

9.2 POSSIBLE ISSUES

9.2.1 Data recovery

Prior to recovering data the laptop needs to be decrypted. This can be a lengthy procedure on a large disk.

9.2.2 Stop errors

When you log on to the domain you may see the following Stop error:

STOP 0x00000035 (0x8207ecd8, 0x00000000, 0x00000000, 0x00000000) NO_MORE_IRP_STACK_LOCATIONS

This occurs if:
- You install more than three programs that are related to file security. For example, you install more than three antivirus programs or file-encryption programs.
- The computer is part of a domain.

Further information and a solution can be found at http://support.microsoft.com/kb/906866

9.3 FURTHER READING

http://www.truecrypt.org/docs/

The documentation section of the above website is a good resource for information.
10 APPENDIX: RECOMMENDED WINDOWS CONFIGURATION

For security we recommend the following settings are used on all laptops; these settings are applied to all computers built using the standard desktop image.

- Request the password when resuming from standby
- Configure the laptop to standby or hibernate when the lid is closed
- Configure the laptop to standby, hibernate or shut down when the power button is pressed
- Configure the laptop to standby or hibernate when the sleep button is pressed
- Request the password when resuming from the screensaver (for security purposes we are investigating the use of a GPO to force this setting on all computers shortly)

11 APPENDIX: NAMING CONVENTION FOR HEADER FILES

The suggested naming convention for TrueCrypt header files is service tag followed by the user's name (given name and family name), e.g. A12345J Minnie Mouse. This allows easy identification.