TrueCrypt Installation and Deployment


Academic Services
Exeter IT
Desktop Support

TrueCrypt Installation and Deployment

Document reference: DS035
Document type: Desktop Support Procedure
Document status: Live
Review period: Twelve months
Next review date: 14 Dec 2013

DS035 - Truecrypt installation and deployment - v2.4 - Master.docx Page 1 of 16

1 TABLE OF CONTENTS

1 Table of Contents
2 Document History
  2.1 Document location
  2.2 Revision history
  2.3 Approvals
  2.4 Reviews
3 Introduction
4 Pre-installation Steps
  4.1 Data backup
  4.2 Initial assessment of the machine / health check
  4.3 Check disk configuration
  4.4 chkdsk
  4.5 Analyse and defragment disk
  4.6 Create rescue CD folder
5 Install the TrueCrypt Application
6 Encryption
  6.1 Re-encryption
7 User Deployment Steps
  7.1 Change user password
  7.2 User awareness
8 Recovery Procedures
  8.1 Recovery of the original IT support password
  8.2 Procedure for decrypting the hard drive
9 Technical Information
  9.1 Limitations
  9.2 Possible issues
  9.3 Further reading
10 Appendix Recommended Windows Configuration
11 Appendix Naming Convention for Header Files

2 DOCUMENT HISTORY

2.1 DOCUMENT LOCATION

This document can be accessed from the following location: http://www.exeter.ac.uk/it/equipmentandsoftware/howto

2.2 REVISION HISTORY

The latest revision can be found at the top of the list:

| Revision Date | Author | Version | Summary of Changes |
|---|---|---|---|
| 14 Dec 2012 | Rob Hatswell | 2.4 | Amended Encryption process, amended Recovery procedure, minor changes to text |
| 10 Oct 2011 | Bill Lambert | 2.3 | Added re encryption information |
| 9 May 2011 | Paul Field | 2.2 | Fixed typo in one of the technical comments |
| April 2011 | Various | 2.1 | Minor tweaks, mostly cosmetic. Added some extra tips |
| 25th February 2011 | Various | 2.0 | Additional sections added for user advice, data recovery issues, windows configuration and header naming conventions. |
| 2nd September 2010 | Sue Watling | 1.0 | First live version |

2.3 APPROVALS

This document requires the following approvals:

| Name | Title | Version | Date of approval |
|---|---|---|---|
| Matt Coppell | Incident Response Team Leader | 2.4 | 14 Dec 2013 |
| Paul Grogan | Incident Response Team Leader | 2.3 | 10 Oct 2011 |
| Paul Grogan | Incident Response Team Leader | 2.2 | 9 May 2011 |
| Paul Grogan | Incident Response Team Leader | 2.1 | 5 May 2011 |
| Paul Grogan | Incident Response Team Leader | 2.0 | 25 March 2011 |
| Paul Grogan | Incident Response Team Leader | 1.0 | 12 October 2010 |

2.4 REVIEWS

This document was reviewed at the following dates with no updates required:

| Name | Version | Date of Review | Notes |
|---|---|---|---|

3 INTRODUCTION

This document is intended to be used by the University of Exeter's Desktop Support staff and CDOs supporting Colleges. It is to be used to guide the installation of TrueCrypt encryption software onto University-provided laptops.

This document has been written to be applicable to the University's recommended makes/models/builds of laptops running Windows XP SP3; however, the software does support other versions of Windows and other Operating Systems. More information on supported Operating Systems can be found by visiting the link below.

http://www.truecrypt.org/docs/?s=supported-operating-systems

The instructions recommend encryption of the entire disk.

4 PRE-INSTALLATION STEPS

For new PC deployments that have been imaged please skip to 4.5.

4.1 DATA BACKUP

Confirm user has backed up their data including Outlook archive .pst files. If NOT, ensure their data is backed up to a removable device (e.g. External Hard Drive).

4.2 INITIAL ASSESSMENT OF THE MACHINE / HEALTH CHECK

Technical staff to assess the machine; if deemed necessary, re-image machine.

Health check: look for any evidence of hardware faults, Windows faults or traces of viruses/malware.

Check Windows XP SP3 is installed.

4.3 CHECK DISK CONFIGURATION

TrueCrypt may be installed on any PC that has been set up in the standard way (as described in the relevant DS documents). That is, one Windows Operating System fills the whole disk on a single partition.

However, TrueCrypt may also be applied to any partition on a multi-partition disk, provided it does not have a logical partition. It must be a primary partition.

If a whole-disk encryption is desired, and there are logical partitions, the contents of these partitions must be saved, the logical partitions deleted and replaced with primary partitions, and the content restored to these.

4.4 CHKDSK

On older systems it's advisable to run chkdsk /f /r before proceeding to encrypt the drive. This is to highlight damaged areas of the disk which could cause problems with the process. If any bad clusters etc. are found then further investigation is needed (software or hardware) before encryption can commence.

4.5 ANALYSE AND DEFRAGMENT DISK

- Run Disk Defragmenter from the System Tools folder, which can be found in the Accessories folder via the Start menu.
- Analyse the C: drive. If the disk is partitioned, analyse all other volumes as well.
- Defragment each partition if advised to do so by the application.
- Once all volumes are defragmented, exit Disk Defragmenter and reboot the machine.

4.6 CREATE RESCUE CD FOLDER

During the installation sequence, you will be prompted to create a Rescue CD in the form of an .iso file. (This CD will be required to restore the original header.)

- Ensure the account you are logged into has Administrator rights.
- Create a drive mapping to a server location where the Rescue CD information is to be stored. This should be an area accessed only by the IT Support team.
- Create a new folder, giving the folder the same name as the laptop (service tag followed by the user's name, e.g. B6YT998 Minnie Mouse). This new folder will be used to store the Rescue CD .iso file.

5 INSTALL THE TRUECRYPT APPLICATION

If you have not done so, download and install TrueCrypt. Desktop Support Staff can find TrueCrypt on the Desktop Support shared drive. The latest stable version of TrueCrypt (version 7.1a) can be downloaded from http://www.truecrypt.org/downloads

- Start the setup of TrueCrypt and accept the licence.
- At the next window, headed Wizard Mode, make sure "Install" is selected and click Next.
- At the next window, headed Setup Options:
  - Click Install
  - Accept the default install location
  - Un-tick "Add TrueCrypt to Start menu"
  - Un-tick "Add TrueCrypt icon to desktop"
  This will hide the software from the user as a precaution.
- Once installation is complete a window will appear informing you that TrueCrypt has been successfully installed. Click OK to close the window.
- Click Finish to close the installer.
- You may be prompted to read the Beginner's Tutorial. Click No to close the window.

6 ENCRYPTION

Note: Using an optical mouse at this stage makes it easier when creating the encryption keys.

- Click Start followed by Run. In the box type cmd (excluding quotes), then click OK.
- Change drive path to C: by typing C: and pressing Return.
- Change to the TrueCrypt directory by typing the following, including quotes:

    cd "\program files\truecrypt"

- Including the odd placing of the quotes, type the following command:

    "truecrypt format" /noisocheck

(Using this command line switch to start the program means that we can skip the built-in integrity check of the Rescue CD .iso file, thus considerably speeding up the process of the encryption. This is especially useful when having to encrypt a large number of laptops. The normal behaviour is that TrueCrypt checks that the file has been burnt successfully before it will allow the process to continue.)

- You will now be presented with the TrueCrypt Wizard. Select "Encrypt the system partition or entire system drive". Click Next.
- Select Normal. Click Next.

- Select "Encrypt the whole drive" (the standard desktop support imaged laptop has only one partition). Click Next.
- Select Yes to encrypt the Host Protected Area and then click Next. You may see a Detecting Hidden Sectors window briefly.
- Select Single-boot (with the standard image Windows XP is the only installed operating system). Then click Next.

- Leave the Encryption Options as the defaults. Click Next.
- The next step is very important: you now have to set a password. This should eventually be a stronger password, as suggested by the dialog box; however, we recommend choosing a known password for all devices in a department and using this. This will enable a backup of the password to be created as a Header on a Rescue CD, which can be used to overwrite the eventual password entered by the user in the event of them locking themselves out of their machine, or their header file becoming corrupted.
- Enter our standard password twice and click Next. A warning will pop up about the dangers of using short passwords; click Yes to continue, since we will change the password to a stronger and longer one when it is rolled out to the user.
- Now that you have entered the password you must increase the cryptographic strength of the encryption on it. Move your mouse as randomly as possible within the Collecting Random Data window for at least 30 seconds. The longer the mouse is moved, the better. This significantly increases the cryptographic strength of the encryption keys (which increases security). Click Next.

- Click Next again at the Keys Generated summary window.
- You are now requested to create a Rescue CD. Select Browse and navigate to the Rescue CD folder for this laptop (as mentioned in section 4.6). Set the .iso filename to the machine name of the laptop. *Remember to put .iso after the filename. Click Next.
- The Rescue CD image is created. Click Next.
- A warning pop-up will appear advising you that you cannot re-use previously created Rescue CDs if the laptop is decrypted then re-encrypted at a later date. A new Rescue CD needs to be created every time. Click OK.
- Click Next at the Wipe Mode screen.
- Click Test at the System Encryption Pretest screen.
- Clicking OK will close the Notes window; you will then be prompted to restart the machine. Click Yes. The PC will reboot.

ENSURE THE LAPTOP IS ON MAINS POWER DURING THE NEXT STEP.

- When the machine starts you will see the TrueCrypt Bootloader Screen. Enter your TrueCrypt password and wait for Windows XP to load as normal.
- Login with the same account and you will be presented with the following screen.

- Select Encrypt. You may have to click OK to close another Notes window.
- The drive will now start encrypting. This can take an indeterminate amount of time depending on the data on the machine, size of the hard drive, etc. The remaining time is displayed during the process, but this can fluctuate, which erodes confidence. The encryption can be paused and restarted at the discretion of the user.
- When the encryption process has completed, click OK and Finish.

6.1 RE-ENCRYPTION

There are occasions when a previously encrypted laptop may need to be rebuilt and encrypted again. (The imaging process overwrites the previously encrypted disk header.) The original Rescue CD .iso can no longer be used for recovery on the re-encrypted laptop. Therefore, during the re-encryption process, a new Rescue CD must be created to replace the existing .iso.

7 USER DEPLOYMENT STEPS

7.1 CHANGE USER PASSWORD

1. Boot the PC and enter the IT Support TrueCrypt password.
2. Login to Windows (using any user's login with Administrator rights).
3. Navigate to the TrueCrypt folder C:\Program Files\TrueCrypt
4. Run TrueCrypt.exe
5. From the menu System select Change Password.
6. Enter the current password (IT Support) and then allow the user to create their own.
7. Click OK and confirm Yes when prompted and OK after it has been changed.
8. Reboot PC to check that the new password has taken effect.

7.2 USER AWARENESS

Convey the following points to the user.

7.2.1 What has been installed

Explain all changes made, including security updates, XP SP3, virus software etc.

The TrueCrypt application provides full disk encryption with pre-boot authentication, i.e. from now on you will be presented with an additional login screen.

Hassle Factor vs. End User experience: explain that laptop encryption is the University's response to the legal requirement to protect the organisation against the liability of unauthorised access to sensitive information.

7.2.2 What it does (*including ramifications if they adjust TrueCrypt settings)

The whole hard disk is encrypted, so every file currently on the drive and any new files will be automatically encrypted.

It does not automatically encrypt files that are transferred to a location off the laptop (i.e. removable media drives, network drives, etc.), so a file copied to another PC is not encrypted or protected.

There is no reason for a user to open the TrueCrypt application and make any changes to settings. If they do they will risk making the laptop and their data inaccessible.

7.2.3 Password creation (at least 12 characters, letters, numbers and symbols)

In order for the user's password to be effective, we advise that a strong password is used. The strength of a password depends on its length, complexity and randomness.

The password should be at least 12 characters long; the recommended length is 20 characters. To make the password easy to remember it can be based on the first letters of the words in a poem or song, with numbers and/or symbols added.

Simple strings of keyboard letters (e.g. qwertyuiop[]), usernames, words and names should not be used (even spelled backwards).

7.2.4 Password storage considerations, i.e. not stored with laptop

Advise the user not to store the password with the laptop.

7.2.5 Advice for increased security

Users should be advised to shut down the laptop rather than use suspend or hibernate prior to at-risk activities such as leaving the laptop unattended or when travelling. This clears data from the system memory.

7.2.6 Data recovery

Users should be made aware that data recovery from an encrypted laptop may not be possible or may be a very lengthy procedure. If working away from campus they should take the precaution of connecting to the network using a VPN connection and synchronising their laptop regularly.

7.2.7 Support arrangements

Advise the user that if the password needs to be changed or there are any problems they should contact the IT Help Desk.

8 RECOVERY PROCEDURES

8.1 RECOVERY OF THE ORIGINAL IT SUPPORT PASSWORD

- Using the Rescue CD .iso created during the encryption process, burn it to a CD / DVD using a CD burning application. This can be carried out on any computer with a CD writer. Roxio CD & DVD Creator is installed on all XP machines that are using the standard image.
- Enter the BIOS if necessary and change the boot device priority, ensuring that the CD / DVD Drive is the first option.
- Insert the Rescue CD into the optical drive of the machine and reboot.

- Press F8 at the boot menu to enter the Repair Options.
- Select Option 3, Restore key data (volume header), and type in the standard password.
- You will then be asked to confirm whether you want to modify drive 0 (y/n); type y to confirm this operation.
- You will now see the message Header Restored, which informs us that the encryption password has been reset to our standard password.
- Press Esc twice to go back to the Rescue CD main menu.
- Remove the CD from the optical drive and reboot the machine.
- Typing the standard password at the Bootloader screen should allow the laptop to boot into Windows.

8.2 PROCEDURE FOR DECRYPTING THE HARD DRIVE

To decrypt the hard drive, run the TrueCrypt application under Program Files. From the TrueCrypt application, click System and choose Permanently Decrypt System Partition/Drive.

Decrypting the hard drive can also be done via the Rescue CD; however, the decryption process is a lot quicker through Windows. The Rescue CD option should only be used if the machine is not able to boot into Windows.

Confirm that you want to permanently decrypt the system partition/drive.

Note: This isn't permanent if you want to re-encrypt the device at a later date.

The process may take longer than the original encryption owing to the amount of data stored on the hard drive. After several hours the computer should restart and no longer request a password on start-up.

9 TECHNICAL INFORMATION

9.1 LIMITATIONS

When the system partition/drive is encrypted, the system cannot be upgraded (e.g. from Windows XP to Windows Vista) or repaired* from within the pre-boot environment (using a Windows setup CD/DVD or the Windows pre-boot component). In such cases, the system partition/drive must be decrypted first.

Note: A running operating system can be updated (security patches, service packs, etc.) without any problems even when the system partition/drive is encrypted.

See also the Issues and Limitations section at http://www.truecrypt.org/docs

* It's also possible to browse to and mount an encrypted system partition using a USB to SATA/IDE data transfer cable by using the "mount without pre-boot authentication" option under the System menu from within the TrueCrypt program. Note: You'll need to restore the header to the standard password first.

9.2 POSSIBLE ISSUES

9.2.1 Data recovery

Prior to recovering data the laptop needs to be decrypted. This can be a lengthy procedure on a large disk.

9.2.2 Stop errors

When you log on to the domain you may see the following Stop error:

    STOP 0x00000035 (0x8207ecd8, 0x00000000, 0x00000000, 0x00000000) NO_MORE_IRP_STACK_LOCATIONS

This occurs if:

- You install more than three programs that are related to file security. For example, you install more than three antivirus programs or file-encryption programs.
- The computer is part of a domain.

Further information and a solution can be found at http://support.microsoft.com/kb/906866

9.3 FURTHER READING

http://www.truecrypt.org/docs/

The documentation section of the above website is a good resource for information.

10 APPENDIX RECOMMENDED WINDOWS CONFIGURATION

For security we recommend the following settings are used on all laptops; these settings are applied to all computers built using the standard desktop image.

- Request the password when resuming from standby
- Configure the laptop to standby or hibernate when the lid is closed
- Configure the laptop to standby, hibernate or shut down when the power button is pressed
- Configure the laptop to standby or hibernate when the sleep button is pressed
- Request password when resuming from the Screensaver (for security purposes we are investigating the use of a GPO to force this setting on all computers shortly)

11 APPENDIX NAMING CONVENTION FOR HEADER FILES

The suggested naming convention for TrueCrypt header files is service tag followed by the user's name (given name and family name), e.g. A12345J Minnie Mouse. This allows easy identification.
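
Because section 6 starts the wizard with /noisocheck, TrueCrypt never verifies the Rescue CD image, so the stored .iso files are worth auditing before one is needed for the recovery in section 8.1. The following is an added example, not part of the original procedure: a Python audit of the IT Support share from section 4.6. The seven-character service tag pattern, the manifest file name rescue.sha256 and the function names are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed reading of the appendix 11 convention: 7-character service tag,
# a space, then given and family name, e.g. "A12345J Minnie Mouse".
FOLDER_RE = re.compile(r"^[A-Z0-9]{7} \S+( \S+)+$")
PVD_OFFSET = 16 * 2048      # ISO 9660 volume descriptors start at sector 16
MANIFEST = "rescue.sha256"  # hypothetical manifest file, one per folder


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_iso(path):
    """True if the file carries the ISO 9660 'CD001' descriptor signature."""
    with open(path, "rb") as fh:
        fh.seek(PVD_OFFSET + 1)
        return fh.read(5) == b"CD001"


def audit_folder(folder, record=False):
    """Return the list of findings for one laptop's Rescue CD folder."""
    folder = Path(folder)
    findings = []
    if not FOLDER_RE.match(folder.name):
        findings.append("folder name does not follow the naming convention")
    isos = sorted(p for p in folder.iterdir() if p.suffix.lower() == ".iso")
    if not isos:
        return findings + ["no Rescue CD .iso present"]
    if len(isos) > 1:
        # Section 6.1: only the image made at the latest encryption is usable.
        return findings + ["multiple .iso files; stale image not replaced"]
    iso = isos[0]
    if not looks_like_iso(iso):
        findings.append(f"{iso.name}: not a valid ISO 9660 image")
    actual = sha256_of(iso)
    manifest = folder / MANIFEST
    if manifest.exists():
        recorded = manifest.read_text().split()
        if not recorded or recorded[0] != actual:
            findings.append(f"{iso.name}: SHA-256 differs from recorded value")
    elif record:
        # First run after encryption: store the hash for later comparison.
        manifest.write_text(f"{actual}  {iso.name}\n")
    else:
        findings.append(f"{iso.name}: no recorded SHA-256")
    return findings


def audit_share(root, record=False):
    """Audit every laptop folder under the IT Support Rescue CD share."""
    return {d.name: audit_folder(d, record)
            for d in sorted(Path(root).iterdir()) if d.is_dir()}


def make_sample_iso(path, valid=True):
    """Constructed sample input: zero-filled file, optionally with signature."""
    data = bytearray(PVD_OFFSET + 2048)
    if valid:
        data[PVD_OFFSET:PVD_OFFSET + 6] = b"\x01CD001"
    Path(path).write_bytes(bytes(data))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:  # stands in for the mapped drive
        for name, ok in [("B6YT998 Minnie Mouse", True), ("spare laptop", False)]:
            (Path(share) / name).mkdir()
            make_sample_iso(Path(share) / name / "LAPTOP.iso", valid=ok)
        for name, findings in audit_share(share, record=True).items():
            print(name, findings or "OK")
```

Run it with record=True once after each encryption to store the hash, then without it on later audits so that a changed or truncated image is reported before it is burnt.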