How-to: Encrypting documents and files on Mac OS X with TrueCrypt

Background

TrueCrypt is a free and open source disk encryption program that supports Microsoft Windows, Mac OS X and Linux operating systems. TrueCrypt can create a virtual encrypted disk within a file or encrypt a partition or (under Microsoft Windows except Windows 2000 and Windows 8 with GPT) the entire storage device (pre-boot authentication).

For more information, see: https://en.wikipedia.org/wiki/TrueCrypt or http://www.truecrypt.org.

Important! Known limitations

TrueCrypt publishes a chapter in its manual which details some known security issues with the software. If you want to use TrueCrypt, you must follow the security requirements and security precautions listed in this chapter. For more details, see http://www.truecrypt.org/docs/security-requirements-and-precautions. TrueCrypt up until now has not been subjected to a full security audit and cryptanalysis. However there is a project underway to audit its security. Hopefully more will be learned through this effort.

Instructions

1. Download and Install TrueCrypt

Open your preferred web browser and navigate to http://www.truecrypt.org/downloads.

Scroll down to where it says "Mac OS X" and click the "Download" button. The download will take a minute or two. When it is complete, the disk image will be in your downloaded files directory, which is accessible from your tool bar at the bottom of your screen.

Double-click on the disk image to mount it. Once the disk image is mounted, it will open up a file window. There should be a single file in there called something like "TrueCrypt 7.1a.mpkg". Run that installer by double-clicking it.

The Installer will begin, and first, you will be presented with some preliminary information about TrueCrypt. Click 'continue'. Next you will be presented with their license terms. If you accept those terms, then click "Accept".

Next you will be given the the option to select an alternative location to install the program, or to accept the standard location ( your Applications folder on your boot drive ). Once you have decided where to install the program, click 'Install'. The program will be installed.

2. Run TrueCrypt for the first time

If you chose the standard location for your installation then simply open up your Applications folder and run TrueCrypt.

3. Create your first encrypted volume

Click on the 'Create Volume' button. The TrueCrypt Volume Creation Wizard will begin. The default option is to create an 'encrypted file container' which is essentially an encrypted file that can be mounted as a disk. Click 'Next' to continue.

In the following step, you are asked what kind of volume to create, a standard volume or a hidden volume. For simplicity, choose a standard volume, and then click 'Next' to continue.

Next, you will be asked where to store your volume. Click on the 'Select File' button and you will be presented with a dialog box showing your Mac's filesystem. You will start out by default in your 'Documents' directory. Choose a filename that is not in use, for example 'MyTestEncryptedVolume'. Click 'Next' to continue.

Following that, you will be asked about Encryption options. TrueCrypt offers a number of different encryption algorithms, AES, Serpent, and Twofish. The choice of encryption algorithms is a complex issue but we recommend that you choose one of the cascading options which layers the different algorithms on top of each other, such as 'Serpent-Twofish-AES' or 'AES-Twofish-Serpent'. By using multiple encryption algorithms, you lessen the chance that a vulnerability in one of them will compromise your security. The trade-off is that performance gets worse when you do more math-heavy cryptography. Click 'Next.'

After that, you are prompted to choose your volume size. For testing purposes you can choose 100MB, then click 'Next'.

Finally, you are asked to choose a password that you will use to unlock your encrypted volume. As the program warns you, it is very important that you choose a difficult to guess password. Don't use a dictionary word, and don't choose something based on easily discovered information such as names or dates of birth. TrueCrypt recommends choosing a password of at least 20 characters, with mixed upper and lower case, and punctuation and symbol characters. The maximum length is 64 characters.

For more information on choosing a strong password see http://www.wikihow.com/Choose-a-Secure-Password.

The last step is to select the format of your encrypted disk. The choices are FAT or Mac OS X Extended. If you only intend to use your encrypted volume on Macintosh computers then Mac OSX Extended is a good choice. But if you intend to ever use it on a Windows based computer, or would like to leave that as an option then choose FAT.

After you select the format of your volume, the crypto key generation will begin. You will be asked to move your mouse as randomly as possible inside of the TrueCrypt window. Please do so. The longer you do so, the better the crypto keys will be. Then click 'Format' to format the volume. When the format is complete you will get a pop-up window notifying you that it is done. Then click 'Exit' to end the wizard.

4. Mount your volume

In the main TrueCrypt window, there are a bunch of numbered 'slots' in which you can mount volumes. Select slot #1. Then click the 'Select file' button. Navigate to your MyTestEncryptedVolume file in the Documents folder ( or whatever you called your test volume ) and select it. Then click the 'Mount' button.

You will be prompted to enter your password. Type it in the password window and click 'OK'. Your volume should mount on your desktop.

5. Using your volume

Feel free to try copying some files onto your volume. Then unmount it. And mount it again. Get used to how the interface works. The design is a bit non-intuitive but once you get the hang of it, it seems less intimidating.

You can just leave the TrueCrypt file in your documents folder. Or you can try some more advanced techniques. Here are some more creative things you can do with your volume. You can:

  • Move the TrueCrypt file onto a USB thumb drive or an SD card that can fit into the SD card slot on a MacBook Pro or Air.
  • Encrypt the TrueCrypt file yet again with GPG. This adds another layer of security, but of course, this also adds another layer of inconvenience. But won't it be funny when your adversary finally manages, after months of brute-forcing your password to break the GPG encryption only to find a TrueCrypt volume inside?
  • Store the TrueCrypt file in 'the cloud' on DropBox or Google Drive or a more security-focused service such as LeastAuthority.com's S4. Of course this means you are entrusting a 3rd party with your file and it could fall into your adversary's possession. On the other hand you get the convenience of being able to access it from multiple computers without much preparation. And if you lose your computer you won't lose your TrueCrypt file.
  • If the TrueCrypt file is small enough you can email it or send it over online services such as Jabber/XMPP or Skype.

There are many other things you can do if you use your imagination.