I previously discussed the merits of disk encryption as a countermeasure against the physical theft of portable computers and the leakage of private and confidential records that could ensue. But Full Disk Encryption is just scratching the surface of what can be done; the concept can and should be extended to all types of storage media, including portable media. I am currently using TrueCrypt‘s encrypted file-container volume capabilities to create encrypted CD-R’s and USB memory sticks both as part of my own regular secure backup and data vaulting operations and in the implementation of secure backup and data portability solutions for my customers.
Why encrypt a CD? Well, think of it this way: You take a good deal of trouble to protect the data on your computer from disclosure, using access controls like login passwords, software countermeasures to protect against infection and intrusion, maybe you have even followed my advice and implemented Full Disk Encryption. Suppose, though, that you then burn some important documents (lets say financial, tax, or customer records or the blueprints to a sensitive project) from your carefully protected computer to a plain old data CD. You place it on your desk, or in a spindle in a drawer, or in your car, or in a box to take to the post office. Later, when you’re not looking, a bad guy snatches this CD and makes off with it. Just like that, he has unrestricted access to its contents without ever having to defeat any defenses. This is a wide open security gap.
Encrypted CDs close this gap in an airtight way. They are effective against the risk of general theft from the premises, the risk of interception in transport, the risk of disclosure to an untrusted agent in a bailment situation as when data vaulting, the risk of corporate espionage, jealous lovers, the IRS, you name it. Whoever snags it will be the proud new owner of a nice pile of random data that, unless they have 5,000 years and a supercomputer, is totally opaque to them.
Secure portable storage media may even be required for regulatory compliance in many contexts, as when storing sensitive customer data such as Social Security Numbers, credit card numbers, or health records. Data breaches in military, public, and commercial sectors have increasingly been making headlines. Regulatory authorities in Nevada and Massachusetts just passed laws requiring the mandatory encryption of Social Security numbers, bank account numbers, and credit card numbers when carried on portable storage devices like flash drives, setting a precedent that will likely see legislation nationwide.
How to make an encrypted CD
The gist of the procedure is to create an encrypted file-container volume with TrueCrypt that is just slightly less than the size of the target media. I use a 695MB .tc container filesize for a 700MB CD-R. (You could choose a similar container filesize for a 4.7GB single layer DVD-R or 8.5GB dual layer DVD-R). The extra margin of 5MB is used to add some AutoRun machinery to the CD so that when the finished disk is inserted, Windows shell takes you right into password entry for mounting the encapsulated volume.
1. Create an encrypted file-container volume on disk
- Open TrueCrypt and start the Volume Creation Wizard by clicking “Create Volume”
- Choose the default “Create an encrypted file container”
- Choose the default “Standard TrueCrypt volume”
- Specify a scratch path where you have sufficient space to hold the 695MB container file. A scratch partition is ideal for this. Make up a filename of your choice, I usually name it contents.tc or [yyyymmdd].tc. For the purposes of this example let’s name it contents.tc
- For Encryption Options the default algorithms are fine unless you care to change them
- Enter a volume size of 695MB
- Specify a password, pick a good one
- The documentation says Windows has problems with NTFS on read-only media, but I’ve never had a problem and always choose NTFS
- Move the mouse around to populate the Random Pool, then finally click “Format” to create the container file
- Writing of the container file shouldn’t take too long, seconds to a minute depending on your system, then you can exit
2. Mount the file-container volume and copy your content into it
- Open the container file you just created, contents.tc, for mounting with TrueCrypt. If you named it with a .tc extension a shell association exists and you can just double-click on it to be taken right into TrueCrypt with it already selected as the volume file.
- An available drive letter should already be selected. Click “Mount” and enter your password to mount the encrypted volume as that virtual drive.
- You can now open that drive letter and populate it with content, whatever is the target data that will be going on the CD. Remember that the drive has a 695MB capacity.
- When done, dismount the volume from TrueCrypt using the “Dismount” button.
3. For a convenient and elegant touch, use TrueCrypt’s Traveler Disk Setup utility to generate some AutoRun machinery that will start automatically when the finished disk is inserted
- Start the utility from TrueCrypt > “Tools” menu > “Traveler Disk Setup…”
- For “Create traveler disk files at (traveler disk root directory)” box, browse for and locate the scratch path you used in step 1 above, the path where the container file resides
- Uncheck “Include TrueCrypt Volume Creation Wizard”, you don’t need it for this use case
- Under AutoRun Configuration choose “Auto-mount TrueCrypt volume (specified below)”
- For “TrueCrypt volume to mount (relative to traveler disk root)” box, browse for and locate the container file itself
- “Open Explorer window for mounted volume” should already be checked
- Finally, click “Create” to generate the AutoRun components. Traveler Disk Setup quickly creates a folder named TrueCrypt with a little bit of plumbing and a file named autorun.inf in the target path, then you can close out of the utility
4. Burn the CD
- Using CD burning software of your choice (I use Nero, but use whatever you have on your machine) create a new Data CD (ISO) compilation
- Place the following files into it: contents.tc, autorun.inf, and the TrueCrypt folder
- Notice importantly what is happening: You are burning the container – not its encapsulated contents – and the AutoRun machinery to media
- Burn the compilation to blank media, label it, and test it
Upon insertion to a computer with AutoPlay enabled, this CD should now prompt you for the password, mount the encrypted volume automatically to an available drive letter, and open an Explorer window to that drive. And because its runtime components are packaged on the disk, it will work even on a machine that doesn’t have TrueCrypt natively installed.
Many security conscious users (myself included) disable AutoPlay because it poses something of a security risk; in this case, you can still mount contents.tc the long way, using TrueCrypt’s main dialog, you just sacrifice some convenience.
The developers of TrueCrypt have remarked that they plan to add support for Raw CD/DVD volumes in a future release, which ought to further simplify this procedure.
Stay tuned to this space for Part 2: Encrypted USB Memory Sticks, where I plan to share a very useful nested AutoRun technique.
Extent of identity theft and data breaches largely hidden
Mass 201 CMR 17: A Survival Guide for the Anxious