For a while I’ve been carrying around a flash drive on my keychain. It helps if I ever need to transfer files from work or pictures from Susan’s house, or whatever. One of the things I put on there is paystubs that I download from work and then bring home. And sometimes I want some spreadsheet from home to be available when I’m at work, so I’ve been carrying around some other financial stuff too. I realized I don’t want just anyone to be able to get all of this if I ever lose the drive or my keys.
I looked around for some kind of flash drive vault software and soon found a free one called TrueCrypt. Like a lot of really good SourceForge collaborations, it has a huge feature set as people make recommendations for improvements. That has also made it kind of complicated: it has a 119-page user manual. I had to follow the first 23 pages of instructions just to store my first file (and this is the abbreviated quick start).
TrueCrypt’s approach is kind of neat. You create an encrypted file on the flash drive (I chose to make my 300 MB out of a 2 GB drive) that can be any name (so I chose katie.avi and figured people would just think it was a video of my dog that they couldn’t open with Windows Media Player for some reason). You open the TrueCrypt software (stored in unprotected space on the drive), open the archive file, enter your password, and it mounts a new drive letter where you can see all of your files and also drag and drop files just like another flash drive (for instance, my flash drive might be drive J:, but the TrueCrypt archive will show up as drive M:).
I still don’t have the hang of it yet, but the level of protection is really impressive. They recommend a 20-letter password and they generate some kind of random key to use by having you move the mouse around for 30 seconds. There are other options like different security algorithms and you can hide the archive file if you want, but I just started on this last night.
Bruce Schneier, my favorite security expert, has pointed out that folks with secret proprietary encryption methods are usually selling snake oil, so I was glad to see that truecrypt.org mentions AES-256 and Twofish, which I recognize as well known and respected encryption methods.
Just thinking about a 119-page manual for something that should be very simple (to use) makes me want to stay away from this.
I lost my flash drive at some point in the last few weeks. I had all kinds of stuff stored in the encrypted file (bills, statements, etc.), but I’m pretty confident no one will be able to get to any of it. Most people won’t get past the fact that I named the archive file katie.avi but it isn’t actually a video.
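An added example, not part of the original post: a real AVI begins with a RIFF/AVI signature, while an encrypted container looks like random bytes from the first byte on, so the file name is only a disguise and the encryption and password are what protect the contents. The sketch below checks both properties on constructed samples; the random bytes standing in for a container and the 7.9 bits-per-byte threshold are assumptions for illustration.

```python
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Return bits of entropy per byte, from 0.0 up to 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def is_riff_avi(header: bytes) -> bool:
    """A real AVI starts with 'RIFF', a 4-byte length, then 'AVI '."""
    return len(header) >= 12 and header[:4] == b"RIFF" and header[8:12] == b"AVI "


def classify(data: bytes, sample_size: int = 65536) -> str:
    """Label a file body by signature first, then by entropy of a sample."""
    sample = data[:sample_size]
    if is_riff_avi(sample):
        return "avi"
    # Assumed heuristic: no signature plus near-maximal entropy suggests
    # encrypted (or compressed) data. It is a hint, not proof.
    if shannon_entropy(sample) > 7.9:
        return "high-entropy, no signature"
    return "unknown"


# Constructed samples (not taken from any real drive).
# Random bytes stand in for an encrypted container named like a video.
CONTAINER_LIKE = os.urandom(65536)
# Minimal RIFF/AVI header followed by zero padding.
AVI_LIKE = b"RIFF" + (4096).to_bytes(4, "little") + b"AVI " + b"LIST" + bytes(4084)
# Plain text, as an unencrypted document would look.
TEXT_LIKE = b"paystub 2008-01 net pay\n" * 1000

if __name__ == "__main__":
    for name, body in [("katie.avi (container-like)", CONTAINER_LIKE),
                       ("real.avi (constructed)", AVI_LIKE),
                       ("notes.txt (constructed)", TEXT_LIKE)]:
        print(f"{name}: {classify(body)}, "
              f"entropy={shannon_entropy(body[:65536]):.3f}")
```

Compressed archives also score near 8 bits per byte, so the result only says the file is not the video its name claims.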