The Download Blog
July 9, 2008 5:01 PM PDT

Encrypt an operating system using TrueCrypt

by Seth Rosenblatt

TrueCrypt has been the standard for file and folder encryption since 2004, and it doesn't hurt that it's open-source freeware, either. The latest update includes the power to do more than protect the mere output of your work: you can now encrypt and hide an entire operating system using the program's wizard.

TrueCrypt's Hidden Operating System wizard offers a lot of detail on the complicated procedure.

(Credit: CNET Networks)

As the step-by-step guide points out when you start it, one of the reasons you might want to create a hidden OS is in case of extortion. A little paranoia doesn't hurt, either. So, when you create the hidden OS, it also creates signposts to a decoy hidden operating system. The decoy operating system is the only one an outside investigator can discover, since all indicators to the true hidden OS have been removed.

The reason that the decoy is needed is that to boot any system encrypted by TrueCrypt, the hard drive must have the unencrypted TrueCrypt boot loader installed. However, this new version of the program creates the ability for a single boot loader to support more than one encrypted partition. Because the mere existence of the boot loader indicates an encrypted system, the first encrypted volume becomes the dummy one. With no signposts to indicate the second encrypted volume exists, it becomes the hidden one.

The language in TrueCrypt's explanation of how this all works can be a little confusing, but basically the encrypted partition contains two volumes encrypted under different keys, one within the other. The interior volume contains the hidden OS, while the outer one has data that looks sensitive but you're willing to sacrifice to protect the existence of the hidden volume and its operating system.
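The nesting described above, as an added example that is not from the article or from TrueCrypt: a toy Python model in which one container has two header slots, each opened by a different password. The slot size, the marker value and the SHA-256 keystream cipher are assumptions chosen for brevity; TrueCrypt's real volume format and ciphers differ.

```python
import hashlib
import os

SLOT = 64              # bytes per header slot (toy size, an assumption)
MAGIC = b"TOYVOLHDR"   # marker proving a header decrypted correctly (assumption)

def _keystream(key, n):
    # Toy stream cipher: SHA-256 in counter mode. Not TrueCrypt's cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def _crypt(password, salt, data):
    # Same call encrypts and decrypts: XOR with a password-derived keystream.
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def make_header(password, label):
    salt = os.urandom(16)
    body = (MAGIC + label.encode()).ljust(SLOT - 16, b"\0")
    return salt + _crypt(password, salt, body)

def try_header(slot, password):
    # Returns the volume label if this password opens this slot, else None.
    body = _crypt(password, slot[:16], slot[16:])
    if not body.startswith(MAGIC):
        return None
    return body[len(MAGIC):].rstrip(b"\0").decode("ascii", "replace")

def create_container(outer_pw, hidden_pw=None):
    # Slot 0: outer header. Slot 1: hidden header, or random filler if none.
    outer = make_header(outer_pw, "outer")
    hidden = make_header(hidden_pw, "hidden") if hidden_pw else os.urandom(SLOT)
    return outer + hidden

def mount(container, password):
    # Try the password against every slot; which one opens decides the volume.
    for i in range(len(container) // SLOT):
        label = try_header(container[i * SLOT:(i + 1) * SLOT], password)
        if label is not None:
            return label
    return None

if __name__ == "__main__":
    box = create_container("decoy-pass", "real-pass")   # constructed passwords
    for pw in ("decoy-pass", "real-pass", "wrong"):
        print(pw, "->", mount(box, pw))
```

In this model a container created without a hidden password has the same length, and its second slot is plain random bytes, so only a password that actually opens the slot tells the two cases apart.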

Here's how it works. The wizard verifies that the necessary partitions exist, with the second one being at least five percent larger than the first. (That number jumps to 110 percent if you're running an NTFS volume.) Assuming you've already partitioned your hard drive, it creates two volumes behind the system partition--an outer one and the hidden one. Eventually, the OS you started the wizard under will become the decoy, but to start you need to copy that handful of super secret-looking files or folders over to the new, second partition.

TrueCrypt then reanalyzes the partition to determine the amount of space needed for the hidden OS, creates the hidden volume, and copies the content of the system partition to it. The process can be interrupted so that users can shut down or reboot their computers. This is important because, TrueCrypt warns, depending on volume size and your computer's performance, the whole process can take anywhere from hours to days.

Yeah, days.

The Hidden Operating System wizard can be accessed from the System menu.

(Credit: TrueCrypt)

The actual copying process will restart, though, if it's interrupted. Still, once it's done, TrueCrypt encrypts the operating system on the first partition, using a different encryption key from the one used to create the hidden OS.

To get started, go to the Menubar and click System, then choose Create Hidden Operating System. The wizard for this option is well detailed, with clear explanations helping you understand what you're doing at each step.

Somebody forcing you to disclose secure files will only find a handful that you've chosen because they look important. These files live on the decoy OS. The wizard creates a new partition and copies the entire OS that exists on the current partition to it. This new partition becomes the hidden OS. In total, users will have three passwords: one for the outer volume, one for the decoy operating system, and one that will allow the hidden operating system to boot.

TrueCrypt is so concerned with your security that it even provides examples of plausible deniability for you to use if your encryption scheme is ever discovered. Given all the recent news about personal data and top-secret government files getting stolen, one would think that companies and the feds would consider investing in TrueCrypt--but it seems like authentic security will have to be left to the casual power user instead.

Seth peers into the deep, dark corners of software so that you don't have to. He has yet to suffer a single nightmare about OS/2. You can follow him on Twitter.
by 0zSpit July 9, 2008 5:11 PM PDT
excellent program. aren't the federal agents holding a man's laptop because he won't give them the password to partition z?
by x33a July 9, 2008 5:54 PM PDT
excellent post seth, you spent a lot of time on it :)

this program is absolutely a must on multi user systems where privacy might be an issue.
by juan jose parodi July 10, 2008 6:40 AM PDT
good
by Aengus_McCallen July 10, 2008 8:55 AM PDT
I am wondering if this would be worth using for a networked school system or if it would turn into an IT nightmare? Any suggestions?
by srosenblatt July 10, 2008 11:02 AM PDT
@Aengus:

It sounds like a nightmare, but you might want to check out the TrueCrypt forums and see what they say. Let us know what you find out!
by t26l July 10, 2008 9:12 PM PDT
Someone please help!! I used TrueCrypt to encrypt a partition on my hard drive (I have three partitions, C: for Vista, D: for my music, and the third encrypted partition). Then using Vista's built-in Disk Management, I removed the drive letter/path to hide the encrypted partition (i.e. you couldn't even see the partition in My Computer until it was mounted in TrueCrypt). This worked beautifully for over a year until last week when a bad install of AnyDVD caused me to need to reinstall Vista, which I did back into the C: partition. Except now, after installing TrueCrypt again, it can no longer see the hidden partition when I attempt to "Select Device" in order to mount it. The encrypted partition is labeled in Disk Management as Unallocated Space, but that doesn't really alarm me because it was like that before when TrueCrypt COULD see it. I think somehow the Vista reinstall hosed my partition map or something... But I really think my files are still there in the "Unallocated Space" since installing Vista in C: should not have touched that space... Anybody have any insight? It would be greatly appreciated!
by RHABU July 11, 2008 12:33 PM PDT
I am Shoaib from India, in Gujarat. I like this software and am satisfied with this software. Thank you very much.
by Arthur_Douglas November 3, 2009 7:45 AM PST
This is a great tutorial for encrypting the whole system drive. This is the one that I used for just making an encrypted file that you can keep on a flash drive or hidden on your computer to put your personal files in to keep prying eyes away. I keep one of these on the flash drive I carry as well as the USB HDD to keep things safe in case I lose them.
http://smackedbacon.com/?p=146