HOW TO: Encrypt Virtual Disks on External Drives

TrueCrypt

Let’s say you’ve pulled down a copy of your application’s production database, or simply want to encrypt some personal files.

First, download TrueCrypt. PGPDisk should work similarly.

You’ve got a big fat 400+ GB external hard-drive that you can load up with both unencrypted data (mp3s, etc) as well as your sensitive, encrypted data.

First, make sure the drive is formatted with NTFS.

In Windows Explorer, right-click on the drive and click properties — chances are it will either say FAT32 or NTFS.

If it says FAT32, click “Start -> Run” then enter “compmgmt.msc”. Select “Disk Management” from the menu on the left, then right-click on the drive and format it as NTFS.

Encrypting a Virtual Disk

TrueCrypt (and PGPDisk) work by creating “virtual disks” within a hard disk. Thus, they are basically just files on the filesystem. You’ll need to use the TrueCrypt software to decrypt the virtual disk, and mount it as a drive on your system.

See this tutorial on how to create an encrypted virtual disk (for example, on your external hard-drive).

Your Passphrase

The encryption that both TrueCrypt and PGP use is leveraged by the NSA, etc. With cryptography, there are no 100% certainties that crackers will not break these encryption schemes, but chances are, you should be as safe as your passphrase.

What that means is that if you choose a weak passphrase, like ‘fido’ or ‘cookies’, then if someone ever intercepts your encrypted hard-drive, it will potentially be much easier to crack.

Some blog posts & commenters have talked about using biometric finger scanners, and techniques such as “hidden partitions” within the encrypted partition. If you seriously have data this valuable, it would be my recommendation to distance your physical self as far as possible from this data. i.e. you don’t want terrorists or criminals kidnapping you, lopping off your finger / retina, etc. just to access your data.

Choosing Your Passphrase

Obviously, if you write down your passphrase, store it in “notes.txt” on your desktop, tell it to a friend, or get tortured & forced to give it up… then the following technique is pointless.

The entire point of using this technique is to simply make brute force cracking of the physical encrypted drive more difficult.

So, choose a passphrase that has several words, uppercase characters and some numbers — but make sure you can still remember it!

For example, let’s use this one:

This dassphrase should do the trick.  123456789

These are cAsE sensitive btw.

Hash Your Passphrase Using SHA1

Next, use a tool like this one to convert your passphrase to an SHA1 hash.

Since Internet connections are ubiquitous, it’s safe to assume that you’ll always be able to get access to an Internet connection when you need to decrypt your hard-drive. If your situation is such that this is not the case, then by all means don’t try this at home!

So, type your passphrase into the “Input” field on this page and click the SHA-1 button (or use your favorite programming language’s SHA1 hexdigest implementation).

My result:

fa636945cdce2604631aedf0c3a3e2ed71395991

Next, convert it to discrete chunks. This will be our final ultimate passphrase that we type into TrueCrypt or PGPDisk:

fa636 945cd ce260 4631a edf0c 3a3e2 ed713 95991
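The hash-and-chunk steps above can also be done locally, which keeps the passphrase out of a web page and removes the need for an Internet connection. The script below is an added example, not part of the original post; the function names `derive` and `pitfalls` are made up for this illustration.

```python
import getpass
import hashlib
import sys

GROUP = 5  # the article splits the 40-hex-digit digest into groups of 5


def derive(passphrase, group=GROUP):
    """SHA-1 hexdigest of the exact passphrase bytes, split into groups."""
    # Deterministic: anyone who knows this scheme and guesses the passphrase
    # gets the same string, so the original passphrase still has to be strong.
    digest = hashlib.sha1(passphrase.encode("utf-8")).hexdigest()
    return " ".join(digest[i:i + group] for i in range(0, len(digest), group))


def pitfalls(passphrase):
    """List input details that silently change the digest on a later retype."""
    notes = []
    if passphrase != passphrase.strip():
        notes.append("leading/trailing whitespace (e.g. a newline from `echo`)")
    if "  " in passphrase:
        notes.append("consecutive spaces (easy to retype as one)")
    if not passphrase.isascii():
        notes.append("non-ASCII characters (encoding may differ between tools)")
    return notes


def main():
    # getpass reads without echoing, so the passphrase never appears on screen
    # or in shell history.
    first = getpass.getpass("Passphrase: ")
    if first != getpass.getpass("Repeat: "):
        print("Passphrases differ", file=sys.stderr)
        return 1
    for note in pitfalls(first):
        print("warning: " + note, file=sys.stderr)
    print(derive(first))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Every byte counts: a different letter case, a doubled space, or a trailing newline gives a completely different string, and the volume will not mount with it.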

I realize this may seem overly paranoid, but if you’re going to bother doing it, you might as well do it right. If any security aficionados are in the house, I’d love to hear your thoughts in the comments.

Mount Your New “Virtual Disk” with TrueCrypt

Once you’ve created your encrypted virtual disk (it took 3 hours on my machine for a 150GB encrypted virtual disk), you’ll need to mount it using TrueCrypt. Let’s say you mount it as drive “Y:”.

Now you can simply use Explorer to drag files onto it as you would any other mounted drive. It will be slightly slower, of course.

When you’re through loading files onto it, simply unmount the drive using TrueCrypt. You’ll need to go through this process every time you need to read from the encrypted virtual disk or write to it.
