Last week we showed you how to set up a simple, but strongly encrypted, TrueCrypt volume to help you protect your sensitive data. This week we’re digging in deeper and showing you how to hide your encrypted data within your encrypted data.
Most people are already familiar with the idea of encryption—using a simple or complicated encryption scheme, data is shifted in some fashion so that it no longer appears in its original state without decryption. Whether we’re talking about a simple Boy Scout Manual cipher or a hardened military-grade encryption application, the basic principle is the same: unencrypted data goes in, encryption mechanism is applied, encrypted data comes out.
When it comes to securing something like your tax returns, a simple workflow built around strong encryption is more than adequate. You’re not trying to prevent anyone from ever having access to your tax information (the government already has it all on file, after all); you’re just trying to protect yourself from identity theft if your computer is stolen. To that end you could follow our previous guide on getting started with TrueCrypt and be perfectly happy.
What if you have data you want to keep hidden at all costs, though? Whether it’s because of a deep sense of privacy, a smattering of paranoia, or a legitimate fear of persecution from a corrupt government, there’s a critical flaw in using simple encryption, humorously highlighted in this XKCD comic:
If the other party knows you have an encrypted volume they can coerce you in some fashion to provide the password for that encrypted volume. You can’t, after all, deny that you have encrypted data if they already have possession of the file container or hard drive that is encrypted.
In a situation like that, or any other situation where you want to encrypt data so deeply that you can outright deny its existence, what can you do? What if you want to hide your data, in a sort of cryptographic version of Inception, deeper than that? To this end we turn to an encryption concept known as “Hidden Volumes” and, conveniently, included as a tool in the TrueCrypt software we showed you how to use last week.
When you create a TrueCrypt volume, the entire volume appears, from outside the volume, like a giant block of random data. There is no way, short of decrypting the contents of the volume, to reveal the contents. Files and empty space alike are uniformly random. Hidden volumes take advantage of this random data and use it as a cloak. After all, if an encrypted volume looks like random data and the free space on an encrypted volume looks like random data, it’s simple to use that random data to hide an additional encrypted volume.
To this end, you can have a parent encrypted volume filled with files that one would reasonably encrypt (personal correspondence, tax documents, client files, etc.) and then hidden and nested within it, an undetectable volume which houses the actual information you are unable or unwilling to reveal (the GPS coordinates of Jimmy Hoffa’s body, the recipe for Coca Cola, or your vacation photos from Area 51).
So how do you access the hidden volume? When you mount the parent volume, you are required to enter a password (and potentially additional verifications, like a key file). If you enter the correct password for the parent volume, the parent volume will mount (revealing the tax documents). In order to mount the hidden volume, you need to enter the password for the hidden volume in place of the password for the parent volume. TrueCrypt then checks a secondary volume header against the secondary password, and mounts the hidden volume. Again, the hidden volume is completely indistinguishable from the empty random space in the parent volume.
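A model of the password check described above, added here as an example and not taken from TrueCrypt. The header layout, slot offsets, marker bytes and the HMAC-based stand-in cipher are assumptions of the example, and the passwords are constructed samples.

```python
import hashlib, hmac, os

# Constants of this model layout (assumptions of the example, not read from the page)
HDR = 512                          # bytes per header slot: 64-byte salt + encrypted body
OUTER_OFF, HIDDEN_OFF = 0, 65536   # slot for the parent header, slot for the hidden header
MAGIC = b"TRUE"                    # marker at the start of a correctly decrypted header

def _crypt(key, data):
    # Stand-in stream cipher (HMAC-SHA256 counter keystream) in place of the real cipher.
    ks = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _key(password, salt):
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 1000, 32)

def make_header(password, start, length):
    salt = os.urandom(64)
    body = MAGIC + start.to_bytes(8, "big") + length.to_bytes(8, "big")
    return salt + _crypt(_key(password, salt), body.ljust(HDR - 64, b"\0"))

def try_header(slot, password):
    # Decrypt one slot; anything but the marker means "wrong password or just random data".
    body = _crypt(_key(password, slot[:64]), slot[64:])
    if body[:4] != MAGIC:
        return None
    return int.from_bytes(body[4:12], "big"), int.from_bytes(body[12:20], "big")

def mount(container, password):
    # One password prompt for both volumes: whichever header it opens decides the result.
    for kind, off in (("normal", OUTER_OFF), ("hidden", HIDDEN_OFF)):
        region = try_header(container[off:off + HDR], password)
        if region is not None:
            return kind, region
    return None

def build_container(size, outer_pw, hidden_pw=None, hidden_len=0):
    c = bytearray(os.urandom(size))   # free space and an unused hidden slot stay random
    c[OUTER_OFF:OUTER_OFF + HDR] = make_header(outer_pw, 131072, size - 131072)
    if hidden_pw:
        c[HIDDEN_OFF:HIDDEN_OFF + HDR] = make_header(hidden_pw, size - hidden_len, hidden_len)
    return bytes(c)

if __name__ == "__main__":
    box = build_container(1 << 20, "decoy-pw", "real-pw", 256 * 1024)  # constructed sample
    for pw in ("decoy-pw", "real-pw", "wrong-pw"):
        print(pw, "->", mount(box, pw))
```

A wrong password and a container that holds no hidden volume give the same result from `mount`, which is what lets the owner deny that a second volume exists.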
If you’d like to read more on the technical aspects of hidden volumes and their execution in TrueCrypt, you can dig into this meaty explanation here. Otherwise, let’s get started building a hidden volume!
There are two ways to create a hidden volume. The first way is to start completely from scratch and create a new parent volume and a hidden volume at the same time. The second way is to create a new hidden volume to nest within an existing parent volume. Since we already showed you how to create a parent volume, we’re going to pick up right where we left off. If you haven’t already created a parent volume, we suggest you visit our guide to getting started with TrueCrypt to familiarize yourself with the application and to create a parent volume. Giving it a quick read is recommended even if you plan on using the all-at-once option, since we won’t be delving as deeply into the process this time around.
To create an encrypted volume within your parent volume you need to fire up TrueCrypt. Do not mount the parent volume—if you had it open, take a moment to dismount it. You cannot create the hidden volume while the parent volume is mounted!
Click on Volumes –> Create New Volume to launch the Volume Creation Wizard. Like in the previous guide, we’re going to select Create an encrypted file container. In the next step, select Hidden TrueCrypt volume, then Direct mode.
Note: If you have decided to create the parent and hidden volume at the same time, select Normal mode—the only difference is that instead of opening an existing volume and creating the hidden volume within it, you’ll run through the Wizard twice.
In the next step you’ll be prompted to select the existing TrueCrypt container you wish to nest the hidden volume within. We picked the same container we created in last week’s tutorial.
Enter the password for that volume when prompted (if you are using extra verification, like a key file, you will need to use it now just as you would if you were mounting the volume for actual use). TrueCrypt will scan the parent volume to determine the maximum size.
Once you specify the size of the hidden volume, you will repeat the exact same volume creation process you used when you created the parent volume—selection of encryption and hash type, volume size, password, file system, etc. Aside from the volume size and password, you can recycle the settings you used with the original volume. Regarding the volume size and password: it’s important that you leave enough room so that you can continue to use the parent volume (more on this later). We have a 4.4GB volume and we dedicated 1GB of it to the hidden volume. Also, it is important you use a password that is significantly different than the password you used for the parent volume. When you’ve selected all the appropriate settings and picked a strong password, it’s time to format the drive.
Once the drive is created, close the Wizard and return to the main TrueCrypt interface. It’s time to mount the hidden volume. Go ahead and navigate to the volume file as you would if you were going to open up the parent volume. Click on Select File, pick the file, and click Mount. When prompted for the password put in the password of the hidden volume, not the password of the parent volume. TrueCrypt will mount the hidden volume and, in the Type column, indicate that it is a “Hidden” volume. Go ahead and fill it up with all the super secret Spy Guy files you need to bury.
Take a moment to dismount the hidden volume so we can walk you through mounting the parent volume safely. Now that you have real data hidden within the random data on the parent volume, it’s critical you mount it correctly to protect that hidden data.
Instead of just selecting the parent volume and plugging in the password, navigate to Volumes –> Mount Volumes with Options. The following menu will pop up:
Check Protect hidden volume…, type in the password, and hit OK. If you fail to follow these steps it is possible that, while working in the parent volume, you can accidentally overwrite part of the hidden volume and corrupt it. Any time you intend to write data to the parent volume, you must engage Hidden Volume Protection. Now we can safely access the parent volume’s data.
It’s important that you continue to use the parent volume to store reasonable decoy data (data that a normal person would want to encrypt) in order to create the illusion that the parent volume exists solely for that purpose. If the container file is frequently accessed and modified but the only files inside are 5-year-old tax documents, your plausible deniability goes out the window.
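Why Hidden Volume Protection matters when you keep adding decoy files, shown with a model volume (an added example, not TrueCrypt code). The sizes are the 4.4GB/1GB split from this guide scaled down to bytes; the class, the back-to-back file placement and the switch to read-only after a blocked write are assumptions of the example.

```python
class OuterVolume:
    """Model parent volume: a byte array whose tail may secretly hold a hidden volume."""

    def __init__(self, size, protect_range=None):
        self.data = bytearray(size)
        self.protect = protect_range   # (start, end) of the hidden volume, or None
        self.read_only = False

    def write(self, offset, payload):
        end = offset + len(payload)
        if self.read_only:
            raise PermissionError("volume is write-protected until remount")
        if self.protect and offset < self.protect[1] and end > self.protect[0]:
            self.read_only = True      # modelling choice: refuse this and later writes
            raise PermissionError("write would overlap the hidden volume")
        self.data[offset:end] = payload


def fill_with_decoys(vol, hidden, file_size, count):
    """Write decoy files back to back; return (files written, hidden bytes damaged)."""
    start, end = hidden
    before = bytes(vol.data[start:end])
    written = 0
    for i in range(count):
        try:
            vol.write(i * file_size, b"\xAA" * file_size)
            written += 1
        except PermissionError:
            break
    damaged = sum(a != b for a, b in zip(before, vol.data[start:end]))
    return written, damaged


if __name__ == "__main__":
    hidden = (3400, 4400)              # last 1000 of 4400 bytes belong to the hidden volume
    print("unprotected:", fill_with_decoys(OuterVolume(4400), hidden, 400, 10))
    print("protected:  ", fill_with_decoys(OuterVolume(4400, hidden), hidden, 400, 10))
```

The parent volume’s file system has no idea the hidden region is in use, so only a mount that was given the hidden volume’s password knows which range to guard.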
For more information about hidden volumes make sure to check out TrueCrypt’s documentation on Hidden Volumes and the accompanying support documents.