[Encryption]The TrueCrypt tutorial seems to be the weakest part of the whole howto. You should really study the
documentation and use that tool to its full potential.
Ummm... disabling the swap file?
Ever heard of deploying full disk encryption (FDE) instead?
You need to set up FDE and two operating systems: the overt one (the system to be used for day-to-day activities) and the concealed one (the one with virtual machines and stuff).
This can be easily achieved with TrueCrypt, and unless you screw something up you should maintain plausible deniability.
FDE makes the whole step 3 (Securing Your Hard Drive) pretty much moot.
Be advised to disable standby on a FDE-secured machine - when that machine sleeps, the FDE keys are still in RAM.
If using Windows XP, Server 2003 or earlier, disable hibernation as well - as there is no API for performing crypto operations on the hibernation file, full security cannot be guaranteed.
ALWAYS REMEMBER TO DISMOUNT ANY TRUECRYPT VOLUME CONTAINING ANY SENSITIVE INFORMATION WHEN YOU ARE NOT USING YOUR COMPUTER
Don't forget to mention that there are automation settings for that in TrueCrypt preferences.
[Data sanitization]If the disk needs to be sanitized, do so before messing with encryption. Consequently, step 6 should be moved to position 0 in your tutorial.
Copy the sensitive data to another (encrypted) medium, backup valuable non-sensitive data, and sanitize the drive.
File shredder... really?
Why not just hose the drive with random data? Be advised that everything on the drive is about to go bye-bye.
dd if=/dev/urandom(1) of=/dev/sdX ... ; repeat until satisfied.
If you don't feel comfortable with linux use
DBAN.
If you do that, no force on earth will be able to scrub any old data off that drive.
By all means do install a file shredder in the OS but use it as an emergency tool.
Don't use SSD drives for storing sensitive data - due to the nature of their operation (wear leveling algorithms and controller-level compression) you can never guarantee full erasure.
Don't use damaged hard drives developing bad sectors - once a bad sector has been detected and replaced the only way to write to it is to use specialized low-level software.
SpinRite can be used to reinstate bad sectors into service. It is not cheap, however.
[Cryptography limitations]Don't expect cryptography to save you if you get identified as the perpetrator of an unlawful act.
Depending on where you live, you might be compelled by law to hand over all decryption keys to the LE (law enforcement) agency.
The investigators might threaten and intimidate you into releasing the keys.
Rubber hose cryptanalysis is a powerful tool.
You never mentioned such basic aspects of security as physical security - a LE agency investigating you might plant a (hardware?) key logger or surveillance cameras to capture your precious passwords.
How lamentable will your situation be if you rely solely on TrueCrypt, oh my
I guess what the last paragraph amounts to is,
please don't break the law - for your own best interest.
Let this be my final piece of advice.
Notes:
(1)
Frandom is an order of magnitude faster than /dev/urandom. Good stuff.
Poll
