A Portable Encrypted Linux System for Windows

by Aaron

Using TrueCrypt along with Damn Small Linux (DSL), it is possible to create a portable encrypted GNU/Linux work environment which you can take with you from PC-to-PC.

As I have lost a number of USB drives, I find that having the data on them be encrypted by default provides some peace of mind.

The basic concept here is to use TrueCrypt to encrypt the majority of a USB drive.  Inside the encrypted volume will be DSL along with QEMU, which allows the Linux installation to be run on a Microsoft Windows machine.

Steps

1.)  Install TrueCrypt on your PC.

You can run TrueCrypt without installing it; this is called "Traveler Mode."  For the purposes of this example, though, it is assumed that TrueCrypt is installed locally on your PC.

Download TrueCrypt from www.truecrypt.org; then, extract and run the SETUP.EXE program.

2.)  Make a TrueCrypt volume on the USB drive.

Insert the USB drive and wait for the system to recognize it.  For this step, we are going to create an encrypted volume.

In TrueCrypt, select "Volumes -> Create New Volume", which will fire up the Volume Creation wizard.

Select "Create a standard TrueCrypt volume", and hit "Next".

Select "File" and create a file on the USB drive.  Take the defaults for "Encryption Algorithm" and "Hash Algorithm", and hit "Next".

In the next dialog box, set the size of the volume; typically you can choose an amount equal to the size of the drive, subtracting 20 megabytes for the TrueCrypt Traveler volume.

It will then ask you for a volume password; be sure to remember this or you will never be able to access this volume again.  Enter the password, and hit "Next".

It will then begin to format the volume.  After this, you will have an encrypted volume on your USB device.

3.)  Install TrueCrypt Traveler Mode on the USB device.

The next step is to install TrueCrypt Traveler Mode on the drive.

To do this, go to "Tools -> Traveler Disk Setup" in the TrueCrypt program.  This will take you to a setup screen.  Select the drive letter for the USB drive.  Select "Automount TrueCrypt volume (specified below)" from the "AutoRun" configuration section.  Then, select the encrypted volume in the "TrueCrypt volume to mount" section.  Then, hit "Create".

4.)  Test the TrueCrypt volume.

Safely remove the drive and reinsert it.  You should get the TrueCrypt prompt asking for the volume's password.  After that, the drive should be mounted as the next available drive letter.  If this works, we should be ready for the next step.

5.)  Install DSL on the encrypted volume.

Download dsl-4.4.10-embedded.zip from the Damn Small Linux website, www.damnsmalllinux.org.  Unzip the contents to the encrypted volume.

6.)  Create a hard drive image for DSL.

Follow the directions in the README.txt file included with dsl-4.4.10-embedded.zip to "Create a QEMU Virtual Hard Disk and use the DSL-VHD.BAT file".  Fortunately, this only has to be done once per USB drive.

7.)  Test the DSL configuration.

Safely remove the drive and reinsert it.  You should get the TrueCrypt prompt asking for your password.  After you enter that, an Explorer window should pop up.  Select DSL-VHD.BAT, and you should be off and running.

Caveats

TrueCrypt running in Traveler Mode will leave behind evidence on the PC that it has been run and that a volume has been mounted.

TrueCrypt running in Traveler Mode requires administrator privileges to be able to mount drives.  This is a limitation in the way Microsoft Windows handles devices.  If you install TrueCrypt on the system, then you can set it up so it doesn't need administrator rights to run.

Cleanly shutting down the DSL environment is a good idea.  Not shutting it down correctly can lead to file corruption problems in the additional save space.

If you want to save anything, you have to save it to the /mnt/hdb directory.  You will need to be root to be able to save data here.

To change this, open a root shell by choosing "XShells -> Root Access -> Dark" and typing chmod 0777 /mnt/hdb into the window that pops up.  After that, you will be able to save documents to the /mnt/hdb filesystem and have them preserved between boots.
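
The chmod 0777 above makes the save area writable by every account in the guest.  The script below is an added example, not part of the original article: it applies that mode next to an owner-only alternative and checks the result of each.  It runs against a constructed temporary directory rather than /mnt/hdb, the function names are made up for illustration, and the account name "dsl" mentioned in its comments is an assumption about the DSL desktop user.

```shell
#!/bin/sh
# Added example: the article's chmod 0777 next to an owner-only alternative.
# Runs on a constructed temporary directory; on DSL the target would be
# /mnt/hdb and the commands would be typed in the root shell.

# Succeed when "other" users may write to the directory.
# ls -ld prints e.g. drwxrwxrwx; character 9 is the write bit for "other".
is_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Print the numeric uid that owns a directory.
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Hand the directory to one account (name or uid) and drop all other access.
# chown needs root; it is skipped when that account already owns the directory.
restrict_to_user() {
    case $2 in
        *[!0-9]*) want=$(id -u "$2") || return 1 ;;   # account name -> uid
        *)        want=$2 ;;                          # already a numeric uid
    esac
    if [ "$(owner_uid "$1")" != "$want" ]; then
        chown "$want" "$1" || return 1
    fi
    chmod 0700 "$1"
}

# Constructed stand-in for /mnt/hdb.
SAVE_DIR=$(mktemp -d)

chmod 0777 "$SAVE_DIR"                        # the setting from the article
if is_world_writable "$SAVE_DIR"; then
    echo "0777: any account in the guest can write to $SAVE_DIR"
fi

# Assumption: on DSL this would be `restrict_to_user /mnt/hdb dsl`.
restrict_to_user "$SAVE_DIR" "$(id -u)"
if ! is_world_writable "$SAVE_DIR"; then
    echo "0700: only uid $(owner_uid "$SAVE_DIR") can write to $SAVE_DIR"
fi
```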

Options

Note that the method presented here is merely one way to build a portable encrypted environment.

FreeOTFE can be used in place of TrueCrypt.  One of the advantages of FreeOTFE over TrueCrypt is that Linux can use dm-crypt to read FreeOTFE volumes, so TrueCrypt does not have to be installed on a Linux box.

Another distribution of Linux can be substituted for DSL.  For example, nUbuntu can be used to create a portable security toolkit, or Knoppix can provide a more fully featured Linux distribution.  Using Bart's Preinstalled Environment (BartPE), it is even possible to create a version of this project which runs Microsoft Windows instead of Linux.

You can use an SD card, a memory stick, or a portable hard drive instead of a USB drive to hold the environment.  Many systems now come with SD card readers, and some currently don't disable them.  A first-generation Apple iPod shuffle makes a wonderful way to carry the environment around with you.

TrueCrypt has many additional options, such as hidden volumes and stronger encryption algorithms.  Visit the TrueCrypt website for more information.

DSL has optional packages, such as Tor, which can be used to create a more secure browsing environment.

Links

Damn Small Linux (DSL): www.damnsmalllinux.org

TrueCrypt: www.truecrypt.org

QEMU: www.qemu.org
