A handy trio of tools for protecting your privacy
Maybe you can't stop the NSA, but you can still take meaningful steps to protect your privacy.
We've all read the reports about Internet companies and government agencies that are tracking people. Like many Linux users, you might be interested in making your system as "NSA-proof" as possible. The tools and techniques for cyberprivacy are far too numerous to cover in a single article, but most of the challenge boils down to three basic objectives:
- Secure data at rest
- Secure data in transit
- Clean up
Securing data at rest means encrypting the data as it sits in storage somewhere – which might be on your own drive or in a Dropbox or Carbonite folder in the cloud. Securing data in transit means encrypting and anonymizing information so no one can read your messages or trace your Internet activity. Cleaning up means you don't leave information around for others to find.
This article tours a trio of tools for keeping intruders, spies, and traffic analyzers off your trail. The software described helps you raise the bar to make it more difficult for anyone to snoop your data and your browsing habits. Some of these tools have appeared in previous articles, but it is still useful to see the information all in one place. I have no illusion that these tools are impregnable, fool-proof solutions. They simply make it more difficult for any entity to snoop, track, and analyze your activities.
Encrypting at Rest: TrueCrypt
Several open source tools offer the ability to encrypt data at rest. Some of these tools operate at the file and directory level, and others operate on a whole block device. One example of a block encryption tool is TrueCrypt . See the article on block encryption elsewhere in this issue for more on TrueCrypt and the differences between disk-level versus file-level encryption. I'll just give you a quick tour of the GUI so you can see how easy it is to get started with encrypting your data.
TrueCrypt sports a nice graphic interface for those who don't want to go the command-line route. If you want to use TrueCrypt, you'll have to download it from the site; most Linux distributions don't support it from any of their installation tools. Installing TrueCrypt is quite simple, however: Download the tarball, unzip it, and follow the wizard shown in Figure 1.
To run TrueCrypt after you install it, open a terminal and issue the following command:
The TrueCrypt application shown in Figure 2 will run.
From the TrueCrypt main window, you can:
- Create a volume: A "container" that acts as an encrypted directory and holds any file or subdirectory you wish. Any file or subdirectory dropped into this volume is automatically encrypted and decrypted, as long as you know the password to the volume.
- Specify the encryption algorithm you wish to use: In addition to AES, you can specify Serpent, Twofish, and Cascades. I almost always use AES with the highest key size possible. In the United States, that's 256 bits. In general, a larger key size means it will be harder to break the encryption. See the TrueCrypt website for more on the available encryption algorithms. 
- Hide and unhide volumes: TrueCrypt lets you hide an encrypted volume inside another encrypted volume. If someone manages to decrypt the outer volume (or if you are forced to reveal the password) the hidden volume will look like random data inside the outer volume. See the TrueCrypt website for more on hidden volumes .
Creating a Simple Volume
TrueCrypt uses convenient wizards to get you going. To create a simple volume (that basically acts as a giant TrueCrypt file and allows you to place new files inside it), simply click on the Create Volume button. The wizard will begin to create the volume. At the initial screen, select the Create an encrypted file container radio button, then click Next. Creating an encrypted file container means you won't be encrypting an entire partition or USB drive. You'll simply be creating a file inside a standard Linux partition or a directory or file on a USB drive.
At the next screen, you can specify whether you want to create a standard or hidden volume. Clicking Next takes you to the Volume Location window, which is where you tell TrueCrypt where the TrueCrypt volume should be stored. You can specify any location, including a directory off your home directory or a directory on a USB drive.
Creating an initial volume is quite straightforward. Remember that if you have existing files in a directory, TrueCrypt won't encrypt them. If you specify an existing file, that file will be overwritten, which means you'll lose any data in that file.
Encrypt an Entire Drive
To encrypt an entire drive, simply start the TrueCrypt wizard, then select Create a volume within a partition/drive and click Next. The remaining steps are similar to creating a simple volume, but instead of selecting a file or a directory for the file, you are asked to specify a volume, which can include any hard disk partition or USB drive.
Understand that any information on the volume you choose will be destroyed. Don't specify partitions that contain valuable information or system files. If you want to use TrueCrypt to encrypt an entire partition, proceed carefully; do yourself a favor and back up any important data.
Your data at rest is considerably more secure with encryption. TrueCrypt is an easy and convenient encryption tool that even comes with a simple GUI for encrypting volumes and disks. See the article on block encryption elsewhere in this issue for more on TrueCrypt at the command line and other encryption techniques.
Buy this article as PDF
Kernel king admits his tone has alienated volunteers, but says the demands of the process require directness.
New flaw in an old encryption scheme leaves the experts scrambling to disable SSL 3
Lennart Poettering wants to change the way Linux developers talk to each other.
Enterprise giant frees itself from ink and home PCs (and visa versa).
Mozilla’s product think tank sinks silently into history.
TODO group will focus on open source tools in large-scale environments.
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.