Encrypting Swap and User Profiles on Windows


TrueCrypt, TCTEMP and TCGINA

TrueCrypt provides on-the-fly encryption (OTFE) of data storage (USB drives, container files, partitions): without the correct passphrase the data cannot be read. Currently, TrueCrypt is available on Windows and Linux; OS X support is on the road map for 5.0, due for release in January 2008. Through the use of TrueCrypt containers, TCTEMP and TCGINA encrypt user profiles, the Windows paging file, temporary files and print spooler files.

TCTEMP automates the use of a TrueCrypt encrypted volume for the Windows paging file (the equivalent of Linux swap), temporary files and print spooler files. TCTEMP accomplishes this in the following manner. First, during Windows startup it generates a new random key and password for a TrueCrypt volume. Next, it mounts the TrueCrypt volume and initializes it by copying the contents of an image file to the volume. Because only the sectors required to replicate the file system are copied to the TrueCrypt volume, the procedure is as fast as a quick format. Since the key is regenerated at every boot, whatever was paged or spooled to the volume during the previous session is effectively unrecoverable afterwards.

TCGINA uses TrueCrypt to provide OTFE of a Windows user profile. A Windows user profile may contain user registry files, user documents and settings, temporary files, etc.

Important Note: The use of TCTEMP and TCGINA is unnecessary with the release of TrueCrypt 5.0. TrueCrypt 5.0 allows system (partition or drive) encryption, removing the need to separately encrypt temp space and user profiles.


Configuring TCTEMP

Before installing TCTEMP, note the warning posted on the project page about a known problem: moving the paging file to the TCTEMP volume may cause a STOP error (blue screen of death) during Windows shutdown.

To install TCTEMP, you must first have TrueCrypt installed. From the TCTEMP project page, download the version of TCTEMP that corresponds to the version of TrueCrypt you installed, and follow the instructions in the TCTEMP user guide. After installation, you need to configure Windows to use the encrypted volume for temporary files, the Windows paging file and the print spooler files. To change the location where Windows stores temporary files, run the following steps. For the example below, the mount point is T:. Be sure to change the actions as appropriate for your system. Note that if you want encrypted temporary files for multiple users, you need to repeat only the "User variables" steps for each additional user; the "System variables" are changed once.

  1. Right click on "My Computer" and select "Properties"
  2. Select the "Advanced" tab and click "Environmental Variables"
  3. Select the TEMP variable in the "User variables" and click "Edit"
  4. Change the variable value to T: and click "OK"
  5. Repeat steps 3 and 4 for the TMP variable in "User variables" and the TEMP and TMP variables in "System variables"
  6. Click "OK"
  7. Click "OK"
  8. Reboot your system so the new values take effect
  9. On reboot, securely wipe the directories the previous TEMP and TMP values pointed to with Eraser

To change the location Windows uses for the paging file, run the following steps. For the example below, the mount point is T:. Be sure to change the actions as appropriate for your system.

  1. Right click on "My Computer" and select "Properties"
  2. Select the "Advanced" tab and the "Settings" button under the "Performance" section
  3. Select the "Advanced" tab and click the "Change" button under the "Virtual Memory" section
  4. Select the C: drive, set the radio button for "No paging file" and click the "Set" button
  5. Repeat step 4 for every drive listed with the exception of the T: drive.
  6. Select the T: drive, set the radio button for "Custom size", and set the "Initial size (MB)" and "Maximum size (MB)" to the size of your TrueCrypt volume (or slightly less, to leave room for file system overhead)
  7. Click the "Set" button and click the "OK" button
  8. Click "OK"
  9. Click "OK"
  10. Reboot your system so the new values take effect

To change the location where Windows stores the print spool, run the following steps. For the example below, the mount point is T:. Be sure to change the actions as appropriate for your system.

  1. Click the "Start" button, select Control Panel->Printers and Faxes
  2. Click "File" and select "Server Properties"
  3. Click on the "Advanced" tab
  4. In the "Spool Folder" box, type T:
  5. Click "OK"
  6. Reboot your system so the new values take effect
  7. On reboot, securely wipe the previous spool folder with Eraser
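The three procedures above (temporary files, paging file, print spool folder) as a single PowerShell script. This is an added example, not code from TCTEMP or TrueCrypt; it assumes TCTEMP is installed with T: as its mount point, a paging file size that fits on that volume, and an elevated session. It checks that the encrypted volume is actually mounted before redirecting anything, and it reports the old plaintext locations that the steps above say to wipe with Eraser after the reboot.

```powershell
# Added example, not part of TCTEMP or TrueCrypt: point temporary files, the
# paging file and the print spool folder at the TCTEMP-managed volume.
# Assumptions: TCTEMP is installed, T: is its mount point, the paging file
# size fits on the volume, and this runs in an elevated PowerShell session.
$Mount      = 'T:'     # assumption: the TCTEMP mount point used in the text
$PagefileMB = 1024     # assumption: at or below the size of the T: volume

# Refuse to continue if the encrypted volume is not mounted; pointing TEMP
# or the spooler at a drive that does not exist breaks installers and printing.
if (-not (Test-Path -LiteralPath "$Mount\")) {
    throw "$Mount is not mounted. Mount the TCTEMP volume first."
}

$oldLocations = @()   # plaintext paths to wipe with Eraser after the reboot

# 1. TEMP and TMP in both scopes. Machine scope covers services and setup
#    engines; the user scope must be repeated for every additional account.
foreach ($scope in 'User', 'Machine') {
    foreach ($name in 'TEMP', 'TMP') {
        $old = [Environment]::GetEnvironmentVariable($name, $scope)
        if ($old) { $oldLocations += [Environment]::ExpandEnvironmentVariables($old) }
        [Environment]::SetEnvironmentVariable($name, $Mount, $scope)
    }
}

# 2. Paging file: drop every existing entry ("No paging file" on each drive),
#    then create one fixed-size file on T:. Win32_PageFileSetting exists on
#    XP and later; AutomaticManagedPagefile only exists on Vista and later
#    and must be cleared there, or Windows ignores the custom entry.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PSObject.Properties['AutomaticManagedPagefile'] -and $cs.AutomaticManagedPagefile) {
    $cs.AutomaticManagedPagefile = $false
    $null = $cs.Put()
}
Get-WmiObject -Class Win32_PageFileSetting | ForEach-Object {
    $oldLocations += $_.Name
    $null = $_.Delete()
}
$pf = ([wmiclass]'Win32_PageFileSetting').CreateInstance()
$pf.Name        = "$Mount\pagefile.sys"
$pf.InitialSize = $PagefileMB
$pf.MaximumSize = $PagefileMB
$null = $pf.Put()

# 3. Print spool folder: the "Spool Folder" box in Print Server Properties
#    writes this registry value; the spooler reads it when the service starts.
$printKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
$oldSpool = (Get-ItemProperty -Path $printKey).DefaultSpoolDirectory
if ($oldSpool) { $oldLocations += $oldSpool }
Set-ItemProperty -Path $printKey -Name DefaultSpoolDirectory -Value "$Mount\"

# 4. Report the locations that still hold plaintext from before the change.
#    These are the paths the procedure says to wipe with Eraser after reboot.
$oldLocations | Sort-Object -Unique | ForEach-Object {
    Write-Host "Plaintext remnant to wipe after reboot: $_"
}
Write-Host "Reboot now; the new locations take effect at the next start."
```

After the reboot, confirm the change took effect before wiping anything: `Get-WmiObject Win32_PageFileUsage` should list only `T:\pagefile.sys`, and `$env:TEMP` in a fresh session should read `T:`. If the paging file is still on C:, the STOP-error warning above is the first thing to check.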

Configuring TCGINA

Before installing TCGINA, make a backup of your user profile. If something goes wrong during or after the installation, or if you forget or lose the password for the TrueCrypt container, the entire user profile is lost; there is no recovery option.
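One way to take that backup and verify it before TCGINA touches the profile, as an added PowerShell example that is not part of TCGINA. It assumes the user name and backup destination shown, that it runs elevated from a different account (the profile being copied is not in use, which matches the temporary-account advice in this section), and that robocopy is available (built in from Vista; the Resource Kit on XP). The profile directory is resolved from the ProfileList registry key rather than guessed from a path.

```powershell
# Added example, not TCGINA's own code: copy a user's profile with ACLs
# intact and verify the copy before encrypting the profile.
# Assumptions: run elevated from another account; robocopy.exe is on PATH;
# $User and $Backup are placeholders for the real account and destination.
$User   = 'alice'              # assumption: account whose profile will be encrypted
$Backup = 'D:\ProfileBackup'   # assumption: destination outside the profile

# Resolve the profile directory from the ProfileList key, present on XP and
# later, instead of assuming "C:\Documents and Settings\<user>".
$sid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
$src = [Environment]::ExpandEnvironmentVariables(
           (Get-ItemProperty -Path $profileKey).ProfileImagePath)
if (-not (Test-Path -LiteralPath $src)) { throw "No profile directory at $src" }

$dst = Join-Path $Backup $User
$log = Join-Path $Backup "$User-robocopy.log"
New-Item -ItemType Directory -Path $Backup -Force | Out-Null

# /E copies all subdirectories, /COPYALL keeps data, ACLs, owner and
# auditing, /XJ skips junction points (Vista+ profiles contain loops such
# as "Application Data"), /R:1 /W:1 stops locked files from stalling the run.
& robocopy.exe $src $dst /E /COPYALL /XJ /R:1 /W:1 /NP "/LOG:$log"
$rc = $LASTEXITCODE

# robocopy exit codes below 8 mean success (bits 1, 2 and 4 are informational);
# 8 and above mean some files failed to copy and the log must be examined.
if ($rc -ge 8) { throw "robocopy reported failures (exit code $rc); see $log" }

# Independent check: every regular file under the source must exist in the
# copy with the same length. Files reachable only through junctions were
# skipped by /XJ and will show up here on Vista and later; review them.
$missing = Get-ChildItem -LiteralPath $src -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object {
        $rel  = $_.FullName.Substring($src.Length).TrimStart('\')
        $copy = Join-Path $dst $rel
        (-not (Test-Path -LiteralPath $copy)) -or
            ((Get-Item -LiteralPath $copy -Force).Length -ne $_.Length)
    }
if ($missing) {
    $missing | ForEach-Object { Write-Warning "Not backed up: $($_.FullName)" }
    throw "Backup incomplete; do not run TCGINA yet."
}
Write-Host "Profile for $User backed up to $dst (robocopy exit code $rc)"
```

Keep the backup on a drive that TCGINA will not touch, and only delete it once you have logged in with the encrypted profile and confirmed the registry hive and documents came across.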

You will need to create a TrueCrypt volume for your encrypted profile(s). You can either create one volume shared by all user profiles or one volume per user profile. Be sure to create the volumes large enough for all of the user's files. I highly recommend separate volumes for each profile, as this prevents the compromise of one profile's volume from compromising the remaining profiles.

Lastly, TCGINA will not allow you to encrypt the profile of the user currently logged in. For this reason, it is highly recommended that you create a temporary account with admin privileges whose sole purpose is to encrypt the profiles. Upon completion of this task, you can either encrypt this account's profile or delete the account and its data.

After mounting the desired TrueCrypt volume, run "install/setup.exe" from the TCGINA 7-Zip archive. Select "Encrypt User Profile", then select the appropriate user from the drop-down menu along with the appropriate mount point, and click "OK". TCGINA copies the profile from its unencrypted location to the TrueCrypt volume. Upon completion, TCGINA tells you where the old unencrypted profile is and recommends that you erase it with something like Eraser after rebooting.

On reboot, the system prompts you for your Windows password (if you did not disable LAN Manager hashes), followed by your TrueCrypt password. If you log in successfully, you have done so with an encrypted profile.