OK then, how do you encrypt a partition? I am trying to find a way so it can be transparent to the user, without having to log in several times. If I encrypt the whole drive, the user will have to log in 2 times. Thanks!
I want to use Truecrypt to encrypt my user profile, but I have 2 questions:
First, how do I encrypt my user profile? When I try to do it, it tells me there are files in use and it cannot copy the folder.
Second, I want to have a key I can use to decrypt it in case I forget the encryption password. How do I do this?
Thanks!
To decrypt, you have to input a password to unlock the encrypted container/partition. You can automount TC containers and the password gets filled in automatically, but to me that's not much security, because you're relying on the user's Windows password only, well in effect. If you still have LM hashes stored on the machine and the user's password is not 15 or more characters, the password is sure to fall in minutes.
What type of data are you protecting, perhaps TC isn't the answer? It doesn't fit every situation, but most. What types of attacks or scenarios come to mind, laptop theft, company records being stolen, PCI/SOX compliance? I'd like to give you the best answer possible so if you can lay out the situation or a mock situation I might have a better answer.
-rich
This is for laptop theft for the company I work for. I tried Microsoft EFS but it is too vulnerable, since there is software that can break it. From what I read, truecrypt is a pretty good choice, I just want the laptop users to feel this is not a burden for them - there are executives who have laptops, too!
The file in the container is encrypted, and once mounted, meaning you've input the password to open the container and view/access the file, you can now read it. If you take a "new text document.txt" file and put some words in it, save it. Then MOVE or CUT the file, and place it in the mounted container, the file will only exist in the encrypted container. If you COPY the file, it will exist in two places, one in plain-text and the other in the container. If you copy and then delete (use shift+del or remember to empty the recycle-bin) the original file, then the one in the TC container should be the only one that remains.
What truecrypt and other software like it (PGP, PointSec and others) try to protect you from is offline attacks. Meaning if the container isn't mounted, or if the HD is removed and read as a secondary drive. Once a container is mounted, meaning open, you've put in the password (or used the keyfiles) to unlock the container, the data in the container looks plain-text. However if the PC lost power after you mounted, your data is safe because it remains encrypted on the disk. When you mount a TC container, the decryption key is kept in memory and the file is decrypted on the fly. Say you have a 2gig text file, a dictionary or something, in a TC container. When you open that file in the mounted container, as your text editor reads the file, those portions the text editor accesses are decrypted to memory only, not to disk. But, if the PC doesn't lose power, and the TC container is mounted, and you step away from the PC without locking it, I come by and look at your z: (we'll use that as an example drive for your TC container) I can open the files as if they were never encrypted at all because the decryption key remains in memory and the PC can't tell me from you. The same applies for someone remote, if I sit down the hall from you and I can get to your Z$ because I am an administrator of your machine, if the Z: is mounted, I too can read it. If you do not have Z: mounted, I cannot, I still don't know the password. If I install a keylogger it's likely I can get the password, so TC has another protection called keyfiles that a key logger won't pick up on.
EFS won't encrypt the whole drive, in fact there are many folders it won't work on by design. Just about any solution that encrypts the HD needs a secondary password to be able to boot. Seagate has hardware encrypted LT drives, the Momentus drives, that too require a password to boot them. PGP is the same, but might be able to use ActiveDirectory logins or cached windows logins, as does PointSec from CheckPoint. Those are enterprise solutions that you may want to look at. If you have 1-20 LTs that you want to secure, I'd recommend Full Disk encryption either using TC, PGP, PointSec or Seagate drives. All are good choices, some may be a better fit for you than others. TC is free, very good solution for a small amount of LTs, but doesn't have the enterprise capabilities of the others.
The other thing to take into account, as you've pointed out, your users might not be too savvy... meaning you can't expect them to put vital documents and data in a certain place, they are just as likely to leave it on their desktop as they are to put it where they should in the encrypted partition you've laid out for them. That is another benefit of keyfiles, not having to remember a password, but you do have to remember the file used to unlock the container.
http://www.truecrypt.org/d
I hope this helps some
-rich
Sorry to ask you so much. What about encrypting the whole drive? Is this better for the users, especially for the executives who, I know, would not like to mount a volume in Windows every day?
Also, how can I, as administrator, have full control over a laptop if someone leaves? Is there a key I can use for all the laptops to decrypt them? If yes, how can I use it?
Thanks!
No problem, I am here to help :)
I feel whole disk is better for securing a LT, especially for the reasons you've cited, users not mounting the container or keeping the files in the container. There is no backdoor, or secondary login for TC whole-disk encryption. You could and should set the protection password yourself, have it documented for each Laptop, and maintain a library of the TC Rescue discs. These are the CDs TC forces you to create before WDE (whole disk encryption) kicks off. Again WDE allows you to continue to use the computer as it's encrypting, even allows reboots and pauses in the process!
You should set the password to boot yourself, and give it to the users, try to make each unique, but not by using an easy to guess scheme like "UserName-works4companyXYZ".
I let users pick their phrases for the most part, it makes it more memorable, however I am the one who inputs it so I know what it is. Changing it will be beyond most users' ability.
Again when the PC is booted, it will function like any other PC, you'll have the exact same access to that PC as you did before encrypting, it's the same with all similar software and hardware offerings. The protection/encryption is for when the OS isn't running. All apps still function as before, defrag, chkdsk etc... it's just the HD can't be read now without someone entering the correct pass. You as an admin knowing the pass can both boot or remove the HD and mount the HD using a USB to IDE/SATA cable for instance, as long as you have TC installed on the PC you're trying to mount the HD from. So if you have an infected HD you can remove it, and scan it (after mounting using TC) just like any other HD.
-rich
Looks like what I said doesn't matter, as long as you maintain a backup or original copy of the rescue disk and the password that was used when it was created, even if the user does change the password, you can still recover/boot the HD: http://www.truecrypt.org/d
WARNING: By restoring key data using a TrueCrypt Rescue Disk, you also restore the password that was valid when the TrueCrypt Rescue Disk was created. Therefore, whenever you change the password, you should destroy your TrueCrypt Rescue Disk and create a new one (select System -> Create Rescue Disk). Otherwise, if an attacker knows your old password (for example, captured by a keystroke logger) and if he then finds your old TrueCrypt Rescue Disk, he could use it to restore the key data (the master key encrypted with the old password) and thus decrypt your system partition/drive.
So as long as the Rescue Disk is around and the known initial password, you should be able to restore even if they do manage to change it. I don't leave TC installed after the HD is encrypted unless I have users that need to store or access sensitive data while not on our networks. You should always test these scenarios in your own test environment as well to make sure you're familiar with the process.
-rich
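An added example, not code from this thread or from TrueCrypt, of the rescue-disc bookkeeping described above: a small Python audit over a constructed inventory that flags a laptop whose saved rescue ISO predates its last password change (restoring it would restore the old password, per the warning quoted above), a laptop with no ISO in the library, and an ISO whose hash no longer matches the one recorded when it was saved. The inventory rows, dates and hashes are all constructed.

```python
import hashlib
from datetime import date

# Constructed inventory: one row per laptop, kept alongside the library of saved
# rescue ISOs. 'iso_sha256' is the hash recorded when the ISO was saved.
INVENTORY = [
    {"laptop": "LT-001", "iso_created": "2009-07-01", "password_changed": "2009-07-01",
     "iso_sha256": "11" * 32},
    {"laptop": "LT-002", "iso_created": "2009-06-15", "password_changed": "2009-08-03",
     "iso_sha256": "22" * 32},
    {"laptop": "LT-003", "iso_created": "2009-07-20", "password_changed": "2009-07-20",
     "iso_sha256": "33" * 32},
]

def sha256_file(path, chunk=1 << 20):
    """Hash a saved rescue ISO so the library copy can be compared with the record."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit(records, on_hand):
    """records: inventory rows; on_hand: {laptop: sha256 of the ISO actually in the
    library}, with no entry for laptops that have none. Returns {laptop: [findings]};
    an empty list means the rescue disc is current and intact."""
    report = {}
    for r in records:
        findings = []
        created = date.fromisoformat(r["iso_created"])
        changed = date.fromisoformat(r["password_changed"])
        if created < changed:
            # Restoring this ISO would restore the OLD password: destroy and recreate it.
            findings.append(f"stale: ISO predates the password change by "
                            f"{(changed - created).days} days; destroy it and create a new one")
        actual = on_hand.get(r["laptop"])
        if actual is None:
            findings.append("missing: no rescue ISO in the library for this laptop")
        elif actual != r["iso_sha256"]:
            findings.append("mismatch: library ISO hash differs from the recorded hash")
        report[r["laptop"]] = findings
    return report

if __name__ == "__main__":
    # Constructed library state: LT-003's ISO was never saved.
    library = {"LT-001": "11" * 32, "LT-002": "22" * 32}
    for laptop, findings in audit(INVENTORY, library).items():
        print(laptop, "OK" if not findings else "; ".join(findings))
```

In real use the `on_hand` map is built by running `sha256_file` over each ISO in the library directory.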
Not that I know of, you might need to write the TC help forums to see if there is a way...
The automount feature, which I thought didn't provide much protection, it looks like it's better than I thought as it's derived from the pre-boot authentication: http://www.truecrypt.org/f
You can use the /noisocheck command line switch to create and save ISO files rather than CDs.
http://www.truecrypt.org/d
-rich
I don't believe so, but it might be a good feature request to have. I'd searched the forums but it's not that great, but so far no one seems to have asked that. Perhaps there is a way to require the Recovery ISO or CD. Part of your users' acceptable-use policy should include verbiage like "Unauthorized attempts to circumvent, bypass or uninstall security software could subject or expose the company to litigation and or other legal actions".
-rich
by: richrumble, posted on 2009-08-05 at 18:59:28, ID: 25029529
You wouldn't want to encrypt just your user profile, you wouldn't be able to login until you unencrypted it from another account, used fast-user switching and then MAYBE you could login under that user name. TrueCrypt doesn't decrypt to disk when you open a volume or truecrypt container, as you read data that is encrypted on the disk it's written to memory, never disk (unless you're going to leave the data unencrypted).
You can encrypt your whole HD so that no one can boot the PC without the long password and no one can remove your HD and read it without the same password. InfoWorld just mentioned it in an article about open source software: http://infoworld.com/d/open-source/best-free-open-source-software-windows-903?page=0,7
Most folks encrypt a file, partition or folders, encrypting your profile won't be possible from that account while you're logged in with that account. Fast User switching isn't available for domain joined PCs, just workgroup standalone PCs running XP, Vista or Windows 7.
Also when you encrypt your entire HD, TrueCrypt forces you to create a CD and verifies that you've created the backup key CD.
-rich