How to Encrypt and Hide Your Entire Operating System from Prying Eyes
How to Encrypt and Hide Your Entire Operating System from Prying Eyes
if you’rereally serious about protecting your data, you can actually hide your entire operating system. Here’s exactly how to do it.
To accomplish this task, we’ll be using TrueCrypt, our favorite free and open-source disk encryption software that runs on all platforms, supports hidden volumes, and can even encrypt your entire hard drive.
Once we’ve completed the setup, you’ll have two Windows installations and two passwords. One password will activate a hidden Windows installation as your real operating system, and the other, a decoy install to throw intruders off the trail.
Setting Up Your Hidden Operating System
In order to actually activate the hidden operating system features, you’ll need to make sure that your hard drive is partitioned in a very particular way: You’ll need two partitions on your drive, and the first partition has to have your Windows install on it. The second partition needs to be bigger than the first, and if you’re using NTFS as your file system, it will need to be at least 2.1 times as big as the first partition. You can re-partition your current drive, but your best bet will be a clean installation. (As with skinning a cat, there are many ways to partition a hard drive. Windows 7 and Vista have built in partitioning tools [open Computer Management, then go to Storage -> Disk Management in the sidebar], or you could check out our guide to dual booting Windows 7 as a solid resource to get started with a partitioned system.)
Once you’ve got your Windows installation up and running, make sure you’vedownloaded and installed TrueCrypt on your machine. Then fire it up and use the System –> Create Hidden Operating System menu item.
This will pop up a wizard that will help create the new TrueCrypt volume to house the hidden operating system, which will live inside of a hidden volume on the secondary partition. Your best bet the first time around is to just choose Single-boot—leave the multi-boot for the advanced class.
The Volume Encryption options page is important for one primary reason, namely that you need to choose the same encryption method across the board while you’re running through this process. You’ll be prompted a number of times to choose the encryption, and you need to always choose the same one or else you can’t boot or access your data—also, the default setting of AES encryption is much, much faster than any other option.
You’ll be prompted to choose the outer volume password, which will house a set of decoy files to make people believe that your TrueCrypt volume on the second partition contains nothing more than a bunch of files you don’t want people to see—except the files you put on the outer volume aren’t actually meant to be a secret. Make sure you don’t lose this password.
Next you’ll be asked whether or not you want to store large files on the TrueCrypt outer volume. This choice is up to you, but there’s probably no reason to choose yes here.
Once the outer volume is created, you’ll be prompted to put some files there to make sure it looks like a real drive in case you’re asked to open your TrueCrypt volume.
Next you’ll be asked to create a password for the hidden volume, which will contain the hidden operating system. It’s crucially important that you choose a different password here, make sure it’s difficult, and make sure that you don’t forget it.
At this step you’ll be asked to reboot your PC and re-enter the password for the hidden operating system. Your new hidden OS will be copied from your primary operating system and encrypted into your newly created hidden volume. Readers should note that this process can take an extremely long time—you’ll want to let this run overnight.
Once the hidden operating system has been created, you’ll be able to boot directly into it by using the hidden password, and then you’ll be prompted to wipe the original system off the first partition. This process can also take a few hours, so go do something else while it’s running.
At this point you’ll have a hidden operating system, accessible by using the hidden password. The outer volume password won’t do anything, and hitting Esc at the TrueCrypt boot loader screen will take you to a page saying there’s no bootable operating system.
When you boot into your hidden operating system, you’ll notice that you still see two drives, and the C: drive appears to be the same as it was before, but it’s actually living in the encrypted volume, which is on the second drive that you aren’t able to access. Whatever you do, leave that second drive alone-don’t try to use partition tools to reformat or anything else.
Install the Decoy OS
Naturally, creating a hidden operating system isn’t very useful unless you also have a decoy OS to show off to somebody that might be looking at your PC—they will simply assume that you used TrueCrypt to encrypt your drive, not that you also have a hidden operating system.
Just drop the Windows installation disk into your drive, and install a fresh copy—but make absolutely certain that you install onto the first partition on the drive and not on top of your encrypted OS.
Once you’ve installed Windows again, the TrueCrypt boot loader will be wiped out, but don’t worry, you’ll just need to download and install TrueCrypt inside the decoy operating system, and then use System –> Encrypt System Partition/Drive to encrypt the decoy OS as well. During this process, you’ll be asked to pick t
he password for the decoy operating system, and you’ll want to make sure you save this one as well.
Make sure this time that you select the Normal option on the wizard, and when prompted, choose the same encryption version as you did before.
Choose to encrypt just the Windows system partition (see screenshot below), which in this case is the first partition on the drive that houses the decoy operating system. If you choose to encrypt the whole drive here, it’s going to break your hidden operating system.
Below is the one screen in the wizard that might throw you for a loop: You are required to create a rescue disk and burn it to CD or DVD using TrueCrypt’s wizard. While you should absolutely create the rescue disk, if you are having problems burning it off this particular PC and decided to burn the disc using another PC instead, you can simply save the ISO image to your hard drive and then use an ISO mounting software to mount the disk. Either way, you can proceed through the wizard once the rescue disk is in the drive.
Once the wizard is complete, you’ll need wait while the drive is encrypted, which will take a few more hours. Once it’s done, you’ll have a hidden operating system, and a decoy to throw people off your trail.
Using Your Decoy or Hidden Operating Systems
When you reboot your computer, you’ll see the TrueCrypt boot loader screen, where you can type in one of two passwords. If you use the Hidden password, you’ll be able to access your hidden Windows install, and if you use the Decoy password, naturally, you’ll be able to access the decoy operating system.
If you have booted into the decoy operating system, you can access the outer volume sitting on the secondary partition to “prove” to somebody that it’s nothing more than a TrueCrypt drive—just use the outer volume password when you mount the volume using TrueCrypt, which will do nothing more than show off the sample files you added in a previous step.
And after all that, you’ve got a completely encrypted, completely hidden operating system. It’s a complex, time-consuming process, to be sure, but if you regularly have sensitive data on your machine, you’re a card-holding member of the tin-foil hat club, or you just like your privacy, it does the job nicely.