1 00:00:00,120 --> 00:00:02,690 Welcome to part four of this module. 2 00:00:02,700 --> 00:00:08,520 This video is going to focus on how to create a hidden Windows operating system using VeraCrypt while 3 00:00:08,520 --> 00:00:12,060 also creating an encrypted Kali Linux installation. 4 00:00:12,060 --> 00:00:19,140 In other words, when we're done we're going to have an encrypted decoy installation of Windows and an encrypted 5 00:00:19,290 --> 00:00:20,980 hidden installation. 6 00:00:21,030 --> 00:00:26,520 And we're also going to have an encrypted Kali Linux installation. When we boot our system, 7 00:00:26,520 --> 00:00:33,300 the password that we enter is going to determine which encrypted operating system loads. Before we get 8 00:00:33,300 --> 00:00:33,960 started, 9 00:00:33,990 --> 00:00:38,210 I have to cover a lot of the same things that I covered in the last video. 10 00:00:38,220 --> 00:00:43,800 If you're only interested in having a hidden Windows system and you don't care about being able to dual 11 00:00:43,800 --> 00:00:48,540 boot to an encrypted Kali operating system, please see the prior video. 12 00:00:48,540 --> 00:00:55,080 Although much of this procedure is going to look almost identical to everything shown in the last presentation, 13 00:00:55,200 --> 00:00:59,940 certain key aspects of it are in fact very different. 14 00:00:59,940 --> 00:01:07,780 This is a very complicated setup to pull off. Everything shown here is done at your own risk. 15 00:01:07,800 --> 00:01:12,210 And I do strongly recommend that you try this out in VirtualBox first. 16 00:01:12,240 --> 00:01:17,160 The best time to do something like this is when you're first setting up your computer. 17 00:01:17,220 --> 00:01:23,850 If you're using a newer computer you may need to go into your system BIOS and make some changes. VeraCrypt 18 00:01:23,850 --> 00:01:26,580 supports UEFI boot loaders. 
19 00:01:26,610 --> 00:01:31,650 But if your BIOS has Secure Boot enabled you are going to need to disable that. 20 00:01:31,650 --> 00:01:37,950 Otherwise your system may not allow you to boot from USB or CD-ROM at all unless you're booting 21 00:01:37,950 --> 00:01:41,040 a Windows system. Because every BIOS is different, 22 00:01:41,040 --> 00:01:44,240 I can't show this procedure for how to do this. 23 00:01:44,250 --> 00:01:50,340 So please research your BIOS version a bit before proceeding. Normally 24 00:01:50,400 --> 00:01:57,360 it is as simple as toggling enabled to disabled, but be aware this may require you to reinstall your 25 00:01:57,360 --> 00:01:58,830 operating systems. 26 00:01:58,830 --> 00:02:05,100 You should be fully willing to reinstall your operating systems before you begin anyway, because if something 27 00:02:05,100 --> 00:02:11,850 does go wrong in this process it is quite often necessary that you reformat your hard drive and try 28 00:02:11,850 --> 00:02:12,480 again. 29 00:02:12,480 --> 00:02:18,270 So with that in mind, make absolutely sure that you've backed up all of your important data on external 30 00:02:18,270 --> 00:02:18,780 media. 31 00:02:18,780 --> 00:02:23,550 Another thing that may vary from system to system is the partition configuration. 32 00:02:23,580 --> 00:02:31,110 Some computer manufacturers like to create truly bizarre partition layouts with multiple reserved partitions 33 00:02:31,110 --> 00:02:34,170 in front of the operating system and so on and so forth. 34 00:02:34,170 --> 00:02:41,700 Generally speaking these are recovery partitions and the like, but they tend to gnaws up the entire process 35 00:02:41,730 --> 00:02:46,830 and may in fact compromise the security of your encrypted system. For these reasons, 36 00:02:46,830 --> 00:02:50,670 you may wish to reformat and start fresh anyway. 
37 00:02:50,670 --> 00:02:57,060 Finally, some BIOS versions will give you the option of using a legacy bootloader and switching from 38 00:02:57,060 --> 00:02:59,910 GPT to MBR partitioning. 39 00:02:59,910 --> 00:03:06,860 Doing so will absolutely require a reinstallation of any operating systems you have installed. 40 00:03:06,960 --> 00:03:12,360 If you run into problems, though, this may be your only option. To make a long story short, 41 00:03:12,420 --> 00:03:17,890 don't attempt this unless you are 100 percent comfortable with reformatting your hard drive. 42 00:03:17,940 --> 00:03:25,230 You absolutely must have all of the installation media created and on hand before we begin. A Windows 43 00:03:25,230 --> 00:03:27,490 rescue disk is not adequate. 44 00:03:27,510 --> 00:03:34,290 You will need an ISO image burned to either a CD or USB for the Windows version that you wish to 45 00:03:34,290 --> 00:03:35,210 install. 46 00:03:35,280 --> 00:03:39,170 These can usually be obtained legally from the Microsoft Web site. 47 00:03:39,180 --> 00:03:46,200 You will need your Windows product key, so be certain to obtain that key and verify it before you begin. 48 00:03:46,200 --> 00:03:51,850 It is also recommended that you have a boot repair disk or USB of some kind 49 00:03:51,870 --> 00:04:00,180 on hand in case your bootloader gets goofed up. If you need any help reformatting a computer, please see the 50 00:04:00,180 --> 00:04:03,150 next video on Darik's Boot and Nuke. 51 00:04:03,210 --> 00:04:10,200 The demonstration shown here will work with all versions of Windows going as far back as Windows XP. 52 00:04:10,200 --> 00:04:14,430 The procedure is identical if you prefer TrueCrypt over VeraCrypt. 53 00:04:14,430 --> 00:04:15,720 However, be aware: 54 00:04:15,720 --> 00:04:22,770 TrueCrypt has no UEFI support, so you will need to change the bootloader to legacy and recreate your 55 00:04:22,770 --> 00:04:26,370 partitions as MBR if you wish to use TrueCrypt. 
56 00:04:26,370 --> 00:04:33,990 Last but not least, you absolutely must activate your Windows operating system before you encrypt it. 57 00:04:33,990 --> 00:04:39,850 This is covered in the VeraCrypt documentation. Creating a hidden operating system prior to authentication 58 00:04:39,850 --> 00:04:43,910 can compromise your security in several key ways. 59 00:04:43,920 --> 00:04:49,300 It is also recommended that you fully update before encrypting. To start us off, 60 00:04:49,320 --> 00:04:57,000 we're actually going to go to the disk management system, so we're going to press the Windows plus X 61 00:04:57,000 --> 00:05:00,240 key and we're going to select Disk Management. 62 00:05:00,660 --> 00:05:06,090 If you watched the prior video, this is the point where you'll start to notice procedural differences. 63 00:05:06,090 --> 00:05:12,510 The first thing we're going to do is we're going to create a large volume of space behind the primary 64 00:05:12,510 --> 00:05:15,030 part system partition. To do this, 65 00:05:15,030 --> 00:05:17,410 we need to shrink our system volume. 66 00:05:17,460 --> 00:05:21,480 We're going to create three partitions behind the primary. 67 00:05:21,540 --> 00:05:26,160 The first one is going to contain our hidden Windows operating system. 68 00:05:26,160 --> 00:05:35,340 This partition must be at least twice the size plus 5 percent of your primary partition, which will contain 69 00:05:35,340 --> 00:05:37,290 your decoy operating system. 70 00:05:37,320 --> 00:05:43,800 In other words, if your decoy system partition is 50 gigabytes in size, your hidden partition must be 71 00:05:43,800 --> 00:05:46,650 at least one hundred and five gigabytes in size. 72 00:05:46,650 --> 00:05:52,320 What makes this a little more complicated is that we're going to create two more partitions behind the 73 00:05:52,320 --> 00:05:53,500 hidden partition. 
74 00:05:53,520 --> 00:05:59,410 One will be a bootable partition that is going to contain our Linux GRUB bootloader. 75 00:05:59,490 --> 00:06:06,840 The next will be the actual operating system for our encrypted Kali Linux partition. 76 00:06:06,840 --> 00:06:13,020 There are other partition schemes that can work here, and once you're practiced at doing this you can 77 00:06:13,020 --> 00:06:14,100 experiment. 78 00:06:14,100 --> 00:06:21,510 If you prefer to separate your Linux installations across partitions, that is possible. You wouldn't 79 00:06:21,600 --> 00:06:28,950 do so in this window, however; you would do so during the installation of Kali by splitting up the system 80 00:06:28,950 --> 00:06:31,050 partition that we're creating now. 81 00:06:31,140 --> 00:06:34,760 However, doing that is a little outside of the scope of this tutorial. 82 00:06:34,770 --> 00:06:38,490 We're going to keep things simple for demonstration purposes. 83 00:06:38,490 --> 00:06:44,460 So the first thing we're gonna do is we're going to right click on the C partition, which is the 84 00:06:44,460 --> 00:06:52,200 system partition, and select Shrink Volume, and we're gonna go ahead and shrink it by about 81 gigabytes. 85 00:06:52,260 --> 00:06:57,300 In this example that will leave about 20 for the decoy operating system. 86 00:06:57,330 --> 00:07:03,120 So now we're going to right click on the unallocated space and we're going to select New Simple Volume. 87 00:07:03,660 --> 00:07:05,880 Of the amount of space available, 88 00:07:05,970 --> 00:07:13,650 we're going to go ahead and assign it 41000 megabytes or 41 gigabytes. 89 00:07:13,650 --> 00:07:18,160 This will make it a little more than double the size of the first partition. 90 00:07:18,180 --> 00:07:20,300 And remember, this is a requirement. 91 00:07:20,310 --> 00:07:27,000 It will also leave us around 40 gigs or so to play with for our Linux installation. 
92 00:07:27,000 --> 00:07:32,690 We'll use all of the default options here and we'll do NTFS format. 93 00:07:32,760 --> 00:07:40,000 It's up to you if you wish to assign a drive letter. 94 00:07:40,120 --> 00:07:41,950 Now we'll do the same thing again. 95 00:07:42,190 --> 00:07:46,120 We'll click on unallocated space and select New Simple Volume 96 00:07:49,340 --> 00:07:56,250 and we'll assign thirty-nine thousand megabytes or thirty-nine gigabytes. 97 00:07:56,290 --> 00:07:59,170 Again, the size will vary for you. 98 00:07:59,170 --> 00:08:07,250 And don't worry about format. This will leave a little over a gigabyte of free space that we're going 99 00:08:07,250 --> 00:08:08,930 to make another partition out of. 100 00:08:08,960 --> 00:08:13,820 This is going to be our boot partition that we're going to install the GRUB bootloader to. 101 00:08:14,000 --> 00:08:15,840 This is a little unusual. 102 00:08:15,860 --> 00:08:23,270 One thing that I want to point out is that this boot partition, or any boot partitions that you create 103 00:08:23,330 --> 00:08:29,150 if you create more than one, always need to be at the end of the partition scheme. 104 00:08:29,150 --> 00:08:34,160 There's a reason for this and I'll try to illustrate it as it becomes relevant during the installation 105 00:08:34,160 --> 00:08:34,760 of Kali. 106 00:08:34,760 --> 00:08:41,480 But for right now just make sure that your boot partition is at the end of the scheme, and how big of 107 00:08:41,480 --> 00:08:44,480 a partition you want this to be is up to you. 108 00:08:44,540 --> 00:08:47,390 I recommend about a gigabyte. 109 00:08:47,390 --> 00:08:55,040 The reason is that while GRUB certainly doesn't take up that much space, it will allow you more flexibility 110 00:08:55,040 --> 00:08:59,660 for updating your bootloader later on if you so desire. 111 00:08:59,660 --> 00:09:02,920 So once again we're just going to go with the default options here. 
112 00:09:02,960 --> 00:09:10,130 These don't matter because we will be given the opportunity to properly format these partitions during 113 00:09:10,130 --> 00:09:11,600 the Kali installation. 114 00:09:11,630 --> 00:09:17,810 So now we're basically done, but one last thing I want to point out: if you have enough disk space and 115 00:09:17,810 --> 00:09:24,040 you're so inclined, it is possible to have still more encrypted operating systems. 116 00:09:24,050 --> 00:09:32,450 However, you may run into some difficulties with the swap partition between different versions of Linux, 117 00:09:32,510 --> 00:09:34,310 so just be aware of this. 118 00:09:34,310 --> 00:09:42,350 Also be aware that if you were to install multiple versions of Linux behind the encrypted Windows operating 119 00:09:42,350 --> 00:09:47,240 systems, you would need a designated boot partition for each one. 120 00:09:47,240 --> 00:09:53,390 This is because every time we install GRUB it's only going to recognize the encrypted operating system 121 00:09:53,390 --> 00:09:59,210 that we are installing it for, not any other encrypted operating systems that we have present. 122 00:09:59,210 --> 00:10:07,400 So for example, if you wanted to have Kali and, let's say, Ubuntu, you would then have a system partition, 123 00:10:07,700 --> 00:10:16,310 another system partition, a boot partition for Kali and a boot partition for Ubuntu. Again, outside of the 124 00:10:16,310 --> 00:10:17,440 scope of this tutorial. 125 00:10:17,450 --> 00:10:21,610 But I wanted to mention that it is possible. So we're now done with the disk manager. 126 00:10:21,620 --> 00:10:23,290 We're gonna go ahead and close it out. 127 00:10:23,480 --> 00:10:28,040 Now things are gonna get a little tricky, so we're going to open up VeraCrypt. 128 00:10:28,040 --> 00:10:34,500 I've already done so. It is vitally important that we follow these next steps in the correct order. 
129 00:10:34,520 --> 00:10:38,350 Otherwise this will all turn into a huge mess. 130 00:10:38,360 --> 00:10:44,760 The first thing we're going to do is create the hidden Windows operating system using VeraCrypt. 131 00:10:44,810 --> 00:10:48,980 Again, this can be any version of Windows from XP to 10. 132 00:10:48,980 --> 00:10:54,510 Just remember your decoy system must be the exact same type of Windows. 133 00:10:54,580 --> 00:11:00,890 If you're using Windows 10 Professional for your hidden system then your decoy must be Windows 10 Professional. 134 00:11:00,890 --> 00:11:07,430 So how this works is pretty simple. VeraCrypt is going to encrypt the large partition we created 135 00:11:07,430 --> 00:11:14,990 behind our system partition. It will then copy our current version of Windows on to that encrypted partition. 136 00:11:15,110 --> 00:11:21,580 That is going to be our hidden operating system. Then it is going to wipe out the current partition, and 137 00:11:21,590 --> 00:11:26,750 if you watched the last video then you would know that the next step would be to install Windows on the 138 00:11:26,750 --> 00:11:29,090 first partition again and encrypt it. 139 00:11:29,090 --> 00:11:31,730 But that isn't quite what we're going to do here. 140 00:11:31,730 --> 00:11:36,110 Instead we're going to go ahead and we're going to create the hidden operating system. 141 00:11:36,110 --> 00:11:43,670 We will fully delete and securely wipe the first partition, but before we go ahead and install our Windows 142 00:11:43,670 --> 00:11:49,970 decoy operating system we're going to install the encrypted Kali Linux installation complete with its 143 00:11:49,970 --> 00:11:57,590 own bootable partition. Only after that is done will we install the decoy system and encrypt it. Confused? 144 00:11:57,590 --> 00:12:01,590 Hopefully it will all make sense by the end of the presentation. To start with, 
145 00:12:01,610 --> 00:12:07,370 we need to click on System and select encrypt partition drive. 146 00:12:07,370 --> 00:12:12,680 This time we're going to click the second radial button to specify that we want to create a hidden operating 147 00:12:12,680 --> 00:12:14,540 system and click Next. 148 00:12:14,540 --> 00:12:16,670 Read through this warning carefully. 149 00:12:16,670 --> 00:12:19,610 It's just telling you what I've already said. 150 00:12:19,610 --> 00:12:25,610 You must be ready to install a fresh copy of Windows to the decoy operating system 151 00:12:25,610 --> 00:12:31,880 once the hidden system is created. Make sure you have all of the disks on hand and make sure that you 152 00:12:31,880 --> 00:12:38,590 have your Windows product key, the correct product key, and all of your important files fully backed up 153 00:12:38,600 --> 00:12:40,370 before proceeding. When you're ready, click 154 00:12:40,370 --> 00:12:46,550 Yes. Please read through this carefully and keep in mind you may encounter certain issues while using 155 00:12:46,550 --> 00:12:54,280 USB devices, such as unencrypted thumb drives being read only when you're using the hidden operating system. 156 00:12:54,290 --> 00:12:57,230 This is by design, and yes, 157 00:12:57,410 --> 00:13:03,740 this can make things rather a pain, but it is a necessary security precaution. When you're ready, click 158 00:13:03,740 --> 00:13:04,820 OK. 159 00:13:04,970 --> 00:13:06,830 And yes, we want to grant authority. 160 00:13:06,920 --> 00:13:10,120 Now you may or may not receive this message, 161 00:13:10,130 --> 00:13:15,320 depending on how your Windows is configured. If you don't, skip this next step. 162 00:13:15,380 --> 00:13:21,170 If you do, what this is telling you is that there are paging files on non-system partitions. 163 00:13:21,170 --> 00:13:25,370 This can adversely affect plausible deniability of the hidden operating system. 
164 00:13:25,370 --> 00:13:31,790 It is therefore very strongly recommended that you click Yes here, which will configure Windows to create 165 00:13:31,790 --> 00:13:35,780 paging files only on the Windows partition from now on. 166 00:13:35,780 --> 00:13:38,870 But doing this will require a system reboot. 167 00:13:39,020 --> 00:13:46,100 So I'm going to click Yes. Once your reboot is complete you won't receive any special prompts, so go ahead 168 00:13:46,100 --> 00:13:53,980 and relaunch VeraCrypt, and once again we're gonna click System, Encrypt System Partition/Drive, Hidden, 169 00:13:54,280 --> 00:14:01,450 click Yes, click OK, Yes to authorize. Now once again, if you watched the prior videos you already know 170 00:14:01,450 --> 00:14:02,850 what I think of this screen. 171 00:14:03,100 --> 00:14:07,420 I call it the screen of doom because it exists only to confuse you. 172 00:14:07,570 --> 00:14:14,680 We are setting up multiple bootable operating systems, so it would be quite reasonable for you to think 173 00:14:14,680 --> 00:14:18,970 that you're supposed to click on multi-boot, and you're really not. 174 00:14:18,970 --> 00:14:26,050 This screen is a holdover from TrueCrypt and it really should be rewritten to be less blatantly deceptive. 175 00:14:26,050 --> 00:14:32,210 We're going to click the single boot radial button, and yes, I know it seems counterintuitive, and we're 176 00:14:32,200 --> 00:14:38,740 going to click Next. This next pop up is basically telling you about two important salient points. 177 00:14:38,740 --> 00:14:45,100 First, your hidden operating system won't be allowed to hibernate, but your decoy system can hibernate 178 00:14:45,100 --> 00:14:46,090 normally. 179 00:14:46,420 --> 00:14:48,190 You can select No 180 00:14:48,310 --> 00:14:54,440 at this point. However, removing the extra boot partition is outside of the scope of this tutorial. 
181 00:14:54,760 --> 00:15:00,910 So we're going to click Yes. The next pop up is reminding us that for security reasons we must make sure 182 00:15:00,940 --> 00:15:06,160 the current operating system is activated and authenticated before proceeding. 183 00:15:06,160 --> 00:15:09,170 This is your last chance to do so before we begin. 184 00:15:09,160 --> 00:15:16,780 So if you haven't, exit VeraCrypt and do so now. If you have, click Yes. With all the preamble out of the 185 00:15:16,780 --> 00:15:20,620 way it's now time to create our outer volume. 186 00:15:20,620 --> 00:15:26,740 This should seem familiar if you've been following along, but if it's new that's OK. This so-called outer 187 00:15:26,740 --> 00:15:30,010 volume is going to be our decoy partition. 188 00:15:30,010 --> 00:15:37,960 In other words, when we are using our decoy operating system the hidden system will appear to be a regular 189 00:15:37,960 --> 00:15:42,410 encrypted partition. To make the deception convincing, 190 00:15:42,460 --> 00:15:50,060 we need to create this outer volume and we'll place some sensitive-looking files into it in case we're 191 00:15:50,060 --> 00:15:55,340 ever called upon to mount the partition while we're using the decoy operating system. 192 00:15:55,360 --> 00:16:02,410 So we're presented with our encryption options, and these will be the encryption and hash algorithms 193 00:16:02,410 --> 00:16:09,370 that VeraCrypt will be using. As before, we have the option of using a single algorithm or a cascade 194 00:16:09,370 --> 00:16:10,360 of algorithms. 195 00:16:10,360 --> 00:16:11,840 The choice is yours. 196 00:16:11,980 --> 00:16:16,310 However, I strongly recommend that you select a single algorithm. 197 00:16:16,330 --> 00:16:22,290 The reason is that using multiple algorithms is going to slow your system performance down considerably. 
198 00:16:22,300 --> 00:16:28,720 If system performance is not a concern and you want maximum security, by all means do as you like, but 199 00:16:28,720 --> 00:16:31,900 realize that all of these are solid choices. 200 00:16:31,900 --> 00:16:38,260 The United States military itself uses Advanced Encryption Standard to encrypt top secret data and that's 201 00:16:38,260 --> 00:16:40,780 really going to be good enough for this demonstration. 202 00:16:40,780 --> 00:16:48,820 Also keep in mind you aren't ever likely to use the outer partition for anything, and in fact you really 203 00:16:48,820 --> 00:16:49,420 shouldn't, 204 00:16:49,450 --> 00:16:52,870 as you run the risk of corrupting your hidden operating system. 205 00:16:52,870 --> 00:16:56,430 As for the hash algorithm, there really isn't a wrong choice here. 206 00:16:56,440 --> 00:16:59,490 You can read up on the different algorithms if you desire. 207 00:16:59,570 --> 00:17:03,450 They are all completely rock solid. For this demonstration 208 00:17:03,460 --> 00:17:05,950 I'll be using SHA-256. 209 00:17:05,980 --> 00:17:11,030 Notice that on this next screen the option to change volume size is grayed out. 210 00:17:11,080 --> 00:17:12,630 Just click Next. 211 00:17:12,700 --> 00:17:16,190 Now we need to set the outer volume password. 212 00:17:16,210 --> 00:17:19,230 This is actually a little bit more tricky than it seems. 213 00:17:19,240 --> 00:17:25,450 You probably won't ever have a reason to use this password, since in the normal scheme of things you're 214 00:17:25,450 --> 00:17:32,680 not likely to ever access the decoy partition, but you need to remember this password so that you can 215 00:17:32,740 --> 00:17:36,480 access the partition if you're ever called upon to do so. 216 00:17:36,700 --> 00:17:43,280 Yet if you make the password simple enough to be easily brute forced it won't be convincing. 
217 00:17:43,390 --> 00:17:50,020 After all, if you use a password less than 20 characters long, why did you even bother to encrypt at all? 218 00:17:50,050 --> 00:17:53,270 Really can't give you any special advice here. 219 00:17:53,320 --> 00:17:55,670 You just have to use your best judgment. 220 00:17:55,750 --> 00:18:02,050 Pick a password that can't be brute forced easily and that you'll remember despite the fact that you'll probably 221 00:18:02,050 --> 00:18:04,090 never have any occasion to use it. 222 00:18:04,330 --> 00:18:10,930 I explained the key files and PIM in the last few videos so I'm not going to go into great length about 223 00:18:10,930 --> 00:18:18,010 them here, except to say that key files add an extra layer of security by requiring certain files to 224 00:18:18,010 --> 00:18:20,170 be present when the password is entered. 225 00:18:20,170 --> 00:18:26,770 If these files are lost or become corrupted by even a few kilobytes they will no longer function. 226 00:18:26,770 --> 00:18:29,740 So do this at your own risk. 227 00:18:29,740 --> 00:18:35,830 Also keep in mind that if you're ever ordered by a legal authority to grant access to this volume and you 228 00:18:35,830 --> 00:18:41,680 find that you can't because the key files have become lost or corrupted, you may be in seriously hot 229 00:18:41,680 --> 00:18:43,390 water, legally speaking, 230 00:18:43,390 --> 00:18:49,990 even if there's nothing important stored in the decoy drive. For this reason I recommend against using 231 00:18:49,990 --> 00:19:00,200 key files, and I further recommend that you avoid using the PIM option. The choice is yours. 
232 00:19:00,270 --> 00:19:07,590 Now this looks really simple, and it is, but it's also a little complicated. VeraCrypt is asking you if 233 00:19:07,590 --> 00:19:14,490 you want to store files larger than 4 gigabytes on your decoy partition, or your outer partition, that 234 00:19:14,490 --> 00:19:20,850 is to say. In the prior video covering how to encrypt a USB device 235 00:19:20,880 --> 00:19:27,870 I rather mischaracterized the selection of NTFS for the outer volume by saying that it cuts available 236 00:19:27,870 --> 00:19:29,190 space in half. 237 00:19:29,280 --> 00:19:34,180 It does, but only relative to how much data you have on the drive. 238 00:19:34,200 --> 00:19:41,010 In other words, what I should have said is if you save a 4 gigabyte file and you format the outer volume 239 00:19:41,010 --> 00:19:48,540 using NTFS, around 8 gigabytes worth of space is going to end up being used up, or double the total 240 00:19:48,540 --> 00:19:53,010 amount of space used in the container when it was created. 241 00:19:53,010 --> 00:20:00,230 This is because NTFS likes to store stuff, stored data, in the middle of the file system. 242 00:20:00,240 --> 00:20:06,710 This may be a bit confusing, so to cut right to the point, you really want to click No here. 243 00:20:06,750 --> 00:20:15,130 If you decide to click Yes and go with NTFS you'll be wasting a little bit of space. And this is a random 244 00:20:15,130 --> 00:20:15,920 pool. 245 00:20:16,180 --> 00:20:21,790 As we move the mouse around within the VeraCrypt or TrueCrypt window the complexity of the pool will 246 00:20:21,790 --> 00:20:23,040 grow. 247 00:20:23,050 --> 00:20:29,830 This is one of the safety precautions that these pieces of software use so that you're not 100 percent 248 00:20:29,830 --> 00:20:33,890 dependent upon Windows cryptographic functions. 
249 00:20:34,030 --> 00:20:41,470 These functions can fail and then you can be potentially compromised, either by nation state actors or 250 00:20:41,500 --> 00:20:46,100 corporations, to produce a weak or predictable random pool. 251 00:20:46,120 --> 00:20:52,810 This would make it trivially easy to obtain the master key and access the volume. For that reason 252 00:20:52,810 --> 00:20:58,330 it is recommended that you wave your mouse cursor around in this window like a crazy person for as 253 00:20:58,330 --> 00:21:04,480 long as you can stand it in order to increase the cryptographic strength and the randomness of your 254 00:21:04,480 --> 00:21:07,150 encrypted container, volume or partition. 255 00:21:07,150 --> 00:21:09,000 Do this for as long as you can stand it. 256 00:21:09,010 --> 00:21:14,290 The little bar at the bottom of the screen here is really just a suggestion, and if you click display 257 00:21:14,290 --> 00:21:19,790 pool then the obscuring symbols will be changed to hexadecimal. 258 00:21:19,810 --> 00:21:24,240 It will also display your master and header keys when you're done. 259 00:21:24,340 --> 00:21:25,600 When you're ready, click Format. 260 00:21:27,200 --> 00:21:31,970 Also notice that for file system it will default to FAT in most cases. 261 00:21:31,970 --> 00:21:39,350 FAT is probably your best choice for an outer volume unless you're dealing with a drive of two terabytes 262 00:21:39,350 --> 00:21:44,420 or more, in which case you would need to choose exFAT, or ex-FAT. 263 00:21:47,420 --> 00:21:50,130 Now that the outer volume has been created, 264 00:21:50,210 --> 00:21:55,930 we have one chance and one chance only to add files to it. 265 00:21:56,090 --> 00:22:01,920 So to do this, the outer volume is currently mounted at this point in the process. 
266 00:22:02,240 --> 00:22:08,240 So we're gonna click the Open Outer Volume button and it's going to open the outer volume as a partition, 267 00:22:09,200 --> 00:22:16,880 and we're going to go ahead and we're gonna drag our fake secret files onto this drive. 268 00:22:16,880 --> 00:22:22,820 Now remember that these are going to be files that look like something you would want to encrypt and 269 00:22:22,820 --> 00:22:24,590 keep secret, 270 00:22:24,590 --> 00:22:31,080 but you don't actually mind if you end up having to give up your password and they do get discovered. 271 00:22:31,100 --> 00:22:34,510 So what these files are is entirely up to you. 272 00:22:34,520 --> 00:22:40,110 I went ahead and created a single file folder just to have something there to look at when we 273 00:22:40,250 --> 00:22:45,620 come and open up this drive later. You would want to make this look convincing. 274 00:22:45,620 --> 00:22:48,090 How you do that is up to you. 275 00:22:48,170 --> 00:22:56,210 You might add picture files or old records or journal entries or whatever you like. 276 00:22:56,210 --> 00:23:00,800 Remember, though, this is your one and only chance to add files to this drive. 277 00:23:00,830 --> 00:23:09,290 You really don't want to add anything to the drive later on after this process is finished, because this 278 00:23:09,290 --> 00:23:15,170 outer volume and your hidden operating system are really occupying the same partition and there is a 279 00:23:15,170 --> 00:23:22,040 chance whenever you modify files on the outer partition without protecting it first that you can corrupt 280 00:23:22,040 --> 00:23:23,930 your hidden operating system. 281 00:23:24,080 --> 00:23:31,400 So it's strongly recommended that once you're done with this you never touch this drive again. So after 282 00:23:31,400 --> 00:23:39,420 you've added whatever files you wish to add, close out of this and we click Next. 
283 00:23:39,500 --> 00:23:42,020 It's now time to create the hidden volume. 284 00:23:42,020 --> 00:23:44,870 This is going to contain our hidden operating system. 285 00:23:44,990 --> 00:23:46,100 Click Next. 286 00:23:46,180 --> 00:23:50,140 Now please pay careful attention to this warning. It's very important. 287 00:23:50,150 --> 00:23:58,100 It's absolutely essential that you choose the same encryption algorithm and hash for both the hidden 288 00:23:58,190 --> 00:24:04,130 volume and the outer volume, or decoy volume as it were. 289 00:24:04,130 --> 00:24:11,840 In other words, if you pick AES for your hidden operating system and SHA-256, then when you install your 290 00:24:11,840 --> 00:24:21,560 decoy operating system and encrypt it you need to select AES and SHA-256. Your choices must match. If they 291 00:24:21,560 --> 00:24:25,800 don't match you won't be able to boot into the hidden operating system. 292 00:24:26,090 --> 00:24:32,960 So write down on a piece of paper whatever it is you choose from these options. 293 00:24:32,960 --> 00:24:40,330 Once again I'm going to go with AES and SHA-256. When you've made your selection, click Next. 294 00:24:40,400 --> 00:24:45,200 Remember that the password you select for the hidden volume is the one that you're going to be keeping 295 00:24:45,200 --> 00:24:46,240 secret, 296 00:24:46,460 --> 00:24:52,940 and it's probably one that you want to be as strong as possible, a minimum of 20 characters. The password 297 00:24:52,940 --> 00:24:58,970 that you choose for the hidden volume needs to be, as this message says, substantially different from 298 00:24:59,000 --> 00:25:00,980 your other two passwords, 299 00:25:00,980 --> 00:25:04,460 that is, the outer and decoy volumes. 300 00:25:04,460 --> 00:25:08,840 Once again you have the option of using key files or setting a PIM. 301 00:25:08,840 --> 00:25:10,520 I'm not going to do so. 
302 00:25:10,550 --> 00:25:15,350 This has been covered but you have the option. When you're ready click Next. 303 00:25:18,090 --> 00:25:24,300 Once again we're going to wave our mouse cursor around to gather entropy and increase the cryptographic 304 00:25:24,300 --> 00:25:25,230 strength. 305 00:25:25,290 --> 00:25:29,490 Notice that you don't have an option to set a file system currently. 306 00:25:29,640 --> 00:25:31,200 When you're ready click format 307 00:25:35,100 --> 00:25:36,990 and we're done with this step. 308 00:25:36,990 --> 00:25:40,650 Just like the creation of a hidden volume on USB, 309 00:25:40,860 --> 00:25:44,440 the creation of a hidden volume happens almost instantly. 310 00:25:44,550 --> 00:25:49,150 Now as I said before and I'll say it again, 311 00:25:49,290 --> 00:25:50,940 get ready for the pain. 312 00:25:51,060 --> 00:25:56,290 You thought creating the outer volume took a long time but that was just the tip of the iceberg. 313 00:25:56,340 --> 00:26:01,800 As soon as we click the start button VeraCrypt will begin copying the current version of Windows 314 00:26:02,070 --> 00:26:07,120 that we are running right now into the hidden volume that we just created. 315 00:26:07,140 --> 00:26:13,680 It's then going to wipe the original completely out of existence in a secure manner that we will be 316 00:26:13,680 --> 00:26:15,510 prompted to specify. 317 00:26:15,510 --> 00:26:21,380 So we're gonna click start and we will be required to restart the computer. 318 00:26:21,390 --> 00:26:25,470 This is all going to happen in the bootloader so click 319 00:26:25,470 --> 00:26:27,650 Yes. 320 00:26:27,800 --> 00:26:29,960 Welcome to the VeraCrypt bootloader. 321 00:26:29,960 --> 00:26:33,800 The screen may look slightly different in UEFI. 322 00:26:33,800 --> 00:26:42,060 It is possible to abort at this stage by pressing the escape key which will allow you to boot into Windows.
323 00:26:42,080 --> 00:26:44,510 We haven't as of yet done anything. 324 00:26:44,510 --> 00:26:49,850 As soon as we put in the password to our hidden operating system however everything is going to be set 325 00:26:49,850 --> 00:26:51,050 in motion. 326 00:26:52,970 --> 00:26:56,410 If you selected a value for PIM you would enter it now. 327 00:26:56,570 --> 00:27:01,230 Otherwise just press enter. The password will now verify. 328 00:27:01,280 --> 00:27:07,100 I have noticed that this verification process takes substantially longer with VeraCrypt than it 329 00:27:07,100 --> 00:27:08,750 does with TrueCrypt. 330 00:27:08,750 --> 00:27:15,590 Presumably this is a result of updated security although the TrueCrypt audit, which I do strongly encourage 331 00:27:15,590 --> 00:27:18,530 you to read online if you're interested, 332 00:27:18,530 --> 00:27:21,870 found no flaws with bootloader implementation. 333 00:27:21,950 --> 00:27:25,450 In any case you are in for a bit of a wait here. 334 00:27:25,460 --> 00:27:32,760 But once the password does verify the process of copying the hidden system will begin. 335 00:27:32,760 --> 00:27:33,810 There we go. 336 00:27:33,810 --> 00:27:40,620 The version of Windows we were just using on the C partition is now being copied into the hidden container 337 00:27:41,160 --> 00:27:45,200 or volume that we created on the D partition. 338 00:27:45,210 --> 00:27:47,650 That is to say on the first partition. 339 00:27:47,700 --> 00:27:50,730 Windows is being copied onto the second partition. 340 00:27:50,730 --> 00:27:57,660 Once this is done we'll boot into the hidden operating system on the second partition and be prompted 341 00:27:57,660 --> 00:28:04,050 to securely delete and wipe all data located on that first partition or C partition. 342 00:28:04,050 --> 00:28:11,360 Once that is done we're going to begin the process of installing Kali Linux as an encrypted system.
343 00:28:11,400 --> 00:28:20,430 Once Kali is installed then we can go ahead and install our decoy Windows operating system on the first 344 00:28:20,430 --> 00:28:21,330 partition. 345 00:28:21,330 --> 00:28:28,020 Once all of our systems are encrypted the VeraCrypt bootloader will direct you to the correct system 346 00:28:28,050 --> 00:28:30,330 based on the password you enter. 347 00:28:30,330 --> 00:28:37,020 In other words if you wish to boot into the decoy operating system you would supply your decoy password. 348 00:28:37,200 --> 00:28:43,620 If you want to boot into the hidden operating system which is being created for us right now you'd supply your 349 00:28:43,620 --> 00:28:49,350 hidden password. If you wanted to boot into Kali Linux you would press the escape key, 350 00:28:49,530 --> 00:28:56,850 select the second bootable partition which we're going to set up and that would then take you to the password 351 00:28:56,850 --> 00:29:00,750 screen where you would enter your encryption password for Kali. 352 00:29:00,750 --> 00:29:05,910 It is strongly recommended that you read through all of the VeraCrypt documentation on hidden operating 353 00:29:05,910 --> 00:29:09,300 systems so that you can maintain plausible deniability. 354 00:29:09,300 --> 00:29:15,900 It is also recommended that your decoy operating system be used from time to time so that it shows signs 355 00:29:15,900 --> 00:29:21,720 of being lived in. A decoy system that is never used makes a very poor decoy. 356 00:29:21,720 --> 00:29:27,780 I would also like to note in case you are a little worried at this point that the decoy system works 357 00:29:27,780 --> 00:29:34,720 exactly like a normal Windows installation since these are actually two totally separate partitions.
358 00:29:34,800 --> 00:29:41,400 You can save files on the decoy operating system without any fear of corrupting the hidden system as 359 00:29:41,400 --> 00:29:47,370 would be the case if you saved files to the outer volume without first placing it into protected mode. 360 00:29:47,370 --> 00:29:50,730 This will be demonstrated a little later in the video. For right now 361 00:29:50,730 --> 00:29:54,860 I'm going to make a cut to the recording so that we can skip to the end of this process. 362 00:29:54,870 --> 00:29:56,680 Copying is now complete. 363 00:29:56,790 --> 00:30:06,530 Enter the password to boot into your hidden operating system. Remember to just press enter for PIM unless 364 00:30:06,530 --> 00:30:15,190 you set a value in which case you would enter that value. Excellent, our hidden system is now up and running. 365 00:30:15,270 --> 00:30:17,190 Read through this if you want. 366 00:30:17,190 --> 00:30:23,310 It's just telling you that even though we appear to be on C drive we are in fact on the D drive. 367 00:30:23,370 --> 00:30:29,640 Of course your partition designations may vary but the point is that the applications will not be able 368 00:30:29,640 --> 00:30:35,130 to tell the difference between hidden and decoy systems because both systems will appear to be the 369 00:30:35,130 --> 00:30:43,530 primary system partition or in this case C. If we were to click the defer button we could postpone the 370 00:30:43,530 --> 00:30:46,290 next step until our next reboot. 371 00:30:46,290 --> 00:30:49,650 If you're ready to proceed click next. 372 00:30:49,650 --> 00:30:51,570 Now it's time to wait again. 373 00:30:51,630 --> 00:30:54,900 The original system needs to be securely deleted. 374 00:30:55,140 --> 00:31:00,430 As you know simply deleting something off a hard drive won't actually make the information go away. 375 00:31:00,450 --> 00:31:07,560 It can still be recovered by using certain tools and forensic techniques. To securely delete data
376 00:31:07,620 --> 00:31:13,510 We're going to need to overwrite that data that we wish to delete with random nonsense. 377 00:31:13,560 --> 00:31:19,410 The more we do this the harder it will be to recover the original operating system or to even know that 378 00:31:19,410 --> 00:31:20,600 one existed. 379 00:31:20,670 --> 00:31:21,720 Click next. 380 00:31:21,840 --> 00:31:27,840 As I explained in the prior video the number of passes indicates how securely your data is going to 381 00:31:27,840 --> 00:31:31,990 be wiped but also adds time to this already lengthy process. 382 00:31:32,010 --> 00:31:38,580 One pass will simply overwrite the operating system and that's that. Three passes is a better level of 383 00:31:38,580 --> 00:31:45,450 security and is used by the Department of Defense of the United States to wipe secret data. Seven passes 384 00:31:45,510 --> 00:31:51,120 is used by the DOJ to wipe data classified top secret and above. 35 passes, 385 00:31:51,150 --> 00:31:57,940 also known as the Gutmann wipe, is generally used only when you plan to discard a drive. 386 00:31:57,960 --> 00:32:01,740 It is extremely hard on even conventional hard drives. 387 00:32:01,770 --> 00:32:06,750 And remember also that solid state drives have a limited number of read/writes before they begin to 388 00:32:06,750 --> 00:32:07,820 fail. 389 00:32:07,830 --> 00:32:13,200 The choice is yours but three passes should be very sufficient for most users. 390 00:32:13,230 --> 00:32:19,830 If you have the time to devote and if you are paranoid, 7 passes should be enough to defeat even the 391 00:32:19,830 --> 00:32:21,570 most determined adversary. 392 00:32:21,570 --> 00:32:28,380 However if your life hangs in the balance and you absolutely positively must do so you can select the 393 00:32:28,380 --> 00:32:29,310 Gutmann wipe. 394 00:32:29,310 --> 00:32:33,760 I've never actually heard of anyone selecting 256 passes.
395 00:32:33,840 --> 00:32:39,800 I wasn't even aware that VeraCrypt added that option and frankly it's kind of beyond insane. 396 00:32:39,870 --> 00:32:45,840 If you ever have a hard drive that requires that level of time and effort to wipe you're probably just 397 00:32:45,840 --> 00:32:54,030 better off smashing it and burying the pieces. 256 passes will not be a good choice for hard drive longevity. 398 00:32:54,030 --> 00:32:58,950 I strongly recommend that you not choose it. When you've made your selection, 399 00:32:58,980 --> 00:33:01,650 I'm going to go with one wipe for this demonstration, 400 00:33:01,890 --> 00:33:06,310 click Next. When you're ready to begin click wipe. 401 00:33:06,320 --> 00:33:11,600 You will be prompted with a warning that the entire contents of the original operating system will be 402 00:33:11,600 --> 00:33:12,770 erased. 403 00:33:12,800 --> 00:33:22,090 Once again we're being asked to generate entropy in the form of mouse movements. 404 00:33:22,100 --> 00:33:28,610 This is of course the random pool. If we click display pool it will change these symbols to hexadecimal. 405 00:33:29,580 --> 00:33:36,000 This is because as I said Windows cryptographic functions can potentially fail or be compromised. 406 00:33:36,020 --> 00:33:43,670 So while doing this may seem a bit tiresome it does add extra layers of security that is not easily 407 00:33:43,670 --> 00:33:45,470 sabotaged. 408 00:33:45,470 --> 00:33:51,850 So when you're done click continue and click yes to authorize as always. 409 00:33:51,920 --> 00:33:56,690 Once the authorization is done VeraCrypt will proceed to wipe the original drive. 410 00:33:56,690 --> 00:34:03,470 Keep in mind as you watch this that the amount of space we're dealing with is really quite small and 411 00:34:03,470 --> 00:34:07,130 I'm only doing a single wipe. For a modern hard drive 412 00:34:07,130 --> 00:34:10,840 be prepared to devote hours to this stage of the process.
413 00:34:10,850 --> 00:34:11,430 All right. 414 00:34:11,480 --> 00:34:15,800 The contents of the original operating system have been securely erased. 415 00:34:15,890 --> 00:34:18,920 Our first partition is now totally blank. 416 00:34:18,920 --> 00:34:24,620 You should read through this information carefully and maybe even print it. The first thing it is telling 417 00:34:24,620 --> 00:34:30,640 you to do is power off your computer and leave it powered off for at least several minutes. 418 00:34:30,710 --> 00:34:34,420 Although ideally you should do this for up to an hour. 419 00:34:34,460 --> 00:34:39,990 This is because memory still remains active in the RAM chips until they have had time to cool. 420 00:34:40,010 --> 00:34:44,360 And this may include evidence of your hidden operating system. 421 00:34:44,360 --> 00:34:49,370 If we were doing this normally the next step would be to install our Windows operating system as the 422 00:34:49,370 --> 00:34:50,030 decoy. 423 00:34:50,060 --> 00:34:56,840 However since we want to install an encrypted version of Linux, in this case Kali, we need to do that 424 00:34:56,840 --> 00:34:57,870 first. 425 00:34:57,950 --> 00:35:04,250 Once our encrypted Kali is installed with the GRUB bootloader and our designated boot partition we 426 00:35:04,250 --> 00:35:11,000 can then go ahead and install Windows again on the first partition, encrypt it and everything should 427 00:35:11,000 --> 00:35:12,080 work smoothly. 428 00:35:12,080 --> 00:35:19,340 So we need to take our Kali installation media and use it to boot up our computer. 429 00:35:21,920 --> 00:35:26,740 So I'm going to go ahead and reboot with the Kali CD installed. 430 00:35:26,870 --> 00:35:31,530 Once you reach the screen you're going to select graphical installation. 431 00:35:31,550 --> 00:35:36,530 Most of these initial options are pretty straightforward so I'm just going to go through this quickly. 432 00:35:36,650 --> 00:35:38,100 Select your language.
433 00:35:38,180 --> 00:35:39,110 Continue. 434 00:35:39,140 --> 00:35:44,340 Select your country, click continue and select your keyboard layout. 435 00:35:44,490 --> 00:35:49,860 It's not necessary to configure the network at this time so we'll click continue. 436 00:35:49,860 --> 00:35:53,240 Now we have the opportunity to name our system. 437 00:35:53,280 --> 00:35:55,560 You can provide any hostname you like. 438 00:35:55,560 --> 00:35:57,440 I'm just going to go with kali. 439 00:35:57,480 --> 00:35:59,190 When you've done this click continue. 440 00:35:59,370 --> 00:36:01,610 And now we need to set our root password. 441 00:36:01,620 --> 00:36:07,010 Remember that the default is toor, t-o-o-r. 442 00:36:07,080 --> 00:36:11,310 I'm going to set it as toor but you may set it as whatever you wish. 443 00:36:11,310 --> 00:36:18,420 This is not our encryption password but rather the password to log into Kali once we've decrypted it. 444 00:36:18,480 --> 00:36:20,280 Click continue. 445 00:36:20,410 --> 00:36:23,090 Go ahead and select your time zone. 446 00:36:23,110 --> 00:36:27,180 Okay we're gonna go ahead and click manual and continue. 447 00:36:27,180 --> 00:36:33,700 Now we need to set up our boot partition so we've got these two partitions down here that we created 448 00:36:33,730 --> 00:36:35,620 after the two primaries. 449 00:36:35,620 --> 00:36:42,670 Now this first primary was our original Windows operating system which has been wiped. 450 00:36:42,690 --> 00:36:47,610 Third primary in this particular scheme is our hidden operating system. 451 00:36:47,650 --> 00:36:55,240 And you can tell because this is a little more than twice the total size of this first partition. 452 00:36:55,510 --> 00:37:02,170 And we have these two logical partitions down here and the first one, the larger one, is going to contain 453 00:37:02,170 --> 00:37:04,270 our encrypted Kali installation.
454 00:37:04,270 --> 00:37:11,260 So we need to set up our boot partition that is going to link to that encrypted Kali and it's always 455 00:37:11,260 --> 00:37:12,760 the last one on the list. 456 00:37:12,820 --> 00:37:22,840 So we're gonna double click it and we're going to double click use as ext4 journaling file system. 457 00:37:22,910 --> 00:37:30,100 We're gonna set the mount point to /boot and then we're going to click done setting up partition and 458 00:37:30,100 --> 00:37:36,400 notice now that this changed to ext4 and we see that it is now a bootable partition. While we're at 459 00:37:36,400 --> 00:37:41,290 it let's go ahead and double click on the Kali partition. 460 00:37:41,290 --> 00:37:46,900 This isn't absolutely necessary but it will make it easier to recognize later so we don't make a mistake 461 00:37:47,460 --> 00:37:52,070 and we're going to double click use as and we're going to select ext4 again. 462 00:37:52,480 --> 00:37:57,870 And this is again mainly just so that we know what we're looking at later in the process. 463 00:37:58,000 --> 00:38:04,090 We don't want to accidentally format one of our Windows partitions by mistake. Click done setting up 464 00:38:04,090 --> 00:38:05,440 partition. 465 00:38:05,440 --> 00:38:10,510 And with that done we're going to come up to configure encrypted volumes and double click it and we're 466 00:38:10,510 --> 00:38:13,660 going to select yes we want to write the changes. 467 00:38:13,660 --> 00:38:17,720 This may take a few moments. Okay. 468 00:38:18,010 --> 00:38:20,700 We're going to click Create encrypted volume. 469 00:38:20,740 --> 00:38:28,450 Now we're going to select our Kali Linux partition or what is going to become our encrypted Kali Linux 470 00:38:28,450 --> 00:38:29,560 partition. 471 00:38:29,560 --> 00:38:34,420 But this is very important: don't also select your bootable partition.
472 00:38:34,720 --> 00:38:39,720 What we're doing here is we're creating a container, an encrypted container, on, 473 00:38:39,760 --> 00:38:47,980 in this case, sda5, and your number may vary, which is going to contain Kali. And if you were to include 474 00:38:48,310 --> 00:38:55,210 your boot partition in that encrypted container then it's not going to be recognized when you boot up 475 00:38:55,210 --> 00:38:57,940 your computer and you won't have any way of getting into it. 476 00:38:58,030 --> 00:39:03,610 So just select your Kali partition and be careful not to select your Windows partition. And one more 477 00:39:03,610 --> 00:39:04,150 thing. 478 00:39:04,150 --> 00:39:12,700 Make note of what your bootable partition is. In my case it's /dev/sda6. 479 00:39:12,820 --> 00:39:13,900 Yours may vary. 480 00:39:13,900 --> 00:39:15,550 You're going to need to remember this. 481 00:39:15,550 --> 00:39:21,670 You might want to write it down because we're gonna have to manually enter 482 00:39:21,730 --> 00:39:27,910 /dev/sda6 when it comes time to specify where we want to install the bootloader and if we install it in the 483 00:39:27,910 --> 00:39:30,770 wrong place the whole process will fail. 484 00:39:30,790 --> 00:39:36,100 So when you're ready click continue. The default settings are in my opinion just fine. 485 00:39:36,100 --> 00:39:39,370 We do have the option to change certain things. 486 00:39:39,370 --> 00:39:47,660 For example if you don't like AES encryption you do have other options but the defaults are going 487 00:39:47,660 --> 00:39:49,340 to be very strong. 488 00:39:49,340 --> 00:39:55,470 So we're just going to go with that in this demonstration. When you're ready click done setting up partition 489 00:39:56,400 --> 00:39:58,500 and then we're going to click finish. 490 00:39:58,800 --> 00:40:02,010 And when prompted we are going to write the changes.
491 00:40:02,100 --> 00:40:09,810 Now we're being prompted to erase all data on the partition that we have selected for encryption. 492 00:40:09,810 --> 00:40:17,790 This wiping process is more or less exactly what VeraCrypt does with a partition prior to encryption. 493 00:40:17,820 --> 00:40:20,060 It is important for security reasons. 494 00:40:20,190 --> 00:40:22,920 So I recommend that you do so. 495 00:40:22,920 --> 00:40:30,000 We're going to click yes. You have the option of canceling this process. To save time in this demonstration 496 00:40:30,060 --> 00:40:35,460 I'm going to cancel but if you're doing this for real I strongly suggest that you allow this process 497 00:40:35,460 --> 00:40:36,490 to complete. 498 00:40:36,510 --> 00:40:39,550 Now you need to select your encryption passphrase. 499 00:40:39,570 --> 00:40:47,580 This passphrase should be 20 or more characters. Any less than that and it will be relatively easy to brute 500 00:40:47,580 --> 00:40:49,860 force depending on the password you select. 501 00:40:49,920 --> 00:40:56,040 There's really no point in encrypting your entire operating system if your password is something easily 502 00:40:56,310 --> 00:40:57,630 found in the dictionary. 503 00:40:57,630 --> 00:41:04,110 In any case whatever password you select you need to remember because there is absolutely no way to 504 00:41:04,110 --> 00:41:06,330 recover it if you forget it. 505 00:41:06,450 --> 00:41:08,240 You will be locked out of your system. 506 00:41:08,250 --> 00:41:12,000 So choose carefully. When you've entered your very strong password 507 00:41:12,000 --> 00:41:13,120 click Continue. 508 00:41:13,140 --> 00:41:15,000 You probably won't see this warning. 509 00:41:15,000 --> 00:41:19,440 Hopefully you won't see this. With that out of the way
510 00:41:19,470 --> 00:41:27,700 We're going to configure the Logical Volume Manager. We're going to say yes to write changes and 511 00:41:27,740 --> 00:41:30,120 now we need to create our volume group. 512 00:41:30,120 --> 00:41:34,040 And this is what's going to contain all of our encrypted volumes. 513 00:41:34,050 --> 00:41:40,470 Or rather the volume is going to be encrypted and contain our operating system and our swap area. 514 00:41:40,680 --> 00:41:46,010 So click Create volume group and we're going to need to give the volume group a name. 515 00:41:46,020 --> 00:41:47,580 This can be any name you want. 516 00:41:47,580 --> 00:41:54,240 For simplicity I'm just going to call it crypto_kali. 517 00:41:54,270 --> 00:41:57,030 Again you can name it whatever you want. 518 00:41:57,050 --> 00:41:58,210 Click Continue. 519 00:41:58,280 --> 00:42:05,690 And now we need to select our partition that we're using as this encrypted volume. 520 00:42:05,700 --> 00:42:13,360 It's been set up. In my case it's sda5_crypt 64. 521 00:42:13,380 --> 00:42:16,800 Be careful not to select any of your other partitions. 522 00:42:16,800 --> 00:42:17,610 Click Continue. 523 00:42:17,610 --> 00:42:24,230 Now we're going to click Create logical volume and we're going to select our group and we're going to 524 00:42:24,230 --> 00:42:30,760 define this first volume as the swap_area. 525 00:42:30,920 --> 00:42:36,140 You could just call it swap or whatever you like. Click continue. 526 00:42:36,140 --> 00:42:42,500 Now how much space you assign your swap area is up to you. 527 00:42:42,560 --> 00:42:47,690 There is a lot of debate about how big a swap area should be. 528 00:42:47,690 --> 00:42:56,420 I personally believe just a little over four gigabytes is best. If you have a larger system 529 00:42:56,420 --> 00:42:58,620 you may wish to have a larger swap area.
530 00:42:58,730 --> 00:43:02,690 You can of course choose not to use a swap area at all 531 00:43:02,690 --> 00:43:03,740 if you wish. 532 00:43:03,740 --> 00:43:10,820 Whatever you decide, enter it and click continue and we're going to create logical volume again, select 533 00:43:10,880 --> 00:43:18,460 our crypto_kali group. Now this is going to be the root partition or the Kali partition. If you're 534 00:43:18,460 --> 00:43:26,350 one of those people who likes to split up your Linux installation, for example having a root partition 535 00:43:26,380 --> 00:43:31,020 and a different home partition and so on and so forth, you can do that. 536 00:43:31,030 --> 00:43:35,830 I'm not going to be demonstrating it in this tutorial. It's a little outside of the scope. 537 00:43:35,830 --> 00:43:41,350 I want to keep things simple for this demonstration but this is how you would do it: you just create 538 00:43:41,920 --> 00:43:48,540 each logical volume within this group and then set it up accordingly in the next steps. 539 00:43:48,580 --> 00:43:56,620 So we're going to call this the kali_root and click continue and we're going to assign it 540 00:43:56,650 --> 00:44:01,770 the maximum amount of space left. Click finish. 541 00:44:02,550 --> 00:44:06,180 So now we need to set up our root partition and our swap area. 542 00:44:06,180 --> 00:44:08,920 So this first partition we're going to double click on it. 543 00:44:09,180 --> 00:44:14,770 We're going to double click on use as ext4 or whatever file system we prefer. 544 00:44:14,940 --> 00:44:17,190 And we're going to set the mount point as root. 545 00:44:17,190 --> 00:44:22,870 Now again I'm just going to quickly point out that if you wanted to separate your partitions you would 546 00:44:22,870 --> 00:44:30,090 have simply created a few more partitions within the volume that we created.
547 00:44:30,090 --> 00:44:35,930 And then you would set for example your home partition and your root partition and so on and so forth. 548 00:44:35,940 --> 00:44:37,430 But I don't want to get confusing. 549 00:44:37,530 --> 00:44:42,160 We're gonna set the root partition and we're gonna say done setting up partition and now we're gonna 550 00:44:42,180 --> 00:44:48,390 double click on this second four point two gigabyte partition and we're going to double click on use 551 00:44:48,390 --> 00:44:51,870 as. We're gonna define it as the swap area. 552 00:44:51,870 --> 00:44:57,610 So double click on that, done setting up partition, and now we're going to scroll all the way to the bottom. 553 00:44:57,670 --> 00:44:59,800 We've got our root partition. 554 00:44:59,800 --> 00:45:01,850 We've got our swap area. 555 00:45:01,900 --> 00:45:08,760 These are all set up within our encrypted sda5_crypt volume that we've created. 556 00:45:08,800 --> 00:45:14,140 So we're going to click finish partitioning and write changes to disk. 557 00:45:14,140 --> 00:45:18,870 We're going to click yes to confirm we wish to write changes and click continue. 558 00:45:18,880 --> 00:45:24,190 Now the operating system will install. This will take some time so please be patient. 559 00:45:24,220 --> 00:45:31,010 Once the lengthy installation process is complete you can use a network mirror if you want to configure 560 00:45:31,010 --> 00:45:32,220 the package manager. 561 00:45:32,230 --> 00:45:33,710 I'm going to say no. 562 00:45:33,730 --> 00:45:39,220 Okay now here we need to be a little careful because this is the part where most people seem to goof 563 00:45:39,220 --> 00:45:40,520 up this process. 564 00:45:40,540 --> 00:45:47,100 We're now being asked if we want to install GRUB bootloader to the master boot record.
565 00:45:47,110 --> 00:45:55,150 Normally we would do this but remember the master boot record is going to be taken up by the VeraCrypt 566 00:45:55,180 --> 00:45:56,860 or TrueCrypt bootloader. 567 00:45:56,860 --> 00:46:03,910 So we can't install GRUB to the master boot record. We need to say no and click continue and then we're 568 00:46:03,910 --> 00:46:09,370 going to specify our second bootable partition and this has to be done manually. 569 00:46:09,370 --> 00:46:11,300 Remember I said to write it down. 570 00:46:11,440 --> 00:46:17,220 So we're going to enter the device and in my case it's going to be 571 00:46:17,350 --> 00:46:19,880 /dev/sda6. 572 00:46:19,930 --> 00:46:21,100 Yours may vary. 573 00:46:21,100 --> 00:46:26,800 Once you've typed in your boot partition we're going to click continue and GRUB will be installed to that 574 00:46:26,800 --> 00:46:28,140 partition. 575 00:46:28,150 --> 00:46:34,930 So now when we boot our computer we will first be presented with the VeraCrypt or TrueCrypt bootloader 576 00:46:35,590 --> 00:46:42,880 and if we were to press the escape key we would see a list of bootable partitions. We would select 577 00:46:42,910 --> 00:46:50,290 the second partition on the list and that partition is going to contain our Kali Linux GRUB bootloader 578 00:46:50,410 --> 00:46:56,110 which will then allow us to boot into Kali and we'll then be prompted for our encryption password to 579 00:46:56,170 --> 00:47:03,100 open the Kali volume which is encrypted. So hopefully that didn't seem too confusing. With the installation 580 00:47:03,100 --> 00:47:10,730 complete, go ahead and remove your installation media whether it's a CD or a pen drive containing 581 00:47:10,730 --> 00:47:16,300 your Kali Linux image and then when you're done click continue. 582 00:47:16,300 --> 00:47:20,790 Once you reboot you'll find yourself in the VeraCrypt bootloader or TrueCrypt,
583 00:47:20,830 --> 00:47:25,950 if you used TrueCrypt instead. We haven't installed the decoy operating system yet. 584 00:47:25,960 --> 00:47:33,160 So if you enter your hidden password, that is to say the password for your hidden Windows operating system, 585 00:47:33,580 --> 00:47:35,070 you will boot into it. 586 00:47:35,230 --> 00:47:42,440 But if you press the escape key notice that we have two bootable partitions. 587 00:47:42,440 --> 00:47:50,720 If we select the second bootable partition we're in GRUB. We'll go ahead and boot Kali and in a moment 588 00:47:50,780 --> 00:47:53,570 we will be prompted for our encryption password 589 00:47:56,700 --> 00:47:58,770 and here we are in Kali. Normally 590 00:47:58,770 --> 00:48:05,120 now we would just enter our user name which in most cases is root and whatever password you specified. 591 00:48:05,130 --> 00:48:07,380 But we're not going to log in to Kali right now. 592 00:48:07,380 --> 00:48:14,910 We've confirmed that Kali has been installed successfully and is encrypted so now it's time to install 593 00:48:14,910 --> 00:48:18,270 the Windows decoy operating system. 594 00:48:18,270 --> 00:48:20,650 This will be the final step of this procedure. 595 00:48:20,700 --> 00:48:27,990 We're going to need to insert our Windows installation media whether that's a CD that you burned with 596 00:48:27,990 --> 00:48:35,130 the ISO or a USB pen drive and we're going to boot our computer from it to get into the Windows installer. 597 00:48:35,640 --> 00:48:41,910 Then we're going to install Windows normally and this will temporarily make the hidden operating system 598 00:48:42,000 --> 00:48:49,050 unbootable and we're going to encrypt this new installation of Windows to be our decoy. 599 00:48:49,110 --> 00:48:54,300 Once this is done all three operating systems will once again be accessible. 600 00:48:54,480 --> 00:48:56,180 So let's go ahead and do that now. 601 00:48:56,190 --> 00:48:56,770 All right then.
602 00:48:56,970 --> 00:49:03,060 Having booted from our Windows installation media we will be presented with a screen like this. 603 00:49:03,060 --> 00:49:09,900 Now this is all a very straightforward process of following prompts all of which you'll see me do though 604 00:49:09,900 --> 00:49:15,000 I will make little recording edits to make sure that this process speeds along. 605 00:49:15,000 --> 00:49:18,480 So when you're ready click next and click install. 606 00:49:18,480 --> 00:49:22,980 This is where you enter your product key for your Windows installation. 607 00:49:22,980 --> 00:49:26,050 You can skip this step if you don't have a key. 608 00:49:26,070 --> 00:49:30,820 But remember you need to activate Windows before you encrypt it. 609 00:49:30,830 --> 00:49:34,890 This is very important. Since I'm doing this for a demonstration 610 00:49:34,890 --> 00:49:37,360 I will click I don't have a product key. 611 00:49:37,380 --> 00:49:39,300 Select your operating system. 612 00:49:39,300 --> 00:49:45,000 If you're presented with different choices remember to select the same operating system that you're 613 00:49:45,000 --> 00:49:47,980 using for your hidden operating system. 614 00:49:48,000 --> 00:49:54,680 In my case that is Windows 10 Professional. You will be required to agree to these terms before you'll 615 00:49:54,680 --> 00:49:59,750 be allowed to proceed. Select custom. 616 00:49:59,880 --> 00:50:05,190 And remember to select the first partition, not the system reserved 617 00:50:05,190 --> 00:50:06,530 if you have one, 618 00:50:06,750 --> 00:50:09,030 but this first partition 619 00:50:09,030 --> 00:50:13,200 we wiped that contained our original Windows installation. 620 00:50:13,200 --> 00:50:17,210 Remember it'll be smaller than the partition immediately following it 621 00:50:17,220 --> 00:50:25,050 because this is our hidden partition which is by requirement a little over twice the size.
622 00:50:25,080 --> 00:50:29,630 When you're ready click Next. Windows will now proceed to install normally. 623 00:50:29,670 --> 00:50:31,070 Please be patient. 624 00:50:31,140 --> 00:50:36,310 The rest of the installation process is really just going through the steps. 625 00:50:36,360 --> 00:50:39,820 You can use Express settings if you want to. 626 00:50:39,840 --> 00:50:44,840 I always choose customize and I tend to switch all of these off. 627 00:50:45,930 --> 00:50:51,240 I'm not sure it does any good with Windows 10 but once you've made your selections and you're ready 628 00:50:51,240 --> 00:50:52,140 to proceed 629 00:50:55,840 --> 00:51:01,400 once you're done Windows will set up and you should boot straight into the operating system. 630 00:51:01,480 --> 00:51:06,670 So once all the critical updates are downloaded and everything is set up and we're back in Windows we're 631 00:51:06,670 --> 00:51:07,330 gonna go ahead. 632 00:51:07,330 --> 00:51:13,450 We're going to open up our browser of choice or more likely Edge because that's what comes default with 633 00:51:13,450 --> 00:51:17,550 Windows nowadays and we're going to download VeraCrypt. 634 00:51:17,620 --> 00:51:23,560 Remember that we need to download the installer and not the portable version. With that done we can go 635 00:51:23,560 --> 00:51:30,400 ahead and close our browser and we'll run the VeraCrypt installation. Click yes to authorize, select 636 00:51:30,400 --> 00:51:38,740 your language, accept the terms and click install. Once the installation is successful click OK, finish. 637 00:51:39,070 --> 00:51:42,770 You can read through the beginner's tutorial if you wish. 638 00:51:42,790 --> 00:51:46,420 Close out of this. All right, now with VeraCrypt installed 639 00:51:46,420 --> 00:51:53,260 we're gonna go ahead and we're going to encrypt this operating system and it's going to become our decoy.
640 00:51:53,260 --> 00:51:59,560 Now remember it's very important that you make sure that your current Windows installation is properly 641 00:51:59,560 --> 00:52:02,950 activated before proceeding to the next step. 642 00:52:02,950 --> 00:52:07,340 It's also recommended that you go ahead and download updates at this time. 643 00:52:07,360 --> 00:52:09,160 You don't absolutely have to. 644 00:52:09,160 --> 00:52:15,250 The reason I recommend doing that is because when you're running through the VeraCrypt reboot you 645 00:52:15,250 --> 00:52:21,580 really don't want to deal with Windows Updates reconfiguring things in the background. 646 00:52:21,610 --> 00:52:27,910 So it is your choice but when you're ready to proceed go ahead and run VeraCrypt and from here we're 647 00:52:27,910 --> 00:52:34,690 gonna go to system and select encrypt system partition/drive. The hidden operating system has already 648 00:52:34,690 --> 00:52:35,690 been created. 649 00:52:35,740 --> 00:52:40,030 We're going to now create the decoy so we want to make sure that normal is selected. 650 00:52:40,030 --> 00:52:46,930 Press next. We're going to select encrypt the Windows system partition. Click next. 651 00:52:47,030 --> 00:52:53,690 And now once again we're on my favorite screen which is essentially trying to trick you. 652 00:52:53,690 --> 00:52:57,980 I have never really run into a case where multi boot was the correct choice. 653 00:52:57,980 --> 00:53:03,350 Pretty much every time no matter how you set this up you're going to want to go with single boot so 654 00:53:03,350 --> 00:53:06,350 click the single boot radio button and click next. 655 00:53:06,350 --> 00:53:08,270 Now this is very important. 656 00:53:08,360 --> 00:53:13,490 Whatever options you selected for the hidden operating system need to be repeated here.
657 00:53:13,520 --> 00:53:19,880 In other words if you selected AES for the encryption algorithm you need to select AES again and 658 00:53:19,880 --> 00:53:22,490 the same is true for the hash algorithm. 659 00:53:22,520 --> 00:53:29,540 If you change either option in other words if your hidden operating system and your decoy have either 660 00:53:29,540 --> 00:53:34,580 a different encryption algorithm or a different hash algorithm then the hidden operating system will 661 00:53:34,580 --> 00:53:35,300 not boot. 662 00:53:35,450 --> 00:53:40,700 So please make sure that these are the same choices you made when you set up the hidden operating system 663 00:53:41,060 --> 00:53:42,200 and click next. 664 00:53:42,200 --> 00:53:46,490 Now we need to give the password for our decoy operating system. 665 00:53:46,490 --> 00:53:51,740 And again it is important that you pick a good password to make the deception credible. 666 00:53:51,740 --> 00:53:53,910 You also need to be able to remember it. 667 00:53:53,910 --> 00:53:56,350 If you were ever forced to give up your password 668 00:53:56,360 --> 00:54:00,000 this is the password you'd give up along with the outer volume. 669 00:54:00,080 --> 00:54:02,750 Again key files are an option. 670 00:54:02,750 --> 00:54:07,780 Do not select the use of the PIM option unless you did so with the hidden operating system. 671 00:54:07,910 --> 00:54:14,750 And if you did set a PIM with the hidden operating system be sure you choose the same setting here. 20 672 00:54:14,810 --> 00:54:20,180 or more characters is recommended for the password. When you're ready click next. 673 00:54:20,180 --> 00:54:24,170 Now we've reached the random pool collection screen. 674 00:54:24,170 --> 00:54:28,550 This should look familiar to you by now and I trust it needs no further explanation.
675 00:54:28,580 --> 00:54:33,860 If you wish to display the pool content that option is available. Simply wave your mouse cursor around 676 00:54:33,860 --> 00:54:37,100 for as long as you can stand it and try to be as random as possible. 677 00:54:37,160 --> 00:54:42,410 And remember that the bar at the bottom of the screen really is just a suggestion. 678 00:54:42,410 --> 00:54:48,870 You can keep doing this longer if you wish and the longer the better. 679 00:54:48,900 --> 00:54:55,320 And once you're satisfied click next. Click yes to authorize. The screen is letting us know that our keys 680 00:54:55,320 --> 00:54:56,330 have been generated. 681 00:54:56,340 --> 00:54:58,530 You can hide these keys if you wish. 682 00:54:58,530 --> 00:55:04,450 Now comes the tricky bit. Both TrueCrypt and VeraCrypt require you to create a rescue disk. 683 00:55:04,470 --> 00:55:11,250 If you encounter a situation where Windows will not start or if the VeraCrypt bootloader itself gets 684 00:55:11,280 --> 00:55:15,840 corrupted somehow the disk will allow you to repair this damage. 685 00:55:15,840 --> 00:55:18,380 Keep one very important detail in mind 686 00:55:18,390 --> 00:55:24,510 however: the rescue disk is not a substitution for the password and or key files. 687 00:55:24,720 --> 00:55:30,480 If you forget your password or you lose your key files or you set a PIM and you forget about it you're 688 00:55:30,480 --> 00:55:31,300 out of luck. 689 00:55:31,320 --> 00:55:35,240 We can use the Browse button to select where we want to save the ISO file. 690 00:55:35,250 --> 00:55:42,480 The file would then be placed on some form of external media such as a USB or burned to a CD. Before 691 00:55:42,480 --> 00:55:48,240 proceeding VeraCrypt gives you the option of skipping the rescue disk verification which is handy 692 00:55:48,240 --> 00:55:50,490 if your system doesn't have any way to mount it.
693 00:55:50,490 --> 00:55:56,730 TrueCrypt does not give you this option. If you are using TrueCrypt you will need to mount the ISO 694 00:55:56,730 --> 00:56:03,150 image somehow either by right clicking it and selecting the mount option in certain versions of Windows 695 00:56:03,270 --> 00:56:11,010 or by using third party software in Windows 7 to mount the image as if it were a drive. For this tutorial 696 00:56:11,010 --> 00:56:17,040 I'm going to go ahead and click skip rescue disk verification. When you're ready click next. 697 00:56:17,070 --> 00:56:21,780 We're now being told essentially what I just said that the ISO for the rescue disk has been created 698 00:56:21,780 --> 00:56:28,320 in a directory that we specified and that it should at this time be moved to external media or burned 699 00:56:28,320 --> 00:56:29,420 onto a disk. 700 00:56:29,550 --> 00:56:35,190 Click Next. This screen is telling you something important so don't just flash right through it. 701 00:56:35,190 --> 00:56:41,010 This is reminding you that each rescue disk is unique to the encrypted operating system that you're 702 00:56:41,160 --> 00:56:42,210 using it on. 703 00:56:42,240 --> 00:56:49,320 In other words if you create a rescue disk on another system or even a prior encryption on the system 704 00:56:49,320 --> 00:56:52,170 you're using now the disk won't work. 705 00:56:52,170 --> 00:56:59,100 Only the disk that is now being created will work with this encryption so keep that in mind and click 706 00:56:59,130 --> 00:56:59,720 OK. 707 00:56:59,790 --> 00:57:05,430 And last but not least we need to once again select our wipe mode. Since we already covered this with 708 00:57:05,430 --> 00:57:06,720 the hidden system creation 709 00:57:06,720 --> 00:57:09,690 I won't go over it again. For this demonstration 710 00:57:09,690 --> 00:57:11,580 I'm selecting none.
711 00:57:11,580 --> 00:57:17,670 Keep in mind that the more passes you select the longer this process is going to take and the harder 712 00:57:17,670 --> 00:57:19,340 it's going to be on your drive. 713 00:57:19,350 --> 00:57:23,400 Please do not select Gutmann unless you absolutely have to. 714 00:57:23,400 --> 00:57:29,910 Once you've made your selection click next and the last step is going to be the encryption pretest. When 715 00:57:29,910 --> 00:57:31,570 we click the test button 716 00:57:31,590 --> 00:57:37,260 Windows is going to reboot and we will be presented with the VeraCrypt password screen. 717 00:57:37,320 --> 00:57:43,830 If we fail to enter our password or if something broke along the way the test will fail and no harm 718 00:57:43,830 --> 00:57:44,910 will be done. 719 00:57:45,030 --> 00:57:50,880 If the password works and everything else functions correctly we will be prompted to proceed with the 720 00:57:50,880 --> 00:57:52,260 encryption process. 721 00:57:52,260 --> 00:57:57,420 Please note however that you must not boot into the hidden system at this time. 722 00:57:57,420 --> 00:58:02,610 It will seriously goof things up. When you're ready click test. 723 00:58:02,610 --> 00:58:06,040 You may read through this if you wish otherwise click OK. 724 00:58:06,150 --> 00:58:10,110 We will now be prompted to restart. Click yes to confirm. 725 00:58:11,240 --> 00:58:14,020 So here we are once again on the bootloader screen. 726 00:58:14,090 --> 00:58:18,370 I've mentioned before that cosmetically this is almost identical to the TrueCrypt 727 00:58:18,380 --> 00:58:19,690 boot loading screen 728 00:58:19,730 --> 00:58:25,520 except that we have the option to show our password and PIM and also to skip authentication with the 729 00:58:25,520 --> 00:58:29,150 escape key which by the way does work with TrueCrypt as well. 730 00:58:29,150 --> 00:58:31,670 Remember this is only the pre-test.
731 00:58:31,670 --> 00:58:34,510 Our system is not yet being encrypted. 732 00:58:34,730 --> 00:58:40,940 Enter the password you selected for the decoy operating system and again do not enter the password for 733 00:58:40,940 --> 00:58:44,400 the hidden system or the outer volume. Under PIM 734 00:58:44,420 --> 00:58:50,810 just press enter unless you specified a specific value in which case you would enter that value now. 735 00:58:51,470 --> 00:58:53,680 TrueCrypt has no PIM prompt. 736 00:58:53,780 --> 00:58:57,820 It will now verify our password and this may take a minute or two. 737 00:58:57,830 --> 00:59:02,950 Once done Windows will boot normally and we can begin the process of encryption. 738 00:59:03,050 --> 00:59:08,150 Once Windows is finished rebooting we'll need to wait just a minute for the notification to pop up telling 739 00:59:08,150 --> 00:59:12,950 us that our pretest was successful and there it is. Our pretest was successful. 740 00:59:12,950 --> 00:59:18,300 We could click the defer button if we don't wish to begin encrypting right now. 741 00:59:18,320 --> 00:59:23,990 However we're ready so we're gonna go ahead and click encrypt. Read through this pop-up and print it if 742 00:59:23,990 --> 00:59:24,990 you wish. 743 00:59:25,160 --> 00:59:31,850 It is simply telling you how to use the rescue disk if you need to. When you're ready click OK and finally 744 00:59:31,850 --> 00:59:33,620 click yes to authorize. 745 00:59:33,620 --> 00:59:35,830 Now we can see the encryption progress. 746 00:59:35,930 --> 00:59:39,520 It would begin with the wiping of free space 747 00:59:39,620 --> 00:59:42,410 if we had selected a wipe mode other than none. 748 00:59:42,410 --> 00:59:48,170 I said all of this in the prior video but you may have skipped it and it does bear repeating so I'm 749 00:59:48,170 --> 00:59:49,640 going to say it again now. 750 00:59:49,670 --> 00:59:52,710 I really can't stress enough just how long this takes.
751 00:59:52,730 --> 00:59:58,760 You are seeing this performed on a very small amount of space but for a real system this process can 752 00:59:58,760 --> 00:59:59,780 take days. 753 00:59:59,780 --> 01:00:03,040 A four terabyte hard drive might take up to a week or more. 754 01:00:03,050 --> 01:00:06,040 Of course it depends on many factors. 755 01:00:06,050 --> 01:00:12,410 I therefore suggest that you place your system somewhere cool and keep all potentially flammable objects 756 01:00:12,410 --> 01:00:18,410 away from it as you may need to leave it on for an extended period unattended and the heavy drive usage 757 01:00:18,410 --> 01:00:20,290 may cause it to heat up quite a bit. 758 01:00:20,300 --> 01:00:25,700 Please also keep in mind the laws of your region of the world concerning encryption. 759 01:00:25,730 --> 01:00:29,300 As I mentioned before I'm not an international lawyer. 760 01:00:29,300 --> 01:00:35,990 Depending on where you are in the world encryption may or may not be legal or you may be under a legal 761 01:00:35,990 --> 01:00:42,380 obligation to surrender your password and keys if requested to do so by certain authorities 762 01:00:42,380 --> 01:00:44,930 even if they do not have a warrant as such. 763 01:00:44,930 --> 01:00:48,380 If you fail to comply with these laws you may end up in hot water. 764 01:00:48,380 --> 01:00:51,950 This is very important to remember when you're traveling abroad. 765 01:00:51,950 --> 01:00:57,830 It might be 100 percent legal to encrypt your laptop in the United States but you might be in for a 766 01:00:57,830 --> 01:01:03,890 nasty shock when you travel to certain parts of the world and airport authorities demand that you decrypt 767 01:01:03,890 --> 01:01:09,590 it or worse. You must do your due diligence and make certain that you are employing these techniques 768 01:01:09,680 --> 01:01:13,520 in a way consistent with the laws of wherever you happen to be.
769 01:01:13,640 --> 01:01:18,890 To avoid getting into any legal trouble. The hidden operating system and plausible deniability exists 770 01:01:18,920 --> 01:01:25,640 so that in the event that some criminal attempts to compel you to give up your password you have a way 771 01:01:25,640 --> 01:01:31,490 of protecting your real data. Withholding the hidden password from lawful authorities when you are expressly 772 01:01:31,490 --> 01:01:37,160 required by law to give up all of your encryption keys may be illegal. 773 01:01:37,160 --> 01:01:43,400 Please have all of this sorted out in your mind long before you ever find yourself in this situation 774 01:01:43,460 --> 01:01:44,990 where you need to think about it. 775 01:01:44,990 --> 01:01:50,330 Encryption is a very good technology and protects innocent people from oppressive powers. 776 01:01:50,330 --> 01:01:55,250 Helps to ensure honest journalism and protect important information from criminal theft. 777 01:01:55,250 --> 01:01:59,060 There are many good and lawful reasons to employ encryption 778 01:01:59,060 --> 01:02:06,610 even at the level that we're seeing in this video. And we're done. Click OK and finish. All right, now we're 779 01:02:06,610 --> 01:02:10,420 going to reboot the system. 780 01:02:10,470 --> 01:02:18,570 So now if we enter our decoy password our decoy operating system will boot. If we enter our hidden password 781 01:02:18,720 --> 01:02:25,170 our hidden operating system will boot. If we press the escape key and select the second bootable partition 782 01:02:25,170 --> 01:02:31,860 as you saw before we can then boot into our Kali Linux installation and we will be prompted for our 783 01:02:31,860 --> 01:02:33,210 encryption password. 784 01:02:33,390 --> 01:02:37,630 So for right now we're gonna go ahead and we're going to boot into the decoy partition. 785 01:02:37,650 --> 01:02:40,070 Remember that if you did not specify a PIM 786 01:02:40,080 --> 01:02:41,130 just press enter.
787 01:02:41,190 --> 01:02:45,780 Now we could end the video here and if this is all you need to know then 788 01:02:45,780 --> 01:02:47,030 thank you for your attention. 789 01:02:47,070 --> 01:02:56,040 But the last thing I'm going to show off is how to mount the decoy or outer volume. 790 01:02:56,040 --> 01:02:59,910 If you're ever called upon to do so this is something you will need to know. 791 01:02:59,910 --> 01:03:07,080 So here we are once again in our decoy installation of Windows and you'll notice that when you go to 792 01:03:07,080 --> 01:03:16,200 This PC or My Computer you have this local disk D and we know that this is the partition which contains 793 01:03:16,200 --> 01:03:19,500 the hidden Windows operating system. 794 01:03:19,740 --> 01:03:28,020 But an adversary who is looking at this decoy installation of Windows will notice this drive and will 795 01:03:28,020 --> 01:03:30,750 probably ask you what it is. 796 01:03:30,750 --> 01:03:35,580 And of course you don't want to say that it contains a hidden Windows installation or that would defeat 797 01:03:35,580 --> 01:03:36,960 the whole purpose. 798 01:03:36,960 --> 01:03:44,010 So remember that we set up what was called an outer volume and this contained files that looked sensitive 799 01:03:44,070 --> 01:03:50,850 like something we would wish to encrypt but are actually files we don't mind falling into the hands 800 01:03:50,850 --> 01:04:00,510 of an adversary. So to mount this partition not as a hidden operating system but as what appears to be 801 01:04:00,570 --> 01:04:02,780 a normal encrypted volume 802 01:04:03,120 --> 01:04:09,380 we're going to launch VeraCrypt and we're going to select any drive that is not currently in use. 803 01:04:09,450 --> 01:04:16,930 We're going to select device, we're going to choose the appropriate partition and then we're going to 804 01:04:17,500 --> 01:04:20,480 mount.
805 01:04:20,550 --> 01:04:23,430 We will now enter our outer volume password 806 01:04:28,480 --> 01:04:32,800 and please notice that there is a TrueCrypt mode that you can click on 807 01:04:33,010 --> 01:04:38,580 if you're using a volume that was created with TrueCrypt. When ready click OK. 808 01:04:38,590 --> 01:04:45,490 Notice that the partition has now been mounted as a Z drive and it appears to be a normal encrypted 809 01:04:45,490 --> 01:04:47,100 volume under type. 810 01:04:47,110 --> 01:04:55,820 So we go back to My Computer or This PC. We can see local disk Z and it contains the supposedly top 811 01:04:55,820 --> 01:05:00,690 secret files that we placed into it during the creation of our outer volume. 812 01:05:00,710 --> 01:05:07,790 Someone very knowledgeable about how VeraCrypt or TrueCrypt works might suspect the deception but 813 01:05:07,880 --> 01:05:12,100 they will be unable to prove the existence of a hidden operating system. 814 01:05:12,110 --> 01:05:14,620 This gives you plausible deniability. 815 01:05:14,990 --> 01:05:15,990 And one last thing. 816 01:05:15,990 --> 01:05:21,350 And do not under any circumstances add or modify files on this drive. 817 01:05:21,380 --> 01:05:24,770 You run the risk of damaging your hidden operating system. 818 01:05:24,950 --> 01:05:31,010 If you need to interact with this file space at any time when you're not under any sort of a threat 819 01:05:31,430 --> 01:05:37,850 then you need to mount the drive in what is called protected mode which I will now demonstrate. 820 01:05:37,850 --> 01:05:42,900 So we're going to dismount the drive and we're going to once again click mount. 821 01:05:43,220 --> 01:05:46,340 And this time we're going to go in to mount options. 822 01:05:46,370 --> 01:05:51,340 We're going to click protect hidden volume against damage caused by writing to the outer volume. 823 01:05:51,380 --> 01:05:56,300 And for this we need to supply the password to our hidden operating system.
824 01:05:56,300 --> 01:05:58,860 So remember only do this when you're alone. 825 01:05:58,910 --> 01:05:59,730 You'll need to, you, 826 01:05:59,750 --> 01:06:05,410 you'll need to specify a PIM if you set one and you'll need to use key files 827 01:06:05,450 --> 01:06:11,450 if you used key files and you'll only need to use key files if you specified them during the creation 828 01:06:11,480 --> 01:06:12,410 of the hidden system. 829 01:06:12,440 --> 01:06:19,920 When you're ready click OK then enter the password and credentials for your outer volume. Click OK. 830 01:06:20,140 --> 01:06:27,140 We'll receive this message and notice that the outer volume is now revealed under type as being an outer 831 01:06:27,140 --> 01:06:27,770 volume. 832 01:06:27,800 --> 01:06:35,570 So the character of the partition is in this way revealed so again only do this when you're alone and 833 01:06:35,570 --> 01:06:37,980 only do this when you absolutely need to. 834 01:06:38,060 --> 01:06:39,160 And that's about it. 835 01:06:39,200 --> 01:06:43,910 How you use your decoy and hidden operating systems is entirely up to you. 836 01:06:43,910 --> 01:06:51,110 However I would suggest making frequent use of your decoy. Make it your daily driver for most of the 837 01:06:51,110 --> 01:06:56,900 things that you do. Only use the hidden system for activities or when dealing with data that needs to 838 01:06:56,900 --> 01:06:57,870 stay hidden. 839 01:06:57,890 --> 01:07:05,180 That way if anyone ever has cause to examine your decoy system in detail it will appear lived in. A decoy 840 01:07:05,180 --> 01:07:09,080 system that is never used is going to look extremely suspicious.
841 01:07:09,080 --> 01:07:15,740 Also remember that your hidden operating system write-protects things like external media to prevent 842 01:07:15,740 --> 01:07:23,240 data leaks so you may find that certain activities like transferring files via a USB is a pain while 843 01:07:23,240 --> 01:07:26,230 using the hidden operating system. In a prior video 844 01:07:26,230 --> 01:07:31,690 I gave a demonstration of how to remove the encryption for an operating system if you so desire. 845 01:07:31,700 --> 01:07:35,540 Please see that video for more information about doing that if you wish. 846 01:07:35,540 --> 01:07:42,260 However this will leave you with two Windows systems installed side by side and a potentially broken 847 01:07:42,260 --> 01:07:42,970 bootloader. 848 01:07:43,040 --> 01:07:48,800 So please make sure you have a boot repair disk of some kind handy before you attempt that. If at any 849 01:07:48,800 --> 01:07:51,210 point you wish to start over from scratch 850 01:07:51,230 --> 01:07:57,770 and I do mean square one or if you just wish to securely delete all encrypted data once you're done 851 01:07:57,770 --> 01:08:04,580 using the encrypted systems please see the video later in this module covering Darik's Boot and Nuke. 852 01:08:04,790 --> 01:08:10,730 Boot and Nuke will completely wipe a hard drive including its partition table and allow you to start 853 01:08:10,730 --> 01:08:15,590 fresh with the obvious catch being that all of your data will be totally erased. 854 01:08:15,590 --> 01:08:21,650 Finally it is probably worth repeating that for any of this to work you will need to disable any protected 855 01:08:21,650 --> 01:08:23,350 boot settings in your BIOS 856 01:08:23,450 --> 01:08:29,290 if they exist. This is done at your own risk and may require you to reinstall your operating system.
857 01:08:29,300 --> 01:08:36,380 It may also be possible to switch from GPT partitioning to MBR and put your bootloader into legacy 858 01:08:36,380 --> 01:08:37,190 mode. 859 01:08:37,190 --> 01:08:44,180 Again this is done in BIOS and at your own risk although it may make things much smoother. Because every version 860 01:08:44,180 --> 01:08:45,800 of BIOS is a little different 861 01:08:45,800 --> 01:08:48,560 there isn't any real way to show this. 862 01:08:48,620 --> 01:08:53,170 So you may need to research the subject a bit if it is a consideration for you. 863 01:08:53,180 --> 01:08:54,340 Thank you for your attention.