AWS Import/Export
Developer Guide (API Version 2010-06-03)

Using TrueCrypt Encryption

For added security, AWS Import/Export supports data encryption using TrueCrypt for import to Amazon S3 and export from Amazon S3. TrueCrypt is an open-source disk encryption application.

TrueCrypt is the only device encryption method that AWS Import/Export supports. For information about how to download, install, and use TrueCrypt, go to www.truecrypt.org.

For import to Amazon S3, you can use TrueCrypt to encrypt your data before sending it to AWS Import/Export. You will need to include your TrueCrypt password in your import manifest.

For import to Amazon EBS or Amazon Glacier, you can use any encryption method you choose. AWS does not decrypt your data for import to Amazon EBS or Amazon Glacier. We strongly encourage you to encrypt your data.

For export from Amazon S3, AWS always encrypts your data using TrueCrypt with the TrueCrypt password in your export manifest.

The following sections detail the encryption process for import to Amazon S3 and export from Amazon S3.

Encryption for Import to Amazon S3

Follow the instructions in the TrueCrypt documentation to create a new TrueCrypt volume. Note that TrueCrypt 7.2, the final release, can only mount and decrypt existing volumes, so to create a volume for import you need an earlier release such as 7.1a. AWS Import/Export supports only TrueCrypt volumes created as non-system partitions or encrypted file containers. Do not use the Encrypt the system partition or the entire system drive option.

To ensure that we can decrypt your device, choose the following options when creating a TrueCrypt volume:

  • Select either the Create an encrypted file container option or the Encrypt a non-system partition/drive option.

  • For Volume Type, select Standard TrueCrypt volume. Do not create a hidden volume.

  • If you are creating an encrypted file container, for Volume Location, create a file in the top-level directory of your device and name the file <JOBID>.tc, where <JOBID> is the job ID associated with the device. For example, 1B23C.tc.

  • If you are encrypting a non-system partition, for Volume Location, select the partition to be encrypted. For Volume Creation Mode, if your volume already contains files, select Encrypt partition in place. TrueCrypt will not format the partition or erase any files. Encrypt partition in place takes longer than encrypting an empty volume. If the partition is empty, select Create encrypted volume and format it.

  • For Encryption Options, use AES for the Encryption Algorithm and RIPEMD-160 for the Hash Algorithm.

  • Create a password for your TrueCrypt volume. You will include this password in the job manifest that you create with the AWS Import/Export tool. Without this password, we won’t be able to access any data on the encrypted partition.

    Important

    Do not lose your password, or you will not be able to decrypt your device. AWS Import/Export will not send the password with the encrypted device.

  • If you are prompted to select a volume format, select NTFS.

After you create your TrueCrypt volume, use TrueCrypt to mount the volume and then copy your files into the volume. Your device must contain only one partition or container and no other files. If you use a file container, the container must be named <JOBID>.tc, using the job ID associated with the device. Copy the SIGNATURE file to the root directory of the encrypted volume.

When you complete your manifest file in preparation for submitting a job request, include the password for the trueCryptPassword option. When AWS receives your device, we will attempt to mount the device. If the volume is encrypted, we decrypt it using the password you supplied. If the volume is not encrypted, we will look for a container file named <JOBID>.tc, using the job ID associated with the device. We will decrypt the container using the password you supplied.

Following a successful import, we will erase the device and ship it to the address provided on your manifest.

If any of the following conditions occur, AWS will erase your device without performing the import and ship it to the address provided on your manifest:

  • You specified a TrueCrypt password in your manifest, but the partition is not encrypted or no encrypted container named <JOBID>.tc exists on the device.

  • More than one container exists on the device.

  • More than one partition exists on the device.

  • AWS is not able to decrypt the partition or the container.

If we are unable to erase the data on the device, we will schedule it for destruction and our support team will contact you using the email address specified in the manifest file.
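As an added example (it is not part of the AWS documentation and not AWS tooling), the following Python script checks a device against the conditions listed above before it ships: one container named <JOBID>.tc, nothing else on the device, the SIGNATURE file inside the encrypted volume rather than beside the container, and a trueCryptPassword in the manifest. It works on directory listings, so the same checks run against the constructed sample listings at the bottom. The manifest is assumed to use plain key: value lines, and the device checks apply only to the file-container option, because an encrypted partition shows no files until AWS decrypts it.

```python
"""Preflight check of an AWS Import/Export device before shipping it.

Added example, not AWS tooling. It models the device layout rules for import
to Amazon S3 with a TrueCrypt file container: exactly one container, named
<JOBID>.tc, nothing else on the device, and the SIGNATURE file inside the
encrypted volume rather than beside the container.
"""
import os


def container_name(job_id):
    """Name AWS looks for: the job ID associated with the device plus '.tc'."""
    return f"{job_id}.tc"


def check_device_listing(entries, job_id):
    """Check the top-level names on the (unencrypted) device.

    `entries` is the list of top-level file and directory names. Returns a
    list of problems; an empty list means the layout matches what AWS expects.
    Each problem mirrors a condition under which AWS erases the device
    without importing it.
    """
    problems = []
    expected = container_name(job_id)
    containers = [e for e in entries if e.lower().endswith(".tc")]
    others = [e for e in entries if e not in containers]

    if not containers:
        problems.append(f"no TrueCrypt container on device; expected {expected}")
    elif len(containers) > 1:
        problems.append(f"more than one container on device: {sorted(containers)}")
    elif containers[0] != expected:
        problems.append(f"container is named {containers[0]!r}, expected {expected!r}")

    if "SIGNATURE" in others:
        # An unencrypted SIGNATURE beside the container counts as "other files".
        problems.append("SIGNATURE is outside the container; copy it into the "
                        "mounted encrypted volume instead")
    for name in others:
        if name != "SIGNATURE":
            problems.append(f"unexpected file or directory on device: {name!r}")
    return problems


def check_mounted_volume(entries):
    """Check the root listing of the mounted (decrypted) volume: the SIGNATURE
    file must be present there."""
    if "SIGNATURE" not in entries:
        return ["SIGNATURE file missing from the root of the encrypted volume"]
    return []


def check_manifest_text(manifest_text):
    """Confirm the manifest carries a non-empty trueCryptPassword option.
    Assumes plain 'key: value' manifest lines (an assumption of this example)."""
    for line in manifest_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "trueCryptPassword":
            if value.strip():
                return []
            return ["trueCryptPassword is present but empty"]
    return ["manifest has no trueCryptPassword option; AWS will not be able "
            "to decrypt the volume"]


def check_device(device_root, mounted_volume_root, job_id, manifest_text):
    """Run every check against real paths: the device root and the mount
    point of the TrueCrypt volume, while the volume is still mounted."""
    problems = check_device_listing(os.listdir(device_root), job_id)
    problems += check_mounted_volume(os.listdir(mounted_volume_root))
    problems += check_manifest_text(manifest_text)
    return problems


if __name__ == "__main__":
    # Constructed sample listings standing in for a real device (job ID 1B23C).
    print(check_device_listing(["1B23C.tc"], "1B23C"))
    print(check_device_listing(["1B23C.tc", "SIGNATURE"], "1B23C"))
    print(check_device_listing(["1B23C.tc", "old.tc", "notes.txt"], "1B23C"))
    print(check_manifest_text("bucket: my-bucket\ntrueCryptPassword: s3cret\n"))
```

Run it after mounting the TrueCrypt volume and before dismounting it, pointing check_device at the device root and at the mount point. Every problem it reports corresponds to a condition under which AWS erases the device without importing. Folders that an operating system creates on its own on removable media are reported as unexpected too; whether AWS tolerates them is not stated on this page, so remove them where you can.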

Encryption with Export from Amazon S3

When you create an Export to Amazon S3 job, you specify a TrueCrypt password in the export manifest. AWS creates a TrueCrypt encrypted volume in a file container on your device using the password you provided, and then copies the data to the container. The container is named <JOBID>.tc, using the job ID associated with your device.

Important

Do not lose your password, or you will not be able to decrypt your device. AWS Import/Export will not send the password with the encrypted device.

Decrypting the TrueCrypt Container

When you receive your device, you will use TrueCrypt with the password you provided with your export manifest to decrypt the container and mount the volume.

To decrypt the TrueCrypt container

  1. If you have not installed TrueCrypt, you will need to install it first.

    Note

    The developer no longer supports TrueCrypt. You can still download and use the application without charge to decrypt your device. Verify each download against its signature with the signing key before installing it.

    Download the installation files from one of the following locations. Each download is published with its signature (sig) and the signing key (key):

    Windows: TrueCrypt 7.2 (sig, key)

    Mac OS X: TrueCrypt 7.2 (sig, key)

    Linux: TrueCrypt 7.2 32-bit (sig, key); TrueCrypt 7.2 64-bit (sig, key); TrueCrypt 7.2 32-bit console (sig, key); TrueCrypt 7.2 64-bit console (sig, key)

  2. Open TrueCrypt.

  3. Select Volume, Select File.

  4. Select the TrueCrypt container file on your device and click Open.

  5. Select Volume, Mount Volume.

  6. Enter the password you provided in the export manifest and click OK.

  7. The encrypted container is mounted as a volume on your computer.
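The steps above can be scripted on a Linux host with the TrueCrypt console (the console packages in the download list). The following Python script is an added example, not AWS or TrueCrypt code: it locates <JOBID>.tc on the device, optionally reads trueCryptPassword from the export manifest (assumed to be plain key: value lines), and builds the truecrypt text-mode command line for a standard volume with no keyfiles. The device path, mount point and script name are assumptions.

```python
"""Mount an exported AWS Import/Export container from the TrueCrypt console.

Added example, not AWS or TrueCrypt code. Builds the `truecrypt` text-mode
command line for the container AWS wrote (<JOBID>.tc) and can read the
password from the export manifest. Paths and the manifest layout are
assumptions of this example.
"""
import os
import subprocess
import sys


def container_path(device_root, job_id):
    """Path of the container AWS created on the device: <JOBID>.tc."""
    return os.path.join(device_root, f"{job_id}.tc")


def password_from_manifest(manifest_text):
    """Pull trueCryptPassword out of the export manifest.

    Assumes plain 'key: value' manifest lines; surrounding quotes, if any,
    are stripped. Returns None when the option is absent or empty."""
    for line in manifest_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "trueCryptPassword":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]
            return value or None
    return None


def mount_argv(container, mountpoint, password=None):
    """argv for `truecrypt` text mode mounting a standard (non-hidden) volume
    with no keyfiles. With `password` omitted, truecrypt prompts on the
    terminal, which keeps the password out of the process list; pass it only
    for unattended use."""
    argv = ["truecrypt", "--text", "--mount", container, mountpoint,
            "-k", "", "--protect-hidden=no"]
    if password is not None:
        argv += ["--non-interactive", "-p", password]
    return argv


def dismount_argv(container):
    """argv that dismounts the same container when you are done."""
    return ["truecrypt", "--text", "--dismount", container]


def main(device_root, job_id, mountpoint, manifest_file=None):
    container = container_path(device_root, job_id)
    if not os.path.isfile(container):
        sys.exit(f"no container {container}; check the job ID and the device")
    password = None
    if manifest_file:
        with open(manifest_file) as f:
            password = password_from_manifest(f.read())
        if password is None:
            sys.exit(f"{manifest_file} has no trueCryptPassword; truecrypt will prompt")
    # Mounting needs root (or a sudo rule for truecrypt). A non-zero exit
    # means a wrong password, a wrong volume type, or a damaged container.
    subprocess.run(mount_argv(container, mountpoint, password), check=True)
    print(f"{container} mounted at {mountpoint}; dismount with:",
          " ".join(dismount_argv(container)))


if __name__ == "__main__":
    # Assumed invocation: mount_export.py /media/usb 1B23C /mnt/export [manifest]
    if len(sys.argv) < 4:
        sys.exit("usage: mount_export.py DEVICE_ROOT JOBID MOUNTPOINT [MANIFEST]")
    main(*sys.argv[1:5])
```

Prefer omitting the manifest argument so that truecrypt prompts for the password; passing it on the command line exposes it to other users of the host through the process list. Mounting needs root or an equivalent sudo rule, and a non-zero exit from truecrypt almost always means a wrong password or a container damaged in transit.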