I have recently purchased a YubiKey because I always thought it was cool and, given the level of security it provides, I always wanted to configure it with my Passpack account just so I have peace of mind whenever I’m not at home. Considering the fact that the YubiKey provides 2 configurable slots (usually the first is already configured with the Yubico OTP and the second is empty, so you can configure it with whatever static password you wish), and since my hard drive contains a lot of sensitive data from work, I was thinking of encrypting the data using TrueCrypt (since you can also use the YubiKey with TrueCrypt).

I have a 2 TB internal hard drive divided into 4 partitions, 500 GB each. Initially I wanted to encrypt the system partition only (C:\) and also to create an encrypted volume of about 150 GB on the last partition so I can move everything that is work-related in there. But then I realized that since the place I moved the files from is not covered by the encrypted area, it would be possible to view file names and maybe recover some of the files with data recovery software. On that note, I concluded that the safest way to go would be to encrypt the entire hard drive.

Initially I wanted to use AES-Twofish-Serpent, but given the fact that encrypting 2 TB with cascading ciphers would take virtually forever, and also given the fact that even if I got it done, it would dramatically limit read/write speeds and thus performance, I decided that AES should do the trick, since it has the highest benchmark speeds and it is still very safe to use. Therefore, given that I don’t have a lot of experience with TrueCrypt, I had a few questions I wanted to ask you guys before I do anything stupid.

1) Should I also include the host protected area (HPA) in the encryption process? (I don’t have a brand PC, so there are no utilities that would access the HPA prior to boot. I don’t have RAID enabled since I only have one 2 TB hard drive. My machine was built from scratch with components I bought, so I don’t think that encrypting the HPA would be a problem, but it’s always good to double-check.)

2) The YubiKey Personalization Tool offers two options when it comes to configuring your static password on the second (free) slot, as follows:
- The first option is called Scan Code and it allows you to manually input any password you wish, and the YubiKey will use it as your static password (limited to a maximum of 38 characters).
- The second option is called “Advanced” and it allows you to generate a random alphanumeric static password based on 3 random hexadecimal keys (limited to a maximum of 64 characters).

Here’s where it gets tricky: I read that the longer your password is, the harder it is to decrypt the data. The randomly generated alphanumeric password can have a maximum length of 64 characters and it would look something like this: !TAAeqepbeweybqebpnaeersdebwewerwe12we8qwqtyhyfewq

After I checked the password’s quality rating (using a function that Passpack provides), I discovered that the value is 157 (estimated in bits). However, if I use the “Scan Code” option, which allows me to configure my password manually, it enables me to use symbol characters such as ^/%(#$\)_@, but it limits my password to only 38 characters, instead of 64 with the automatically generated alphanumeric password. However, the 38-character password has a significantly higher quality rating, around 250 (estimated in bits). So given the circumstances, which one do you think would be a better choice? A longer alphanumeric password that is weaker, or a shorter one with ASCII symbols that is stronger in bits?

NOTE: I realized that even though Yubico limits the characters to 38 on the manual symbol password, I can still do the following trick: first, I input a sequence of characters from my mind (~!*#)(@!\), then push the YubiKey button, and the rest of the 38-character static password is appended to the first portion I typed. That would also work as two-factor authentication and would prevent anyone from doing any harm should they steal my YubiKey, and best of all, it would further strengthen my password quality towards an estimated value of 300 bits.

3) After I encrypt my entire drive with AES (including the C:\ system partition), let’s say I want to reinstall Windows at some point. Can I just log in, pass the pre-boot login screen, then insert my Windows DVD, perform a clean install (within the huge encrypted volume) and then start using the new OS? Or do I have to decrypt everything, reinstall Windows and then re-encrypt it again?

4) After I encrypt my entire hard drive, should I open TrueCrypt and save a backup of the header? (I think yes.)

5) I noticed that only the RIPEMD-160 hash algorithm can be used for system encryption; it seems SHA-512 and Whirlpool are not supported. I know Whirlpool would be better, but I can’t use it since I get an error that it’s not supported. I use Windows 7.

Thank you in advance and sorry for the very long “case study”.
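An added worked example (not part of the original post, and not code from Yubico, TrueCrypt or Passpack) to make the entropy comparison in question 2 concrete. It assumes the two static-password options draw every character uniformly at random from a fixed alphabet (62 alphanumeric characters for the generated password, 95 printable ASCII characters for the manually chosen one); the charset sizes, the 9-character memorized prefix length, and the sample password string are taken from the post or are labelled assumptions. It also shows why a quality meter such as Passpack's can rate a password well below its theoretical maximum: a frequency-based estimate on the actual string only credits the characters it sees.

```python
import math
from collections import Counter

# Alphabet sizes (assumptions): a-z, A-Z, 0-9 vs. all printable ASCII incl. symbols
ALNUM = 62
PRINTABLE_ASCII = 95

# Sample generated password quoted in the post (50 characters as written)
SAMPLE_GENERATED = "!TAAeqepbeweybqebpnaeersdebwewerwe12we8qwqtyhyfewq"


def entropy_bits(charset_size, length):
    """Theoretical entropy of a uniformly random password: length * log2(charset)."""
    return length * math.log2(charset_size)


def shannon_estimate_bits(password):
    """Frequency-based estimate: empirical per-character entropy times length.

    This is the kind of figure a strength meter reports; it can only credit
    characters that actually appear, so repeated fragments ('we', 'eb') pull it
    well below the uniform-random bound for the same length."""
    n = len(password)
    counts = Counter(password)
    per_char = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return per_char * n


def combined_scheme_bits(prefix_len, static_len,
                         prefix_charset=PRINTABLE_ASCII, static_charset=PRINTABLE_ASCII):
    """Memorized prefix typed by hand + YubiKey static part (the 'trick' in the NOTE).

    The two parts add only if the prefix is itself unpredictable; a prefix an
    attacker can guess contributes nothing, so the figure is an upper bound."""
    return entropy_bits(prefix_charset, prefix_len) + entropy_bits(static_charset, static_len)


def compare_options():
    """Return the numbers the post is weighing, all in bits."""
    return {
        # 64 uniformly random alphanumeric characters (Advanced option, max length)
        "generated_64_alnum_theoretical": entropy_bits(ALNUM, 64),
        # Frequency estimate on the sample string actually shown in the post
        "generated_sample_frequency_estimate": shannon_estimate_bits(SAMPLE_GENERATED),
        "generated_sample_theoretical": entropy_bits(ALNUM, len(SAMPLE_GENERATED)),
        # 38 uniformly random printable ASCII characters (Scan Code option, max length)
        "manual_38_printable_theoretical": entropy_bits(PRINTABLE_ASCII, 38),
        # 9-character memorized prefix (assumed length of the example ~!*#)(@!\) + 38 static
        "prefix_9_plus_static_38": combined_scheme_bits(9, 38),
    }


if __name__ == "__main__":
    for name, bits in compare_options().items():
        print(f"{name:40s} {bits:7.1f} bits")
```

Usage note: the 38-character printable-ASCII figure lands at about 250 bits, which matches the rating the post reports, and the prefix-plus-static scheme comes out near 309 bits, in line with the "towards 300 bits" estimate. The 64-character alphanumeric option is only weaker in the meter's eyes because the meter is judging the specific string it was shown; if the generator really is uniform, 64 alphanumeric characters carry more theoretical entropy than 38 printable ones, so the practical question is how random the generated output actually is, not its length.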