How many of you use encryption?

[Josh]

Will BestCrypt Traveler allow you to access encrypted containers on a machine where you do  not have admin privileges?

-mwb1100 (December 20, 2007, 11:02 PM)

Quoting the help file:
"Please note that the user should have administrating privileges to run BestCrypt Traveller software."

"BestCrypt Traveller" seems like a very limited version of commercial "Bestcrypt". I'll stick with TrueCrypt.... 100% free, no crippleware.

-wr975 (December 21, 2007, 01:50 AM)

Does TC allow you to run it off a usb drive and without admin rights? I would love to have a portable encryption system I can use on any system.

[mwb1100]

Does TC allow you to run it off a usb drive and without admin rights? I would love to have a portable encryption system I can use on any system.

-Josh (December 25, 2007, 12:21 PM)

Unfortunately, no.  This is understandable (same as for BestCrypt Traveler, I'm sure) since there's a device drive involved and only admins can install/load device drivers.  There have been requests on the TC forum for some sort of access through a regular program for non-admin access (like opening an archive) - even if read-only, but there's been no apparent developer interest in that.  You'd have to implement enough smarts about NTFS and FAT filesystems to get that to work for Windows containers; that's very non-trivial, and then you'd have to also deal with Linux and Mac filesystems for completeness.  So, I think this is probably not in the cards.

[f0dder]

FAT access would be pretty darn easy, NTFS... ugh. Although linux read-only access is stable enough, so that code could be ripped. But one could probably live with FAT for use on a flash pendrive, which is where a device-driver less solution is required...

Would take a bit of work though, sure

[f0dder]

If you've used PGP to encrypt individual files, and haven't used wiping tools, you have residue left on your harddisk that's easy to restore. Using multiple layers of keys hasn't been mathematically proven to make you more secure, you shouldn't use a cipher you don't trust a single layer of.

For text files, fSekrit is pretty good. At least that's what the government has told me to tell you

[housetier]

I am more and more inclined to back up my data, and then reinstall my OS using a crypto-container this time. And I am thinking about encrypting all data that leaves my computer. Well not so much "data" as files.

I think I have been careless in some areas in the past...

[Lashiec]

Don't forget the tinfoil hat

[ppass]

I use SyncBackSE to partly synchronize my Home and Work PCs via a USB HDD. On the USB HDD, I use encryption. So if my USB HDD gets stolen or lost, file contents are protected.

Compression with Encryption is part of SyncBackSE. The only limitation is that only file contents is protected, not file names, which can be still read normally.

[Nod5]

If you do full-disk encryption on linux, make sure to use encrypted swap too... having /boot unencrypted (as it needs to) isn't a security issue. I've used root-encrypted linux with slackware and loop-AES for several years, works like a charm.

-f0dder (December 24, 2007, 03:53 AM)

Very late reply: I had to re-checked the step by step guide and it seems that only the 100MB boot partition is unencrypted. Everything else, including swap, is encrypted.
 
Armando #24: great if they add support for keyfiles. Most practical would be if you could have two ways to unlock the encrypted installation once you have created it: either through a keyfile (for everyday use) or through a strong password (in case the flash drive with the keyfile is lost).

edit: when I now read the links Armando supplied I saw that my wish above already is on the todo list since this is listed under use cases: "Pitti normally uses a keyfile on an USB stick for booting his laptop and only uses the very long and complicated passphrase as a fallback. When booting, he is asked to insert the USB key or enter the passphrase."

[Nod5]

Lusher wrote earlier in this thread that WDE is coming for TrueCrypt. Some more details from their site reveals that it should be released very soon. Very interesting!

TrueCrypt 5.0
Release scheduled for: January 2008
Windows system partition encryption with pre-boot authentication
Mac OS X version
GUI for Linux versions of TrueCrypt
Parallelized and pipelined read/write
and more.

http://www.truecrypt.org/future.php

[Dormouse]

I know I need to use encryption more. And definitely more systematically. That means having a clear system for it (which I can use across all the computers & usb sticks I use - in a number sites and also when travelling) depending on the need. Some computers I do not have access rights on, so I will need to badger IT depts over the issue.

One question I have not got sorted in my mind is the issue of keys. Encryption is fine, but it seems to me that leaves the key as the weak point. How long a password/phrase can I rely on myself to learn and use regularly? Is it then best to use a password manager for the really complex phrase? How does a keyfile system actually work? Is a password hashing system a better option?

I use all the systems a bit, but none entirely convinces and none work easily but still leave me feeling very secure.

As if the medicine must taste terrible to be effective.

[Armando]

I'm exactly in the same situation. And I want to retry TrueCrypt... it's just that it left me with such a bitter taste last time I installed it (previous laptop) : unsolvable BSODs -- well, the solution was to uninstall TrueCrypt. BSODs tend to really traumatize me... Especially that my current Dell gave me BSODs for a full year, every single week.

[Josh]

Is there a truly portable encryption system that allows someone to access an encrypted file on any system via a usb drive?

[relequestual]

I use built in Google browser sync encryption
but seriously, i do like my truecrypt!

[Curt]

C   J L H L N   L J I N V F K   Q J V K A C J P ,   L Z I L F K   K A Q K   C     D Y L   M C P C K Q G   C M L J K C K V   O X N   K A L   Q J J D Q G   K Q Z Q K C X J

[HINT]

A      B      C      D      E      F      G      H      I       J      K      L      M
Q      R      I       M     L      O      P      A      C      S      E      G      T

--------------------------------------------------------------------

N      O      P      Q      R      S      T      U      V      W     X      Y      Z
J       X      F      W     N      Y      K      D      H      B      Z      V      U

[/HINT]

 

[f0dder]

Is there a truly portable encryption system that allows someone to access an encrypted file on any system via a usb drive?

-Josh (January 20, 2008, 04:32 PM)

Humm... I think TrueCrypt comes close, because it's free and portable. Dunno if there's a "volume explorer" usermode app for it, or if it requires driver install, though?

[Josh]

That is exactly what I am looking for is an application which has both a driver mode (for admin right users) and an app mode for users on a limited user account. That would be a great tool for my thumb drive.

[Renegade]

I like the idea of encryption, but so far no implementation appeals.

I experimented with PGP a few years ago and found the whole mindset & workflow cumbersome.  I use TwoFish encryption in some of the software I write for security related objects, and offer it as a feature for "regular" data.  None of my customers avail themselves of this feature -- not sure why.

For normal correspondence I find most people don't understand what I say anyway, so it seems a waste of time.

-Ralf Maximus (December 20, 2007, 10:23 PM)

I'm with Ralf there. The "idea" is cool, but it's still far too difficult to be bothered with.

Besides, I don't have anything that could put me in jail anyways, so what do I care? Sure. Read my email to my mother! I've got some music with some pretty nasty lyrics? Wanna listen? (And no - I never keep any passwords on disk if it's possible to keep them on paper - you'd never find anything on my desk anyways! )

So there's very little reason for me to use encryption. Use it at the office? Huh? Silliness. If someone wanted to get into my files they could very easily. Slap on a hardware keylogger and DONE! (See below for real security.)

I do use PGP at the dayjob but ONLY because I MUST use it to communicate with some security companies. Otherwise, I'd never touch it.

When all this finally reaches the level that there's a hardware device on every computer, and I simply swipe my hadn over it for some kind of bio-metric identification, then it will finally be at a level that's easy enough to use. Otherwise, 2-factor (or multi-factor) authentication is just far too time consuming for me to play a few MP3s or whatever.

The REAL security that matters isn't encryption... It's the lock on my front door!

[housetier]

I don't need a lock on my door: I possess nothing of value. This sounds like such a good argument, doesn't it?

However, using encryption or locking the door is not about having to hide something or about protecting valuable items, it is about not showing it to everyone or not letting everybody in. There is this thing called privacy, upon which people place different value. For me, it matters a lot. Others do not care about my privacy one bit, that is, they do not want to know.

So, even though I don't have anything of material value, I make sure to lock the door when I leave my apartment. And I protect my electronic communication whenever possible

Encryption matters, and it helps. It doesn't provide 100% protection against a dedicated "thief", but it very well helps against lesser villains. The same applies to your locked door: it won't keep anybody out who REALLY wants to get in. It is difficult to protect against extremes without going to extremes yourself; it is much easier to protect against "normal" and more likely "threats" using normal tools.

I am especially careful to protect myself, or rather, my data, against my government and their secret police. Recent incidents have shown that government officials are incapable of handling large amounts of sensitive data. I do not want my data to be among it when they leave USB sticks in a public library, or leave the laptop on the passenger seat over night, or send encrypted CDROMs with the key printed on the front... They show no signs of respect for other people's privacy, so I will not let them near it.


OK to sum it up: using encryption is up to everybody themselves. But consider why you do one thing (i.e. lock the door) but not the other 

[CWuestefeld]

There's a lot more to protect than your data. The keys to your identity are far more valuable in the long run. Your bank account numbers, PINs and passwords give a bad guy not just the means to take your money, but also to cause you very long-term problems (like hijacking your social security account), or to destroy your reputation in any number of ways.

Locking your house is a pain in the butt, but virtually everyone does it. The dangers of not locking your data may be somewhat less likely to materialize, but pose more significant consequences.

[Renegade]

I don't need a lock on my door: I possess nothing of value. This sounds like such a good argument, doesn't it?
...
OK to sum it up: using encryption is up to everybody themselves. But consider why you do one thing (i.e. lock the door) but not the other 

-housetier (January 21, 2008, 05:25 AM)

The computers I run are sufficiently locked down that I really don't need to worry about encryption. It's kind of like putting a safe inside of a bank vault. It's really quite redundant.

So for day to day operations, encryption will only slow me down and prove to be a nuisance.

Look at it like this -- why would you bother locking your bedroom door or bathroom door everytime that you leave the room? Nobody is in the house anyways, so the only thing that you're doing is creating a problem for yourself. Think of that the next time you really really really really really have to pee badly and can't find the keys to the bathroom! 

Encryption matters, and it helps. It doesn't provide 100% protection against a dedicated "thief", but it very well helps against lesser villains.

-housetier (January 21, 2008, 05:25 AM)

Not quite. Good strong encryption provides 100% protection against anything known to mankind for now and the forseeable future.

To verify that, calculate the keyspace of Rijndael at 256 and you'll see that it very quickly dwarfs the number of atoms in the universe. Check here on symmetric ciphers to find out. The size of the number is 1,296 billion billion billion billion digits. Rijndael is VERY secure.

But let's put those numbers into a bit of perspective...

The number of hydrogen atoms in the observable univers is around 3 * 10^79. So, let's write that number out...

30,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000

Now... The key space of AES 256 (Rijndael) takes up space on a hard disk, so we can't actually put that number here because it's that big. But, let's look at it a tad...

Now. 1 MB is 1,000 KB. And 1 GB is 1,000,000 KB. But we'll need much larger numbers that that. But 1 billion digits is far beyond even the SI system. It goes up like this:

10^24 = yotta-
10^21 = zetta-
10^18 = exa-
10^15 = peta-
10^12 = tera-
10^9 = giga-
10^6 = mega-
10^3 = kilo-

But we're talking about:
10^1,000,000,000 for just the small number of 1 followed by 1 billion zeroes!

But the key space is 1,296 * 10^1,000,000,000 * 10^1,000,000,000 * 10^1,000,000,000 * 10^1,000,000,000!

For the new and upcoming hard drives with terabytes:

1,000,000,000 / 12 = 83,333,333

So you'd need:

1,296 * 8.3 * 10^7 * 10^1,000,000,000 * 10^1,000,000,000 * 10^1,000,000,000 terabyte hard disks
= 1.1 * 10^11 * 10^1,000,000,000 * 10^1,000,000,000 * 10^1,000,000,000 terabyte hard disks

To hold the number. That's a lot of hard disks... I don't have that many at home.

But just look at the first part:

1.1 * 10^11

Now, if that were money, you'd have $110,000,000,000. That's 110 billion. The numbers are staggeringly, insanely HUGE!

If that first part were simply bytes, it would fill a 110 GB hard drive! And that IGNORES the rest of the number!

Ok - I'm just blathering on at this point. But really... Those are some REALLY big numbers! I'd say AES 256 is secure, and I'd bet on 100%.

[housetier]

Impressive numbers, however I never lock the bathroom door, not even when I am at someone else's place.   

The implementation of an encryption scheme is its weakest point. DES was found to be not supersecure, so "they" invented 3DES, however it didn't bring thrice the security of DES, because the flaw was still in there. There are no absolutes, just time frames in which breaking an encryption is feasible.

Soon the old encryption schemes will be broken, and new ones will have to be found. Years ago, a numeric lock was enough for a safe. These days there are so complex magnetic-mechanic-electronic combinations, it's easier to scam people instead of stealing their money from the bank or their homes.

Encryption can be very secure, until some researcher finds a shortcut. I am confident, if you'll forgive the irony, we will see literally a breakthrough of popular encryption schemes in the next 5 years.

The only protection I have, and which you so well laid out, is the effort it takes to break the encryption. Everything is breakable, but some things take longer to break; that's all I'll get from using encryption. But that's enough for me. I used to put 2 locks on my bicycle: that wouldn't stop anybody who was after my bicycle, but it would very likely stop anybody who was after some bicycle.

Protecting my data won't stop anybody who really wants to get ahold of my data, but it might stop someone who just is after some data.

The only thing 100% certain in life is death 

[Nod5]

The truecrypt homepage now states:
"Next release 5.0 scheduled for:  February 4, 2008  "
So four days left until we have open-source WDE for windows! 

[MrCrispy]

I can't wait for TC 5. I hope it has the ability to link mount my tc volumes as part of  NT's login process so that I can store my entire user profile (My Documents, Settings etc) in an encrypted container and have it be transparent to Windows.

[BrokenNails]

I use SyncBackSE to partly synchronize my Home and Work PCs via a USB HDD. On the USB HDD, I use encryption. So if my USB HDD gets stolen or lost, file contents are protected.

Compression with Encryption is part of SyncBackSE. The only limitation is that only file contents is protected, not file names, which can be still read normally.

-ppass (December 25, 2007, 08:13 PM)

Almost the same setup here except I use a USB thumbdrive on my keyring with TrueCrypt providing the encryption rather than SyncBackSE. I keep my important work and home files sync'd (using SyncBackSE) with the thumbdrive (inside a TrueCrypt encrypted volume) so (a) I have a backup if the worst happens, and (b) I can access work files at home or vice versa if the need arises. And everything is secure if I ever happen to lose my keys!

[Josh]

TrueCrypt 5.0 released:

5.0

February 5, 2008

      New features:

• Ability to encrypt a system partition/drive (i.e. a partition/drive where Windows is installed) with pre-boot authentication (anyone who wants to gain access and use the system, read and write files, etc.,    needs to enter the correct password each time before the system starts). For more information, see the chapter System Encryption in the documentation.   (Windows Vista/XP/2003)
• Pipelined operations increasing read/write speed by up to 100%   (Windows)
• Mac OS X version
• Graphical user interface for the Linux version of TrueCrypt
• XTS mode of operation, which was designed by Phillip Rogaway in 2003 and which was recently approved as the IEEE 1619 standard for cryptographic protection of data on block-oriented storage devices. XTS is faster and more secure than LRW mode (for more information on XTS mode, see the section Modes of Operation in the documentation).
        Note: New volumes created by this version of TrueCrypt can be encrypted only in XTS mode. However, volumes created by previous versions of TrueCrypt can still be mounted using this version of TrueCrypt.
  
• SHA-512 hash algorithm (replacing SHA-1, which is no longer available when creating new volumes).

      Note: To re-encrypt the header of an existing volume with a header key derived using HMAC-SHA-512 (PRF), select 'Volumes' > 'Set Header Key Derivation Algorithm'.

      Improvements, bug fixes, and security enhancements:

• The Linux version of TrueCrypt has been redesigned so that it will no longer be affected by changes to the Linux kernel (kernel upgrades/updates).
• Many other minor improvements, bug fixes, and security enhancements.  (Windows and Linux)

     
      If you are using an older version of TrueCrypt, it is strongly recommended that you upgrade to this version.

-What's New