How many of you use encryption?

[jgpaiva]

That "pre-boot autentication" got me thinking: would you be able to change the password?
I change my windows password very frequently, thus if changing that password would involve decrypting + encrypting the whole disk again, it'd make no sense in my case.

[f0dder]

Holy moley, TC5 adds some very nice stuff. System-partition support is really really nice, and pipelined operation sounds interesting.

Would definitely use this on a laptop, dunno about my workstation though.

[jgpaiva]

Following up on what i mentioned above:

Note that the volume header (which is encrypted with a header key derived from a password/keyfile) contains the master key with which the volume is encrypted.

- TC help file

Which means that your key only encrypts the master key, thus, you can change it without having to encrypt the whole disk.
Ok.. I think that the next time i format my machine, i'll use system-partition encryption

f0dder: why wouldn't you use it for the main workstation?

[f0dder]

f0dder: why wouldn't you use it for the main workstation?

-jgpaiva (February 06, 2008, 08:40 AM)

Simply because I'm not sure whether I have a reason to do so, and I would have to evaluate performance and stability first. Which includes waiting some months before going "live" on my system, to see if any horror stories pop up. Not that I expect any, but my data is preciousssss to me.

[Renegade]

f0dder: why wouldn't you use it for the main workstation?

-jgpaiva (February 06, 2008, 08:40 AM)

Simply because I'm not sure whether I have a reason to do so, and I would have to evaluate performance and stability first. Which includes waiting some months before going "live" on my system, to see if any horror stories pop up. Not that I expect any, but my data is preciousssss to me.

-f0dder (February 06, 2008, 08:46 AM)

Very valid objection.

Encryption just isn't worth the pain right now unless you have some very valuable data. And in that case, it's worth paying for a commercial solution that has weight behind it.

How many people here really need to encrypt their drives? I don't have any kiddie porn...

[jgpaiva]

I was following these 2 ideas:

- Just because you don't have anything to hide, you don't need to show everything.
- Disk encryption is mainly processor-based.

Thus, it'd be a pain-free way to have future guarantees. (since the processor is free most of the time)

[f0dder]

I'd rather run TrueCrypt than something commercial, to be honest.

Yeah, encryption is processor-based, but it's not free. I can clearly tell that on my fileserver... that's a relatively low-power core2 celeron, but still.

[Lashiec]

TrueCrypt is only really useful with laptops, and even then, with BitLocker and those TPM chips some manufacturers are using in their notebooks, I don't know if it's really worth it. Unless you use a Linux laptop or a MacBook (didn't Linux have a native encrypted filesystem?).

It could also be useful for PenDrives... but it requires administrative privileges, and it probably inflicts a hit in performance (a PenDrive with an encryption chip for me, thanks).

Question: What happens with backups if you encrypt the whole disk? Are those backups also encrypted or "in the clear"?

[Armando]

Thanks for the announcement, Josh.
I wonder how Acronis True Image (or other imaging programs) work with a True Crypt encrypted system file... Probably not very well as it would have (I'm guessing) to do a sector by sector  (or bit by bit?) copy and one would end up with an image that'd take a long time to complete + probably the same size as the original partition...???

[MrCrispy]

TrueCrypt is only really useful with laptops, and even then, with BitLocker and those TPM chips some manufacturers are using in their notebooks, I don't know if it's really worth it. Unless you use a Linux laptop or a MacBook (didn't Linux have a native encrypted filesystem?).

It could also be useful for PenDrives... but it requires administrative privileges, and it probably inflicts a hit in performance (a PenDrive with an encryption chip for me, thanks).

Question: What happens with backups if you encrypt the whole disk? Are those backups also encrypted or "in the clear"?

-Lashiec (February 06, 2008, 09:30 AM)

I disagree that TrueCrypt is useful only for laptops. BitLocker is arguably more secure since it can use TPM in hardware but its also a lot more restricitve and dangerous, not to mention that its only in the most expensive Vista version.

If you backup files they will not be encrypted. But if you take a disk image (sector copy) then it will be the same encrypted data.

[MrCrispy]

One more point I'd like to mention - there are many encryption schemes that are uncrackable because of their keyspace. But that doesn't guarantee your data is safe. The imp thing about TC is 'plausible deniability'. Without this a harmful agent (such as the govt) would know that there is encrypted data and by law (or worse) force you to reveal the key. With a hidden container there is no trace that there is any data at all.

[CWuestefeld]

The imp thing about TC is 'plausible deniability'. Without this a harmful agent (such as the govt) would know that there is encrypted data and by law (or worse) force you to reveal the key. With a hidden container there is no trace that there is any data at all.

-MrCrispy (February 06, 2008, 03:46 PM)

That's mostly true, and I do think that one of TC's outstanding features is how well thought out its plausible deniability is.

Not that I'm hiding any crimes, but...

I think that it's incorrect to say that the bad guy would not know that there is encrypted data. The DC container file must still exist; it's impossible to say what's in it, or indeed that it is encrypted data, with absolute certainty. But they don't need that kind of certainty, they just need the reasonable suspicion to issue a warrant that will force you to open it for them (or find you in contempt, and lead to deeper investigation, etc.)

The strong point of TC's plausible deniability is that a given container can have two separate keys, each of which reveals different content. You can have an outer shell that contains slightly embarrassing data, and give up that key when under duress. The bad guy, looking at the outer shell, has no way to know that there is another inner shell with the really juicy stuff, still buried in the container. But to be really plausible you need to mfill the outer shell with something that they'll believe that you were really trying to hide.

[Armando]

The strong point of TC's plausible deniability is that a given container can have two separate keys

-CWuestefeld (February 06, 2008, 03:59 PM)

I believe that to be plausible, any given container should have an infinite amount of separate keys (infinite being a purely theoretical value...).

But if you take a disk image (sector copy) then it will be the same encrypted data.

-MrCrispy (February 06, 2008, 03:31 PM)

...As the container/drive is always encrypted (and only decrypted in RAM, IIRC).

But anybody does imaging of encrypted drives here? According to that thread (as an example) http://www.wildersse...wthread.php?t=196136, it doesn't seem like a fun thing.

here's what the Acronis moderator says :

Thank you for your interest in Acronis Software.

Please be aware that Acronis True Image does not officially support third-party encryption software, so it's not recommended to create images of encrypted drives from Windows. It is always possible to create a sector by sector image of a hard drive using Acronis Bootable Rescue Media though, which is the recommended method for such cases.

Please also notice that corporate versions of Acronis True Image feature encrypting backups with industry-standard AES cryptographic algorithm (key size 128, 192, 256 bit).

Thank you.
--
Marat Setdikov

And another poster says :

using encrypted virtual disks is the best solution.
Making an image of a normal non-encrypted system partition is a fast, easy, simple and reliable procedure. To backup a virtual disk you just burn it to a DVD.
Making an image of a whole encrypted disk is a nightmare - very slow creation & restoration, the chances something to go wrong are many times higher, images are huge etc. (not only when using ATI, but with any imaging app). Also WDE affects system performance far more than using only encrypted containers for sensitive data.

Any file may get corrupt, it's your fault there was no backup. If you don't like PGP, use TrueCrypt containers. But WDE is just an unnecessary complication

stuff to think about IMO if you need to image/backup your system a lot.

[Armando]

BTW, an alternative to Truecrypt is also mentioned (free, and open source, and it's got a pda version) : FreeOTFE, and I don't believe it's ever been mentioned here on DC.

[Nod5]

Great that it is released!

Has anyone gotten the new system encryption (WDE) to work yet?

I tried twice to do it on a test system with and without secure overwriting but got a CRC-error half way through each time. I did a chkdsk inbetween these two attempts and that showed no errors. Maybe something else installed on that machine is interfering with TrueCrypt.  Tomorrow I'll put an image of a clean XP install on the same testmachine and see if I succeed with system encryption on that.

Some interface issues for the new features definitely needs to be improved. For example, it would be very useful if TrueCrypt could give you an estimate of how long time the encryption will take BEFORE you start the actual encryption. That way, the choice of what level of overwriting you want would be easier to make. TrueCrypt currently only gives a scary fixed estimate saying that opting for overwriting (3, 5 or 35 times I think) may mean that encryption can take a week to complete, or something like that. Not very helpful.

[f0dder]

Ho humm, BitLocker... dunno enough about it to say anything. Does it work on the system partition? I don't feel too comfortable trusting my data to full-disk encryption unless I have sourcecode, or at least complete documentation of the on-disk format + algorithms used.

TPM chip support ho humm, if you have boot-time authentication it's going to be secure even without TPM.

Disk images will obviously have to be sector-by-sector (the smallest granularity you can read a harddisk at) with an encrypted partition, which is fine, imaging != backup anyway.

The strong point of TC's plausible deniability is that a given container can have two separate keys, each of which reveals different content. You can have an outer shell that contains slightly embarrassing data, and give up that key when under duress. The bad guy, looking at the outer shell, has no way to know that there is another inner shell with the really juicy stuff, still buried in the container. But to be really plausible you need to mfill the outer shell with something that they'll believe that you were really trying to hide.

-CWuestefeld (February 06, 2008, 03:59 PM)

"They" will know that they didn't find what they were looking for. But they can't prove it , although they can muse about only 1 megabyte of a 100gigabyte container was used.

[CWuestefeld]

Warning: I just installed TrueCrypt 5 on a new computer. It was able to mount a volume from TC 4.3a, but it was unable to actually open the volume. I was getting weird error messages. After uninstalling v5 and putting v4.3 back, I can open my volume once again.

I suggest waiting for 5.1.

[4wd]

Is there a truly portable encryption system that allows someone to access an encrypted file on any system via a usb drive?

-Josh (January 20, 2008, 04:32 PM)

Yes, any portable archiver that supports encryption.  I use WinRAR to encrypt all my software keys but I can unencrypt using IZArc2Go, PeaZip or any other that supports encrypted RAR archives, (encrypted RARs are far more secure than encrypted ZIPs - it's been mentioned time and again that if you lose the password for an encrypted RAR in would be faster to create the original file than bruteforce the password).

[Nod5]

After doing a disk repair through the SeaTools for DOS boot-CD ( http://www.seagate.c...t/downloads/seatools ) I've now gotten truecrypt 5.0 system encryption to work. 

I've experience no performance hit and have no other major drawbacks to report either. But I haven't yet tried any CPU-heavy activities like gaming.

The system encryption supports passwords only, not keyfiles. I hope they add some smart support for that in the next version so that the bootloader at startup autosearches for a file with a certain name on any connection usb device and then tries to use that as a keyfile.

[f0dder]

I've experience no performance hit and have no other major drawbacks to report either. But I haven't yet tried any CPU-heavy activities like gaming.

-Nod5 (February 09, 2008, 07:53 AM)

Shouldn't make much of a difference, games tend to pre-load most data, and not do much disk loading until you progress to a new level.

The system encryption supports passwords only, not keyfiles. I hope they add some smart support for that in the next version so that the bootloader at startup autosearches for a file with a certain name on any connection usb device and then tries to use that as a keyfile.

-Nod5 (February 09, 2008, 07:53 AM)

Passphrases are secure enough for TrueCrypt - keyfiles wouldn't really bring any security advantage, and if not protected by a passphrase, it'd lower your security.

[Nod5]

F0dder,
You are right. I wasn't thinking (not enough anyway  ) when I wrote that about CPU-heavy activities.
I want keyfile support only because it is so much more convenient, not more secure.

[Josh]

TrueCrypt 5.1 Released!

5.1

March 10, 2008

New features:


• Support for hibernation on computers where the system partition is encrypted (previous versions of TrueCrypt prevented the system from hibernating when the system partition was encrypted). (Windows Vista/XP/2008/2003)
• Ability to mount a partition that is within the key scope of system encryption without pre-boot authentication (for example, a partition located on the encrypted system drive of another operating system that is not running).   (Windows Vista/XP/2008/2003)
        Note: This can be useful e.g. when there is a need to back up or repair an operating system encrypted by TrueCrypt (from within another operating system).
  
• Command line options for creating new volumes.  (Linux and Mac OS X)

      Improvements:


• Increased speed of AES encryption/decryption (depending on the hardware platform, by 30-90%).    (Windows)
• Faster booting when the system partition is encrypted.   (Windows Vista/XP/2008/2003)
• When the system partition/drive is encrypted, the TrueCrypt Boot Loader is now stored in a compressed form and is, therefore, smaller. If a non-cascade encryption algorithm is used (i.e., AES, Serpent, or Twofish), the TrueCrypt Boot Loader is now small enough so that a backup of the TrueCrypt Boot Loader can be (and is) stored in the first drive cylinder. Whenever the TrueCrypt Boot Loader is damaged, its backup copy is run automatically instead.
  
        As a result of this improvement, the following problem will no longer occur: Certain inappropriately designed activation software (used for activation of some third-party software) writes data to the first drive cylinder, thus damaging the TrueCrypt Boot Loader. The affected users had to use the TrueCrypt Rescue Disk to repair the TrueCrypt Boot Loader. This will no longer be necessary after upgrading to this version of TrueCrypt (provided that the system partition/drive is encrypted using a non-cascade encryption algorithm, i.e., AES, Serpent, or Twofish).
  
        Note: If your system partition/drive is currently encrypted using a non-cascade encryption algorithm (i.e., AES, Serpent, or Twofish), a backup copy of the TrueCrypt Boot Loader will be automatically stored in the first drive cylinder when you upgrade to this version of TrueCrypt.
  
• The minimum memory requirements for the TrueCrypt Boot Loader have been reduced from 42 KB to 27 KB (twenty-seven kilobytes). This allows users to encrypt system partitions/drives on computers where the BIOS reserves a large amount of memory.  (Windows Vista/XP/2008/2003)
  
• Many other minor improvements.  (Windows, Mac OS X, and Linux)

      Resolved incompatibilities:


• On some computers, when performing the system encryption pretest, Windows failed to display the log-on screen. This will no longer occur.   (Windows Vista/XP/2008/2003)

      Bug fixes:


• On some systems, drive letters were not correctly assigned to newly mounted non-system volumes. This will no longer occur.  (Windows)
• Many other minor bug fixes.  (Windows, Mac OS X, and Linux)

[/list]

[kartal]

I am yet looking for a free portable application(no install) that can encrypt files or folder. I use axcrypt and truecrypt but they do not serve my need. truecrypt is good for containers and axcrypt portable cannot encrypt folders, only files. Any suggestions?

[Lashiec]

How about Omziff or dsCrypt?

[kartal]

thanks but they seem to be only for text files?