Author Topic: IDEA: Encryption software (Read 25070 times)

Josh · « **on:** May 18, 2006, 07:05 PM »

OK, I know this probably exists, but I cannot find a worthy solution.

I know windows has encryption built into its filesystem, but the problem there is that I have to generate a recovery agent certificate which has failed me on numerous occasions using the EFS methods. So, what I need is this. An encryption software, shell integrated so I dont need to use a 3rd party gui to encrypt (merely to configure options and setup password based or encryption certificates to use). The software shouldnt require a whole partition and should be able to do file by file encryption via selecting them in explorer, right clicking, and choosing encrypt. Any ideas or is this a worthy project for the dc.com team?

Carol Haynes · « **Reply #1 on:** May 18, 2006, 07:07 PM »

Have a look at http://www.ghostsecu...php?page=cryptosuite which is good and is used from the shell menu.

taichimaster · « **Reply #2 on:** May 20, 2006, 04:41 PM »

or this

http://www.lassekolb.info/bfacs.htm

nevf · « **Reply #3 on:** May 20, 2006, 06:22 PM »

I'm a big fan of TrueCrypt, which is free and Open Source. You can encrypt an entire partition or create and use a file that appears as a drive, but encrypted of course. I use this to encrypt my USB sticks and USB drives. Works a treat. I've written Securing Information - TrueCrypt which is worth a read.

Carol Haynes · « **Reply #4 on:** May 20, 2006, 07:09 PM »

TrueCrypt looks really nice. It is particularly good that you can use it without having to install the software.

Josh · « **Reply #5 on:** May 20, 2006, 08:10 PM »

Truecrypt actually looks good, gonna try out all the suggestions here and post my results. Perhaps I can create a tool of my own!

Josh · « **Reply #6 on:** May 20, 2006, 08:55 PM »

In truecrypt, what is an "Outer volume" that is referred to. I have read through the manual, and am still a tad unsure what they refer to in truecrypt

Carol Haynes · « **Reply #7 on:** May 21, 2006, 04:50 AM »

TrueCrypt is very nice - seems to work smoothly.

The Outer/Hidden volume bit is interesting.

Imagine making an image file (the outer volume) and then inside that make another image file (this time not visible at all, the hidden volume). The idea is that if someone manages to hack into your outer image file they won't even be able to see the inner hidden image where the sensitive data is stored. The creation system automates the making of this layered volume system by checking hidden volume when prompted.

Having said that, in the scenario they describe on the website (someone breaking your legs to get the password) I'm sure it might occur to them that you may have used a hidden image and so break your arms too to get that password!

patthecat · « **Reply #8 on:** May 21, 2006, 12:30 PM »

For individual file encryption via explorer shell integration:
1. http://hotpixel.net/software.html
BFACS (Blowfish Advanced CS) - I currently use this on my portable USB key and can integrate via explorer shell. You do not need to be an admin user to install this. Only thing this lacks is capability to create a password protected self extracting / decrypting executables. Free.

2. http://7-zip.org
You can also use 7-zip to compress and encrypt via 256-AES algorithm in the default 7-zip format. The file manager can be integrated to explorer shell. One good thing is that you can create a password protected self extracting / decrypting executable so you do not need to have 7-zip installed to decrypt. Free.

3. http://www.cryptomat...file2file/index.html
File2File is strictly "run" from explorer shell menu. Can create password protected self decrypting executables. Free. I used to use this utility for my encryption needs until I switched over to the BFACS, 7-zip, and fsekrit "triple play" solution.

4. TrueCrypt is also good but it is not a file by file utility as you requested on the original posting. It creates an encrypted "partition"/"drive" and whatever files are in it are encrypted. Must have admin rights to machine you install this on. Free.

5. http://www.steganos.com
For a purchased solution you can try Steganos Security Suite.

patrick

f0dder · « **Reply #9 on:** May 21, 2006, 12:31 PM »

If you need just .txt encryption, don't forget http://fSekrit.donationcoder.com :-)

nevf · « **Reply #10 on:** May 21, 2006, 04:49 PM »

...

Having said that, in the scenario they describe on the website (someone breaking your legs to get the password) I'm sure it might occur to them that you may have used a hidden image and so break your arms too to get that password!
-Carol Haynes (May 21, 2006, 04:50 AM)

But they would need to know that it is a TrueCrypt file in the first place and as there is no signature in the file, there is no way to know this.

Carol Haynes · « **Reply #11 on:** May 21, 2006, 04:58 PM »

I suppose they might see TrueCrypt installed on your system! You can also within the interface associate .tc files with the image files so you can mount them with a double click, which seems to give them away abit.

Hoever, I think the scenario is ridiculous that they describe - unless you are a member of the secret service are you going to really hide information to the point of violence to get a password?

nevf · « **Reply #12 on:** May 21, 2006, 05:06 PM »

I suppose they might see TrueCrypt installed on your system! You can also within the interface associate .tc files with the image files so you can mount them with a double click, which seems to give them away abit.

Hoever, I think the scenario is ridiculous that they describe - unless you are a member of the secret service are you going to really hide information to the point of violence to get a password?
-Carol Haynes (May 21, 2006, 04:58 PM)

Agreed. It certainly isn't something I'll be loosing any sleep over.

As an aside we had a very senior Army Officer leave a disk with very important and confidential report in an Airport Lounge last week. The disk found its way to a Talkback Radio presenter that same day. I find it unbelievable that a) the contents weren't encrypted and b) it somehow got out of her bag, and c) she was carrying it in the first place. A very sad state of affairs for the military.

OldElmerFudd · « **Reply #13 on:** May 22, 2006, 12:08 AM »

OEF says:
i've used truecrypt, prefer PGP. runs from the shell, does what i need.

just have to keep bite-sized trouble in the loop for emergencies!

f0dder · « **Reply #14 on:** May 22, 2006, 05:44 AM »

Just remember that anything that need a decrypt->edit->encrypt cycle is a big security problem...

OldElmerFudd · « **Reply #15 on:** May 22, 2006, 09:42 AM »

f0dder, how so? I thought PGP was ok. (puts on flame suit over dunce cap.) oef

f0dder · « **Reply #16 on:** May 22, 2006, 10:51 AM »

The problem is that even after you delete a file, it's still present on your harddisk - it's only a directory entry that has been wiped. If you use a wipe tool to erase the file, you're better off, but a lot of people forget to do that. Also note that with fully journalling filesystems (those that journal the file data and not just meta-data/filesystem accounting overhead), it's more or less impossible to do file wipe... but that's not an issue with NTFS.

So, the encryption is fine enough, it's the temporary files that's the security problem.

Shameless self promotion: fSekrit doesn't create any temporary files

OldElmerFudd · « **Reply #17 on:** May 22, 2006, 02:33 PM »

Ah ha

I use Eraser for that cleaning stuff, but fSekrit sounds easier!

tnx

mwb1100 · « **Reply #18 on:** June 09, 2006, 01:01 AM »

The fact that fSekrit doesn't write temp files is a definite plus - f0dder, I wonder if you have looked at the VirtualLock() API to see if you can prevent inadvertant writing of the data to the pagefile. That would be a nice improvement to the paranoia/worry factor - particularly if using it on a machine that's not yours - in which case the paranoia factor of keyloggers, etc., kicks in - nothing fSekrit can do about that).

As for a nice encryption utility for non-txt files (.doc, .xls, etc.) I use AxCrypt (http://axcrypt.axantum.com/) and open source utility that integrates into the shell. To encrypt, just right click and select encrypt.

When you want to open the file, just double click on it and AxCrypt prompts for the passphrase, decrypts the file to the temp folder in the user profile then launches the application for the original filetype. When the application closes, the temp file is re-encrypted back to the file you double-clicked on. It's all very seemless.

However, you do run into the issues that f0dder mentions, so you need to be aware that:

1) the file is decrypted to the temp folder - AxCrypt does wipe and delete delete it when the application is done, but if something goes wrong (machine crash or whatever) the data can be left in the clear;
2) AxCrypt has no control over what the application that's editing the decrypted copy does - most apps will leave traces of the data in various places and Windows can also send the data in memory to the pagefile. there's pretty much nothing that AxCrypt can do about either of these.

You can reduce exposure of the decrypted data by setting up XP's EFS on the user profile's temporary folder - that way the working copy is transparently encrypted.

The author gives clear and comprehensive advice on how AxCrypt works and how to deal with some of inherent limitations such as those given above. As long as you're aware of these issues and take the proper steps it's a prettty nice little utility.

mwb1100 · « **Reply #19 on:** June 09, 2006, 01:10 AM »

Hoever, I think the scenario is ridiculous that they describe - unless you are a member of the secret service are you going to really hide information to the point of violence to get a password?
-Carol Haynes (May 21, 2006, 04:58 PM)

TrueCrypt goes to great effort to make sure that it can be used with 'plausible deniability'. I think the importance of this can be best stated by some people who may actually require that feature (via Phil Zimmermann):

http://www.interesting-people.org/archives/interesting-people/199603/msg00059.html

Thankfully, I do not require plausible deniability, but it's a feature that I'm glad that the TrueCrypt team places great importance on.

f0dder · « **Reply #20 on:** June 09, 2006, 05:19 AM »

mwb1100: even VirtualLock isn't guaranteed to keep windows from swapping out pages. If you REALLY need that, you'll have to write a driver - one for 9x, one for NT, one for 64bit NT. And getting those installed etc. wouldn't really fit in the philosophy of fSekrit.

Also, it wouldn't really help - I'm using a standard RichEdit control for the text, and as far as I know it uses it's own memory management and there's no way to change that.

I don't think the paging issue is to be worried about for as small files as fSekrit will probably be used for - and on shared machines, indeed keyloggers and the like are much more real issues.

Carol Haynes · « **Reply #21 on:** June 09, 2006, 05:33 AM »

You can use the Group Policy Editor in Windows XP Pro and 2003 to force Windows to purge the page file when you restart the machine. Given the number of times the Pagefile gets written to during a windows session this should be a pretty efficient way of removing an paged out traces of information.

mwb1100 · « **Reply #22 on:** June 09, 2006, 10:55 AM »

f0dder: I see - I thought VirtualLock() might be a help, but your explanation makes good sense.

f0dder · « **Reply #23 on:** June 09, 2006, 10:57 AM »

f0dder: I see - I thought VirtualLock() might be a help, but your explanation makes good sense.
-mwb1100 (June 09, 2006, 10:55 AM)

To be honest, I'm not sure whether it is effective on NT or not - but on 9x it's a null stub. I wouldn't think a usermode process would be allowed to lock pages, but perhaps it is... too lazy to look into it right now. But if it works and could be combined with some own-buffer stuff for the richedit, it might be worth looking into.

Santeria · « **Reply #24 on:** February 26, 2008, 07:51 AM »

hi,

i'm using DriveCrypt from SecurStar.

it's very good for me and so far i didn't have problems with it...

cheers

Author Topic: IDEA: Encryption software (Read 25070 times)

Santeria