truecrypt...

Posted: Mon Apr 18, 2011 9:43 pm
by sarbin
http://www.truecrypt.org/

Any here use it? Experiences/caveats?
Thx.

Re: truecrypt...

Posted: Thu Apr 21, 2011 12:28 am
by blackomegax
A major state uni I used to work for uses it to secure data for FERPA regs.

Current-gen Intel SSDs do encryption built in, but TrueCrypt is the only thing I would trust to encrypt a spinny disk these days. Only downside is that the ThinkPad TPM and finger reader do not support it at all, so you're stuck doing everything in software, with passwords.

Re: truecrypt...

Posted: Fri Apr 22, 2011 3:44 pm
by ThinkRob
blackomegax wrote: Only downside is that the ThinkPad TPM and finger reader do not support it at all, so you're stuck doing everything in software, with passwords.
On the bright side, it does not use the fingerprint reader, so you won't be tempted to rely on anything other than a strong passphrase. ;)

Re: truecrypt...

Posted: Sat Apr 23, 2011 7:50 pm
by pkiff
I've been using TrueCrypt for about a year.

I've used it with large data files where the files remained encrypted while being used. Worked great. Negligible impact on performance from what I could tell.

I have transferred files back and forth between an X60, Mac G5 Desktop, and a new Windows 7 machine via USB key carrying the encrypted file(s). Also worked great. And I was able to run the USB key portable version on a 4th machine when I needed to open the files in a pinch.

Nothing but good things to say about the whole experience.

DO NOT forget or misplace your password. There is no recovery if you lose it.

Phil.

Re: truecrypt...

Posted: Sun Apr 24, 2011 6:12 pm
by pinkymadam
I've used it as a secure partition for a couple of years, and it works perfectly fine - like an ordinary partition. It has numerous encryption options and other settings you can tweak. It's also pretty darn easy to use.

I use KeePass (LastPass or whatever would be the same), so a long, long key is no issue at all. To get to the TrueCrypt partition, I press the shortcut, click "mount", press the KeePass autotype shortcut and I'm in - takes about 2 seconds.

You can use it to encrypt your system partition, but I've never tried that. There are guides available online - I know Lifehacker are fans and have done a couple.

Re: truecrypt...

Posted: Thu Apr 28, 2011 6:19 pm
by blackomegax
ThinkRob wrote: Only downside is that the ThinkPad TPM and finger reader do not support it at all, so you're stuck doing everything in software, with passwords.

On the bright side, it does not use the fingerprint reader, so you won't be tempted to rely on anything other than a strong passphrase. ;)
But you can bind your finger to any length of actual password behind it. Just don't lose your finger. :)

Re: truecrypt...

Posted: Thu Apr 28, 2011 10:01 pm
by ThinkRob
blackomegax wrote: But you can bind your finger to any length of actual password behind it. Just don't lose your finger. :)
Yes, and provided that malicious parties never get their hands on gummy bears, fingerprint readers will remain secure. :D

Re: truecrypt...

Posted: Thu Apr 28, 2011 10:13 pm
by ajkula66
The very last thing I'd ever rely upon when it comes to security on ThinkPads would be the fingerprint reader...and that's all I'm going to say...

Re: truecrypt...

Posted: Fri Apr 29, 2011 4:53 pm
by ThinkRob
ajkula66 wrote:The very last thing I'd ever rely upon when it comes to security on ThinkPads would be the fingerprint reader...and that's all I'm going to say...
Oh come on... let's be fair... the dock lock isn't exactly... uh...

... Hmm...

... yeah, you're right. Same for me. :lol:

Re: truecrypt...

Posted: Sun May 08, 2011 10:43 am
by Puppy
I don't use it, but these two articles are probably worth reading:
http://www.net-security.org/secworld.php?id=9077
http://www.ghacks.net/2009/11/26/bitloc ... rformance/

The performance loss seems to be too high. I'd rather use NTFS encryption.

Re: truecrypt...

Posted: Sun May 08, 2011 11:14 am
by ThinkRob
Puppy wrote: I don't use it, but these two articles are probably worth reading:
http://www.net-security.org/secworld.php?id=9077
http://www.ghacks.net/2009/11/26/bitloc ... rformance/

The performance loss seems to be too high. I'd rather use NTFS encryption.
The net-security.org article is nothing new, nor is it specific to TrueCrypt. Any machine with FireWire (or some other DMA-enabled port) is susceptible to this sort of attack whether it's running TrueCrypt, FileVault, LUKS, BitLocker, or something else. This is why you should always shut your computer down completely before passing through US customs or TSA security checkpoints. (Also, the software and hardware necessary to perform this sort of attack is not something that only the "good guys" possess. A number of options are available for both LEOs and crooks alike.)

There's going to be a performance hit with *any* software solution, including NTFS's encryption. IMHO, it's absolutely worth it, especially considering the threats to your privacy posed by certain world governments (not to mention thieves, etc.)

Re: truecrypt...

Posted: Tue May 10, 2011 3:50 pm
by Tõnis
ThinkRob wrote: The net-security.org article is nothing new, nor is it specific to TrueCrypt. Any machine with FireWire (or some other DMA-enabled port) is susceptible to this sort of attack whether it's running TrueCrypt, FileVault, LUKS, BitLocker, or something else. This is why you should always shut your computer down completely before passing through US customs or TSA security checkpoints.
How does it crack TrueCrypt encryption using FireWire? Can it also crack TrueCrypt on the backup DVDs I make?

Re: truecrypt...

Posted: Tue May 10, 2011 6:21 pm
by jdrou
Tõnis wrote: How does it crack TrueCrypt encryption using FireWire? Can it also crack TrueCrypt on the backup DVDs I make?
Read the article. It accesses the memory of a powered-on but locked computer through the FireWire port.
If you shut the computer down completely with an encrypted disk it can't be booted without the password so that method won't work.

Re: truecrypt...

Posted: Tue May 10, 2011 6:24 pm
by Tõnis
jdrou wrote: Read the article. It accesses the memory of a powered-on but locked computer through the FireWire port.
If you shut the computer down completely with an encrypted disk it can't be booted without the password so that method won't work.
Yea, I read it and got that part. I didn't understand what accesses/reads the memory means or how it does that if there's a password. But okay, thanks for your helpful reply.

Re: truecrypt...

Posted: Tue May 10, 2011 9:59 pm
by ThinkRob
Tõnis wrote: Yea, I read it and got that part. I didn't understand what accesses/reads the memory means or how it does that if there's a password. But okay, thanks for your helpful reply.
The encryption key has to be stored in memory when an encrypted partition is unlocked (how else would it decrypt the data?)

Any DMA-capable device (such as Firewire) can access (most) any part of memory. Therefore... well... you know the rest.

Re: truecrypt...

Posted: Wed May 11, 2011 7:03 am
by Tõnis
ThinkRob wrote: The encryption key has to be stored in memory when an encrypted partition is unlocked (how else would it decrypt the data?)

Any DMA-capable device (such as Firewire) can access (most) any part of memory. Therefore... well... you know the rest.
Makes sense. That whole part about the computer being on made me start to wonder if my TrueCrypt-protected DVDs could be cracked/hacked so long as they are in a computer that's on. I suppose if I had just accessed the disc and the password was still in the RAM it might be possible. Therefore, for encryption to be effective, the machine should be off so that the memory's clear.

I guess it's one of those things like with my BlackBerry: encryption is still important. The BlackBerry's password isn't so difficult to circumvent for someone who plugs the device into a computer and uses the right utilities. But the BlackBerry deletes the copy of the private key each time the device is locked. Then, even if someone successfully circumvents the device password, all he'll end up with is a bunch of encrypted files.
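To make concrete what the two posts above describe (the volume key has to sit in RAM while the volume is mounted, and wiping it on lock is what leaves a later memory read with nothing usable), here is an added C example; it is not TrueCrypt or BlackBerry code, and `struct volume`, `volume_mount` and `volume_lock` are hypothetical stand-ins that use a constructed key instead of one derived from a passphrase.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_LEN 32  /* 256-bit volume key, e.g. AES-256 */

/* In-memory state of a mounted volume (hypothetical, for this example). */
struct volume {
    uint8_t key[KEY_LEN];
    int mounted;
};

/* Wipe through a volatile pointer so the compiler cannot drop the stores as
 * dead code; a plain memset() on a buffer that is never read again often is. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* 1 if any non-zero byte remains, i.e. key material is still resident. */
int key_material_present(const uint8_t *buf, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= buf[i];
    return acc != 0;
}

/* "Mount": the key must sit in RAM for as long as the volume is in use.
 * Returns 1 because key material is now resident. */
int volume_mount(struct volume *v, const uint8_t key[KEY_LEN]) {
    memcpy(v->key, key, KEY_LEN);
    v->mounted = 1;
    return key_material_present(v->key, KEY_LEN);
}

/* "Dismount"/lock: zeroize the key so a later memory read finds nothing usable.
 * Returns 0 because no key material remains. */
int volume_lock(struct volume *v) {
    secure_wipe(v->key, KEY_LEN);
    v->mounted = 0;
    return key_material_present(v->key, KEY_LEN);
}

int main(void) {
    uint8_t sample_key[KEY_LEN];  /* constructed; a real tool derives it from the passphrase */
    for (int i = 0; i < KEY_LEN; i++) sample_key[i] = (uint8_t)(0xA5 ^ i);
    struct volume vol;
    printf("after mount, key resident: %d\n", volume_mount(&vol, sample_key));
    printf("after lock,  key resident: %d\n", volume_lock(&vol));
    return 0;
}
```

The same wipe belongs on any buffer that ever held the key or the passphrase, and it is only a mitigation for the locked-and-powered-on case; a fully shut-down machine with cleared RAM is still the stronger position.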

Re: truecrypt...

Posted: Wed May 11, 2011 2:00 pm
by ThinkRob
Tõnis wrote: I guess it's one of those things like with my BlackBerry: encryption is still important. The BlackBerry's password isn't so difficult to circumvent for someone who plugs the device into a computer and uses the right utilities. But the BlackBerry deletes the copy of the private key each time the device is locked. Then, even if someone successfully circumvents the device password, all he'll end up with is a bunch of encrypted files.
I thought the BlackBerry's lock password is actually pretty well implemented... IIRC, it's not really trivial to circumvent *if* you have disabled mass storage access.

Re: truecrypt...

Posted: Wed May 11, 2011 2:05 pm
by pkiff
Puppy wrote: I don't use it, but these two articles are probably worth reading:
[...]
http://www.ghacks.net/2009/11/26/bitloc ... rformance/

The performance loss seems to be too high. I'd rather use NTFS encryption.
Well, that performance test was on an Atom-based netbook, not a recent or current ThinkPad. On my X60 Core 2 Duo, I don't notice much of a performance hit at all. And more recent benchmarking tests on TrueCrypt 7.0a seem to bear that out:
http://www.tomshardware.com/reviews/tru ... 899-5.html

But as with anything, I suppose it depends what you do with your system. As ThinkRob suggests, there will be some kind of performance hit with any encryption method.

More from the article I link to above:
Its versatility enabled even the previous TrueCrypt version 6.1 to stand out from competitors, such as BitLocker. It only lacked AES-NI support. This has now been taken care of in TrueCrypt 7.0a, finally making it our encryption tool of choice. We're even extending that recommendation to computers without hardware acceleration of AES. Compared to an unencrypted system, TrueCrypt encryption does affect system performance (as expected). But it in no way interferes with the user, and it doesn't demonstrate a performance impact that would be noticeable on a mainstream PC.

However, you should not install TrueCrypt by default if you are running a system that relies heavily on I/O (a database server, for example). Even if it can handle real-time encryption, the program cannot match the I/O performance and data throughput of an unencrypted system yet.
Source: http://www.tomshardware.com/reviews/tru ... 899-7.html

Phil.

Re: truecrypt...

Posted: Wed May 11, 2011 2:15 pm
by ThinkRob
Personally, when it comes to laptops, I don't even see an unencrypted drive to be a realistic option. That strikes me as a phenomenally risky proposition.

The performance hit varies depending on a number of factors, but even the worst case scenario isn't usually that bad (e.g. unencrypted setups a few years ago were as fast as "slow" encrypted ones now.) IMHO, unless you can unequivocally state that no data on your laptop will ever be of any value to *anyone*, both now and in the future, you should use FDE.

Re: truecrypt...

Posted: Wed May 11, 2011 2:57 pm
by Tõnis
ThinkRob wrote: I thought the BlackBerry's lock password is actually pretty well implemented... IIRC, it's not really trivial to circumvent *if* you have disabled mass storage access.
Well, the good thing about it is the user can set a limit for wrong password attempts (maximum of ten). If the limit is exceeded, the device wipes itself.

As for circumventing the password, I don't exactly recall how it's done. It had something to do with hooking up the BlackBerry to a computer, removing the battery, booting into safe mode, and using the readily available CrackUtil program to remove the password. At that point, the BlackBerry would be unlocked. The phone would work, you would be able to use data, etc., but if encryption was in use, the existing files would remain encrypted, as the password is necessary to decrypt the files. This is from the BlackBerry Security Knowledge Base:

"If Content Protection is enabled on the smartphone, then user data on the smartphone is stored encrypted using AES-256. Thus, even if someone reads the user data directly from the device hardware, there’s no way to decrypt the data without the smartphone password."

I also found this valuable information from the BlackBerry Internet Service Security Feature Overview (v. 3.2) that explains the benefit of using content protection (encryption) in addition to a password:

"When you set up encryption of your BlackBerry® device data using the content protection feature, your BlackBerry device is designed to be protected against users with malicious intent who could attempt to steal your data directly from the internal hardware. No one can read your encrypted data without your device password.

"In the Security Options, you can set the Content Protection Strength level. The BlackBerry device then encrypts your data (for example, messages, contact entries, and tasks). The Content Protection Strength level optimizes either the encryption strength or the decryption time. When your BlackBerry device decrypts a message that it received while locked, the BlackBerry device uses an encryption key. More encryption strength means a longer decryption process.

"If you set the content protection strength to Stronger, use a minimum length of 12 characters for the BlackBerry device password. If you set the content protection strength to Strongest, use a minimum length of 21 characters. These password lengths maximize the encryption strength that these settings are designed to provide."

Thus, I would say that with AES encryption, used together with a password, BlackBerry has the best security going for a mobile device.

Re: truecrypt...

Posted: Thu May 19, 2011 2:44 pm
by sarbin
Thanks much for everyone's input.

Re: truecrypt...

Posted: Thu May 10, 2012 8:32 pm
by hyde
I wanted to revive this topic, if anyone wouldn't mind commenting further.
I just want to use my ThinkPad fingerprint reader to authenticate my TrueCrypt partition password to enable it. I really hate the fact that every time I need to look at a file, I have to mount, type the password, then navigate to the folder/file, then once I am done, I need to unmount it and then let it sync with Dropbox.

I was hoping I can just let the fingerprint authenticate and enable the partition. Unless anyone else has other suggestions on keeping the data encrypted before it is synced to the cloud.

Re: truecrypt...

Posted: Sun May 13, 2012 9:52 am
by ThinkRob
hyde wrote: I was hoping I can just let the fingerprint authenticate and enable the partition. Unless anyone else has other suggestions on keeping the data encrypted before it is synced to the cloud.
Are you syncing with a remote storage provider (I refuse to use more nebulous terms) for backup purposes or collaboration? If the former, I'd recommend something like Duplicity (or whatever the Windows equivalent is.) If the latter, you might want to consider using both FDE and individual file encryption.

Re: truecrypt...

Posted: Sat May 26, 2012 2:31 pm
by crashnburn
pinkymadam wrote: I've used it as a secure partition for a couple of years, and it works perfectly fine - like an ordinary partition. It has numerous encryption options and other settings you can tweak. It's also pretty *****Expletives removed by Moderator***** easy to use.

I use KeePass (LastPass or whatever would be the same), so a long, long key is no issue at all. To get to the TrueCrypt partition, I press the shortcut, click "mount", press the KeePass autotype shortcut and I'm in - takes about 2 seconds.

You can use it to encrypt your system partition, but I've never tried that. There are guides available online - I know Lifehacker are fans and have done a couple.
I am thinking of doing an encrypted partition the next time I reinstall.