thinkpads.com Support Community Forum Index Bill Morrow's thinkpads.com Open Forum - The Original Thinkpad Support Forum
All times are UTC - 5 hours
 Post subject: truecrypt...
PostPosted: Mon Apr 18, 2011 9:43 pm 
ThinkPadder

Joined: Sat Apr 17, 2004 11:56 pm
Posts: 1134
Location: Central VA
http://www.truecrypt.org/

any here use it? experiences/caveats?
thx.

_________________
Current: X220 / T61p / T60p / X301 / X200T / Yoga 2 Pro
Support: T510 / T420 / T400 / R400 / T61 / T43 / Yoga 13
Hall of Fame: A31p ----- Retired: X61t / T42 / T30 / T22 / 600X / 380XD


 Post subject: Re: truecrypt...
PostPosted: Thu Apr 21, 2011 12:28 am 
Junior Member

Joined: Thu Jul 29, 2004 7:36 pm
Posts: 405
A major state uni i used to work for uses it to secure data for FERPA regs.

current-gen intel SSD's do encryption built in, but truecrypt is the only thing i would trust to encrypt a spinny disk these days. only downside is that the thinkpad TPM and finger reader do not support it at all, so you're stuck doing everything in software, with passwords.


 Post subject: Re: truecrypt...
PostPosted: Fri Apr 22, 2011 3:44 pm 
Senior ThinkPadder

Joined: Wed May 20, 2009 9:54 am
Posts: 2342
Location: near RTP, NC
blackomegax wrote:
only downside is that the thinkpad TPM and finger reader do not support it at all, so you're stuck doing everything in software, with passwords.


On the bright side, it does not use the fingerprint reader, so you won't be tempted to rely on anything other than a strong passphrase. ;)

_________________
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.
Code:
Current laptop: X200s/X201 hybrid
Current workstation: none


 Post subject: Re: truecrypt...
PostPosted: Sat Apr 23, 2011 7:50 pm 
Moderator

Joined: Wed May 05, 2004 9:17 am
Posts: 1322
Location: Toronto, Canada
I've been using TrueCrypt for about a year.

I've used it with large data files where the files remained encrypted while being used. Worked great. Negligible impact on performance from what I could tell.

I have transferred files back and forth between an X60, Mac G5 Desktop, and a new Windows 7 machine via USB key carrying the encrypted file(s). Also worked great. And I was able to run the USB key portable version on a 4th machine when I needed to open the files in a pinch.

Nothing but good things to say about the whole experience.

DO NOT forget or misplace your password. There is no recovery if you lose it.

Phil.

_________________
X61 Tablet SXGA+ (1.80 GHz, 8GB RAM, 750GB Momentus XT HDD) · T60p UXGA · Legacy: X60T, 600X, 770Z
Thinkpad Media Centre: X61T running XBMC with Broadcom Crystal HD BCM970015, Creative X-Fi Surround 5.1 plugged into Cambridge Audio Sonata AR30 receiver


 Post subject: Re: truecrypt...
PostPosted: Sun Apr 24, 2011 6:12 pm 

Joined: Thu Sep 16, 2010 4:20 pm
Posts: 18
Location: London, United Kingdom
I've used it as a secure partition for a couple of years, and it works perfectly fine - like an ordinary partition. It has numerous encryption options and other settings you can tweak. It's also pretty *****Expletives removed by Moderator***** easy to use.

I use KeePass (LastPass or whatever would be the same), so a long, long key is no issue at all. To get to the TrueCrypt partition, I press the shortcut, click "mount", press the KeePass autotype shortcut and I'm in - takes about 2 seconds.

You can use it to encrypt your system partition, but I've never tried that. There are guides available online - I know Lifehacker are fans and have done a couple.


 Post subject: Re: truecrypt...
PostPosted: Thu Apr 28, 2011 6:19 pm 
Junior Member

Joined: Thu Jul 29, 2004 7:36 pm
Posts: 405
ThinkRob wrote:
only downside is that the thinkpad TPM and finger reader do not support it at all, so you're stuck doing everything in software, with passwords.

On the bright side, it does not use the fingerprint reader, so you won't be tempted to rely on anything other than a strong passphrase. ;)


but you can bind your finger to any length of actual password behind it. just don't lose your finger. :)


 Post subject: Re: truecrypt...
PostPosted: Thu Apr 28, 2011 10:01 pm 
Senior ThinkPadder

Joined: Wed May 20, 2009 9:54 am
Posts: 2342
Location: near RTP, NC
blackomegax wrote:
but you can bind your finger to any length of actual password behind it. just don't lose your finger. :)


Yes, and provided that malicious parties never get their hands on gummy bears, fingerprint readers will remain secure. :D

_________________
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.
Code:
Current laptop: X200s/X201 hybrid
Current workstation: none


 Post subject: Re: truecrypt...
PostPosted: Thu Apr 28, 2011 10:13 pm 
Senior ThinkPadder

Joined: Sun Feb 25, 2007 11:28 am
Posts: 12432
Location: Albrightsville, Pennsylvania
The very last thing I'd ever rely upon when it comes to security on ThinkPads would be the fingerprint reader...and that's all I'm going to say...

_________________
...Knowledge is a deadly friend when no one sets the rules...(King Crimson)

Cheers,

George (your friendly retired FlexView farmer)

Collecting SSDI: A31p, T42p

Abused daily: T60, T61, R60F, R500F

For sale: T61p (4:3), T420, T601 QXGA


 Post subject: Re: truecrypt...
PostPosted: Fri Apr 29, 2011 4:53 pm 
Senior ThinkPadder

Joined: Wed May 20, 2009 9:54 am
Posts: 2342
Location: near RTP, NC
ajkula66 wrote:
The very last thing I'd ever rely upon when it comes to security on ThinkPads would be the fingerprint reader...and that's all I'm going to say...


Oh come on... let's be fair... the dock lock isn't exactly... uh...

... Hmm...

... yeah, you're right. Same for me. :lol:

_________________
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.
Code:
Current laptop: X200s/X201 hybrid
Current workstation: none


 Post subject: Re: truecrypt...
PostPosted: Sun May 08, 2011 10:43 am 
ThinkPadder

Joined: Sat Oct 30, 2004 4:52 am
Posts: 1469
Location: Prague, Czech Republic
I don't use it but these two articles are probably worth reading:
http://www.net-security.org/secworld.php?id=9077
http://www.ghacks.net/2009/11/26/bitloc ... rformance/

The performance loss seems to be too high. I'd rather use NTFS encryption.

_________________
ThinkPad (1992 - 2012)


 Post subject: Re: truecrypt...
PostPosted: Sun May 08, 2011 11:14 am 
Senior ThinkPadder

Joined: Wed May 20, 2009 9:54 am
Posts: 2342
Location: near RTP, NC
Puppy wrote:
I don't use it but these two articles are probably worth reading:
http://www.net-security.org/secworld.php?id=9077
http://www.ghacks.net/2009/11/26/bitloc ... rformance/

The performance loss seems to be too high. I'd rather use NTFS encryption.


The net-security.org article is nothing new, nor is it specific to TrueCrypt. Any machine with FireWire (or some other DMA-enabled port) is susceptible to this sort of attack whether they're using TrueCrypt, FileVault, LUKS, Bitlocker, or something else. This is why you should always shut your computer down completely before passing through US customs or TSA security checkpoints. (Also, the software and hardware necessary to perform this sort of attack is not something that only the "good guys" possess. A number of options are available for both LEOs and crooks alike.)

There's going to be a performance hit with *any* software solution, including NTFS's encryption. IMHO, it's absolutely worth it, especially considering the threats to your privacy posed by certain world governments (not to mention thieves, etc.)

_________________
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.
Code:
Current laptop: X200s/X201 hybrid
Current workstation: none


 Post subject: Re: truecrypt...
PostPosted: Tue May 10, 2011 3:50 pm 
Junior Member

Joined: Mon Aug 11, 2008 2:43 pm
Posts: 300
Location: Central Falls, RI
ThinkRob wrote:
The net-security.org article is nothing new, nor is it specific to TrueCrypt. Any machine with FireWire (or some other DMA-enabled port) is susceptible to this sort of attack whether they're using TrueCrypt, FileVault, LUKS, Bitlocker, or something else. This is why you should always shut your computer down completely before passing through US customs or TSA security checkpoints.


How does it crack TrueCrypt encryption using Firewire? Can it also crack TrueCrypt on the backup DVD's I make?

_________________
R61, Core 2 Duo T8300 at 2.40GHz, 15.4" WXGA, XP Pro


 Post subject: Re: truecrypt...
PostPosted: Tue May 10, 2011 6:21 pm 
Junior Member

Joined: Tue Feb 10, 2009 6:15 pm
Posts: 373
Location: Canton, MI
Tõnis wrote:
How does it crack TrueCrypt encryption using Firewire? Can it also crack TrueCrypt on the backup DVD's I make?

Read the article. It accesses the memory of a powered-on but locked computer through the firewire port.
If you shut the computer down completely with an encrypted disk it can't be booted without the password so that method won't work.

_________________
Current Thinkpads:
X31 (PM-1.4), X40 (PM-1.2 LV), X60s (CD-1.66 L2400), X61 (C2D-2.0 T7300), X201 (i7-620M), W520 (i7-2720QM, 2000M, FHD), T440p (i7-4800MQ, FHD)
Dells: Latitude XPi, Latitude C840, Precision M70, Precision M4400, Precision M6500 (WUXGA)


 Post subject: Re: truecrypt...
PostPosted: Tue May 10, 2011 6:24 pm 
Junior Member

Joined: Mon Aug 11, 2008 2:43 pm
Posts: 300
Location: Central Falls, RI
jdrou wrote:
Read the article. It accesses the memory of a powered-on but locked computer through the firewire port.
If you shut the computer down completely with an encrypted disk it can't be booted without the password so that method won't work.

Yea, I read it and got that part. I didn't understand what accesses/reads the memory means or how it does that if there's a password. But okay, thanks for your helpful reply.

_________________
R61, Core 2 Duo T8300 at 2.40GHz, 15.4" WXGA, XP Pro


 Post subject: Re: truecrypt...
PostPosted: Tue May 10, 2011 9:59 pm 
Senior ThinkPadder

Joined: Wed May 20, 2009 9:54 am
Posts: 2342
Location: near RTP, NC
Tõnis wrote:
Yea, I read it and got that part. I didn't understand what accesses/reads the memory means or how it does that if there's a password. But okay, thanks for your helpful reply.


The encryption key has to be stored in memory when an encrypted partition is unlocked (how else would it decrypt the data?)

Any DMA-capable device (such as Firewire) can access (most) any part of memory. Therefore... well... you know the rest.

_________________
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.
Code:
Current laptop: X200s/X201 hybrid
Current workstation: none
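
A defender-side check for the FireWire DMA exposure described in the post above, as an added example that is not part of the original thread: it assumes a Linux host and reports whether the kernel's FireWire drivers are loaded or can still autoload. The function names and the sample input are constructed for illustration, and it covers FireWire only, not other DMA-capable ports.

```sh
#!/bin/sh
# Added example: audit a Linux host for FireWire (IEEE 1394) driver exposure.
# Conservative assumption: any loaded FireWire driver counts as DMA attack surface.
# Module names: current (firewire_*) and legacy (ohci1394, sbp2, ieee1394) stacks.
FW_MODULES="firewire_ohci firewire_core firewire_sbp2 ohci1394 sbp2 ieee1394"

# modprobe treats '-' and '_' in module names as the same character.
norm() { printf '%s' "$1" | tr '-' '_'; }

# is_loaded MODULE [MODULES_FILE]: succeeds if the driver is loaded right now.
is_loaded() {
    awk -v m="$(norm "$1")" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}"
}

# is_blocked MODULE [CONF_DIR]: succeeds if modprobe config keeps it from loading.
# "blacklist X" stops alias-based autoloading only; "install X /bin/false" also
# defeats an explicit modprobe. Both are accepted as "blocked" here.
is_blocked() {
    want=$(norm "$1")
    for f in "${2:-/etc/modprobe.d}"/*.conf; do
        [ -f "$f" ] || continue
        while read -r verb name rest; do
            case "$verb" in
                blacklist) ;;
                install)
                    case "$rest" in
                        /bin/false*|/bin/true*) ;;
                        *) continue ;;
                    esac ;;
                *) continue ;;
            esac
            [ "$(norm "$name")" = "$want" ] && return 0
        done < "$f"
    done
    return 1
}

# audit_firewire [MODULES_FILE] [CONF_DIR]: one line per driver; returns 1 if
# any driver is loaded or could still be autoloaded when a device is plugged in.
audit_firewire() {
    rc=0
    for m in $FW_MODULES; do
        if is_loaded "$m" "${1:-/proc/modules}"; then
            echo "LOADED   $m"; rc=1
        elif is_blocked "$m" "${2:-/etc/modprobe.d}"; then
            echo "BLOCKED  $m"
        else
            echo "LOADABLE $m (no blacklist/install rule found)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample input (not from a real host): two drivers loaded, two blocked.
demo=$(mktemp -d)
printf '%s\n' 'firewire_ohci 45056 0 - Live 0x0' \
    'firewire_core 81920 1 firewire_ohci, Live 0x0' > "$demo/modules"
printf '%s\n' '# constructed rules' 'blacklist firewire-sbp2' \
    'install ohci1394 /bin/false' > "$demo/fw.conf"
audit_firewire "$demo/modules" "$demo" || echo "FireWire drivers need attention"
rm -rf "$demo"
```

Called with no arguments, `audit_firewire` reads the live `/proc/modules` and `/etc/modprobe.d` instead of the sample files.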


 Post subject: Re: truecrypt...
PostPosted: Wed May 11, 2011 7:03 am 
Junior Member

Joined: Mon Aug 11, 2008 2:43 pm
Posts: 300
Location: Central Falls, RI
ThinkRob wrote:
The encryption key has to be stored in memory when an encrypted partition is unlocked (how else would it decrypt the data?)

Any DMA-capable device (such as Firewire) can access (most) any part of memory. Therefore... well... you know the rest.

Makes sense. That whole part about the computer being on made me start to wonder if my TrueCrypt protected dvd's could be cracked/hacked so long as they are in a computer that's on. I suppose if I had just accessed the disc and the password was still in the RAM it might be possible. Therefore, for encryption to be effective, the machine should be off so that the memory's clear.

I guess it's one of those things like with my BlackBerry: encryption is still important. The BlackBerry's password isn't so difficult to circumvent for someone who plugs the device into a computer and uses the right utilities. But the BlackBerry deletes the copy of the private key each time the device is locked. Then, even if someone successfully circumvents the device password, all he'll end up with is a bunch of encrypted files.

_________________
R61, Core 2 Duo T8300 at 2.40GHz, 15.4" WXGA, XP Pro


 Post subject: Re: truecrypt...
PostPosted: Wed May 11, 2011 2:00 pm 
Senior ThinkPadder

Joined: Wed May 20, 2009 9:54 am
Posts: 2342
Location: near RTP, NC
Tõnis wrote:
I guess it's one of those things like with my BlackBerry: encryption is still important. The BlackBerry's password isn't so difficult to circumvent for someone who plugs the device into a computer and uses the right utilities. But the BlackBerry deletes the copy of the private key each time the device is locked. Then, even if someone successfully circumvents the device password, all he'll end up with is a bunch of encrypted files.


I thought the BlackBerry's lock password is actually pretty well-implemented... IIRC, it's not really trivial to circumvent *if* you have disabled mass storage access.

_________________
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.
Code:
Current laptop: X200s/X201 hybrid
Current workstation: none


 Post subject: Re: truecrypt...
PostPosted: Wed May 11, 2011 2:05 pm 
Moderator

Joined: Wed May 05, 2004 9:17 am
Posts: 1322
Location: Toronto, Canada
Puppy wrote:
I don't use it but these two articles are probably worth reading:
[...]
http://www.ghacks.net/2009/11/26/bitloc ... rformance/

The performance loss seems to be too high. I'd rather use NTFS encryption.

Well, that performance test was on an Atom-based netbook, not a recent or current Thinkpad. On my X60 Core 2 Duo, I don't notice much of a performance hit at all. And more recent benchmarking tests on TrueCrypt 7.0a seem to bear that out:
http://www.tomshardware.com/reviews/tru ... 899-5.html

But as with anything, I suppose it depends what you do with your system. As ThinkRob suggests, there will be some kind of performance hit with any encryption method.

More from the article I link to above:
Quote:
Its versatility enabled even the previous TrueCrypt version 6.1 to stand out from competitors, such as BitLocker. It only lacked AES-NI support. This has now been taken care of in TrueCrypt 7.0a, finally making it our encryption tool of choice. We're even extending that recommendation to computers without hardware acceleration of AES. Compared to an unencrypted system, TrueCrypt encryption does affect system performance (as expected). But it in no way interferes with the user, and it doesn't demonstrate a performance impact that would be noticeable on a mainstream PC.

However, you should not install TrueCrypt by default if you are running a system that relies heavily on I/O (a database server, for example). Even if it can handle real-time encryption, the program cannot match the I/O performance and data throughput of an unencrypted system yet.
Source: http://www.tomshardware.com/reviews/tru ... 899-7.html

Phil.

_________________
X61 Tablet SXGA+ (1.80 GHz, 8GB RAM, 750GB Momentus XT HDD) · T60p UXGA · Legacy: X60T, 600X, 770Z
Thinkpad Media Centre: X61T running XBMC with Broadcom Crystal HD BCM970015, Creative X-Fi Surround 5.1 plugged into Cambridge Audio Sonata AR30 receiver


 Post subject: Re: truecrypt...
PostPosted: Wed May 11, 2011 2:15 pm 
Senior ThinkPadder

Joined: Wed May 20, 2009 9:54 am
Posts: 2342
Location: near RTP, NC
Personally, when it comes to laptops, I don't even see an unencrypted drive to be a realistic option. That strikes me as a phenomenally risky proposition.

The performance hit varies depending on a number of factors, but even the worst case scenario isn't usually that bad (e.g. unencrypted setups a few years ago were as fast as "slow" encrypted ones now.) IMHO, unless you can unequivocally state that no data on your laptop will ever be of any value to *anyone*, both now and in the future, you should use FDE.

_________________
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.
Code:
Current laptop: X200s/X201 hybrid
Current workstation: none


 Post subject: Re: truecrypt...
PostPosted: Wed May 11, 2011 2:57 pm 
Junior Member

Joined: Mon Aug 11, 2008 2:43 pm
Posts: 300
Location: Central Falls, RI
ThinkRob wrote:
I thought the BlackBerry's lock password is actually pretty well-implemented... IIRC, it's not really trivial to circumvent *if* you have disabled mass storage access.

Well, the good thing about it is the user can set a limit for wrong password attempts (maximum of ten). If the limit is exceeded, the device wipes itself.

As for circumventing the password, I don't exactly recall how it's done. It had something to do with hooking up the BlackBerry to a computer, removing the battery, booting into safe mode, and using the readily available CrackUtil program to remove the password. At that point, the BlackBerry would be unlocked. The phone would work, you would be able to use data, etc., but if encryption was in use, the existing files would remain encrypted, as the password is necessary to decrypt the files. This is from the BlackBerry Security Knowledge Base:

"If Content Protection is enabled on the smartphone, then user data on the smartphone is stored encrypted using AES-256. Thus, even if someone reads the user data directly from the device hardware, there’s no way to decrypt the data without the smartphone password."

I also found this valuable information from the BlackBerry Internet Service Security Feature Overview (v. 3.2) that explains the benefit of using content protection (encryption) in addition to a password:

"When you set up encryption of your BlackBerry® device data using the content protection feature, your BlackBerry device is designed to be protected against users with malicious intent who could attempt to steal your data directly from the internal hardware. No one can read your encrypted data without your device password.

"In the Security Options, you can set the Content Protection Strength level. The BlackBerry device then encrypts your data (for example, messages, contact entries, and tasks). The Content Protection Strength level optimizes either the encryption strength or the decryption time. When your BlackBerry device decrypts a message that it received while locked, the BlackBerry device uses an encryption key. More encryption strength means a longer decryption process.

"If you set the content protection strength to Stronger, use a minimum length of 12 characters for the BlackBerry device password. If you set the content protection strength to Strongest, use a minimum length of 21 characters. These password lengths maximize the encryption strength that these settings are designed to provide."

Thus, I would say that with AES encryption, used together with a password, BlackBerry has the best security going for a mobile device.

_________________
R61, Core 2 Duo T8300 at 2.40GHz, 15.4" WXGA, XP Pro


 Post subject: Re: truecrypt...
PostPosted: Thu May 19, 2011 2:44 pm 
ThinkPadder

Joined: Sat Apr 17, 2004 11:56 pm
Posts: 1134
Location: Central VA
thanks, much, for everyone's input.

_________________
Current: X220 / T61p / T60p / X301 / X200T / Yoga 2 Pro
Support: T510 / T420 / T400 / R400 / T61 / T43 / Yoga 13
Hall of Fame: A31p ----- Retired: X61t / T42 / T30 / T22 / 600X / 380XD


 Post subject: Re: truecrypt...
PostPosted: Thu May 10, 2012 8:32 pm 
Sophomore Member

Joined: Fri Jul 08, 2011 8:12 pm
Posts: 241
Location: New York, NY
I wanted to revive this topic, if anyone wouldn't mind commenting further.
I just want to use my thinkpad fingerprint reader to just authenticate my truecrypt partition password to enable it. I really hate the fact that every time I need to look at a file, I have to mount, type password, then navigate to the folder/file, then once I am done, I need to un-mount it and then let it sync with dropbox.

I was hoping I can just let the fingerprint authenticate and enable the partition. Unless anyone else has other suggestions on keeping the data encrypted before it is synced to the cloud.

_________________
8/18/2011 - X220, Intel 2540M, 12.5" IPS, FingerPrint, Webcam, Bluetooth, Intel 6205 Wifi, 8GB RAM with U2312HM UltraSharp 23" IPS
1/15/2012 - S405 (Wife's), AMD A6-4455M, 14", 4GB RAM, Windows 8


 Post subject: Re: truecrypt...
PostPosted: Sun May 13, 2012 9:52 am 
Senior ThinkPadder

Joined: Wed May 20, 2009 9:54 am
Posts: 2342
Location: near RTP, NC
hyde wrote:
I was hoping I can just let the fingerprint authenticate and enable the partition. Unless anyone else has other suggestions on keeping the data encrypted before it is synced to the cloud.


Are you syncing with a remote storage provider (I refuse to use more nebulous terms) for backup purposes or collaboration? If the former, I'd recommend something like Duplicity (or whatever the Windows equivalent is.) If the latter, you might want to consider using both FDE and individual file encryption.

_________________
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.
Code:
Current laptop: X200s/X201 hybrid
Current workstation: none


 Post subject: Re: truecrypt...
PostPosted: Sat May 26, 2012 2:31 pm 
ThinkPadder

Joined: Sat Apr 22, 2006 4:26 pm
Posts: 1515
Location: TX, USA & Bombay, India
pinkymadam wrote:
I've used it as a secure partition for a couple of years, and it works perfectly fine - like an ordinary partition. It has numerous encryption options and other settings you can tweak. It's also pretty *****Expletives removed by Moderator***** easy to use.

I use KeePass (LastPass or whatever would be the same), so a long, long key is no issue at all. To get to the TrueCrypt partition, I press the shortcut, click "mount", press the KeePass autotype shortcut and I'm in - takes about 2 seconds.

You can use it to encrypt your system partition, but I've never tried that. There are guides available online - I know Lifehacker are fans and have done a couple.


I am thinking of doing an encrypted Partition the next time I reinstall.

_________________
T61 8892-02U: 14.1"SXGA+/2.2C2D/4G/XP|Adv Mini Dock|30" Gateway XHD3000 WQXGA via Dual-link DVI
X61T 7767-96U: 12.1"SXGA+/1.6C2D/3G/Vista|Ultrabase
W510 4319-2PU: 15.6"FHD/i7-720QM/4G/Win7Pro64 (for dad)
T43 1875-DLU: 14.1"XGA/1.7PM-740/1G/XP (Old)

