http://www.truecrypt.org/

any here use it? experiences/caveats?
thx.

A major state uni i used to work for uses it to secure data for FERPA regs.

current-gen intel SSD's do encryption built in, but truecrypt is the only thing i would trust to encrypt a spinny disk these days. only downside is that the thinkpad TPM and finger reader do not support it at all, so you're stuck doing everything in software, with passwords.

On the bright side, it does not use the fingerprint reader, so you won't be tempted to rely on anything other than a strong passphrase.

I've been using TrueCrypt for about a year.

I've used it with large data files where the files remained encrypted while being used. Worked great. Negligible impact on performance from what I could tell.

I have transferred files back and forth between an X60, Mac G5 Desktop, and a new Windows 7 machine via USB key carrying the encrypted file(s). Also worked great. And I was able to run the USB key portable version on a 4th machine when I needed to open the files in a pinch.

Nothing but good things to say about the whole experience.

DO NOT forget or misplace your password. There is no recovery if you lose it.

Phil.

I've used it as a secure partition for a a couple of years, and it works perfectly fine - like an ordinary partition. It has numerous encryption options and other settings you can tweak. It's also pretty *****Expletives removed by Moderator***** easy to use.

I use KeePass (LastPass or whatever would be the same), so a long, long key is no issue at all. To get to the TrueCrypt partition, I press the shortcut, click "mount", press the KeePass autotype shortcut and I'm in - takes about 2 seconds.

You can use it to encrypt your system partition, but I've never tried that. There are guides available online - I know Lifehacker are fans and have done a couple.

but you can bind your finger to any length of actual password behind it. just dont lose your finger.

Yes, and provided that malicious parties never get their hands on gummie bears, fingerprint readers will remain secure.

The very last thing I'd ever rely upon when it comes to security on ThinkPads would be the fingerprint reader...and that's all I'm going to say...

Oh come on... let's be fair... the dock lock isn't exactly... uh...

... Hmm...

... yeah, you're right. Same for me.

I don't use it but these two articles are probably worth to read:
http://www.net-security.org/secworld.php?id=9077
http://www.ghacks.net/2009/11/26/bitloc ... rformance/

The performance loss seems to be too high. I rather use NTFS encryption.

The net-security.org article is nothing new, nor is it specific to TrueCrypt. Any machine with FireWire (or some other DMA-enabled port) is susceptible to this sort of attack whether they're using TrueCrypt, FileVault, LUKS, Bitlocker, or something else. This is why you should always shut your computer down completely before passing through US customs or TSA security checkpoints. (Also, the software and hardware necessary to perform this sort of attack is not something that only the "good guys" possess. A number of options are available for both LEOs and crooks alike.)

There's going to be a performance hit with *any* software solution, including NTFS's encryption. IMHO, it's absolutely worth it, especially considering the threats to your privacy posed by certain world governments (not to mention thieves, etc.)

How does it crack TrueCrypt encryption using Firewire? Can it also crack TrueCrypt on the backup DVD's I make?

Read the article. It accesses the memory of a powered-on but locked computer through the firewire port.
If you shut the computer down completely with an encrypted disk it can't be booted without the password so that method won't work.

Yea, I read it and got that part. I didn't understand what accesses/reads the memory means or how it does that if there's a password. But okay, thanks for your helpful reply.

The encryption key has to be stored in memory when an encrypted partition is unlocked (how else would it decrypt the data?)

Any DMA-capable device (such as Firewire) can access (most) any part of memory. Therefore... well... you know the rest.

Makes sense. That whole part about the computer being on made me start to wonder if my TrueCrypt protected dvd's could be cracked/hacked so long as they are in a computer that's on. I suppose if I had just accessed the disc and the password was still in the RAM it might be possible. Therefore, for encryption to be effective, the machine should be off so that the memory's clear.

I guess it's one of those things like with my BlackBerry: encryption is still important. The BlackBerry's password isn't so difficult to circumvent for someone who plugs the device into a computer and uses the right utilities. But the BlackBerry deletes the copy of the private key each time the device is locked. Then, even if someone successfully circumvents the device password, all he'll end up with is a bunch of encrypted files.

I thought the BlackBerry's lock password is actually pretty well-implemented... IIRC, it's not really trivial to circumvent *if* you have disabled mass storage access.

Well, that performance test was on an Atom-based netbook, not a recent or current Thinkpad. On my X60 Core 2 Duo, I don't notice much of a performance hit at all. And more recent benchmarking tests on TrueCrypt 7.0a seem to bear that out:
http://www.tomshardware.com/reviews/tru ... 899-5.html

But as with anything, I suppose it depends what you do with your system. As ThinkRob suggests, there will be some kind of performance hit with any encryption method.

More from the article I link to above:
Source: http://www.tomshardware.com/reviews/tru ... 899-7.html

Phil.

Personally, when it comes to laptops, I don't even see an unencrypted drive to be a realistic option. That strikes me as a phenomenally risky proposition.

The performance hit varies depending on a number of factors, but even the worst case scenario isn't usually that bad (e.g. unencrypted setups a few years ago were as fast as "slow" encrypted ones now.) IMHO, unless you can unequivocally state that no data on your laptop will ever be of any value to *anyone*, both now and in the future, you should use FDE.

Well, the good thing about it is the user can set a limit for wrong password attempts (maximum of ten). If the limit is exceeded, the device wipes itself.

As for circumventing the password, I don't exactly recall how it's done. It had something to do with hooking up the BlackBerry to a computer, removing the battery, booting into safe mode, and using the readily available CrackUtil program to remove the password. At that point, the BlackBerry would be unlocked. The phone would work, you would be able to use data, etc., but if encryption was in use, the existing files would remain encrypted, as the password is necessary to decrypt the files. This is from the BlackBerry Security Knowledge Base:

"If Content Protection is enabled on the smartphone, then user data on the smartphone is stored encrypted using AES-256. Thus, even if someone reads the user data directly from the device hardware, there’s no way to decrypt the data without the smartphone password."

I also found this valuable information from the BlackBerry Internet Service Security Feature Overview (v. 3.2) that explains the benefit of using content protection (encryption) in addition to a password:

"When you set up encryption of your BlackBerry® device data using the content protection feature, your BlackBerry device is designed to be protected against users with malicious intent who could attempt to steal your data directly from the internal hardware. No one can read your encrypted data without your device password.

"In the Security Options, you can set the Content Protection Strength level. The BlackBerry device then encrypts your data (for example, messages, contact entries, and tasks). The Content Protection Strength level optimizes either the encryption strength or the decryption time. When your BlackBerry device decrypts a message that it received while locked, the BlackBerry device uses an encryption key. More encryption strength means a longer decryption process.

"If you set the content protection strength to Stronger, use a minimum length of 12 characters for the BlackBerry device password. If you setthe content protection strength to Strongest, use a minimum length of 21 characters. These password lengths maximize the encryption strength that these settings are designed to provide."

Thus, I would say that with AES encryption, used together with a password, BlackBerry has the best security going for a mobile device.

thanks, much, for everyone's input.

I wanted to revive this topic, if anyone wouldn't mind to comment further.
I just want to use my thinkpad fingerprint reader to just authenticate my truecrypt partition password to enable it. I really hate the fact that everytime I need to look at a file, I have to mount, type password, then navigate to the folder/file, then once I am done, I need to un-mount it and then let it sync with dropbox.

I was hoping I can just let the fingerprint authenticate and enable the partition. Unless anyone else has other suggestions on keeping the data encrypted before it is synced to the cloud.

Are you syncing with a remote storage provider (I refuse to use more nebulous terms) for backup purposes or collaboration? If the former, I'd recommend something like Duplicity (or whatever the Windows equivalent is.) If the latter, you might want to consider using both FDE and individual file encryption.

I am thinking of doing an encrypted Partition the next time I reinstall.