truecrypt...

sarbin
ThinkPadder
Posts: 1146
Joined: Sat Apr 17, 2004 11:56 pm
Location: Central VA

truecrypt...

#1 Post by sarbin » Mon Apr 18, 2011 9:43 pm

http://www.truecrypt.org/

any here use it? experiences/caveats?
thx.
Current: X1CT-G3 / Helix-G1 / X220 / T61p / T60p / X301 / X200T / Yoga 3 Pro
Support: T520 / T510 / T420 / T400 / R400 / T61 / Yoga 2 Pro / Yoga 13
Hall of Fame: A31p --- Retired: T43 / T30 / T22 / 600X / 380XD

blackomegax
Junior Member
Posts: 405
Joined: Thu Jul 29, 2004 7:36 pm

Re: truecrypt...

#2 Post by blackomegax » Thu Apr 21, 2011 12:28 am

A major state uni I used to work for uses it to secure data for FERPA regs.

current-gen Intel SSDs do encryption built in, but TrueCrypt is the only thing I would trust to encrypt a spinny disk these days. only downside is that the thinkpad TPM and finger reader do not support it at all, so you're stuck doing everything in software, with passwords.

ThinkRob
Senior ThinkPadder
Posts: 2394
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: truecrypt...

#3 Post by ThinkRob » Fri Apr 22, 2011 3:44 pm

blackomegax wrote:only downside is that the thinkpad TPM and finger reader do not support it at all, so you're stuck doing everything in software, with passwords.
On the bright side, it does not use the fingerprint reader, so you won't be tempted to rely on anything other than a strong passphrase. ;)
Need help with Linux or FreeBSD? PM or catch me on IRC: I'm ThinkRob on FreeNode and EFnet.
Laptop: X270, running Fedora
Desktop: Intellistation 285 (currently dead)
Workstation: owned by my employer ;)
Toy: Miata!

pkiff
Moderator
Posts: 1607
Joined: Wed May 05, 2004 9:17 am
Location: Toronto, Canada

Re: truecrypt...

#4 Post by pkiff » Sat Apr 23, 2011 7:50 pm

I've been using TrueCrypt for about a year.

I've used it with large data files where the files remained encrypted while being used. Worked great. Negligible impact on performance from what I could tell.

I have transferred files back and forth between an X60, Mac G5 Desktop, and a new Windows 7 machine via USB key carrying the encrypted file(s). Also worked great. And I was able to run the USB key portable version on a 4th machine when I needed to open the files in a pinch.

Nothing but good things to say about the whole experience.

DO NOT forget or misplace your password. There is no recovery if you lose it.

Phil.
X1E Gen 4 · X1T 3rd Gen · W520 · Legacy: P52, T60p, X61T, 600X, 770Z
Nostalgic for: 600X PIII 850MHz in a SelectaDock III with 64MB Voodoo 5 5500 and Sound Blaster Audigy 5.1.

pinkymadam
Posts: 18
Joined: Thu Sep 16, 2010 4:20 pm
Location: London, United Kingdom

Re: truecrypt...

#5 Post by pinkymadam » Sun Apr 24, 2011 6:12 pm

I've used it as a secure partition for a couple of years, and it works perfectly fine - like an ordinary partition. It has numerous encryption options and other settings you can tweak. It's also pretty darn easy to use.

I use KeePass (LastPass or whatever would be the same), so a long, long key is no issue at all. To get to the TrueCrypt partition, I press the shortcut, click "mount", press the KeePass autotype shortcut and I'm in - takes about 2 seconds.

You can use it to encrypt your system partition, but I've never tried that. There are guides available online - I know Lifehacker are fans and have done a couple.

blackomegax
Junior Member
Posts: 405
Joined: Thu Jul 29, 2004 7:36 pm

Re: truecrypt...

#6 Post by blackomegax » Thu Apr 28, 2011 6:19 pm

ThinkRob wrote:only downside is that the thinkpad TPM and finger reader do not support it at all, so you're stuck doing everything in software, with passwords.

On the bright side, it does not use the fingerprint reader, so you won't be tempted to rely on anything other than a strong passphrase. ;)
but you can bind your finger to any length of actual password behind it. just don't lose your finger. :)

ThinkRob
Senior ThinkPadder
Posts: 2394
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: truecrypt...

#7 Post by ThinkRob » Thu Apr 28, 2011 10:01 pm

blackomegax wrote: but you can bind your finger to any length of actual password behind it. just don't lose your finger. :)
Yes, and provided that malicious parties never get their hands on gummy bears, fingerprint readers will remain secure. :D

ajkula66
SuperUserGeorge
Posts: 17303
Joined: Sun Feb 25, 2007 11:28 am
Location: Belgrade, Serbia

Re: truecrypt...

#8 Post by ajkula66 » Thu Apr 28, 2011 10:13 pm

The very last thing I'd ever rely upon when it comes to security on ThinkPads would be the fingerprint reader...and that's all I'm going to say...
...Knowledge is a deadly friend when no one sets the rules...(King Crimson)

Cheers,

George (your grouchy retired FlexView farmer)

One FlexView to rule them all: A31p

Abused daily: T520, X200s


PMs requesting personal tech support will be ignored.

ThinkRob
Senior ThinkPadder
Posts: 2394
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: truecrypt...

#9 Post by ThinkRob » Fri Apr 29, 2011 4:53 pm

ajkula66 wrote:The very last thing I'd ever rely upon when it comes to security on ThinkPads would be the fingerprint reader...and that's all I'm going to say...
Oh come on... let's be fair... the dock lock isn't exactly... uh...

... Hmm...

... yeah, you're right. Same for me. :lol:

Puppy
Senior ThinkPadder
Posts: 2820
Joined: Sat Oct 30, 2004 4:52 am
Location: Prague, Czech Republic

Re: truecrypt...

#10 Post by Puppy » Sun May 08, 2011 10:43 am

I don't use it but these two articles are probably worth reading:
http://www.net-security.org/secworld.php?id=9077
http://www.ghacks.net/2009/11/26/bitloc ... rformance/

The performance loss seems to be too high. I'd rather use NTFS encryption.
ThinkPad (1992 - 2012): R51, X31, X220
Huawei MateBook 13

ThinkRob
Senior ThinkPadder
Posts: 2394
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: truecrypt...

#11 Post by ThinkRob » Sun May 08, 2011 11:14 am

Puppy wrote:I don't use it but these two articles are probably worth reading:
http://www.net-security.org/secworld.php?id=9077
http://www.ghacks.net/2009/11/26/bitloc ... rformance/

The performance loss seems to be too high. I'd rather use NTFS encryption.
The net-security.org article is nothing new, nor is it specific to TrueCrypt. Any machine with FireWire (or some other DMA-enabled port) is susceptible to this sort of attack whether they're using TrueCrypt, FileVault, LUKS, BitLocker, or something else. This is why you should always shut your computer down completely before passing through US customs or TSA security checkpoints. (Also, the software and hardware necessary to perform this sort of attack are not something that only the "good guys" possess. A number of options are available for both LEOs and crooks alike.)

There's going to be a performance hit with *any* software solution, including NTFS's encryption. IMHO, it's absolutely worth it, especially considering the threats to your privacy posed by certain world governments (not to mention thieves, etc.)

Tõnis
Junior Member
Posts: 303
Joined: Mon Aug 11, 2008 2:43 pm
Location: Central Falls, RI

Re: truecrypt...

#12 Post by Tõnis » Tue May 10, 2011 3:50 pm

ThinkRob wrote:The net-security.org article is nothing new, nor is it specific to TrueCrypt. Any machine with FireWire (or some other DMA-enabled port) is susceptible to this sort of attack whether they're using TrueCrypt, FileVault, LUKS, BitLocker, or something else. This is why you should always shut your computer down completely before passing through US customs or TSA security checkpoints.
How does it crack TrueCrypt encryption using FireWire? Can it also crack TrueCrypt on the backup DVDs I make?
R61, Core 2 Duo T8300 at 2.40GHz, 15.4" WXGA, XP Pro

jdrou
Senior Member
Posts: 670
Joined: Tue Feb 10, 2009 6:15 pm
Location: Madison Heights, MI

Re: truecrypt...

#13 Post by jdrou » Tue May 10, 2011 6:21 pm

Tõnis wrote: How does it crack TrueCrypt encryption using FireWire? Can it also crack TrueCrypt on the backup DVDs I make?
Read the article. It accesses the memory of a powered-on but locked computer through the FireWire port.
If you shut the computer down completely with an encrypted disk it can't be booted without the password so that method won't work.
Current Thinkpads:
X31, X40, X61T, X61, X201, X220 (i7 IPS), W520 (FHD), T440p (FHD),
T480 (QHD)
Dells: Latitude C840, Precision M70, Precision M4400, M6400 (WUXGA), M6600, M6700, 7730, XPS 13
Daily driver: MS Surface Pro 7 (i7)

Tõnis
Junior Member
Posts: 303
Joined: Mon Aug 11, 2008 2:43 pm
Location: Central Falls, RI

Re: truecrypt...

#14 Post by Tõnis » Tue May 10, 2011 6:24 pm

jdrou wrote:Read the article. It accesses the memory of a powered-on but locked computer through the FireWire port.
If you shut the computer down completely with an encrypted disk it can't be booted without the password so that method won't work.
Yea, I read it and got that part. I didn't understand what accesses/reads the memory means or how it does that if there's a password. But okay, thanks for your helpful reply.

ThinkRob
Senior ThinkPadder
Posts: 2394
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: truecrypt...

#15 Post by ThinkRob » Tue May 10, 2011 9:59 pm

Tõnis wrote: Yea, I read it and got that part. I didn't understand what accesses/reads the memory means or how it does that if there's a password. But okay, thanks for your helpful reply.
The encryption key has to be stored in memory when an encrypted partition is unlocked (how else would it decrypt the data?)

Any DMA-capable device (such as FireWire) can access (most) any part of memory. Therefore... well... you know the rest.

Tõnis
Junior Member
Posts: 303
Joined: Mon Aug 11, 2008 2:43 pm
Location: Central Falls, RI

Re: truecrypt...

#16 Post by Tõnis » Wed May 11, 2011 7:03 am

ThinkRob wrote:The encryption key has to be stored in memory when an encrypted partition is unlocked (how else would it decrypt the data?)

Any DMA-capable device (such as FireWire) can access (most) any part of memory. Therefore... well... you know the rest.
Makes sense. That whole part about the computer being on made me start to wonder if my TrueCrypt protected DVDs could be cracked/hacked so long as they are in a computer that's on. I suppose if I had just accessed the disc and the password was still in the RAM it might be possible. Therefore, for encryption to be effective, the machine should be off so that the memory's clear.

I guess it's one of those things like with my BlackBerry: encryption is still important. The BlackBerry's password isn't so difficult to circumvent for someone who plugs the device into a computer and uses the right utilities. But the BlackBerry deletes the copy of the private key each time the device is locked. Then, even if someone successfully circumvents the device password, all he'll end up with is a bunch of encrypted files.
R61, Core 2 Duo T8300 at 2.40GHz, 15.4" WXGA, XP Pro
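
The point made in posts #15 and #16 above (the volume key sits in RAM for as long as the volume is mounted, and wiping it on lock or dismount removes it), shown as an added C example that is not part of the thread and is not TrueCrypt or BlackBerry code. `volume_t`, `toy_kdf`, `ram_exposes_key` and the passphrase are hypothetical, and the key derivation is a toy stand-in for a real KDF.

```c
/* Added illustration: not TrueCrypt or BlackBerry code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define KEY_LEN 32

typedef struct {
    uint8_t key[KEY_LEN];   /* volume key: must sit in RAM while mounted */
    int mounted;
    int pinned;             /* 1 if mlock() succeeded */
} volume_t;

/* volatile stores so the compiler cannot drop the wipe as a dead write */
static void wipe(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Toy stand-in for a real password KDF (assumption, NOT secure). */
static void toy_kdf(const char *pass, uint8_t out[KEY_LEN])
{
    uint32_t h = 2166136261u;
    for (int i = 0; i < KEY_LEN; i++) {
        for (const char *c = pass; *c; c++) { h ^= (uint8_t)*c; h *= 16777619u; }
        h ^= (uint32_t)i; h *= 16777619u;
        out[i] = (uint8_t)(h >> 24);
    }
}

void volume_mount(volume_t *v, const char *pass)
{
    memset(v, 0, sizeof *v);
    v->pinned = (mlock(v, sizeof *v) == 0);  /* keep key out of swap if allowed */
    toy_kdf(pass, v->key);
    v->mounted = 1;
}

void volume_dismount(volume_t *v)
{
    wipe(v->key, KEY_LEN);                   /* the step that matters */
    if (v->pinned) munlock(v, sizeof *v);
    v->mounted = v->pinned = 0;
}

/* Copies the raw bytes of the volume state, as any reader of physical memory
   would get them, and reports whether the key (ref) appears in that copy. */
int ram_exposes_key(const volume_t *v, const uint8_t ref[KEY_LEN])
{
    uint8_t snap[sizeof *v];
    memcpy(snap, v, sizeof *v);
    for (size_t i = 0; i + KEY_LEN <= sizeof snap; i++)
        if (memcmp(snap + i, ref, KEY_LEN) == 0) return 1;
    return 0;
}

int main(void)
{
    volume_t vol;
    uint8_t ref[KEY_LEN];
    volume_mount(&vol, "constructed passphrase");
    memcpy(ref, vol.key, KEY_LEN);           /* demo-only copy for comparison */
    printf("mounted:    key visible in RAM = %d\n", ram_exposes_key(&vol, ref));
    volume_dismount(&vol);
    printf("dismounted: key visible in RAM = %d\n", ram_exposes_key(&vol, ref));
    return 0;
}
```

A screen lock that leaves the volume mounted never reaches `volume_dismount`, which is why the thread's advice is a full shutdown rather than a locked session.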

ThinkRob
Senior ThinkPadder
Posts: 2394
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: truecrypt...

#17 Post by ThinkRob » Wed May 11, 2011 2:00 pm

Tõnis wrote: I guess it's one of those things like with my BlackBerry: encryption is still important. The BlackBerry's password isn't so difficult to circumvent for someone who plugs the device into a computer and uses the right utilities. But the BlackBerry deletes the copy of the private key each time the device is locked. Then, even if someone successfully circumvents the device password, all he'll end up with is a bunch of encrypted files.
I thought the BlackBerry's lock password is actually pretty well-implemented... IIRC, it's not really trivial to circumvent *if* you have disabled mass storage access.

pkiff
Moderator
Posts: 1607
Joined: Wed May 05, 2004 9:17 am
Location: Toronto, Canada

Re: truecrypt...

#18 Post by pkiff » Wed May 11, 2011 2:05 pm

Puppy wrote:I don't use it but these two articles are probably worth reading:
[...]
http://www.ghacks.net/2009/11/26/bitloc ... rformance/

The performance loss seems to be too high. I'd rather use NTFS encryption.
Well, that performance test was on an Atom-based netbook, not a recent or current ThinkPad. On my X60 Core 2 Duo, I don't notice much of a performance hit at all. And more recent benchmarking tests on TrueCrypt 7.0a seem to bear that out:
http://www.tomshardware.com/reviews/tru ... 899-5.html

But as with anything, I suppose it depends what you do with your system. As ThinkRob suggests, there will be some kind of performance hit with any encryption method.

More from the article I link to above:
Its versatility enabled even the previous TrueCrypt version 6.1 to stand out from competitors, such as BitLocker. It only lacked AES-NI support. This has now been taken care of in TrueCrypt 7.0a, finally making it our encryption tool of choice. We're even extending that recommendation to computers without hardware acceleration of AES. Compared to an unencrypted system, TrueCrypt encryption does affect system performance (as expected). But it in no way interferes with the user, and it doesn't demonstrate a performance impact that would be noticeable on a mainstream PC.

However, you should not install TrueCrypt by default if you are running a system that relies heavily on I/O (a database server, for example). Even if it can handle real-time encryption, the program cannot match the I/O performance and data throughput of an unencrypted system yet.
Source: http://www.tomshardware.com/reviews/tru ... 899-7.html

Phil.

ThinkRob
Senior ThinkPadder
Posts: 2394
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: truecrypt...

#19 Post by ThinkRob » Wed May 11, 2011 2:15 pm

Personally, when it comes to laptops, I don't even see an unencrypted drive to be a realistic option. That strikes me as a phenomenally risky proposition.

The performance hit varies depending on a number of factors, but even the worst case scenario isn't usually that bad (e.g. unencrypted setups a few years ago were as fast as "slow" encrypted ones now.) IMHO, unless you can unequivocally state that no data on your laptop will ever be of any value to *anyone*, both now and in the future, you should use FDE.

Tõnis
Junior Member
Posts: 303
Joined: Mon Aug 11, 2008 2:43 pm
Location: Central Falls, RI

Re: truecrypt...

#20 Post by Tõnis » Wed May 11, 2011 2:57 pm

ThinkRob wrote:I thought the BlackBerry's lock password is actually pretty well-implemented... IIRC, it's not really trivial to circumvent *if* you have disabled mass storage access.
Well, the good thing about it is the user can set a limit for wrong password attempts (maximum of ten). If the limit is exceeded, the device wipes itself.

As for circumventing the password, I don't exactly recall how it's done. It had something to do with hooking up the BlackBerry to a computer, removing the battery, booting into safe mode, and using the readily available CrackUtil program to remove the password. At that point, the BlackBerry would be unlocked. The phone would work, you would be able to use data, etc., but if encryption was in use, the existing files would remain encrypted, as the password is necessary to decrypt the files. This is from the BlackBerry Security Knowledge Base:

"If Content Protection is enabled on the smartphone, then user data on the smartphone is stored encrypted using AES-256. Thus, even if someone reads the user data directly from the device hardware, there’s no way to decrypt the data without the smartphone password."

I also found this valuable information from the BlackBerry Internet Service Security Feature Overview (v. 3.2) that explains the benefit of using content protection (encryption) in addition to a password:

"When you set up encryption of your BlackBerry® device data using the content protection feature, your BlackBerry device is designed to be protected against users with malicious intent who could attempt to steal your data directly from the internal hardware. No one can read your encrypted data without your device password.

"In the Security Options, you can set the Content Protection Strength level. The BlackBerry device then encrypts your data (for example, messages, contact entries, and tasks). The Content Protection Strength level optimizes either the encryption strength or the decryption time. When your BlackBerry device decrypts a message that it received while locked, the BlackBerry device uses an encryption key. More encryption strength means a longer decryption process.

"If you set the content protection strength to Stronger, use a minimum length of 12 characters for the BlackBerry device password. If you set the content protection strength to Strongest, use a minimum length of 21 characters. These password lengths maximize the encryption strength that these settings are designed to provide."

Thus, I would say that with AES encryption, used together with a password, BlackBerry has the best security going for a mobile device.

sarbin
ThinkPadder
Posts: 1146
Joined: Sat Apr 17, 2004 11:56 pm
Location: Central VA

Re: truecrypt...

#21 Post by sarbin » Thu May 19, 2011 2:44 pm

thanks, much, for everyone's input.

hyde
Junior Member
Posts: 372
Joined: Fri Jul 08, 2011 8:12 pm
Location: New York, NY

Re: truecrypt...

#22 Post by hyde » Thu May 10, 2012 8:32 pm

I wanted to revive this topic, if anyone wouldn't mind to comment further.
I just want to use my ThinkPad fingerprint reader to just authenticate my TrueCrypt partition password to enable it. I really hate the fact that every time I need to look at a file, I have to mount, type password, then navigate to the folder/file, then once I am done, I need to un-mount it and then let it sync with Dropbox.

I was hoping I can just let the fingerprint authenticate and enable the partition. Unless anyone else has other suggestions on keeping the data encrypted before it is synced to the cloud.

8/18/11 - X220 i5-2540M, IPS, Intel 6205 Wifi, 8GB, U2312HM
1/15/12 - S405 (Wife's), A6-4455M, 14", 4GB
7/02/15 - T450s i5-5300U, 14" FHD IPS, FP, 12GB
7/1/20 - T490 i5-10210U, 24GB, 14" FHD TS IPS, 512GB NVMe,
5/20/23 - T14 Gen 3 AMD 6650U, 1TB, 32GB, WUXGA

ThinkRob
Senior ThinkPadder
Posts: 2394
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: truecrypt...

#23 Post by ThinkRob » Sun May 13, 2012 9:52 am

hyde wrote:I was hoping I can just let the fingerprint authenticate and enable the partition. Unless anyone else has other suggestions on keeping the data encrypted before it is synced to the cloud.
Are you syncing with a remote storage provider (I refuse to use more nebulous terms) for backup purposes or collaboration? If the former, I'd recommend something like Duplicity (or whatever the Windows equivalent is.) If the latter, you might want to consider using both FDE and individual file encryption.

crashnburn
ThinkPadder
Posts: 1724
Joined: Sat Apr 22, 2006 4:26 pm
Location: TX, USA & Bombay, India

Re: truecrypt...

#24 Post by crashnburn » Sat May 26, 2012 2:31 pm

pinkymadam wrote:I've used it as a secure partition for a couple of years, and it works perfectly fine - like an ordinary partition. It has numerous encryption options and other settings you can tweak. It's also pretty *****Expletives removed by Moderator***** easy to use.

I use KeePass (LastPass or whatever would be the same), so a long, long key is no issue at all. To get to the TrueCrypt partition, I press the shortcut, click "mount", press the KeePass autotype shortcut and I'm in - takes about 2 seconds.

You can use it to encrypt your system partition, but I've never tried that. There are guides available online - I know Lifehacker are fans and have done a couple.
I am thinking of doing an encrypted Partition the next time I reinstall.
T61 8892-02U: 14.1"SXGA+/2.2C2D/4G/XP|Adv Mini Dock|30" Gateway XHD3000 WQXGA via Dual-link DVI
X61T 7767-96U: 12.1"SXGA+/1.6C2D/3G/Vista|Ultrabase
W510 4319-2PU: 15.6"FHD/i7-720QM/4G/Win7Pro64 (for dad)
T43 1875-DLU: 14.1"XGA/1.7PM-740/1G/XP (Old)
