TrueCrypt 6.0: Better Software for the Paranoid

by Mike Gunderloy - Jul. 07, 2008

You and I may have taken the 4th of July off, but the folks over at TrueCrypt didn't. Instead, they pushed out version 6.0 of their on-the-fly encryption utility, with more options than ever for protecting - and hiding - the critical data on your hard drives. Available for Linux, OS X, and Windows, the software is licensed under its own TrueCrypt license, which is not OSI-approved.

The basic idea behind TrueCrypt is "plausible deniability" - that someone who examines your hard drive, even someone who demands and gets your password, shouldn't be able to find all of the encrypted data. They employ a variety of strategies to achieve this, starting with the fact that a TrueCrypt-encrypted file system can live inside an ordinary-looking file (a file container). You can also put a "hidden volume" on the drive - a TrueCrypt volume inside the free space of another TrueCrypt volume - and, like the rest of the encrypted data, it is statistically indistinguishable from random noise.
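
The "indistinguishable from random noise" claim is something a practitioner can check rather than take on faith. The following Go program is an added example (not part of the original article and not TrueCrypt code): it runs two standard randomness statistics, Shannon entropy and a chi-square test against a uniform byte distribution, over a constructed plaintext region and over a constructed stand-in for an encrypted region (zero bytes encrypted with AES-256-CTR under a fixed, made-up key, so the run is repeatable). The key, the sample text and the thresholds in LooksRandom are assumptions chosen for this demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math"
)

// byteHistogram counts how often each byte value occurs in buf.
func byteHistogram(buf []byte) [256]int {
	var hist [256]int
	for _, b := range buf {
		hist[b]++
	}
	return hist
}

// ShannonEntropy returns the entropy of buf in bits per byte (8.0 is the maximum).
func ShannonEntropy(buf []byte) float64 {
	if len(buf) == 0 {
		return 0
	}
	hist := byteHistogram(buf)
	n := float64(len(buf))
	h := 0.0
	for _, c := range hist {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// ChiSquare returns the chi-square statistic of buf against a uniform byte
// distribution. With 255 degrees of freedom, random data scores around 255.
func ChiSquare(buf []byte) float64 {
	if len(buf) == 0 {
		return 0
	}
	hist := byteHistogram(buf)
	expected := float64(len(buf)) / 256.0
	x := 0.0
	for _, c := range hist {
		d := float64(c) - expected
		x += d * d / expected
	}
	return x
}

// LooksRandom applies both tests with thresholds that ciphertext of a few
// tens of KB passes comfortably and structured data fails by a wide margin.
func LooksRandom(buf []byte) bool {
	return ShannonEntropy(buf) > 7.9 && ChiSquare(buf) < 350
}

// textSample is a constructed plaintext region: English text repeated to n bytes.
func textSample(n int) []byte {
	s := "The basic idea behind TrueCrypt is plausible deniability. "
	out := make([]byte, 0, n+len(s))
	for len(out) < n {
		out = append(out, s...)
	}
	return out[:n]
}

// cipherSample stands in for a region of an encrypted volume: n zero bytes
// encrypted with AES-256-CTR under a constructed fixed key and nonce, which is
// deterministic (so the run is repeatable) yet looks like random noise.
func cipherSample(n int) []byte {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, n)
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, out)
	return out
}

func main() {
	samples := []struct {
		name string
		buf  []byte
	}{{"plaintext", textSample(65536)}, {"ciphertext", cipherSample(65536)}}
	for _, s := range samples {
		fmt.Printf("%-10s entropy=%.3f bits/byte  chi2=%.1f  random=%v\n",
			s.name, ShannonEntropy(s.buf), ChiSquare(s.buf), LooksRandom(s.buf))
	}
}
```

The plaintext scores a few bits per byte of entropy and a chi-square in the tens of thousands; the ciphertext sits close to 8.0 bits and near the expected 255. That is exactly why an examiner who finds only such regions cannot tell a hidden volume from unused, wiped space, and why TrueCrypt fills free space with random data in the first place.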

TrueCrypt can use a variety of algorithms for its encryption, including AES, Twofish, Serpent, and cascaded combinations of these. The developers have been good about dropping support for algorithms that have been significantly weakened over the software's lifetime.

There are two significant upgrades in version 6.0. First, TrueCrypt now performs parallel encryption and decryption operations on multi-core systems, giving you a phenomenal speedup if you have more than one processor available. Second, it now has the ability to hide an entire operating system, so even if you're forced to reveal your pre-boot password to an adversary, you can give them one that boots into a plausible decoy operating system, with your hidden operating system remaining completely undetectable.
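
The multi-core speedup works because sector-based disk encryption transforms every sector independently: no sector's ciphertext depends on another, so a pool of workers can process them concurrently and must produce exactly the output a single thread would. The Go program below is an added illustration of that property, not TrueCrypt's code. It uses AES-CTR with a per-sector IV as a stand-in for the XTS mode TrueCrypt actually uses (XTS is not in Go's standard library; the independence argument is identical), and the key and sample "disk" contents are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"runtime"
	"sync"
)

const SectorSize = 512

// sectorIV derives the IV for one sector from its index, so every sector is
// encrypted independently of its neighbours. That independence is what makes
// sector-based disk encryption parallelisable. (Stand-in for an XTS tweak.)
func sectorIV(index uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[:8], index)
	return iv
}

// cryptSector encrypts or decrypts one sector in place (CTR is symmetric).
func cryptSector(block cipher.Block, index uint64, sector []byte) {
	cipher.NewCTR(block, sectorIV(index)).XORKeyStream(sector, sector)
}

func checkLength(data []byte) error {
	if len(data)%SectorSize != 0 {
		return fmt.Errorf("length %d is not a multiple of the %d-byte sector size", len(data), SectorSize)
	}
	return nil
}

// CryptSequential transforms the sectors one after another on a single core.
func CryptSequential(key, data []byte) ([]byte, error) {
	if err := checkLength(data); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), data...)
	for i := 0; i < len(out)/SectorSize; i++ {
		cryptSector(block, uint64(i), out[i*SectorSize:(i+1)*SectorSize])
	}
	return out, nil
}

// CryptParallel hands the sectors to one worker per CPU. Each worker owns its
// own cipher.Block and writes only its own sector slices, so no locking is
// needed, and the result must be byte-for-byte equal to CryptSequential.
func CryptParallel(key, data []byte) ([]byte, error) {
	if err := checkLength(data); err != nil {
		return nil, err
	}
	if _, err := aes.NewCipher(key); err != nil { // validate the key once, up front
		return nil, err
	}
	out := append([]byte(nil), data...)
	jobs := make(chan int)
	var wg sync.WaitGroup
	for w := 0; w < runtime.NumCPU(); w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			block, _ := aes.NewCipher(key) // key already validated above
			for i := range jobs {
				cryptSector(block, uint64(i), out[i*SectorSize:(i+1)*SectorSize])
			}
		}()
	}
	for i := 0; i < len(out)/SectorSize; i++ {
		jobs <- i
	}
	close(jobs)
	wg.Wait()
	return out, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	plain := make([]byte, 64*SectorSize)              // constructed 32 KiB "disk"
	for i := range plain {
		plain[i] = byte(i)
	}
	seq, _ := CryptSequential(key, plain)
	par, _ := CryptParallel(key, plain)
	back, _ := CryptParallel(key, par) // CTR: the same call decrypts
	fmt.Println("parallel == sequential:", bytes.Equal(seq, par))
	fmt.Println("round trip restores plaintext:", bytes.Equal(back, plain))
}
```

The design point to take away is that the speedup comes for free from the mode of operation; a chained mode such as CBC across the whole volume would serialise the work and could not be split this way.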

TrueCrypt isn't necessarily for people who have illegal secrets to hide. If you travel with your laptop, and it contains any sensitive information - from your address book to company records - serious encryption is your best protection in case of theft. Remembering a few passwords, and installing a well-tested open source package that uses them, is a small price to pay for peace of mind.


16 Comments

What happens if you forget you have a crypt! Seriously, though - is it possible to examine the drive to see if there are these volumes?

0 Votes

That's the whole point of TrueCrypt: you can't tell whether there are encrypted volumes on the drive or just random noise.

1 Votes

I've done tech support for years. One Massively Important rule to NEVER forget. Do NOT forget your password, there is NOT a backdoor you can use to get back in. If you lose your password, you are TOAST.

Sorry about all the caps, but you wouldn't believe how many people believe that security programs like this have magic backdoors. I blame Hollywood and TV for this.

1 Votes

I usually have users write down their password/phrase and seal it in an envelope, then have them drop it in a safety deposit box/safe that has access limited to it.

PGP also has the option of an additional decryption key that you can automatically attach to all keys issued by the company keyserver as well as a one time use password for the whole disk encryption thus protecting against data loss. Albeit their support is the suxxor

1 Votes

There is perhaps an easier way to implement TrueCrypt and not have an issue with forgotten passwords. Corporately we install TrueCrypt centrally using a predefined complex password and make the recovery disk as required during the install. This is then stored in a fire safe. We then have the user change the password to one of their liking. When (not if) they forget, you can, using the recovery disk, reset the password back to that with which it was installed and once again get the user to set it to one they choose. We have done this many times both in test and live situations with 100% success.

0 Votes

"TrueCrypt isn't necessarily for people who have illegal secrets to hide. If you travel with your laptop, and it contains any sensitive information - from your address book to company records - serious encryption is your best protection in case of theft."

WTF does the article's author mean by that? Is he implying that TrueCrypt is somehow NOT a serious encryption solution? Is this article writer an ignoramus or a blatant liar?

There are no backdoors for the NSA to try to crack the encryption on this. Using 3 different very strong 256-bit encryption schemes in series would take the NSA forever to crack it (certainly not in your lifetime). What about TrueCrypt is not "serious" exactly?

1 Votes

read the sentence again.

the implication is that TrueCrypt is INDEED serious encryption.

0 Votes

"WTF does the article's author mean by that? Is he implying that TrueCrypt is somehow NOT a serious encryption solution? Is this article writer an ignoramus or a blatant liar?"

You need to improve your reading skills.

0 Votes

"WTF does the article's author mean by that?"

I think it should read: TrueCrypt isn't ONLY necessarily for people who have illegal secrets to hide.

0 Votes

TrueCrypt is an app I've been using now for several years and it is very reliable. I've never had data corruption or a crash related to it.

As far as security goes, it's about as good as it gets on the PC. AES, Serpent, and Twofish are all among the best encryption methods available and more than sufficient to defeat almost any attacker. Two and a half things to keep in mind: 1) The greatest weakness in this sort of setup isn't the encryption but the password. People tend to use stupid and relatively easily guessed passwords. 2) Paranoia. While certain authorities/parties may be interested in what's on your computer(s), very very very few have the ability and resources to "crack" via brute force or any other method a solid encryption installation. That includes most government forces. While I don't put anything past the NSA, they are not going to waste their time or efforts screwing around with your mickey mouse data, which would tend to reveal the very capabilities that they have and that they would presumably like to hide from public knowledge. 3) For the truly paranoid, use Serpent or Twofish, not AES. While AES is the best overall of the three, it's also the one that is endorsed by the government. So if you don't trust them you shouldn't trust their endorsements. Serpent is supposed to have, arguably, superior theoretical security to the other two.

1 Votes

I love TrueCrypt, it works flawlessly for me and I notice absolutely no slowdown with full drive encryption. What I truly want is a customizable boot screen that informs all that find the laptop, if stolen, where to return it. Yes, I know there are stickers and what-not to mark the laptop, but it still would be nice to be able to insert a company logo with contact information.

0 Votes

Rijndael (which now is usually called AES), Serpent and Twofish all were finalists in the AES competition. Rijndael made the race and thus now usually is referred to as AES. If your point is that you shouldn't trust what the government likes, you cannot trust any of those. I actually think that in that competition people who know a lot more about cryptography than any of us have checked out these ciphers, and thus for their strength they were finalists. Having the option to combine forces of those three ciphers is a really nice feature of TrueCrypt and should give security that should withstand any reasonable effort of brute-forcing.

0 Votes

As with most encryption methods, the algorithm is almost NEVER the weakness, rather the implementation of the encryption. Any programming errors which allow buffer overflows of the key in the clear, etc., effectively eliminate any security from the encryption. As the NSA has stated numerous times, they have never needed to brute force an algorithm to crack encrypted data, they always find much easier and faster ways to hack encrypted data because of poor implementation. That is not to say that TrueCrypt uses poor implementation, as an open-source volume encryption method, it is subject to intense scrutiny, therefore the likelihood that such a weakness exists in its code is minimal.

0 Votes

My only questions are these:

- If using "hidden OS", would any authority require you to copy a large file to the "outer volume" with protection turned off?
- If so, are there any other ways to ensure that you do not lose or corrupt your "hidden OS"?
- Is there a way to keep protection turned on by default without alerting this authority that may require you to copy a large file to the "outer volume"?
- If not, could this be a possible feature in a future release? This bit sounds very unlikely because even if you cached the rest of this large file to RAM it would not be persistent after a re-boot, therefore revealing the existence of a "hidden volume".

0 Votes
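
The failure mode behind this question is worth seeing concretely: the outer volume's file system regards the space occupied by the hidden volume as free, so a large enough write will land on it unless TrueCrypt knows where the hidden volume starts (which it only does when the hidden volume's password was also supplied at mount time, i.e. protection is on). The Go program below is an added, deliberately simplified model written for this page; it is not TrueCrypt's code, and the volume size, hidden-volume offset, marker byte and file sizes are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

// hiddenPattern is a constructed marker standing in for the hidden volume's
// (encrypted) contents, so that corruption can be detected afterwards.
const hiddenPattern = 0xA5

// ErrProtected is returned when hidden volume protection refuses a write.
var ErrProtected = errors.New("write would overlap the hidden volume; refused")

// Volume is a simplified model of an outer volume whose tail end, which the
// outer file system sees as free space, holds a hidden volume.
type Volume struct {
	data        []byte
	hiddenStart int  // byte offset where the hidden volume begins
	protected   bool // true when mounted with hidden volume protection
}

// NewVolume creates an outer volume of size bytes with a hidden volume
// occupying [hiddenStart, size).
func NewVolume(size, hiddenStart int) *Volume {
	v := &Volume{data: make([]byte, size), hiddenStart: hiddenStart}
	for i := hiddenStart; i < size; i++ {
		v.data[i] = hiddenPattern
	}
	return v
}

// MountOuter mounts the outer volume. With protect=true the hidden volume's
// location is also known (both passwords were supplied), so writes into it
// can be refused; otherwise the outer volume has no idea it exists.
func (v *Volume) MountOuter(protect bool) { v.protected = protect }

// WriteOuter writes data at off, as the outer file system does when it stores
// a file in what it believes is free space.
func (v *Volume) WriteOuter(off int, data []byte) error {
	end := off + len(data)
	if off < 0 || end > len(v.data) {
		return errors.New("write outside the volume")
	}
	if end > v.hiddenStart && v.protected {
		return ErrProtected
	}
	copy(v.data[off:], data) // unprotected: silently clobbers the hidden volume
	return nil
}

// HiddenIntact reports whether the hidden volume's contents survived.
func (v *Volume) HiddenIntact() bool {
	for _, b := range v.data[v.hiddenStart:] {
		if b != hiddenPattern {
			return false
		}
	}
	return true
}

// CopyLargeFile simulates the scenario from the question: a file of fileSize
// bytes is copied to the outer volume, which places it starting at offset 0.
// It reports whether the hidden volume survived and any write error.
func CopyLargeFile(protect bool, fileSize int) (intact bool, err error) {
	v := NewVolume(1024, 768) // constructed: 1 KiB volume, hidden volume in the last 256 bytes
	v.MountOuter(protect)
	err = v.WriteOuter(0, make([]byte, fileSize))
	return v.HiddenIntact(), err
}

func main() {
	for _, protect := range []bool{false, true} {
		intact, err := CopyLargeFile(protect, 900)
		fmt.Printf("protection=%-5v err=%v  hidden volume intact=%v\n", protect, err, intact)
	}
}
```

Run unprotected, the 900-byte copy succeeds and the hidden region is overwritten without any error being reported, which is precisely the data-loss case the question worries about; run protected, the copy is refused and the hidden region survives, at the cost of the refusal itself signalling that something in that "free space" is being defended.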