Slightly less Random Ramblings

May 29, 2014

Stick with Truecrypt 7.1a and Wait for more Information

Filed under: encryption, security, software, Truecrypt — Robert Wicks @ 8:57 am

Yesterday, the homepage for the popular full disk encryption solution Truecrypt changed to show the following:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

The page goes on to describe how to configure Bitlocker encryption and remove Truecrypt.

The message is very odd, as there were no indications of the project ending. Truecrypt does very specific things. It is not the sort of software which requires expansive numbers of new features. It works well with Windows 7, which is a huge part of the market. I have not attempted to use it on Windows 8, but Microsoft’s own page on it indicates that it works fine. My reasons for distrusting the new message, despite the fact that the issuer of that message has access to the correct keys to sign the TC release, are:

  • There are no details of the security issues with Truecrypt.
    Assuming this message is actually from the same people who have been developing Truecrypt, they should have no problem at all clearly describing the nature of the vulnerabilities. They have more ability to do this, once those vulnerabilities are known, than anyone else. The lack of detail makes me suspicious.
  • The endorsement of Bitlocker flies in the face of the history of the project.
    The developers of Truecrypt have shown a consistent (and justified) pattern of paranoia. The sudden endorsement of a closed source security solution is a completely different (and worse) attitude towards security. Among the most suspicious aspects of this is the fact that TC has explicitly avoided dependence on the TPM module due to a lack of trust, yet the “solution” suggested by the homepage currently explicitly endorses using that functionality in moving to Bitlocker.
  • The new release appears to not actually correct bugs or improve functionality.
    7.2 appears to do nothing more than issue warnings and disable encryption. The users of Truecrypt tend to be a savvy lot. They have the skills to decrypt data should that become necessary. Issuing a version with the encryption function disabled is nonsensical.

May 17, 2014

A Chat on Cybersecurity

Filed under: encryption, Firewall, OpenVPN, OpenWRT, security, Truecrypt, Windows — Robert Wicks @ 5:47 pm

I was recently interviewed by Manuel Lora for Liberty.me on the topic of cybersecurity. You can listen to it here.

January 10, 2012

Thank you Asus!

Filed under: encryption, security, Truecrypt, Windows — Robert Wicks @ 6:56 am

I bought an Asus U56E from Fry’s, which has an Intel i5-2410M CPU. The laptop has been very good, having excellent battery life and good performance. I replaced the internal optical drive with a drive caddy so that I could replace the internal drive with an SSD, but have an additional spinning drive in order to have a larger amount of space. My SSD has built-in encryption, but the spinning drive does not. I use Truecrypt. I wanted the i5 because I was under the mistaken impression that they all supported AES-NI. I later discovered that Intel has issued a microcode update for this CPU which enables the feature, but the BIOS manufacturer needed to enable it in the system BIOS. Asus has now enabled this feature in version 213 of the BIOS. Truecrypt’s benchmark performance has increased 5x since the update.

July 19, 2010

Automounting Truecrypt in Linux

Filed under: computing, encryption, linux, Truecrypt, ubuntu — Robert Wicks @ 12:35 am

I have a dual boot system with Windows 7 and Ubuntu 10.04. In order to secure the system, I have system encryption with Truecrypt and encrypted LVM in Ubuntu. I need to access my Windows files from within Ubuntu. After a bit of searching around the Internet, I pieced together this command line, which I put in /etc/rc.local. Since my system is fully encrypted and used by only me, I’m not concerned about the password being in /etc/rc.local. I installed the Truecrypt console version.

I added the following line to /etc/rc.local:

echo 'MyTruecryptPassPhrase' | /usr/local/bin/truecrypt -t -m system -k "" -p "" --protect-hidden=no --fs-options=rw,noatime,umask=000 --filesystem=ntfs-3g /dev/<windows partition> /<local mount point>

By echoing the passphrase and piping it to the Truecrypt command, we avoid having it show up in the output of 'ps -ef'. The passphrase is in single quotes so that the shell does not expand any $ or backtick characters it may contain. The filesystem will be mounted with 0777 permissions.

I have found that it is even possible to mount outer partitions (with hidden partitions inside) using this method, while protecting the hidden partition from being overwritten. The command is as follows:

printf '%s\n\n%s\n' 'HiddenPartitionPassphrase' 'OuterPartitionPassphrase' | /usr/bin/truecrypt -t -k "" -p "" --protect-hidden=yes --fs-options=rw,noatime,umask=000 /dev/sda2 /windows

By using the hidden OS feature in Truecrypt, it is possible to triple boot your computer, with all data on the drive except for the /boot partition in Linux being encrypted. Since no secret information is stored in /boot, this is not a problem.
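A way to run the same mount from rc.local with the passphrase kept in a root-only file instead of a literal in the script. This is an added example, not the post's command: it keeps the post's TrueCrypt flags, reads an optional second line as the hidden-volume passphrase (which turns on protection), and the TRUECRYPT path, passphrase file, volume and mount point are placeholders you set for your own system.

```shell
#!/bin/sh
# Added example (not from the post): mount a TrueCrypt volume at boot with
# the passphrase read from a root-only file instead of a literal in rc.local.
# Assumes GNU stat (Ubuntu) and that TRUECRYPT, the passphrase file, the
# volume and the mount point are placeholders you set for your own system.
TRUECRYPT="${TRUECRYPT:-/usr/local/bin/truecrypt}"

# Succeeds only if the passphrase file is a regular file with no group/other
# permission bits (mode 600 or 400), so other local users cannot read it.
passfile_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Build what TrueCrypt reads on stdin: the outer passphrase alone, or, for a
# protected-hidden mount, hidden passphrase, blank line, outer passphrase
# (the order the post uses). printf replaces echo because echo's handling
# of \n differs between dash (/bin/sh on Ubuntu) and bash.
passphrase_stream() {
    outer="$1"; hidden="$2"
    if [ -n "$hidden" ]; then
        printf '%s\n\n%s\n' "$hidden" "$outer"
    else
        printf '%s\n' "$outer"
    fi
}

# mount_tc PASSFILE VOLUME MOUNTPOINT: line 1 of PASSFILE is the outer
# passphrase, optional line 2 the hidden one (enables --protect-hidden=yes).
# Does nothing if MOUNTPOINT is already mounted, so re-running is harmless.
mount_tc() {
    passfile="$1"; volume="$2"; mountpoint="$3"
    passfile_is_private "$passfile" || {
        echo "refusing: $passfile must be a regular file with mode 600" >&2
        return 1
    }
    grep -qs " $mountpoint " /proc/mounts && return 0
    outer=$(sed -n '1p' "$passfile"); hidden=$(sed -n '2p' "$passfile")
    protect=no; [ -n "$hidden" ] && protect=yes
    passphrase_stream "$outer" "$hidden" | "$TRUECRYPT" -t -k "" -p "" \
        --protect-hidden="$protect" --fs-options=rw,noatime,umask=000 \
        --filesystem=ntfs-3g "$volume" "$mountpoint"
}
```

In rc.local this becomes a single line such as `mount_tc /root/.tc-pass /dev/sda2 /windows` after sourcing the functions, with /root/.tc-pass created by root and chmod 600.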

December 5, 2009

Running Windows 7 as a Truecrypt Hidden Operating System

Filed under: encryption, Truecrypt, Windows — Robert Wicks @ 5:03 pm

My favorite whole drive encryption system, hands down, is Truecrypt. One of the interesting features is the notion of plausible deniability. One of the ways this deniability may be accomplished is through a hidden operating system. I don’t really need the deniability features, but I have found that the hidden operating system is useful in allowing me to keep Windows XP on my laptop, while being able to seamlessly boot into Windows 7 (I have also set up Windows 2008 Server in the same way).

I have a 160GB hard drive, which I divided into a 40 GB partition and another 120 GB partition. I have XP installed on the 40GB partition, which is my C: drive. I have another D: drive where I keep data. That’s the 120GB partition. It is important to have a similarly partitioned hard drive. It is also vital that the 120GB partition have enough space to hold all of C:, i.e., 40GB. Do a full sector level backup on the drive. I use Knoppix, then use the dd command to copy the entire /dev/sda drive to a file on a USB hard drive. You should be able to access the individual files on D:. Use ntbackup to run a backup from within Windows XP on the D: drive. Once you have all this done, you can install Windows 7 from scratch, reformatting all the partitions, but only installing on the 40GB one. Leave the 120GB partition empty.

After installing Windows 7, run Truecrypt, pull down on the system menu and select “Create Hidden Operating System . . .” Follow the prompts to create it as normal. After you delete the original partition (the last step in Truecrypt’s hidden OS creation sequence), you should then restore the boot sectors and the first partition from your backup. If you used dd, this just means booting into Knoppix and running something like:

dd if=/path/to/backup/file of=/dev/sda bs=512 count=<End sector of /dev/sda1 as shown by fdisk -l -u /dev/sda, plus one: sectors are numbered from 0, so End+1 sectors reach the end of sda1 without touching sda2>

This will write over the hard drive up to the point where the outer volume, which holds the hidden partition, starts. When you reboot, you will boot back into your old Windows XP. It will probably freak out about not being able to get to D:. Just install Truecrypt, then mount the outer volume using the outer volume password. You can then restore your backup into that volume.

Finally, encrypt the XP system. This will install the Truecrypt boot loader, where you will be able to provide either the XP decryption password or the Windows 7 decryption password in order to choose which operating system you wish to run.
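The dd restore step above is the one place where a miscounted sector wipes the outer volume's header, so here is an added helper (not from the post) that derives the count from fdisk's End column, adds one because sector numbering starts at 0, and checks the image is large enough before printing the dd command to run. The fdisk output it embeds is constructed to match the post's 40 GB + 120 GB layout.

```shell
#!/bin/sh
# Added example (not from the post): derive the dd count for restoring the
# MBR plus /dev/sda1 from a whole-disk image, and sanity-check the image
# first. Assumes the text of "fdisk -l -u /dev/sda" (util-linux; End column
# in zero-based sectors) and a raw dd image of the whole disk.

# Constructed fdisk output for the post's 40 GB + 120 GB layout.
SAMPLE_FDISK='   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *          63    83886142    41943040    7  HPFS/NTFS
/dev/sda2        83886143   312581807   114347832+   7  HPFS/NTFS'

# partition_end_sector DEVICE < fdisk-output: print the End sector of DEVICE.
# fdisk prints an optional "*" boot flag before Start, which shifts the
# columns, so End is field 3 normally and field 4 on a bootable partition.
partition_end_sector() {
    awk -v dev="$1" '
        $1 == dev { e = ($2 == "*") ? $4 : $3; print e; found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Sectors are numbered from 0 and dd copies sectors 0..count-1, so the count
# is End + 1; "count=<End>" would leave the partition's last sector, where
# NTFS keeps its backup boot sector, unrestored.
restore_sector_count() {
    end=$(partition_end_sector "$1") || return 1
    echo $((end + 1))
}

# restore_command IMAGE DISK PARTITION FDISK_FILE: print the dd command
# (without running it). Fails if the image holds fewer bytes than the
# restore needs, since a truncated backup would leave the disk half written.
restore_command() {
    image="$1"; disk="$2"; part="$3"; fdisk_out="$4"
    count=$(restore_sector_count "$part" < "$fdisk_out") || {
        echo "$part not found in $fdisk_out" >&2; return 1; }
    need=$((count * 512))
    have=$(wc -c < "$image" | tr -d ' ')
    [ "$have" -ge "$need" ] || {
        echo "image too small: $have bytes, need $need" >&2; return 1; }
    echo "dd if=$image of=$disk bs=512 count=$count"
}

# Example run on the constructed table: prints 83886143.
printf '%s\n' "$SAMPLE_FDISK" | restore_sector_count /dev/sda1
```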

This allows me to run two versions of Windows with no fear whatsoever that they will interfere with one another. Also, it gets me into the habit of performing disaster recovery backups on my laptop.
