Schneier on Security
A blog covering security and security technology.
« InfoWorld Article About Me |
| Google Vulnerability Scanner »
March 4, 2008
There's a new version of TrueCrypt, the free open-source disk encryption software.
Posted on March 4, 2008 at 6:35 AM
• 58 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
It's OK... better than nothing. You still depend on the attacker being dumb. And it is still limited by the same problems as all these other encryption-centric products.
A very good package, but the Linux version has taken a step back from the previous one.
Performance is abysmal due to them having switched to FUSE, no support for filesystems used in Linux like ext3(!), the GUI is still buggy and no pre-boot authentication that I can see.
All in all, it's a good package for exchanging encrypted FAT32 volumes between operating systems, but nowhere near as useful or polished as the Windows version.
Anyone tried the mac OS X version?
@bogomips: "no support for filesystems used in Linux like ext3(!)"
I am under the impression that I have an ext3 formatted container here, created with 5.0 (as I did not really use Truecrypt on Linux before 5.0).
Sorry, I should have elaborated a bit more. You can of course format the unencrypted block device using whatever filesystem the distro supports, but it has to be done manually from the command line and it isn't a straightforward operation. Furthermore it has to be done outside of Truecrypt. Create a container, map it (but don't mount it) and then format that device using mkfs.
The GUI, which is the major selling point in this release, only supports creating FAT32 containers.
The hidden volume lies in an uninterrupted area of free space whose end is aligned with the end of the outer volume, according to http://www.truecrypt.org/docs/hidden-volume.php and hence the truecrypt's notion of hidden volume is useless for a whole disk encrytion.
"Why did you have a soooo large free space at end of you truecrypt volume, while last defragmentation has been done 3 years ago ? Now, I will force you to also give the password for the hidden volume."
It would be different if the truecrypt wizard could mark some blocks of the hidden volume as badblocks, and allocate them to construct a phony file in the outer volume.
The best part of Steve Gibson's review is when he talks about Window's defrag working faster under TrueCrypt -- that's everything you need to know about Microsoft right there.
Truecrypt encrypts the space, so even free space is not visible as such to outside eyes. If your encryption product doesn't even encrypt the free space to obscure information like this, it's a crappy product.
@hidden volume: "hence the truecrypt's notion of hidden volume is useless for a whole disk encrytion"
Which is probably why Truecrypt doesn't support it for whole disk encryption.
Its hidden volume is probably most useful in situations where you have a fixed size container that is plausibly quite empty.
They are selling 2GB USB drives for under EUR 10,- here. Despite carrying seldomly more than 100MB around on it, I bought one. You just don't get smaller drives these days. So while it's true that it has around 95% of free space, that's really no indication that there would be a hidden volume (there isn't :-).
Truecrypt is still first and foremost a Windows software and has only recently moved towards Linux.
The hidden volume feature is for situations where you have to provide your "normal" password.
Hence, the attacker will be able to tell which parts of your drive are supposed to be empty. If a large chunk at the end of the drive is supposedly empty, this might raise suspicions.
TC is a pretty darn good product from what I can tell (and you gotta love the price). I'm impressed that v5 supports system encryption (i.e., for the entire drive, including the OS, excluding the master boot record) for Windows OSes. Very impressive when a high level of DAR (data-at-rest) security is desired.
TC continues to be useful for encryption external HDDs, SSDs, etc.
@Philippe - I am using the OS X version. Haven't really exercised it that much yet - though I have a couple of volumes and one encrypted USB thumb drive.
Re: OSX - I have tried and there seem to be serious problems with 5.0a at least on some systems according to my own experience (encrypted USB drive suddenly became completely empty) and http://forums.truecrypt.org/viewtopic.php?t=9223
It would be interesting to use system encryption with hidden features. You will be able to install two OS (1 on the standard and the other on the hidden volume). The hidden and standard volumes will be part of the TrueCrypt system encryption features
It's TrueCrypt Open Source?
Stop whining, get off you're backside and write some code.....
I may of missed the memo but when did we start taking Steve Gibson seriously?
I would think it best to travel with just virtual driectories of sensitive files encrypted, but leaving the general c:\bootup and generic stuff wide open. Since a truecrypt virtual directory can carry any file name, it can be more or less 'hidden' among all the .dlls etc. in the system.
If you want open source, you don't need truecrypt. The dm-crypt module can be used for whole (excepting a boot partition) disk encryption.
Fedora 9 will have the ability to do this easily for new installs. It isn't quite working right in rawhide yet, but should be by the beta release (and hopefully by the end of this week).
sm-crypt has the advantage that it is supposed to honor write barriers which is useful if you are running transactions on top of it.
I use Truecrypt everywhere.
I have a big chunk of free space in my TC volume because it's a data transfer device, and I take everything off it when I get home and fill it from scratch every time. It doesn't NEED defragging. It's mostly empty because I didn't happen to be moving a big chunk of data from work to home today.
That's my excuse anyway.
I would also like to hear "s"'s elaboration on how we're relying on the attacker being "dumb".
dm-crypt is great, except my main use of encryption is for portable devices, mainly on Windows.
What are the relative merits of Twofish, Serpent, and AES (as offered in this version of TrueCrypt)?
"What are the relative merits of Twofish, Serpent, and AES (as offered in this version of TrueCrypt)?"
One of the manifest beauties of rubber-hose cryptanalysis is that it works independently of the cipher algorithm.
Other than that weakness (and ones derived from it), there isn't any substantial difference. The worse case scenario is that you pick Twofish today, and tomorrow someone finds an O(1) attack against it, the next day you re-encrypt with AES.
I'm using TC on OS X. It doesn't appear to support hidden volumes on OS X, and of course doesn't support full disk encryption. But it has worked flawlessly for me...I've completely replaced encrypted disk images. I frequently need to be able to open the TC volume on my flash drive in both Windows and Mac (the TC file was created under Windows with the previous version of TC) and the Mac opens and uses it without difficulty. I actually haven't tried going in the other direction yet (opening a TC volume created on Mac in Windows) but based on what I see so far, I expect it would work just fine.
Well, if he's referring to the fact that if someone manages to get to your computer within 2 minutes of turning it off with some liquid nitrogen and can extract the password, I'm not calling that "the attacker being dumb".
For one thing, I think most people are using TC for thumb drives and other portable data stores; I have TC volumes on CDRs and such. That attack is completely meaningless in these cases. Someone who finds my thumb drive lying in the street can't exactly come into my house (or even find it) and get my password off.
With TC5's full boot drive protection, anyone who has a private data loss due to a stolen laptop is just being stupid and lazy. There's no excuse anymore. This is pretty well respected software, and it's free.
Thanks. That's the perspective I needed. I can put all my eggs in one basket without fear. If that basket leaks, I switch baskets.
Use TC5 daily on a usb drive (volume created under windows) to exchange date between work (windows) and home (mac os x). Not one problem encountered so far.
I used TC's system encryption simply to sufficiently annoy anyone who steals the system into simply formatting/reinstalling it. It has personal emails and MP3s, but those are also backed up to external hard drive and can be accessed by any of my other systems. Overall, I have no real complaints about its functionality.
@Roy - "Thanks. That's the perspective I needed. I can put all my eggs in one basket without fear. If that basket leaks, I switch baskets."
Yes and no. That is true as long as you know nobody has acquired a copy of the encrypted drive in between times.
If you are mailing an encrypted disk, you may need to worry about someone having copied the contents and replaced it in the mail to be shipped on.
If the TSA takes a forensic image of your disk, you can change the encryption of the disk to whatever you want, the TSA's copy can sit around for years waiting for advances in encryption. Of course, the TSA will probably have lost track of their copy by the time that cryptanalytic result comes out...
If your laptop is stolen, you have to hope that whatever encryption scheme you chose will last - you can't change it now. (Of course any thief who's not an industrial or government spy will probably just wipe the disk with a pirated copy of XP and sell the computer on eBay, after about 1 minute looking at the passphrase prompt.)
John Ridley stated:
With TC5's full boot drive protection, anyone who has a private data loss due to a stolen laptop is just being stupid and lazy. There's no excuse anymore. This is pretty well respected software, and it's free.
That would be true if it worked. I just tried system encryption on an old laptop (think old enough to toss in car just in case I need it, gateway solo 5300). I install, it reboots, prompts for password, Screen clears (black), and I 'hang'. To be fair, I'm not sure I actually hang, the black screen does make it difficult to tell.
The good news is I reboot and hit esc at prompt and it will enter the OS and allow me to remove the encryption boot loader. The drive is not encrypted yet, it is still at the 'test' stage when it fails (so design points awarded).
Note: I do use TC and have for several versions now. Works great in container mode, even the hidden containers work well. I do like the product and was very excited by the system partition encryption in 5.0. However, I think I'll wait for at least the next release of the system encryption functionality. Or at least my 'disposable' laptop will :).
@dragonfrog: "If you are mailing an encrypted disk, you may need to worry about someone having copied the contents and replaced it in the mail to be shipped on."
Yes and no. Symmetric encryption provides a certain level of protection against this: As the attacker does not know the password, he could only "blindly" replace data, which would most probably be noted by the recipient (as it would decrypt to nonsense).
Given Truecrypt's XTS cipher mode, I am not sure about selective bit-flipping and the like, but I don't think that much harm could be done.
@grayputer: "even the hidden containers work well"
Ha! Please wait while we prepare the thumbscrews, sir...
@ Dom De Vitto
TrueCrypt's license is a minefield (http://lists.debian.org/debian-legal/2006/06/msg00295.html), and its developers are actively hostile towards forks, or even outside contributors. Taking matters into your own hands isn't advised.
Especially since, as Anonymous said, there are much better alternatives for Linux and Mac OS anyway.
I don't expect Bruce to say anything in this thread, as he works for a company that makes a competing commercial product.
Tried installing this on my system a few days ago. No luck. It won't even build on 64-bit Linux. I went back to a previous version that does. Doesn't look much like progress to me.
The only issue with the partial disk encryption is that in Windows there will be a lot of traces to stuff that used to exist on drives that are no longer present - highly suspicious to an advisary.
On the other hand, with full disk encryption they may just force you to give out the password.
For a casual inspection, it would be best to have 2 boot passwords to boot into one system or another, this way one can alway choose.
Has both new features and new bugs.
Waiting for 5.x.
fuck bill gates
free open source software forever
I tried to build Truecrypt 5 on SUSE 10.2 (32 bit), but it failed looking for fuse.h (fuse-devel ??? - it seems it's not available for Suse).
Looking at the sources, it seems this is Windows application more or less successfuly ported t other systems.
Crypto-advertising not intended here, but so far I use Jetico Bestcrypt for Linux, happily paid modest price.
I'm still waiting for some working product doing whole-disk (including boot partition) encryption for Linux.
If you are serious, consider hardware based solutions. Don't go cheap either as the XOR scandal shows you get what you pay for.
A good rule of thumb (Bruces in fact) is how much money do the put behind there product. ie provide liability cover in the case of compromised drive like some steering lock manufactures.
Most give non and include a full disclaimer of liability as part of the EULA.
> A good question is TC5 still vunerable to this? -
Please don't read only the web page you are refering to but also the original paper. ANY full disk encryption software is vulnerable against the cold boot attack because the encryption key must be stored somewhere in memory in order to decrypt the contents of the disk.
No full disk encryption is vulnerable against this type of attack if you simply switch off your computer and let it rest for a while.
I believe that TrueCrypt wipes the passwords from RAM when you dismount. You can set the options to dismount even on screen saver activation, but also by default it dismounts on power down and hibernate.
ISTM that TC is only vulnerable to the RAM read attack if power is cut from the computer, not if it's properly shut down. Unless the key area gets copied to another piece of RAM or to swap space. The swap space would still be OK in the case of boot drive encryption.
The Threat model where this cold boot attack is relevant is so far away from normal that for the vast majority of cases you don't need to worry.
Please what is remotely plasable about cold boot attacks for normal people? Do you consider Tempest? What about key loggers, bugs in the office? Cell phone cameras? Keyboard listeners? Screen "grabbers". Cause if these aren't in your threat model then cold boot attacks don't belong in there either.
"Performance is abysmal due to them having switched to FUSE"
Yeah and I guess that's because ALL things in kernel space run much faster. Even better if coded in assembler...
Personal prejudices seem to be the main argument when talking about performance.
Measure! or shut up.
Sorry Bruce, even for you it seems difficult to relate this to security.
@John Ridley: You are correct that TC _can_ be set to unmount volumes when the screen saver starts. But you must also be aware what happens to applications that have open documents.
In some cases you might not want volumes to unmount because your applications cannot handle it.
The point is that you can find a scenario where the computer is running, the encrypted volumes are mounted, the attacker has no logical access to the computer (because of screen saver or suspend to RAM mode) but has physical access to the computer.
In that case the computer is vulnerable to the cold boot attack.
Yes I am patently aware of this:
"Please don't read only the web page you are refering [sic] to but also the original paper. ANY full disk encryption software is vulnerable against the cold boot attack because the encryption key must be stored somewhere in memory in order to decrypt the contents of the disk."
I did read the relevant white paper and all associated commentary on the work done by the EFF researchers - I would not be much good at my job if I did not.
IMHO the EFF announcement was the correct reference for this blog - as it gave an overview with reference to the actual paper at the bottom of the page for people that wanted to read further.
To turn off your machine and wait for over a minute every time you walk away to make a cup of tea is not really the answer:
when combined with the above attack
I also meant to say it was Adam Boileau's research and findings on the Firewire vuln., which he demonstrated at Ruxcon in 2006, entitled "Hit By A Bus: Physical Access Attacks With Firewire". The 2006 paper can be found at:
His tool is called Winlockpwn but the trick can be run on other OS's
Rubber hose cryptanalysis don't work if you deleted the keyfile "You want me to remember 600 thousand random one and zero ? Go on and try, like if I could !"
Is there a reliable open source product that does full disk encryption in Windows?
Can Truecrypt work in an enterprise environment where users regularly lose thier passwords? How can the sysadmin's unlock the users password?
Obviously key control is important here.
@Felix: "Can Truecrypt work in an enterprise environment where users regularly lose thier passwords?"
When creating a volume, a rescue CD is created. The Admin can use it to reset the password (he must know the initial password).
@Paeniteo...So if the users changes his or her password you are stuck?
Truecrypt has failed me again. This time I encrypted an entire USB HDD.. it had all of my music and family photos and videos on it. It had been working fine about an hour ago.. I rebooted I try to open the drive using truecrypt and it says "password incorrect, or not a truecrypt volume" Heres the kicker it did this to both drives that I encrypted with truecrypt.. both of them usb external HDDS... LUCKILY I backed up the header of the 1st drive and restored it.. the other drive I did not... the password is the same for both drives. My first question is why would this happen? Do I have to live in fear that my password will just stop working out of the blue .. or that I'll have to rely on a backup file to save me from this happening frequently? I just don't understand why in the hell it would all of the sudden not work. So now I have a drive that I cannot get access to and has a lot of my important data on it. Truecrypt is complete shit.. this is not the first time it's fucked me over. If anyone can help me out ... enlighten me as to why this would happen... please do so. you can reach me at this email address firstname.lastname@example.org
I am sorry you had those problems. I have been in similar conditions. The solution here is to have backups, backups, backups, backup, backups.....
Sincerely I don't want to rub salt in your wounds, but consider it for the next time you entrust ANY technology with important things.
I've written several posts and HOWTO documents describing how to use Truecrypt on Linux to encrypt entire volumes and create hidden encrypted volumes on Linux.
Here is the most widely-hit HOWTO:
So is there actually anyway to protect ourselves against these bloody cold boot bastards or are we all screwed, if say in my case I use Truecrypt to create encrypted containers and hidden containers, if I dismount the drive and shut down my computer, am I still vulnerable? in another words, If some1 booted my pc with my external HDD plugged in (drives not mounted, just HDD plugged in) would the password be in the RAM straight away or would I have to mount the drive and enter the password once before it gets stored in the RAM?. All I keep reading about is how vulnerable anybody is, Someone find a solution! theres got to be some clever chinese hackers hiding somewhere!
About downloading TrueCrypt and verifying the authenticity of the downloaded file - on Mac OSX, the TrueCrypt official website does not provide clear information on how to verify the downloaded file and the How to use the provided PGP digital signature to verify the DMG file. Even thought, they do provide the fingerprint too, they don't provide the Checksum which is more commonly used.
The checksum is supposed to be: 0dfb1e09b337d92dd7a90095bc29d909
I did use the MD5 App the get the above checksum, and then I goole it to see if I will find it somewhere and I found it on The Chip Magazine download section, so it looks enough reliable for me to consider the TrueCrypt file that I downloaded directly from the TrueCrypt website.
Anyway, the point of all this is that TrueCrypt should also include the Checksum on their own site.
Now, About TrueCrypt for Mac I would prefer not to see a port, but an actual Mac App who does not use or depend on MacFuse, simply because everything that Google makes these days is not security and privacy conscious. Per example: Google Earth and Picasa Software heavily uses Google Analytics and phones home when installing it and on every update, see article below:
So, Why someone would like to use a fine security tool like TrueCrypt along side a utility developed by privacy - blood sucker - Google?
Sorry, I just don't trust MacFuse, it could and may be used to mount remotely anything you have on your Mac.
So, in the mean time, Encrypted Disk images (DMG) created with Disk Utility on a Mac seems to be a little more secure than using TrueCrypt on a Mac. Too bad that Apple does not allow you to copy and paste long and strong passwords from passwords managers to open an Encrypted Disk Image, so remembering and using a 40 digits alphanumeric password, with sign and dashes, to open an encrypted container is just unpractical.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.