TrueCrypt 5.0 Released, Now Encrypts Entire Drive

A funny little man writes "The popular open source privacy tool, TrueCrypt, has just received a major update. The most exciting new feature provides the ability to encrypt an entire drive, prompting the user for a password during boot up; this makes TrueCrypt the perfect tool for non-technical laptop users (the kind who are likely to lose all of that sensitive customer data). The Linux version receives a GUI and independence from the kernel internals, and a Mac version is at last available too."

The final excuse.

[by Anonymous Coward]

That removes the last excuse people have for not encrypting everything..."It is too complicated". Total encryption with a password at bootup...couldn't be simpler.

Re:The final excuse.

[stevie.f (1106777)]

Nope, the last excuse for people is "What's encryption?"

Re:

[rizole (666389)]

How about; "what's my password?"

Re:The final excuse.

[Lord Ender (156273)]

No. Encryption imparts serious performance penalties. Normally, things like DMA allow you to transfer data directly from your disk to your RAM, another disk, or another device. With encryption, every bit must pass through the CPU to do crypto on it. It some cases, that is a very noticeable delay. At our company, that delay was too long for some purposes, so I had them use DriveLock instead, which has no performance penalty.

Re:

[mi (197448)]

A reasonable compromise would be to encrypt only the "interesting" data — such as the /home partition and, maybe, the /var/log (or simply make sure the particular log-files you wish to protect — such as maillog — reside on the encrypted /home).

Whoever tries to crack your laptop is unlikely to be interested in the standard-issue binaries you may have installed...

Re:The final excuse.

[Lord Ender (156273)]

The entire point of whole disk encryption is that it is impossible to define where "interesting" data is. Temp files, cache, and swap files can all end up with sensitive data in them. They only way to be sure is to encrypt the whole disk. (or nuke it from orbit)

Re:The final excuse.

[phantomcircuit (938963)]

All I have to say is this [technocrat.net].

DriveLock: Full Discosure Required

[Anonymous Psychopath (18031)]

It is well known that DriveLock can be broken. It is also well-known that breaking it is beyond the capability of 99.9% of laptop thieves. This is a fair risk/reward trade-off for all but the most sensitive data.

I don't think it's well-known at all. DriveLock certainly doesn't say so on their web page. Every DriveLock user should be presented with, at a minimum, a click-through message stating that there are well-known methods of defeating DriveLock that are more practical than those required to defeat strong encryption, and that the methods used by DriveLock are only designed to prevent your data from being disclosed in the event of a casual theft aimed at your hardware, and not at your data. Not buried deep in the EULA, either.

As referenced in another reply, http://technocrat.net/d/2007/3/9/15796 [technocrat.net]this user was obviously not aware that DriveLock can be very easily bypassed if the persons taking your hardware have access to a clean-room facility.

Lastly, your definition of sensitive data might be different than mine. Without full disclosure, how can I be expected to make an informed decision about the strength of protection required?

Re:

[TAiNiUM (66843)]

What about data recovery? If my drive fails in some manner, can I still recover my data? Without this tool I can at least recover *some* data. Does this eliminate that possibility and turn it into an all or nothing scenario?

Re:

[Lord Ender (156273)]

Disk encryption is meant to counter a specific threat--laptop theft. Your backup server, hopefully, isn't sitting on a coffee table in an airport. Protecting your backup server is an entirely different issue.

Also, yes you CAN recover truecrypt volumes if you lose the password. If you backup the volume header and store that with a password, you may later get back at your data by restoring the volume header.

That FAQ is either out of context or out dated. I've recovered TC volumes using volume headers.

a pity the British government won't use it

[tolworthy (1205778)]

It's not by Microsoft. Plus they don't have much data left to lose.

How to DDoS your favorite open source project.

[Scott Lockwood (218839)]

Step 1: Post on Slashdot
Step 2: ???
Step 3: Profit!

One thing annoys me:

[imsabbel (611519)]

They have to option to convert boot drives to encrypted drives... even while the system is running.
Thats nice.

But how about converting non-boot drives?
Doesnt seem to be possible.

Not everybody starts with a blank sheet, or has double the needed capacity to empty first one HD and then another...

Re:One thing annoys me:

[hey! (33014)]

That doesn't seem so important to me.

If you want something encrypted, you put it on a truecrypt drive; you can move it from the original drive to the truecrypt drive, then juggle the drive letters if you use windows, the mount points otherwise. The only thing that can't get this treatment is the boot drive, therefore (uniquely) you have an absolute need for a way to encrypt that while it is running.

Download here (as the site seems down atm)

[_bug_ (112702)]

http://sourceforge.net/projects/truecrypt/ [sourceforge.net]

Press release here [sourceforge.net].

We are pleased to announce that TrueCrypt 5.0 has been released. Among the new features are the ability to encrypt a system partition or entire system drive (i.e. a drive where Windows is installed) with pre-boot authentication, pipelined operations increasing read/write speed by up to 100%, Mac OS X version, graphical interface for the Linux version, XTS mode, SHA-512, and more.

After four years of development, during which millions of people downloaded a copy of TrueCrypt, it is the only open-source disk encryption software that runs on Windows, Mac OS X, and Linux. The newly implemented ability to encrypt system partitions and system drives provides the highest level of security and privacy, as all files, including any temporary files that Windows and applications create on system drives (typically, without the user's knowledge or consent), swap files, etc., are permanently encrypted. Large amounts of potentially sensitive data that Windows records, such as the names and locations of files opened by the user, applications that the user runs, etc., are always permanently encrypted as well. For more information, please see http://www.truecrypt.org/docs/?s=version-history [truecrypt.org]

What about wake up?

[unbug (1188963)]

I almost never turn off my laptop, I just close the lid. Will it ask me for a password when it wakes up again?

Re:What about wake up?

[apathy maybe (922212)]

In Windows at least (not sure with the other versions), you can set it to dismount mounted volumes whenever certain ACPI events (lid closing, suspend or hibernate etc.) happen.

This forces you to re-enter your password to access the volume.

Of course, you should have an option in your OS to ask you for your login password whenever you close and then open your lid as well.

Re:

[twoshortplanks (124523)]

No, but you should have a screensaver that won't let you use the computer unless you enter a password.

Normally this wouldn't offer complete protection - you could just reboot from a system disk and access the filesystem, but with truecrypt (or FileVault, or any of the other encrypted file system solutions) they can't do this.

Finally a Linux GUI :)

[Loibisch (964797)]

I've been waiting for this release. I know that real men use the command line for each and everything including brewing their morning coffee, but I was really looking forward to the graphical user interface. :) Of course, thanks to Slashdot now the site (which has been dead slow all day) has now been blasted out of orbit...

Ah well, maybe the storm will be over till I'm home.

Downloading

[margam_rhino (778498)]

I will just wait until you pesky North Americans are in bed and download in the morning UK time, ha ha. Wait, no, everyone forget I said that! Aww, now you all will try then.

Linux 64bit?

[Wubby (56755)]

Any word on 64bit binaries for Linux? I've compiled the Non-gui version without issue before, but with a gui, things get more complicated. GTK/KDE? Which libraries? etc etc etc etc etc

FIPS 140-2?

[soboroff (91667)]

Are they planning to submit their system for FIPS 140-2? The US OMB decreed that most laptops must be encrypted with full-disk FIPS 140-2-compliant encryption, but the only certified tools for this exist for Windoze. The algorithms used are fine, but this stamp of approval would be very useful for federal Linux and Mac users!

Re:

[SuperBanana (662181)]

The algorithms used are fine, but this stamp of approval would be very useful for federal Linux and Mac users!

http://www.extrapepperoni.com/2007/09/10/fips-140-2-for-mac-os-x/

Filevault already provides FIPS 140-2 compliant encryption.

I will always encrypt

[Bobb Sledd (307434)]

Being in the US, I have become so paranoid now that I encrypt everything with TrueCrypt. Whether it's MP3's, DVDs or pr0n or just simply my web browser cache, it all goes into the encrypted file. Long hard password and keyfiles, and then I also use hidden volumes.

And one big big big reason I use encryption: Usenet. I often use NewsBin to indiscriminately download all the binaries in a given group. I think this is very dangerous. And many times you get some very illegal junk you just don't want lying around -- but I can't get to it for several days to manually filter through it. ISPs get the benefit of being an ISP and not having to filter their caches for content; I do not get that same benefit. If I get caught with something I shouldn't have, it's jail time.

So if it comes up that I had inadvertently downloaded some kiddie pr0n through Usenet newsgroup (which is often mixed in with legitimate stuff), and my machine gets searched, I want some protection. And both: the things I downloaded and the things I have deleted simply CAN NOT be found.

Re:Not sure it matters

[Bobb Sledd (307434)]

What can I say. I needed the karma.

Recovery CD

[MT628496 (959515)]

I'm not sure whether I like the idea of encrypting my entire disk. I don't really like the idea of not being able to boot a live CD to fix something should the need arise. Unless I'm misunderstanding the features, it won't be possible.

I know it doesn't happen often, but there is not anyone here that hasn't at least once screwed up something on his system and needed to boot a livecd to fix a configuration file. With total disk encryption, what do you do? You're boned, as far as I can see and I don't think that I really like the idea.

As I'm writing this, the thought pops into my head that "you can probably just enter your passphrase from the live environment while trying to mount the filesystem". Is this how things actually work? It's a genuine question and I'd appreciate not being modded down for asking it. Of course someone probably will.

Re:Recovery CD

[Xenoflargactian (883930)]

TrueCrypt requires that you burn a Rescue Disk before encrypting your boot partition. It saves a 2-meg ISO to 'My Documents' and gives you links to free burning software. It won't let you proceed without the burned CD in the drive. The rescue disk can be used to restore the boot loader (which has the password-encrypted keys, etc) in case of corruption, but it also has a 'Decrypt entire disk now' option. If you need to boot from a BartPE, you can decrypt your whole disk, then boot from the BartPE.

They've really thought this through. I've gotta hand it to the people at Truecrypt.org. I'm impressed, especially considering this is the first release of their whole disk encryption product.

Re:Independence from Kernel Internals?

[Chris Mattern (191822)]

It is also, of course, impossible that it encrypts the *entire* disk. It may encrypt all the partitions your running system uses, but unless your BIOS has encryption support (which it doesn't), you can't have an encrypted boot partition.

Re:

[Maljin Jolt (746064)]

It is also, of course, impossible that it encrypts the *entire* disk. It may encrypt all the partitions your running system uses, but unless your BIOS has encryption support (which it doesn't), you can't have an encrypted boot partition.

Your concept of impossible is, of course, a little bit flawed, for I have at least 5 *entire* disks encrypted in this single box I am writing on. And some of them has no partitions, just a filesystem over raw disk.

Re:Independence from Kernel Internals?

[CarpetShark (865376)]

unless your BIOS has encryption support (which it doesn't), you can't have an encrypted boot partition.

Of course you can. You just can't have an encrypted MBR... unless you boot from a floppy or a USB drive you keep on your person, or something like that. Note that bios limitations can also be circumvented with linuxbios ;)

Re:Independence from Kernel Internals?

[Chris Mattern (191822)]

Yes, they can recover key and encryption algorithms from the unencrypted boot sector. But if they can crack you simply by knowing the unencryption program, you're boned anyways. What they *can't* recover, assuming that your encryption vendor hasn't screwed up, is your key. And without that, they can't read your encrypted partitions. If they've done it right, it's secure. Somebody in possession of your laptop but without your passphrase cannot read the disk, no matter what he does, except for the boot partition, and there won't be any useful data there. I don't use Truecrypt and haven't researched them, so I can't guarantee that they did it right (look at WEP, where they managed to botch the encryption for a major standard, resulting in it having to be replaced by WPA). I believe every laptop should be "whole disk" encrypted--it's just too easy for a laptop to disappear. I run debian on my laptop, so I used cryptmount to encrypt my disk. If you're not encrypting your laptop's disk, you definitely should be. A brief glance over some recent news stories should tell you why.

Re:

[viper66 (412839)]

Whole disk encryption is meant to avoid the possibility that an application (possibly without your knowledge) could write sensitive data to a location that is not encrypted.

Re:Independence from Kernel Internals?

[filbranden (1168407)]

Hi, I read the site yesterday (from Firehose), and I think I can say one thing or two.

TrueCrypt does a good job of encryption, it's not a trivial level. It uses strong algorithms, and you can choose from 5 or 6 different algorithms. It doesn't store your password anywhere in the disk, when you type the password, it tries to decrypt the header, and if it makes sense (I guess if checksums match) then it knows it's the right password and it goes on, otherwise not. It uses basically the XEX (almost sure that's the name... I don't really know what it is, this is what I remember from the site) schema, but XEX uses only one key for two purposes, and TrueCrypt uses two different keys for these two purposes.

The whole-disk encryption (the correct term is partition encryption) seems to work well, at least from the documentation, I didn't try it (yet). It includes a boot sector that does the part of asking the password during boot and decrypting the partition. The boot sector is obviously encrypted, and I suppose it also stores some unencrypted data to implement the boot code (I don't believe it can be done in 512 bytes only), but after you boot the OS, everything it sees is encrypted, so it will protect even temporary files or logs created by the OS on that drive. Even if it doesn't encrypt 100% of the data (boot sector, boot code), it encrypts everything that you should encrypt. What it doesn't encrypt is not secret in any way.

I tried previous versions and I liked it, it is really a great product, and if 5.0 does everything they say it does, I guess it's really worth it. Whole-disk encryption is no longer missing from this excellent software, many businesses need it for laptops (just see how many information theft happened last year due to lost laptops). I believe TrueCrypt is going mainstream now.

Re:Independence from Kernel Internals?

[filbranden (1168407)]

Oh, I forgot to mention. According to their website, TrueCrypt can encrypt the boot partition even after the OS is installed, even with Windows.

Basically, you install it, then you ask it to encrypt the whole disk. It will install the boot code to ask the password and decrypt the partition before loading the OS, and then it will start encrypting your partition in the background, you may continue using the OS. You may even reboot the machine, it will boot correctly and continue encrypting from where it stopped. If it really works as they say it does, this version is indeed amazing.

Re:

[Skapare (16644)]

If it runs while loading the OS (kernel), and then runs when that OS mounts a filesystem, it must be running in two different places since in one case the I/O is done through BIOS calls and in the other case through device driver calls in a kernel. That doesn't sound like independence from the kernel to me. It sounds like it has to be compiled into the kernel (otherwise the / filesystem isn't encrypted), or at least inside initramfs (which is still compiled into the kernel).

I'm really not concerned about

Re:Independence from Kernel Internals?

[gweihir (88907)]

I would like to encrypt my entire laptop drive, but I'm not going through all the trouble if its just another easy layer to break through. Any Truecrypt experts out there?

I am not a TrueCrypt expert, but I follow the discoveries of the crypto community. It seems TrueCrypt is highly respected. While it cannot defeat a (hardare in this case) keylogger, the crypto used seems to be strong crypto implemented according to current standards. Not a snake-oil product with home-rolled ciphers or "passwordless" security or such nonsense. At the moment, nobody admits being able to breaking it and I am not aware of instances that indicate it has been broken. And, other than many other products, it is widely used. Personally I would say it is on a level with PGP/GnuPG/dm-crypt/LUKS with regard to security level offered.

Re:

[Nimey (114278)]

If the Mac version is any example, TrueCrypt now uses FUSE. That's not /completely/ independent of the kernel, but it's still rather more stable than having to recompile TC every time you build a new kernel.

Re:if truecrypt.org is still down

[Scott Lockwood (218839)]

IMPORTANT: Official TrueCrypt distribution packages can be downloaded only from www.truecrypt.org (above, select 'Project' > 'Web Site')

You Fail It.

Re:

[base3 (539820)]

Thanks, but the packages are not available to download from SourceForge. "IMPORTANT: Official TrueCrypt distribution packages can be downloaded only from www.truecrypt.org (above, select 'Project' > 'Web Site') Notes"

Re:if truecrypt.org is still down

[leuk_he (194174)]

5.0

February 5, 2008

New features:

*

Ability to encrypt a system partition/drive (i.e. a partition/drive where Windows is installed) with pre-boot authentication (anyone who wants to gain access and use the system, read and write files, etc., needs to enter the correct password each time before the system starts). For more information, see the chapter System Encryption in the documentation. (Windows Vista/XP/2003)
*

Pipelined operations increasing read/write speed by up to 100% (Windows)
*

Mac OS X version
*

Graphical user interface for the Linux version of TrueCrypt
*

XTS mode of operation, which was designed by Phillip Rogaway in 2003 and which was recently approved as the IEEE 1619 standard for cryptographic protection of data on block-oriented storage devices. XTS is faster and more secure than LRW mode (for more information on XTS mode, see the section Modes of Operation in the documentation).

Note: New volumes created by this version of TrueCrypt can be encrypted only in XTS mode. However, volumes created by previous versions of TrueCrypt can still be mounted using this version of TrueCrypt.
*

SHA-512 hash algorithm (replacing SHA-1, which is no longer available when creating new volumes).

Note: To re-encrypt the header of an existing volume with a header key derived using HMAC-SHA-512 (PRF), select 'Volumes' > 'Set Header Key Derivation Algorithm'.

Improvements, bug fixes, and security enhancements:

*

The Linux version of TrueCrypt has been redesigned so that it will no longer be affected by changes to the Linux kernel (kernel upgrades/updates).
* Many other minor improvements, bug fixes, and security enhancements. (Windows and Linux)

If you are using an older version of TrueCrypt, it is strongly recommended that you upgrade to this version.

4.3a.......

==============
System Encryption

TrueCrypt can on-the-fly encrypt a system partition or entire system drive, i.e. a partition or drive where Windows is installed and from which it boots (a TrueCrypt-encrypted system drive may also contain non-system partitions, which are encrypted as well).

System encryption provides the highest level of security and privacy, because all files, including any temporary files that Windows and applications create on the system partition (typically, without your knowledge or consent), swap files, etc., are permanently encrypted. Windows also records large amounts of potentially sensitive data, such as the names and locations of files you open, applications you run, etc. All such log files and registry entries are always permanently encrypted as well.

System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first cylinder of the boot drive.

Note that TrueCrypt can encrypt an existing unencrypted system partition/drive in-place while the operating system is running (while the system is being encrypted, you can use your computer as usual with

Re:Slashdotted - Download Mirror on Filehippo

[HP-UX'er (211124)]

Here it is [filehippo.com]

Re:Slashdotted

[apathy maybe (922212)]

Actually, I've been having trouble accessing the site all day.

I've been looking forward to the Linux GUI since I read about it, checking back, checking back etc.

Then today, suddenly the entire site is virtually inaccessible.

On the actual release, I think it is going to be good. After all, we see a new MacOS version, a Linux GUI and a few other nice little tools which most people might not even notice.

On the actual software, I love TrueCrypt, I use it both in Windows (where it, simply, is so easy to use), and in Linux (command-line, mehs all around, plus you have to go and delete history if you don't want to save the fact that your using it (or perhaps the fact that a specific file/partition is a container)).

The hidden-partition feature is the bees knees, especially for those extra secret documents, just hide them behind some porn, financial data or something else which you access and make changes to regularly (to hide if you are making changes to the hidden volume).

The ability to back-up headers makes this software great for businesses or governments (can restore a password if a user loses it), and this new encrypt the entire system thing, simply swell (though it doesn't work on Linux/MacOS I don't think).

Anyway, as always, check out the Wikipedia article for more info. http://en.wikipedia.org/wiki/TrueCrypt [wikipedia.org]

Re:

[SScorpio (595836)]

You're able to write protect the hidden area and write to the dummy partition. The only bad thing that it reports is that data written to the hidden partition area will appear as a write error. So you can technically have updated files in the dummy area.

Re:Slashdotted

[telchine (719345)]

The site is sooo slooow. Mirror please! But the update seems great!

http://sourceforge.net/projects/truecrypt/ [sourceforge.net]

Re:Slashdotted

[InvisiBill (706958)]

FYI, http://www.truecrypt.org/downloads.php [truecrypt.org] links to http://truecrypt.sourceforge.net/downloads/TrueCrypt%20Setup%205.0.exe [sourceforge.net].

Re:

[Library Spoff (582122)]

You can ONLY download from truecrypt.org. According to the sourceforge page anyway...

Re:

[imsabbel (611519)]

My personal experience with TC 4.0 (and, obviously, not my boot disk):

Random accesses arent slowed down noticable, but large STR (like copying 50Gbyte to another HD) are. For me, the limit was about 30Mbyte/s.
But as this is driver-level CPU load, and not interupt driven, the system responsitivity was not negatively affected.

Memory usage is neglectable, and CPU load scales linearly with bytes/s. So in most scenarios, or multicores, its not the limiting factor.

But you would NOT want to capture video or stuff

Re:OT -- what's the state of flash encryption?

[XMyth (266414)]

TrueCrypt can do this when used in 'Traveler' mode.

It does install a system driver when in use, but the driver can reside purely on the unencrypted portion of the flash drive.

James

Re:

[Sloppy (14984)]

File servers might not be able to tolerate the performance penalty of encryption.

Huh. I guess different people have seen different things, but in my experience, fileservers tend to have underworked CPUs. And it just becomes more extreme ever year, as CPUs double in speed more frequently than I/O devices do.

Re:

[TheLink (130905)]

It's not part of Ubuntu in a useful way.

Here's what it takes for it to be a real part of Ubuntu:

On a default install, EVERYONE should get a truecrypt container file that's of a fair size (maybe relative to the HDD size with a max limit, and min limit - unless the drive is really too small then it's not installed), with a random password.

Now truecrypt becomes far far more useful to everyone, because everyone now has plausible deniability.

All that marketing bullshit about hidden partition vs dummy partition i