TrueCrypt 5.0 Released, Now Encrypts Entire Drive 330
A funny little man writes "The popular open source privacy tool, TrueCrypt, has just received a major update. The most exciting new feature provides the ability to encrypt an entire drive, prompting the user for a password during boot up; this makes TrueCrypt the perfect tool for non-technical laptop users (the kind who are likely to lose all of that sensitive customer data). The Linux version receives a GUI and independence from the kernel internals, and a Mac version is at last available too."
The final excuse. (Score:5, Interesting)
One thing annoys me: (Score:5, Interesting)
Thats nice.
But how about converting non-boot drives?
Doesnt seem to be possible.
Not everybody starts with a blank sheet, or has double the needed capacity to empty first one HD and then another...
What about wake up? (Score:4, Interesting)
Re:Download here (as the site seems down atm) (Score:2, Interesting)
Finally a Linux GUI :) (Score:3, Interesting)
Ah well, maybe the storm will be over till I'm home.
Dual boot? (Score:1, Interesting)
Re:Independence from Kernel Internals? (Score:5, Interesting)
Hi, I read the site yesterday (from Firehose), and I think I can say one thing or two.
TrueCrypt does a good job of encryption, it's not a trivial level. It uses strong algorithms, and you can choose from 5 or 6 different algorithms. It doesn't store your password anywhere in the disk, when you type the password, it tries to decrypt the header, and if it makes sense (I guess if checksums match) then it knows it's the right password and it goes on, otherwise not. It uses basically the XEX (almost sure that's the name... I don't really know what it is, this is what I remember from the site) schema, but XEX uses only one key for two purposes, and TrueCrypt uses two different keys for these two purposes.
The whole-disk encryption (the correct term is partition encryption) seems to work well, at least from the documentation, I didn't try it (yet). It includes a boot sector that does the part of asking the password during boot and decrypting the partition. The boot sector is obviously encrypted, and I suppose it also stores some unencrypted data to implement the boot code (I don't believe it can be done in 512 bytes only), but after you boot the OS, everything it sees is encrypted, so it will protect even temporary files or logs created by the OS on that drive. Even if it doesn't encrypt 100% of the data (boot sector, boot code), it encrypts everything that you should encrypt. What it doesn't encrypt is not secret in any way.
I tried previous versions and I liked it, it is really a great product, and if 5.0 does everything they say it does, I guess it's really worth it. Whole-disk encryption is no longer missing from this excellent software, many businesses need it for laptops (just see how many information theft happened last year due to lost laptops). I believe TrueCrypt is going mainstream now.
Hard Drive Read/Write Times (Score:2, Interesting)
I am all for more security. But, if it slows my laptop down to the point of un-usability....
FIPS 140-2? (Score:3, Interesting)
I will always encrypt (Score:5, Interesting)
And one big big big reason I use encryption: Usenet. I often use NewsBin to indiscriminately download all the binaries in a given group. I think this is very dangerous. And many times you get some very illegal junk you just don't want lying around -- but I can't get to it for several days to manually filter through it. ISPs get the benefit of being an ISP and not having to filter their caches for content; I do not get that same benefit. If I get caught with something I shouldn't have, it's jail time.
So if it comes up that I had inadvertently downloaded some kiddie pr0n through Usenet newsgroup (which is often mixed in with legitimate stuff), and my machine gets searched, I want some protection. And both: the things I downloaded and the things I have deleted simply CAN NOT be found.
Re:The final excuse. (Score:5, Interesting)
Re:The final excuse. (Score:3, Interesting)
Recovery CD (Score:5, Interesting)
I know it doesn't happen often, but there is not anyone here that hasn't at least once screwed up something on his system and needed to boot a livecd to fix a configuration file. With total disk encryption, what do you do? You're boned, as far as I can see and I don't think that I really like the idea.
As I'm writing this, the thought pops into my head that "you can probably just enter your passphrase from the live environment while trying to mount the filesystem". Is this how things actually work? It's a genuine question and I'd appreciate not being modded down for asking it. Of course someone probably will.
Hibernate? And Error: Insufficient Memory (Score:2, Interesting)
Additionally the documentation is very sparse when it comes to features like Windows Hibernation; it implies in the docs that it disables hibernation but who knows
Forums are down so can't see the rest of the users screaming (assuming they can boot, of course...)
DriveLock: Full Discosure Required (Score:5, Interesting)
As referenced in another reply, http://technocrat.net/d/2007/3/9/15796 [technocrat.net]this user was obviously not aware that DriveLock can be very easily bypassed if the persons taking your hardware have access to a clean-room facility.
Lastly, your definition of sensitive data might be different than mine. Without full disclosure, how can I be expected to make an informed decision about the strength of protection required?
Re:LUKS? Ubuntu? (Score:3, Interesting)
Here's what it takes for it to be a real part of Ubuntu:
On a default install, EVERYONE should get a truecrypt container file that's of a fair size (maybe relative to the HDD size with a max limit, and min limit - unless the drive is really too small then it's not installed), with a random password.
Now truecrypt becomes far far more useful to everyone, because everyone now has plausible deniability.
All that marketing bullshit about hidden partition vs dummy partition is stupid, if the default install doesn't come with container files, and you create some, that bumps you up the list of "people to waterboard" or "ask nicely for all their passphrases".
Whereas if the default install came with encrypted container files, they can't harass every ubuntu user.
Naturally it has to be done in a way so that:
1) The container file access times and modified times aren't changed.
2) The container file(s) or their contents are never backed up automatically by the system or indexed etc. Otherwise the risk of people finding out that you are using crypto goes up - they just have to get hold of your backups and do some comparisons and then your quality of life goes down.
3) Using the container file is easy.
If people want to backup the container or files from the container, they must really use their brains otherwise they might have problems later on...
(I submitted this suggestion to ubuntu some time ago, not sure if they will do it - Ubuntu might get banned in some countries, or at least the default edition with crypto might get banned).
Anyway enough for now - bedtime...
Junction points? (Score:3, Interesting)
Still no option to mount a TrueCrypt volume on an NTFS junction point, alas.
PGPdisk has had this for ages. Means you don't have to expose to all and sundry who can see your machine that another drive has just appeared.
Would very much like to see this in the next version.
code audit by professionals (Score:3, Interesting)
if the code has never been audited doesn't it seem a bit irresponsible to recommend truecrypt?