TrueCrypt 5.0 Released, Now Encrypts Entire Drive

A funny little man writes "The popular open source privacy tool, TrueCrypt, has just received a major update. The most exciting new feature provides the ability to encrypt an entire drive, prompting the user for a password during boot up; this makes TrueCrypt the perfect tool for non-technical laptop users (the kind who are likely to lose all of that sensitive customer data). The Linux version receives a GUI and independence from the kernel internals, and a Mac version is at last available too."

  • The final excuse. (Score:5, Interesting)

    by Anonymous Coward on Wednesday February 06, 2008 @09:56AM (#22319976)
    That removes the last excuse people have for not encrypting everything..."It is too complicated". Total encryption with a password at bootup...couldn't be simpler.
  • One thing annoys me: (Score:5, Interesting)

    by imsabbel ( 611519 ) on Wednesday February 06, 2008 @10:01AM (#22320048)
    They have the option to convert boot drives to encrypted drives... even while the system is running.
    That's nice.

    But how about converting non-boot drives?
    Doesn't seem to be possible.

    Not everybody starts with a blank sheet, or has double the needed capacity to empty first one HD and then another...
  • What about wake up? (Score:4, Interesting)

    by unbug ( 1188963 ) on Wednesday February 06, 2008 @10:02AM (#22320072)
    I almost never turn off my laptop, I just close the lid. Will it ask me for a password when it wakes up again?
  • by base3 ( 539820 ) on Wednesday February 06, 2008 @10:06AM (#22320130)
    You can't get the distribution from SourceForge. The download page only contains text directing the would-be downloader to truecrypt.org.
  • by Loibisch ( 964797 ) on Wednesday February 06, 2008 @10:14AM (#22320214)
    I've been waiting for this release. I know that real men use the command line for each and everything including brewing their morning coffee, but I was really looking forward to the graphical user interface. :) Of course, thanks to Slashdot now the site (which has been dead slow all day) has now been blasted out of orbit...

    Ah well, maybe the storm will be over till I'm home.
  • Dual boot? (Score:1, Interesting)

    by Anonymous Coward on Wednesday February 06, 2008 @10:19AM (#22320272)
    How well does this play with the other *legitimate* operating system you might have on the computer? Would you be locked out of a drive on the other?
  • by filbranden ( 1168407 ) on Wednesday February 06, 2008 @10:26AM (#22320356)

    Hi, I read the site yesterday (from Firehose), and I think I can say one thing or two.

    TrueCrypt does a good job of encryption, it's not a trivial level. It uses strong algorithms, and you can choose from 5 or 6 different algorithms. It doesn't store your password anywhere in the disk, when you type the password, it tries to decrypt the header, and if it makes sense (I guess if checksums match) then it knows it's the right password and it goes on, otherwise not. It uses basically the XEX (almost sure that's the name... I don't really know what it is, this is what I remember from the site) schema, but XEX uses only one key for two purposes, and TrueCrypt uses two different keys for these two purposes.

    The whole-disk encryption (the correct term is partition encryption) seems to work well, at least from the documentation, I didn't try it (yet). It includes a boot sector that does the part of asking the password during boot and decrypting the partition. The boot sector is obviously encrypted, and I suppose it also stores some unencrypted data to implement the boot code (I don't believe it can be done in 512 bytes only), but after you boot the OS, everything it sees is encrypted, so it will protect even temporary files or logs created by the OS on that drive. Even if it doesn't encrypt 100% of the data (boot sector, boot code), it encrypts everything that you should encrypt. What it doesn't encrypt is not secret in any way.

    I tried previous versions and I liked it, it is really a great product, and if 5.0 does everything they say it does, I guess it's really worth it. Whole-disk encryption is no longer missing from this excellent software, many businesses need it for laptops (just see how many information thefts happened last year due to lost laptops). I believe TrueCrypt is going mainstream now.
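
The header check described in the comment above (no stored password; derive a key, decrypt the header, accept only if a known marker and a checksum come out right), sketched as an added example that is not part of the thread and is not TrueCrypt's code. Assumptions: the header layout is simplified, the iteration count is chosen for the sketch, and an HMAC-based keystream stands in for the real block cipher because Python's standard library has none.

```python
import hashlib
import hmac
import os
import struct
import zlib

MAGIC = b"TRUE"       # known marker that only appears after a correct decryption
SALT_LEN = 64         # the salt is the only part of the header stored in the clear
ITERATIONS = 50_000   # assumed work factor for this sketch


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256 counter keystream (not a disk cipher)."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def _header_key(password: bytes, salt: bytes) -> bytes:
    # The password is never written to disk; it only feeds the key derivation.
    return hashlib.pbkdf2_hmac("sha512", password, salt, ITERATIONS, dklen=32)


def make_header(password: bytes, master_key: bytes, salt: bytes = None) -> bytes:
    """Build salt || Enc(MAGIC || CRC32(master_key) || master_key)."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    body = MAGIC + struct.pack(">I", zlib.crc32(master_key)) + master_key
    return salt + _keystream_xor(_header_key(password, salt), body)


def open_header(password: bytes, header: bytes):
    """Return the master key if the password decrypts the header sensibly, else None."""
    salt, ciphertext = header[:SALT_LEN], header[SALT_LEN:]
    body = _keystream_xor(_header_key(password, salt), ciphertext)
    if body[:4] != MAGIC:                 # wrong password: decryption yields noise
        return None
    (stored_crc,) = struct.unpack(">I", body[4:8])
    master_key = body[8:]
    if zlib.crc32(master_key) != stored_crc:   # damaged header or key area
        return None
    return master_key


if __name__ == "__main__":
    hdr = make_header(b"correct horse", os.urandom(32))   # constructed sample values
    print("right password:", open_header(b"correct horse", hdr) is not None)
    print("wrong password:", open_header(b"wrong guess", hdr) is not None)
```

The CRC here only catches wrong keys and accidental damage; it is not a cryptographic authenticity check on the header.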

  • by sjaguar ( 763407 ) on Wednesday February 06, 2008 @10:29AM (#22320386) Homepage
    As someone who has never used full-drive encryption, how does this impact hard drive access? Will reads/writes be noticeably slower (assuming a relatively new drive)? Will this affect utilities such as a defragmenter or disk checker? How much slower will boot up be? What about memory or CPU usage?

    I am all for more security. But, if it slows my laptop down to the point of un-usability....
  • FIPS 140-2? (Score:3, Interesting)

    by soboroff ( 91667 ) on Wednesday February 06, 2008 @10:47AM (#22320662)
    Are they planning to submit their system for FIPS 140-2? The US OMB decreed that most laptops must be encrypted with full-disk FIPS 140-2-compliant encryption, but the only certified tools for this exist for Windoze. The algorithms used are fine, but this stamp of approval would be very useful for federal Linux and Mac users!
  • by Bobb Sledd ( 307434 ) on Wednesday February 06, 2008 @10:54AM (#22320764) Homepage
    Being in the US, I have become so paranoid now that I encrypt everything with TrueCrypt. Whether it's MP3's, DVDs or pr0n or just simply my web browser cache, it all goes into the encrypted file. Long hard password and keyfiles, and then I also use hidden volumes.

    And one big big big reason I use encryption: Usenet. I often use NewsBin to indiscriminately download all the binaries in a given group. I think this is very dangerous. And many times you get some very illegal junk you just don't want lying around -- but I can't get to it for several days to manually filter through it. ISPs get the benefit of being an ISP and not having to filter their caches for content; I do not get that same benefit. If I get caught with something I shouldn't have, it's jail time.

    So if it comes up that I had inadvertently downloaded some kiddie pr0n through Usenet newsgroup (which is often mixed in with legitimate stuff), and my machine gets searched, I want some protection. And both: the things I downloaded and the things I have deleted simply CAN NOT be found.

  • Re:The final excuse. (Score:5, Interesting)

    by phantomcircuit ( 938963 ) on Wednesday February 06, 2008 @11:03AM (#22320876) Homepage
    All I have to say is this [technocrat.net].
  • Re:The final excuse. (Score:3, Interesting)

    by TAiNiUM ( 66843 ) on Wednesday February 06, 2008 @11:19AM (#22321088)
    What about data recovery? If my drive fails in some manner, can I still recover my data? Without this tool I can at least recover *some* data. Does this eliminate that possibility and turn it into an all or nothing scenario?
  • Recovery CD (Score:5, Interesting)

    by MT628496 ( 959515 ) on Wednesday February 06, 2008 @11:24AM (#22321156)
    I'm not sure whether I like the idea of encrypting my entire disk. I don't really like the idea of not being able to boot a live CD to fix something should the need arise. Unless I'm misunderstanding the features, it won't be possible.

    I know it doesn't happen often, but there is not anyone here that hasn't at least once screwed up something on his system and needed to boot a livecd to fix a configuration file. With total disk encryption, what do you do? You're boned, as far as I can see and I don't think that I really like the idea.

    As I'm writing this, the thought pops into my head that "you can probably just enter your passphrase from the live environment while trying to mount the filesystem". Is this how things actually work? It's a genuine question and I'd appreciate not being modded down for asking it. Of course someone probably will.
  • by paulhar ( 652995 ) on Wednesday February 06, 2008 @11:35AM (#22321402)
    The documentation that comes with the system encryption is sparse. I ran through the tests on my RAID-0 laptop and at boot time I get "ERROR: Insufficient memory" (I've got 2GB... and a 64 bit CPU) so it failed.
    Additionally the documentation is very sparse when it comes to features like Windows Hibernation; it implies in the docs that it disables hibernation but who knows :-/

    Forums are down so can't see the rest of the users screaming (assuming they can boot, of course...)
  • by Anonymous Psychopath ( 18031 ) on Wednesday February 06, 2008 @01:36PM (#22322878) Homepage

    It is well known that DriveLock can be broken. It is also well-known that breaking it is beyond the capability of 99.9% of laptop thieves. This is a fair risk/reward trade-off for all but the most sensitive data.
    I don't think it's well-known at all. DriveLock certainly doesn't say so on their web page. Every DriveLock user should be presented with, at a minimum, a click-through message stating that there are well-known methods of defeating DriveLock that are more practical than those required to defeat strong encryption, and that the methods used by DriveLock are only designed to prevent your data from being disclosed in the event of a casual theft aimed at your hardware, and not at your data. Not buried deep in the EULA, either.

    As referenced in another reply, http://technocrat.net/d/2007/3/9/15796 [technocrat.net] this user was obviously not aware that DriveLock can be very easily bypassed if the persons taking your hardware have access to a clean-room facility.

    Lastly, your definition of sensitive data might be different than mine. Without full disclosure, how can I be expected to make an informed decision about the strength of protection required?
  • Re:LUKS? Ubuntu? (Score:3, Interesting)

    by TheLink ( 130905 ) on Wednesday February 06, 2008 @03:00PM (#22323890) Journal
    It's not part of Ubuntu in a useful way.

    Here's what it takes for it to be a real part of Ubuntu:

    On a default install, EVERYONE should get a truecrypt container file that's of a fair size (maybe relative to the HDD size with a max limit, and min limit - unless the drive is really too small then it's not installed), with a random password.

    Now truecrypt becomes far far more useful to everyone, because everyone now has plausible deniability.

    All that marketing bullshit about hidden partition vs dummy partition is stupid, if the default install doesn't come with container files, and you create some, that bumps you up the list of "people to waterboard" or "ask nicely for all their passphrases".

    Whereas if the default install came with encrypted container files, they can't harass every ubuntu user.

    Naturally it has to be done in a way so that:
    1) The container file access times and modified times aren't changed.
    2) The container file(s) or their contents are never backed up automatically by the system or indexed etc. Otherwise the risk of people finding out that you are using crypto goes up - they just have to get hold of your backups and do some comparisons and then your quality of life goes down.
    3) Using the container file is easy.

    If people want to back up the container or files from the container, they must really use their brains otherwise they might have problems later on...

    (I submitted this suggestion to ubuntu some time ago, not sure if they will do it - Ubuntu might get banned in some countries, or at least the default edition with crypto might get banned).

    Anyway enough for now - bedtime...
  • Junction points? (Score:3, Interesting)

    by Butterspoon ( 892614 ) <<Butterspoon+slashdot> <at> <gmail.com>> on Wednesday February 06, 2008 @04:43PM (#22325230)

    Still no option to mount a TrueCrypt volume on an NTFS junction point, alas.

    PGPdisk has had this for ages. Means you don't have to expose to all and sundry who can see your machine that another drive has just appeared.

    Would very much like to see this in the next version.

  • by unger ( 42254 ) on Wednesday February 06, 2008 @10:14PM (#22328862)
    afaik, the truecrypt code has never been audited for security issues by professional cryptographers. does anyone know if i'm mistaken?

    if the code has never been audited doesn't it seem a bit irresponsible to recommend truecrypt?
