  1. #1
    Ultimate Member Interrupt's Avatar
    Join Date
    Sep 2011
    Location
    The Villa Straylight
    Posts
    1,561
    Blog Entries
    4

    Truecrypt Whole Disk Encryption

     
    Anyone have much luck with Truecrypt's whole system disk encrypting? Will be trying it on my single partition system but wondering how much that will increase file sizes.

    Just in case I'm cloning the drive before I begin! XD I really don't want to be left with a broken boot sector. Or worse... completely damaged data.

    Also wondering if non-system encrypted drives w/ Truecrypt can have data added to them outside of Windows or if you need to load the Truecrypt program, decrypt the drive and then add files each time. I'm guessing the latter but then what happens when you connect a drive outside of Windows which is encrypted, it doesn't show up? Not sure.

    The reason for my last question is that I'd like to encrypt a 2TB HDD I use for backing up customer disk images & backups. But I also often need to access the drive outside of Windows. Can I drop the files onto the drive and encrypt them later once within Windows and Truecrypt is opened?

    I have experience using Truecrypt in a secure volume setting just not the program's whole disk/drive feature.

    Anyone with any knowledge of Truecrypt can chime in.
    Last edited by Interrupt; November 22nd, 2011 at 06:06 PM.
    “Arguing with anonymous strangers on the Internet is a sucker's game because they almost always turn out to be—or to be indistinguishable from—self-righteous sixteen-year-olds possessing infinite amounts of free time.” ― Cryptonomicon

  2. #2
    Banned
    Join Date
    Feb 2009
    Location
    KFNL FS2004
    Posts
    11,886
    Blog Entries
    1
    I'm using Truecrypt right now as my browser is encrypted in the volume. But this is a portable volume. I never tried whole disk encryption, but it shouldn't be a problem once you mount and dismount the drive.

    I actually have a program that can decrypt truecrypt volumes. The best password to use is with keyfiles. I use a DVD as the keyfile so that the data of the keyfile doesn't change.
    Last edited by Taxmancometh; November 22nd, 2011 at 07:38 PM.

  3. #3
    Ultimate Member Interrupt's Avatar
    Thanks bro, makes sense! I'm worried more about the main system disk but the obvious and inherent flaws in NTFS's EFS leave me needing that extra peace of mind. Plus Truecrypt is free. So I think I'll try that too with the tc bootloader.

    Oh cool. I didn't know you could do that with keyfiles, I'll give it a try.

  4. #4
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    33,778
    Blog Entries
    46
    FYI

    Schneier on Security: "Evil Maid" Attacks on Encrypted Hard Drives

    Granted something is better than nothing, but not sure if you knew about this or not.

    We do whole disk PGP encryption here at work.

  5. #5
    Ultimate Member Interrupt's Avatar
    Wow, no I didn't. Thank you for the information! Not cool...*tosses out that idea*

    I suppose I can still implement this on non-system disks but it doesn't bode too well on system disks.

  6. #6
    Ultimate Member Interrupt's Avatar
    Then again it does rely on someone being physically near my computer at some point, setting this hack up without me knowing (or remotely using a virus or malware to accomplish this), me entering key, and them being in the physical location to make use of it later technically (the one time key across the net isn't such a big deal but physically having access to the drive is a problem).

    Worth the protection or not? Plus, out of curiosity, how long would a 300 gig hd take to decrypt upon a fresh system boot?

  7. #7
    Goverment property now GroundZero3's Avatar
    Depends on the spec of your system

    Granted as the article states the user will need physical access to your computer.

  8. #8
    Ultimate Member Interrupt's Avatar
    Bah which essentially gets rid of the primary objective of whole disk encryption (after all you don't establish it for remote security but against those who would physically access the terminal).

    So in your opinions is it worth the effort? To me it isn't looking like it.

    A failsafe in the computer to destroy the data in case of compromise seems more valuable to me. But I'd need to check each option for security exploits. Obviously good data recovery - the kind I do - may be able to recover something but maybe some form of hardware which encrypted wipe/pass the drive would be quicker (software wipes take too long).

    Or we can opt for the old C4 trick. physical destruction trumps all else.

  9. #9
    Banned
    I've heard of the evil maid trick, but for 1. if you're using keyfiles to help protect the volume I don't see how the hack will work and 2. if this is a laptop and you password protect the hard drive no one is getting in. Granted there are a few tools I know of that can find a default password for the hard drive but for my Dell Inspiron I can't seem to find the default password at all.

    Instead of using the whole disk encryption mode I would create a massive encrypted container using a keyfile and a lengthy password.
    Last edited by Taxmancometh; November 23rd, 2011 at 03:36 PM.

  10. #10
    Ultimate Member Interrupt's Avatar
    Well the BIOS password I'll agree but a Windows password is easy enough to crack regardless of length (Ophcrack w/ rainbow tables ftw). Again time memory tradeoff is a biotch as far as time and RAM required but with enough steadfast dedication such is typically rendered helpless. I've heard of BIOS hacks but that's really a discussion unto itself and depends entirely on the BIOS.

    I'll agree with you on that last part too though, Tax. I think that's what I'll do to avoid bootloader hacks. Just put all my sensitive files in that on my main system.

    Do you see any inherent security flaws in creating a non-bootable encrypted disk? I have a secondary backup HDD that I'd like to encrypt the content on but it contains no operating system. As far as I know that should be fine, correct? Or for that would you still use an encrypted volume WITHIN/ON the disk?

  11. #11
    Ultimate Member Interrupt's Avatar
    I am nervous about keyfiles also because I have a tendency of losing shtuff (censored).

  12. #12
    Ultimate Member Interrupt's Avatar
    Ugh, XP doesn't allow for in place non-system disk encryption... I forgot! To go that route I'd need to move files from one disk to another which essentially eliminates security (data can then be recovered off that backup drive even if it was deleted with a tool). Then again I could wipe the backup drive clean which I'm highly considering in order to accomplish this. The encrypted drive's encrypted volume would then need to be formatted and suited for encryption.

    It isn't a bad thing but it isn't direct either and rather time consuming.

    Such is the price for security.

  13. #13
    Ultimate Member Interrupt's Avatar
    I've decided to create an encrypted non-system volume on the external I'm trying to encrypt. I've decided that the whole disk encryption using the Truecrypt bootloader is not suitable for my level of security (thank you GZ for bringing this to my attention & thank you Taxman for suggesting the encrypted volume on the disk).

    I won't be doing the system disk at this time but when I do I'll be using Taxman's method of making an encrypted volume on the disk as opposed to an encrypted system disk (for the reasons stated above). Right now I'll be simply encrypting my mechanical external drive.

    But since XP doesn't support (data) intact whole disk encryption I'll have to format the encrypted volumes first. Will do this by backing up sensitive files first onto another drive (herein referred to as "backup"), Gutmann's 35 pass encrypted wipe the original (significantly stronger than the two DoD/NSA approved methods), create an encrypted volume on that external drive, transfer over the files and use a 6 pass DoD on the backup drive (I opted for DoD standard since Gutmann on a 2 TB will take a long time but I may opt for something a little less strong here yet, regardless it will be wiped).

    I'll then run recuva & a hex viewer-data erase tool that I have on both drives to ensure nothing was left unsecured.

    Is that level of security and anti-CS forensics required? For me? Yes. I'm all about security (a bit paranoid).

    Thanks for the help guys, it really did help me make my decision on how to proceed with encrypting my drives. Hopefully in time I'll even get around to working on the system disk (the Taxman Method, lol). But I have a feeling just doing the above is going to take some time so I have plenty of time to consider my options.

    Thanks again as always!
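    Added example, not part of the original posts: a rough check for the verification step described in post #13. After a wipe whose final pass is random data or zeros (an assumption about the wipe tool's settings), or after creating an encrypted volume, every block should be all-zero or look random, so low-entropy blocks point to leftover readable data. The block size, threshold, and sample image are constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

BLOCK = 4096  # assumed scan granularity (a common cluster size)

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 = constant, 8.0 = uniform."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def scan(path, threshold=7.0, block=BLOCK):
    """Yield (offset, entropy) for blocks that look like leftover plaintext."""
    with open(path, "rb") as f:
        offset = 0
        while chunk := f.read(block):
            # An all-zero block is a legitimate result of a zero-fill pass.
            if chunk.count(0) != len(chunk):
                # A short trailing chunk cannot reach 8 bits/byte, so the
                # limit is lowered for it to avoid a false positive.
                limit = min(threshold, math.log2(len(chunk)) - 1)
                h = entropy(chunk)
                if h < limit:
                    yield offset, h
            offset += len(chunk)

def demo():
    """Scan a constructed 4-block image: random, zeros, leftover text, random."""
    leftover = (b"constructed sample: customer backup index, row 0001\r\n" * 80)[:BLOCK]
    image = os.urandom(BLOCK) + bytes(BLOCK) + leftover + os.urandom(BLOCK)
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(image)
    try:
        return [off for off, _ in scan(tmp.name)]
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    for off in demo():
        print(f"low-entropy block at offset {off:#x}")
```

    Compressed or already-encrypted leftovers also have high entropy, so a clean result rules out readable remnants only; it does not prove the wipe or the encryption was done correctly.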

  14. #14
    Banned
    You're welcome. I'm just as paranoid when it comes to security. What are you using to wipe the drives? Darik's Boot and Nuke?

  15. #15
    Ultimate Member Interrupt's Avatar
    Disk Wipe but that is good too.

  16. #16
    Ultimate Member Interrupt's Avatar
    Disk Wipe - Free software
    Both work wonders.

    DBAN, if I recall correctly, is better for bulk wipes (more than one drive) and system drives. But again it's really all preference. The wipe is still as effective.
    Last edited by Interrupt; November 25th, 2011 at 01:21 AM.
