TrueCrypt 6.0 Released

ruphus13 writes "While most of the US was celebrating Independence Day, the true fellow geeks over at TrueCrypt released version 6.0 of TrueCrypt over the long weekend. The new version touts two major upgrades. 'First, TrueCrypt now performs parallel encryption and decryption operations on multi-core systems, giving you a phenomenal speedup if you have more than one processor available. Second, it now has the ability to hide an entire operating system, so even if you're forced to reveal your pre-boot password to an adversary, you can give them one that boots into a plausible decoy operating system, with your hidden operating system remaining completely undetectable.' The software has been released under the 'TrueCrypt License,' which is not OSI approved."

first

svefg cbfg

More filesystems

Well, I hope that it now supports more filesystems, because mucking about with FAT on MacOS X didn't appeal to me last time.

Re:More filesystems

It still only creates FAT file systems, but you can reformat to whatever you want afterwards. I tried it with both HFS+ and ZFS and it seemed to work fine.

That might betray the presence of a hidden volume

- depending upon the file system.

For instance, if you used ext3 then mkfs.ext3 is going to put backup super blocks all over your disk. If you then setup a hidden volume later on, some of those backup super blocks are going to get over written. An attacker - to whom you've been forced to reveal your outer volume password - could easily discover that the backup super blocks aren't the same as the real super block and deduce that you're using a hidden volume that you didn't tell them about. You could, when formating, tell mkfs.ext3 not to use any backup super blocks - but that also might look a bit suspicious. Just food for thought.

Local admin rights on Windows

I work as a consultant and often use Truecrypt on my USB key in traveller mode on sites where I work. The top thing on my wishlist is to be able to run/install Truecrypt on a Windows machine without admin rights.

The issue is described in full here [truecrypt.org]:

[..] In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. [...]

Full release notes can be found here [truecrypt.org].

Re:Local admin rights on Windows

You don't mind exposing your secrets to a machine you don't have control over (and thus should not trust)? I don't recommend it.

You should copy the files that you don't mind exposing, to the unencrypted partition of the USB key or a different no crypto USB drive.

Re:Local admin rights on Windows

You don't mind exposing your secrets to a machine you don't have control over (and thus should not trust)? I don't recommend it.

You should copy the files that you don't mind exposing, to the unencrypted partition of the USB key or a different no crypto USB drive.

Obviously his specific use for truecrypt is to protect data in transit, should he lose the USB drive.
I think that's a very common scenario.
Your 'solution' completely negates the value of that use of truecrypt.

Re:Local admin rights on Windows

You don't mind exposing your secrets to a machine you don't have control over (and thus should not trust)? I don't recommend it.

I'm not the OP, but this is being sillily unreasonable.

For instance, I don't have admin rights on the computer in my office. So maybe I don't want to trust this computer entirely. But if I'm walking back and forth with my USB key most days, the major threat is me leaving the key sitting on the bus seat or something like that, not information being stolen while I'm on the work computer.

It's not like just because you don't control a computer you don't trust it at all, or that just because something is in a TrueCrypt volume it's extremely sensitive.

Re:Local admin rights on Windows

I work as a consultant and often use Truecrypt on my USB key in traveller mode on sites where I work. The top thing on my wishlist is to be able to run/install Truecrypt on a Windows machine without admin rights.

The issue is described in full here [truecrypt.org]:

[..] In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. [...]

Full release notes can be found here [truecrypt.org].

You dont need Admin rights with TCexplorer
Ideal for USB key
http://www.codeproject.com/KB/files/TCExplorer.aspx

Only works if it's default install

All this crypto stuff only works well if it's part of the default install and config.

Otherwise users get exposed to "rubberhose cryptography".

Basically if all users even Joe Sixpack get an encrypted partition by default, then people using crypto will be safe - they have plausible deniability.

Re:Only works if it's default install

Yeah, but Truecrypt has a defence against that. It is called "hidden volumes". Basically, you create a container, use it for porn or financial records (something that you have a legitimate reason to want to hide, from the wife or identities thieves for example), something that you access often. Then you create a hidden volume that is put at the end of that volume, which to access requires a second password.

There is no way of knowing if that second hidden volume exists unless you have both passwords.

If you access the first volume without both passwords, then you can just wipe over whatever information you have stored in the hidden volume.

Oh yeah, I love TrueCrypt. It's groovy.

Re:Only works if it's default install

Get a clue.

Does Joe Sixpack's computer come with Truecrypt? Does it come with a truecrypt container preinstalled?

The answer is NO.

So if the wrong people find Truecrypt on your computer guess what happens to you. If you say "Nothing" well: "Wrong answer!". They may give up after a few days of giving you the treatment, but it still means you get the treatment.

Whereas if everybody had truecrypt AND an encrypted partition, they could a) try to waterboard everyone, b) wait till they have more evidence.

And that is why I reported this bug/feature request: https://bugs.launchpad.net/ubuntu/+bug/148440 [launchpad.net]

Encryption must appear to be in _use_ by default by all users, then you get safety in numbers. When even your grandma using Ubuntu has a crypto partition, things are better for the people actually using it.

Re:Only works if it's default install

I followed this back to the Ubuntu bug report 148440 and see that a comment has been added https://bugs.launchpad.net/ubuntu/+bug/148440/comments/4 [launchpad.net] that I think says it all.

Re:Only works if it's default install

Think you totally missed the point.

You put plausible data into the encrypted volume, when they ask for your password you give it up, they access the encrypted volume and see you got porn/financial stuff/what nots you don't want others to see. What they can't see is the fact that there is another volume hidden inside this, which there is no way of knowing unless you got the second password. Waterboarding the person makes no sense since he has already given up the password giving you access to the "entire" volume.

Re:Only works if it's default install

Stop being an idiot and read up on it. You can *not* tell. And it certainly does not show up as free space. You can *not* prove OR disprove the existence of another hidden partition. Period. "Trained to look for it", oh please.

Re:Only works if it's default install

I have no hidden volume. I use truecrypt as a simple and easy way to keep my clients personal data secure.

No, I'm quite positive that you do have a hidden volume. It's where you're storing all of your terrorist secrets, and unless you reveal the password then this ballpeen hammer has a date with your fingers.

Still don't want to talk? Maybe you just need a little more electricity.

We'll stop when you are able to prove to the nice men who are protecting your country that you _don't_ have a hidden encrypted partition, and then they will let you go.

Re:Only works if it's default install

Great!. Now everybody will think I have a hidden partition, because I have she-male porn. Uh I mean, never mind.

Relevant links

Project homepage is here: http://www.truecrypt.org/ [truecrypt.org]
Release notes here http://www.truecrypt.org/docs/?s=version-history [truecrypt.org]

(Btw, these links should be in the article, instead of an external (sponsored?) one).

Great - I'll keep my geek-cred

It now has the ability to hide an entire operating system, so even if you're forced to reveal your pre-boot password to an adversary, you can give them one that boots into a plausible decoy operating system, with your hidden operating system remaining completely undetectable.

Great, I can now maintain my geek-cred by hiding the fact that I sometimes have to boot into Windows to run things like a GPS map updater. No more microsoft on the boot menu.

Sad

It's sad. I often travel between the US and China on business ( I live on the China side ). I've always been careful with sensitive data, but now I'm absolutely fascist. Why? I have no fear of the Chinese government. Besides, I work for a Chinese company. I fear my own country illegally accessing files to which they have absolutely no rights whatsoever.

Honestly. If someone works for the US government, pulls some CEO's laptop at the boarder for "inspection" and gets free access to all the company financials, would they do the right thing? How many semi-intelligent people wouldn't be tempted to start buying stock options or call their best friend with a really good "tip"? Even if they SEC investigated, they would never find the link.

Over the last several years, I've always been treated very respectfully inside China and going to and from. It is in the US, my own country, where I'm treated as if I'm already guilty.

Back to the topic at hand. TrueCrypt is a wonderful product. Everyone should be using it.

One question

True crypt is fabulous. But is it good enough to hide a body?

Hans

Independence day?

While most of the US was celebrating Independence Day, the true fellow geeks over at TrueCrypt released version 6.0 of TrueCrypt over the long weekend.

That might not be just a coincidence.

Re:OK

actually you can. with truecrypt I can create an encrypted volume which is just a file on my hard disk. say it's 1 gigabyte. To access it I have to type in my password "secretpass" I see a 1 gigabyte volume. now I can stop there. it's encrypted strongly enough to protect my files. I throw 200 MB of porn/corporate data/personal emails/photos of my girlfriend on there. it shows as 800MB free. Now I create a hidden volume 800 MB in size. In there I put my plans for how to kill every politician, the details of my drugrunning opperation, the plans for a nuclear weapon. etc etc etc. to access this I have to type in my second password "password2" So I boot up truecrypt, select the 1 gig file which is my virtual drive, type in "secretpass". What I then see is a 1 gig drive with 800mb free space and lots of semi-important files. if I open that same file with "password2" I'll see an 800MB drive almost full with highly important documents. There is no missing hard drive space, no hint at all that there is anything but the first drive unless I enter the second password. (side note, if you add files to the first drive then there's a chance that you'll overwrite files on the hidden drive since unless you enter that password as well then truecrypt can't see that it's there.)

Re:Breaking volumes

You know, if law enforcement "fucked up your volume" as you so nicely put it, they have just destroyed whatever evidence you where trying to hide. So why would anyone using true crypt have a problem with that?

Re:Breaking volumes

AFAIK, yes, if you fill the decoy volume it will kill your hidden volume.

which makes you wonder how long it'll be until a tool is developed for law enforcement specifically designed to fuck up these volumes.

They can only do that if they've confiscated your laptop *and* acquired your 'decoy' password. At that point, your only concerns are they not getting your data and you being able to deny the data is there in the first place.

Somebody deleting all your sensitive files is not a bad thing to happen at that point.