Forgot your password?
typodupeerror

TrueCrypt 5.0 Released, Now Encrypts Entire Drive 330

Posted by CmdrTaco
from the wear-a-condom-people dept.
A funny little man writes "The popular open source privacy tool, TrueCrypt, has just received a major update. The most exciting new feature provides the ability to encrypt an entire drive, prompting the user for a password during boot up; this makes TrueCrypt the perfect tool for non-technical laptop users (the kind who are likely to lose all of that sensitive customer data). The Linux version receives a GUI and independence from the kernel internals, and a Mac version is at last available too."
This discussion has been archived. No new comments can be posted.

TrueCrypt 5.0 Released, Now Encrypts Entire Drive

Comments Filter:
  • I do not think that is feasible for what is essentially part of a disk-driver. Marketing-lies now on Linux versions as well? Linux must be going mainstream...
    • by FudRucker (866063)
      yup, i agree, i knew this would happen as Linux gains market share and popularity...
    • by Chris Mattern (191822) on Wednesday February 06, 2008 @09:59AM (#22320010)
      It is also, of course, impossible that it encrypts the *entire* disk. It may encrypt all the partitions your running system uses, but unless your BIOS has encryption support (which it doesn't), you can't have an encrypted boot partition.
      • by Bandman (86149)
        Assuming the password isn't stored plaintext in the boot partition, isn't an encrypted data partition the important part?
        • Yes. Having an unencrypted boot partition isn't much of a vulnerability if you did your encryption right. That doesn't change the fact that saying you've encrypted "the entire disk" is a marketing lie.
        • by gweihir (88907)
          Assuming the password isn't stored plaintext in the boot partition, isn't an encrypted data partition the important part?

          True. I am not criticizing the technology. I think it is sound. I am criticizing the marketing statement.
      • Re: (Score:3, Informative)

        by Maljin Jolt (746064)
        It is also, of course, impossible that it encrypts the *entire* disk. It may encrypt all the partitions your running system uses, but unless your BIOS has encryption support (which it doesn't), you can't have an encrypted boot partition.

        Your concept of impossible is, of course, a little bit flawed, for I have at least 5 *entire* disks encrypted in this single box I am writing on. And some of them has no partitions, just a filesystem over raw disk.
      • by CarpetShark (865376) on Wednesday February 06, 2008 @10:32AM (#22320426)

        unless your BIOS has encryption support (which it doesn't), you can't have an encrypted boot partition.


        Of course you can. You just can't have an encrypted MBR... unless you boot from a floppy or a USB drive you keep on your person, or something like that. Note that bios limitations can also be circumvented with linuxbios ;)
        • Re: (Score:3, Funny)

          by skeeto (1138903)

          unless your BIOS has encryption support (which it doesn't), you can't have an encrypted boot partition.
          [...] Note that bios limitations can also be circumvented with linuxbios ;)

          Of course, then your BIOS isn't encrypted, so you encrypt it and need another one below that to decrypt it, but then that bottom one isn't encrypted.

          It's encrypted boot code all the way down!

      • by AmiMoJo (196126)
        That isn't entirely accurate. You can encrypt the boot partition, just not the boot record part which contains executable code. The code is driver for Truecrypt volumes that allows Windows to access them for booting the OS. All the files on the boot partition are encrypted, and the key is not stored anywhere.
    • Re: (Score:3, Informative)

      by Nimey (114278)
      If the Mac version is any example, TrueCrypt now uses FUSE. That's not /completely/ independent of the kernel, but it's still rather more stable than having to recompile TC every time you build a new kernel.
  • The final excuse. (Score:5, Interesting)

    by Anonymous Coward on Wednesday February 06, 2008 @09:56AM (#22319976)
    That removes the last excuse people have for not encrypting everything..."It is too complicated". Total encryption with a password at bootup...couldn't be simpler.
    • by stevie.f (1106777) on Wednesday February 06, 2008 @10:07AM (#22320134)
      Nope, the last excuse for people is "What's encryption?"
    • Re:The final excuse. (Score:5, Informative)

      by Lord Ender (156273) on Wednesday February 06, 2008 @10:30AM (#22320404) Homepage
      No. Encryption imparts serious performance penalties. Normally, things like DMA allow you to transfer data directly from your disk to your RAM, another disk, or another device. With encryption, every bit must pass through the CPU to do crypto on it. It some cases, that is a very noticeable delay. At our company, that delay was too long for some purposes, so I had them use DriveLock instead, which has no performance penalty.
      • Re: (Score:3, Insightful)

        by mi (197448)

        A reasonable compromise would be to encrypt only the "interesting" data — such as the /home partition and, maybe, the /var/log (or simply make sure the particular log-files you wish to protect — such as maillog — reside on the encrypted /home).

        Whoever tries to crack your laptop is unlikely to be interested in the standard-issue binaries you may have installed...

        • Depending on your directive...

          For us, since we can't guarantee our users store their confidential data in any particular location, we had to do full disk encryption and take the penalty.
        • by Lord Ender (156273) on Wednesday February 06, 2008 @12:48PM (#22322286) Homepage
          The entire point of whole disk encryption is that it is impossible to define where "interesting" data is. Temp files, cache, and swap files can all end up with sensitive data in them. They only way to be sure is to encrypt the whole disk. (or nuke it from orbit)
      • Re:The final excuse. (Score:5, Interesting)

        by phantomcircuit (938963) on Wednesday February 06, 2008 @11:03AM (#22320876) Homepage
        All I have to say is this [technocrat.net].
      • Re: (Score:3, Interesting)

        by TAiNiUM (66843)
        What about data recovery? If my drive fails in some manner, can I still recover my data? Without this tool I can at least recover *some* data. Does this eliminate that possibility and turn it into an all or nothing scenario?
  • by tolworthy (1205778) on Wednesday February 06, 2008 @09:56AM (#22319978)
    It's not by Microsoft. Plus they don't have much data left to lose.
  • by Scott Lockwood (218839) * on Wednesday February 06, 2008 @09:59AM (#22320022) Homepage Journal
    Step 1: Post on Slashdot
    Step 2: ???
    Step 3: Profit!
  • One thing annoys me: (Score:5, Interesting)

    by imsabbel (611519) on Wednesday February 06, 2008 @10:01AM (#22320048)
    They have to option to convert boot drives to encrypted drives... even while the system is running.
    Thats nice.

    But how about converting non-boot drives?
    Doesnt seem to be possible.

    Not everybody starts with a blank sheet, or has double the needed capacity to empty first one HD and then another...
    • by Grym (725290) *

      Converting non-boot drives seems like a fringe use, honestly. Most people can just make a new truecrypt volume and then mount like normal. For everyone else, move the files temporarily onto DVD-R/CD-R media, create a truecrypt volume, then move the files into the new truecrypt volume. Problem solved.

      -Grym

      • by Firehed (942385)
        That's still a pain in the ass if they can already do it on the drive you're running from. Surely that's much more complicated than encrypting data that's NOT loaded as part of your kernel.

        I'd be much more likely to convert a non-boot drive to full encryption anyways. I find typing a password in enough of a pain so a nice, long, secure passphrase would drive me nuts on bootup. I'd much rather just store any sensitive data on a second disk - not only does that mean I'm not completely hosed if I forget the
        • by Jugalator (259273)
          Yes, granted it would be safer security-wise to encrypt the system drive than going through the trouble of ensuring the system doesn't store anything sensitive on it without your knowledge.

          However, if the encryption is only about personal documents, mails, and simple things like that, and you don't need "deep" encryption of various stuff that may risk ending up on the system drive without your knowledge, I would also rather encrypt a non-system drive. That way, you would as you say not always have to enter
    • by hey! (33014) on Wednesday February 06, 2008 @10:23AM (#22320328) Homepage Journal
      That doesn't seem so important to me.

      If you want something encrypted, you put it on a truecrypt drive; you can move it from the original drive to the truecrypt drive, then juggle the drive letters if you use windows, the mount points otherwise. The only thing that can't get this treatment is the boot drive, therefore (uniquely) you have an absolute need for a way to encrypt that while it is running.
      • Re: (Score:2, Insightful)

        by waddleman (1230926)
        Assuming there is free space to move data between and have room for a new partition. While not critical, still an inconvience
      • I know we'd be interested in this, but we need something that can be rolled out to tens of thousands of machines automatically, encrypts in the background with minimal hassle to the user, won't lose data if power is lost during encryption, and will resume automatically after the system comes back on.

        Our current Windows-only solution does that, so the Macs get left untouched... which works out OK for me, but is technically a problem =-)
  • by _bug_ (112702) on Wednesday February 06, 2008 @10:02AM (#22320064) Journal
    http://sourceforge.net/projects/truecrypt/ [sourceforge.net]

    Press release here [sourceforge.net].

    We are pleased to announce that TrueCrypt 5.0 has been released. Among the new features are the ability to encrypt a system partition or entire system drive (i.e. a drive where Windows is installed) with pre-boot authentication, pipelined operations increasing read/write speed by up to 100%, Mac OS X version, graphical interface for the Linux version, XTS mode, SHA-512, and more.

    After four years of development, during which millions of people downloaded a copy of TrueCrypt, it is the only open-source disk encryption software that runs on Windows, Mac OS X, and Linux. The newly implemented ability to encrypt system partitions and system drives provides the highest level of security and privacy, as all files, including any temporary files that Windows and applications create on system drives (typically, without the user's knowledge or consent), swap files, etc., are permanently encrypted. Large amounts of potentially sensitive data that Windows records, such as the names and locations of files opened by the user, applications that the user runs, etc., are always permanently encrypted as well. For more information, please see http://www.truecrypt.org/docs/?s=version-history [truecrypt.org]
    • Re: (Score:2, Interesting)

      by base3 (539820)
      You can't get the distribution from SourceForge. The download page only contains text directing the would-be downloader to truecrypt.org.
    • by Shabbs (11692)
      Sourceforge no longer carries the latest versions. Distribution is only via truecrypt.org. We'll have to wait the Slashdotting out.
  • What about wake up? (Score:4, Interesting)

    by unbug (1188963) on Wednesday February 06, 2008 @10:02AM (#22320072)
    I almost never turn off my laptop, I just close the lid. Will it ask me for a password when it wakes up again?
    • If it's anything like SafeBoot, no. Would you want to have to put in a username and password twice every time your laptop went to sleep?

      The way SafeBoot works you only have to get past it once, when your machine starts, then you log onto the domain.
    • by apathy maybe (922212) on Wednesday February 06, 2008 @10:09AM (#22320152) Homepage Journal
      In Windows at least (not sure with the other versions), you can set it to dismount mounted volumes whenever certain ACPI events (lid closing, suspend or hibernate etc.) happen.

      This forces you to re-enter your password to access the volume.

      Of course, you should have an option in your OS to ask you for your login password whenever you close and then open your lid as well.
    • Re: (Score:3, Informative)

      No, but you should have a screensaver that won't let you use the computer unless you enter a password.

      Normally this wouldn't offer complete protection - you could just reboot from a system disk and access the filesystem, but with truecrypt (or FileVault, or any of the other encrypted file system solutions) they can't do this.

    • I think you're missing the point. The data continues to be encrypted - even if your operating system is using it.

      So if your computer is in sleep mode or has a screen saver - you need to password protect your computer so that you control who accesses your data and apps.

      If I wanted your data, and I didn't know your password - I would get your entire drive (either by stealing it, booting up with a liveCD, or image it to another drive). Now I can't even do that because the data is encrypted on the disk, not jus
    • Unless the thief is specifically targeting your data, the computer will have to make it through the black market, and the battery will die before someone who knows what they are doing gets their hand on your PC.
      • by gardyloo (512791)
        You mean there are no power bricks or batteries on the black market?!? I feel sorry for those guys.
    • by Exp315 (851386)
      I agree, that's the key weakness in Truecrypt. I hibernate both my desktop and laptop systems, and mounted Truecrypt drives remain mounted with no need to re-enter the password no matter how much time has passed. A data thief would have no problems. I think Truecrypt needs a review of their real-world security. And BTW, I've run into bugs with previous versions of Truecrypt used to encrypt USB drives where it suddenly stopped accepting the password and I lost access to the data. Nothing vital lost, but enou
      • Re: (Score:3, Informative)

        by Atti K. (1169503)
        In Truecrypt's menu, under Settings -> Preferences, there is an Auto-Dismount section. TrueCrypt volumes can be automatically dismounted when:
        • user logs off
        • screen saver is started
        • enters power saving mode
        • no data has been written for x minutes
        Dismounting can be forced even if there are open files on the volume. All those options were there even in TrueCrypt 4.3.
  • by Loibisch (964797) on Wednesday February 06, 2008 @10:14AM (#22320214)
    I've been waiting for this release. I know that real men use the command line for each and everything including brewing their morning coffee, but I was really looking forward to the graphical user interface. :) Of course, thanks to Slashdot now the site (which has been dead slow all day) has now been blasted out of orbit...

    Ah well, maybe the storm will be over till I'm home.
    • by Hatta (162192)
      I've been waiting for this release. I know that real men use the command line for each and everything including brewing their morning coffee

      Holy shit, you can do that?! And I've been weighing, grinding, and pouring my own coffee by hand. This is one time I really wouldn't mind being replaced by a very small shell script.
      • by Loibisch (964797)
        Sure you can, here you go: HTML version [linux.com] | text version [slackwaresupport.com]

        My favorite part must be from the "device driver" section:

        Just read kernel hacker's guide, implement a device driver (it could even be user space I think). Please compile it as a module, so that we won't need a kernel compile in every update. Then write:
        echo cappuccino > /dev/coffee
        And you will have a hot cup of coffee in minutes! Remember to give the right permission to /dev/coffee, depending on whether you want only root making coffee or not.

        Have fun setting that one up. :)

    • by russ1337 (938915)

      I've been waiting for this release. I know that real men use the command line for each and everything including brewing their morning coffee,
      I brew my coffee with butterflies and wind currents. [xkcd.com]
  • As someone who has never used a full-drive encrypted, how does this impact hard drive access? Will reads/writes be noticeably slower (assuming a relatively new drive)? Will this affect utilities such as a defragmenter or disk checker? How much slower will boot up be? What about memory or CPU usage?

    I am all for more security. But, if it slows my laptop down to the point of un-usability....
    • Re: (Score:3, Informative)

      by imsabbel (611519)
      My personal experience with TC 4.0 (and, obviously, not my boot disk):

      Random accesses arent slowed down noticable, but large STR (like copying 50Gbyte to another HD) are. For me, the limit was about 30Mbyte/s.
      But as this is driver-level CPU load, and not interupt driven, the system responsitivity was not negatively affected.

      Memory usage is neglectable, and CPU load scales linearly with bytes/s. So in most scenarios, or multicores, its not the limiting factor.

      But you would NOT want to capture video or stuff
  • Downloading (Score:3, Funny)

    by margam_rhino (778498) on Wednesday February 06, 2008 @10:30AM (#22320402)
    I will just wait until you pesky North Americans are in bed and download in the morning UK time, ha ha. Wait, no, everyone forget I said that! Aww, now you all will try then.
    • by SQLGuru (980662)
      You forget: that will be when everyone's torrents are running sucking up the bandwidth....

      Layne
  • Like for USB drives?

    Are there any standalone encryption systems that don't require software install on the host environment but can "mount" an encrypted disk file on a USB drive?
    • by Thyamine (531612)
      It seems to me that you'd have to have software installed or part of any system you wanted to access that USB/removable media on. Otherwise the system won't recognize that it's encrypted and see gibberish, or won't know how to decrypt it at best. I know that some USB drives (at least the thumb drives) come with small applications for just that purpose, but you have to install it on each system you want to run it, and I don't know how secure it is as I've never used it myself.
    • by XMyth (266414) on Wednesday February 06, 2008 @11:27AM (#22321238) Homepage
      TrueCrypt can do this when used in 'Traveler' mode.

      It does install a system driver when in use, but the driver can reside purely on the unencrypted portion of the flash drive.

      James
  • http://www.truecrypt.org/downloads/transient/9b6d4c43d4/TrueCrypt%205.0%20Source.zip [truecrypt.org] Forbidden You don't have permission to access /downloads/transient/9b6d4c43d4/TrueCrypt 5.0 Source.zip on this server. Apache/1.3.34 Server at www.truecrypt.org Port 80 I cannot get the source. The NSA has removed it.
  • Linux 64bit? (Score:3, Informative)

    by Wubby (56755) <.moc.yllavud. .ta. .yllavudt.> on Wednesday February 06, 2008 @10:40AM (#22320552) Homepage Journal
    Any word on 64bit binaries for Linux? I've compiled the Non-gui version without issue before, but with a gui, things get more complicated. GTK/KDE? Which libraries? etc etc etc etc etc
  • FIPS 140-2? (Score:3, Interesting)

    by soboroff (91667) on Wednesday February 06, 2008 @10:47AM (#22320662)
    Are they planning to submit their system for FIPS 140-2? The US OMB decreed that most laptops must be encrypted with full-disk FIPS 140-2-compliant encryption, but the only certified tools for this exist for Windoze. The algorithms used are fine, but this stamp of approval would be very useful for federal Linux and Mac users!
    • Re: (Score:3, Informative)

      by SuperBanana (662181)

      The algorithms used are fine, but this stamp of approval would be very useful for federal Linux and Mac users!

      http://www.extrapepperoni.com/2007/09/10/fips-140-2-for-mac-os-x/

      Filevault already provides FIPS 140-2 compliant encryption.

    • Not anytime soon. (Score:3, Informative)

      by Ayanami Rei (621112) *
      For whatever reason, the author of TrueCrypt wrote his own implementation of AES. This means even if someone put up the cash to apply for a cert, it'd probably take much longer to get anything other than assurance level 1 than most people are willing to wait.

      In any case it costs a lot of money and they only test binaries which makes anything that links into a kernel difficult unless it's only a library core common among implementations which is linked at install time or something.

      It's a real pain. :-(

      Most p
  • The site is back up & is actually responding pretty quickly.
  • by Bobb Sledd (307434) on Wednesday February 06, 2008 @10:54AM (#22320764) Homepage
    Being in the US, I have become so paranoid now that I encrypt everything with TrueCrypt. Whether it's MP3's, DVDs or pr0n or just simply my web browser cache, it all goes into the encrypted file. Long hard password and keyfiles, and then I also use hidden volumes.

    And one big big big reason I use encryption: Usenet. I often use NewsBin to indiscriminately download all the binaries in a given group. I think this is very dangerous. And many times you get some very illegal junk you just don't want lying around -- but I can't get to it for several days to manually filter through it. ISPs get the benefit of being an ISP and not having to filter their caches for content; I do not get that same benefit. If I get caught with something I shouldn't have, it's jail time.

    So if it comes up that I had inadvertently downloaded some kiddie pr0n through Usenet newsgroup (which is often mixed in with legitimate stuff), and my machine gets searched, I want some protection. And both: the things I downloaded and the things I have deleted simply CAN NOT be found.

  • There was a point where I wanted to build a RAID-5 system and use LUKS / dm-crypt. Seemed like too many layers, too many places for something to go wrong if one phantom bit got flipped. Once ZFS gets encryption I'll build myself a nice new file server.
    • Encryption is sort of a weird thing to want for a file server, isn't it?

      - File servers tend not to be mobile, so the chances of the disk(s) falling into the wrong hands because of the physical theft of the device is fairly low.
      - File servers are up all the time, so the primary means of attack is to compromise a service or application on the already-running server, and gain access to the data with that application or service's privilege level. Encryption does not protect against this.
      - When file servers do g
      • Re: (Score:3, Informative)

        by Sloppy (14984)

        File servers might not be able to tolerate the performance penalty of encryption.
        Huh. I guess different people have seen different things, but in my experience, fileservers tend to have underworked CPUs. And it just becomes more extreme ever year, as CPUs double in speed more frequently than I/O devices do.
  • That's already built in to the Mac OS, as it should be. Just use FileVault.
  • Recovery CD (Score:5, Interesting)

    by MT628496 (959515) on Wednesday February 06, 2008 @11:24AM (#22321156)
    I'm not sure whether I like the idea of encrypting my entire disk. I don't really like the idea of not being able to boot a live CD to fix something should the need arise. Unless I'm misunderstanding the features, it won't be possible.

    I know it doesn't happen often, but there is not anyone here that hasn't at least once screwed up something on his system and needed to boot a livecd to fix a configuration file. With total disk encryption, what do you do? You're boned, as far as I can see and I don't think that I really like the idea.

    As I'm writing this, the thought pops into my head that "you can probably just enter your passphrase from the live environment while trying to mount the filesystem". Is this how things actually work? It's a genuine question and I'd appreciate not being modded down for asking it. Of course someone probably will.
    • Re:Recovery CD (Score:4, Informative)

      by Xenoflargactian (883930) on Wednesday February 06, 2008 @06:56PM (#22326756)
      TrueCrypt requires that you burn a Rescue Disk before encrypting your boot partition. It saves a 2-meg ISO to 'My Documents' and gives you links to free burning software. It won't let you proceed without the burned CD in the drive. The rescue disk can be used to restore the boot loader (which has the password-encrypted keys, etc) in case of corruption, but it also has a 'Decrypt entire disk now' option. If you need to boot from a BartPE, you can decrypt your whole disk, then boot from the BartPE.

      They've really thought this through. I've gotta hand it to the people at Truecrypt.org. I'm impressed, especially considering this is the first release of their whole disk encryption product.
  • Junction points? (Score:3, Interesting)

    by Butterspoon (892614) <Butterspoon+slas ... com minus math_g> on Wednesday February 06, 2008 @04:43PM (#22325230)

    Still no option to mount a TrueCrypt volume on an NTFS junction point, alas.

    PGPdisk has had this for ages. Means you don't have to expose to all and sundry who can see your machine that another drive has just appeared.

    Would very much like to see this in the next version.

  • by unger (42254) on Wednesday February 06, 2008 @10:14PM (#22328862)
    afaik, the truecrypt code has never been audited for security issues by professional cryptographers. does anyone know if i'm mistaken?

    if the code has never been audited doesn't it seem a bit irresponsible to recommend truecrypt?

Given its constituency, the only thing I expect to be "open" about [the Open Software Foundation] is its mouth. -- John Gilmore

Working...