TrueCrypt 6.0 Released 448
ruphus13 writes "While most of the US was celebrating Independence Day, the true fellow geeks over at TrueCrypt released version 6.0 of TrueCrypt over the long weekend. The new version touts two major upgrades. 'First, TrueCrypt now performs parallel encryption and decryption operations on multi-core systems, giving you a phenomenal speedup if you have more than one processor available. Second, it now has the ability to hide an entire operating system, so even if you're forced to reveal your pre-boot password to an adversary, you can give them one that boots into a plausible decoy operating system, with your hidden operating system remaining completely undetectable.' The software has been released under the 'TrueCrypt License,' which is not OSI approved."
Relevant links (Score:5, Informative)
Project homepage is here: http://www.truecrypt.org/ [truecrypt.org]
Release notes here http://www.truecrypt.org/docs/?s=version-history [truecrypt.org]
(Btw, these links should be in the article, instead of an external (sponsored?) one).
Re:Only works if it's default install (Score:5, Informative)
Yeah, but Truecrypt has a defence against that. It is called "hidden volumes". Basically, you create a container, use it for porn or financial records (something that you have a legitimate reason to want to hide, from the wife or identities thieves for example), something that you access often. Then you create a hidden volume that is put at the end of that volume, which to access requires a second password.
There is no way of knowing if that second hidden volume exists unless you have both passwords.
If you access the first volume without both passwords, then you can just wipe over whatever information you have stored in the hidden volume.
Oh yeah, I love TrueCrypt. It's groovy.
Re:More filesystems (Score:5, Informative)
It still only creates FAT file systems, but you can reformat to whatever you want afterwards. I tried it with both HFS+ and ZFS and it seemed to work fine.
Re:A good defense... (Score:3, Informative)
Yes it is a good defence against that. Border guards aren't going to have enough time to find your encrypted containers while you are there, and if you have to give up your laptop, or if they take a copy of the HD, then they can't access the information because they don't have the password (and they can't force the password out of you, because you have already re-entered the country (assuming you are a yank)).
And if they do find a container, and force you to give up the password http://it.slashdot.org/comments.pl?sid=606473&cid=24097339 [slashdot.org] hidden volumes as described in that post.
Re:More filesystems (Score:4, Informative)
Or you can create your own filesystem? I don't know how it works on the mac, but on windows & linux truecrypt just creates an encrypted disk which you can format with any filesystem you like. Just create the container file filesystem type 'none' and format it yourself.
Re:OK (Score:2, Informative)
From the release notes:
It appears to work just like a hidden volume [truecrypt.org] (also described in this post [slashdot.org]).
In other words, you worry to much, these guys are really really smart.
Re:OK (Score:3, Informative)
No..
The decoy OS is not a outer, non hidden volume, it is a seperate partition. You must run the decoy OS regulary so it becomes obvouus it is a used OS. YOu can do safely
Re:OK (Score:5, Informative)
Re:OK (Score:2, Informative)
Re:Local admin rights on Windows (Score:5, Informative)
I work as a consultant and often use Truecrypt on my USB key in traveller mode on sites where I work. The top thing on my wishlist is to be able to run/install Truecrypt on a Windows machine without admin rights.
The issue is described in full here [truecrypt.org]:
Full release notes can be found here [truecrypt.org].
You dont need Admin rights with TCexplorer
Ideal for USB key
http://www.codeproject.com/KB/files/TCExplorer.aspx
Re:first (Score:4, Informative)
Re:Suggestion: Truecrypt LiveCD -Stealth- Install (Score:4, Informative)
This is discussed in the "plausible deniability" section of the TrueCrypt docs.
The recommended solution is to ensure you have a plausible use for the existing installation of TrueCrypt, for example some porn or customer records in a separate container, allowing you to deny the existence of the real container.
This means you do not have to put yourself in a situation where you are denying using TC and one tiny mistake could indicate that you have used TrueCrypt when no visible TC volume is present.
On the other hand, I'm sure most of the bootable Linux LiveCDs will continue to include TrueCrypt.
If you want to do it with Windows, use BartPE as discussed in the TrueCrypt FAQ.
Other filesystems could expose hidden volumes (Score:2, Informative)
See my comment here:
http://it.slashdot.org/comments.pl?sid=606473&threshold=-1&commentsort=0&mode=thread&no_d2=1&pid=24097371#24097539 [slashdot.org]
Re:OK (Score:3, Informative)
Re:Only works if it's default install (Score:5, Informative)
Think you totally missed the point.
You put plausible data into the encrypted volume, when they ask for your password you give it up, they access the encrypted volume and see you got porn/financial stuff/what nots you don't want others to see. What they can't see is the fact that there is another volume hidden inside this, which there is no way of knowing unless you got the second password. Waterboarding the person makes no sense since he has already given up the password giving you access to the "entire" volume.
Re:Local admin rights on Windows (Score:1, Informative)
Re:OK (Score:5, Informative)
So when they get the first password, they continue until they get another or they decide there's no way you could have withstood that much. And when they get your second password, they'll still go on in the hope of a third, unless the data they find would totally fill the disk.
Each time you give up something, they'll assume there may be more until they've kept torturing you for a long time without getting any more information.
Re:OK (Score:5, Informative)
Even the NSA would have to devote a significant part of their resources. 95^12 is over 500 sextillion combinations. So, say you've got a really really fast CPU that can do 1 billion test decrypts a second (which is unfeasibly fast at the current time). It would take that computer over 17 million years to find the password.
So, let's say that the NSA has a million CPUs at their disposal, it would still take over 17 years to decrypt. So, they'd have to be pretty sure that you have some seriously cool porn on your PC before they start devoting 100,000,000 impossibly fast CPUs to the task of cracking your password in a couple of months.
The Storm Botnet would take centuries to hack a random 12 character password (it would cut down on spam though).
Of course, if you choose 'password' as your password it might not take quite as long.
Re:OK (Score:1, Informative)
Re:Local admin rights on Windows (Score:5, Informative)
Re:Local admin rights on Windows (Score:3, Informative)
By the way one useful feature of truecrypt on windows is "mount volumes as removable drives". Windows by default creates admin shares (C$, D$ and so on) for each fixed drive. So a network admin can just connect to \\myip\D$ to take a look at my D: drive. If I mount my truecrypt volume as, let's say E:, an E$ share is automatically created and is accessible for any user (domain or local) with admin access to my machine. If I mount my TC volume as removable, no admin share is created.
Of course there could by other ways to access a volume on the computer, but let's not make it obvious with a new share that an additional volume is mounted.
They'd also get in trouble (Score:3, Informative)
For two reasons:
1) The proper procedure is to make a verified copy, and then work on the copy. Many reasons not the least of which being that if you screw up accidentally you can make another copy. You don't go mucking around on the original drive.
2) Law enforcement isn't welcome to just destroy property because they feel like it. They can't burn down your house and say "Well we thought there might be drugs in it, even though we never found any." Likewise they can't just screw up your data for shits and grins. That'd be a great way to get sued. You claim that the truecrypt volume in fact contained important research documents that were worth millions, not illegal data. They can't prove otherwise since they purposefully deleted it.
Also this same sort of thing applies hidden volume or not, encryption or not. If you have a normal truecrypt file, they can simply overwrite it with random data, even if they lack the password. They can do this to any file, encrypted or unencrypted. The only risk a hidden volume has is if someone has the password to the normal volume, doesn't know there's a hidden volume, and accidentally writes data in there so it gets overwritten.
They'd have no reason at all to do that. It wouldn't be helpful in an investigation, would probably get them in trouble, and would be way more effort than just smashing the harddrive with a hammer if they wanted to prevent you from getting your data back.
Re:Local admin rights on Windows (Score:4, Informative)
I think this fits the bill.
http://www.codeproject.com/KB/files/TCExplorer.aspx [codeproject.com]
Re:NSA backdoor? (Score:2, Informative)
Does anyone know if the backdoor has been made a little more user friendly? The current one takes like 3 minutes to decrypt without the password.
I don't know, why don't you examine the source code for yourself? You can download it here: http://www.truecrypt.org/downloads2.php [truecrypt.org] Or you could just quit trolling and spreading FUD.
Here's the non-spam link, dickhead (Score:5, Informative)
http://www.truecrypt.org/news.php [truecrypt.org]
Re:first (Score:5, Informative)
Replacement cipher.
Translation table:
b o
c p
e r
f s
g t
i v
Re:Sad (Score:3, Informative)
Re:Detecting Truecrypt. (Score:4, Informative)
Works in FreeBSD (Score:3, Informative)
Using the patches in the TrueCrypt 5 port [freebsd.org], TrueCrypt 6 builds and appears to run fine on FreeBSD \o/
Re:Low powered PC (Score:3, Informative)
I would say "not well versed on PDA software installation" is a major understatement. You manage to confuse yourself by using the ambiguous "Win-based PDA". To put it simply the hardware and software on "Win-based PDA"s has nothing to do with your XP, ok?
Re:Detecting Truecrypt. (Score:3, Informative)
Uh, I'd mod you down as Misleading if that was possible. If you at least bothered to read something about it before commenting, you would know that you are wrong.
From, the TrueCrypt documentation at http://www.truecrypt.org/hiddenvolume.php [truecrypt.org] :
"Even when the outer volume is mounted, it is impossible to prove whether there is a hidden volume within it or not*, because free space on any TrueCrypt volume is always filled with random data when the volume is created** and no part of the (dismounted) hidden volume can be distinguished from random data."
Re:Only works if it's default install (Score:2, Informative)
Think you totally missed the point.
Not quite.
It's true that if _every_ Ubuntu, Debian, Fedora, Mac OS X and XP/Vista installation appeared to use TrueCrypt, then attackers wouldn't become any more suspicious of a laptop with a TrueCrypt volume than they would one containing, say, an NTFS volume.
Think of a pile of a dozen laptops at a border crossing. As it is today, the laptops with the encrypted volumes will really stand out--- and probably get a more focused inspection as a result. That's a situation you want to avoid, whether you have sensitive data or not. If you can avoid the rubber hose altogether, thats preferable to getting just the "lite" treatment.
It's actually a pretty forward-thinking idea, one that might have side-effect benefits for things like secure browsing, identity protection, etc.
Of course, you'd have to deal with TrueCrypt's licensing issues (if any, IANAL) related to those OSen first. That may be the more difficult problem than getting one or more distos to include it in their default installations.
Re:Local admin rights on Windows (Score:5, Informative)
Any other coders have time to update these projects? I know I don't, but it would be a great service to the OSS community if someone could.
WindowsCE != WindowsXP but Linux: PDA ~PC (Score:5, Informative)
Would this even be necessary? I can install and run Truecrypt off of a USB Thumb drive or an SD card on a Win or Lin based PC.
Yes it's necessary, because currently in Windows there's no way to run TrueCrypt unless you have admin privilege on the target machine.
The original parent wanted to use TrueCrypt to secure data before transporting them (so the loss of the USB key isn't a critical leak) and then being able to retrieve the data from the USB key once arrived at the destination, EVEN if he doesn't have admin access on the machine on which said key is plugged (and thus can't install TrueCrypt from the key).
If you use a Windows PC to install the Win version of Trucrypt, and then plug the SD card into a Win-based PDA, would it not function normally?
No. Won't work. The only thing that "Windows CE" and "Windows XP" have in common is having the word "Windows" appearing in their names. As other have pointed out both don't even run on the same architecture (x86, AMD64 and Itanium for WinXP ; ARM, MIPS and SuperH for WinCE).
So :
- either you run the usual TrueCrypt on a portable device that runs Windows *XP* (or Linux or BSD or Mac) - this was my first suggestion, anything cheap like an Asus EEE PC or an OLPC is OK.
- or you use a PDA running Windows CE (or Palm OS, or Symbian, or RIM) and use a TrueCrypt version that was adapted for the differences and recompiled for the processor.
That was my second suggestion : if there exist a version of TrueCrypt which works on PDA, then the PDA could be used to do the decryption (but stock WinXP software can't run on WinCE).
Linux is an exception : the Linux running on PDAs (Sharp Zaurus, Nokia Maemo, Trolltech GreenPhone, OpenMoko/FIC NeoRunner, etc...) is much closer to the full Linux running on desktop.
Usually the graphic interface is different (often the PDAs don't have X-Windows but use special purpose GUIs) but the system are POSIX compliant and any console software usually run as-is after being simply recompiled from source (because the processors are still different and the binaries are different - but the source is the same for console applications).
So that's the exception to the rule.
Note: That also true for a lot of different Linux enabled appliace (modem/routers, file servers, etc.) - although lots of them have very limited resource which put a hard top at what you can manage to get run.
Also, Apple is touting that their desktops' Mac OS X and the iPhone and iPodTouch's OS X are similarly very related, and some developers (like Epocrates [epocrates.com] who are making medial PDA software) have mentioned that porting their application to the portable OS X was a matter of couple of days.
On the other hand, I haven't heard the iPhone / iPodTouch having a POSIX-compatible console environment (still hearing that the current SDK imposes limits on what can be done), so I don't know if getting a console application to work on those platforms is a simple matter of recompile.
Re:Only works if it's default install (Score:2, Informative)
What's needed to avoid this is *complete* deniability; something which I don't think any software can offer.
Truecrypt doesn't (and doesn't claim to) offer this complete deniability, but rather *plausible* deniability. Which is adequate to protect one from litigation and prison time in most modern countries. In most cases, this is enough.
Good software can protect your sensitive data, but *no* software can protect you from getting tortured in this sort of hypothetical psychotic dictatorship.
Re:Local admin rights on Windows (Score:3, Informative)
but let's not make it obvious with a new share that an additional volume is mounted.
You could give this this regkey value [windowsnetworking.com] a try and see if it takes care of your concern. Supposedly it prevents Windows from automatically creating those shares.
Re:That might betray the presence of a hidden volu (Score:5, Informative)
Re:Local admin rights on Windows (Score:2, Informative)
With the smbtree Samba tool, I can happily get the list of shares, including the $ ones, from an XP machine, even if I connect as a nonadmin user to the server.
Re:Only works if it's default install (Score:3, Informative)
To answer your points:
1) The default filesystem of TrueCrypt volumes is FAT32. Unlike modern filesystems, FAT32 sticks new data as close to the start of the disk as possible, leading to the inefficiency and fragmentation issues that FAT32 is notorious for.
2) The hidden volume is placed at the end of the filesystem, the area of the disk that, on a FAT32 filesystem, is most likely to be empty.
I believe this answers your concerns.
An irritatingly nightmarish experience (Score:3, Informative)
I'm a semi- geek when it comes to Windows, a non-"Power User". But I had a need for this so I thought I would give TrueCrypt a whirl, and had a real nightmarish day and a half.
This being slashdot, I'm only inviting flames about the various things I'm doing wrong. But it does seem to me that TrueCrypt is missing a very obvious feature--encrypt other partitions in the same manner as the boot partition (that is, online and allow them to be mounted transparently) that would have saved me a lot of grief.
See, I have C: and D: partitions, and all the user profile directories are on D:, because that's how our IT department sets things up. Do you see what's coming? Well, I encrypted the system partition without a problem. But now, the D: partition needs to be encrypted, and there's no way to do that without destroying it.
Okay, fine, "back up" and "restore", right? Except that applications, including TrueCrypt and Windows, are pretty highly dependent on the presence of that profile directory, as I learned to my moaning grief. (Yes! TrueCrypt apparently stores which volumes you want "automatically" mounted in your profile directory!)
One new TrueCrypt-encrypted NTFS filesystem later, and I realized there was no way to get the thing mounted before anyone logs in. Or rather, there probably is a way, but it's nothing like editing AUTOEXEC.BAT or something simple. There are registry keys that can be edited but "startup" in Windows-land always seems to refer to "user logs in" and not "boot time."
Additionally, the TrueCrypt command-line did not seem to work as advertised. I'm not a genius but I do carefully read documentation and double-check command-lines before I issue them, and it should not have been possible for TrueCrypt to attempt to remount and repair the system partition as another drive letter, but it did. So I gave up on my dream of having an encrypted C: and D: mounted at boot time, so the user profile directory can be there waiting for the user to log in.
Did I mention how grumpy Windows and everything else gets when the profile directory goes away? Very grumpy indeed. A forest of "registry may be corrupted" error messages greets any attempt to change anything, and so forth. After struggling with these kinds of issues for some time, I really just wiped D: for good and let the system "rebuild" the profile directories on first login. Now I have a bunch of reconfiguration to do and things still aren't right (for example, start menus aren't correct because lots of programs had shortcuts in D:\Documents and Settings\All Users\Start Menu).
It really seems to me that this is not that unusual a situation (two partitions need to be mounted to boot the system) that should be accommodated by something like TrueCrypt. I'm disappointed in TrueCrypt, red-bloodedly refreshed in my hatred of Windows and harboring evil thoughts toward my company IT department.
Re:Local admin rights on Windows (Score:2, Informative)