
Linux.com

Feature: Security

Filesystem encryption in mixed environments with TrueCrypt

By Anze Vidmar on February 14, 2007 (8:00:00 AM)


If you want to encrypt your sensitive files so that no one can access them without your personal password or decryption key, you have several options. But if you want a free, cross-platform, open source encryption application, try TrueCrypt.

TrueCrypt encrypts and decrypts files on the fly, as they are loaded or saved, without user intervention. TrueCrypt can encrypt files and store them in a container file that acts as a virtual disk, or turn an entire partition or disk into an encrypted volume, on both Microsoft Windows and Linux. The software depends on a personal password or key that you create when configuring a TrueCrypt volume. Without this key, no data on an encrypted volume can be read (not even offline).

Before you get started, consider some precautions you need to be aware of:

  • There is a chance that Windows will write the cached contents of an open file to the page file rather than keeping them only in RAM, thus exposing your data or key.
  • Avoid using hibernation when using TrueCrypt, because at hibernation time the contents of memory, including unsaved data, are written to the hard disk.
  • The content of a mounted TrueCrypt volume is visible (accessible) to all of a system's logged-on users.

If those don't deter you, download the software. TrueCrypt offers binary packages for the Fedora, openSUSE, and Ubuntu distributions. Detailed setup instructions can be found on TrueCrypt's Beginner's Guide page. I tested TrueCrypt on an Ubuntu 6.10 system.

When you're done installing, it's time to create and configure a TrueCrypt volume using a simple command-line tool called truecrypt. You can see the command's options by typing truecrypt without any additional options. For detailed help, use --help, see the man page, or visit the TrueCrypt documentation page.

Let's say you want to create a password-protected TrueCrypt volume on the first partition of your second drive (/dev/hdb1). Start the configuration procedure by entering the following command in the shell, and prepare yourself for eight simple questions:

sudo truecrypt --create /dev/hdb1

You'll be asked to choose whether this will be a normal or a hidden partition. Hidden partitions allow you to hide encrypted volumes, in case you have to reveal your password or someone gets ahold of it. For non-paranoid people I suggest accepting the default choice -- a normal partition.

Next, choose the filesystem type. The default is FAT. You can reformat the filesystem later, so go ahead and choose the default.

In the third step you are asked to choose the hash algorithm you want to use for your encryption type. The default selection (RIPEMD-160) is good enough, but you can study the difference between the algorithms.

In the next step you are asked to choose the encryption algorithm. You have quite a few options, from 128-bit to 256-bit algorithms. Study the differences, but you can be comfortable with the default (AES) algorithm, which provides a 256-bit key.

Next, enter a personal password for accessing the volume. Make sure you choose a password that you won't forget, or you'll have no way to recover the data on the encrypted volume.

In the next step, you can specify a keyfile location, if you want to use one instead of a password. If you're planning to use TrueCrypt volumes for personal use, and only you will ever be authorized to access the files, just use a password.

In the last step, you need to generate at least 320 randomly chosen characters. If you have a mouse connected to the computer, you can move the mouse around to generate the characters. Otherwise, you'll have to type the characters by hand. This step is important for the quality of the encryption key -- the longer you move the mouse, the stronger the key will be.

Finally, TrueCrypt will create the volume. Depending on your volume size, this might take a few minutes. When it's done, you'll be notified, and you can start using the volume.

Before you can start copying sensitive data on your newly created TrueCrypt volume, you need to mount it first, using a command like:

sudo truecrypt /dev/hdb1 /mnt/
Enter password for '/dev/hdb1':

Once you type in your password, the new volume is mounted on /mnt, and you can copy, move, and create files on it just as you would on any other volume. When you're done with your sensitive files, unmount the volume so that other users who log on to your system can't see the volume content:

sudo truecrypt --dismount
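The mount and dismount steps above are the point where a volume is most often left exposed: a failed mount can pass unnoticed, and a volume that stays mounted is readable by every logged-on user. The following helper, added here as an example and not part of the article or of the TrueCrypt project, wraps the article's two commands so that the mount point must be a dedicated directory rather than /mnt itself, the mount is verified against the kernel's mount table, and the volume is dismounted when the shell exits. The function names, the TRUECRYPT and MOUNTS_FILE variables, and the TC_DEMO switch are this example's own assumptions; it is meant to run with root privileges, as the article's sudo commands do.

```shell
#!/bin/sh
# Added example (not from the article or the TrueCrypt project): wraps the
# article's "truecrypt DEVICE MOUNTPOINT" and "truecrypt --dismount" commands.
#   - refuses to mount directly on /mnt (a dedicated subdirectory keeps the
#     mount point private and does not shadow other mounts there),
#   - checks the mount table afterwards so a silent failure is not mistaken
#     for success,
#   - dismounts on exit, so the volume is not left visible to every
#     logged-on user after you walk away.
# Assumed: the truecrypt binary from the article is on PATH (override with
# TRUECRYPT=...); the mount table is /proc/mounts (override with MOUNTS_FILE
# for testing). Run as root or under sudo, as the article does.

TRUECRYPT="${TRUECRYPT:-truecrypt}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Return 0 if MOUNTPOINT is acceptable: an existing directory that is not
# the bare /mnt root. One trailing slash is stripped before the check.
tc_mount_point_ok() {
    mp="${1%/}"
    [ -n "$mp" ] || return 1
    [ "$mp" != "/mnt" ] || return 1
    [ -d "$mp" ] || return 1
    return 0
}

# Return 0 if something is currently mounted on MOUNTPOINT.
# Each line of /proc/mounts is "device mountpoint fstype options dump pass";
# the second field is compared exactly (spaces in paths appear as \040 there).
tc_is_mounted() {
    mp="${1%/}"
    awk -v mp="$mp" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }' "$MOUNTS_FILE"
}

# Mount DEVICE on MOUNTPOINT with the article's command, then verify that the
# kernel actually lists the mount. Returns non-zero on any failure.
tc_mount() {
    dev="$1"
    mp="${2%/}"
    tc_mount_point_ok "$mp" || { echo "refusing mount point '$2'" >&2; return 1; }
    "$TRUECRYPT" "$dev" "$mp" || return 1
    tc_is_mounted "$mp" || { echo "$mp not listed in $MOUNTS_FILE after mount" >&2; return 1; }
    return 0
}

# Dismount with the article's command.
tc_dismount() {
    "$TRUECRYPT" --dismount
}

# Demo entry point:  TC_DEMO=1 sudo sh tc-helper.sh /dev/hdb1 /mnt/secret
# The trap dismounts the volume when this shell exits for any reason.
if [ "${TC_DEMO:-}" = "1" ]; then
    tc_mount "$1" "$2" || exit 1
    trap tc_dismount EXIT
    echo "volume mounted on $2; press Enter to dismount"
    read _dummy
fi
```

Create the mount point first with restrictive permissions (for example `mkdir -m 0700 /mnt/secret`); the helper only checks that the directory exists and is not /mnt itself, it does not create it.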

TrueCrypt can be useful for securing data on a server or on a laptop that can boot both Windows and Linux. You can have a special partition on your disk that contains a TrueCrypt volume that holds your sensitive data, and it can be accessed from both Windows and Linux.


Comments on Filesystem encryption in mixed environments with TrueCrypt


pretty nice, but there's choice

Posted by: Anonymous Coward on February 15, 2007 04:57 AM
Truecrypt seems to be pretty nice, but I suggest that you look at the license before you use it (it seems to have some clauses that e.g. prevent it from being accepted in Debian).

If you're using Linux, then there are a couple of other choices you might look into, i.e. dm-crypt (which is in the vanilla kernel), loop-aes (which is very well established) and a few others. If you're not looking for file-system encryption but simply want to encrypt a folder, you can also use encfs or ecryptfs. Finally there's gnupg if all you want to encrypt is a couple of files.


Re:pretty nice, but there's choice

Posted by: Anonymous Coward on February 15, 2007 10:48 AM
Did you read the article or even the title? Do your suggestions support Linux and Windows? Do tell.


Re:pretty nice, but there's choice

Posted by: Anonymous Coward on February 15, 2007 01:27 PM
Have you ever tried to use truecrypt on a 2.6.18 kernel? Don't bother; it won't work and the developers refuse to take any patches from the open source community at large. That's one of the main issues I had with truecrypt; it doesn't work on all recent kernels so I don't know how cross platform it really is.


Re:pretty nice, but there's choice

Posted by: Anonymous Coward on February 15, 2007 04:57 PM
Actually dm-crypt can be used in Windows.

FreeOTFE: A free "on-the-fly" transparent disk encryption program for PCs
(MS Windows 2000/XP) and PDAs (Windows Mobile 2003/2005)

Linux compatibility (Cryptoloop "losetup", dm-crypt and LUKS supported)

http://www.freeotfe.org/


Re:pretty nice, but there's choice

Posted by: Anonymous Coward on February 15, 2007 10:54 PM
Encfs is cross-platform too: It works with fuse which is available for Linux, various BSDs and Mac OS X. What makes you think that something that is cross-platform has to support Windows?


Re:pretty nice, but there's choice

Posted by: Anonymous Coward on February 15, 2007 10:57 PM
Oh, right, and what about gnupg? If that's not cross-platform, then I don't know what is.


Re:pretty nice, but there's choice

Posted by: Anonymous Coward on February 15, 2007 06:43 PM
>>> Truecrypt seems to pretty nice, but I suggest that you look at the license before you use it (it seems to have some clauses that e.g. prevent it from being accepted in Debian).

You probably mean the clause that requires derived works to carry a different name. This clause is also in the PHP license and the Apache license, and they're both in Debian. We all know that Firefox requires that too, but Debian makes a fuss about it. You need to understand that it's free software, not a free brand.


Re:pretty nice, but there's choice

Posted by: Anonymous Coward on February 15, 2007 10:45 PM
I actually didn't mean just that clause. Have a look at http://lists.debian.org/debian-legal/2006/06/msg00295.html if you're interested in that issue! The main thing is that the license is way too unclear.


Re: pretty nice, but there's choice

Posted by: Anonymous [ip: 116.193.128.34] on January 18, 2008 07:06 AM
Run TRUECRYPT Easily On FEDORA - I HAVE THIS PATCH!
Visit my blog here http://worldoftama.blogspot.com/. Download the installers and the runtruecrypt file and do as directed. BINGO! You have it! http://worldoftama.blogspot.com/


Hmm

Posted by: Anonymous Coward on February 15, 2007 11:15 AM
I like that TrueCrypt supports "plausible deniability".

I too don't like that it has its own license, instead of using an established free open source software license.


Looks like copy of bestcrypt

Posted by: Anonymous Coward on February 16, 2007 12:19 AM
I have used bestcrypt (http://www.jetico.com/) sometimes, and truecrypt looks like a copy of it.


Re:Looks like copy of bestcrypt

Posted by: Anonymous Coward on February 16, 2007 06:25 PM
Truecrypt is based on E4M, whose authors created the commercial DriveCrypt. TrueCrypt, DriveCrypt (and E4M) are all very resistant to unexpected reboots (or pressing the reset button). The containers are not damaged and only a little unwritten data may be lost, which is OK for journalled file systems.
On the other hand, twice I tried BestCrypt and pressed reset while copying a file to an encrypted disk, and after reboot the container was damaged.
IMHO BestCrypt sucks and it is very dangerous to store any valuable data in its containers.


Re:Looks like copy of bestcrypt

Posted by: Anonymous Coward on February 16, 2007 07:26 PM
So DriveCrypt is a copy of BestCrypt ;)


Re(1):Looks like copy of bestcrypt

Posted by: Anonymous [ip: 60.234.149.58] on September 18, 2007 12:55 PM
I have Bestcrypt containers as well as Truecrypt containers under XP and getting the Bestcrypt containers to close can be a pain in the ass. I find that Bestcrypt will often fail to close containers until I run Memturbo with scrub RAM option. I have no idea what is holding the Bestcrypt containers open but to me it is a big security hole. I am gradually moving away from Bestcrypt because of this bug and will only revert if the option of forced dismount becomes available in Bestcrypt.


Filesystem encryption in mixed environments with TrueCrypt

Posted by: Anonymous [ip: 84.59.10.36] on December 07, 2007 07:55 PM
Please don't mount directly under /mnt; you are supposed to mount it in a subdirectory there.


Filesystem encryption in mixed environments with TrueCrypt

Posted by: Anonymous [ip: 24.162.128.27] on January 22, 2008 09:06 PM
Someone needs to stick a lightning rod (with provided natural electricity) into the 'genuses' who make those URLs appear.

My only gripe with DriveCrypt's makers is that they made TrueCrypt withdraw 98 support. I can see people using 98 and TrueCrypt to make a cheap, single-purpose antispying machine. And making people illegally (at least I think it might be) compile in the Win98 code from v 1.0 is not a good solution either. Lame either way you look at it, to remove code like that. It's not exactly like they get a lot of sales from people running a Pentium MMX anyways. ;)





