Domain: truecrypt.org
Stories and comments across the archive that link to truecrypt.org.
Comments · 603
-
Re:decent key management
Mmm... I've been looking at TrueCrypt today and it allows you to use something called keyfiles.
-
Re:Destroy it yourself
Exactly. Besides, the data should have been on an encrypted TrueCrypt virtual drive on the disk!
-
Re:Cooperation between Linux and Windows?
You only mention Windows and Linux. TrueCrypt supports those two operating systems. Future support for OSX is planned.
-
Re:-truecrypt?
Truecrypt has a clever dodge for this. They offer the ability to make a hidden encrypted volume. They do this by making an encrypted volume, and filling its blank space with random data. Yet inside of that random-filled blank space is another truecrypt container, which holds deniable data. If you don't know the key, you never see anything other than random padding in that blank space. See their page on it here.
Integrity of the inner volume seems quite fragile, due to the possibility of it being overwritten through the outer volume, but aside from that it seems like a good plan. -
-truecrypt?
We had someone at work talk about this...
http://www.truecrypt.org/
It's not a HW controller, but it mounts the file system encrypted. It seems like a well-thought-out idea anyway. And available for Linux. -
Re:And along those lines
When properly written it can recover well from corrupt data. Just like regular disks, if a single 512-byte sector is damaged you will lose *all* the data in that sector. If a single x-byte encrypted block is lost you will lose *all* the data in that block.
TrueCrypt is an example of software that does this. -
Ignorance
Clearly the problem is ignorance. And bad habits. And bad security policies.
It's not a technological problem -- everyone in Windows & Linux land should be using Truecrypt or something similar and being smart about how they handle data. Rather it's a social problem.
-
Re:Unenforceable Law
Which means nothing as soon as you decrypted the first container. Probably the second is not listed then (and only available "if you know it exists"), but given the software is known (using software capable of, even advertising, doing this is likely enough, legally, to assume you may have used that feature) and the "random" bytes still have to be somewhere, it's absolutely possible to deduce the existence of further containers once the first is decrypted (total-container-size - encrypted(known-content-byte-size) = probable-secondary-containers).
No, and that's the whole point (read on how it works first, by the way). Keep in mind that the first container in this case is a disk partition. They have fixed size, and only some part of it is used for the files. The rest ("free space" for anyone without the key) is used as a container for encrypted data by TrueCrypt hidden volume system. Thus, there's no way to deduce the existence of second encrypted volume. They might assume it exists by default on any TrueCrypt partition, but then there is no way to tell how many recursive volumes are there either. You can always give one (two, three ...) keys and claim that's all that is there, and there is no way to prove you wrong... and as long as you play it right (a law-abiding citizen willingly sharing his keys), there's little reason for them to push further. -
Re:Steganography
It is necessary to use something that can be used in a non-deniable (regular) mode as well as in deniable mode. If you use Windows or Linux, I recommend the open source TrueCrypt [truecrypt.org].
Exactly. Using TrueCrypt you have an encrypted container where you for instance can keep your credit card numbers, password lists and other sensitive stuff. It can also contain a hidden volume which can contain the real secrets. If you read the writeup on this, you'll see that there's absolutely no way you can prove the existence of the hidden volume in the unused space of the primary container because all free space in any volume (hidden or otherwise) can be scrambled (actually it's random data encrypted) so that no analysis can see the difference between this encrypted garbage and the encrypted data of the hidden volume. This is called plausible deniability. With TrueCrypt you can even hide a volume inside a hidden volume, hidden inside a hidden volume etc.
I'm using TrueCrypt obviously and I'm not telling whether there's something hidden inside the free space on my encrypted disks... ;) -
Plausible Deniability
There are ways one can protect one's privacy.
One can deny the knowledge or the existence of encrypted data using the following.
http://www.truecrypt.org/
Another interesting concept of plausible deniability.
http://it.slashdot.org/article.pl?sid=04/12/16/1946216 -
This is why...
GPG is better than PGP. There is no customer database. The UK government could request the customer database of all UK customers, then they have an instant "hit list" so to speak. GPG requires no install so it is [almost] impossible to trace (use a file shredder to securely delete it, etc., making it as close to impossible as you can get).
It will also force more people to use much more sophisticated technologies. Things such as TrueCrypt's Hidden Volume feature for Plausible Deniability. Again TrueCrypt requires no install, is open source so people can be happy knowing that others can review the code to ensure there are no back doors, and it uses well known (and therefore well tested) algorithms.
Also the government are kidding themselves if they think they will catch terrorists with this. If you are willing to kill hundreds or thousands of people and more than likely kill yourself in the process, are you going to be worried about going to prison for withholding your private key? Of course not. The same holds true for the really evil pedos. Going to prison for withholding your private key isn't as bad as going to prison for having 20,000 pictures of naked 3 year olds.
The only thing this will do is hurt our country. More rights lost with no real gain. If they could be 100% sure it would remove terrorism and pedos I would think about it, but it won't, it won't make any difference whatsoever. Next they will be requesting a copy of a key to your house so they can secretly search it without you knowing to ensure you are not breaking the law. -
Unenforceable Law
Go to http://www.truecrypt.org/ and check out their product. It allows you to store an encrypted drive inside another encrypted drive in such a way that it's impossible to tell that the first one even exists. They can't force you to give them the keys to something that they don't know is there.
-
Solution
So I guess everyone will just switch to a solution like TrueCrypt:
You can create hidden encrypted volumes within other encrypted systems. Even if you are forced to give up your password it's impossible to tell if there is another hidden volume present.
From the TrueCrypt site:
The principle is that a TrueCrypt volume is created within another TrueCrypt volume (within the free space on the volume). Even when the outer volume is mounted, it is impossible to prove whether there is a hidden volume within it or not, because free space on any TrueCrypt volume is always filled with random data when the volume is created* and no part of the (dismounted) hidden volume can be distinguished from random data. -
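The quoted explanation above (free space random-filled at creation, a dismounted hidden volume indistinguishable from it) and the earlier exchange about deducing a second container, plus the remark that the inner volume is fragile because outer-volume writes can overwrite it, can all be checked on a toy model. The following is an added example written for this page, not TrueCrypt's code or on-disk format: the cipher is a SHA-256 counter-mode keystream standing in for TrueCrypt's real block-cipher modes, and VOLUME_SIZE, HIDDEN_OFFSET, HIDDEN_SIZE, the keys and the file contents are all constructed values.

```python
"""Toy outer/hidden volume model (constructed illustration, not TrueCrypt's format)."""
import hashlib
import math
import os
from collections import Counter

VOLUME_SIZE = 64 * 1024      # assumed toy outer volume size
HIDDEN_OFFSET = 48 * 1024    # assumed: hidden volume lives in the outer volume's free space
HIDDEN_SIZE = 8 * 1024       # assumed toy hidden volume size


def keystream(key: bytes, offset: int, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode, bound to the byte offset.
    Stands in for the real cipher so the demo runs with the standard library."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + offset.to_bytes(8, "big")
                              + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_at(key: bytes, offset: int, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, offset, len(data))))


def new_volume() -> bytearray:
    """Whole volume, free space included, is filled with random bytes at creation."""
    return bytearray(os.urandom(VOLUME_SIZE))


def write_region(vol: bytearray, key: bytes, offset: int, data: bytes) -> None:
    vol[offset:offset + len(data)] = xor_at(key, offset, data)


def read_region(vol: bytearray, key: bytes, offset: int, length: int) -> bytes:
    return xor_at(key, offset, bytes(vol[offset:offset + length]))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is uniform. Encrypted data and random fill both sit near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def outer_write(vol: bytearray, outer_key: bytes, data: bytes, protect_hidden: bool) -> bool:
    """Write outer-volume contents starting at offset 0.

    Without protection the outer filesystem sees only 'free space' past its files and
    overwrites the hidden region when the data is large enough (the fragility noted in
    the comments). With protection (modelled as a flag here; TrueCrypt needs the hidden
    password to locate the hidden volume) the write is refused instead.
    Returns True when the write happened."""
    if protect_hidden and len(data) > HIDDEN_OFFSET:
        return False
    write_region(vol, outer_key, 0, data)
    return True


def demo() -> dict:
    outer_key, hidden_key = b"outer-password", b"hidden-password"   # constructed
    secret = b"constructed hidden-volume contents"                   # constructed
    vol = new_volume()
    write_region(vol, hidden_key, HIDDEN_OFFSET, secret.ljust(HIDDEN_SIZE, b"\0"))
    outer_write(vol, outer_key, b"decoy files ".ljust(16 * 1024, b"d"), protect_hidden=False)

    hidden_region = bytes(vol[HIDDEN_OFFSET:HIDDEN_OFFSET + HIDDEN_SIZE])
    untouched_free = bytes(vol[32 * 1024:40 * 1024])   # creation-time random fill only
    result = {
        "hidden_region_entropy": shannon_entropy(hidden_region),
        "plain_free_space_entropy": shannon_entropy(untouched_free),
        "hidden_readback": read_region(vol, hidden_key, HIDDEN_OFFSET, len(secret)),
        "outer_readback": read_region(vol, outer_key, 0, 12),
    }
    big = b"more decoy ".ljust(VOLUME_SIZE, b"x")   # enough to reach the hidden region
    result["protected_write_done"] = outer_write(vol, outer_key, big, protect_hidden=True)
    result["hidden_after_protected"] = read_region(vol, hidden_key, HIDDEN_OFFSET, len(secret))
    result["unprotected_write_done"] = outer_write(vol, outer_key, big, protect_hidden=False)
    result["hidden_after_unprotected"] = read_region(vol, hidden_key, HIDDEN_OFFSET, len(secret))
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The two entropy figures come out essentially equal, which is the whole point of the random fill: a byte-frequency test cannot tell the encrypted hidden region from never-used free space, so the size arithmetic proposed in the exchange above has nothing to work with. The last two results show the other side of the coin: the outer filesystem does not know the hidden region exists either, so a large enough write into the outer volume destroys it unless the hidden volume's location is supplied at mount time.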
Re:New encryption scheme
Or just use something like truecrypt where you hide a second encrypted file system inside the first, if you use one key you get the goods, you use another key you just get fake files. If you set it up right there is no way to prove that there is a second set of encrypted data.
-
Re:Steganography
Unfortunately, this won't work. Obviously, there is no reason to use a stego file system other than to hide data. Why? Because there is always certain overhead. The fact that you use a stego file system is a proof that hidden data exists.
It is necessary to use something that can be used in a non-deniable (regular) mode as well as in deniable mode. If you use Windows or Linux, I recommend the open source TrueCrypt. -
Easy solution
Plausible deniability is your friend. At least one good open source encryption package, Truecrypt, implements this feature whereby a ciphertext can have an arbitrary number of (or just one) encryption key(s), each one giving access to a different plaintext, and no mathematically known method of proving which is the "real" key.
So if the cops come around asking for your keys, you could give them the one that decrypts it to harmless family photos. Of course your decoy payload would need to be interesting enough that your adversary is less likely to suspect you're hiding something (e.g. don't use photos of the family dog as the decoy if it's likely you're hiding state secrets; instead your decoy should consist of similar but benign content). -
Re:odd request
Enter TrueCrypt and hidden volumes made for exactly that reason: http://www.truecrypt.org/hiddenvolume.php
-
Actually it is easy to avoid
If the police request your encryption keys, you can actually give them to them (i.e. comply) without actually giving them access to your encrypted files.
All you need is TrueCrypt, which is open source on-the-fly disk encryption software for Windows and Linux.
The software provides something called Plausible Deniability and it is further enhanced by the so-called hidden volume method.
Basically, it is impossible to prove that you have TrueCrypt-encrypted data and you can even supply a key to decrypt a decoy volume containing some not-really-sensitive data. The bottom line, you comply with the law (order to decrypt) and your data stay private. -
Technologies to use...
First off, use Linux. If your OS isn't reasonably secure, all bets are off, and Windows is just too difficult to keep secure for a casual user. With a good Linux distro you're much better off so long as you keep it updated.
Secondly use encrypted filesystems for data you want to keep private. I can recommend encfs for Linux http://arg0.net/wiki/encfs... it's easy to use and can be installed with yum in Fedora. It uses file-level encryption which makes possible incremental backups which retain the encryption.
If you want protection from being forced by a court to give up your key, take a look at http://www.truecrypt.org/ . This is a filesystem that lets you keep multiple levels of data encrypted with different keys, and if you give up one key no one can know that there's more data hidden with another key.
For web browsing use Tor, http://tor.eff.or/. Tor is still under development and may not be secure against a focused attack on you specifically, but at least your ISP won't be able to easily spy on you and your ISP's logs (which as we know are being mass-analyzed by the NSA) won't show anything about your activity. Also Tor is /very/ easy to install and use, especially with Firefox and the FF Tor extension. Also you can use it in combination with Privoxy http://www.privoxy.org/ for some protection against malicious cookies and other tricks used by the sites you access.
Plus, here's a good trick for ensuring that your web browser cache, history, etc., can't be easily searched by someone who gets access to your computer... put them on an encrypted filesystem, as follows. Make a script that mounts an encrypted filesystem (asking for the passphrase), sets your HOME env var to the newly mounted fs, then starts Firefox (which now places its cache there because that's HOME), and unmounts the encrypted fs after Firefox exits. You should do this even if your entire home dir is also on an encrypted fs, because your normal home dir is likely to stay mounted for longer periods of time, so this way you separate the risk levels. And it's easy. An additional little-known trick for this: set the LOGNAME env var to something other than your username to let you run a second copy of Firefox on the same X display (so you can have an "insecure" and a "secure" one running at the same time).
Of course use GnuPG for secure email. The Thunderbird Enigmail extension makes it painless.
You should also give money to the EFF and run a Tor server if you can, to help maintain our ability to have some privacy.
Finally, if you are a hardcore libertarian and/or think we should have a truly free Internet, experiment with FreeNet http://freenetproject.org/ and consider donating to its development. This project ran into some dead ends with scalability but the developers have taken a fresh approach and the new 0.7 dev version looks like it might be the start of something that could get big. They have a full-time programmer working on it paid by donations (and he's so dedicated to the ideal that his salary is the bare minimum he needs to live), so consider donating. (Btw., I'm not a libertarian in the political sense, but I think we need a strong counter-balance to the marching forces of fascism, so I donate to the Freenet project.) :j -
Using a variety of tools...
Firstly, tor with Privoxy and a Firefox plugin that makes it easy to switch between it and a direct connection. Others may use FreeNet, but I personally don't bother.
For IRC, connect using SSL (If you trust the network admins. Even if you don't, still better than nothing) and perhaps through Tor as well. For email, anything PGP-ish.
Also, for protecting my files, I use TrueCrypt. -
Re:We're getting good at FUD too!
If you're concerned about cross-platform compatibility then use user space encryption rather than kernel space encryption.
Kernel-level encryption does not mean whole disk encryption. There is a free open-source on-the-fly disk encryption format that does not have to span an entire disk. It's called TrueCrypt. With it you can encrypt a partition and mount it under Windows and Linux. It can also create virtual file-based drives. -
Truecrypt.
To anyone worried about privacy (and, actually - anyone who ends up using these type of services), may I suggest Truecrypt? I won't use a USB drive without it - and I won't use Gdrive or Livedrive without it either.
Open TrueCrypt, create a new volume as a file (using a strong password), plunk it up on the remote drive, mount the encrypted volume as a local drive letter. And you have an encrypted drive that you can access remotely without Microsoft (or Google) knowing what you have in there. Without the password it looks like nothing more than random data.
I use AES-Twofish-Serpent (yes, TrueCrypt can do multiple layers of encryption) on my USB drive, giving a key size of 768 bits. I'd consider that fairly impregnable to any known codebreaking organisation. -
Re:You'd have to be a fool to use something like t
http://www.truecrypt.org/
Problem solved. -
Re:Striping?
Not so easily. It is unlikely that they will give you block-level access to the drive. That is, you can't format it. However, there is a solution. You just fill the drive with one huge file that contains a virtual disk image, and now you can format that with anything you want, and raid it with other disk images on other servers.
As a bonus, you get disk encryption essentially for free. Here is a great app for Windows and Linux for creating and mounting encrypted drives in a file that I've used to do exactly this (on SMB servers). For those of you using XP, here is a guide on how to hack XP to enable the raid5 features that are disabled in the non-server versions. -
Re:What is the goal?
I've never really contemplated using an online backup service. I suppose I'm far too casual a user to be the "target" for such things, but I've found optical media to be sufficient, taking into account that I often end up regenerating the discs every so often. Although it's more convenient, I still think it's a gamble on whether their backups on their servers are going to be as long-term reliable as my discs in hand, or stored somewhere local and reliable. Add to that the relatively slow throughput of any online connection versus physical media, and I'm just content to go with the "multiple CDs, squirreled about" method.
As for security, if you have a subset of information on your computer that has to be secure, you could use some manner of file encryption on it before you send it up. I'm no expert, but I've been quite happy with the simplicity and security of TrueCrypt (on Windows) of late.
Proprietary formats are always a gamble. For that matter, any format is a gamble. Who's to say the open standard of the month won't get laughed out by the "de facto" standard by the time you want to restore those years-old backups. I suppose the best bet is to save in the simplest format that still preserves the usability information, and keep the software as backed-up and on-hand as the data. -
Re:Encryption?
Even on Windows, using TrueCrypt is really easy. Would be better than nothing.
-
Adding a few more...
* Crimson Editor An amazingly powerful freeware text / script editor.
* uTorrent Is there an open source Torrent Client in under 200k? Does it have RSS searching, bandwidth scheduling, automatic resume, and trackerless support? Yes? Oh, good then.
* As -U- Type. Spell check anywhere. It's a great piece of software, if you can get over the fact that the author barely speaks any English.
* 3 Plane Soft Screensavers. Ok, they're screensavers. And they're a rip off. But damn they're nice.
* Trillian. 'nuff said.
* The Bat! The second best mail client created, behind only KMail.
* IZarc If there were need for zip clients anymore, this would be the one to have. Also handles about 50 other file standards, integrates really well with explorer, is small and efficient, and did I mention free? Best unzipper out there, including the pay options.
* Folder Size Shows you how big your folders are. If explorer were made by Apple, it would do this by default.
* True Crypt Data so secure even it doesn't know if there is more to be found in a file.
* Thumbs Plus Arguably there are a lot of good applications in this space, and there are ones out there with better interfaces. But it is the only thumbnail application I've ever used that can handle upwards of 20,000 files in a single directory. If you take lots of pictures, this is the one.
* DVD Decrypter Recently bought out by Macrovision to shut down its decryptey goodness, DVD Decrypter is really a no-nonsense, no-fuss DVD ripper and burner. Want to rip a movie from a DVD so you can watch it later? One button. Want to rip it back to a DVD? Another button.
* Microsoft Power Toys Nifty stuff from people who both hate and make the operating system.
And remember to use an antivirus, a firewall, and two anti-spyware suites. My personal favorites are AVG Antivirus, Kerio Personal Firewall, Spybot, and Ad Aware. -
Re:Subpoena
If you are an American citizen that is not a secure method. The gov. has the right to request all keys/passwords if a judge has so ordered. You must pass over the key/password or face jail time. The only way to hide information from the gov. is to make sure they don't know it even exists. I ran across this website a while ago and it's just what I'm talking about. http://www.truecrypt.org/
-
Re:This is ridiculous
Truecrypt
Go ahead, seize my computer... -
Re:Encrypt everything.
TrueCrypt can do this with encrypted volumes. You can have it create a hidden volume within another encrypted volume, but using a different password. You can store all your porn in the hidden volume, and all your incriminating stuff in the main volume. When forced to give up your password, give up the password to the hidden volume and they just get a load of porn. Because of the way TrueCrypt is built, it's impossible to tell that there is another volume present, or that the password given is the password to the hidden volume and not the main volume.
-
Truecrypt
Check this out
... a similar idea, already implemented and ready to go. An encrypted volume within an encrypted volume; it's impossible to detect its existence without knowing it's there and the relevant key. -
Re:encryption for FSs
In the UK, you get sent to prison for 2 years if you withhold a decryption password.
There will always be oppressive regimes around, it's in the nature of Man.
In earlier times you were put on the rack until you confessed to heresy against the Church, now you get slammed in prison if you refuse to provide a key to allow men in power to go fishing against you. Only the details have changed, not the substance.
Maybe some small help will come from the direction of TrueCrypt, which offers the hope of some plausible deniability. But at the end of the day, if they want to put you in jail they will, regardless.
Freedom and justice are just a facade, and beneath the thin veneer of social respectability conferred by official positions and titles, the protocols of civilization dissolve rapidly into the old historical nastiness. -
Re:Encryption
Upload truecrypt files
Open source, cross-platform, creates a strongly encrypted file that the program can mount as a real HD, you can mount it on any platform, does transparent encryption (for example in WinXP, it mounts itself with a drive letter, you can throw stuff in directly just as if it were a real drive, and it encrypts as it goes in)
http://www.truecrypt.org/
You can do it in say N meg chunks or something, I guess you'd have to create a new truecrypt partition every time, but I don't really know much about it, just tried it out and it seems neat -
Re:Two-way crime
A much safer method would be to use an app like http://www.truecrypt.org/ with the hidden volume. The keys to the primary volume can be given away to the company and it can contain company confidential docs, while your data is on the hidden volume. That is what I do.
-nB -
Re:Why give everything to google?
That's what things like Truecrypt are for.
Of course the majority of people will not use this and happily hand over all their private information... -
TrueCrypt
TrueCrypt has offered this type of integration in Linux for years.
-
THIS time Microsoft won't abuse us?
The real reason not to buy Windows Vista is that Microsoft has a history of abusing its customers. This version will be secure?
Remember that Windows XP had many problems, besides being extremely vulnerable, until Service Pack 2. I suggest everyone wait until Vista SP2 to evaluate Vista. That would save a lot of time.
Remember the last Microsoft encryption scheme, that is built into Windows XP? No? If you have never heard of EFS, I can tell you why. Many, many people lost all their files because of the bugginess and poor documentation of EFS. EFS doesn't work at all on stand alone computers, unless you think that not being able to have a valid backup is "working". (If you argue with this, you will be arguing with Microsoft technical support, who has verified this more than once. On stand alone computers, EFS encryption is tied to the SID of the OS installation. If you change stand alone computers, you cannot decrypt your files.)
Will you trust your files to encryption by a company whose last version was buggy and poorly documented and lost customer files? (Try TrueCrypt instead.)
Remember that Windows NT, Windows 2000, Windows XP, and Windows Vista are ALL the same operating system, but just new versions. Microsoft renames their products and takes advantage of people with little technical knowledge, who think that they are buying a new product.
Remember that Bill Gates is the Dr. Death of software. HE decides when Microsoft's software is no longer usable, not the customers.
When someone abuses you, never forget. Try not to be involved with habitual abusers.
--
Before, Saddam got Iraq oil profits & paid part to kill Iraqis. Now a few Americans share Iraq oil profits, & U.S. citizens pay to kill Iraqis. Improvement? -
Re:What about the RIP bill?
But what if you actually did forget the password?
After a few rounds of torture anyone would dance ballet and sing "spank me, Charlie", but it wouldn't help retrieve the lost password.
In truecrypt there's a way, however, namely using 2 passwords on the same volume.
When you've created an encrypted volume/disk, backup the header and remember that password (the "admin" pwd).
Change your password to your everyday use (the "user" pwd). If things go bad you can restore the backup and use the admin pwd.
It's still a pwd to remember though.
Truecrypt User Guide page 68. -
Re:What about the RIP bill?
TrueCrypt allows you to give away a password to decrypt dummy data in your encrypted disk, without giving away the true password. They can't prove that the dummy password isn't the real one since it does indeed decrypt data.
See http://www.truecrypt.org/hiddenvolume.php for a more thorough/accurate explanation. -
Re:What's the point when you have RIP?
You can get around RIP through plausible deniability.
TrueCrypt has a brief explanation on its front page. -
Re:What about the RIP bill?
Yes. TrueCrypt can create an encrypted file-system, with a secondary, "invisible" encrypted file-system inside of it.
The only problem? Headers are still going to be visible no matter how you encrypt a file system. While it works fine for fooling someone initially, it won't get rid of anyone who really knows what they're doing, and is really dedicated to tearing apart your HD. -
Re:Obviously you have never used real encryption
I can "recover" your Windows password in all of 10 minutes, so someone with physical access to your computer won't have much of a problem logging in as you and accessing all your encrypted documents. As long as the Windows SAM database continues to leak like a sieve, the level of encryption used on the file system is irrelevant, and "back-doors" are unnecessary. In fact, it could be argued that the poor encryption of the SAM file IS a back door.
That's why I personally use TrueCrypt. It's platform independent and opensource. It's pretty much impossible to brute-force. It won't lose all my data if I have to re-install windows. AND it won't be compromised just because someone gets access to my LANMAN hash. -
Re:What about the RIP bill?
Anybody know of a system that works like that?
Truecrypt. For Windows and free operating systems. http://www.truecrypt.org/hiddenvolume.php -
Criminals will use something else
Like TrueCrypt for instance.
http://www.truecrypt.org/ -
Truecrypt
Let them try.
We have alternatives.
http://www.truecrypt.org/ -
Re:What about GMail?
I use Gmail to hold/transfer files sometimes also, but I always create TrueCrypt volumes to store the files. It makes it secure and it's good for transferring lots of stuff (better than zip, which if it contains any executables won't work with Gmail).
My gmail has like 30 mini encrypted hard drives in it, I love it =P -
Re:Don't Do It
-
Re:We already hear about it
is there a program that can encrypt/decrypt an entire (relatively) small drive with some sort of key system or something?
TrueCrypt is a Free/OpenSource project for Windows and Linux that allows you to encrypt removable devices (and create files as encrypted volumes) easily, and with your choice of open and well-tested algorithms (including AES).
I use this with great success, and would recommend it for Enterprise use in a heartbeat. I have no association with the project, I'm just a thrilled user. -
Encryption
There are always encryption programs that can be used if implemented properly. TrueCrypt (http://www.truecrypt.org/), AxCrypt, bitht from SourceForge. Plus I am quite sure there are a few commercial alternatives that offer support as well. Point is, it's not USB drives that are the problem, it's the lack of a proper usage policy to control how they are used. Requiring all USB drives to be fully encrypted and/or having all data they contain backed up elsewhere would be a good start. It's all about policy and educating your employees on your company's acceptable use policy for such devices.
-
Encryption
Of course getting the users to actually use encryption is another story...
TrueCrypt works pretty good for these situations and it comes with an open source license. The forums contain a lot of tips and tricks for using the application in odd ball situations.
Not affiliated at all, just a satisfied user.