Slashdot Mirror

I work as a consultant and often use Truecrypt on my USB key in traveller mode on sites where I work. The top thing on my wishlist is to be able to run/install Truecrypt on a Windows machine without admin rights.

The issue is described in full here:

[..] In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. [...]

Full release notes can be found here.

You dont need Admin rights with TCexplorer
Ideal for USB key
http://www.codeproject.com/KB/files/TCExplorer.aspx

I work as a consultant and often use Truecrypt on my USB key in traveller mode on sites where I work. The top thing on my wishlist is to be able to run/install Truecrypt on a Windows machine without admin rights.

The issue is described in full here:

[..] In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. [...]

Full release notes can be found here.

You dont need Admin rights with TCexplorer
Ideal for USB key
http://www.codeproject.com/KB/files/TCExplorer.aspx

From the release notes:

Ability to create and run an encrypted hidden operating system whose existence is impossible to prove (provided that certain guidelines are followed). For more information, see the section Hidden Operating System. (Windows Vista/XP/2008/2003)

It appears to work just like a hidden volume (also described in this post).

In other words, you worry to much, these guys are really really smart.

From the release notes:

Ability to create and run an encrypted hidden operating system whose existence is impossible to prove (provided that certain guidelines are followed). For more information, see the section Hidden Operating System. (Windows Vista/XP/2008/2003)

It appears to work just like a hidden volume (also described in this post).

In other words, you worry to much, these guys are really really smart.

Project homepage is here: http://www.truecrypt.org/
Release notes here http://www.truecrypt.org/docs/?s=version-history

(Btw, these links should be in the article, instead of an external (sponsored?) one).

Project homepage is here: http://www.truecrypt.org/
Release notes here http://www.truecrypt.org/docs/?s=version-history

(Btw, these links should be in the article, instead of an external (sponsored?) one).

[..] In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. [...]

Full release notes can be found here.

[..] In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. [...]

Full release notes can be found here.

Can FileVault do this?

Of course not. He's just an Apple fanboy who needs to promote Apple's weak-ass encryption tool whenever someone suggests a non-Apple solution.

As the GGP suggested, OS X users would be better off with the free OS X version of TrueCrypt.

From Dare Obasanjo's excerpts of Sergey Solyanik's blog, about Google: "Everything is pretty much run by the engineering - PMs and testers are conspicuously absent from the process. While they do exist in theory, there are too few of them to matter."

To me, the story lacks sufficient deep analysis to be sure we understand Mr. Solyanik's experiences.

I doubt that very many people are moving from "Do no evil" to "Doing a lot of evil is the only way we know to make a living".

What is Windows Vista but a rather unimportant update to Windows XP, that failed? Microsoft Word has new menus, but changing the menus also means that Microsoft now has two menu arrangement standards in use at the same time, and users must master them both. Internet Explorer version 7 has a third menu arrangement, further breaking the standard with which those who just want to use their computers are so familiar. TrueCrypt developers are talking about suing Microsoft in European court because of anti-trust violations.

Is that the direction successful people want to go?

To understand this story, it's good to know more about Dare Obasanjo, in my opinion. He's intelligent, he's a good communicator, and he has a history of being very effective at promoting himself. To me, his story is just him being himself, and promoting himself to Microsoft. Maybe it is not very indicative of what is happening at Microsoft.

Dare Obasanjo's excerpts of Sergey Solyanik's blog start with, "Last week I left Google to go back to Microsoft".

In contrast, Sergey Solyanik says "There are many things that Google does really well, and I plan to advocate that some of these things be adopted at Microsoft."

Mr. Solyanik went back to Microsoft because he didn't like the openness and lack of structure at Google. He wants more structure. He doesn't want to be a manager, and he doesn't want to decide himself the direction of what he is doing.

Dare Obasanjo's excerpts are misleading, in my opinion. As I said, he seems to me to be promoting himself to Microsoft, rather than understanding anything about why a particular person would quit Google after only a year there and go back to Microsoft. Also, Mr. Solyanik may have been given a very sweet deal; that is not discussed.

Proof that it isn't partly an ad for PGP, when GPG is available.

Do people who don't agree with the policies of the U.S. government really buy their encryption software online, using their credit cards? From a company in Menlo Park, California?

Shouldn't all encryption software be open source? Otherwise, how do you know it is secure? Maybe an unhappy employee built in a back door.

Oh, and TrueCrypt encrypts entire hard drives, including the boot partition.

The mention of political enemies of the U.S. government using closed-source software from a U.S. company makes me wonder about the entire article. Quote from the article: "Files are protected using PGP, or Pretty Good Privacy, a virtually unbreakable form of encryption software that is also used by intelligence agencies around the world."

I'm VERY doubtful about that. The U.S. government, under the present administration, has established that it can require companies to cooperate, and to keep the cooperation secret. That means that any U.S.-made product could be suspect. That's one of the unintended consequences of being sneaky.

http://www.truecrypt.org/
http://w2.eff.org/patent/
http://www.gnu.org/software/gnuradio/
http://www.wikileaks.org/
http://www.cryptome.org/
http://www.torproject.org/
http://freenetproject.org/

TrueCrypt is a standard application fully compatible with Windows XP. You can keep saying it isn't, but it's not going to help you.

http://www.truecrypt.org/
Free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux

Most people know wtf TrueCrypt is, maybe YOU don't. IT is a DISK ENCRYPTION utility. Therefore, it more than a simple WIN32 applicaiton.

Look, freaking look...

Creates a virtual encrypted disk within a file and mounts it as a real disk.

Encrypts an entire partition or storage device such as USB flash drive or hard drive.

Encrypts a partition or drive where Windows is installed (pre-boot authentication).


You are either insane or retarded to think that something that is modifying a volume would NOT NEED more than Win32 ACCESS on NT.

Which means it is NOT JUST WIN32. (Just like it also wouldn't be ONLY Cocoa or KDE on OSX or Linux)

The same is also true of PGP encryption software, which a lot of our clients use in the Insurance industry, and yes the application had to be rewritten to support Vista because of the 'pre-boot' and 'low level (NT) access' it needs to freaking work.

What is really sad is you keep mentioning this like it is a STANDARD Win32 level application, and IT IS NOT. A standard Win32 application would ONLY BE USING Win32 APIs. (Maybe I should give you a lesson on APIs too?)

These applications and their compatibility from XP to Vista HAVE NOTHING TO DO WITH THE UAC in Vista. (The Security system in NT has NOT changed since 1993, it always has been very robust with ACLs and is a token/object based security model. Vista just FORCES it on, and no longer allows applications to run without regard for system security; hence, the freaking need for a UAC system.)

The irony to this conversation is that tools like TrueCrypt and even PGP are becoming obsolete in the Windows world as people move to Vista. NT has had file level encryption for 10 years, and Vista itself added full volume level encryption(called BitLocker), and these two basic aspects of Vista replace the need for tools like TrueCrypt or PGP volume software.

How on earth did you get to SlashDot and a point where you can type by yourself, and NOT REALIZE software that is managing volume encryption would actually use lower level OS functions?

Holy freaking batman crap crazy...

I would start here:System encryption , and System encryption

I would start here:System encryption , and System encryption

It's basically only a matter of time before the fear-mongers and political demagogues in the U.S. and elsewhere outlaw any form of encryption that doesn't include a backdoor for the NSA and other "trusted" government agencies. There has already been evidence of commercial encrytption (such as Windows encryption) including such backdoors. And when the commercial companies all cave, how long do you think it will be before the government comes after the open source projects too?

Use Truecrypt to create an encrypted file container, load your data and email or FTP at your leisure. You can phone the receiving party with the password and they can work with the data in the encrypted file container and neither of you have to worry about losing it, provided they unmount the file container when they're done and don't store the copied data anywhere else. I do it all the time. You can even transfer files back and forth between Windows and Linux with Truecrypt 5. I haven't tried the trifecta with OS X but I'm not seeing any reason that wouldn't work as well.

There really isn't any reason not to use encryption these days.

If you find Truecrypt useful, maybe making a little donation to support development might be nice.

...using TrueCrypt to secure the file then sending it via a secure FTP? It's exceedingly simple to use, and you secure it to your needs. All she has to do is mount the file and type in the password you give her. Tell her you will send the password via another means, and send it via registered mail making sure that there is absolutely no clue on the paper as to what the text means.

I'm sorry, but truecrypt volumes have no header....

Sorry, but TC volumes DO have a header. If you read through the documentation there's a section on backups. In it it states that you should backup your volume headers. Heck, even the GUI in KDE Linux for TC has an option to export or import a volume header.

Here's the link to the documentation on backing up volume headers: http://www.truecrypt.org/docs/?s=backing-up-volumes-and-headers

The principle is that a TrueCrypt volume is created within another TrueCrypt volume (within the free space on the volume). Even when the outer volume is mounted, it is impossible to prove whether there is a hidden volume within it or not, because free space on any TrueCrypt volume is always filled with random data when the volume is created* and no part of the (dismounted) hidden volume can be distinguished from random data.

Using Traveler-Mode you can run the binary from a USB-disk, for example.

trucrypt has a dual password feature with a hidden encryption sector in the main sector. Give the border inquisitor the primary password that unlocks your grandmothers receipe collection - truecrypt claims it's impossible to determine if a second password to a hidden volume exists - the hidden volume is stored in seemingly random data.

or wear more tinfoil, i hear that protects against multiple vectors.

Schneier actually mentions TrueCrypt in his article too. However, strangely, he ignored the single most important feature of TrueCrypt regarding this topic, the plausible deniability. The hidden volume feature is exactly designed to prevent Big Brothers from breaching your privacy.

There are a couple of ways to hide your data; one is to have two Truecrypt volumes, one hidden and one standard. This is easy, but it still lets the customs agent know you are using Truecrypt. This may not be a problem in the US (right now) but what about other countries where simply knowing about a program like Truecrypt could look suspicious?

This post on the Truecrypt forums describes a way to install two OSes, one for show, and one hidden. Unless there is a Truecrypt rescue CD or bootable USB thumbdrive inserted the system will boot to a normal Windows desktop. This method would hold up to any casual sort of inspection, such as those customs agents carry out dozens of times per day. There are a couple of traces that would need to be removed in order to actually have "plausible deniability", but to me not having the questions asked in the first place is preferable to being able to deny one of the potential answers.

It's sad that you might need to do things like this, but there are often technological solutions to social problems.

The whole point of encryption is that it cannot be easily bypassed. The only way to get past the encryption is to decrypt the encrypted information. Now obviously Microsoft may have included back door keys or other mechanisms as "safety valves" for law enforcement, but nobody who is serious about their cryptography is going to trust the Microsoft disk encryption services. The full disk encryption services provided by TrueCrypt (free and open source), for example, are NOT going to be easily defeated by any external technical analysis.

• hardware
  • Limited access to audit encryption implementation, although AES is ridiculously simple to implement
• software
  • Requires unencrypted kernel to be stored on a disk

TrueCrypt will encrypt your entire hard drive if you want it to do so, and a recent case decided that the government cannot force you divulge your password, as that's self-incrimination.

Yes, some of my secret data may or may not be held in a volume hidden inside of the free space of a filesystem within a file hidden away and encrypted with Serpent-Twofish-AES. (TrueCrypt).

Of course, the only information I have held in there is the kind of stuff I wont even describe.

I keep all my porn in a file-backed device encrypted using geli (FreeBSD Handbook page on disk encryption) using a key located inside of an encrypted partition on a usb key so that the USB key must be present to mount the drive.

ND

"... government gets to meet its agenda."

What happens if your laptop is encrypted? Can they tell you how it is supposed to work if the boot code is temporarily disabled? Can they expect you to supply a password? What happens if you carry the laptop hard drive in your pocket?

The free, open source TrueCrypt works with Windows and Linux and now encrypts the boot partition, on the fly, while the the computer is being used.

T.R.U.E. C.R.Y.P.T. D.O.T. O.R.G.

LEARN TO USE TRUE CRYPT or another encryption system TO PROTECT YOURSELF FROM THE PRYING EYES OF BIG BROTHER AGENTS WITH THEIR ARROGANT AGENDA OF PRIVACY VIOLATIONS. DOUBLE ENCRYPT (AT LEAST).

From: http://www.truecrypt.org/docs/

rueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data are automatically encrypted or decrypted right before they are loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. Entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, meta data, etc).

Files can be copied to and from a mounted TrueCrypt volume just like they are copied to/from any normal disk (for example, by simple drag-and-drop operations). Files are automatically being decrypted on-the-fly (in memory/RAM) while they are being read or copied from an encrypted TrueCrypt volume. Similarly, files that are being written or copied to the TrueCrypt volume are automatically being encrypted on-the-fly (right before they are written to the disk) in RAM. Note that this does not mean that the whole file that is to be encrypted/decrypted must be stored in RAM before it can be encrypted/decrypted. There are no extra memory (RAM) requirements for TrueCrypt. For an illustration of how this is accomplished, see the following paragraph.

Let's suppose that there is an .avi video file stored on a TrueCrypt volume (therefore, the video file is entirely encrypted). The user provides the correct password (and/or keyfile) and mounts (opens) the TrueCrypt volume. When the user double clicks the icon of the video file, the operating system launches the application associated with the file type - typically a media player. The media player then begins loading a small initial portion of the video file from the TrueCrypt-encrypted volume to RAM (memory) in order to play it. While the portion is being loaded, TrueCrypt is automatically decrypting it (in RAM). The decrypted portion of the video (stored in RAM) is then played by the media player. While this portion is being played, the media player begins loading next small portion of the video file from the TrueCrypt-encrypted volume to RAM (memory) and the process repeats. This process is called on-the-fly encryption/decryption and it works for all file types, not only for video files.
Note that TrueCrypt never saves any decrypted data to a disk - it only stores them temporarily in RAM (memory). Even when the volume is mounted, data stored in the volume is still encrypted. When you restart Windows or turn off your computer, the volume will be dismounted and files stored in it will be inaccessible (and encrypted). Even when power supply is suddenly interrupted (without proper system shut down), files stored in the volume are inaccessible (and encrypted). To make them accessible again, you have to mount the volume (and provide the correct password and/or keyfile).

http://www.truecrypt.org/

I'd like to see them search my laptop.

I highly recommend using truecrypt and incorporating a hidden volume. That way if you need to divulge a password, you can just give them one that allows access to a volume that doesn't have the sensitive data they are looking for.

I think he wanted to continue using the laptop himself as well. I don't think "it's an anti theft device" will go very far when picked up by police, customs or those lovely TSA people.

The latter may even decide to check for more hiding places. Do you really want to invite the rubber glove treatment?

As for solution, there are forensic identity marking kits available. They're like a special liquid (also comes in a microdot form), and it comes with warning stickers. The stuff is nigh impossible to remove, it proves who the owner is and if you sell the laptop you just update the registration. And as someone else said, stick crypto on it so the data isn't vulnerable. You can do that in archive or bootup form with the latest version of Truecrypt (5.1a).

The only risk left is someone stealing it specifically for the reward :-)

I think your problem would be solved by selectively encrypting the data you need instead of encrypting the entire HD. Most security checks are satisfied by being able to boot fully. Keep a second encrypted volume with all of your sensitive data instead. Here's an example of using TrueCrypt to create a hidden volume inside of a encrypted drive: http://www.truecrypt.org/docs/plausible-deniability.php

There's always Truecrypt.

You could always TrueCrypt encrypt the contents of your drive to guard against seizure efforts without hampering your own use of the system.

For the love of convenience, sanity, and saving money, just use any flash memory drive and TrueCrypt.

"Free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux"

Would something like TrueCrypt, where you can easily look at the source, be a better solution? At the very least, it could avoid problems like these.

If she had sensitive data on there, she should have pulled the HD first.

A non-tech person removing a hard drive... from a laptop... and voiding her warranty, sure, she should have done that, no doubt!

In related news, I'm glad that TrueCrypt 5 has been released. Might be useful whenever you send your laptop for repair and you don't want the world to know what data you have stored.

http://www.checkpoint.com/products/datasecurity/pc/index.html

Hell...

http://www.truecrypt.org/docs/?s=system-encryption

I wonder when stupidity actually became an asset in our society.

Guess you haven't heard of TrueCrypt? It does exactly what you are talking about, except better. http://www.truecrypt.org/

I much prefer KeePass, which I store in TruCrypt on a thumb drive (also backed up in multiple locations).

Also, full-disk encryption with the recent Truecrypt 5.0 might be of use.

http://www.truecrypt.org/

Also record their badge numbers, names and ranks. Their work locations and another other information such as what they said. Document, document. Then communicate your interactions with the puppets of Big Brother State Power, the officers and other agents of State Terrorism in action against 99.999999999% of people who are NOT terrorists. By communicating each incident in detail the terrorism of State Power can be revealed and potentially checked (limited).

This is *exactly* why truecrypt has hidden volumes. And there is no way - I mean, mathematically no way - to tell if a hidden volume is actually there. So you give them the password to the parent volume, which (if you're smart) you've filled with innocent-looking data.

Actually, the docs are pretty clear about this (from http://www.truecrypt.org/docs/hibernation-mode.php): "Note: If your system partition/drive is encrypted by TrueCrypt, the TrueCrypt driver automatically prevents Windows from hibernating the computer (for information on how to encrypt the system partition/drive, see the chapter System Encryption)."