TrueCrypt 5.0 Released, Now Encrypts Entire Drive
A funny little man writes "The popular open source privacy tool, TrueCrypt, has just received a major update. The most exciting new feature provides the ability to encrypt an entire drive, prompting the user for a password during boot up; this makes TrueCrypt the perfect tool for non-technical laptop users (the kind who are likely to lose all of that sensitive customer data). The Linux version receives a GUI and independence from the kernel internals, and a Mac version is at last available too."
It is also, of course, impossible that it encrypts the *entire* disk. It may encrypt all the partitions your running system uses, but unless your BIOS has encryption support (which it doesn't), you can't have an encrypted boot partition.
Here it is
In Windows at least (not sure with the other versions), you can set it to dismount mounted volumes whenever certain ACPI events (lid closing, suspend or hibernate etc.) happen.
This forces you to re-enter your password to access the volume.
Of course, you should have an option in your OS to ask you for your login password whenever you close and then open your lid as well.
I wank in the shower.
Yes, they can recover key and encryption algorithms from the unencrypted boot sector. But if they can crack you simply by knowing the unencryption program, you're boned anyways. What they *can't* recover, assuming that your encryption vendor hasn't screwed up, is your key. And without that, they can't read your encrypted partitions. If they've done it right, it's secure. Somebody in possession of your laptop but without your passphrase cannot read the disk, no matter what he does, except for the boot partition, and there won't be any useful data there. I don't use Truecrypt and haven't researched them, so I can't guarantee that they did it right (look at WEP, where they managed to botch the encryption for a major standard, resulting in it having to be replaced by WPA). I believe every laptop should be "whole disk" encrypted--it's just too easy for a laptop to disappear. I run debian on my laptop, so I used cryptmount to encrypt my disk. If you're not encrypting your laptop's disk, you definitely should be. A brief glance over some recent news stories should tell you why.
No. Encryption imparts serious performance penalties. Normally, things like DMA allow you to transfer data directly from your disk to your RAM, another disk, or another device. With encryption, every bit must pass through the CPU to do crypto on it. In some cases, that is a very noticeable delay. At our company, that delay was too long for some purposes, so I had them use DriveLock instead, which has no performance penalty.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Of course you can. You just can't have an encrypted MBR... unless you boot from a floppy or a USB drive you keep on your person, or something like that. Note that BIOS limitations can also be circumvented with LinuxBIOS.
I would like to encrypt my entire laptop drive, but I'm not going through all the trouble if it's just another easy layer to break through. Any TrueCrypt experts out there?
I am not a TrueCrypt expert, but I follow the discoveries of the crypto community. It seems TrueCrypt is highly respected. While it cannot defeat a (hardware, in this case) keylogger, the crypto used seems to be strong crypto implemented according to current standards. Not a snake-oil product with home-rolled ciphers or "passwordless" security or such nonsense. At the moment, nobody admits to being able to break it, and I am not aware of instances that indicate it has been broken. And, unlike many other products, it is widely used. Personally I would say it is on a level with PGP/GnuPG/dm-crypt/LUKS with regard to the security level offered.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
5.0
February 5, 2008
New features:
* Ability to encrypt a system partition/drive (i.e. a partition/drive where Windows is installed) with pre-boot authentication (anyone who wants to gain access and use the system, read and write files, etc., needs to enter the correct password each time before the system starts). For more information, see the chapter System Encryption in the documentation. (Windows Vista/XP/2003)
* Pipelined operations increasing read/write speed by up to 100% (Windows)
* Mac OS X version
* Graphical user interface for the Linux version of TrueCrypt
* XTS mode of operation, which was designed by Phillip Rogaway in 2003 and which was recently approved as the IEEE 1619 standard for cryptographic protection of data on block-oriented storage devices. XTS is faster and more secure than LRW mode (for more information on XTS mode, see the section Modes of Operation in the documentation).
  Note: New volumes created by this version of TrueCrypt can be encrypted only in XTS mode. However, volumes created by previous versions of TrueCrypt can still be mounted using this version of TrueCrypt.
* SHA-512 hash algorithm (replacing SHA-1, which is no longer available when creating new volumes).
  Note: To re-encrypt the header of an existing volume with a header key derived using HMAC-SHA-512 (PRF), select 'Volumes' > 'Set Header Key Derivation Algorithm'.
Improvements, bug fixes, and security enhancements:
* The Linux version of TrueCrypt has been redesigned so that it will no longer be affected by changes to the Linux kernel (kernel upgrades/updates).
* Many other minor improvements, bug fixes, and security enhancements. (Windows and Linux)
If you are using an older version of TrueCrypt, it is strongly recommended that you upgrade to this version.
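To make the two crypto items in that changelog concrete (XTS sector encryption and header-key derivation with HMAC-SHA-512 as the PBKDF2 PRF), here is an added, self-contained Python example. It is not TrueCrypt's code: the block cipher is a constructed Feistel toy standing in for AES so the script runs with only the standard library, the iteration count and salt are constructed values, and the derived key is used directly as the XTS key pair, whereas a real TrueCrypt header key decrypts the volume header that holds the master keys. The tweak arithmetic is the IEEE 1619 construction (T = E_k2(sector), block j uses T times alpha^j in GF(2^128)).

```python
import hashlib
import hmac

BLOCK = 16  # XTS works on 128-bit blocks (the AES block size)


def derive_header_key(password: bytes, salt: bytes, iterations: int = 1000, length: int = 64) -> bytes:
    """Header-key derivation with HMAC-SHA-512 as the PBKDF2 PRF.

    The iteration count is a constructed parameter for this example. The salt
    is stored in the clear in the volume header; the password never is, which
    is why possession of the header (or boot loader) alone does not yield the key.
    """
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, length)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher: 4-round Feistel with an HMAC-SHA-256 round function.

    Constructed only so the example runs without a crypto library; NOT AES, not secure.
    """
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt (rounds applied in reverse order)."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        f = hmac.new(key, bytes([rnd]) + left, hashlib.sha256).digest()[:8]
        left, right = _xor(right, f), left
    return left + right


def _mul_alpha(tweak: bytes) -> bytes:
    """Multiply the tweak by alpha in GF(2^128): little-endian, polynomial x^128+x^7+x^2+x+1 (IEEE 1619)."""
    n = int.from_bytes(tweak, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(16, "little")


def xts_sector(k1: bytes, k2: bytes, sector: int, data: bytes, encrypt: bool) -> bytes:
    """XTS over one sector: C_j = E_k1(P_j xor T_j) xor T_j with T_j = E_k2(sector) * alpha^j.

    Identical plaintext at different sector/block positions yields different
    ciphertext, and every block is independently addressable (no chaining),
    which is what makes the mode suitable for random-access disk storage.
    """
    if len(data) % BLOCK:
        raise ValueError("sector length must be a multiple of the block size")
    tweak = toy_block_encrypt(k2, sector.to_bytes(16, "little"))
    core = toy_block_encrypt if encrypt else toy_block_decrypt
    out = bytearray()
    for j in range(0, len(data), BLOCK):
        out += _xor(core(k1, _xor(data[j:j + BLOCK], tweak)), tweak)
        tweak = _mul_alpha(tweak)
    return bytes(out)


def split_keys(key_material: bytes):
    """XTS needs two independent keys: k1 for the data blocks, k2 for the tweak."""
    return key_material[:32], key_material[32:64]


def demo() -> dict:
    # Constructed inputs: a demo password and a fixed salt (a real header uses a random salt).
    salt = b"\x01" * 64
    k1, k2 = split_keys(derive_header_key(b"correct horse", salt))
    plain = b"A" * 512  # one 512-byte sector of identical bytes
    c0 = xts_sector(k1, k2, 0, plain, True)
    c1 = xts_sector(k1, k2, 1, plain, True)
    back = xts_sector(k1, k2, 0, c0, False)
    wrong_k1, wrong_k2 = split_keys(derive_header_key(b"wrong horse", salt))
    garbage = xts_sector(wrong_k1, wrong_k2, 0, c0, False)
    return {
        "roundtrip_ok": back == plain,
        "sectors_differ": c0 != c1,
        "blocks_within_sector_differ": c0[:16] != c0[16:32],
        "wrong_password_garbage": garbage != plain,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from running it: the same all-'A' sector encrypts differently at sector 0 and sector 1, and even the blocks inside one sector differ, because the tweak changes per position; and a wrong password derives a different key pair, so the ciphertext decrypts to garbage rather than to a recognisable error. Swap the toy cipher for AES-256 and raise the iteration count substantially before treating any of this as more than an illustration.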
==============
System Encryption
TrueCrypt can on-the-fly encrypt a system partition or entire system drive, i.e. a partition or drive where Windows is installed and from which it boots (a TrueCrypt-encrypted system drive may also contain non-system partitions, which are encrypted as well).
System encryption provides the highest level of security and privacy, because all files, including any temporary files that Windows and applications create on the system partition (typically, without your knowledge or consent), swap files, etc., are permanently encrypted. Windows also records large amounts of potentially sensitive data, such as the names and locations of files you open, applications you run, etc. All such log files and registry entries are always permanently encrypted as well.
System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first cylinder of the boot drive.
Note that TrueCrypt can encrypt an existing unencrypted system partition/drive in-place while the operating system is running (while the system is being encrypted, you can use your computer as usual with
Oh, I forgot to mention. According to their website, TrueCrypt can encrypt the boot partition even after the OS is installed, even with Windows.
Basically, you install it, then you ask it to encrypt the whole disk. It will install the boot code to ask the password and decrypt the partition before loading the OS, and then it will start encrypting your partition in the background, you may continue using the OS. You may even reboot the machine, it will boot correctly and continue encrypting from where it stopped. If it really works as they say it does, this version is indeed amazing.
FYI, http://www.truecrypt.org/downloads.php links to http://truecrypt.sourceforge.net/downloads/TrueCrypt%20Setup%205.0.exe.
TrueCrypt requires that you burn a Rescue Disk before encrypting your boot partition. It saves a 2-meg ISO to 'My Documents' and gives you links to free burning software. It won't let you proceed without the burned CD in the drive. The rescue disk can be used to restore the boot loader (which has the password-encrypted keys, etc) in case of corruption, but it also has a 'Decrypt entire disk now' option. If you need to boot from a BartPE, you can decrypt your whole disk, then boot from the BartPE.
They've really thought this through. I've gotta hand it to the people at Truecrypt.org. I'm impressed, especially considering this is the first release of their whole disk encryption product.