TrueCrypt 6.0 Released

ruphus13 writes "While most of the US was celebrating Independence Day, the true fellow geeks over at TrueCrypt released version 6.0 of TrueCrypt over the long weekend. The new version touts two major upgrades. 'First, TrueCrypt now performs parallel encryption and decryption operations on multi-core systems, giving you a phenomenal speedup if you have more than one processor available. Second, it now has the ability to hide an entire operating system, so even if you're forced to reveal your pre-boot password to an adversary, you can give them one that boots into a plausible decoy operating system, with your hidden operating system remaining completely undetectable.' The software has been released under the 'TrueCrypt License,' which is not OSI approved."

More filesystems

[toQDuj]

Well, I hope that it now supports more filesystems, because mucking about with FAT on MacOS X didn't appeal to me last time.

Local admin rights on Windows

[millwall]

I work as a consultant and often use Truecrypt on my USB key in traveller mode on sites where I work. The top thing on my wishlist is to be able to run/install Truecrypt on a Windows machine without admin rights.

The issue is described in full here:

[..] In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. [...]

Full release notes can be found here.

Re:Local admin rights on Windows

[TheLink]

You don't mind exposing your secrets to a machine you don't have control over (and thus should not trust)? I don't recommend it.

You should copy the files that you don't mind exposing, to the unencrypted partition of the USB key or a different no crypto USB drive.

Re:Local admin rights on Windows

[Jah-Wren+Ryel]

You don't mind exposing your secrets to a machine you don't have control over (and thus should not trust)? I don't recommend it.

You should copy the files that you don't mind exposing, to the unencrypted partition of the USB key or a different no crypto USB drive.

Obviously his specific use for truecrypt is to protect data in transit, should he lose the USB drive.
I think that's a very common scenario.
Your 'solution' completely negates the value of that use of truecrypt.

Re:Local admin rights on Windows

[EvanED]

You don't mind exposing your secrets to a machine you don't have control over (and thus should not trust)? I don't recommend it.

I'm not the OP, but this is being sillily unreasonable.

For instance, I don't have admin rights on the computer in my office. So maybe I don't want to trust this computer entirely. But if I'm walking back and forth with my USB key most days, the major threat is me leaving the key sitting on the bus seat or something like that, not information being stolen while I'm on the work computer.

It's not like just because you don't control a computer you don't trust it at all, or that just because something is in a TrueCrypt volume it's extremely sensitive.

Re:Local admin rights on Windows

[Atti+K.]

For instance, I don't have admin rights on the computer in my office. So maybe I don't want to trust this computer entirely.

I do have admin rights to my computer at the office, but I don't trust it 100%. Why? Because any network admin in the company also has admin rights on it. And of course it was not installed by me, and runs some of their custom stuff...

Re:Local admin rights on Windows

[subreality]

I'm not the OP, but this is being sillily unreasonable.

Not necessarily. Do you consider your data safe in the hands of everyone who has admin rights to the machine? Do they keep the machine patched and secured to a level appropriate for your secrets?

The answers to these questions depend on your threat model.

Re:Local admin rights on Windows

[clone53421]

Shares ending in $ are hidden... it's hardly obvious when a new one is created. That said, if someone was adequately nosy (or suspicious), guessing random drive letters might still get them into your new shared volume.

Re:Local admin rights on Windows

[khellendros1984]

The whole point of encryption is to make the algorithms as well-known as possible. After all, *anyone* can create encryption strong enough that they don't know how to break it. What you want is to have the smartest possible people looking at your code, to make sure someone above you hasn't found something sneaky that you didn't think of.

Only works if it's default install

[TheLink]

All this crypto stuff only works well if it's part of the default install and config.

Otherwise users get exposed to "rubberhose cryptography".

Basically if all users even Joe Sixpack get an encrypted partition by default, then people using crypto will be safe - they have plausible deniability.

Re:Only works if it's default install

The answer is hidden partition + shemale porn.

Give out the key to the shemale porn partition. No one would blame you for keeping that under encryption...unless of course, you are in a country where having shemale porn is punishable by death.If you have a girl friend (big if) take some semi nude photos of you and her. Very private stuff. Reasonable to keep encrypted..

and so on.

It's simply a matter of coming up with a good excuse in advance and preparing for it.

If you *really* are worried about a prison/torture/interrogation situation, just add layers. Like a terrorist who expects to be tortured for information, make up several plausible stories with lots of detail.

Initially, while you still have your strength you hand out layer after layer of well rehearsed bullshit. When you break, if the internal consistency is good enough the interrogators will have serious trouble determining if you have broken and is now telling the truth, or if you have broken, and is telling them what they want to hear.. or you may not have broken and is feeding another layer of bullshit.

The drawback of this approach is that you will be tortured even more, but your secrets can remain obscured if not hidden.

Re:Only works if it's default install

[TheLink]

Get a clue.

Does Joe Sixpack's computer come with Truecrypt? Does it come with a truecrypt container preinstalled?

The answer is NO.

So if the wrong people find Truecrypt on your computer guess what happens to you. If you say "Nothing" well: "Wrong answer!". They may give up after a few days of giving you the treatment, but it still means you get the treatment.

Whereas if everybody had truecrypt AND an encrypted partition, they could a) try to waterboard everyone, b) wait till they have more evidence.

And that is why I reported this bug/feature request: https://bugs.launchpad.net/ubuntu/+bug/148440

Encryption must appear to be in _use_ by default by all users, then you get safety in numbers. When even your grandma using Ubuntu has a crypto partition, things are better for the people actually using it.

Re:Only works if it's default install

[|DeN|niS]

Stop being an idiot and read up on it. You can *not* tell. And it certainly does not show up as free space. You can *not* prove OR disprove the existence of another hidden partition. Period. "Trained to look for it", oh please.

Re:Only works if it's default install

[patro]

"There is no way of knowing if that second hidden volume exists unless you have both passwords."

Plausible deniability is not really working here, since it is one of TrueCrypt's main features, so if one has TC installed then it's pretty obvious he wants to hide something.

If one installs TC by choice then he surely doesn't do it just to have it eat up some unused harddisk space.

Re:Only works if it's default install

[auric_dude]

I followed this back to the Ubuntu bug report 148440 and see that a comment has been added https://bugs.launchpad.net/ubuntu/+bug/148440/comments/4 that I think says it all.

Re:Only works if it's default install

[Minwee]

I have no hidden volume. I use truecrypt as a simple and easy way to keep my clients personal data secure.

No, I'm quite positive that you do have a hidden volume. It's where you're storing all of your terrorist secrets, and unless you reveal the password then this ballpeen hammer has a date with your fingers.

Still don't want to talk? Maybe you just need a little more electricity.

We'll stop when you are able to prove to the nice men who are protecting your country that you _don't_ have a hidden encrypted partition, and then they will let you go.

Re:Only works if it's default install

[vux984]

Unless it has a password that will *securely* wipe the hidden volume when entered, then it only has an illusion of a defence against that which is in reality no more than another example of security by obscurity.

Worse thant that, anyone with half a clue will be working on a clone of the original drive. No point in needlessly potentially damaging evidence. So if your dealing with someone competent, and who has time on their hands to do things right, a secure erase panic password will buy you nothing.

Re:Only works if it's default install

[TheLink]

Just change 1) in the original bug report from:

" Have crypto tools installed by default (if the user does not select the "use of encryption is illegal in my country" checkbox)."

to

" Have crypto tools installed by default (if the user does not select the "don't install encryption" checkbox)."

If the UK courts are going to jail your grandma just because she has an Ubuntu install with a container she has no key too, then I think grandma is living in the wrong country - in the old days the UK courts had the "Reasonable Man" thing, maybe now things have changed.

I see it more as a bug in the UK law than a bug in my proposal.

Re:Only works if it's default install

[eht]

Simple reason why I had seeks to an area that looks empty, it's because I *used* to have files there before I deleted them, then since I'm savvy enough to use Truecrypt, I ran one of those wipe programs that overwrites it with garbage, hence what you see if you look at the drive forensically, garbage.

I came up with that in the time it took to read your post.

Re:Only works if it's default install

[pla]

No, I'm quite positive that you do have a hidden volume. It's where you're storing all of your terrorist secrets, and unless you reveal the password then this ballpeen hammer has a date with your fingers.

Although you have something of a point, I think all those damned trees have blocked your view of the forest.

Very, very few of us use TC because we fear having our fingers broken to discover our secrets. We use it to keep client data safe from accidental loss; we use it to store personal info on shared machines at work; we use it to protect our financial records on home PCs from possible compromise. We may even use it to hide some questionably legal material, but generally nothing that will cause us to vanish one night and wake up in Jordan with a date with a rusty drillbit.

In theory, yes, I absolutely agree with you that easy-to-use encryption should come preinstalled everywhere. In practice, plausible deniability works well enough in the Western world that I simply don't care whether or not the NSA could theoretically detect whether or not I have a hidden TC volume.

Sad

[ebonum]

It's sad. I often travel between the US and China on business ( I live on the China side ). I've always been careful with sensitive data, but now I'm absolutely fascist. Why? I have no fear of the Chinese government. Besides, I work for a Chinese company. I fear my own country illegally accessing files to which they have absolutely no rights whatsoever.

Honestly. If someone works for the US government, pulls some CEO's laptop at the boarder for "inspection" and gets free access to all the company financials, would they do the right thing? How many semi-intelligent people wouldn't be tempted to start buying stock options or call their best friend with a really good "tip"? Even if they SEC investigated, they would never find the link.

Over the last several years, I've always been treated very respectfully inside China and going to and from. It is in the US, my own country, where I'm treated as if I'm already guilty.

Back to the topic at hand. TrueCrypt is a wonderful product. Everyone should be using it.

Re:Sad

[Gulthek]

If next time you enter China the border officers did decide they are going to take your laptop away, what could you do about it?

What could you do if your laptop gets taken at the US border? File a complaint? Woot.

Chiming in with the GP here, I feel much safer and much better treated going into China than going into the US. There I am treated as though I am an actual person, here I am treated as though I am an annoyance.

If DHS gets their way, we'll be treated worse than that. DHS wants to require all airline passengers to wear a taser bracelet

Independence day?

[Atti+K.]

While most of the US was celebrating Independence Day, the true fellow geeks over at TrueCrypt released version 6.0 of TrueCrypt over the long weekend.

That might not be just a coincidence.

Re:Breaking volumes

[Splab]

You know, if law enforcement "fucked up your volume" as you so nicely put it, they have just destroyed whatever evidence you where trying to hide. So why would anyone using true crypt have a problem with that?

Re:Breaking volumes

[mrvan]

AFAIK, yes, if you fill the decoy volume it will kill your hidden volume.

which makes you wonder how long it'll be until a tool is developed for law enforcement specifically designed to fuck up these volumes.

They can only do that if they've confiscated your laptop *and* acquired your 'decoy' password. At that point, your only concerns are they not getting your data and you being able to deny the data is there in the first place.

Somebody deleting all your sensitive files is not a bad thing to happen at that point.

Re:This message will self destruct in 5 seconds...

[Capt.+Skinny]

True, a lot of comments here refer to hypothetical situations using over-generalized terminology. But worrying about being forced to give out your password is indeed a legitimate concern.

ebonum describes one example in his "Sad" comment, although his specific concerns probably don't apply to very many of us. A more likely example, however, is if you become the target of a civil suit or a suspect in a criminal case; if (in the US) your computer equipment is seized by law enforcement and they ask for your encryption password, you could face additional criminal charges if you don't give it to them. Now, suppose that you're innocent, or don't feel like rolling over for a tort claim made with malicious intent. Do you really want to hand over all your private data to some cop or investigator who has no business accessing it? It's not as unlikely as you may think.

So yeah, "adversary" is probably a bad word choice, and those who made references to waterboarding are probably fair targets for sarcasm, but the geeks out there are putting together solutions to meet the valid and reasonable needs of the community.

It's not a silver bullet but it's good enough...

[mrboyd]

I have started using TrueCrypt a few months back after my laptop got stolen. I keep two encrypted files on my laptop, one contains my personal stuff like passport scan, bank information etc. and the other the work related important documents such as internal&confidential documents, client information etc. I have buried those files in the system folder and given them name that could pass for system temp files.

I keep a copy of both on a USB key drive and on an external hard drive which never leave my home. As well as a non-encrypted copy because I'm still wondering what happens to that encrypted file if I happen to have a fucked up cluster on the drive at some point.

The rational for using encryption is not that I am afraid of the local authorities, there is nothing on my computer that would cause me any long lasting trouble, despite the fact that I live and work in a limited freedom area (Middle East), but simply to avoid opportunity theft.

For example I can't recall how many time one of my clients or partner handed me a usb key drive containing all his companies financial statement, bank account number, internal price list with profit margin, internal memo, personal info and the wifey's naked picture so that I could copy them a few documents and then forgot about the keydrive because we kept chatting.

Sometime I too need to get some files from them and I don't want to look like I'm watching them while they dig around my keydrive. I now know that everything a casual observer should not see is encrypted so I don't mind throwing my key drive over the table to someone I don't know.

I don't understand the paranoid people here who believes in plausible deniability, decoy drive and other such thing. I also wonder if the same people only use their computers in safe room with controlled EM environment and bullet proof shade.
I didn't know either that so many people carried state secrets around international airports. To those I will say that if the NSA/FSB/Interpol/MI4/Mossad/Mafia or even the local police wants the content of your drive they will get it. period. It doesn't matter what you do. Unless of course you also work for one of the aforementioned in which case you might have been trained to accept that your life is worth less than the content of said drive.

I have never been subjected to physical or psychological torture (aside from clients and some ex-gf of course) but I am not Jack Bauer and I would "come clean" very quickly. I would give the real password, not the decoy, because I believe consequences would certainly worsen my situation if my interrogators were not convinced.

I am also pretty sure that the simple sentence: "The accused has so far always refused to give his encrypted drive password." would certainly help convincing a jury beyond "reasonable doubt" (In countries where such thing even exists).
Some people here should start to seriously look at themselves and wonder if what they are trying to hide is really worth it or if it's just about mommy not finding their downloadable girlfriend picture collection.

Non-geek friendly

[Mick+Malkemus]

I'm not very geeky, but I can use this program. The instructions, which are 117 pages, are pretty straightforward. With hackers (they type I don't respect) becoming more sophisticated by the day, it's nice to know it will take them many years to break my financial information. If they have that type of time, they're probably behind bars.

Who said it's torture-proof?

[argent]

If you have to worry about it being torture-proof, you're almost certainly dead anyway.

All it needs to be, for most people, is audit-proof.

And for that you need a business case for having it. Porn is probably not a good choice.

Multi-core support

[technienerd]

No one seems to be commenting about the new features of this release but simply on TrueCrypt in general. Am I the only one excited about the multi-core/processor support? Finally a piece of systems level software that scales with the number of cores! Makes getting a multi-core processor all the more worthwhile.

An open letter to all the paranoid freaks...

[jockeys]

Dear paranoid freaks,
if you are so concerned about getting captured and tortured for normal/hidden/hidden(hidden)/hidden(hidden(hidden)))/ad naseum passphrases, then quit having digital copies of your stuff in the first place.

99% of the TrueCrypt userbase is just fine using it on jump drives to keep stuff secure from the guy who finds it when you lose it on the train/plane/whatever.

Quit making up impossible "movie scenarios" (there, I used a Schneierism, you HAVE to respect me now!) about how gov't agents are going to come in black helicopters for your fetish vids and the 200 page backstory you wrote for a character you rolled in middle school. No one cares.

Yours truly,
-Reality.

Re:An open letter to all the paranoid freaks...

[Hatta]

You forget that the US is currently waging war on its own citizens in the form of the War on Drug Users. There are many people out there who are doing nothing but growing plants and consuming them in the privacy of their own home, for whom there is a real risk of government agents with black helicopters taking them and their data. That is the reality we live in.

Re:An open letter to all the paranoid freaks...

[Shihar]

I think you miss the point of things like multiple passwords with volumes hidden in volumes, and it doesn't involve being able to resist torture. Resisting an audit, legal threat, or annoying security agent is a more likely scenario.

I would be willing to bet that a non-trivial number of people who something illegal on their computer from pirated versions of software, "hacking tools", pirated entertainment, pr0n illegal in one country or another, etc. The ability to effectively resist being compelled (with legal threats, not hot irons) to prove you have it is a valuable thing.

Even something as simple as not wanting to show a border agent your pr0n collection or hiding sensitive data (corporate, personal, embarrassing foot fetish videos) is enough reason to have two passwords. Instead of putting up a stink about how it is unfair or you can't give up customer information, you shrug, give them a password to a clean drive, and even if they were paranoid enough to clone the entire thing they get nothing but a clean system with data hidden in noise that the NSA would struggle to decrypt. Eh, you could fight it out with the border agent, but I personally would rather smile, comply, and feel secure in knowing my companies data and pr0n of my girlfriend is still sitting snuggling amongst some random noise unknown to the border agent.

If you want to venture off into the slightly more paranoid realm, realize that you might not be encrypting for today. You might be encrypting to defend against an entity (government, corporate, UFOs, whatever) in the future. Forget applying laws retroactively, just imagine over the course of your life, how many computer laws have you broken. If someone was to go back and nail you for each and every single one, how many years in jail and millions of dollars would you be on the hook for? What laws have you violated that are legal in one places and illegal in another? A 16 year old kid who has watched two girls and one cup, has a 2 gig MP3 collection, a foot fetish pr0n collection, and a pirated version of Half Life is probably technically on the hook somewhere for a stoning and a 2 billion dollar fine.

There are good solid paranoid (OMG the black helicopters) and non-paranoid (I really don't want this border agent to see client information and my wife's nude pictures) reasons to go for crypto. Personally, I think that if you are crossing national borders and have anything on your computer you wouldn't feel happy showing to any client or any security agent of any nation you travel to, you are being a little foolish.

Re:first

[mikeasu]

Not a replacement cipher - Caesar cipher with a shift of 13.

Re:That might betray the presence of a hidden volu

[PRMan]

Since I didn't understand anything you just said, and I'm a C# Programmer who has Ubuntu installed on a few machines, I highly doubt the $10/hour lunk at the airport is going to notice...