TrueCrypt 6.0 Released

ruphus13 writes "While most of the US was celebrating Independence Day, the true fellow geeks over at TrueCrypt released version 6.0 of TrueCrypt over the long weekend. The new version touts two major upgrades. 'First, TrueCrypt now performs parallel encryption and decryption operations on multi-core systems, giving you a phenomenal speedup if you have more than one processor available. Second, it now has the ability to hide an entire operating system, so even if you're forced to reveal your pre-boot password to an adversary, you can give them one that boots into a plausible decoy operating system, with your hidden operating system remaining completely undetectable.' The software has been released under the 'TrueCrypt License,' which is not OSI approved."

More filesystems

[toQDuj]

Well, I hope that it now supports more filesystems, because mucking about with FAT on MacOS X didn't appeal to me last time.

Local admin rights on Windows

[millwall]

I work as a consultant and often use Truecrypt on my USB key in traveller mode on sites where I work. The top thing on my wishlist is to be able to run/install Truecrypt on a Windows machine without admin rights.

The issue is described in full here:

[..] In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. [...]

Full release notes can be found here.

Re:Local admin rights on Windows

[TheLink]

You don't mind exposing your secrets to a machine you don't have control over (and thus should not trust)? I don't recommend it.

You should copy the files that you don't mind exposing, to the unencrypted partition of the USB key or a different no crypto USB drive.

Re:Local admin rights on Windows

[Jah-Wren+Ryel]

You don't mind exposing your secrets to a machine you don't have control over (and thus should not trust)? I don't recommend it.

You should copy the files that you don't mind exposing, to the unencrypted partition of the USB key or a different no crypto USB drive.

Obviously his specific use for truecrypt is to protect data in transit, should he lose the USB drive.
I think that's a very common scenario.
Your 'solution' completely negates the value of that use of truecrypt.

Re:Local admin rights on Windows

[EvanED]

You don't mind exposing your secrets to a machine you don't have control over (and thus should not trust)? I don't recommend it.

I'm not the OP, but this is being sillily unreasonable.

For instance, I don't have admin rights on the computer in my office. So maybe I don't want to trust this computer entirely. But if I'm walking back and forth with my USB key most days, the major threat is me leaving the key sitting on the bus seat or something like that, not information being stolen while I'm on the work computer.

It's not like just because you don't control a computer you don't trust it at all, or that just because something is in a TrueCrypt volume it's extremely sensitive.

Re:Local admin rights on Windows

[Atti+K.]

For instance, I don't have admin rights on the computer in my office. So maybe I don't want to trust this computer entirely.

I do have admin rights to my computer at the office, but I don't trust it 100%. Why? Because any network admin in the company also has admin rights on it. And of course it was not installed by me, and runs some of their custom stuff...

Re:Local admin rights on Windows

[subreality]

I'm not the OP, but this is being sillily unreasonable.

Not necessarily. Do you consider your data safe in the hands of everyone who has admin rights to the machine? Do they keep the machine patched and secured to a level appropriate for your secrets?

The answers to these questions depend on your threat model.

Re:Local admin rights on Windows

[khellendros1984]

The whole point of encryption is to make the algorithms as well-known as possible. After all, *anyone* can create encryption strong enough that they don't know how to break it. What you want is to have the smartest possible people looking at your code, to make sure someone above you hasn't found something sneaky that you didn't think of.

Only works if it's default install

[TheLink]

All this crypto stuff only works well if it's part of the default install and config.

Otherwise users get exposed to "rubberhose cryptography".

Basically if all users even Joe Sixpack get an encrypted partition by default, then people using crypto will be safe - they have plausible deniability.

Re:Only works if it's default install

[TheLink]

Get a clue.

Does Joe Sixpack's computer come with Truecrypt? Does it come with a truecrypt container preinstalled?

The answer is NO.

So if the wrong people find Truecrypt on your computer guess what happens to you. If you say "Nothing" well: "Wrong answer!". They may give up after a few days of giving you the treatment, but it still means you get the treatment.

Whereas if everybody had truecrypt AND an encrypted partition, they could a) try to waterboard everyone, b) wait till they have more evidence.

And that is why I reported this bug/feature request: https://bugs.launchpad.net/ubuntu/+bug/148440

Encryption must appear to be in _use_ by default by all users, then you get safety in numbers. When even your grandma using Ubuntu has a crypto partition, things are better for the people actually using it.

Re:Only works if it's default install

[|DeN|niS]

Stop being an idiot and read up on it. You can *not* tell. And it certainly does not show up as free space. You can *not* prove OR disprove the existence of another hidden partition. Period. "Trained to look for it", oh please.

Re:Only works if it's default install

[auric_dude]

I followed this back to the Ubuntu bug report 148440 and see that a comment has been added https://bugs.launchpad.net/ubuntu/+bug/148440/comments/4 that I think says it all.

Re:Only works if it's default install

[Minwee]

I have no hidden volume. I use truecrypt as a simple and easy way to keep my clients personal data secure.

No, I'm quite positive that you do have a hidden volume. It's where you're storing all of your terrorist secrets, and unless you reveal the password then this ballpeen hammer has a date with your fingers.

Still don't want to talk? Maybe you just need a little more electricity.

We'll stop when you are able to prove to the nice men who are protecting your country that you _don't_ have a hidden encrypted partition, and then they will let you go.

Re:Only works if it's default install

[vux984]

Unless it has a password that will *securely* wipe the hidden volume when entered, then it only has an illusion of a defence against that which is in reality no more than another example of security by obscurity.

Worse thant that, anyone with half a clue will be working on a clone of the original drive. No point in needlessly potentially damaging evidence. So if your dealing with someone competent, and who has time on their hands to do things right, a secure erase panic password will buy you nothing.

Re:Only works if it's default install

[TheLink]

Just change 1) in the original bug report from:

" Have crypto tools installed by default (if the user does not select the "use of encryption is illegal in my country" checkbox)."

to

" Have crypto tools installed by default (if the user does not select the "don't install encryption" checkbox)."

If the UK courts are going to jail your grandma just because she has an Ubuntu install with a container she has no key too, then I think grandma is living in the wrong country - in the old days the UK courts had the "Reasonable Man" thing, maybe now things have changed.

I see it more as a bug in the UK law than a bug in my proposal.

Re:Only works if it's default install

[eht]

Simple reason why I had seeks to an area that looks empty, it's because I *used* to have files there before I deleted them, then since I'm savvy enough to use Truecrypt, I ran one of those wipe programs that overwrites it with garbage, hence what you see if you look at the drive forensically, garbage.

I came up with that in the time it took to read your post.

Sad

[ebonum]

It's sad. I often travel between the US and China on business ( I live on the China side ). I've always been careful with sensitive data, but now I'm absolutely fascist. Why? I have no fear of the Chinese government. Besides, I work for a Chinese company. I fear my own country illegally accessing files to which they have absolutely no rights whatsoever.

Honestly. If someone works for the US government, pulls some CEO's laptop at the boarder for "inspection" and gets free access to all the company financials, would they do the right thing? How many semi-intelligent people wouldn't be tempted to start buying stock options or call their best friend with a really good "tip"? Even if they SEC investigated, they would never find the link.

Over the last several years, I've always been treated very respectfully inside China and going to and from. It is in the US, my own country, where I'm treated as if I'm already guilty.

Back to the topic at hand. TrueCrypt is a wonderful product. Everyone should be using it.

Re:Sad

[Gulthek]

If next time you enter China the border officers did decide they are going to take your laptop away, what could you do about it?

What could you do if your laptop gets taken at the US border? File a complaint? Woot.

Chiming in with the GP here, I feel much safer and much better treated going into China than going into the US. There I am treated as though I am an actual person, here I am treated as though I am an annoyance.

If DHS gets their way, we'll be treated worse than that. DHS wants to require all airline passengers to wear a taser bracelet

Independence day?

[Atti+K.]

While most of the US was celebrating Independence Day, the true fellow geeks over at TrueCrypt released version 6.0 of TrueCrypt over the long weekend.

That might not be just a coincidence.

Re:Breaking volumes

[Splab]

You know, if law enforcement "fucked up your volume" as you so nicely put it, they have just destroyed whatever evidence you where trying to hide. So why would anyone using true crypt have a problem with that?

Re:Breaking volumes

[mrvan]

AFAIK, yes, if you fill the decoy volume it will kill your hidden volume.

which makes you wonder how long it'll be until a tool is developed for law enforcement specifically designed to fuck up these volumes.

They can only do that if they've confiscated your laptop *and* acquired your 'decoy' password. At that point, your only concerns are they not getting your data and you being able to deny the data is there in the first place.

Somebody deleting all your sensitive files is not a bad thing to happen at that point.

It's not a silver bullet but it's good enough...

[mrboyd]

I have started using TrueCrypt a few months back after my laptop got stolen. I keep two encrypted files on my laptop, one contains my personal stuff like passport scan, bank information etc. and the other the work related important documents such as internal&confidential documents, client information etc. I have buried those files in the system folder and given them name that could pass for system temp files.

I keep a copy of both on a USB key drive and on an external hard drive which never leave my home. As well as a non-encrypted copy because I'm still wondering what happens to that encrypted file if I happen to have a fucked up cluster on the drive at some point.

The rational for using encryption is not that I am afraid of the local authorities, there is nothing on my computer that would cause me any long lasting trouble, despite the fact that I live and work in a limited freedom area (Middle East), but simply to avoid opportunity theft.

For example I can't recall how many time one of my clients or partner handed me a usb key drive containing all his companies financial statement, bank account number, internal price list with profit margin, internal memo, personal info and the wifey's naked picture so that I could copy them a few documents and then forgot about the keydrive because we kept chatting.

Sometime I too need to get some files from them and I don't want to look like I'm watching them while they dig around my keydrive. I now know that everything a casual observer should not see is encrypted so I don't mind throwing my key drive over the table to someone I don't know.

I don't understand the paranoid people here who believes in plausible deniability, decoy drive and other such thing. I also wonder if the same people only use their computers in safe room with controlled EM environment and bullet proof shade.
I didn't know either that so many people carried state secrets around international airports. To those I will say that if the NSA/FSB/Interpol/MI4/Mossad/Mafia or even the local police wants the content of your drive they will get it. period. It doesn't matter what you do. Unless of course you also work for one of the aforementioned in which case you might have been trained to accept that your life is worth less than the content of said drive.

I have never been subjected to physical or psychological torture (aside from clients and some ex-gf of course) but I am not Jack Bauer and I would "come clean" very quickly. I would give the real password, not the decoy, because I believe consequences would certainly worsen my situation if my interrogators were not convinced.

I am also pretty sure that the simple sentence: "The accused has so far always refused to give his encrypted drive password." would certainly help convincing a jury beyond "reasonable doubt" (In countries where such thing even exists).
Some people here should start to seriously look at themselves and wonder if what they are trying to hide is really worth it or if it's just about mommy not finding their downloadable girlfriend picture collection.

Who said it's torture-proof?

[argent]

If you have to worry about it being torture-proof, you're almost certainly dead anyway.

All it needs to be, for most people, is audit-proof.

And for that you need a business case for having it. Porn is probably not a good choice.

Multi-core support

[technienerd]

No one seems to be commenting about the new features of this release but simply on TrueCrypt in general. Am I the only one excited about the multi-core/processor support? Finally a piece of systems level software that scales with the number of cores! Makes getting a multi-core processor all the more worthwhile.

An open letter to all the paranoid freaks...

[jockeys]

Dear paranoid freaks,
if you are so concerned about getting captured and tortured for normal/hidden/hidden(hidden)/hidden(hidden(hidden)))/ad naseum passphrases, then quit having digital copies of your stuff in the first place.

99% of the TrueCrypt userbase is just fine using it on jump drives to keep stuff secure from the guy who finds it when you lose it on the train/plane/whatever.

Quit making up impossible "movie scenarios" (there, I used a Schneierism, you HAVE to respect me now!) about how gov't agents are going to come in black helicopters for your fetish vids and the 200 page backstory you wrote for a character you rolled in middle school. No one cares.

Yours truly,
-Reality.

Re:That might betray the presence of a hidden volu

[PRMan]

Since I didn't understand anything you just said, and I'm a C# Programmer who has Ubuntu installed on a few machines, I highly doubt the $10/hour lunk at the airport is going to notice...