Hardware Tokens and TrueCrypt

Just wondering if any one is using a hardware token with truecrypt? I use keyfiles but in theory one of these should be more secure. I'm looking at either getting a USB token or smart card. Do you think they are better then keyfiles? If so what are you guys using?

 

Depends on the use, if for home use I'd say a keyfile would probably be sufficient stored on an USB. Reason being the extra overhead of a smartcard, plus its reader, plus its authentication source. If this is for a corporate environment, yes I can see how a token or smartcard would be a better rollout. I've personally never used TC in this manner, but it does support such a feat as long as the token or card complies with the PKCS #11 (2.0 or later) standard [23] and additionally allows the user to store a file (data object) on said token/card. I see no reason why TC can’t be made to mend with your current PKI infrastructure.

Most of what I use in terms of PKI is all built in house, that being said I’ve seen most environments that use RSA’s devices. Though from the breach that hit them last year it is up to you if you trust them.

Here are some alternatives to RSA you can check out though I cannot vet for personally:
CA Arcot ID
Ironkey
CryptoCard
Vasco DIGIPASS GO
SecureAuth (not for personal use)

 

By the way, a few days ago I came across an open source software that allows to turn a regular USB flash drive into a Token.

What do you folks think of such thing?

 

I use the Yubikey. It works great and gives excellent security.

 

@EncryptedBytes

Thanks for that! I will have to look it over.


@MoonBlood

Any links? Sounds interesting.



@silver0066

I actually have two yubikeys for personal use. Sadly the don't support this. So i have two options:

1) Use it in static mode by itself (weaker)

2) Use it in static mode + a password I know by hand (stronger).

I use 2 for my laptop with FDE.

Downside is it's still just a password and only "psuedo-twofactor" authentication.

 

Aladdin E-token 72K is probably the most affordable at $20 (on Ebay).
It's PKCS#11 compatible and works with TC.

 

I was actually wondering - why would I want to use a security Token in a home / personal environment, assuming that I already have a very strong password (62 characters, absolutely random and comprised from the whole charset)? Is it because a security Token is immune to keyloggers, or is there some other rational behind it?

 

Something you have, something you know. Is a 64 Char password enough? Almost certainly. But we are 50/50, as far as the courts go, with being compelled to reveal a pass phrase. A key file can disappear in a nanosecond and your diety of choice can't open the container if it's gone. If you create 10,000 text files filled with random data with a tool such as Disk Tools http://www.soft.tahionic.com/download-file-generator/help.html and then encrypt those with GPG or Axcrypt, in bulk with a random pass, you've also just created a whole lot of extra work for someone. A backup key file on a MicroSD card, can be hidden inside or outside, easily, as well. Key Files are just very handy to develop a data security policy around.

PD

 

Sounds good! Luckily I live in a country where there is no problem with revealing the password to the courts - it has never happened here as far as I know, and I read a lot about these kinds of cases.

My current setup is like this: encrypted drive -> encrypted virtual machine -> encrypted container -> second encrypted (hidden) container. VM snapshots are encrypted within yet another container -> second container setup, on my main machine. Each of those 6 containers is protected with a fully random passphrase between 45 and 62 characters (none of the passwords repeat, each one is entirely original). The passwords are not saved anywhere. Do you think that a security token is useful in this case, or is it overkill? My data is very valuable, but it isn't something that any National Security Agencies would come after.

I do have a few pendrives lying around, and I might as well make use of one of them if there is some open source software that allows me to convert that USB pendrive into a TC compatible security token. Do you know of any by chance?

 

Yeah, I was able to find it. -http://sourceforge.net/projects/mysafekey/

I don't know how great it is, as I don't have any spare USB flash drive to use.

I also came across another open source project, but I'm unable to find the link now. I'll see if I can find it again.

On the other hand, I also found this non open source application. It's a paid application. I don't know if you could use it freely with limitations. There's a 15-day trial, though.

-http://www.rohos.com/products/rohos-logon-key/

 

I wonder how these differ from putting SysKey on a USB device?

http://thecustomizewindows.com/2010/12/create-an-usb-key-to-lock-and-unlock-windows-7/

PD

 

Looking at a lot of the links posted in this thread to USB pendrives or software, I get the feeling that they would not work with TrueCrypt - it seems that they do not possess the capability of holding any keyfiles. I might be mistaken though.

 

A plain USB drive works...just put the keyfile on it (if you are talking container or device encryption...system encryption can't use a key file). Just stick the USB drive in, mount the container/device with the 'Use Keyfiles' option, specify the keyfile on your USB, mount, and then pull the USB out.

PD

 

I think it was the Rohos one I read that, if due to some unfortunate event you lose access to your USB key, then there's still a way to access your system. They mention it at their website.

With SysKey, if you lose it, you lose it.

 

Sounds like some here are maybe confused between a pre-authentication security token used for, among other things, authorizing access to a windows computer versus Truecrypt keyfile(s). You can put TC keyfiles on certain tokens for added security with volumes and partitions, but Truecrypt does not support the use of pre-boot, pre-auth tokens with full system encryption.

Maybe this will help:
http://www.truecrypt.org/docs/?s=keyfiles

 

Thanks for that! Sounds interesting. I would use the syskey method mentioned by others though. It's probably the most secure way for windows at least.

Thanks to all for replies sadly there's no multi-quote function which is very annoying. (Can wilders add that please!)

Anyways I can't find anything really good except on ebay which I don't trust that the hardware hasn't been compromised some how. I will stick with plain old keyfiles for now.

 

Nah, just two semi-related topics in one thread

PD