TrueCrypt behavior

Discussion in 'encryption problems' started by MatK, Jan 12, 2016.

  1. MatK

    MatK Registered Member

    Dec 27, 2009
    Hi folks!

    I've been using TC for years now and never had any serious problems with it. Recently I bought a new PC for my studio. I have one whole drive which stores actual files encrypted, OS is on another (non-encrypted) drive. When leaving the studio I always shut the PC off and switch the general fuse off as well. I have a lot of lights and equipment in the studio so just to be safe I always turn the fuse off.
    So, one day I come back to the studio, turn the fuse ON, then power on the PC. The PC powers up, with my encrypted drive mounted..?! I should mention I have TC volume set to NOT store passwords or anything, it asks for a password every time PC starts. So when the volume was mounted on power on it really surprised me, almost scared me. I'm now trying to figure out how/why this has happened.
    The only logical solution that I came to is that PC didn't shut down properly, or went to sleep mode by mistake, and that's why the TC volume remained mounted. But I'm still wondering how could PC remain in sleep mode without ANY power? Doesn't it need a small amount of power to remain in sleep mode? I had the fuse off and wasn't in the studio for 2-3 days.
    Anyhow, this is really bothering me now, I always thought that even if I leave the PC on and someone steals it, as soon as it would lose power it would dismount. Now I'm thinking that if a thief puts PC in sleep mode and removes it, TC volume will remain mounted ?? :(
    I've set TC with everything that I could find: exit when there are no mounted volumes, dismount after user logs off, dismount when entering power saving mode, dismount after no data has been read/written to it for 120 min, wipe cached password on exit, wipe cached password on auto-dismount, ...

    Anyone have any other idea why this has happened and mainly, how to prevent it from happening ever again?

  2. Palancar

    Palancar Registered Member

    Oct 26, 2011
    Just checking one obvious thing that you didn't make clear. Is the PC a desktop OR a laptop? If laptop, any chance it was in standby and not shut off? If a desktop without a UPS on it then there is no power/battery.

    You only have three options. 1. PC has a battery and was on standby not shutdown. 2. Password is saved/cached and was used to auto-mount the volume. 3. You have an adversary that got to your machine. Option 3 is very unlikely for most of us and probably you as well.

    My wager would be on option 2 and if so it's easy to fix. If you wanted a certain quick fix it would be to use a Keyfile on a USB stick. Just combine the keyfile with a password and the volume cannot be mounted without both present. So, no USB containing the keyfile means the volume cannot be mounted --- even by YOU. That means you need to backup and protect the keyfile or you'll lose access to all the data in the volume. Keyfiles can be set to auto "call up" when you go to mount the volume. You can elect to use a password OR just the keyfile. I would recommend a short but decent password too in case the USB gets discovered when you are gone.

    Advantage: when you leave the machine you can dismount the volume and take the USB with you. Then upon return you insert the USB and "auto mount" pretty easily. It's much safer than leaving the machine unattended with a mounted volume, which it sounds like you do. My .02

  3. MatK

    MatK Registered Member

    Dec 27, 2009

    It's a desktop PC, no UPS.

    Password was not cached, I never have it cached. TC never ever mounted itself before, it always asks for a password on start up; the check box for saving the pass to cache was unchecked, that was the first thing that I checked. When I restarted the pc it asked for a password like it always does.

    Option 3 is, like you said, very unlikely and not an option atm.

    The PC is never left unattended and never ever left ON if I'm away for more than an hour.
    I've also googled and PC in sleep mode does need some power, so even if it went to sleep mode instead of shut down, when I turned the fuse off (which I did, 100% sure), it should not wake up, but restart (which should unmount TC if it was left mounted when going to sleep mode).

    I use TC on 4 PCs and a dozen USB keys, for 10 years or something, so I'm not new to it, but something like this has never happened before. Sometimes I put my home PC to sleep mode and when I start it up in the morning all volumes are mounted, that's why my first thought was that it went to sleep mode. But if I remember correctly, it booted up, not woke up (can't be 100% sure, wasn't paying that much attention). Like it should, since the fuse was off.

    I know that option #2 is most likely, but TC was not set up to store the password. Not originally, not after I've checked it again.

    I used to have pass+key combo, but forgot the freaking key too often at home, so I stopped using it :)
    Atm I'm manually unmounting the volume before I shut down the PC.
    I don't have anything important on studio PC, just some work files, but it's still something that concerns me and I would like to find the reason why it happened.. :/
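
Added example, not part of the original thread: one way to check from the System event log whether a power-on was a cold boot or a resume from a low-power state, the point the last post is unsure about. It assumes the studio PC runs Windows 8 or later with PowerShell; the one-week look-back window and the variable names are choices made for this example.

```powershell
# Added example (not from the thread). Assumes Windows 8 or later.
# Lists boot, sleep and resume events so a power-on can be classified
# as a cold boot or a resume. Run from an elevated PowerShell prompt.

$since = (Get-Date).AddDays(-7)   # assumption: look back one week

# Kernel-Boot event 27 carries the boot type as a hex code in its message.
$bootTypes = @{
    '0x0' = 'cold boot after full shutdown'
    '0x1' = 'hybrid boot (Fast Startup)'
    '0x2' = 'resume from hibernation'
}

$filters = @(
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Boot'
       Id = 27; StartTime = $since },
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'
       Id = 42, 107; StartTime = $since }
)

$events = foreach ($f in $filters) {
    # SilentlyContinue: a filter with no matching events is not an error here.
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

$events | Sort-Object TimeCreated | ForEach-Object {
    $e = $_   # keep the event; $_ is rebound inside switch
    $what = switch ($e.Id) {
        42  { 'entering sleep' }
        107 { 'resumed from sleep' }
        27  {
            if ($e.Message -match '0x[0-9A-Fa-f]+' -and
                $bootTypes.ContainsKey($Matches[0])) {
                "boot: $($bootTypes[$Matches[0]])"
            } else {
                'boot: type not recognised'
            }
        }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Event = $what }
} | Format-Table -AutoSize

# Show which sleep states this machine supports (standby, hibernate, ...).
powercfg /a
```

An encrypted volume that is still mounted after a boot type other than `0x0` was carried over in saved system state rather than re-mounted with a password.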