Truecrypt Hidden o/s or Full disk Encryption?

Hi general question really, I hear some wilders on here suggesting FDE (full disk encryption) is the best route always, but can this be done for say your main os if its windows 7 or ubuntu even ?

Or perhaps it is wiser to have a TC hidden o/s and decoy os etc that way you can give up the password to the dummy o/s, and all an adversary would see is some important files but not the real os etc ?


Or perhaps to use both options ! and FDE on a separate drive ?

 

You can write volumes on your post. You have to decide what you are doing/protecting with TrueCrypt encryption. From a purely security standpoint nothing is safer than FDE. Every sector on the drive is encrypted excluding a small bootloader/MBR section on the front of the disk. Windows 7 works fine with TC. You'll have to get your specific answers from someone else here on Linux. I run linux in VM's on a windows host and that runs fine with the host encrypted. That is a far as I go with linux.

Whether of not you use a hidden OS is dependent on your threat model. No person can break open a normal volume/system disk but if forced to do so having a hidden one might save your bacon.

 

Yeah the odds that you'll need to rely on a hidden volume are quite low. It's definitely overkill for the vast majority of people (particularly if you're under legal protection against self-incrimination such as US 5th Amendment or similar statutes that prevent authorities from forcing you to divulge information/open locks.)

FDE is really all almost anyone would really need, and TC is tried and true in that area.

Just go through the documentation and follow every step, and take note of every recommendation...and have a backup of your important data BEFORE messing with your drive.

 

thanks for the suggestions I tend to agree FDE is the way to go, could one do this on there main os drive and somehow still use the password screen loader via a flash drive?

Suppose its tad greedy to want to have best of both methods and better denial ability factor as in not having to show an adversary you are using TC or lock/passport ?

 

Have you thought about just having the password screen show nothing at all? Or make it's display match what your system displays without any OS installed?

 

Can I edit that password screen to show nothing ?

I am not sure, I have never done the hidden os yet, I guess as I suggested before my goal was to have FDE on a hdd with windows on it, yet no password or prompt screen(hoping a pen drive could do this), this way I show no evidence of encryption at all and give me even better plausible deniability factor.

Surprised no mention of this idea, then again does seem tricky if not impossible to do....

 

Yes, you can. If you must enter something to display, just enter some space characters. I would also leave any error dialogs on a bad password entry blank too.

 

thanks just to confirm this again, your suggesting the tc password screen can be edited so it looks like a normal prompt screen or does not exactly say enter password ?

if that can be done that would be awesome....

 

TheCatMan,

Just realize that what you are doing (and its extremely easy to do) is only going to fool a newbie or casual friend. Any forensic adversary will almost immediately know you are using TC by examining the still present bootloader with basic forensic examination tools. That adversary won't be able to break open the encryption if your password is decent, but they will know the drive is TC encrypted. There is a place for hiding the TC splash screen from a spouse, friend, etc... so what you are wanting to do makes perfect privacy sense. Its just not security its privacy and nothing more!

 

Palancar makes some very valid points. This trick will only fool an unsophisticated adversary. But you also have to consider that your most likely adversary will be a burglar. A burglar's motives are typically not to get at your encrypted data at any cost (unless the burglar is employed by a 3-lettered government agency).

If you are going to use this trick, I wouldn't make your boot screen look like a "prompt screen". I would make it look like a "disk error" or "Operating System not found" screen. Or a blank screen if you can't mimic one of these closely.

Also if TC won't do it for you, consider using DiskCryptor. It will definitely let you change the boot prompt screen.

 

good idea thanks, yeah could not load o/s sounds a good idea

 

hi all,

I wasn't aware of the fact that TC prompt screen can be changed to something custom made. as someone mentioned I would just put some dots or something. and no error upon wrong pass inserted, just blank screen with the same dots.

How exactly is it done and can it be done afterwards, cos I've been using TC FDE on my 2 computers for a year already (v7.1a), and I'm very happy with it. I didn't see this mention of this in TC manual.

thanks.

 

TrueCrypt can display a custom message on the normal boot screen or nothing at all. Entering something in the custom text field doesn't hide the normal TC boot screen. I've been using DiskCryptor and Jetico BCVE for so long that I had forgotten how limited TC's boot screen options are.



DiskCryptor, on the other hand, lets you customize everything.



My apologies if any of my prior posts were misleading.

 

thanks think you just made me convert to DiskCryptor

Those options are really impressive!

I understand they wont fool a real a real adversary, so once has to always do as much as possible.

And DiskCryptor is meant to be more better then truecrypt also!

 

Stick with full disk encryption. Unless you are forced to disclose passwords to an adversary, full disk encryption is good enough. A Hidden o/s is trickier to set up and requires two passwords to remember or write down. Too much hassle IMO.

 

Hidden OS install - Create Rescue ISO, move to bootable MicroSD Card - Continue Hidden OS install/cloning - At completion, reinstall Windows to Partition 1 - Don't encrypt.

Power button = TSA friendly decoy OS.

Function x key boots to BIOS (BIOS pass optional)>Boot from MicroSD into Hidden OS.

(If it even gets this far from the neanderthals at checkpoints):

"What's this second partition?"

"Uhhh, I don't know"

"I'm going to hit you with a wrench!"

"Ok, ok, it's a Truecrypt partition. Let me plug in my TC Portable USB and mount it for you...please don't look at the nudie pics of my wife please".

MicroSD can be hidden anywhere...and you don't even have to travel with it - have the Rescue ISO available securely over the network - download and make new MicroSD.

PD

 

PD,

The "nudie" pics of your wife could be in the outer volume and the decoy OS could have TC installed but not be encrypted. This way you could open the outer volume without a flash media. To me that looks more realistic than carrying a flash just to look at "nudie" pics. Especially of your own wife. LOL!!

With the second partition's drive letter removed from Win Ex the agents won't see it and ask anyway. Either way you are covered for the "why" question. I am assuming of course the flash to mount the actual hidden OS is somewhere else for this transaction.

 

No, that's what I meant, kind of. Pics in Outer. I still like not having a trace of TC on the decoy. To me, it prevents any "Oh, I see you use encryption". I guesss it's 6 of one, half dozen of the other, as it's *somewhere* (Decoy or USB Drive) - but you can put it on another MicroSD instead...I'm pretty sure that a MicroSD in your pocket won't trip a metal detector. Then again, nothing says you have to travel with TC Portable either - "Here's what it is, but I forgot my USB drive at home".

But now you have me thinking - maybe burying TC Portable 10 folders deep in System32 would be good too.

I would think if it got that far, you're delayed and getting your stuff imaged anyway

PD

 

PD: its a great idea I like your way of thinking.

I think ill attempt my ubuntu live inram, and then install or run the apps from a pen drive and just leave the system on, provided its a low power unit like mintbox 2 or other

If any adversary wishes to they can attempt a data recover on a system with no hdd, no evidence it was even switched on or evidence of tc or anything for that matter.

May need to create a decent kill switch though Maybe there is a program that if the passport is entered in wrongly the entire pc switches off lol

 

I suggest Truecrypt FDE cause a well-trained computer forensics agent will easily identify the partition structure of a Truecrypt hidden layout.

I do not use Truecrypt nor Jetico for high-level FDE. May like to read my comments at https://www.wilderssecurity.com/showthread.php?p=2191129#post2191129

If you're using Truecrypt (since it's most popular), I recommend prep your hardware so that both HDD and RAM can be easily taken out in case of a raid from your adversary.

 

What do u mean with this? What should i do to prep them? Thank you redcell

 

Nice thread revival, I still like PaulyDefrans scenario, I guess the idea is to show you do not use tc or encryption at all. If they found it installed your hosed, I tried to even rename the tc portable files but it failed and said could not find truecrypt.dll etc

But placing the recovery iso to an sd card and then say leaving it in a digital camera or else where makes it appear normal a usb stick however would have adversary's doing an impression of the 3 stooges.

I do however feel its all a bit too drastic perhaps, why not just make the effort to keep the C drive and main os clean and simple and no evidence of encryption, this way an adversary has nothing ?

Encrypt an entire hdd and perhaps run a portable tc via sd or via online cloud account to open up a 2nd hdd, and even then run virtual machine on it with a copy or linux or windows for all your surfing and torrent distros needs

Not sure if its a good idea.... course an issue that comes up fast is windows logs shows you ran truecrypt or virtualbox/machine....


HungryToLearn:

I guess with if an adversary did raid your home, pulling out the hdd/ram is your "kill switch" but who would have the time to do all of that? if you did manage to pull the hdd out, your encryption is broken so that is good, but ram an adversary maybe able to get hold of the password from it but again very tricky given the nature or ram.

 

Thank u TheCatMan but the only thing i dont get is... if we store our files in the tcc the only way they have to watch them is to broke our password right? So why we should remove hdd/ram? Because we are assuming that they will surely break our password or because they could see our files even without broking it?

 

HungryToLearn:

Yes exactly, the worry is if an adversary can see your pc running in a live state and see what files and what is running and worse yet has full access to your hdd and system.

They could in theory take camera pictures, for evidence and even install software or tools to make an image of the complete hdd or worse plant evidence on you.

Removing the hdd unit, should break the connection and encryption. So once you install it again you would have to enter in the password to access the encrypted files.

They maybe able to break the encryption, if they worked very quick and the ram was still inside the pc and pc still up and running. Its been suggested that passwords or other important files may be held in the RAM itself. Switching off the PC and waiting more then 20 seconds should pretty much wipe all data on the ram itself. This is a very big if and but however and never heard of any cases where it has been done successfully. The same has been suggested regarding the Swap/page file on Windows, which can hold information and data.

All in all removing the ram/hdd is a good kill switch but imo tricky to pull off and in good timing, I prefer the electricity kill switch ie power off the whole pc. One can run an single extension with a power on/off button and just press it. Others on here have suggested more advanced ways involving cameras with sensors, any detection of movement and it could send a command to shut down the pc etc.

 

A forensic guy (if it gets that far - 99% of the time, you'll get a wage slave looking at your stuff. Even Mitnick had clueless guys looking at his stuff in Atlanta) can say "you have a partition of random data", not a TC Hidden OS.

The guru's on the TC forum say that the Hidden partition doesn't look *exactly* like a wiped drive with deep analysis, but that is beyond my knowledge level.

But get this: (I learned this on the TC forum too) What is the best way to "wipe" a drive? Dban? SecureErase? Total WipeOut? Nope, encrypt it with an unknown key! Ok, maybe Total Wipeout for DCO and HPA...but we just wanted to wipe *one* partition.

So - "What's this?"..."Oh, it had sensitive data on it, so I wiped it by encrypting it"..."Ok, open it"..."Can't, I just pounded on the keyboard for the password...don't need to ever get it back, sorry".

Also, if your *that* worried, with today's internet speed, you can just securely download your "working" hard drive image (In the clear compressed in a TC container) once you get to your destination...and travel with a completely open "decoy". You can get Windows down to a few gigs, compressed...so an hour or two download, at most. Sorted. Re-image back the decoy when your about to hit the airport again.

PD