truecrypt , ssds, and external drives

so ive been researching for quite awhile now , and need some protips from some veteran truecrypt users here

got all my crucial data thats nobody's buisness on my externals , only thing on my ssd is the OS , so anybody got some advice id appreciate it

p.s: ive got a crucial c300 256gb ssd for my os, heard about trim not working etc etc...

 

The Truecrypt documentation at http://www.truecrypt.org/docs/ indicates that it does function with SSD's and supports Trim and Wear-Leveling.

That being said there are some documented issues with respect to data leakage and Trim in general. Along with an increased attack surface (replicated sectors) by implementing wear leveling. Both of these negatively impact the overall security of Truecrypt on an SSD, due to current faults with SSDs. Does this mean having encryption on SSDs isn't worth it? Of course not, I believe your Truecrpyt SSD could defeat most adversaries. An attacker would need serious reverse engineering capabilities to take advantage of those weaknesses. In my own personal experience though it is best practice to make sure you encrypt an SSD drive prior to putting any sensitive or personal information on it, especially if it utilizes wear-leveling as there is no guarantee that the unencrypted information is fully encrypted reliably on such a drive or that information remains for an attacker to analyze.

 

well all my sensitive data is on my external mechanical hdds as ive said so yeah , there you have it , more feedback on my question would be appreciated thanks

p.s : and what about performance hits?

 

Yes there would be performance hits, it would vary on the type of encryption algorithm, you decide to use. (Or supports) You would need to benchmark the different types in truecrypt prior to performing the encryption. However honestly you more than likely wouldn’t even be able to notice.

 

any suggestion wich encryption algorithm is the best? heard twofish was boss

p.s: nobody here encrypt theyre external usb drives? -.-'

p.s.s: whats the merits portable vs regular truecrypt, any feedback on that would be awesome as well , thanks alot for all this great comments everyone , and im sure this will help other noobs as well xD

 

They all will do the job. There is no effective cryptanalysis on the full-round version of Blowfish known publicly as of 2011. I personally would suggest using Rijndael, its a fast symmetric algorithm, and proven secure even governments are using it up to 256 keybits. Rijndael was adopted by NIST and became today's current AES. [edit] Let my crypto nerd show a bit and realized I didn't give you a straight answer, use AES

Portable as it sounds allows you to carry and use Truecrypt on a USB device. I personally do not encrypt the entire USB drive and instead stick to containers. The reasoning behind that is portable TC requires some drivers to operate, and if you do not have admin privileges on the machine you are connected to you will not be able to mount the usb stick and decrypt the data.

 

ok aes it shall be then xD you crypto nerd lols xD

and i guess i should install truecrypt on the os then instead of the stick kinda lost me there for sec hmmmm....not fully encrypt my external drives and make containers instead now ? i thought FDE is the best way to go? -.-'

i do have an nicely empty stick here thou if its a good thing xD

p.s: now repeat that in english and where all good xD

p.s.s: it boggles the mind or im just having another half retarded moment, and thanks for all the patience with me yall xD

 

You will need to install truecrypt on your hard drive if you are planning to do FDE. If you want to completely encrypt your USB sticks as well, you can, that being said you can only use them on computers with truecrypt enabled. Otherwise they will not be usable. If you use truecrypt portable you can only mount to it on computers where you have admin rights.

I mentioned containers as an example for an alternative for USB sticks as I can carry my information securely and still use my usb sticks on public machines.

 

its usb external hard drives btw i store my sensitive data on, so do a fde on them too? do you install truecrypt to every drive you encrypt or is it more like installed like any regular program and counts for any truecrypt encrypted drive?

 

My mistake, I thought you were talking about USB sticks. For external drives all you need to do is have them plugged into your main machine to fully encrypt them, you do not have to have truecrypt on them just on your computer.

 

excellent good to know thanks xD, so lets sum this up ey?

1. us FDE on all drives including os drive

2. make new password once finished with tc and fde

3. any future data put on the drives will be auto encrypted

4. no need for a hidden volume within an fde os hdd since all sensitive info is on the externals

5. is it a wise decision to hide my extra sensitive info on my external in a seperate hidden volume within the fde volume?

6.and if i shut off my pc is that enough to lock the drives ? since ive heard about mounting and **** hmmm....

7.

8rofit xD

keep em comments comin and if possible as userfriendly as possible without comprimising security, yeah im a casual guy xD

 

I'll address your questions one at a time below:

Yes you can do FDE on all drives

Not sure about this question, you would have to decrypt and recrpyt your drives if you decide to change passwords around. I'd advise using a strong passphrase.

Yes.

This is a personal preference, you can even have hidden containers as well if you want to hide certain information on your external HDDs.

If you feel someone is going to force you to give up your passphrases then yes it is. If you want assurance in case of theft then no.

One of the weaknesses with FDE is you cannot encrypt the ram. When a drive is unplugged or your machine shut down for a couple of minutes will be enough to say the drives are secure. Unless someone pulls an evil maid attack on you.

Hope that helps

 

ok so hidden container not volume ,for extra sensitive info on externals

then wtf is it ive heard about encrypting the ssd and then changing the password thing on there? due to sectors being stored for trim or something -.-'

thanks for all the info and feedback, nice

read THIS! on password change topic

https://www.wilderssecurity.com/showthread.php?t=308724

p.s: and what about hidden containers being noticeable due to free space used up?

 

While all the precautions, issues, limitations, incompatibilities etc etc regarding NAND-based storage that are listed on the TC-site are all very valid in theory
there is NO KNOWN DOCUMENTATION of ANY of them actually
being a REAL problem ..

Isn't it time that somebody documented an actual problem ??

 

you got my vote

 

use encrypted volumes NOT full disk encryption w truecrypt... NEVER use full disk encryption with truecrypt ever

if seen this app destroy boot records and master keys more times than i can count AND ive seen the rescue disk simply not work at all to boot the system more times than i can count.

make encrypted volumes, use them for browser caches, tmp locations and other misc instead

since this thread is on external drives, format the thing for whatever os you're using and then make a big volume inside instead.

 

i see i guess ill be holding out abit longer till i get some more feedback on this then , anybody else wanna add to this?

p.s: my externals are already ntfs formatted btw and already contain important data

 

curious to know your setup was, as TC is tried and proven. Did you do anything that would corrupt your MBR? Use TC on unsupported devices? Not pointing fingers simply sounds more along the lines of user error than TC.

 

implementation has been done over numerous drives and os's and hardware that are widely supported as truecrypt is specific to the os not the drive.

hit the rescue disk section of their documentation, they outline a wide variety potential of issues w drives getting destroyed, which happens.

 

You're exaggerating the situation. TC itself is very stable and reliable, but yes, anytime you add another layer between the user and his data there are more things that can go wrong. The vast majority of problems are caused by users who don't read the documentation and who either perform inappropriate actions or install/run incompatible software. Bad hardware accounts for the rest.

Experienced TC users can use system encryption and whole drive encryption without problems. Less experienced users should start out with file-hosted volumes and then progress to partition-hosted volumes if needed. ALL users should back up their encrypted data and/or systems.

 

so what about hidden volume within a volume aka hidden os , heard that if you add or remove anything after the creation of a hidden volume itll be noticable and that your not supposed to be connected to the internet while using the hidden os , and so plausible deniability out of the window , and would i do the same for my external hdds? , say theyre stack full of important sensitive info and we all know the court can make you give up your password but if they dont realize you got a hidden volume then they cant make you since they dont notice, feedback as always appreciated,peace

p.s: and how in hell do you guys memorize 3 30+ character passwords wtf? since hidden os uses 3 passwords , my brain hurts just thinking about it exspecially after reading the tutorial over at tc site

 

Are you on the Hak5 forums? Same question was asked there

Hidden OS: Technically: yes, changing data, OVER TIME, can be detected. Real World: Do you routinely give physical access of your hard drive, to other people? It's a sophisticated attack. If it's in your threat model, use a laptop and take it everywhere. Containers are a little different, because a piece of malware can upload the volume (but again, uploading a 4 gig TC container multiple times isn't exactly easy to do without you noticing) for examination. They're in the manual, so they are real threats...but only you can decide if they would be attempted against you. And there are ways to mitigate them.

As far as pass phrases: Find a method that works for you. It takes some work, but once you find a way, it's a thing of beauty I don't worry about decoy OS or outer container passphrases...they're good, but their expendable...the hidden OS is a monster though.

PD

 

shhh your not supposed to tell xD

yeah i just so happen to gather opinions and feedback on more than one forum , need this to be 100% if you digg

p.s: thanks for the useful info it shall help, and find a way that works for me aint exactly helping lols xD ..-.-'

and nobody has replied to what method would be best for my jam-packed with sensitive data external hdds , should i use the same method like hidden os? and should i zero the drive twice before i do that? i have some spare empty externals i could back up to and do it then ...got 1 1tb hdd and 2 2tb hdds they got about each 150-240gb space left

and the spare hdds that are big enough should i have to move the data to them temporarily depending on yalls feedback

 

Yes ..
The real point here is : YOU SAW IT WHILE IT HAPPENED !
It happened as a result of something YOU DID !!
IF you know what you are doing, including the fundamental basic of keeping backups of whatever needs to be backed up, there is no problem .

The TC-documentation, and the program itself, tries to discourage people from creating device- and volume-based TC-volumes .
That's because the TC-developers KNOW that most of the users don't even know the difference between a 'device' and 'volume' ..

 

ummm so i guess fde with hidden volume for my externals too? i got 175-250gb on my external hdds each left the rest is jam packed with sensitive data so some ideas would be welcome