Flash Drive Full disk encryption?

Discussion in 'privacy technology' started by Noctis, Aug 8, 2014.

Thread Status:
Not open for further replies.
  1. Noctis

    Noctis Registered Member

    Joined:
    Nov 15, 2013
    Posts:
    15
    Hello guys i have a question.

    Considering the version 7.1a of TrueCrypt which should be the last safe version of the software i have this doubt...

    A usb stick flash drive could be considered safe if we use tc for full encryption or is it last safe comparing with a classical hard disk?

    I would like to encrypt some documents on a portable usb flash drive but i wanted know if its useless because a flash drive can be easily decrypted, im not expert so i hope you can help me.

    Moreover, every usb flash drive could be ok or i should choose a model in particular for this purpose?
    Thanks so much for the help
     
  2. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    Good questions.

    In general, there should be no difference in terms of security when encrypting flash memory versus a traditional HDD.

    However, there's another recent thread on Full Disk Encryption (FDE) where I mentioned a couple of caveats...

    So if you need plausible deniability, you'll want to make sure your flash drive doesn't use any wear-leveling mechanisms. But as far as just general security (i.e. having the files unreadable), there is no real difference between files encrypted on SSD/flash drives vs HDDs.

    Outside of wear-leveling, you can just pick a brand based on the price/capacity/quality scale. Price and storage capacity should be obvious. As far as quality, some argue that some brands are more reliable than others. And there's also suggestions that some perform better. Here's one unscientific comparison:

    http://www.zdnet.com/usb-2-0-and-3-0-in-the-real-world-7000023226/

    This obviously doesn't have anything to do with security though.

    The only remaining things you'll need to consider are:

    1) Do you just want to encrypt some files, meaning you just need to supply a password to access specific things, or do you want the whole flash drive encrypted, meaning you have to supply a password to use the drive at all?

    If it's just a few files and you have no need to have the entire drive encrypted, you might just consider using encrypted container(s). (See the TrueCrypt documentation)​

    2) Are you going to need to access this material on a machine that doesn't already have TrueCrypt installed and that you don't have admin rights to?

    If the answer to #2 is yes, you'll need to figure another scheme, because while TC can be used in a portable form (meaning you don't have to install it on the machine), it does require administrator privileges to run. So that's something to keep in mind. One possible solution is AxCrypt, which will encrypt individual files (as opposed to creating encrypted volumes (e.g. file containers or entire partitions/devices) like TrueCrypt).

    The only drawback to keep in mind when dealing with simple file encryption like what is done using AxCrypt, is that to access the files, they have to be temporarily decrypted. This means the possibility of leaving residue on the computer where you're accessing the files; even if the temporary files are overwritten/wiped, it does mean they're temporarily available in plaintext... and if you're modifying them with a program that uses "save-to-tempfile-then-rename" in order to achieve safe saves, then wiping will not get rid of that residue. (TrueCrypt avoids these issues, as it employs OTFE). Also, as mentioned above, if the target system is using an SSD, wear leveling means that the old data will be available.

    I've read Password Safe also has a file encryption feature, but I'm not sure how it works in terms of leaving that residue. KeePass has support for adding file attachments to password records, but I'm not sure what the limitations are on that.​

    3) Something else to be mindful of...

     
    Last edited: Aug 10, 2014
  3. Noctis

    Noctis Registered Member

    Joined:
    Nov 15, 2013
    Posts:
    15
    BlaineFry, first of all thanks for your post, very helpfull : )

    I explain you the situation, this is what i would like to do if its usefull, if you think its gonna be useless please tell me : )

    - I would like to encrypt the whole usb flash drive (so like a full disk encryption) using the tc version 7.1a

    - Once i save my documents on it, i permanently erase them from the pc.

    - Then i create a linux virtual machine on my host

    - I insert the usb flash drive into the pc, i use the password and i open the documents in the guest host (the linux virtual machine)

    - After that i close the virtual machine and i run privazer or cc cleaner on my main host to erase the ram (that could be store the tc password i think)

    - I eject the usb flash drive

    Is this process safe in your opinion or could leave any traces? Moreover how they can decrypt my usb flash drive? Only with brute force attack (in this case i will use a super long pass with symbols, numbers, lecters etc etc) or finding any traces on my main host right? Thats why i wanted use Privazer at the end.

    Thank you for your help
     
  4. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    Yeah I think that should be sufficient, although I'm not positive in regard to using a virtual machine that way. If you used a Live CD, that would definitely ensure against data leaks. In theory a virtual machine would work the same way, but I'm actually not sure if there are any implications as far as the removable media (e.g. flash drives)...because in the end they are still plugged in to a machine that has the original OS running. It's possible there's no implications there, but I honestly just don't know. That's a good question to ask.

    Definitely see the section on Security Requirements and Precautions. Provided the concerns there are acknowledged, and those recommendations are followed, you should be pretty secure.

    As far as decrypting, yes, there are no known viable cryptanalytic attacks on any of the algorithms used by TrueCrypt. (If you asked for a recommendation though, for most situations I'd probably go with Twofish and SHA-512).

    That means the only attacks would be side-channel or brute force. And provided your password is good enough (i.e. not only long enough, but random enough), it will be virtually impossible to brute force. (That is, as stated in Applied Cryptography, the laws of thermodynamics "strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.")

    This is why the math is the strongest link in the security chain. The algorithms available are pretty darn good. The much more economical (and plausible) way to get passed encryption is to engineer a way around it. So you should be safe against actual "cracking," and as long as you make your password strong enough, you also won't have to worry about brute force.

    Definitely read through these two:

    A Really Good Article on How Easy it Is to Crack Passwords

    zxcvbn: realistic password strength estimation

    Of course I personally recommend a password manager like Password Safe or KeePass.
     
  5. Noctis

    Noctis Registered Member

    Joined:
    Nov 15, 2013
    Posts:
    15
    Thanks mate, i really appreciated your advice.

    So in few words IF i understood good...

    Its better i download and i burn a linux live cd?

    Then i make my pc boot from it

    But then i have this doubt...i should install true crypt on linux to be able to access to my usb flash drive fully encrypted or not?

    After i opened my documents on the linux live cd and i finish. Should i run any program like privazer or cc cleaner on the linux live cd or its not necessary cause it doesnt store anything?

    Last question could u advice me any good usb flash drive model that you think its safe for this purpose? Thanks so much
     
  6. Noctis

    Noctis Registered Member

    Joined:
    Nov 15, 2013
    Posts:
    15
    And yes i perfectly know what you mean, i think too that there could be any leaks in my main host, but i thinked i coulded remove them using privazer or cc cleaner, what do you think? Thanks again
     
  7. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    You'd either need to have it installed on the live CD, or just run the portable mode with admin rights.

    But it doesn't have to be a Linux CD. There are Windows and OS X ones as well...

    https://en.wikipedia.org/wiki/List_of_live_CDs

    http://lifehacker.com/5157811/five-best-live-cds


    Correct, there isn't going to be any static data for you to erase because with a live CD any data written to the system volume is written to a RAM disk.

    However, it's possible for unencrypted information to remain in RAM (again see the Precautions section on Unencrypted Data in RAM).

    So as that box area says:

    ...after each session in which you work with a TrueCrypt volume or in which an encrypted operating system is running, you must shut down (or, if the hibernation file is encrypted, hibernate) the computer and then leave it powered off for at least several minutes (the longer, the better) before turning it on again. This is required to clear the RAM (see also the section Hibernation File).

    It's possible some of those programs like Privazer might claim to clear RAM, but you're safer just powering off the machine.


    I'm not as familiar with Privazer, but as far as I know none of those kind of programs claim to be able to clear all possible data leaks. I've never heard of any program wiping all of the potential sources of data leak mentioned in the Precautions section. You can turn off hibernation (which would eliminate the hibernation file) and disable memory dump data, but there'd still be the paging file at least, if not more potential areas of leak.

    This is why if you're not on a machine that has the system partition (or drive) encrypted, you're best off booting from a live CD.


    Good question. I don't really have any off the top of my head. SanDisk seems to make good quality flash products, in terms of both performance and durability. But read in a forum that all of their flash products contain wear-leveling. (Keep in mind that doesn't mean it's true, but it probably is.) I think it's the same with Corsair. I'm actually not aware of any flash drives that don't use wear leveling. (That doesn't mean they don't exist, I just don't know how numerous they might be or which ones.) The easiest thing might be to call various manufacturers and just ask.

    https://en.wikipedia.org/wiki/Wear_leveling#Types

    But you only need a device that doesn't have wear leveling if you need plausible deniability. If you don't need that, just follow the instructions from the documentation.

    To be honest, the wear-leveling threat is a low risk one for most situations. You would need to have higher-level adversaries for that to pose an issue. For most people, it should not be a problem, especially if you don't need plausible deniability.
     
    Last edited: Aug 10, 2014
  8. Noctis

    Noctis Registered Member

    Joined:
    Nov 15, 2013
    Posts:
    15
    Ooooook here we go : ) Thank you, im learning a lot with your help


    Thank you, im trying to choose between those 2 livecd, Ubuntu and Backtrack. I think Backtrack is the most safe but i know better Ubuntu, and i think its pretty good too.
    The problem is how can i install truecrypt 7.1a on ubuntu every time... maybe its better i save the installer on a usb. So everytime i install it from there.


    On this purpose, sorry for the stupid question but... i should just switch off my power strip or i must take off the plug of my psu? Take notice that my main host is Windows 8 and it has hibernation mode always on to boot up quicker i read.




    Mmmm it seems to be very tricky to call the manufactures etc, I read that this issue regards ssd and flash drives so at this point what do you think if i buy and i fully encrypt an external hard drive? It would be safer for this purpose since it doesnt have the wear leveling... i hope... or i am wrong?
     
  9. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    As I said before, you don't have to install it. You can run it in portable mode. See the documentation:

    http://andryou.com/truecrypt/docs/truecrypt-portable.php

    https://superuser.com/questions/615481/how-to-create-a-cross-platform-traveler-disk-with-truecrypt


    Switching off the power strip would have the same effect as taking out the plug on the machine. You're just cutting the flow of electricity at a different location along the chain.

    The bottom line is, to clear the RAM you need to ensure the machine does not have any power (the longer the better). This means if the machine has battery power of any kind, you need to cut that too. NO power of any kind.

    And if you're booting to a live CD, your Windows 8 with hibernation is NOT going to be running. Booting into an OS literally means the initialization of a computer system. So your host OS on the machine is irrelevant. You're not going to be using it. That's the whole point of the live CD.


    I'm not sure what you mean by "tricky" to call manufacturers. They all have customer support numbers.

    Yes, a HDD is not going to include wear-leveling, so you wouldn't have to worry about it there, but as I said before, the wear-leveling threat is a low risk one for most situations. You would need to have higher-level adversaries for that to pose an issue. For most people, it should not be a problem, especially if you don't need plausible deniability.

    Unless you have some seriously tech-savvy people with pretty good resources and know-how after you, a flash drive should be fine.
     
  10. Noctis

    Noctis Registered Member

    Joined:
    Nov 15, 2013
    Posts:
    15
    Thanks BlaineFry, now i read the link, ill try to run in on portable mode, just in case i wont able to do that i downloaded from there: cyberside.planet.ee/truecrypt/ the version 7.1a of trucrypt for Ubuntu, just hope this site is trustwhorty... anyway i thinked to putted it on a usbflash drive, then when i will run Ubuntu from the livecd i will first block the internet connection, then i will install it from the usb. I think its a pretty quick way. You think its ok?



    About windows 8 and the switchoff of the powerstrip thanks so much, now i understood better.



    I decided to buy a little external hard drive, it works the same way as a usb and it doesnt have the problem of the wear leveling so its perfect : )


    About the high level adversaries i dont have, but i just like overkill setups, its a personal preference, thanks a lot for your help Fry i really appreciated it. I have just a last question.

    If i do full disk encryption of my external hard drive im able to use the hidden containers or not?
    I ask because i never did a full disk encryption i only encrypted containers and there was the possibility to create a main one and an hidden one, for plausible deniability you know, is it possible with a FDE? Would you advise me to do it? Thanks so much
     
  11. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    ? Where did you even get that site from? Why did you not just get it from one of the reliable links I gave you?

    http://truecrypt.ch/

    https://github.com/DrWhax/truecrypt-archive

    https://www.grc.com/misc/truecrypt/truecrypt.htm


    Once again, you're not "installing" anything. You'll boot from the live CD, then just run TrueCrypt in portable mode from a flash drive.


    You can create hidden volumes in any of the encryption modes. (You can check out a quick description of them here.) Obviously, you will not be using "System encryption."

    I would recommend you go through the Tutorial in the TC documentation...

    http://andryou.com/truecrypt/docs/tutorial.php

    To encrypt the entire device (instead of just a partition on it) you have to remove any partitions on the device. You can use a free tool like Partition Wizard to do this. (If you're interested, here is a thread on partition encryption vs. device encryption.)

    After that, when you run TrueCrypt, in Step 3 of the Tutorial linked above, you select the second option. Later in the prompts, select to "Encrypt entire device."

    BEFORE DOING ANY OF THIS...

    1) You need to have a BACKUP of your data. Never mess with encryption (especially as a beginner) without having a backup of your data in some other location.

    2) Read through this list of common mistakes.

    3) I cannot stress this enough: Backup the data. It's fine if you want to have your backup encrypted as well. But always have it. What you might do is remove any partitions on the HDD you bought, set up device encryption. Then COPY your data to that encrypted device. Dismount it, shut it down, and start up again and mount it and make sure you can access it. Then go about encrypting the source. If you need to get another HDD and do the same process, so you have two separate HDDs with the same data, that'll work.

    4) You can read about my process here:

    Backing up data, keeping it private
     
  12. Noctis

    Noctis Registered Member

    Joined:
    Nov 15, 2013
    Posts:
    15
    Hi BlainFry thank you again and sorry for the patience...

    About the link i posted before, i found it trough one of your links. Iv been on https://github.com/DrWhax/truecrypt-archive/blob/master/TrueCrypt 7.1a Source.zip and this page linked to: http://cyberside.net.ee/truecrypt/.
    Anyway i downloaded again the "truecrypt-7.1a-linux-x86.tar.gz" from http://truecrypt.ch/ just to be more safe.


    About your second statement... then is this the correct procedure to do?
    1) I put the file "truecrypt-7.1a-linux-x86.tar.gz" on a usb flash drive.
    2) I boot my pc from Ubuntu live cd
    3) I insert the usb flash drive and i click on that file ("truecrypt-7.1a-linux-x86.tar.gz")
    4) I plugin in the other usb port my external hard drive

    If i wrong any passage could you correct me pls with the right passages? Thanks a lot


    About the backup thanks so much for the advice but i was planning to buy a new external hard drive for the fde so there wont be nothing to back up i think

    Thanks so much again for the help
     
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    Hi Noctis,

    Have you thought about separating the encryption of the documents you want to put onto a USB versus the notion your thread seems to be following i.e. encrypting the USB device? Once you encrypt a document, then no matter where you put it, it remains encrypted until you decrypt it - in a presumably secure environment.

    -- Tom
     
  14. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    That might work, but you may run into an issue when trying to run TC from the flash drive. You may need to at least extract it and put the resulting files on the flash drive instead.

    If it gives you problems, see these:

    http://www.hecticgeek.com/2011/12/best-encryption-software/

    http://askubuntu.com/questions/153656/how-do-i-run-an-executable-truecrypt-file-from-a-pendrive

    http://www.linuxquestions.org/questions/linux-software-2/portable-truecrypt-linux-904837/

    http://mygeekopinions.blogspot.com/2011/06/install-truecrypt-in-ubuntu-1104-natty.html


    I don't know what you mean by this: "nothing to back up". You are going to have data on an encrypted USB drive. What I am saying is that that data needs to be on some OTHER drive too. That's what a "backup" is. You originally said that once you put the data on the USB drive, you were going to wipe it from the source drive. That's fine, so long as it's stored SOMEWHERE in addition to the USB drive you are encrypting. As I said, you can get a second USB drive and encrypt that too, and keep a copy of the data on that second drive.[/QUOTE]
     
  15. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    As you can see I recommended considering using encrypted containers multiple times, but he said he wants the whole drive encrypted.
     
  16. Noctis

    Noctis Registered Member

    Joined:
    Nov 15, 2013
    Posts:
    15
    Hi Tom thanks for your answer, yes like BlaineFry stated above i prefered to encrypt the whole drive, i read its the most safe possibility of all so id like to go for it.


    Thanks for the links Blaine Fry im gonna read them all, hope it wont give me any issue if i extract the "truecrypt-7.1a-linux-x86.tar.gz" on the flash drive itself like you said, im gonna test it soon before buying the external hd, if all will works ill go to buy it.


    About the backup yes now i get what u mean, u right its better i buy a second small external hard drive for the backup of the documents.
     
  17. Noctis

    Noctis Registered Member

    Joined:
    Nov 15, 2013
    Posts:
    15
    I think i found out the best possible solution, id like to share with all the forum, A customized ubuntu live cd with tc included and many other safe features.
    This is the link and the features of the last version (05/07/14): https://www.privacy-cd.org/

    What you think guys?




    New Features and Changes in UPR 12.04r1

    * Updated base system to Ubuntu 12.04.4, using Kernel 3.8 and X.Org 7.7. Runs on nearly all modern hardware.
    * Boots on UEFI machines, including Secure Boot
    * Furthermore, other than included in Ubuntu 12.04, newer Versions of LibreOffice (4.2), Scribus (1.4.2) and GIMP (2.:cool:
    * New software packages: Texmaker fronted for LaTeX, PiTiVi & Ariste for video editing, Inkscape vector graphics program
    * Updated printer drivers
    * Uses GNOME Classic for maximum compatibility with older hardware
    * Bug fixes and minor new features in the frontends for TrueCrypt and GnuPG
    * New security feature: RAM wiping at shutdown - prevents so-called "Cold Boot Attacks"
     
  18. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    Yes it looks like UPR already includes TrueCrypt, so you probably won't even have to mess with the flash drive and portable mode.

    For the record though, there isn't really anything "safer" or "more secure" about encrypting an entire USB drive vs. making encrypted containers and storing them on the drive, as far as cryptography goes. It's not like someone would have an easier time cracking a container as opposed to a full device. The encryption is the same.
     
  19. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Actually, it is less safe to simply use TC containers on a flash drive. If those containers are decrypted on said drive, they will leave deleted files on the drive that could be recovered. If the drive is fully encrypted, that is not an issue. A hardware encrypted flash drive (with TC as well if desired) is clearly a "safer" method.
     
  20. Noctis

    Noctis Registered Member

    Joined:
    Nov 15, 2013
    Posts:
    15
    Hi Lockbox, i read this somewhere too, everyone always advise for fde instead of simple tc container.
    Moreover if i understood good, if an adversary get a fully encrypted hd it will looks like an hard drive totally wiped and you can say that you formatted it using eraser or privazer or ccleaner or tools like that.
    If you have encrypted containers they can see them and if you live in some country like in uk for example you could be forced to reveal your password.
    Did i understood good? I read all of this on this and other forums
     
  21. Noctis

    Noctis Registered Member

    Joined:
    Nov 15, 2013
    Posts:
    15
    I have also an important question guys since im not expert in this field.

    When i will fully encrypt my external hd with tc it will ask me to choose between Fat or NTFS...

    Since im gonna use this external hd on os like windows and Ubuntu (the UPR live cd has Ubuntu 12.04.4 with Kernel 3.8 if i read good) which should i choose? Fat or NTFS? If i choose Fat i cant store files which are bigger than 1gb?

    And last question, apart from true crypt... when i will go to buy my new external hd which one should i choose? I read that external hard disk with NTFS can ONLY be read on Linux but i cant modify nothing... so i should always choose a FAT hd?

    Please help me to understand better this, thank you so much
     
  22. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    I'm not sure I understand. You're suggesting that one type of encrypted volume is not as secure as another, because you might remove the encryption and leave files exposed? Obviously if you decrypt something it's not as secure as something that is not decrypted. We're not talking about decrypted things versus encrypted things. My statement assumes you're not removing the encryption.

    Obviously if you're decrypting stuff, we could make the exact same argument against your "safer" method: "Actually, it is less safe to simply use FDE on a flash drive. If the device is decrypted, the contents (and the deleted files) will be on the drive and could be recovered."

    The second part of that statement is not support for the first.

    You'll also notice I said it wasn't safer as far as the cryptography goes...as in "It's not like someone would have an easier time cracking a container as opposed to a full device. The encryption is the same."

    Noctis seemed concerned that containers would for some reason be easier to crack than other volumes. That isn't the case. And "decrypting a container, thus leaving traces of files on a drive" has nothing to do with the strength of the encryption.

    Also, where flash drives are concerned, as we already covered in this thread, thanks to wear-leveling, plausible deniability is put at risk regardless of whether you encrypt the full device or just use containers.
     
  23. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    Well here you're talking about plausible deniability, which I've been bringing up throughout this whole thread. If you need plausible deniability, there are many specific precautions you need to take and things you need to be aware of. You have never expressed any interest or need for this before now.


    Yes you can choose. Again this is covered in the documentation. Once again I must strongly encourage you to read it. As far as advantages and disadvantages to each, you can easily find this all over the web:

    http://www.theeldergeek.com/ntfs_or_fat32_file_system.htm

    https://www.microsoft.com/resources...n-us/choosing_between_ntfs_fat_and_fat32.mspx

    http://www.pcmag.com/article2/0,2817,2421454,00.asp
     
  24. Noctis

    Noctis Registered Member

    Joined:
    Nov 15, 2013
    Posts:
    15
    Thank you BlaineFry i read it and i choosed the best option for me.
    And you right i didnt express specific need about plausible deniability but since i stated that i woulded like an overkill setup (or better saying a setup with the less possibilities of exploits) i think the full disk encryption is way better than a simple tc container (besides the fact that you are right when you say that the encryption is the same between fde and containers).

    Anyway thanks again to all of you for your help and i hope this topic could help other users too
     
  25. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Decide on an identity already.
     
Loading...
Thread Status:
Not open for further replies.