Hardware Tokens and TrueCrypt

Discussion in 'privacy technology' started by x942, Mar 23, 2012.

Thread Status:
Not open for further replies.
  1. x942

    x942 Guest

    Just wondering if any one is using a hardware token with truecrypt? I use keyfiles but in theory one of these should be more secure. I'm looking at either getting a USB token or smart card. Do you think they are better then keyfiles? If so what are you guys using?
     
  2. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Depends on the use, if for home use I'd say a keyfile would probably be sufficient stored on an USB. Reason being the extra overhead of a smartcard, plus its reader, plus its authentication source. If this is for a corporate environment, yes I can see how a token or smartcard would be a better rollout. I've personally never used TC in this manner, but it does support such a feat as long as the token or card complies with the PKCS #11 (2.0 or later) standard [23] and additionally allows the user to store a file (data object) on said token/card. I see no reason why TC can’t be made to mend with your current PKI infrastructure.

    Most of what I use in terms of PKI is all built in house, that being said I’ve seen most environments that use RSA’s devices. Though from the breach that hit them last year it is up to you if you trust them.

    Here are some alternatives to RSA you can check out though I cannot vet for personally:
    CA Arcot ID
    Ironkey
    CryptoCard
    Vasco DIGIPASS GO
    SecureAuth (not for personal use)
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, a few days ago I came across an open source software that allows to turn a regular USB flash drive into a Token.

    What do you folks think of such thing?
     
  4. silver0066

    silver0066 Registered Member

    Joined:
    Dec 31, 2004
    Posts:
    929
    I use the Yubikey. It works great and gives excellent security.
     
  5. x942

    x942 Guest

    @EncryptedBytes

    Thanks for that! I will have to look it over.


    @MoonBlood

    Any links? Sounds interesting.



    @silver0066

    I actually have two yubikeys for personal use. Sadly the don't support this. So i have two options:

    1) Use it in static mode by itself (weaker)

    2) Use it in static mode + a password I know by hand (stronger).

    I use 2 for my laptop with FDE.

    Downside is it's still just a password and only "psuedo-twofactor" authentication.
     
  6. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    167
    Location:
    Sweden
    Aladdin E-token 72K is probably the most affordable at $20 (on Ebay).
    It's PKCS#11 compatible and works with TC.
     
  7. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    I was actually wondering - why would I want to use a security Token in a home / personal environment, assuming that I already have a very strong password (62 characters, absolutely random and comprised from the whole charset)? Is it because a security Token is immune to keyloggers, or is there some other rational behind it?
     
  8. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Something you have, something you know. Is a 64 Char password enough? Almost certainly. But we are 50/50, as far as the courts go, with being compelled to reveal a pass phrase. A key file can disappear in a nanosecond and your diety of choice can't open the container if it's gone. If you create 10,000 text files filled with random data with a tool such as Disk Tools http://www.soft.tahionic.com/download-file-generator/help.html and then encrypt those with GPG or Axcrypt, in bulk with a random pass, you've also just created a whole lot of extra work for someone. A backup key file on a MicroSD card, can be hidden inside or outside, easily, as well. Key Files are just very handy to develop a data security policy around.

    PD
     
  9. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Sounds good! Luckily I live in a country where there is no problem with revealing the password to the courts - it has never happened here as far as I know, and I read a lot about these kinds of cases.

    My current setup is like this: encrypted drive -> encrypted virtual machine -> encrypted container -> second encrypted (hidden) container. VM snapshots are encrypted within yet another container -> second container setup, on my main machine. Each of those 6 containers is protected with a fully random passphrase between 45 and 62 characters (none of the passwords repeat, each one is entirely original). The passwords are not saved anywhere. Do you think that a security token is useful in this case, or is it overkill? My data is very valuable, but it isn't something that any National Security Agencies would come after.

    I do have a few pendrives lying around, and I might as well make use of one of them if there is some open source software that allows me to convert that USB pendrive into a TC compatible security token. Do you know of any by chance?
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yeah, I was able to find it. -http://sourceforge.net/projects/mysafekey/

    I don't know how great it is, as I don't have any spare USB flash drive to use.

    I also came across another open source project, but I'm unable to find the link now. I'll see if I can find it again.

    On the other hand, I also found this non open source application. It's a paid application. I don't know if you could use it freely with limitations. There's a 15-day trial, though.

    -http://www.rohos.com/products/rohos-logon-key/
     
  11. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
  12. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Looking at a lot of the links posted in this thread to USB pendrives or software, I get the feeling that they would not work with TrueCrypt - it seems that they do not possess the capability of holding any keyfiles. I might be mistaken though.
     
  13. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    A plain USB drive works...just put the keyfile on it (if you are talking container or device encryption...system encryption can't use a key file). Just stick the USB drive in, mount the container/device with the 'Use Keyfiles' option, specify the keyfile on your USB, mount, and then pull the USB out.

    PD
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  15. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Sounds like some here are maybe confused between a pre-authentication security token used for, among other things, authorizing access to a windows computer versus Truecrypt keyfile(s). You can put TC keyfiles on certain tokens for added security with volumes and partitions, but Truecrypt does not support the use of pre-boot, pre-auth tokens with full system encryption.

    Maybe this will help:
    http://www.truecrypt.org/docs/?s=keyfiles
     
  16. x942

    x942 Guest

    Thanks for that! Sounds interesting. I would use the syskey method mentioned by others though. It's probably the most secure way for windows at least.

    Thanks to all for replies sadly there's no multi-quote function which is very annoying. (Can wilders add that please!)

    Anyways I can't find anything really good except on ebay which I don't trust that the hardware hasn't been compromised some how. I will stick with plain old keyfiles for now.
     
  17. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Nah, just two semi-related topics in one thread :D

    PD
     
Loading...
Thread Status:
Not open for further replies.