Is it safe to continue using TrueCrypt

Discussion in 'encryption problems' started by Melita, Oct 25, 2016.

  1. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    138
    Location:
    Spain
    OS Windows 7 Home Premium.

    I have a small partition on my HDD, encrypted with TrueCrypt, where I store my sensitive personal data. On the Internet I find two factions - those against using TrueCrypt and those who are in favour of using it. Should I ditch TrueCrypt and find a substitute or should I continue using it?

    Thank you.
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    TrueCrypt has been discontinued, their own webpage describes it nicely.

    https://veracrypt.codeplex.com is basically a continued development of TrueCrypt, you should at least use that or something else as a replacement.
     
  3. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    138
    Location:
    Spain
    Thank you for your reply and the links. I noticed, in this forum and elsewhere, that many people continue to use TrueCrypt. Hence my inquiry here.

    Regards
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    TrueCrypt was at least audited, and if you read the audit report carefully and use it appropriately to your circumstances, and adopt measures which are relevant to any encryption tool, then it remains hard-to-crack encryption.

    With the VeraCrypt audit, that makes that tool much more attractive, but you still need to use good procedures if you want strong encryption.

    As usual, I hope you'll understand my standard warning that, if you're using W7HP, you have other worries apart from the strength of TrueCrypt or not. For example, I am much more concerned with remote threats these days, which are not mitigated by TrueCrypt, VeraCrypt or BitLocker for that matter.
     
  5. 142395

    142395 Guest

    I second deBoetie: when you hear about a vuln in crypt, look carefully at its conditions. If you look carefully at the details, you'll find the vuln in TC is not a serious problem at all. I looked at the VC audit result but not the details (is it available anywhere?). As long as you use a strong password (truly random characters, around 40 chars long), TC is okay (otherwise VC may be better, since TC's PBKDF2 w/ 1000 iterations is weak against brute force). Well, as a rather theoretical problem, if you use the default hash algorithm of RIPEMD-160 and a 256-bit crypt algorithm (AES256, Twofish, Serpent), then more than 160-bit security will not be guaranteed. Although 160 bits is secure enough until quantum computers come to use Shor's algorithm, you may want to change the hash algorithm in TC.
     
  6. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,440
    Location:
    U.S.A.
    FYI. https://ostif.org/the-veracrypt-audit-results/ Scroll down to:
     
  7. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    138
    Location:
    Spain
    Thank you for the replies.

    While reading the other posts in this forum, at the time I started this thread, an idea I had for some time to encrypt my entire Hard Drive, became irresistible. My knowledge of this subject is very elementary but I can do anything on the computer with guidance. I have never made a mistake when instructions were available. I found much information on the following threads, where the importance of avoiding the 'quick format' option, backing up the MBR and the Volume Headers are shown as mandatory requirements for safe encrypting. Of course I had to go on the internet to find the meaning of most of the technical terms!
    https://www.wilderssecurity.com/threads/truecrypt-header-backup.388888/
    https://www.wilderssecurity.com/thre...t-password-on-external-formated-drive.388028/
    https://www.wilderssecurity.com/threads/truecrypt-and-veracrypt-on-same-pc.388059/

    In the past we only had to worry about our love letters getting into the wrong hands. You know what the present situation is, better than me. In the event of a lost or stolen laptop I want to prevent the finder or the thief getting anything out of it.

    I like to do this but I am petrified of getting locked out. Aside from backing up the MBR and the Volume Headers, avoiding 'quick format', is there anything more that I have to know before I encrypt the entire Hard Drive?

    Thank you
     
    Last edited: Oct 26, 2016
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Melita --

    Yes,

    If you want to avoid potential problems down the road do NOT do singular key entire disk encryption. Assuming you are on Windows and using either VC or TC, encrypt the system disk (C drive) separately, and then encrypt the remaining space/partitions with their own volume keys. You can set the password the same so they auto-mount when you enter the PBA password to mount Windows. The pitfalls you can avoid by using this method are plentiful. This means that you will need to back up the volume headers of the other partitions, but those backups are very small and can be done in a few minutes each.

    Consider this a friendly warning/suggestion, which if you heed, you will likely end up thanking me for later.
     
  9. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
  10. guest

    guest Guest

    In this case the user simply forgot to protect the hidden volume:
    More user awareness is needed if volumes are encrypted and/or the user is using hidden volumes.
    Always have a header-backup of all encrypted volumes, a backup of the TrueCrypt/VeraCrypt Rescue-disk. And don't forget to protect the hidden volume if the outer volume is mounted.
     
  11. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    138
    Location:
    Spain
    Thank you all for the replies. Your advice is much valued and I shall certainly follow it. The small encrypted partition that I have was set up for me by a friend. It has personal data that I access infrequently. I simply use the password to open it and never messed with it. So I had no problems. Since I am going to do this now on my own, I printed the User Manual of TrueCrypt and I am trying to learn as much as I can before I do anything. It looks to me like a damn good manual. They don't seem to have left anything to chance. In fact, I saw the section where they warn against doing the very thing that the user you refer to above ("I stupidly copied files in to the outer volume.................."), has done and got messed up. I certainly don't want to be in his boots, where I have to post a message like that :eek:

    Regards
     
  12. 142395

    142395 Guest

  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I know this sounds dumb - and it probably is - but I view the risk of getting locked out of FDE as just another form of disk failure.

    I have to protect against disk failure anyway, so data backup is a critical part of safe operation of facilities. Rather obviously, those backups need to be well protected themselves and you don't want any single points of failure (like forgetting passwords!), and there's the added problem of key/header/keyfile/certificate management in these schemes, but that's an extension of backup anyway.

    So what I do is to run a set of encrypted usb3 hdd for data backup, along with an airgapped encrypted Linux based password management system on a usb3 stick (itself backed up), which stores all the keys and headers and subsidiary passwords. I have a limited hierarchy of remembered long strong passwords, ultimately I just need to remember the one to the password management system.

    PS - reading the manual carefully is an often overlooked precaution, and the TC advice is very pertinent and solid, so well done for becoming familiar with that. The audit reports are also not too intimidating if you read between the lines.
     
  14. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    138
    Location:
    Spain
    I find the 150 pages of the manual quite fascinating. It is written so well that a non technical person like me can understand and appreciate the important things, even if I am not familiar with some of the technical terms. Being a novice I hesitate to say this, but while reading the manual I got the impression that some of the hopeless situations mentioned in certain threads here, could easily have been avoided by doing just that - reading the manual.
     
  15. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402

    Ditto, with bolding and underscores!! The problem is that they come here after the damage is done and then it's too late.
     
  16. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    138
    Location:
    Spain
    I need some help. I encrypted a USB drive and created a hidden volume inside the USB (Entire USB drive is the outer volume). I assumed that I must back up the headers of both volumes. I started to back up the volume headers but aborted after a few steps because I was not sure of what was going on.

    * I understood that both headers (outer and hidden volume) have to be backed up at the same time and not separately. Did I understand correctly?
    * Can I save the header backups to any available destination or is there a preferred location for this? The default destination that opened was Windows system 32 folder.

    Any further advice would be most welcome.

    Thank you
     
  17. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I will answer you but beware that while using that old TC code it is somewhat easy to determine that a hidden volume exists. Not saying I can break into it, only saying someone like me can tell you it's there about 90% of the time. i.e. - it's not hidden anymore!

    When you create a volume header backup TC will produce the exact same size output file regardless of whether or not there is a hidden volume. As you noticed you will be asked IF there is a hidden volume and if so you will need to provide the hidden password as well as the decoy/shell password. After entering those correctly you can then save the file to any location you want. It is NOT the same as the actual header because TC introduces a hash/seed into the volume header backup. When you reverse the process with the correct password it will restore as needed. It's a small size. I will recommend that you also make a backup of the device MBR especially if you are using Windows. An MBR is 512 bytes and will save your A@@ if you ever need it.
     
  18. guest

    guest Guest

    And better copy your backup headers to different places so you'll always have access to them.
    Always prepare for the worst... :)
    For example, if you place the backup headers on C:, you don't have access to the backup headers if your system drive is damaged.
     
  19. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    138
    Location:
    Spain
    This is OK with me.
    Does TC create backups for both outer and hidden volume in one back up file?
    Isn't this for system encryption? I have not done that yet.
     
  20. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    138
    Location:
    Spain
    For each volume, copy the same backup file to different destinations and save them?
     
  21. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    The backup is ONE file for both. Back when TC was coded we wanted to be certain that the hidden volume was just that, so a backup couldn't realistically be saved for ONLY a hidden volume. What would the point of that be?

    Regarding the MBR ----- no, for all devices where an encrypted volume is created. e.g. - You create a 2 TB volume on an external usb drive. Now Windows in its stupid fix everything mode whacks your external drive during an update. It whacks the MBR and most if not all of the TC volume header. Even if you have a TC header backup, now you have to create or rebuild the MBR on the device. Not all software creates an MBR in the exact same fashion. So, how hard is it to save 512 bytes, which contain the entire partition table for the device?
     
  22. guest

    guest Guest

    Yes. The same backup file but different destinations (another hard disc/another partition/usb stick)
    In the case of a lost partition (where you had your backup files stored) or a damaged backup file or whatever reason, you can switch to your "alternate destination" and have access to your backup header.

    And I also recommend to back up the MBR:
     
  23. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    138
    Location:
    Spain
    Volume header backup is done. Did some looking around about MBR backup but I am uncertain. How should I do the MBR backup?
     
    Last edited: Dec 14, 2016
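
An added example, not part of any post in this thread and not TrueCrypt or VeraCrypt code: one way to save the 512-byte MBR discussed above, checking that sector 0 really is an MBR, writing the same copy to several destinations and verifying each one. The function names, the device paths in the comments and the sample partition layout are assumptions made for illustration.

```python
import hashlib
import struct
from pathlib import Path

SECTOR = 512          # the MBR is sector 0 of the device
TABLE_OFFSET = 446    # four 16-byte partition entries, then 0x55 0xAA

def read_mbr(device):
    # `device` is an image file or a raw device path (needs admin/root),
    # e.g. \\.\PhysicalDrive1 on Windows or /dev/sdb on Linux.
    with open(device, "rb") as f:
        mbr = f.read(SECTOR)
    if len(mbr) != SECTOR:
        raise ValueError(f"short read: {len(mbr)} bytes")
    return mbr

def parse_partitions(mbr):
    # Without the boot signature, sector 0 is not an MBR (for example a
    # device with no partition table), so there is nothing valid to save.
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature in sector 0")
    parts = []
    for slot in range(4):
        entry = mbr[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype:  # type 0x00 marks an unused slot; 0xEE means a GPT disk
            parts.append({"slot": slot, "active": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return parts

def backup_mbr(device, destinations):
    # Validate, write the same 512 bytes to every destination, then read
    # each copy back and compare hashes so a bad copy is caught now.
    mbr = read_mbr(device)
    parse_partitions(mbr)
    digest = hashlib.sha256(mbr).hexdigest()
    for dest in destinations:
        Path(dest).write_bytes(mbr)
        if hashlib.sha256(Path(dest).read_bytes()).hexdigest() != digest:
            raise OSError(f"verification failed for {dest}")
    return digest

def sample_mbr():
    # Constructed sample: one active type-0x07 partition starting at LBA 2048.
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return bytes(TABLE_OFFSET) + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    import sys
    print(backup_mbr(sys.argv[1], sys.argv[2:]))
```

Run it with the device first and the backup destinations after it, putting the destinations on different drives as suggested earlier in the thread; the printed SHA-256 lets you confirm later that a copy is still intact.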
  24. The Count

    The Count Registered Member

    Joined:
    Jun 13, 2016
    Posts:
    177
    Location:
    France
    Good procedures like?
     
  25. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Being aware of the vulnerabilities in the audit report and mitigating/avoiding them.
    Long strong password, not duplicated elsewhere
    If keyfile used, ensure it's not obviously guessable
    Spend time on the mouse key generation sequence for the random pool
    Algorithm selection to taste (including multiple algorithms)
    Hash algorithm to taste (some prefer sha256)

    Header backup etc.
    Data backup as usual

    Avoiding KSL to the extent possible - maybe, limit use to airgapped systems or usb bootable OS.
     