Keyfiles and Truecrypt

Let's say I have a huge amount of keyfiles in a folder and that I used one of these keyfiles together with a password to make an encrypted container in Truecrypt.

Would there be any way to analyze which of the keyfiles I've used for the container? (Without knowing the correct password, of course).

NB: Should probably have written this on the Truecrypt-forums, but I don't have the silly ISP-mail required for doing so.

 

If I remember correctly truecrypt always preserves timestamps of keyfiels since version 4.3a but doing a search of the version 7a PDF document reveals this in the Limitations section:
"Preserving of the timestamp of any file (e.g. a container or keyfile) is not guaranteed to be reliably and securely performed (for example, due to filesystem journals, timestamps of file attributes, or the operating system failing to perform it for various documented and undocumented reasons)"

So if you are using Windows, it may be possible to determine if a keyfile has been recently accessed even if truecrypt tries to preserve the timestamp.

 

I don't think that what you asked for is possible. Without knowing the password for the TrueCrypt volume, it is not possible to find out if one of the keys you have is the one which was used to encrypt a specific container.

 

Are these informations saved on the file-system, or in the "recently accessed"-database on Windows?
Otherwise it would be quite easy to burn the keyfiles to static media like a CD, I guess?

 

In Ubuntu, you can update the access datetime of any file with ...

sudo touch -a filename

You could use a script to touch all of your keyfiles. Be careful, of course. And have backups.

 

The point of the disclaimer in the truecrypt document is that Windows can't be trusted. Undocumented "features" make it impossible for truecrypt to keep keyfile and container access a total secret.
Putting keyfiles on read-only media would eliminate a lot of the risk but not all.
If you have super secret data then do as hierophant suggests and access encrypted data only with LINUX. Run it from Virtualbox for example.

 

In a Windows environment, consider the use of the tool DirDate to modify any aspect of a file’s timestamp.

 

Just to clarify, truecrypt does leave timestamp data of keyfiles untouched. The issue is that Windows may track events associated with file access. This may or may not be a timestamp. For example, there may be some record of truecrypt access of a particular keyfile. Truecrypt can't prevent Windows from creating a file access log if that log is undocumented.

 

In Ubuntu, using keyfiles with TrueCrypt definitely does change the access datetime. I haven't determined how that's happening.