Keyfiles and Truecrypt

Discussion in 'privacy technology' started by raspb3rry, Nov 11, 2010.

Thread Status:
Not open for further replies.
  1. raspb3rry

    raspb3rry Registered Member

    Joined:
    Jun 8, 2010
    Posts:
    37
    Let's say I have a huge amount of keyfiles in a folder and that I used one of these keyfiles together with a password to make an encrypted container in Truecrypt.

    Would there be any way to analyze which of the keyfiles I've used for the container? (Without knowing the correct password, of course).

    NB: Should probably have written this on the Truecrypt-forums, but I don't have the silly ISP-mail required for doing so.
     
  2. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    If I remember correctly, TrueCrypt always preserves timestamps of keyfiles since version 4.3a, but doing a search of the version 7a PDF document reveals this in the Limitations section:
    "Preserving of the timestamp of any file (e.g. a container or keyfile) is not guaranteed to be reliably and securely performed (for example, due to filesystem journals, timestamps of file attributes, or the operating system failing to perform it for various documented and undocumented reasons)"

    So if you are using Windows, it may be possible to determine if a keyfile has been recently accessed even if truecrypt tries to preserve the timestamp.
     
  3. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I don't think that what you asked for is possible. Without knowing the password for the TrueCrypt volume, it is not possible to find out if one of the keys you have is the one which was used to encrypt a specific container.
     
  4. raspb3rry

    raspb3rry Registered Member

    Joined:
    Jun 8, 2010
    Posts:
    37
    Is this information saved on the file system, or in the "recently accessed" database on Windows?
    Otherwise it would be quite easy to burn the keyfiles to static media like a CD, I guess?
     
  5. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    In Ubuntu, you can update the access datetime of any file with ...

    sudo touch -a filename

    You could use a script to touch all of your keyfiles. Be careful, of course. And have backups.
     
  6. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    The point of the disclaimer in the truecrypt document is that Windows can't be trusted. Undocumented "features" make it impossible for truecrypt to keep keyfile and container access a total secret.
    Putting keyfiles on read-only media would eliminate a lot of the risk but not all.
    If you have super secret data then do as hierophant suggests and access encrypted data only with LINUX. Run it from Virtualbox for example.
     
  7. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    In a Windows environment, consider the use of the tool DirDate to modify any aspect of a file’s timestamp.
     
  8. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    Just to clarify, truecrypt does leave timestamp data of keyfiles untouched. The issue is that Windows may track events associated with file access. This may or may not be a timestamp. For example, there may be some record of truecrypt access of a particular keyfile. Truecrypt can't prevent Windows from creating a file access log if that log is undocumented.
     
  9. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    In Ubuntu, using keyfiles with TrueCrypt definitely does change the access datetime. I haven't determined how that's happening.
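
Added example, not part of any post in this thread: a shell sketch of the "script to touch all of your keyfiles" idea from post 5, plus a check for the effect described in post 9, where one keyfile's access time stands out from the rest. The function names and the sample folder are hypothetical, and the script assumes GNU find, stat and touch as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example. Assumes GNU find/stat/touch (as on Ubuntu) and keyfile names
# without newlines. Covers access times only, not journals or OS-level logs.

# Print keyfiles whose access time differs from the most common one in the folder.
atime_outliers() {
    dir=$1
    # Most common atime (epoch seconds) among the regular files in $dir.
    common=$(find "$dir" -maxdepth 1 -type f -exec stat -c '%X' {} + |
             sort | uniq -c | sort -k1,1nr -k2,2n | head -n 1 | awk '{print $2}')
    [ -n "$common" ] || return 0
    find "$dir" -maxdepth 1 -type f -exec stat -c '%X %n' {} + |
        awk -v c="$common" '$1 != c { sub(/^[0-9]+ /, ""); print }' | sort
}

# Give every keyfile the same access time (modification time is left alone).
normalize_atime() {
    dir=$1
    epoch=${2:-$(date +%s)}
    find "$dir" -maxdepth 1 -type f -exec touch -a -d "@$epoch" {} +
}

# Demonstration on a constructed folder of five random keyfiles.
demo() {
    d=$(mktemp -d)
    for i in 1 2 3 4 5; do head -c 64 /dev/urandom > "$d/key$i"; done
    normalize_atime "$d" 1290000000        # all keyfiles look alike
    touch -a -d @1290003600 "$d/key3"      # simulate one keyfile being read later
    echo "stands out: $(atime_outliers "$d")"
    normalize_atime "$d"                   # re-touch everything after use
    echo "outliers after normalizing: $(atime_outliers "$d" | wc -l)"
    rm -rf "$d"
}
demo
```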
     