TrueCrypt container creation questions

Discussion in 'privacy technology' started by Page42, Dec 22, 2014.

  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    My main reason for wanting to implement drive encryption is to foil any would-be thieves from getting my data. In other words, they might steal my computers, but I will have off-site backups and they won't be able to read what's on my hard drive. That would tend to temper the suckiness of having my stuff stolen. Don't know if that makes any difference or not, but just wanted to begin with that.

    Before beginning with TC for the 1st time, my plan is to create disk images (I run Macrium Reflect), and to have them on hand if I wish to restore an image.

    What I want to do is create a TC container into which I will dump a bunch of folders that I think would be ideal candidates for encryption. Those folders include:

    My Documents
    Desktop
    My Pictures
    Program Files
    Program Files (x86)
    Windows
    AppData

    Those folders comprise about 60GB of data. I am currently using about 25% of my available drive space.

    My questions are:
    1. Do you see any problems with placing those folders in a container?
    2. Is there any reason to create more than one container and spread the above folders over several containers?
    3. Is it simply better to just encrypt the whole disk and be done with it?
    I believe I read that new users can potentially run into more errors when doing full-disk encryption.

    Other random questions that someone might be interested in helping me with...

    Can I use KeePass to open TC containers?

    What special considerations do I need to take (if any) when using Macrium Reflect along with TC?

    Part of me wants to just go do it, and the other part of me says to research the crap out of it before I start messing with encryption. Guess which part is winning? :)
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    One downside about TC containers is that the filesize is determined by the capacity, not by what's stored. So creating a TC container with extra space can waste lots of space. And very large files are unwieldy, slow to move, etc. But not having space for new files is also problematic.

    Better I think would be several smaller containers, perhaps reflecting some classification of your data. That way, you can easily put them on a bunch of USB flash drives.
    I've never had a TC container go bad, and I've used perhaps 100-200 of them over the years. But I have had two TC FDE drives go bad (one flash, one HDD) out of maybe 20 total. And by "go bad" I don't mean that I formatted them or let Windows hose them or whatever.
    Just make sure that you have a simple unencrypted backup that you know for sure is good.
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Really appreciate the response, mirimir.
    Do you have any input for me regarding...
    > Can I use KeePass to open TC containers?
    > What special considerations do I need to take (if any) when using Macrium Reflect along with TC?

    You mentioned several smaller containers being better... to open each container requires inputting a password, right? That could be cumbersome, with several or more containers.
    Which takes me back to the question regarding using a password manager.
    And what about backing up my HD after installing TC? The imaging software can't read what is in the containers, so doesn't that really leave gaping holes in the image?

    Also, I assume that after placing desired folders in a TC container, that it only makes sense then to erase the original files, right?
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I don't know either of those. I remember long passwords mnemonically.
    For what you're doing, it would be easiest to use a keyfile plus a shorter password that you can remember and type quickly. After a while, typing it will become almost automatic. For a keyfile, you pick some file that you'll remember not to edit. Don't use system files, because they can change. And don't use files that get casually overwritten by apps. Simple text files or PNG image files are good.
    Well, the imaging software will just include the TC containers. If you use something like ShadowProtect, you can mount the image, and then decrypt and mount any of the TC containers.
    I'd start by using ShadowProtect or whatever to image the whole disk. Then create a TC container on a backup device, and store a copy of the disk image there. Then repeat that on a second backup device. It's not a good idea to copy TC containers from one backup device to another. There's some security risk. And large TC containers take a long time to copy.

    Once you're confident that you can recover data from the disk images in backup TC containers, you can create TC containers in your live system, and move stuff into them. For example, you might convert each top-level folder in My Documents into a TC container. So then My Documents would just contain links to TC containers.
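    The keyfile advice above (pick a file you will never edit, because a changed keyfile means a container that no longer opens) is easy to get wrong silently. The following is an added example, not mirimir's or TrueCrypt's own code: a small PowerShell script that records SHA-256 hashes of the files you intend to use as keyfiles and, on later runs, reports any that have gone missing or changed. All paths are placeholders.

```powershell
# Added example (not from the post author or TrueCrypt): baseline and re-check
# the files used as TrueCrypt keyfiles so a modified or missing keyfile is
# noticed while the original can still be restored from backup.
# Assumptions: every path below is a placeholder; adjust to your own layout.

$KeyFiles = @(
    'D:\keyfiles\holiday.png',   # placeholder: a PNG you never edit
    'D:\keyfiles\notes.txt'      # placeholder: a plain text file you never edit
)
$Baseline = 'D:\keyfiles\keyfile-baseline.json'   # placeholder: keep a copy with your backups

function New-KeyfileBaseline {
    param([string[]]$Paths, [string]$BaselinePath)
    $records = foreach ($p in $Paths) {
        $item = Get-Item -LiteralPath $p
        [pscustomobject]@{
            Path   = $item.FullName
            Sha256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Length = $item.Length
        }
    }
    # Store as JSON; the hash reveals nothing usable about the keyfile contents.
    $records | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    $records
}

function Test-KeyfileBaseline {
    param([string]$BaselinePath)
    $ok = $true
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    # @() wrapper: a one-entry baseline deserialises as a single object, not an array.
    foreach ($rec in @($baseline)) {
        if (-not (Test-Path -LiteralPath $rec.Path)) {
            Write-Warning "MISSING  $($rec.Path)"
            $ok = $false
            continue
        }
        $hash = (Get-FileHash -LiteralPath $rec.Path -Algorithm SHA256).Hash
        if ($hash -ne $rec.Sha256) {
            Write-Warning "CHANGED  $($rec.Path) (no longer matches the recorded baseline)"
            $ok = $false
        } else {
            Write-Host "OK       $($rec.Path)"
        }
    }
    $ok
}

# First run creates the baseline; later runs verify against it.
if (-not (Test-Path -LiteralPath $Baseline)) {
    New-KeyfileBaseline -Paths $KeyFiles -BaselinePath $Baseline | Format-Table -AutoSize
} elseif (-not (Test-KeyfileBaseline -BaselinePath $Baseline)) {
    Write-Error 'One or more keyfiles differ from the baseline; restore them from backup and confirm the container still mounts.'
}
```

    Keep the baseline file outside the containers it protects (otherwise you cannot read it when the check matters most), and run the check before, not after, you delete the unencrypted originals of anything you move into a container.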
     
  5. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    You should encrypt the entire system-drive.
    I'll say it again: You should encrypt the entire system-drive!
    How are you planning on mounting a file-hosted TC-volume containing windblows-essential data during boot-up, where windblows NEEDS to be able to access those DIRs?
    One of the reasons TrueCrypt even offers 'system-encryption' is so you don't have to mess around with file-hosted containers and deal with the issues arising from placing essential files in one.

    As for 'I've had 2 TC-disks go bad etc etc':
    NO proof is provided that the disks 'going bad' had ANYTHING to do with TrueCrypt.
    I've NEVER had a TC-disk go bad, does that not prove they are even safer than non-encrypted disks?
    No it doesn't, all that is proven is: HDDs WILL go bad at some point, TC or not.

    Regarding backups:
    Read the goddamn TC-manual, it has a lengthy section dealing with that issue -
    And you really should read the goddamn manual, despite its pretty hefty page-count, before using TrueCrypt,
    after all the nature of the program is to deny access to data unless ..
    So, read the damn thing, doing so can/will save you A LOT of headaches :)
    It will also demonstrate to you why you should encrypt the entire system-volume instead of putting at-boot needed files in a file-hosted container.

    (I'm not mocking you here, TC is one of those rare programs where you really need to read the manual unless you are willing to deal with some serious problems - Like not being able to access your data at all ..)
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    @Enigm

    I get your point. I didn't notice that he wants to encrypt apps.

    What you say about the reliability of TC FDE may be true. But look at the TC forum here!

    Anyway, what I really recommend is moving to Debian with RAID10 and dm-crypt/LUKS. He can run Windows as a VirtualBox VM if necessary.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    So you think I should RTFM first?
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    To be non-purist here, if we're talking thieves as in criminals nicking your stuff (as opposed to "perfectly legal" governmental equivalents), I'm OK with BitLocker, because it's the only transparent solution (for the right edition of Windows) provided you've got a TPM. Otherwise you need to provide a strong password every time you boot. You need to take care with W8.1 backing up your recovery keys to the cloud if you do not want this to happen.

    Whichever route you go, by all means, back up your recovery keys/header info....

    I also use other protection depending on the application.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Thanks for reminding me of BitLocker, deBoetie. Somehow it had slipped into the dark recesses of my mind and I wasn't recalling it.
    Thing is, I was all set to use BL, but doing so required upgrading my two W7 machines to Ultimate, which I did, only to learn about Trusted Platform Modules... and the lack thereof on my systems!
    Bummer. I did learn, however, that I can Allow BitLocker without a TPM by making a quick change in Local Group Policy Editor. I am then required to use a startup key on a flash drive every time I start the computers.
    I believe it was at that point in the discovery process that the scales tipped back in favor of TrueCrypt, for me.
    Now I am rethinking BL.
    Thanks again.
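    Before choosing between the TPM route and the startup-key-on-USB route discussed above, it helps to see what the machine actually has. The script below is an added example, not code from any poster or from Microsoft: it uses the standard Get-Tpm and Get-BitLockerVolume cmdlets to report TPM presence, each volume's protection status and key protectors, and whether a recovery password protector exists (the "back up your recovery keys" point from earlier in the thread). It assumes a Windows edition that ships the BitLocker and TrustedPlatformModule PowerShell modules and an elevated prompt.

```powershell
# Added example (not from the thread's posters or Microsoft): summarise TPM and
# BitLocker state so the TPM-vs-startup-key decision and the recovery-key
# backup are based on what the machine reports rather than memory.
# Assumes: Windows with the BitLocker and TrustedPlatformModule modules, run elevated.

function Get-BitLockerReadiness {
    [CmdletBinding()]
    param()

    # Get-Tpm throws on machines with no TPM device/driver; treat that as "absent".
    $tpm = $null
    try {
        $tpm = Get-Tpm -ErrorAction Stop
    } catch {
        Write-Warning "Get-Tpm failed: $($_.Exception.Message)"
    }

    $report = [ordered]@{
        TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady   = [bool]($tpm -and $tpm.TpmReady)
        Volumes    = @()
    }

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $report.Volumes += [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($types -join ', ')
            # A recovery password protector is what you print/save offline.
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
    [pscustomobject]$report
}

$r = Get-BitLockerReadiness

if (-not $r.TpmPresent) {
    Write-Host "No usable TPM reported: protecting the OS drive needs the 'Allow BitLocker without a compatible TPM' group policy plus a startup key or password at every boot."
} elseif (-not $r.TpmReady) {
    Write-Host "TPM present but not ready: initialise it in tpm.msc/firmware before relying on TPM-only unlock."
}

$r.Volumes | Format-Table -AutoSize

# Flag protected volumes that have no recovery password to back up.
$r.Volumes |
    Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.HasRecoveryPwd } |
    ForEach-Object {
        Write-Warning "$($_.MountPoint): protected, but no recovery password protector. Add one and store it off-machine before trusting this volume."
    }
```

    On a machine with no TPM the OS volume will show only ExternalKey (the USB startup key) or a password protector; either way the recovery password is the thing to keep off the encrypted disk, since a lost startup key with no recovery password is the same outcome as a stolen drive.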
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Perhaps we all go round the same loops! I was only able to get the TPM as a retrofit to the mobo, but it worked fine. From what I recall though, even with changing policy through GPE, it still required a password to go with the key on the flash drive. Also, I read some people had problems with getting the flash drive recognised during boot as needed, so I baulked at that method. Given that I had to put in a password anyway, I think I'd have gone down the TC route in that instance.

    Also, since you've gone down the Ultimate route, there are options for using EFS (which is the way I hack it on a laptop which has no TPM, with no swap). In that case, I do use a TrueCrypt container with an auto-mounted drive for cached data for Sandboxied applications (EFS doesn't work with Sandboxie because it runs in a different account so has no access to the relevant certificates).
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Joining this thread a little late. In addition to years with TC I am also an avid Macrium Reflect user and it works perfectly for me with TC encryption. Don't waste your time doing a full sector by sector system disk backup in the situation you describe. By using Macrium you can write out a backup from a live OS with the backup being fully encrypted by Macrium. MR accepts long passwords and is AES so it's solid for not allowing a "street thief" to access the data if stolen from home. This intelligent copy method means you only backup the data space used on your system disk. Many have 150 gig C drives with 50 gig being used as an example. Why continually backup the unused 100 Gig?

    Now on to the laptop. WDE/FDE is absolutely what you want to do. I could write volumes on the subject but many here have helped you already.

    Restore: using MR as I describe you can simply insert the boot media and select the backup image from an external drive, enter the backup password and go away for about 1/2 hour and your system disk is back to where the snapshot was taken. Now you will need to re-encrypt the system disk again and you are done. BTW - you don't have to decrypt the #@$@$@$ system disk because MR will write the backup directly to the original position in plain text handling it all for you seamlessly. It is much quicker to write a MR backup than it is to decrypt via TC and then do the fix. Many many times faster. Done it a hundred times at least.

    Minor repairs: if your system disk mounts (even if it is FDE TC encrypted) you can also do simple repairs using MR Pro as I do it often. Many times a software program may get hosed and for that simple stuff a repair is much faster than a system disk redo. TC is on the fly encryption and if the system disk is mounted MR will run "on the fly" through TC's software making this fast and easy.
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Glad you dropped by, Palancar, and thanks for the valued input.
     