Techgage logo

TrueCrypt Primer: Part 1 – What It Is & Why You Should Care

Date: November 20, 2012
Author(s): Mario Figueiredo

We’ve talked a lot in the past about keeping your computer safe and data backed-up, but we haven’t delved much into keeping your data secure. In this first part to a three-part series, we’re taking a look at one of the best (and easiest-to-use) cross-platform solutions for keeping your important data encrypted: TrueCrypt.



Introduction

Data has never been such a traveler. In our mobile devices, flash drives, computer desktops, on the Internet and in the multitude of cloud services, data is constantly being downloaded, uploaded, or synced. Data that we have generated ourselves – like a spreadsheet for a financial report, work we brought home from the office, our photo albums and more. If something has to be said about data these days, it’s that never before has data security been such an important consideration for humankind.

We’ve been experiencing the Internet through the filter of user names and passwords. Almost anywhere we go we are required to sign up for a new account, or sign in to an existing one if we have been there before and have already left our credentials stored on the website or Web database. But if passwords and usernames offer some amount of security, it’s just a modicum dose. I would go as far to argue that passwords aren’t a security measure at all; they are data like any other that needs to be secured and merely offers an authentication method to an in-place security measure.

As such, true security derives from how we store the actual data, including passwords. In modern times this has become an absolute imperative and anyone using the Internet should at one time or another become familiar with any security measures to protect their data. Encryption is one such measure and the most widespread.

TrueCrypt Logo

A General Look at TrueCrypt

In this three-part series, we are going to take a deep look at TrueCrypt. TrueCrypt is a free software tool that’s been developed since 2004 and is made available by the TrueCrypt Foundation. With this tool it is possible to create a virtual encrypted disk within a file, or encrypt a partition. Under Windows it is also possible to encrypt the entire boot drive.

As of this writing, TrueCrypt’s latest version is 7.1a. The three articles in this series will refer to this version. TrueCrypt is available for Windows, Linux and MacOs X operating systems — but what you can do with it depends on the type and version of your operating system.

 Virtual DisksPartition EncryptionSystem Encryption
Windows 8 (32 & 64 bits) 1YesNo
Windows 7 (32 & 64 bits)YesYes
Windows Vista (32 & 64 bits) 2YesYes
Windows XP (32 & 64 bits)YesYes
Windows Server 2008 R2YesYes
Windows Server 2008 (32 & 64 bits)YesYes
Windows Server 2003 (32 & 64 bits)YesYes
Mac OS X 10.7 Lion (32 & 64 bit)YesNo
Mac OS X 10.6 Snow Leopard (32 bits) 3YesNo
Mac OS X 10.5 Leopard (32 bits) 3YesNo
Mac OS X 10.4 Tiger (32 bits only)YesNo
Linux Kernel 2.6 or compatible (32 & 64 bits)YesNo

1 The TrueCrypt website makes it clear Windows 8 isn’t fully supported yet. Despite any success you might have encrypting a Windows 8 system partition, this is not recommended until full Windows 8 support is given on a future version of TrueCrypt.
2 System partition encryption is only possible with Windows Vista SP1 or above.
3 64 bit support can be obtained by installing OSXFUSE.

You can see from the table above that Linux-based systems don’t support system encryption. This is due to the OS design. Such a feature would have to be able to handle Linux-supported filesystems (at least the most widely used ext3, ext4, etc). It would also need to support more than one bootloader and be intelligent not to destroy their rules when placing its own. It would also need to locate and encrypt the distinct swap volume. While doable, the amount of work required may mean TrueCrypt will never provide support for Linux system encryption.

TrueCrypt Main Window
TrueCrypt main window

TrueCrypt supports the following encryption algorithms:

In addition, TrueCrypt supports Multiple Encryption. This technique (also known as Cascade) encrypts data using multiple encryption algorithms in succession. (The file is first encrypted with one algorithm, and then another encryption takes place on top of the previous one with another algorithm).

The supported Cascades are:

The cryptographic hash algorithms supported by TrueCrypt are:

Algorithms and hash functions will be discussed in more detail on the second part of this series.

TrueCrypt Volumes

TrueCrypt uses the concept of virtual disk volumes to help create, use and manage encrypted data. TrueCrypt volumes behave exactly as if a new disk drive had been installed on the system and, once mounted, can be accessed through normal file browsing tools (Windows Explorer, Mac Os X Finder and Linux ls command, for instance).

When you require a file or folder/directory to be encrypted, you simply mount your TrueCrypt volume of choice and move the file or folder/directory inside there. For all purposes, a TrueCrypt volume, once mounted, is entirely transparent to the user and the operating system makes no distinction between it and a regular disk drive on your computer. In parts II and III of this series you are going to learn exactly how these volumes are created and managed. TrueCrypt’s interface makes this a simple procedure.

TrueCrypt makes a distinction between three different volume types: File Hosted Volumes, Partition Hosted Volumes and Pre-Boot Authentication Volumes.

TrueCrypt Volumes
The three types of TrueCrypt Volumes

File Hosted volumes (known also as Containers) are virtual disk volumes represented by a single file on your computer, very similar to mounting an ISO file as a virtual drive on your computer. These volumes are the ideal choice if you do not want to encrypt the entire device or disk partition, but wish to have a file containing encrypted data inside. By far, this is the most common usage of TrueCrypt. File Hosted Volumes are an excellent option for sensitive or personal data that you wish to store in cloud-based Internet services like DropBox, SkyDrive or Google Drive. File hosted volumes are normal operating system files until they are mounted. They can be copied, moved or deleted just like any other file.

Partition Hosted Volumes (or Device Hosted Volumes, if the device contains only one partition) is a disk partition or an entire storage device encrypted by TrueCrypt. These partitions or devices become unrecognizable by the operating system and must be mounted with TrueCrypt before they can be used. This is an ideal choice when you want to encrypt an entire USB memory stick or other external storage devices. It is also the volume you should create when you wish to have an encrypted hard drive (or partition) for the single purpose of storing any sensitive data.

Pre-Boot Authentication Volumes are used when you wish to encrypt the entire system drive where Windows resides. They aren’t volumes per se since they aren’t mounted on a running operating system, But allow me to make the distinction since, on the case of system partition, TrueCrypt refers to it simply by the process name (System Encryption) and doesn’t name the resulting encrypted partition.

System encryption is discussed in more detail in part III of this series.

Plausible Deniability

TrueCrypt introduces in its arsenal of security features the concept of Plausible Deniability. The term refers to the ability of denying the existence of any encrypted data when being forced to reveal its authentication password under threat. TrueCrypt achieves this with Hidden Volumes.

TrueCrypt allows you to create Hidden Volumes when specifying the creation of Partition Hosted Volumes or when encrypting the operating system. A hidden volume is implemented by wrapping the encrypted volume you want to hide inside another TrueCrypt volume. The volume you want to hide is also moved to the free space area of the outer volume. TrueCrypt makes this easy to achieve through its wizard. Note that both the outer volume and the hidden volume must have different passwords. These passwords should also be significantly different.

TrueCrypt Hidden Volume
TrueCrypt hidden volume creation

The outer volume can contain some files that you will be able to reveal if forced to give a password. Ideally, these should be files that represent a security concern to you, in order for your deniability to remain plausible. However, after opening the outer volume, other than those files, all your opponent will see is empty space — unknowing to him that that empty space is in fact another TrueCrypt volume that requires another password to decrypt.

The empty space on a hard drive or any other storage media is usually represented internally by seemingly random data, especially after doing a disk wipe. This is exactly what an encrypted volume looks like. So you can safely give your password away for the outer volume and convince your opponent there is nothing more to it (admittedly, plausible deniability is 10% technological trick and 90% good acting).

However, the plausible deniability of TrueCrypt has been under the close scrutiny of security analysts. Some deficiencies have been pointed out. The most glaring one may be the fact that TrueCrypt volumes invariably pass two tests that attempt to introduce the concept of Probable Cause against that of Plausible Deniability. Namely, TrueCrypt volumes sizes are divisible by 512 and they pass a Chi-Square randomness test. In the presence of this, there may be some reasonable suspicion that the empty space is in fact a hidden volume (or for any purpose, encrypted data). More so if we consider TrueCrypt hidden volumes are a known feature of the program.

You can always argue you used a tool to wipe that empty space and that is the reason why it passes those tests. This strengthens the argument for plausible deniability because there are in fact disk wiping tools that specifically do this. But the truth of the matter is that a minimum amount of reasonable doubt should only deter law enforcement officials, not criminals trying to extort information from you.

Encryption and Performance

TrueCrypt uses On-The-Fly encryption. What this means is that data isn’t encrypted or decrypted until it is used. A mounted TrueCrypt volume hasn’t been entirely decrypted; only those parts needed for the operating system to recognize it as a new drive is. Individual files inside the volume will only be encrypted or decrypted when being used. This allows for very large TrueCrypt volumes to be quickly mounted and dismounted.

One question that will inevitably arise is how fast TrueCrypt really is. Encrypting and decrypting data is expected to have an impact on disk reading and writing operations, more so when we consider entire operating systems or partitions.

TrueCrypt makes use of two programming methodologies and one technology in order to boost the speed at which encrypted data is read and written to disk. These are Parallelization, Pipelining and Hardware Accelerated Encryption, respectively.

Through Parallelization, TrueCrypt will make use of all available cores on a processor, or all available processors on your computer. Through Pipelining, TrueCrypt allows applications to load (or files to be loaded into applications) without them having to wait to be fully decrypted. Through Hardware Accelerated Encryption (AES), TrueCrypt makes use of hardware-based encryption on processors that support it. A processor supporting the AES instruction set can boost TrueCrypt performance to as much as 8x, according to the TrueCrypt authors.

TrueCrypt doesn’t support the Linux Pipeline subsystem, so TrueCrypt pipelining is only available in Windows. The contribution of pipelining to the overall performance of TrueCrypt can be considered negligible if all you do with TrueCrypt is create File Hosted Volumes and do not perform intensive serial IO actions  on the encrypted files; like selecting 50 large pictures for opening in Photoshop.

TrueCrypt Benchmark Tool
The TrueCrypt benchmark tool

Doing a benchmark analysis of TrueCrypt is beyond the scope of these articles. One reason is because it has been done already. You can find two such articles here and here. TrueCrypt is very fast, even on processors not supporting AES. Parallelization and Pipelining alone can boost the performance to acceptable levels if you are making use of File Hosted Volumes or Partition Hosted Volumes which don’t carry performance-demanding applications. Processors supporting AES will boost performance even further, making the use of a fully encrypted drive very similar to an unencrypted one.

There’s however one thing to keep in mind. Intensive use of disk read/write operations will always augment and underline any IO performance bottlenecks. TrueCrypt isn’t immune. It can never be as fast as a non encrypted disk. Applications that are performance-critical will quickly reveal TrueCrypt associated bottlenecks. You shouldn’t encrypt databases or other IO intensive applications and files if performance is a critical factor.

TrueCrypt Trustworthiness

It is not just the encryption algorithms and overall security measures being used that should be under the watchful eye of anyone committed to securing their data. We provide a modicum amount of security to our daily lives by making use of a small network of trust. We tell a friend a secret if we trust them to keep it, we allow a director to write checks from our business account if we trust them to be honest. Likewise, we generally entrust our personal data to websites or services on a basis of trust.

TrueCrypt itself is not a security measure. It is a tool that implements a security measure. This distinction is important and because of it, it should be under close scrutiny. Does TrueCrypt do what its authors say it does? Does it have any backdoors? What are other people saying about TrueCrypt? Has it been broken before? Has anyone analysed TrueCrypt in any detail? Who makes TrueCrypt?

These questions make sense when we want to entrust TrueCrypt to secure our most sensitive data and no one should feel intimidated to ask them.

As you can expect, TrueCrypt has been under the scope of many a user. Through the years, some arguments have surfaced questioning TrueCrypt as a safe tool. Note that this is perfectly acceptable. From a security point-of-view, reports on the strengths of a security tool are mostly anecdotal and usually of little value. There’s good reason to keep a cynical mind about these matters, and want only to pay attention to that which may be revealing of its weaknesses. But an inquisitive and cynical mind isn’t enough. One should also remain rational and pass any information through the filter of common sense.

One such place that lists the security issues that some users have been pointing out is found on a personal blog: Privacy Lover. Here you will find the top concerns regarding TrueCrypt trustworthiness. Before reaching the end of this first article on TrueCrypt, I’d like to address a few of them myself:

Nobody knows anything about the developers, they do not want to identify themselves.

This is indeed troubling. It’s hard to imagine why the TrueCrypt developers wish to remain anonymous. There may be personal reasons we can’t be aware of, but in the face of it, one would expect (given the nature of the tool) the developers to be more open-minded about this issue and simply state — not the actual reasons — but their motivation to remain anonymous.

Closed source full disk encryption competitors like WinMagic, DriveCrypt (Securstar) and PGP Corporation have a full time team of software developers working in their products[…] meanwhile two unpaid TrueCrypt developers manage to work on Linux, MAC and Windows versions, on 32 and 64 versions and support the next Windows 7 as soon as it has been released, at the same time, presumably, these two TrueCrypt developers also hold full time jobs that pays them a salary to feed their families and covers their mortgages.

This is entirely incorrect. TrueCrypt has been under development since at least 2002. Its early versions were nothing like what we see today and it can be safely said TrueCrypt is a work in progress that has been constantly built upon the foundations of its earlier versions. Furthermore, TrueCrypt is based on well-known and publicly available algorithms and encryption methodologies the authors didn’t invent. The application complexity is evident. But a large part of this isn’t credited to TrueCrypt authors. The application’s About Dialog Box lists a good number of people that directly or indirectly contributed to TrueCrypt development.

TrueCrypt About Box

Meanwhile, there shouldn’t be a need to mention the tremendous contribution other solo developers have been giving to computer science and tooling in particular. The simple matter of fact is that there are passionate and dedicated individuals in this field that will reserve a large part of their lives for the pleasure of creating something truly useful to themselves and to others.

TrueCrypt’s source code has never been the subject of a thorough review.

This is speculative at best. There’s no reason to believe such is the case. Those interested in doing so (namely governments and large companies) do not usually publish the results of their findings, nor it is in their best interest to divulge what security measures they are using or which ones they have tested. But I’ll be speculating too if I keep on that line of reasoning. What’s perhaps more important to note is that the full source code is made available and can be compiled into a working executable. Regardless of how we analyse the issue of peer review, I’d be hard-pressed to believe the source code contained any backdoors; which would immediately stand out to any qualified reviewer.

As per TrueCrypt forum rule 3 you are not allowed to discuss about other encryption software, as per TrueCrypt forum rule 8 you can’t discuss TrueCrypt forks, as per TrueCrypt forum rule 9 you can’t discuss software that decrypts Truecrypt.

This falls flat in the face of a project the developers call open source (it isn’t for various reasons, but they call it such). It is indeed troubling that the software can’t be openly discussed. However this is simply an administrative decision. There’s nothing stopping anyone from discussing it on some other place on the Web, possibly with a lot more visibility than the TrueCrypt forums. It didn’t stop, for instance, Peter Kleissner from developing the Stoned MBR rootkit — which under certain conditions is capable of bypassing TrueCrypt’s Windows system encryption — and speak about his results at the most prestigious computer security conference on the planet.

I’m going to conclude this first article on TrueCrypt by noting that this is not a tool you should consider trustworthy. It’s like beating a dead horse, saying that no tool offers complete security or trust. But the real meaning of this sentence is often lost. What is important to keep in mind is that we should make realistic concessions based on who we are and what type of information we want to hide. Assuming some agency like the CIA (or your local flavor of a secret service agency) has access to a backdoor on TrueCrypt, it is very unlikely they would blow the lid on it because of someone hiding embarrassing pictures, pirated music or the plans for a more efficient combustion engine.

On a comical note, according to a certain Brazilian banker it may be good enough to hold data that contains all your corrupt activities. You may work from that baseline.

Copyright © 2005-2019 Techgage Networks Inc. - All Rights Reserved.