Complete System Encryption through TrueCrypt? - Tilted Forum Project Discussion Community

Hain · 02-07-2008, 04:53 AM

You can encrypt your entire system partition, i.e. where Windows is installed, without destroying the data laying on it. Your Windows machines will operate exactly as before (depending on hardware, possible a bit slower due to decryption speeds and encryption method). And now one can even create a [anchorlink=Hidden Operating System]hidden operation system[/anchorlink].

original post click to show

Quote:

System Encryption

TrueCrypt can on-the-fly encrypt a system partition or entire system drive, i.e. a partition or drive where Windows is installed and from which it boots (a TrueCrypt-encrypted system drive may also contain non-system partitions, which are encrypted as well).

System encryption provides the highest level of security and privacy, because all files, including any temporary files that Windows and applications create on the system partition (typically, without your knowledge or consent), swap files, etc., are permanently encrypted. Windows also records large amounts of potentially sensitive data, such as the names and locations of files you open, applications you run, etc. All such log files and registry entries are always permanently encrypted as well.

System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first cylinder of the boot drive.

Note that TrueCrypt can encrypt an existing unencrypted system partition/drive in-place while the operating system is running (while the system is being encrypted, you can use your computer as usual without any restrictions). Likewise, a TrueCrypt-encrypted system partition/drive can be decrypted in-place while the operating system is running. You can interrupt the process of encryption or decryption anytime, leave the partition/drive partially unencrypted, restart or shut down the computer, and then resume the process, which will continue from the point it was stopped.

To encrypt a system partition or entire system drive, select System > Encrypt System Partition/Drive and then follow the instructions of the wizard. To decrypt a system partition/drive, select System > Permanently Decrypt System Partition/Drive.

The mode of operation used for system encryption is XTS (see the section Modes of Operation). For further technical details of system encryption, see the section Encryption Scheme in the chapter Technical Details.

Craven Morehead · 02-07-2008, 06:51 AM

There are other products that do that as well. My previous employer installed one product on all PC/laptops and then after a couple of years replaced that with another. I can not recall the names of either. Both required a log on during the Windows boot process and both encrypted/unencrypted in realtime. Corporate said the performance would not be effected. Nearly every user disagreed with that. I did experience a HD problem and the disk had to be unencrypted (took forever) before any maintenance could be done. Fortunately, it survived long enough to copy the files to a server.

Xazy · 02-07-2008, 07:09 AM

How much slower does it make your system?

Hain · 02-07-2008, 07:15 AM

I've used TrueCrypt before, not like this, but it honestly depends on the algorithm you choose for encryption. There are algorithms faster than some hard drive read/write rates and performance is barely depreciated, while other algorithms are much more intense to decrypt.

Still, once I have some time, I will do this to my system.

OK, had a friend explain that I would still need a small partition somewhere on my hard drive not encrypted for the TC bootloader to go. The article does not mention this, instead says, "Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first cylinder of the boot drive."

So can someone explain to me the requirements of accomplishing this?

Pragma · 02-07-2008, 06:04 PM

It uses the boot sector for the TC Boot Loader. This is the standard area on the hard drive that GRUB, LILO, or the Windows boot loader resides. You don't "lose" any space or compromise your security in any real way.

To clarify, this does not a "small partition" somewhere.

Scorpion23 · 02-16-2008, 12:43 PM

I have to say, I've used TrueCrypt for years and never noticed this. My laptop is encrypted automatically with IBM's Client Security Software, but I've been looking for something to use on my desktop. I'm going to do it right now

edit:
It turns out I missed it because I was running a version of TC that didn't support it. Thanks for catching my eye with it.

Hain · 02-16-2008, 04:28 PM

Scorpion, tell me how that works out. I am have some deadlines that make me chicken-shit to try this out immediately. Come the end of March, viola! We'll see what this baby can do.

Scorpion23 · 02-17-2008, 07:33 AM

Well I did my system drive last night, and here are the results. I started off by running a test of all encryption methods in TC to look at theoretical speeds, and picked Twofish encryption. The benchmark put it at a mean speed of 54 MB/s, which is right at the max speed for my HD.

As far as installation goes, it couldn't be easier. The bootloader works perfectly, and it forces you to create a rescue CD in case the HD is damaged. Total time to encrypt my 250 GB HD was around 3 hours, with no overwriting.

Once everything was encrypted though, the benchmarks were a little disappointing.

Hard Drive: Western Digital 250 GB SATA 150 (WD2500YD)

Before:
Average Transfer: 46.5 MB/s
Access Time: 13.9 ms
CPU Usage: 4.3%

After:
Average Transfer: 36.2 MB/s
Access Time: 13.7 ms
CPU Usage: 38%

One thing that I can't show is the transfer speed over time. On the normal drive it decreases over time in a fairly linear fashion, but for the encrypted drive it stays more or less constant. So for the normal HD the transfer speed for small files is around 56 MB/s.

In all, I haven't noticed any dramatic changes in the performance of windows. I'm afraid to load up Crysis though

Hain · 02-17-2008, 07:45 AM

38%.... ouch...

I will perform similar tests, comparing before and after.

Scorpion23 · 02-17-2008, 09:30 AM

Quote:

Originally Posted by Augi

38%.... ouch...

I know it seems like a lot, but that's only during sustained read/write periods. I'm still below 5% at idle. I can see a jump in CPU usage when I call up a large directory, but it doesn't appear to be any slower. I'm giving it a week to see how all my programs respond then I'll decide if I keep it this way.

Hain · 02-17-2008, 03:47 PM

I convert video for my media center. Video conversion is intense for both hard drive and processor. In addition, I participate in a number of BOINC projects---extremely processor intensive.

38% is a lot...

Scorpion23 · 02-17-2008, 08:55 PM

Well, it's definitely a lot for media applications. I would never do it to my HTPC, since it can barely code MPEG-2 on-the-fly. But then again there's nothing on there that I need to encrypt.

From what I've seen my BOINC projects use CPU more than the HD. I believe mine is set to flush to the HD every 5 min, and runs in RAM the rest of the time.

I agree though, 38% is quite large. I'm also running a P4 with Hyperthread, so it's not the best CPU out there.

Hain · 02-17-2008, 10:48 PM

Quote:

Originally Posted by Scorpion23

I agree though, 38% is quite large. I'm also running a P4 with Hyperthread, so it's not the best CPU out there.

Same here on my desktop, 3.2GHz HT P4.

Scorpion23 · 06-13-2008, 09:36 PM

I wanted to update this thread since TrueCrypt 5.1a is out now. They've increased the speed of AES encryption/decryption by 30-140% based on the system, and enabled hibernation on encrypted system drives. I've also been using a fully encrypted system disk since February and haven't really noticed any performance drops.

mikec · 06-15-2008, 10:21 PM

my company recently deployedcredant encryption software to laptops - I haven't ran a benchmark, so I don't know for sure, but I haven't noticed any system performance hits - just had to give it time to encrypt everything on the HD... doesn't make me give a PW pre-windows. That said I am curious as to what would happen if I took the HD out and hooked it up to an external enclosure...

all that said, truecrypt looks pretty sweet, especially for free!!

MikeSty · 06-15-2008, 10:30 PM

I've not tried this total system encryption yet, and I don't plan on it, but I was a bit confused when I first read about it myself.

I'm not really sure I can "vouch" for truecrypt, as I've never actually tried to "decrypt" anything I've locked up. It's nice for hiding stuff, though, and I have a few volumes where I store some passwords / information.

Does porn count as information?

Thanks Scorpion23 for the news on the update. Speed hasn't been an issue for me thus far, but that's good to know.

Hain · 06-15-2008, 10:38 PM

Actually, I forgot I made this thread, and I have had my system encrypted with AES for the past month now.

Hain · 07-04-2008, 06:06 AM

Want another reason to encrypt your system? An article linked through Information Week:

Quote:

View: [ANCHOR]Laptop Losses Total 12,000 Per Week at US Airports[/ANCHOR] (link)
Source: Darkreading (http://www.darkreading.com)

Abstract: "Nearly 70% are never recovered; many go unreported"

Quote:

Laptop Losses Total 12,000 Per Week at US Airports
JULY 2, 2008 | 6:00 PM
by Tim Wilson
from Darkreading, http://www.darkreading.com

Companies lose a lot more laptops than they disclose, according to a report published Monday.

According to a study of 106 major U.S. airports and 800 business travelers published by the Ponemon Institute and Dell Computer, about 12,000 laptops are lost in airports each week. Only 30 percent of travelers ever recover the lost devices. Nearly half of the travelers say their laptops contain customer data or confidential business information.

The report offers a very different view from sources that collect breach disclosure information, such as Attrition.org, where only a few companies disclose laptop thefts each week. Many employees are embarrassed to report the loss of a laptop, and many companies don't report them, experts say.

"It’s staggering to learn that up to 600,000 laptops are lost in U.S. airports annually, many containing sensitive information that companies must account for," said Larry Ponemon, chairman and founder of the Ponemon Institute. "IT departments must re-evaluate the steps they’re taking to protect mobile professionals, the laptops they carry, and company data stored on mobile devices."

Dell used the report to support its launch of Dell ProSupport Mobility Services, a suite of modular asset and data protection services to help companies protect laptop computers and company information, especially when the computers are lost.

The Ponemon study indicates that most airport laptop losses occur at the security checkpoints or at the departure gates, where it's easy to leave things behind. More than 70 percent of business travelers say they feel rushed when trying to get on their flights, and 69 percent said they are usually carrying too many items while trying to catch their flights.

Los Angeles's LAX reported more laptop losses than any other airport, about 1,200 per week. Most of the airports said they generally keep the laptops for some period of times, then destroy them if they are unclaimed.

Sixty-five percent of the business travelers admit that they do not take steps to protect the confidential information contained on their laptops when traveling on business, according to the study. Forty-two percent say they don't back up their data before going on a trip. Fewer than 20 percent of respondents said they have whole disk encryption or file encryption on their machines.

Interestingly, only 1 percent of the respondents admitted personally losing a laptop computer. However, 84 percent say they know someone who has lost a laptop while traveling on business.

Go to Laptop Losses Total 12,000 Per Week at US Airports from Darkreading, http://www.darkreading.com.This post was created with FASS.

30% of 12,000 are returned: that leaves 8,400 laptops never recovered.

Aviation Week posted a similar article on the matter.

Quote:

View: [ANCHOR]12,000 Laptops Lost Weekly At U.S. Airports[/ANCHOR] (link)
Source: Aviationweek (http://www.aviationweek.com)

Abstract: "A new study sponsored by the Dell computer company estimates that more than 12,000 laptop computers are lost or stolen each week at U.S. airports, and only 33% of those that turn up in "lost and found" are reclaimed."

Quote:

Full Article click to show

12,000 Laptops Lost Weekly At U.S. Airports
Jul 3, 2008
by David Hughes
from Aviationweek, http://www.aviationweek.com

A new study sponsored by the Dell computer company estimates that more than 12,000 laptop computers are lost or stolen each week at U.S. airports, and only 33% of those that turn up in "lost and found" are reclaimed.

The other 67% remain in the airport awhile before being disposed of, meaning there are "potentially millions of files containing sensitive or confidential data that may be accessible to a large number of airport employees and contractors," the study issued on June 30 reports.

Ponemon Institute LLC, a for-profit research organization and consultancy that focuses on privacy issues, began the lost laptop study, and Dell later agreed to became a sponsor. However, Dell did announce a new computer security service it plans to offer to corporations on June 30, showing that it does have a dog in this fight. Ponemon does research on the trust in privacy and information security practices in the banking, retail, telecommunications and airline industries as well as in government. The chairman and founder of the Institute, Larry Ponemon, was previously global managing partner of PricewaterhouseCoopers, where he founded the firm's privacy practice. Researchers visited 106 airports in the U.S. and surveyed 864 business travelers.

The research numbers are believe able, according Airports Council International North America. Charles Chambers, senior vice president of security for ACI-NA, says based on a back-of-the-envelope calculation, thinks the 12,000 per week prediction is plausible. He notes that the percentage of laptops lost is small when viewed in terms of the total number of passengers traveling. Only less than one half of one percent of the roughly 3.5 million business travelers flying each week would have to lose their laptops to reach the 12,000 number, he notes.

Ponemon did field research at 106 airports in 46 states, interviewing several people at each location because missing laptops that are recovered can end up with the airport, with airlines, police or even be kept in a frequent flyer lounge until a passenger returns to claim it.

The study states that the major (Class B) airports with the biggest problems are Los Angeles International, where 1,200 laptops are lost or stolen each week, and Miami International, with 1,000. New York City airports weigh in at positions three, five and six with John F. Kennedy International having 900 laptops lost or stolen each week, Newark Liberty International 825, and LaGuardia 630. There are 36 Class B airports in the U.S. and the average loss is 286 laptops per week.

Not surprisingly, 40% of laptops are lost at security checkpoints where procedures require passengers to separate from their property during electronic screening and pat downs. The Transportation Security Administration did not reply to a request for information on how many laptops go missing each year at airport security checkpoints.

More than 53% of business travelers say their laptops contain confidential or sensitive information, but 65% of these people admit they don't take steps to protect it. Yet the average business cost when confidential personal information is lost or stolen is $197 per record, according to another Ponemon study.

A full copy of the report can be found here. (pdf)

Go to 12,000 Laptops Lost Weekly At U.S. Airports from Aviationweek, http://www.aviationweek.com.This post was created with FASS.

Hain · 07-05-2008, 09:52 AM

You can now create hidden operating systems with TrueCrypt.

Quote:

View: [ANCHOR]Hidden Operating System[/ANCHOR] (View Original Article) ([ANCHORLINK=Hidden Operating System]Link to Here[/ANCHORLINK])
Source: Truecrypt (http://www.truecrypt.org)

Abstract: "A hidden operating system is a system (for example, Windows Vista or Windows XP) that is installed in a hidden TrueCrypt volume. It is impossible to prove that a hidden TrueCrypt volume exists (provided that certain guidelines are followed; for more information, see the section Hidden Volume) and, therefore, it is impossible to prove that a hidden operating system exists."

Quote:

Hidden Operating System
July 4, 2008
by TrueCrypt – Free Open-Source Disk Encryption Software (TrueCrypt Foundation)
from Truecrypt, http://www.truecrypt.org

If your system partition or system drive is encrypted using TrueCrypt, you need to enter your pre-boot authentication password in the TrueCrypt Boot Loader screen after you turn on or restart your computer. It may happen that you are forced by somebody to decrypt the operating system or to reveal the pre-boot authentication password. There are many situations where you cannot refuse to do so (for example, due to extortion). TrueCrypt allows you to create a hidden operating system whose existence will be impossible to prove (provided that certain guidelines are followed — see below). Thus, you will not have to decrypt or reveal the password for the hidden operating system.

Before you continue reading this section, make sure you have read the section Hidden Volume and that you understand what a hidden TrueCrypt volume is.

A hidden operating system is a system (for example, Windows Vista or Windows XP) that is installed in a hidden TrueCrypt volume. It is impossible to prove that a hidden TrueCrypt volume exists (provided that certain guidelines are followed; for more information, see the section Hidden Volume) and, therefore, it is impossible to prove that a hidden operating system exists.

However, in order to boot a system encrypted by TrueCrypt, an unencrypted copy of the TrueCrypt Boot Loader has to be stored on the system drive or on a TrueCrypt Rescue Disk. Hence, the mere presence of the TrueCrypt Boot Loader can indicate that there is a system encrypted by TrueCrypt on the computer. Therefore, to provide a plausible explanation for the presence of the TrueCrypt Boot Loader, the TrueCrypt wizard creates a second encrypted operating system, so-called decoy operating system, during the process of creation of a hidden operating system. A decoy operating system must not contain any sensitive files. Its existence is not secret (it is not installed in a hidden volume). The password for the decoy operating system can be safely revealed to anyone forcing you to disclose your pre-boot authentication password.*

You should use the decoy operating system as frequently as you use your computer. Ideally, you should use it for all activities that do not involve sensitive data. Otherwise, plausible deniability of the hidden operating system might be adversely affected (if you revealed the password for the decoy operating system to an adversary, he could find out that the system is not used very often, which might indicate the existence of a hidden operating system on your computer).

There will be two pre-boot authentication passwords — one for the hidden system and the other for the decoy system. If you want to start the hidden system, you simply enter the password for the hidden system in the TrueCrypt Boot Loader screen (which appears after you turn on or restart your computer). Likewise, if you want to start the decoy system (for example, when asked to do so by an adversary), you just enter the password for the decoy system in the TrueCrypt Boot Loader screen.

Note: When you enter a pre-boot authentication password, the TrueCrypt Boot Loader first attempts to decrypt (using the entered password) the last 512 bytes of the first logical track of the system drive (where encrypted master key data for non-hidden encrypted system partitions/drives are normally stored). If it fails and if there is a partition behind the boot partition, the TrueCrypt Boot Loader (even if there is actually no hidden volume on the drive) automatically tries to decrypt (using the same entered password again) the area of the first partition behind the boot partition where the encrypted header of a possible hidden volume might be stored. Note that TrueCrypt never knows if there is a hidden volume in advance (the hidden volume header cannot be identified, as it appears to consist entirely of random data). If the header is successfully decrypted (for information on how TrueCrypt determines that it was successfully decrypted, see the section Encryption Scheme), the information about the size of the hidden volume is retrieved from the decrypted header (which is still stored in RAM), and the hidden volume is mounted (its size also determines its offset). For further technical details, see the section Encryption Scheme in the chapter Technical Details.

When running, the hidden operating system appears to be installed on the same partition as the original operating system (the decoy system). However, in reality, it is installed within the partition behind it (in a hidden volume). All read and write operations are being transparently redirected from the system partition to the hidden volume. Neither the operating system nor applications will know that data written to and read from the system partition are actually written to and read from the partition behind it (from/to a hidden volume). Any such data is encrypted and decrypted on the fly as usual (with an encryption key different from the one that is used for the decoy operating system).

Note that there will also be a third password — the one for the outer volume. It is not a pre-boot authentication password, but a regular TrueCrypt volume password. It can be safely disclosed to anyone forcing you to reveal the password for the encrypted partition, where the hidden volume (containing the hidden operating system) resides. Thus, the existence of the hidden volume (and of the hidden operating system) will remain secret. If you are not sure you understand how this is possible, or what an outer volume is, please read the section Hidden Volume. The outer volume should contain some sensitive-looking files that you actually do not want to hide.

To summarize, there will be three passwords in total. Two of them can be revealed to an attacker (for the decoy system and for the outer volume). The third password, for the hidden system, must remain secret.

System Drive Containing Hidden Operating System

Example Layout of System Drive Containing Hidden Operating System

Process of Creation of Hidden Operating System

To start the process of creation of a hidden operating system, select System > Create Hidden Operating System and then follow the instructions in the wizard.

Initially, the wizard verifies that there is a suitable partition for a hidden operating system on the system drive. Note that before you can create a hidden operating system, you need to create a partition for it on the system drive. It must be the first partition behind the system partition and it must be at least 5% larger than the system partition (the system partition is the one where the currently running operating system is installed). However, if the outer volume (not to be confused with the system partition) is formatted as NTFS, the partition for the hidden operating system must be at least 110% (2.1 times) larger than the system partition (the reason is that the NTFS file system always stores internal data exactly in the middle of the volume and, therefore, the hidden volume, which is to contain a clone of the system partition, can reside only in the second half of the partition).

In the next steps, the wizard will create two TrueCrypt volumes (outer and hidden) within the first partition behind the system partition. The hidden volume will contain the hidden operating system. The size of the hidden volume is always the same as the size of the system partition. The reason is that the hidden volume will need to contain a clone of the content of the system partition (see below). Note that the clone will be encrypted using a different encryption key than the original. Before you start copying some sensitive-looking files to the outer volume, the wizard tells you the maximum recommended size of space that the files should occupy, so that there is enough free space on the outer volume for the hidden volume.

Remark: After you copy some sensitive-looking files to the outer volume, the cluster bitmap of the volume will be scanned in order to determine the size of uninterrupted area of free space whose end is aligned with the end of the outer volume. This area will accommodate the hidden volume, so it limits its maximum possible size. The maximum possible size of the hidden volume will be determined and it will be verified that it is greater than the size of the system partition (which is required, because the entire content of the system partition will need to be copied to the hidden volume — see below). This ensures that no data stored on the outer volume will be overwritten by data written to the area of the hidden volume (e.g. when the system is being copied to it). The size of the hidden volume is always the same as the size of the system partition.

Then, TrueCrypt will create the hidden operating system by copying the content of the system partition to the hidden volume. Data being copied will be encrypted on the fly with an encryption key different from the one that will be used for the decoy operating system. The process of copying the system is performed in the pre-boot environment (before Windows starts) and it may take a long time to complete; several hours or even several days (depending on the size of the system partition and on the performance of the computer). You will be able to interrupt the process, shut down your computer, start the operating system and then resume the process. However, if you interrupt it, the entire process of copying the system will have to start from the beginning (because the content of the system partition must not change during cloning). The hidden operating system will initially be a clone of the operating system under which you started the wizard.

Finally, the wizard will encrypt the operating system under which you started the wizard. It will become the decoy operating system. The system partition (where the system is installed) will be encrypted in-place while the operating system is running (while the system is being encrypted, you can use your computer as usual without any restrictions).

Plausible Deniability and Data Leak Protection

For security reasons, when a hidden operating system is running, TrueCrypt ensures that all local unencrypted filesystems and non-hidden TrueCrypt volumes are read-only (i.e. no files can be written to such filesystems or TrueCrypt volumes). Data is allowed to be written to filesystems within hidden TrueCrypt volumes.

There are two main reasons why such countermeasures have been implemented:

1. It enables the creation of a secure platform for mounting of hidden TrueCrypt volumes. Note that we officially recommend that hidden volumes are mounted only when a hidden operating system is running. For more information, see the subsection Security Precautions Pertaining to Hidden Volumes.

2. In some cases, it is possible to determine that, at a certain time, a particular filesystem was not mounted under (or that a particular file on the filesystem was not saved or accessed from within) a particular instance of an operating system (e.g. by analyzing and comparing filesystem journals, file timestamps, application logs, error logs, etc). This might indicate that a hidden operating system is installed on the computer. The countermeasures prevent these issues.

If you need to securely transfer files from the decoy system to the hidden system, follow these steps:

1. Start the decoy system.
2. Save the files to an unencrypted volume or to an outer/normal TrueCrypt volume.
3. Start the hidden system
4. If you saved the files to a TrueCrypt volume, mount it (it will be automatically mounted as read-only).
5. Copy the files to the hidden system partition or to another hidden volume.

Until the process of creation of a hidden operating system is completed, paging files must disabled on the system. Otherwise, plausible deniability of the hidden operating system might be adversely affected. Note that, for security reasons, the TrueCrypt installer disables paging files by default when TrueCrypt is installed or updated (see the section Paging File). In addition, the wizard verifies that paging files are disabled on the system before the process of creation of the hidden operating system begins. If they are enabled, the user cannot continue creating the hidden system (and is asked to reinstall TrueCrypt using the default settings).

Note: Windows uses paging files to hold parts of programs and data files that do not fit in memory. This means that sensitive data, which the user may believe are only stored in RAM, can be written to a hard drive by Windows without the user knowing. Therefore, if an adversary analyzed the content of a paging file (residing on the system partition of the decoy system), he might find out that the user used the wizard in the hidden-system-creation mode (which might indicate the existence of a hidden operating system on the computer).

Before the process of creation of a hidden operating system begins, the wizard also warns the user that the computer must not be hibernated until the process of creation of the hidden operating system is completed. Otherwise, plausible deniability of the hidden operating system might be adversely affected.

Note: When a computer hibernates, the content of its system memory is written to a hibernation storage file residing on the system drive. Therefore, if an adversary analyzed the content of the hibernation storage file (residing on the system partition of the decoy system), he might find out that the user used the wizard in the hidden-system-creation mode (which might indicate the existence of a hidden operating system on the computer). For more information, see the section Hibernation File.

Possible Explanations for Existence of Two TrueCrypt Partitions on Single Drive

An adversary might ask why you created two TrueCrypt-encrypted partitions on a single drive (a system partition and a non-system partition) rather than encrypting the entire disk with a single encryption key. There are many possible reasons to do that. However, if you do not know any (other than creating the hidden operating system), you can provide, for example, one of the following explanations:

* If there are more than two partitions on a system drive and you want to encrypt only two of them (the system partition and the one behind it) and to leave the other partitions unencrypted (for example, to achieve the best possible performance when reading and writing data, which is not sensitive, to such unencrypted partitions), the only way to do that is to encrypt both partitions separately (note that, with a single encryption key, TrueCrypt could encrypt the entire system drive and all partitions on it, but it cannot encrypt only two of them — only one or all of the partitions can be encrypted with a single key). As a result, there will be two adjacent TrueCrypt partitions on the system drive (the first will be a system partition, the second will be a non-system one), each encrypted with a different key (which is also the case when you create a hidden operating system, and therefore it can be explained this way).

If you do not know any good reason why there should be more than one partition on a system drive at all:

It is generally recommended to separate non-system files (documents) from system files. One of the easiest and most reliable ways to do that is to create two partitions on the system drive; one for the operating system and the other for documents (non-system files). The reasons why this practice is recommended include:

o If the filesystem on one of the partitions is damaged, files on the partition may get corrupted or lost, whereas files on the other partition are not affected.
o It is easier to reinstall the system without losing your documents (reinstallation of an operating system involves formatting the system partition, after which all files stored on it are lost). If the system is damaged, full reinstallation is often the only option.

* A cascade encryption algorithm (e.g. AES-Twofish-Serpent) can be up to four times slower than a non-cascade one (e.g. AES). However, a cascade encryption algorithm may be more secure than a non-cascade one (for example, the probability that three distinct encryption algorithms will be broken, e.g. due to advances in cryptanalysis, is significantly lower than the probability that only one of them will be broken). Therefore, if you encrypt the outer volume with a cascade encryption algorithm and the decoy system with a non-cascade encryption algorithm, you can answer that you wanted the best performance (and adequate security) for the system partition, and the highest possible security (but worse performance) for the non-system partition (i.e. the outer volume), where you store the most sensitive data, which you do not need to access very often (unlike the operating system, which you use very often, and therefore you need it to have the best possible performance). On the system partition, you store data that is less sensitive (but which you need to access very often) than data you store on the non-system partition (i.e. on the outer volume).

* Provided that you encrypt the outer volume with a cascade encryption algorithm (e.g. AES-Twofish-Serpent) and the decoy system with a non-cascade encryption algorithm (e.g. AES), you can also answer that you wanted to prevent the problems about which TrueCrypt warns when the user attempts to choose a cascade encryption algorithm for system encryption (see below for a list of the problems). Therefore, to prevent those problems, you decided to encrypt the system partition with a non-cascade encryption algorithm. However, you still wanted to use a cascade encryption algorithm (because it is more secure than a non-cascade encryption algorithm) for the most sensitive data, so you decided to create a second partition, which those problems do not affect (because it is non-system) and to encrypt it with a cascade encryption algorithm. On the system partition, you store data that is less sensitive than data you store on the non-system partition (i.e. on the outer volume).

Note: When the user attempts to encrypt the system partition with a cascade encryption algorithm, TrueCrypt warns him or her that it can cause the following problems (and implicitly recommends to choose a non-cascade encryption algorithm instead):
o For cascade encryption algorithms, the TrueCrypt Boot Loader is larger than normal and, therefore, there is not enough space in the first drive track for a backup of the TrueCrypt Boot Loader. Hence, whenever it gets damaged (which often happens, for example, during inappropriately designed anti-piracy activation procedures of certain programs), the user must use the TrueCrypt Rescue Disk to repair the TrueCrypt Boot Loader or to boot.
o Due to increased memory requirements, on some computers, it is impossible to encrypt the system partition/drive.
o On some computers, resuming from hibernation takes longer.

* In contrast to a password for a non-system TrueCrypt volume, a pre-boot authentication password needs to be typed each time the computer is turned on or restarted. Therefore, if the pre-boot authentication password is long (which is required for security purposes), it may be very tiresome to type it so frequently. Hence, you can answer that it was more convenient for you to use a short (and therefore weaker) password for the system partition (i.e. the decoy system) and that it is more convenient for you to store the most sensitive data (which you do not need to access as often) in the non-system TrueCrypt partition (i.e. in the outer volume) for which you chose a very long password.

As the password for the system partition is not very strong (because it is short), you do not intentionally store sensitive data on the system partition. However, you still prefer the system partition to be encrypted, because potentially sensitive or mildly sensitive data is stored on it as a result of your everyday use of the computer (for example, passwords to online forums you visit, which can be automatically remembered by your browser, browsing history, applications you run, etc.)

Note: You can change the password for the decoy system by booting it and selecting System > Change Password. To change the password for the outer volume, boot the decoy operating system, click Select Device, select the partition behind the system partition, click OK, and select Volumes > Change Volume Password.

* When an attacker gets hold of your computer when a TrueCrypt volume is mounted (for example, when you use a laptop outside), he can, in most cases, read any data stored on the volume (data is decrypted on the fly as he reads it). Therefore, it may be wise to limit the time the volume is mounted to a minimum. Obviously, this may be impossible or difficult if the sensitive data is stored on an encrypted system partition or on an entirely encrypted system drive (because you would also have to limit the time you work with the computer to a minimum). Hence, you can answer that you created a separate partition (encrypted with a different key than your system partition) for your most sensitive data and that you mount it only when necessary and dismount it as soon as possible (so as to limit the time the volume is mounted to a minimum). On the system partition, you store data that is less sensitive (but which you need to access often) than data you store on the non-system partition (i.e. on the outer volume).

Safety and Security Precautions Pertaining to Hidden Operating Systems

As a hidden operating system resides in a hidden TrueCrypt volume, a user of a hidden operating system should follow all of the security precautions that apply to normal hidden TrueCrypt volumes. These precautions, as well as additional precautions pertaining specifically to hidden operating systems, are listed in the subsection Security Precautions Pertaining to Hidden Volumes.

WARNING: If you do not protect the hidden volume (for information on how to do so, refer to the section Protection of Hidden Volumes Against Damage), do not write to the outer volume (note that the decoy operating system is not installed in the outer volume). Otherwise, you may overwrite and damage the hidden volume (and the hidden operating system within it)!

If all the instructions in the wizard have been followed and if the security precautions mentioned in the subsection Security Precautions Pertaining to Hidden Volumes are followed, it will be impossible to prove that the hidden volume and hidden operating system exist, even when the outer volume is mounted or when the decoy operating system is decrypted or started.

* It is not practical (and therefore is not supported) to install operating systems in two TrueCrypt volumes that are embedded within a single partition, because using the outer operating system would often require data to be written to the area of the hidden operating system (and if such write operations were prevented using the hidden volume protection feature, it would inherently cause system crashes, i.e. 'Blue Screen' errors).

Go to Hidden Operating System from Truecrypt, http://www.truecrypt.org.This post was created with FASS.

02-07-2008, 07:15 AM	#4 (permalink)
Hain has a plan Location: middle of Whywouldanyonebethere	I've used TrueCrypt before, not like this, but it honestly depends on the algorithm you choose for encryption. There are algorithms faster than some hard drive read/write rates and performance is barely depreciated, while other algorithms are much more intense to decrypt. Still, once I have some time, I will do this to my system. OK, had a friend explain that I would still need a small partition somewhere on my hard drive not encrypted for the TC bootloader to go. The article does not mention this, instead says, "Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first cylinder of the boot drive." So can someone explain to me the requirements of accomplishing this? __________________ ////\\// IRONSKY.NET \\//\\\\ Last edited by Hain; 02-07-2008 at 07:31 AM.. Reason: Automerged Doublepost

02-07-2008, 06:04 PM	#5 (permalink)
Pragma I am Winter Born Location: Alexandria, VA	It uses the boot sector for the TC Boot Loader. This is the standard area on the hard drive that GRUB, LILO, or the Windows boot loader resides. You don't "lose" any space or compromise your security in any real way. To clarify, this does not a "small partition" somewhere. __________________ Eat antimatter, Posleen-boy!

02-16-2008, 12:43 PM	#6 (permalink)
Scorpion23 Psycho	I have to say, I've used TrueCrypt for years and never noticed this. My laptop is encrypted automatically with IBM's Client Security Software, but I've been looking for something to use on my desktop. I'm going to do it right now edit: It turns out I missed it because I was running a version of TC that didn't support it. Thanks for catching my eye with it. Last edited by Scorpion23; 02-16-2008 at 12:47 PM..

02-16-2008, 04:28 PM	#7 (permalink)
Hain has a plan Location: middle of Whywouldanyonebethere	Scorpion, tell me how that works out. I am have some deadlines that make me chicken-shit to try this out immediately. Come the end of March, viola! We'll see what this baby can do. __________________ ////\\// IRONSKY.NET \\//\\\\

06-13-2008, 09:36 PM	#14 (permalink)
Scorpion23 Psycho	I wanted to update this thread since TrueCrypt 5.1a is out now. They've increased the speed of AES encryption/decryption by 30-140% based on the system, and enabled hibernation on encrypted system drives. I've also been using a fully encrypted system disk since February and haven't really noticed any performance drops. __________________ "Empirically observed covariation is a necessary but not sufficient condition for causality" - Edward Tufte

02-07-2008, 06:51 AM	#2 (permalink)
Craven Morehead Custom User Title	There are other products that do that as well. My previous employer installed one product on all PC/laptops and then after a couple of years replaced that with another. I can not recall the names of either. Both required a log on during the Windows boot process and both encrypted/unencrypted in realtime. Corporate said the performance would not be effected. Nearly every user disagreed with that. I did experience a HD problem and the disk had to be unencrypted (took forever) before any maintenance could be done. Fortunately, it survived long enough to copy the files to a server.

02-07-2008, 07:09 AM	#3 (permalink)
Xazy People in masks cannot be trusted Location: NYC	How much slower does it make your system?

02-17-2008, 07:33 AM	#8 (permalink)
Scorpion23 Psycho	Well I did my system drive last night, and here are the results. I started off by running a test of all encryption methods in TC to look at theoretical speeds, and picked Twofish encryption. The benchmark put it at a mean speed of 54 MB/s, which is right at the max speed for my HD. As far as installation goes, it couldn't be easier. The bootloader works perfectly, and it forces you to create a rescue CD in case the HD is damaged. Total time to encrypt my 250 GB HD was around 3 hours, with no overwriting. Once everything was encrypted though, the benchmarks were a little disappointing. Hard Drive: Western Digital 250 GB SATA 150 (WD2500YD) Before: Average Transfer: 46.5 MB/s Access Time: 13.9 ms CPU Usage: 4.3% After: Average Transfer: 36.2 MB/s Access Time: 13.7 ms CPU Usage: 38% One thing that I can't show is the transfer speed over time. On the normal drive it decreases over time in a fairly linear fashion, but for the encrypted drive it stays more or less constant. So for the normal HD the transfer speed for small files is around 56 MB/s. In all, I haven't noticed any dramatic changes in the performance of windows. I'm afraid to load up Crysis though

02-17-2008, 07:45 AM	#9 (permalink)
Hain has a plan Location: middle of Whywouldanyonebethere	38%.... ouch... I will perform similar tests, comparing before and after.

02-17-2008, 03:47 PM	#11 (permalink)
Hain has a plan Location: middle of Whywouldanyonebethere	I convert video for my media center. Video conversion is intense for both hard drive and processor. In addition, I participate in a number of BOINC projects---extremely processor intensive. 38% is a lot...

02-17-2008, 08:55 PM	#12 (permalink)
Scorpion23 Psycho	Well, it's definitely a lot for media applications. I would never do it to my HTPC, since it can barely code MPEG-2 on-the-fly. But then again there's nothing on there that I need to encrypt. From what I've seen my BOINC projects use CPU more than the HD. I believe mine is set to flush to the HD every 5 min, and runs in RAM the rest of the time. I agree though, 38% is quite large. I'm also running a P4 with Hyperthread, so it's not the best CPU out there.

06-15-2008, 10:21 PM	#15 (permalink)
mikec I flopped the nutz... Location: Stratford, CT	my company recently deployedcredant encryption software to laptops - I haven't ran a benchmark, so I don't know for sure, but I haven't noticed any system performance hits - just had to give it time to encrypt everything on the HD... doesn't make me give a PW pre-windows. That said I am curious as to what would happen if I took the HD out and hooked it up to an external enclosure... all that said, truecrypt looks pretty sweet, especially for free!! __________________ Until the 20th century, reality was everything humans could touch, smell, see, and hear. Since the initial publication of the charted electromagnetic spectrum, humans have learned that what they can touch, smell, see, and hear is less than one millionth of reality

06-15-2008, 10:30 PM	#16 (permalink)
MikeSty The Computer Kid :D Location: 127.0.0.1	I've not tried this total system encryption yet, and I don't plan on it, but I was a bit confused when I first read about it myself. I'm not really sure I can "vouch" for truecrypt, as I've never actually tried to "decrypt" anything I've locked up. It's nice for hiding stuff, though, and I have a few volumes where I store some passwords / information. Does porn count as information? Thanks Scorpion23 for the news on the update. Speed hasn't been an issue for me thus far, but that's good to know.

06-15-2008, 10:38 PM	#17 (permalink)
Hain has a plan Location: middle of Whywouldanyonebethere	Actually, I forgot I made this thread, and I have had my system encrypted with AES for the past month now. __________________ ////\\// IRONSKY.NET \\//\\\\