[ Sunday, 10 February 2008, Bastion ]
A few days ago TrueCrypt 5.0 has been released, a great tool for encrypting your hard drives. It can be used to encrypt existing partitions or create a virtual one located in a single file. In this article we cover the changes in version 5.0 and provide you some useful benchmarks.
Author: Korneliusz Jarzębski
We have covered TrueCrypt before on polishlinux.org, in particular the article TrueCrypt Tutorial: Truly Portable Data Encryption explained how to encrypt your Linux partitions with TrueCrypt using the command line. This text will therefore focus on the new GUI tool.
Here are the major improvements over version 4.0:
- Ability to encrypt the root partition or disk with authorization during system bootup,
- Mac OS X support,
- Graphical user interface for Linux,
- XTS mode — faster and more secure than previous LRW mode. Disks/partitions encrypted with LRW are still usable in TrueCrypt 5.
- Hash algorithm SHA-1 replaced with SHA-512. In order to switch to the new algorithm for existing encrypted partitions you need to choose “Set Header Key Derivation Algorithm” option when re-encrypting your disk
- Redesigned Linux version, which should make TrueCrypt work way better with Linux kernel (it used to be very sensible to kernel upgrades before),
- Lots of other fixes together with security hardening
Creating an encrypted area
Encrypting your disk is now extremely easy. The graphical wizard tells does almost everything automatically. Here is how the process looks like, in a nutshell.
1. First we choose the volume type.
2. Then we pick the file that will be used to encrypt our data. We can also choose a disk partition or another device in this step.
3. Now we need to specify the maximum size of the encrypted area
4. Choosing the encryption algorithm
5. Important step: selecting a password to the encrypted area
6. If the password is to easy to break, the wizard tells us about it.
7. We are free to choose the file system to use on encrypted area. FAT is recommended if you are need to access the encrypted data from multiple operating systems. If it’s just Linux, it’s better to choose EXT3.
8. Finally we watch the formatting process
9. Operation complete!
Mounting the encrypted volume
We set up the encrypted volume properly, now it’s time to mount it and save some data on it. This is pretty easy as well.
TrueCrypt 5: main window
Checking the properties of the volume
Mounted secure volume: /media/truecrypt1
So, what’s the cost of encryption?
Obviously encrypting secret data is one of the essentials of computer security. It prevents from accessing the data even when the attacker has physical access to the hard drive (for instance, on a stolen laptop). Normally, when using password protection only, it’s trivial to access any files saves on your hard drive.
Encrypting has its down sides, however. Better security costs performance. As the encryption process is done programically, it’s obvious that it takes more time to access your data and modify it in case the system needs to always perform the encryption/decryption on the go. Let’s check how much more it costs then….
For benchmarking purposes I used two partitions of identical size: 1GB each. This should more or less ensure that the conditions are similar for both partitions. Next, I encrypted one of them with AES algorithm.
Processor: Core 2 Duo E6400
Disk: Seagate ST3320620AS 320GB sATA II 16MB
- Test 1: Unpacking kernel sources for Linux 2.6.24:
time tar jxvf /home/owner/linux-2.6.24.tar.bz2 -C /mnt/volume/
time tar jxvf /home/owner/linux-2.6.24.tar.bz2 -C /media/truecrypt1/
- Deleting the unzipped files:
time rm -R /mnt/volume/linux-2.6.24
time rm -R /media/truecrypt1/linux-2.6.24
- Copying a file of size 367MB:
time cp pbs03e11.avi /mnt/volume/
time cp pbs03e11.avi /media/truecrypt1/
- Reading the file of size 367MB:
time cat /mnt/volume/pbs03e11.avi > /dev/null
time cat /media/truecrypt1/pbs03e11.avi > /dev/null
As you can see, the most time-consuming operation for the encrypted volume was writing (saving a file). This was almost 5 times slower than exact same operation on unencrypted volume. Reading was way better, only 30% slower than in the insecure mode.
So, is it worth encrypting your data? This question needs to be answered individually by each of you. In most cases a good compromise is to only encrypt sensitive data by saving it on a special encrypted partition or file, while the rest of the OS stays unencrypted for performance reasons. You need to however realize that such solution does not make you 100% secure. Some data may still be saved on /tmp folder or stay in RAM in an unencrypted form. So if you require 100% security, encrypting all volumes, including SWAP space, is necessary.
This article has been originally published on /dev/jarzebski blog. It has been translated and reprinted with author’s permission.