TrueCrypt 5: Encrypt your drive in GUI

[ Sunday, 10 February 2008, Bastion ]



A few days ago TrueCrypt 5.0 was released. It is a great tool for encrypting your hard drives, and can be used to encrypt existing partitions or to create a virtual one stored in a single file. In this article we cover the changes in version 5.0 and provide some useful benchmarks.

Author: Korneliusz Jarzębski

We have covered TrueCrypt before on polishlinux.org; in particular, the article TrueCrypt Tutorial: Truly Portable Data Encryption explained how to encrypt your Linux partitions with TrueCrypt using the command line. This text will therefore focus on the new GUI tool.


TrueCrypt 5.0

Major changes

Here are the major improvements over version 4.0:

  • Ability to encrypt the root partition or disk with authorization during system bootup,
  • Mac OS X support,
  • Graphical user interface for Linux,
  • XTS mode — faster and more secure than previous LRW mode. Disks/partitions encrypted with LRW are still usable in TrueCrypt 5.
  • Hash algorithm SHA-1 replaced with SHA-512. To switch to the new algorithm for existing encrypted partitions, choose the “Set Header Key Derivation Algorithm” option when re-encrypting your disk,
  • Redesigned Linux version, which should make TrueCrypt work much better with the Linux kernel (it used to be very sensitive to kernel upgrades),
  • Lots of other fixes together with security hardening

Creating an encrypted area

Encrypting your disk is now extremely easy. The graphical wizard does almost everything automatically. Here is what the process looks like, in a nutshell.


1. First we choose the volume type.


2. Then we pick the file that will be used to encrypt our data. We can also choose a disk partition or another device in this step.


3. Now we need to specify the maximum size of the encrypted area


4. Choosing the encryption algorithm


5. Important step: selecting a password to the encrypted area


6. If the password is too easy to break, the wizard tells us about it.


7. We are free to choose the file system to use on the encrypted area. FAT is recommended if you need to access the encrypted data from multiple operating systems. If it’s just Linux, it’s better to choose EXT3.


8. Finally we watch the formatting process


9. Operation complete!

Mounting the encrypted volume

We have set up the encrypted volume properly; now it’s time to mount it and save some data on it. This is pretty easy as well.


TrueCrypt 5: main window


Checking the properties of the volume


Mounted secure volume: /media/truecrypt1

So, what’s the cost of encryption?

Obviously, encrypting secret data is one of the essentials of computer security. It prevents access to the data even when the attacker has physical access to the hard drive (for instance, on a stolen laptop). Normally, when using password protection only, it’s trivial to access any files saved on your hard drive.

Encryption has its downsides, however. Better security costs performance. As the encryption is done in software, it obviously takes more time to access and modify your data, because the system always has to perform the encryption/decryption on the fly. Let’s check how much more it costs.

Benchmarks

For benchmarking purposes I used two partitions of identical size: 1GB each. This should more or less ensure that the conditions are similar for both partitions. Next, I encrypted one of them with AES algorithm.

Testing platform:

Processor: Core 2 Duo E6400
Disk: Seagate ST3320620AS 320GB sATA II 16MB

  1. Test 1: Unpacking kernel sources for Linux 2.6.24:

    time tar jxvf /home/owner/linux-2.6.24.tar.bz2 -C /mnt/volume/
    real 0m19.250s
    user 0m17.509s
    sys 0m2.716s

    time tar jxvf /home/owner/linux-2.6.24.tar.bz2 -C /media/truecrypt1/
    real 0m27.737s
    user 0m17.449s
    sys 0m2.696s

  2. Deleting the unzipped files:

    time rm -R /mnt/volume/linux-2.6.24
    real 0m1.134s
    user 0m0.048s
    sys 0m1.084s

    time rm -R /media/truecrypt1/linux-2.6.24
    real 0m1.308s
    user 0m0.056s
    sys 0m1.240s

  3. Copying a file of size 367MB:

    time cp pbs03e11.avi /mnt/volume/
    real 0m5.173s
    user 0m0.024s
    sys 0m0.852s

    time cp pbs03e11.avi /media/truecrypt1/
    real 0m23.022s
    user 0m0.012s
    sys 0m0.856s

  4. Reading the file of size 367MB:

    time cat /mnt/volume/pbs03e11.avi > /dev/null
    real 0m5.497s
    user 0m0.068s
    sys 0m0.380s

    time cat /media/truecrypt1/pbs03e11.avi > /dev/null
    real 0m7.088s
    user 0m0.028s
    sys 0m0.308s

As you can see, the most time-consuming operation for the encrypted volume was writing (saving a file). It was almost 5 times slower than the exact same operation on the unencrypted volume. Reading fared much better, only 30% slower than on the unencrypted volume.
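To repeat the write test with the flush to disk included in the timing (`cp` can return while data is still in the page cache), the following added example, which is not the author's script, takes the median of three synced writes per mount point and reports the slowdown. The function names are hypothetical, and it assumes GNU `date` (for `%N`) and GNU `dd` (for `conv=fsync`).

```shell
#!/bin/sh
# Added example (not from the article): synced-write timing for two mount points.
# Assumes GNU date (%N nanoseconds) and GNU dd (conv=fsync).

# bench_write_ms DIR MB: time one write of MB mebibytes into DIR, including
# the fsync, and print the elapsed milliseconds.
bench_write_ms() (
    f="$1/.tcbench.$$"
    start=$(date +%s%N)
    # /dev/zero is fine here: a block cipher costs the same for any plaintext.
    dd if=/dev/zero of="$f" bs=1M count="$2" conv=fsync 2>/dev/null || exit 1
    end=$(date +%s%N)
    rm -f "$f"
    echo $(( (end - start) / 1000000 ))
)

# median_write_ms DIR MB: median of three runs, to damp one-off disk noise.
median_write_ms() (
    for i in 1 2 3; do bench_write_ms "$1" "$2"; done | sort -n | sed -n 2p
)

# slowdown_pct BASE_MS ENC_MS: how much slower the encrypted run was, in
# whole percent of the baseline. Fails if the baseline rounds to 0 ms.
slowdown_pct() {
    [ "$1" -gt 0 ] || return 1
    echo $(( ($2 - $1) * 100 / $1 ))
}

# Usage: sh tcbench.sh /mnt/volume /media/truecrypt1 367
if [ $# -eq 3 ]; then
    base=$(median_write_ms "$1" "$3")
    enc=$(median_write_ms "$2" "$3")
    echo "plain: ${base} ms  encrypted: ${enc} ms  slowdown: $(slowdown_pct "$base" "$enc")%"
fi
```

Fed the article's own `real` times for the 367MB file, `slowdown_pct` gives 345% for the write and 28% for the read.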

So, is it worth encrypting your data? Each of you needs to answer this question individually. In most cases a good compromise is to encrypt only sensitive data by saving it on a special encrypted partition or file, while the rest of the OS stays unencrypted for performance reasons. You need to realize, however, that such a solution does not make you 100% secure. Some data may still be saved in the /tmp folder or stay in RAM in an unencrypted form. So if you require 100% security, encrypting all volumes, including swap space, is necessary.
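One way to check the swap half of that caveat on a running system, as an added example that is not part of the original article: the script reads the swap table and reports whether each swap partition sits on a dm-crypt mapping. It assumes mappings created by cryptsetup, whose device-mapper UUID starts with `CRYPT-`; the function name and the `--live` switch are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): report whether each active swap area
# sits on a dm-crypt device. Assumption: dm-crypt mappings created by
# cryptsetup carry a device-mapper UUID that starts with "CRYPT-".

# swap_report [SWAPS_FILE] [SYSFS_ROOT]
# Prints one "<device> <verdict>" line per swap area and returns 1 if any
# area is not on dm-crypt. The arguments default to the live system and
# exist so the check can be run against saved copies.
swap_report() (
    swaps=${1:-/proc/swaps} sysfs=${2:-/sys} rc=0
    # Skip the header line; columns are Filename Type Size Used Priority.
    tail -n +2 "$swaps" | {
        while read -r dev type _rest; do
            [ -n "$dev" ] || continue
            if [ "$type" != "partition" ]; then
                # A swap file is only as protected as the volume holding it.
                echo "$dev swapfile-check-underlying-volume"; rc=1; continue
            fi
            # /dev/mapper/<name> is a symlink to /dev/dm-N; resolve it.
            real=$(readlink -f "$dev" 2>/dev/null) || real=$dev
            uuid_file="$sysfs/block/${real##*/}/dm/uuid"
            if [ -r "$uuid_file" ] && grep -q '^CRYPT-' "$uuid_file"; then
                echo "$dev encrypted"
            else
                echo "$dev PLAINTEXT"; rc=1
            fi
        done
        exit "$rc"
    }
)

# Usage: sh swapcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    swap_report
fi
```

A `PLAINTEXT` line means pages from a mounted encrypted volume can reach the disk unencrypted through swap.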

This article was originally published on the /dev/jarzebski blog. It has been translated and reprinted with the author’s permission.



10 Comments

McPop, Monday, 11 February 2008 at 2:13 am (karma +0)

I used TC on Windows, very handy tool indeed. Now that I am 100% on Linux, I am spoiled with many different encryption methods such as LUKS/dm-crypt or EncFS. Each of these makes TC seem like a bit of a clumsy way to do your encryption.

TC does have the nifty feature of a hidden partition, brought about by the (healthy) paranoia of its author…hopefully plausible deniability is something we never have to encounter!

McPop.


Saqib Ali, Monday, 11 February 2008 at 6:06 am (karma +0)

I installed TrueCrypt on my laptop and ran some benchmark tests.

Benchmark Results:
http://www.full-disk-encryption.net/wiki/index.php/TrueCrypt#Benchmarks

Pros:
1) Easy to use product. Simple clean interface. Amazingly user-friendly!
2) Free and Open Source
3) Multiple Encryption and Hashing algorithm available.

Cons:
1) Buffered Read and Buffered Transfer Rate were almost halved after TrueCrypt FDE was enabled :-( .
2) Access Time for large file (250+MB) increased by 11%.
3) The initial encryption of the 120 GB HDD took 2 hours.


foo, Monday, 11 February 2008 at 10:17 am (karma +0)

I installed it on ubuntu 7.10 from the ubuntu deb on the site, the only filesystem choice was FAT … how does one get to use ext3?

The new GUI and wizard makes it _much_ easier than 4.3a which I tried previously and is very similar to using encrypted volumes in osx.

Thanks for the article, very clear.

You could include a bit on using keyfiles (http://www.truecrypt.org/docs/keyfiles.php) I found that quite interesting.


foo, Tuesday, 12 February 2008 at 9:44 am (karma +0)

After playing with keyfiles … they don’t seem to work in my version, even when I specify one in creating a volume if you try to open that volume with a keyfile it doesn’t work …


John, Wednesday, 13 February 2008 at 11:12 am (karma +0)

If you want full partition encryption on Linux from boot, I’d recommend cryptsetup with the luks extensions. Like McPop said, TC just seems a bit clumsy in comparison, though a lot easier to set up. Cryptsetup can take care of the /tmp and swap issues too.

Here’s a post of how I did my laptop with cryptsetup, http://www.velvetcache.org/2008/01/25/linux-encrypted-laptop/. There are some benchmarks at http://www.fsckin.com/2008/01/15/howto-setup-and-benchmark-encrypted-partitions-in-ubuntu/.

Thanks for showing off the new features!

michuk, Thursday, 14 February 2008 at 9:27 pm (karma +0)

We published an article on cryptsetup a while ago, as well: Encrypted home partition in Linux with DM_Crypt. Indeed this is a good option if you don’t need Windows compatibility and demand performance.

 
 
I_AM, Tuesday, 25 March 2008 at 2:13 am (karma +1)

I have used TC in Windows, then used it in OpenSUSE with command line.
I’ve installed the new one on my Ubuntu… what can I say… GUI – sucks. It takes more time to mount a partition clicking all those buttons. While I did truecrypt -i and typed password and path…
And the biggest drawback is that it just hangs all my system if I am copying big files from one encrypted partition to another. Anyway that is some (documented) problem with large files copying. I can’t afford instability while working with valuable data… so I am moving to dm-crypt!

Lance, Sunday, 29 June 2008 at 12:31 am (karma +0)

Having the same hanging issues mentioned above when copying large files (though I only have one encrypted partition so it hangs copying to and from a single encrypted partition).

I have a dual quad core system with 8 gigs of RAM running Vista Ultimate SP1. So speed isn’t an issue and the hanging is only for anything new that wants to access drives, previously running programs seem fine.

I too can’t afford instability (especially one that happens every single time), so going to uninstall it.

 
 
dave, Wednesday, 17 September 2008 at 11:28 pm (karma +0)

I installed it on ubuntu 7.10 from the ubuntu deb on the site, the only filesystem choice was FAT … how does one get to use ext3?

The new GUI and wizard makes it _much_ easier than 4.3a which I tried previously and is very similar to using encrypted volumes in osx.

Thanks for the article, very clear.

You could include a bit on using keyfiles (http://www.truecrypt.org/docs/keyfiles.php) I found that quite interesting.
_________________________________________________________

to use ext create the volume with no filesystem
start your terminal and type truecrypt
select the volume to mount
click mount
you should see Options >
click this and check do not mount
now you will see your encrypted volume mounted into one of the slots
right click on the volume you wish to create a partition on and click Properties you will see Virtual Device :/path/to/it or eg /dev/mapper/truecrypt1

now make the filesystem

for ext2 mkfs.ext2 /path/to/it eg /dev/mapper/truecrypt1
root privileges may be required so in that case sudo mkfs.ext2……
also you may have to do a chmod of the drive as root
mail me if you need help


hstec, Thursday, 15 January 2009 at 11:55 am (karma +0)

Nice comparison.
I made performance comparison (under VMware) truecrypt vs compusec:
http://sites.google.com/site/hstecproj/pub/crypt-test


About the Author

Korneliusz Jarzębski

Free software enthusiast, KDE fan. Author of a popular blog: /dev/jarzebski (in Polish). Contributes to PolishLinux.org since October 2007.
