truecrypt interview questions
Top truecrypt frequently asked interview questions
I would expect a TrueCrypt volume to be fragile when it suffers from data corruption. This could happen for example because the hard disk, CD or DVD starts to deteriorate, or when a USB stick is unplugged while a write is in progress.
On the TrueCrypt FAQ it is mentioned that this problem is limited because the data is encrypted in blocks of 16 bytes. However, I'd like to know if this is really so in practice. Is there anyone who has experienced severe data loss due to only small corruptions?
Source: (StackOverflow)
I am encrypting a volume with TrueCrypt. I have decided to use AES as the encryption algorithm, seeing as it is the government standard.
But which hash algorithm is better (more secure)? RIPEMD-160 or SHA-512 or Whirlpool?
I am using Mac.
Source: (StackOverflow)
Can you safely upgrade from Windows 7 to Windows 10 when using Truecrypt 7.1a without risk of corrupting the bootloader and without first decrypting the drive?
Source: (StackOverflow)
I want to encrypt a part of my HDD. But before that I wanted to benchmark the different algorithms available, wondering if I should choose aes-xts-256 or aes-xts-512.
Note: I don't have aes hardware acceleration. The benchmarks were repeated multiple times without much change. I'd like to state clearly that these benchmarks are only valid on my computer (Debian, core 2 duo). This is not intended to be a complete LUKS-TrueCrypt comparison.
TL;DR: go to part 4
1- Cryptsetup
So I downloaded cryptsetup v1.6.0 to make use of the new cryptsetup benchmark command.
Command
$ cryptsetup benchmark
Results
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 128,2 MiB/s 157,2 MiB/s
serpent-cbc 128b 49,6 MiB/s 57,7 MiB/s
twofish-cbc 128b 138,0 MiB/s 183,8 MiB/s
aes-cbc 256b 97,5 MiB/s 121,9 MiB/s
serpent-cbc 256b 51,8 MiB/s 57,7 MiB/s
twofish-cbc 256b 139,0 MiB/s 183,8 MiB/s
aes-xts 256b 156,4 MiB/s 157,8 MiB/s
serpent-xts 256b 55,7 MiB/s 58,7 MiB/s
twofish-xts 256b 161,5 MiB/s 165,9 MiB/s
aes-xts 512b 120,5 MiB/s 120,9 MiB/s
serpent-xts 512b 55,7 MiB/s 58,5 MiB/s
twofish-xts 512b 161,5 MiB/s 165,3 MiB/s
Thoughts
- In cbc mode, serpent is surprisingly fast at decrypting!
- In xts mode, serpent is clearly the fastest.
- The key size seems to have almost no noticeable effect on serpent and twofish.
- aes does not behave well when the key size is increased.
Updates out of VM
2- TrueCrypt
I was really surprised as aes is known to be the fastest (even without hardware acceleration). So I downloaded TrueCrypt to double-check these results. TrueCrypt uses the xts mode by default so I assume it also uses it in its benchmarks.
Method
- Tools > Benchmark
- Choose any buffer size (here, 5MB)
- Click on "Benchmark"
Results
# Algorithm | Encryption | Decryption
AES 106 MB/s 107 MB/s
Twofish 78 MB/s 76 MB/s
Serpent 41 MB/s 42 MB/s
Thoughts
These results correspond much more to what is expected but do not match well with cryptsetup's results.
3- General thoughts
cryptsetup provided better general performance than TrueCrypt in this case. This could be explained the following way:
- cryptsetup was compiled on my system with compiler optimization routines while TrueCrypt was already compiled in a generic way;
- AFAIK cryptsetup uses kernelspace crypto modules while TrueCrypt uses userspace crypto routines.
- However, I can't explain why serpent-xts-512 seems to be the way to go with cryptsetup while aes-xts the only cipher worth using.
4- Question
cryptsetup and TrueCrypt give completely different qualitative (relative cipher speed) and quantitative (actual speed of each cipher) results in in-RAM benchmarks.
- Is that something you have already noticed?
- Should I trust cryptsetup and use serpent-xts-512 cipher for speed?
Source: (StackOverflow)
Since Windows 8 is currently still not 100% supported, I was wondering if full disk encryption is more or less safe to use in Windows 8.
I couldn't find any info on that on the internet, so I used a VM to simulate - everything worked there like a charm.
Does anyone have any experience with using TrueCrypt FDE on Windows 8, or knowledge about the potential risks (besides the obvious)?
Source: (StackOverflow)
I guess I am a bit of a paranoid, ha... anyway, I encrypted my HDD with TrueCrypt using all printable ASCII characters and the password is 64 characters long. It is quite random, certainly no dictionary words, but it is still possible to memorize easily.
Can it be brute-forced? The thing is, I know that it's supposed to be secure, but isn't there a chance that someone can just guess the password after like 10 attempts?
Surely that possibility exists. Sometimes lightning strikes as they say.
Source: (StackOverflow)
Is it possible to put a TrueCrypt container on a net share and access/mount it from multiple machines (Windows) at the same time?
I fear that if both would write, the file could be corrupted.
Source: (StackOverflow)
I want Truecrypt to ask for the password for Windows XP as usual but with the standard [ESC] option; on selecting that, i.e. via the Escape key, I want it to find the grub for the (unencrypted) Ubuntu install.
I've installed Windows XP on the 120Gb hard drive of a Toshiba NB100 netbook then partitioned to make room for Ubuntu 10.04 and installed that after the Windows XP install.
When I encrypt Windows XP, Truecrypt will overwrite the grub entry in the master boot record (MBR), I believe (?) and I won't be able to choose between XP and Ubuntu anymore. So I need to restore it back.
I've searched fairly extensively for answers on Ubuntu forums and elsewhere but have not yet found a complete answer that covers all eventualities, scenarios and error messages, or otherwise they talk of legacy GRUB and not GRUB2. Ubuntu 10.04 uses GRUB2.
My setup:
Partitions:
- Windows XP, NTFS (to be encrypted with Truecrypt), 40Gb
- /boot (Ext4, 1Gb)
- Ubuntu swap, 4Gb
- Ubuntu / (root) - main filesystem (20gb)
- NTFS share, 55Gb
I know that the Truecrypt boot loader replaces the GRUB when booting up because I've already tried it on another laptop.
I want the boot loader screen to look something like the usual:
Truecrypt
Enter password:
(or [ESC] to skip)
password is for WindowsXP
and on pressing [ESC] for it to find the Ubuntu grub to boot from
Thanks in advance for your help.
The key area of the problem is how to instruct Truecrypt when the escape key is pressed, and how the Grub/Ubuntu can be made visible to the Truecrypt bootloader so it can find it when the esc key is pressed. Also known as chaining.
Source: (StackOverflow)
I'd like to hear from TrueCrypt users who've had both good and (if any) bad experiences with it: Is it reliable enough for business-critical use? In my case, I expect to use file-based containers rather than encrypting entire partitions.
For me the nightmare scenario is: I go to open the container, supply the right authentication information (whether it's a passcode, a key, whatever), and TrueCrypt just can't open the container for whatever reason. Perhaps there was a write error on the last update. Perhaps a stray cosmic ray hit just the wrong part of a data structure. Perhaps the machine I last used the container on was destroyed by a falling satellite and I'm now trying to open the container on a different machine with a different architecture (Windows 32-bit instead of *nix 64-bit, whatever). You get the idea.
I don't care about horror stories of lost keys or what-have-you; nothing without a backdoor can protect you from doing something dumb. I'm talking about the software actually failing in a way that loses your data.
(And yes, obviously, if I'm dealing with business-critical data, I'm going to keep backups of the container — multiple point in time going back days/weeks/etc. — to mitigate the effects of some of the above.)
Source: (StackOverflow)
I have a USB drive. The entire device is encrypted with TrueCrypt. When I plug in the drive, Windows 7, understandably, doesn't realize the drive has a file system. So Windows always offers "You need to format the disk in drive G: before you can use it. Do you want to format it?" I dismiss this dialog, and mount the drive with TrueCrypt and everything is fine.
The problem is, a. that dialog is annoying and b. I'm concerned that one of these days I'm going to accidentally hit the Format button and blow away my encrypted drive.
Is there a way to tell Windows 7 to NEVER offer to format a drive it does not recognize?
Source: (StackOverflow)
I've purchased a HP Envy 15-j005ea laptop which I have upgraded to Windows 8.1 Pro. I have also removed the HDD and replaced it with a 1TB Samsung Evo 840 SSD. I now wish to encrypt the drive to protect my company's source code and my personal documents but I can't work out how to do it or if it's even possible.
I gather that it is not recommended to use Truecrypt on a SSD but please correct me if I'm wrong. I also understand that the 840 Evo has built-in 256 bit AES encryption so it is recommended to use that.
The Evo has been updated to the latest EXT0BB6Q firmware and I have the latest Samsung Magician. I don't know what UEFI level I have but I do know that the machine was built in December 2013 and has the F.35 BIOS made by Insyde.
This is what I have tried:
Bitlocker. The latest Samsung firmware is supposedly Windows 8.1 eDrive compatible, so I followed the instructions I found in an Anandtech article. First of all it would seem the laptop has no TPM chip, so I had to allow Bitlocker to work without TPM. Once I'd done that I tried to turn Bitlocker on. Anandtech say that "If everything is eDrive compliant you won’t be asked whether or you want to encrypt all or part of the drive, after you go through the initial setup BitLocker will just be enabled. There’s no extra encryption stage (since the data is already encrypted on your SSD). If you’ve done something wrong, or some part of your system isn’t eDrive compliant, you’ll get a progress indicator and a somewhat lengthy software encryption process." Unfortunately I was asked if I want to encrypt all or part of the drive so I cancelled that.
Setting the ATA Password in the BIOS. I don't appear to have such an option in the BIOS, only an admin password and boot-up password.
Using Magician. It has a "Data Security" tab, but I don't fully understand the options and suspect that none are applicable.
The info in this question and answer helped but didn't answer my question.
Clearly then, what I would like to know is how do I encrypt my solid state drive in the HP Envy 15 or am I in fact out of luck? Are there any alternative options or do I have to either live without encryption or return the laptop?
There is a similar question on Anandtech but it remains unanswered.
Source: (StackOverflow)
I have several files that I need to keep encrypted on my home hard disk.
I currently use a TrueCrypt file container, currently around 100MB in size. I need to backup this file daily, and I'm looking for an incremental backup solution.
I read that on encrypted volumes even a small change in a file would change the whole volume and prevent the use of an efficient incremental backup solution. Any ideas how to backup in this case in an efficient way which would allow incremental solution?
I currently use TrueCrypt as my backup solution and CrashPlan as my backup utility, but I'm willing to experiment with alternatives.
Source: (StackOverflow)
So, right now we're using Dropbox to share various data files around between approximately 10 Mac OS X systems.
However, we already have an S3 account and everyone on the lowest Dropbox plan of $10/month seems too expensive. We'd like to avoid any kind of local storage (share a disk on a desktop or something) since we're a geographically distributed team.
So, I am contemplating something that would allow us to replace Dropbox with our own home-grown solution. We are all fairly technical people and/or smart enough to follow some steps, so if it's not as "user friendly" as Dropbox we're all comfortable with that.
There are plenty of docs out there that have bits and pieces of what I want but some of the tools don't seem to fit the requirements:
- Transport security via SSL to the bucket
- Encryption of bucket contents
- Bi-directional syncing
Most of the scripts I can find on the internet use duplicity which appears to fail #1. It doesn't look like duplicity supports SSL to S3 — the docs don't state but the protocol looks like plain old HTTP.
Many scripts use GPG to encrypt files. This seems like it could work, however I have to make sure that each OS X client is able to use the same key to encrypt and decrypt files (key management is left to me to manage). FTP and other client-based apps don't seem to support this at all.
Finally, most of the scripts use one-way replication, e.g. using Amazon S3 as a simple backup store. As we'd be using Amazon S3 as the "repository" they fail this one.
Whew. So, I'd love a single tool that does this but after an exhaustive search I don't think one exists. In my mind, the magical tool would be some combination of TrueCrypt and rsync.
I'd be happy just knowing which tools out there can fulfill my 3 requirements, after that I can stitch together the rest. Any thoughts?
Source: (StackOverflow)
I have a TrueCrypt file container in the Google Drive folder. I add stuff into it, make sure TrueCrypt changed the timestamp of the container. Google Drive syncs with the server, but it seems it transfers the whole file instead of the bit which is changed in the TrueCrypt container.
Would you know how to make it only sync the changed bit of the container instead of 5GB every time?
Source: (StackOverflow)
TC runs, but I get this error when trying to mount a volume:
Failed to load /Library/Filesystems/fusefs.fs/Support/fusefs.kext - (libkern/kext) link error.
I've seen various posts talking about 64-bit support for both TC and MF, but nothing conclusive. I'm running TC v6.3 and MF v2.0.3. Anyone know if this combo works without having to recompile TC from scratch?
Source: (StackOverflow)