Full bore encryption with TrueCrypt

Started by Bloody Jack Kidd, April 30, 2010, 11:19:51 AM

Bloody Jack Kidd

Again - due to being a recent victim of computer theft, my new Windows 7 64-bit laptop required an encryption solution, to protect against future hardware theft being a huge data breach.  Windows 7 is actually a very good candidate for full drive encryption using TrueCrypt.

http://www.truecrypt.org/

With only the basic install and OS activation complete, I downloaded TrueCrypt, followed the online documentation, ran the wizard and was well on my way to a fully encrypted hard disk.  The initial encryption stage ran for about 3 hours, but now due to TrueCrypt's pipelining and parallelization, there is no discernible performance hit.

I preferred this solution to Microsoft's own Bitlocker offering and so far I'm totally satisfied with TrueCrypt.  It's free and very potent... if you need to secure your data - this is well worth looking into.
Sysadmin - Parallel42

Che Guevara

If it is free did you make sure they were not sending all your data to them during that 3 hour session  :-)

Bloody Jack Kidd

nothing to send - was a fresh OS install... but regardless, the folks who do TrueCrypt are just serious security professionals who believe good encryption should be the right of everyone.

The product has been well reviewed and has been around for some time now.
Sysadmin - Parallel42

Kevin Crow

TrueCrypt is one of the poster children of the open source community. If there were any vulnerabilities or anything malicious in the code, it would be all over the web. I've used it for years and been amazed at how little it affects performance. We encrypt all our corporate laptops with it at the system level. Thanks to a handy little feature in the program, we've set the password prompt to "NO HARD DISK FOUND" so it looks like a dead soldier if someone steals/finds one of our laptops.
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/

stevenhart

I'm a huge fan of Truecrypt and we avidly use it for our clients that have a limited number of computers they want to protect.  It is missing the enterprise features that Bitlocker has - like storing the recovery password within Active Directory, support for TPM, support for USB key boot authentication, configuration settings through GPO, etc.

So I think in some scenarios Truecrypt is advantageous - fast to deploy, works on various OS's, reliable.  But if one is tasked with supporting the encryption of dozens of computers, I think Bitlocker has some important advantages.

Jeff Zylstra

Quote from: Kevin Crow on April 30, 2010, 02:02:24 PM
we've set the password prompt to "NO HARD DISK FOUND" so it looks like a dead soldier if someone steals/finds one of our laptops.

Or maybe...

Police contacted and en route.  Please wait here...   ;D

Hey, you may as well have a little fun with the little jerks.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

insurebaltimore

I've been using a TrueCrypted laptop for quite a while now, and I can't complain at all.  Performance is great, as is security.

I've heard rumors of bad sectors on the drive causing unrecoverable data corruption, but I can't verify this.  Nothing a good backup won't solve.

We also use TrueCrypt to encrypt and password protect flash drives.  Good stuff.
Jason Gobbel
Microsoft Certified | Six Sigma - Lean/DFSS Certified

"I even put the router lower than the server so the bits gain speed going downhill!" - Rick

Bloody Jack Kidd

Follow-Up:

over the weekend my system became caught in a boot loop - involving a BSOD declaring UNMOUNTABLE_BOOT_VOLUME 0xEB (IIRC)

TC forums indicate I am not alone and this usually results in an emergency decryption from the Rescue CD - sure enough, I'm currently decrypting my entire sys volume.

Root cause - unknown.
Sysadmin - Parallel42

Gene Foraker

Is there really a point to encrypting the entire C: drive rather than creating a partition for data and putting My Docs and such on it?   Enough already can go wrong with boot drives.
Gene Foraker CPCU
Gates-Foraker Insurance Agency
Norton, OH


My posts are a natural hand made product. The slight variations in spelling and grammar enhance its individual character and beauty and in no way are to be considered flaws or defects.

Bloody Jack Kidd

If you can trust the OS not to leak anything critical out of the encrypted "sandbox" - then yes, you could just encrypt docs and settings.  I don't trust Windows or Windows application authors enough to say that something important won't get put in another directory though.

In the near future full hardware encryption hard disks will become commonplace, esp. in the notebook sector.

Presently I'm not sure what my response to this incident is going to be.
Sysadmin - Parallel42

insurebaltimore

Quote from: Rick Chisholm on May 17, 2010, 11:56:59 AM
Presently I'm not sure what my response to this incident is going to be.

Be curious to see if a bad sector (or several) was at fault.  How old is the drive?
Jason Gobbel
Microsoft Certified | Six Sigma - Lean/DFSS Certified

"I even put the router lower than the server so the bits gain speed going downhill!" - Rick

Bloody Jack Kidd

Quote from: insurebaltimore on May 17, 2010, 01:35:46 PM
Be curious to see if a bad sector (or several) was at fault.  How old is the drive?

It's a brand new Dell e6400...  :-[
Sysadmin - Parallel42

Kevin Crow

Re:
Quote: Is there really a point to encrypting the entire C: drive rather than creating a partition for data and putting My Docs and such on it?

For example when you open an attachment in TAM, it puts a copy in the Windows TEMP folder. Also, OWA (Outlook Web Access) downloads opened attachments to the IE or Windows TEMP folder (also a good reason not to open attachments in OWA on public computers).
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/
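
The TEMP-folder point above can be checked on a machine that encrypts only a data partition. This is an added example, not part of the thread or of TrueCrypt: it walks the temp and IE cache folders and lists document files that sit outside the encrypted volume. The extension list and the `D:\` drive letter are assumptions.

```python
import os
import tempfile

# Extensions treated as "documents" here; an assumption, adjust to your environment.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".msg", ".eml", ".csv"}


def default_scan_roots():
    """Temp/cache folders worth checking: %TEMP%, %TMP% and the IE cache on Windows 7."""
    roots = {tempfile.gettempdir()}
    for var in ("TEMP", "TMP"):
        if os.environ.get(var):
            roots.add(os.environ[var])
    local = os.environ.get("LOCALAPPDATA")
    if local:
        roots.add(os.path.join(local, "Microsoft", "Windows", "Temporary Internet Files"))
    return sorted(r for r in roots if os.path.isdir(r))


def is_under(path, root):
    """True if path resolves to a location inside root (symlinks and case normalised)."""
    path = os.path.normcase(os.path.realpath(path))
    root = os.path.normcase(os.path.realpath(root))
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # different drive letters on Windows
        return False


def find_plaintext_copies(scan_roots, encrypted_root, exts=DOC_EXTS):
    """Return document files under scan_roots that sit outside encrypted_root."""
    hits = set()
    for scan_root in scan_roots:
        # Unreadable directories are skipped rather than aborting the walk.
        for dirpath, _dirs, files in os.walk(scan_root, onerror=lambda e: None):
            for name in files:
                full = os.path.join(dirpath, name)
                is_doc = os.path.splitext(name)[1].lower() in exts
                if is_doc and not is_under(full, encrypted_root):
                    hits.add(os.path.realpath(full))
    return sorted(hits)


if __name__ == "__main__":
    # "D:\\" stands in for the encrypted data partition (hypothetical drive letter).
    for leaked in find_plaintext_copies(default_scan_roots(), "D:\\"):
        print(leaked)
```

Every path it prints is a file that would be readable from a stolen disk when only the data partition is encrypted.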

insurebaltimore

And don't forget all those "work related" photos of Megan Fox in your IE files...

On Linux/OSX, I'd say no...  no need to encrypt the entire drive.  But Windows is such a <bleep>ing "free for all" that it's almost a requirement.
Jason Gobbel
Microsoft Certified | Six Sigma - Lean/DFSS Certified

"I even put the router lower than the server so the bits gain speed going downhill!" - Rick