OnPoint by Keith Ng


The Big Guns: Truecrypt and Tails


One of the simplest ways to encrypt stuff is with Truecrypt. It runs on Windows, Macs and Linux. It requires no installation, so you can run it off a thumbdrive. You can use it to create an encrypted container file, or to encrypt an entire drive.

Encryption containers are quite handy. When decrypted, they work just like a normal drive. But once you lock it, the whole drive disappears and becomes an encrypted file which can't be read without the password. Apart from that, it's like any other file - you can copy it wherever, put it on a USB stick, or even put it on Dropbox so that it syncs between your computers.

You can also encrypt entire drives. The whole drive will look like random data, and be unreadable without the password. Of course, anyone looking at the drive will see that it contains random data, and conclude that it must be an encrypted drive. This comes back to the problem I mentioned last time - that you can be compelled to give up your password, so what's the point of encryption?

This is where Truecrypt works its magic. You can create a hidden volume with Truecrypt - that is, create a hidden encrypted drive *inside* another encrypted drive. A drive with hidden encryption (i.e. Two layers, one hidden beneath the other) looks exactly the same as a drive with normal encryption (i.e. One layer). It's easy to prove that there is an encrypted layer, and you can be compelled to give up *a* password - but it is impossible to prove the existence of the second layer, so they can't compel you to give up the password to it.

This is, of course, some tricky shit. If you're going to go down this path, you really need to read the full documentation.


Encryption is maths. You can't hack maths, but you can hack computers. Rather than trying to break your encryption lock, it's much more likely that any adversary will just try to steal your key by compromising your computer. There's also a decent chance that your computer is compromised not because you're a target, but just because you clicked on the wrong thing at some point in the past.

One catch-all solution is to bypass your computer operating system altogether. The A in TAILS stand for "amnesiac". The whole operating system boots from the USB drive and straight onto your RAM. Nothing is saved - this means that you can click on all the viruses and trojans in the world, but when you reboot, you start with a clean system again.

Tails and Truecrypt combined is a very powerful combination. Your data is encrypted by Truecrypt, and your password only ever goes between you and the temporary operating system, which ceases to exist when you turn the computer off. The only way, in this system, to crack your data is to plant a physical bug in your computer, to install a camera over your keyboard, or to beat/coerce the password out of you.

Tails also comes packaged with Tor Browser, which uses Tor to redirect your traffic and mask where its coming from. It also comes with its own PGP tools, which you can use for encryption/decryption on the fly. Truecrypt is turned off by default, but if you want to use it, you can just type in "truecrypt" on boot (or carry the file in the drive containing Tails).


I think that's it for now. Feel free to post links to your favourite tools in the discussion below. Keep in mind that the focus here is on practical solutions for users with minimal expertise fighting real world, resource constrained adversaries. So let's not go overboard eh.

In other news, the Lavabit story is out. And jesus. It's a depressing read. If you think the state shouldn't be omniscient, please help the cause by donating to his defence fund. If you liked my security stuff so far and/or found it useful, please do me a favour by donate to his defence fund, so I can feel a little less nauseous about where we're headed.

68 responses to this post

First ←Older Page 1 2 3 Newer→ Last

First ←Older Page 1 2 3 Newer→ Last

Post your response…

This topic is closed.