Hard Drive Encryption Programs

Discussion in 'BlackHat Lounge' started by dreambigger, Nov 14, 2011.

What Hard Drive Encryption would you use?

  1. TrueCrypt

    0 vote(s)
    0.0%
  2. Diskcryptor

    0 vote(s)
    0.0%
  3. Kremlin

    0 vote(s)
    0.0%
  4. Physical Hardware Encryption

    0 vote(s)
    0.0%
Multiple votes are allowed.
  1. dreambigger

    dreambigger Newbie

    Joined:
    Oct 15, 2011
    Messages:
    18
    Likes Received:
    10
    I have done some research and tried to look at the facts from different angles, and so far I have come up with a few good contenders as follows: TrueCrypt, DiskCryptor, and Kremlin.

    This thread is for those who care about the highest standard of hard drive encryption and I will be very interested in hearing your insight on the subject. I am attempting to distill the facts from rumors and promote reasonable discussion of the benefits and possible risks of using different encryption programs for hard drive encryption.

    Here is a list of possible factors that could be important when choosing encryption software:

    Reliability?
    Cryptography strength?
    Source code trustworthy?
    Cost(freeware/shareware)?
    Backdoor possibility?
    Cross platform compatibility (Windows/Linux/Mac)?
    Software agenda (Corporation/Government involvement)?
    System/Partition and volume encryption?
    Hidden system/partition and hidden volume encryption?


    Now currently I am using TrueCrypt but upon research I have been having doubts about it being the best program out there. It should be noted that if you are looking to stop the average crook on the street you should look no further than TrueCrypt. My research is geared mainly towards Truecrypt as I have not had time to research the other programs yet.

    Here is some research on TrueCrypt that has provided some different takes on this program. For argument credibility I have made sure you can access the links for your own scrutiny just replace the DOT with a "." to access the websites.

    Interesting thread posted by Mike Rowave
    "I believe that TrueCrypt might be provided by the NSA, CIA, or one of those big Federal agencies for the purpose of promoting encryption for which they have the back door, in order to decrease the use of other encryption that they can't crack. That's the reason for their secrecy around it, and that's why it also is such a well-polished product with good documentation, despite neither being a commercial product nor having the widespread participation of open source developers.

    See this document, which explains that the government's goal is to encourage the widespread use of encryption for which they can recover the keys:

    wwwDOTjusticeDOTgov/criminal/cybercrime/cryptfaqDOThtm

    Actually, the Administration encourages the design, manufacture, and use of encryption products and services that allow for recovery of the plaintext of encrypted data, including the development of plaintext recovery systems, which permit through a variety of technical approaches timely access to plaintext either by the owners of data or by law enforcement authorities acting under lawful authority. Only the widespread use of such systems will both provide greater protection for data and protect public safety. The Department's goal -- and the Administration's policy -- is to promote the development and use of strong encryption that enhances the privacy of communications and stored data while also preserving law enforcement's current ability to gain access to evidence as part of a legally authorized search or surveillance. In this regard, we hope that the availability of highly reliable encryption that provides recovery systems will reduce the demand for other types of encryption, and increase the likelihood that criminals will use recoverable encryption."

    An interesting Article about TrueCrypt.


    "Analysis: Is there a backdoor in Truecrypt? Is Truecrypt a CIA honeypot?

    August 14th, 2010
    Truecrypt domain registered with a false address

    The domain name "truecrypt.org" was originally registered to a false address ("NAVAS Station, Antarctica"), and was later concealed behind a Network Solutions private registration.

    Truecrypt developers identity hidden

    The TrueCrypt developers used the aliases "ennead" and "syncon", but later replaced all references to these aliases on their website with "The TrueCrypt Foundation" in 2010. The TrueCrypt trademark was registered in the Czech Republic under name of "David Tesařk".

    Nobody knows anything about the developers, they do not want to identify themselves. Everyone likes to be known and congratulated for their great work, but apparently not Truecrypt developers, they do not care about the glory and honour and all that comes with it.

    Truecrypt developers working for free

    Closed source full disk encryption competitors like WinMagic, DriveCrypt (Securstar) and PGP Corporation have a full time team of software developers working in their products, creating such a product is not an easy feat as any of them will tell you.

    Meanwhile two unpaid Truecrypt developers manage to work on Linux, MAC and Windows versions, on 32 and 64 versions and support the next Windows 7 as soon as it has been released, at the same time, presumably, these two Truecrypt developers also hold full time jobs that pays them a salary to feed their families and covers their mortgages .

    Are closed source full disk encryption software developers overpaid lazy bastards and Truecrypt developers the finest, most hard working and charitable software developers on Earth?

    Compiling Truecrypt source code increasingly difficult

    Very few people compile the Windows binaries from source; it is exceedingly difficult to generate binaries from source that match the binaries provided by Truecrypt (due to compiler options, etc.)

    This would be very convenient for a CIA mole, they are more likely to attack the software implementation other than the algorithm and the best way to do that is to insert some hard to find vulnerability during packaging. If someone else compiled the source code their plan would not work.

    Truecrypt license contains distribution restrictions


    Truecrypt is released under its own "Truecrypt license", it is open source but it contains distribution and copyright-liability restrictions, most major Linux distributions do not want to know anything about it, Fedora has included TrueCrypt in its forbidden items list and forked it to RealCrypt instead.

    Reference:
    wwwDOTfedoraprojectDOTorg/wiki/ForbiddenItems#TrueCrypt

    UPDATE 2011: Truecrypt removed from The Amnesic Incognito Live system

    The developers of the anonymous live CD called Tails have now decided to remove Truecrypt from their distribution claiming that development is done in a closed fashion, the licensing is restrictive and it is not being reviewed by too many people.

    Reference:

    wwwDOTtailsDOTboumDOTorg/support/truecrypt/indexDOTenDOThtml



    Truecrypt open source code has never been reviewed

    Truecrypt's source code has never been the subject of a thorough review, nor is there any reason to rely on the credentials of the developers, since they remain anonymous.

    Good thorough code review and testing is hard, tedious and painstaking work, very few people have the skills to do it, and Truecrypt hasn't been validated through a comprehensive review by any qualified cryptographer.

    Censorship at Truecrypt forums

    As per Truecrypt forum rule 3 you are not allowed to discuss about other encryption software, as per Truecrypt forum rule 8 you can't discuss Truecrypt forks, as per Truecrypt forum rule 9 you can't discuss software that decrypts Truecrypt.

    You can't say anything about their competitors and you are not even allowed to say anything about software that decrypts Truecrypt. If you post any criticisms or negative comments about their software, you will find that those posts will mysteriously disappear.

    Truecrypt forum rules:

    wwwDOTforumsDOTtruecryptDOTorg/viewtopicDOTphp?t=1651

    Can the FBI crack Truecrypt?

    The CIA would never share their intelligence with their FBI puppies unless it is a real national security matter, terrorism, et al. And they would not want to kill the cow that produces their milk in a public trial where their capabilities are revealed.

    Furthermore, there has been recently a case of a corrupt Brazilian banker who has escaped prosecution after the FBI failed to break his fully encrypted disk, he was using Truecrypt.

    Reference:

    httpsCOLON//secureDOTwikimediaDOTorg/wikipedia/en/wiki/Daniel_Dantas

    Given that news I do not believe the FBI can crack Truecrypt and unless your name is Bin Laden you are probably still safe with Truecrypt, even if it has a backdoor and the FBI seizes your computer.

    Alternatives to Truecrypt forums

    Computer security and privacy newsgroups such as alt.privacy.anon-server ; alt.security.pgp , alt.privacy and alt.scramdisk

    Computer and security internet forums such as Wilders Security Forums.

    Alternatives to Truecrypt

    The only free full disk encryption open source software that I have found and can rival Truecrypt is Diskcryptor.

    Conclusion about Truecrypt reliability


    Don't get paranoid, even if you are using Truecrypt I could as well be wrong on my analysis and it is highly unlikely the CIA will ever come after you anyway.

    Everyone has something to hide, but take it easy, you will need to trust some encryption product in the end and nobody out there knows 100% sure which one is safe, because what is safe today might not be tomorrow.

    Just use the best encryption product according to your opinion and relax, there is no point in keeping in your head what could happen to you if you got it wrong, hopefully you did not, and as long as you did your best research on it, that is all that is needed.

    For the record, I still recommend Truecrypt, they are my second choice of full disk encryption software after DiskCryptor. I am just raising what I believe are some fair points, because in security, you TRUST NOBODY"
    Again I am currently using TrueCrypt, but I think there may be better options out there. I'm looking forward to hearing your thoughts on the subject! Take care.
     
    • Thanks Thanks x 3
  2. Autumn

    Autumn Elite Member

    Joined:
    Nov 18, 2010
    Messages:
    2,197
    Likes Received:
    3,041
    Occupation:
    I figure out ways to make money online and then au
    Location:
    Spamville
    Thanks, that was pretty interesting. Currently I use openssl and AES 256 bit encryption to encrypt tarballs of my backups, but I use truecrypt to do whole disk encryption on the usb key that goes on my keyring, which contains my latest daily backup.

    I've also read about a couple of FBI cases where the defendant got off because the FBI couldn't crack truecrypt, so it's probably still suitable for typical low key blackhat stuff... but definitely food for thought!
     
    • Thanks Thanks x 2
  3. keinehabe

    keinehabe Supreme Member

    Joined:
    Nov 4, 2008
    Messages:
    1,207
    Likes Received:
    472
    Gender:
    Male
    Occupation:
    -= CEO =-
    Location:
    Heaven
    I've used TrueCrypt in the past (for very serious reasons! And I doubt there are, let's say, 10% of people who really need disk encryption for their day-to-day workflow computers). It's a pretty good and well-done toy. But I took it off when I found an actually perfect crypting/hiding service sold in virtually all high-street stores. Since then I'm forever a Dell fan (I haven't tested on other brands of computers, but maybe it works the same). Anyway, this is for everyone who really has something to "keep fkin secret", for all the paranoia of you guys who keep the damn passwords from a hostgator shared account on the desktop. The "perfect" crypting service comes sold on all Dell laptops for free; not even the manufacturer can break this password if you need to, and it uses virtually no memory, with no interaction whatsoever with the OS. So... if you own a Dell laptop, just go to the BIOS, and you will have there an option to password your HDD. Carefully! And seriously, take your risk with this. THIS password, at least on DELL laptops, has NO chance of being recovered; the HDD will be crypted, and there is NO WAY to break it :) ... If you lose important info when you forget the password, don't swear at me, since I've warned you. The HDD will be virtually worthless if your laptop "dies" :) (no way to use the HDD on another machine if it is password locked on there). End of the story :) ... And for the record, the method was also tested with a reputable law enforcement agency; their technicians weren't able to "open" the HDD :)
     
    • Thanks Thanks x 1
  4. dreambigger

    dreambigger Newbie

    Joined:
    Oct 15, 2011
    Messages:
    18
    Likes Received:
    10
    Thanks guys. USB encryption is a must for me too. As far as the Dell hardware, I'm working with a limited budget at the moment, but that does sound like a good alternative.
     
  5. Black.Star

    Black.Star Junior Member

    Joined:
    Oct 4, 2011
    Messages:
    185
    Likes Received:
    1,028
    Occupation:
    IT security specialist
    Location:
    Europe
    Truecrypt + automatic acid harddrive destruction/electro magnet destruction security system.
     
  6. dreambigger

    dreambigger Newbie

    Joined:
    Oct 15, 2011
    Messages:
    18
    Likes Received:
    10
    I like the acid/magnet destruction idea, however it is out of range; it is a bit expensive for me at the moment. Ideally I would prefer software, but a hard drive with physical encryption and the acid/magnet features would be nice!

    Anyone have any thoughts on encryption programs for a standard hard drive? I would be most interested in an independent software encryption program...Thanks again.
     
  7. Black.Star

    Black.Star Junior Member

    Joined:
    Oct 4, 2011
    Messages:
    185
    Likes Received:
    1,028
    Occupation:
    IT security specialist
    Location:
    Europe
    Ahh it´s not out of range.
    Everyone can build that at home :D
     
  8. Roparadise

    Roparadise BANNED BANNED

    Joined:
    May 25, 2011
    Messages:
    786
    Likes Received:
    1,417
    What about using a combination of encryption programs?
     
  9. dreambigger

    dreambigger Newbie

    Joined:
    Oct 15, 2011
    Messages:
    18
    Likes Received:
    10
    Hmm building one of those contraptions could be time consuming and expensive...However, I am really looking for something less permanent so that I can continue to use the discs. If I were looking to kill them permanently more than likely I would scrub pseudo random and throw it in a hard drive shredder.

    Using multiple encryption programs has crossed my mind although I am unsure if there would be compatibility issues.
     
  10. neuromancer

    neuromancer Newbie

    Joined:
    Jun 12, 2010
    Messages:
    48
    Likes Received:
    26
    if you want maximum security you buy an Ironkey (USB hardware FIPS encrypted) or wait for Cryptostick 2 which should be out soon made by the German Privacy Foundation

    on it you make truecrypt containers, each with hidden containers inside .. so you have two passwords. one password opens the decoy container, and if you enter a different password it opens up your seekrit drive full of haxx.

    now they have to break hardware encryption + your truecrypt containers.

    FDE/full disc encryption is only good if you always leave your system OFF. The key resides in memory, so if you're a member of Antisec and the feds bust down your door pointing guns at you while you're taking a whizz with your comp on in the other room FDE is useless.

    FDE is also feeble unless you do certain things like disabling windows system restore, disable hibernate mode, and page file. If running OpenBSD you'll have no problems since swap memory is encrypted for your win. You should do FDE on your regular comp, then your seekrit haxx files should be on the Ironkey or on a separate partition altogether that doesn't have any bootloaders on it.

    There are also bootloader attacks that can happen to your truecrypt FDE such as the 'evil maid attack' where somebody with access to your house or syrian police who gain access when you're not home can install a rootkit/keylogger to capture your password in the clear and email it to them without you ever knowing (FDE does not encrypt boot.. your CPU needs clear instructions to boot the comp can't pass it encrypted info)

    If in doubt look up Max Vision who was busted running cardersmarket.com he used DriveCrypt a 1344 bit military encryption program but it was useless as his servers were powered on when the USSS broke into his safe house and simply extracted the key from comp memory. His criminal associate used the same program on his laptop, which was off at the time and the USSS were unable to get any info from it.

    Keep in mind this is all pointless if you live in a country that employs 'Rubber hose cryptography' which basically means they will beat the living hell out of you until you give up the password. This is where plausible deniability/truecrypt are essential. If you're a Syrian and just picked up in a random sweep and they want into your laptop you better hope there's a decoy partition you can open for them that you use frequently or else you end up giving away your revolution seekritz which is basically an instant death sentence for you and everybody found on the drive.

    i'd also recommend only ever accessing your encrypted USB stick with a live CD like Tails/Amnesic Incognito Tor CD (which erases memory when shut down) so you don't end up screwed by keyloggers or backdoors in your XP/win7 setup

    also the dell bios password thing is useless. don't rely on that if you're a carding kingpin or defacto leader of some worldwide hacking collective (derp sabu)

    this also depends on your passwords. remember forensic labs in universities like Carnegie Mellon and MIT are contracted to break drives. they will brute force using supercomputers and dozens of GPUs to do like 1 million words per second on your disk. if your password is a word or bunch of words you are done. pick something not at all a word, like the first letters of every song lyric with random numbers thrown in, or pick a book off the floor and use the entire table of contents as your password choosing the first and last letter of every word with alternate caps and numbers/special chars. then you are g2g. if you bought an Ironkey, they can't bruteforce it, it will self delete. win

    simply choosing !!Nobody can guess this password!1 as your password is useless. i would imagine MIT could slice through that in around an hour or so. if you live in a different country, guess what they all have contracts with US to send encrypted drives to them to bust open. UK especially
     
    • Thanks Thanks x 1
    Last edited: Dec 10, 2011
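
The brute-force arithmetic from the post above, as an added example that is not part of the original thread: it estimates the average search time at the post's figure of 1 million guesses per second, taking the cheaper of a per-character model and a per-word dictionary model. The dictionary size, the mini word list and the sample passwords are assumptions constructed for illustration.

```python
import math

GUESS_RATE = 1_000_000       # guesses per second, the rate quoted in the post
ASSUMED_DICT_SIZE = 100_000  # assumption: size of the attacker's word list
# Constructed mini word list standing in for that dictionary (not real data).
SAMPLE_WORDS = {"correct", "horse", "battery", "staple", "password", "dragon"}
# Constructed 30-character sample password using all four character classes.
RANDOM_30 = "t9$Lq2!vXe7@Rm4^Zb8&Hc1*Yd5%Wn"


def charset_size(pw: str) -> int:
    """Size of the character pool implied by the classes present in pw."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33  # printable ASCII punctuation plus space
    return pool


def char_model_bits(pw: str) -> float:
    """Search space if every character were drawn at random from its pool."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def word_model_bits(pw: str):
    """Search space for a word-by-word attack, or None if a token is not a word.

    Assumes each word was picked independently at random; a natural
    sentence is weaker than this figure because its words are correlated.
    """
    tokens = pw.lower().split()
    if tokens and all(t in SAMPLE_WORDS for t in tokens):
        return len(tokens) * math.log2(ASSUMED_DICT_SIZE)
    return None


def effective_bits(pw: str) -> float:
    """The attacker uses whichever model is cheaper, so take the minimum."""
    word_bits = word_model_bits(pw)
    char_bits = char_model_bits(pw)
    return char_bits if word_bits is None else min(char_bits, word_bits)


def avg_seconds(bits: float, rate: float = GUESS_RATE) -> float:
    """Average time to hit the password: half the search space at `rate`."""
    return 2 ** bits / 2 / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple", RANDOM_30):
        bits = effective_bits(pw)
        print(f"{pw!r:34} {bits:6.1f} bits  {humanize(avg_seconds(bits))}")
```

The rate here is raw guesses per second; a key-derivation function with a high iteration count lowers the achievable rate, which scales every result by the same factor.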
  11. d4rkterror

    d4rkterror Jr. VIP Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    147
    Likes Received:
    51
    i have always used truecrypt it works great
     
  12. gargamel159

    gargamel159 Newbie

    Joined:
    Jun 6, 2011
    Messages:
    46
    Likes Received:
    2
    if you use a lot of remote desktops, vps and servers, and you don't need a big hdd of 10-20gb and you do everything on servers, use firadisk (google it). it turns 2gb of your ram into a hdd, so basically you have a ssd made out of your ram. there you have it, no hard drive, no worries. :) i know i do
     
  13. Stalli0n

    Stalli0n Junior Member

    Joined:
    Nov 17, 2010
    Messages:
    115
    Likes Received:
    83
    Location:
    Europe
    Nobody questions that, but with future versions the risk gets higher that there is some kind of built-in backdoor...
     
  14. slate2011

    slate2011 Regular Member

    Joined:
    Feb 6, 2011
    Messages:
    314
    Likes Received:
    70
    Occupation:
    IT MANAGER
    interesting post...
     
  15. Monrox

    Monrox Power Member

    Joined:
    Apr 9, 2010
    Messages:
    615
    Likes Received:
    579
    I use a one time pad where the pad is an easy to reconstruct (for me) sequence of books, pages and chapters and illustrations from other books. Since all is findable online at the library of congress I don't even have to store the key anywhere.
     
    • Thanks Thanks x 1
  16. Roparadise

    Roparadise BANNED BANNED

    Joined:
    May 25, 2011
    Messages:
    786
    Likes Received:
    1,417
    What about creating a 30 character password key that's a combination of lower case, capital, numbers, and special characters such as ! and ^ and % etc., in your head and memorizing it, instead of using software to remember it?
     
    Last edited: Dec 10, 2011
  17. Stalli0n

    Stalli0n Junior Member

    Joined:
    Nov 17, 2010
    Messages:
    115
    Likes Received:
    83
    Location:
    Europe
    Do you even know what hard drive encryption does?
    Either i'm confused or you should maybe read the thread first...
     
    Last edited: Dec 10, 2011
  18. paulpapapump

    paulpapapump Junior Member

    Joined:
    Aug 21, 2011
    Messages:
    138
    Likes Received:
    29
    Occupation:
    Rock Star
    Location:
    T DOT Baby
    i use truecrypt and kingston blackbox. works well for me.
     
  19. Roparadise

    Roparadise BANNED BANNED

    Joined:
    May 25, 2011
    Messages:
    786
    Likes Received:
    1,417

    I meant randomly creating a password for use with encryption program instead of using a "code" like Book index from several books that someone can figure out.
     
  20. Stalli0n

    Stalli0n Junior Member

    Joined:
    Nov 17, 2010
    Messages:
    115
    Likes Received:
    83
    Location:
    Europe
    My bad, didn't see Monrox's post ;)