Re: Newbie question: How secure is TrueCrypt 6.3a?

Discussion in 'Computer Security' started by nemo_outis, Jul 12, 2010.

  1. nemo_outis

    nemo_outis Guest

    Richard Malchik <> wrote in
    news::

    > It obviously protects against neighborhood break-ins, but
    > is it really secure against all others that may want access
    > to financial records and writings and the like? Are there
    > any "back-doors?"
    >
    > Richard



    The short answer is: Yes, Truecrypt is secure (but see my
    paranoid PS)

    Truecrypt uses secure algorithms and methods and its source
    code is available for inspection (although it isn't quite open
    source).

    You must understand that there are some things that software
    encryption, no matter how good, cannot, by its very nature,
    protect against, such as hardware keyloggers, video/acoustic
    surveillance, evil maid attacks, firewire attacks, etc. And
    the internet!
    (Truecrypt only protects data "at rest" - if you're running
    and online, you're as vulnerable as anyone else to Trojans,
    viruses, etc.)

    A few good practices:

    1) BACK UP everything before encrypting. If you make a
    beginner's mistake you don't want to find yourself locked out
    of your own data. With encryption, backups are even more
    important than for ordinary computing. CONFIRM you can restore
    the backup (You'd be amazed how many backups turn out to be
    worthless because they won't restore!) Later on when you're
    experienced you will make frequent encrypted backups but at
    the outset use plain unencrypted ones and keep them for a few
    weeks/months at least.

    2) Pick a strong password (or passphrase - diceware is also
    good). And backup the Truecrypt header (i.e., make a rescue
    disk)

    3) Whole disk encryption is superior to container encryption
    but there are more possibilities to shoot yourself in the foot
    until you become experienced. Did I mention you should make a
    backup?

    4) Oh, and in case I forgot to tell you: Make a backup!

    Regards,

    PS I (as a certified paranoid :) have many misgivings about
    how trustworthy Truecrypt is and whether it contains
    backdoors, etc. The authors are far too secretive for my
    taste and I REALLY don't like the way they manage their
    forums, purge code from the internet, etc.

    But, at least on the face of it, Truecrypt is well done.

    You only need to begin worrying about how trustworthy
    Truecrypt is re backdoors, etc. if your activities are so
    high-profile that you could be a target of major intelligence
    agencies (NSA, etc.). Below that, you're bombproof.
    nemo_outis, Jul 12, 2010
    #1

  2. "nemo_outis" <> wrote:

    > PS I (as a certified paranoid :) have many misgivings about
    > how trustworthy Truecrypt is and whether it contains
    > backdoors, etc. The authors are far too secretive for my
    > taste and I REALLY don't like the way they manage their
    > forums, purge code from the internet, etc.
    >
    > But, at least on the face of it, Truecrypt is well done.
    >
    > You only need to begin worrying about how trustworthy
    > Truecrypt is re backdoors, etc. if your activities are so
    > high-profile that you could be a target of major intelligence
    > agencies (NSA, etc.). Below that, you're bombproof.


    As a benchmark - the FBI will at least CLAIM they're unable to crack
    Truecrypt if you're a Brazilian criminal billionaire ;-)

    http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/

    --
    Juergen Nieveler
    Juergen Nieveler, Jul 12, 2010
    #2

  3. nemo_outis

    nemo_outis Guest

    Richard Malchik <> wrote in
    news::

    > On Mon, 12 Jul 2010 18:22:06 GMT, "nemo_outis"
    > From what you say, I don't attract any attention that is
    > skilled enough to crack my PC's encryption. All my drives,
    > including my boot drive, are 100% encrypted.



    Pick a good password/passphrase. For Truecrypt (and any other
    well-implemented AES encryption program) the only ways to
    defeat it are 1) assorted trickery (evil maid, firewire,
    trojan, video, etc.) and 2) cracking the password (NOT the
    encryption algorithm).

    Cracking most folks' passwords is **well within the range of
    possibility** for a motivated adversary using only moderate
    resources.

    Full 256-bit equivalence (i.e., as strong as the underlying
    AES-256 encryption) requires a password of about 45 RANDOMLY-
    chosen characters (upper & lower case) - impossible for most
    mortals to remember.

    But don't go lower than, say, 11 random characters. (64-bit
    equivalence or so). I assume (using Moore's 24-month law)
    that decrypting power will increase by one bit each 2 years so
    this has some small "futurity" reserve (perhaps a few decades)
    against up to ordinary-power adversaries (say, local LEAs). A
    64-bit password ISN'T enough against serious adversaries (the
    kind who have supercomputers :)

    Or go the diceware route for a good tradeoff between security
    and memorability.
    http://world.std.com/~reinhold/diceware.html

    Regards,
    nemo_outis, Jul 12, 2010
    #3
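    The passphrase arithmetic from the post above, worked through as an added example that is not part of the original thread: it computes the entropy of a uniformly random password drawn from the post's 52-letter alphabet and from the 7776-word diceware list, the length needed to reach a target strength, and the "futurity reserve" at the post's one-bit-per-two-years growth rate. The adversary's present-day brute-force reach (50 bits) is an assumed figure for illustration, not one from the thread.

```python
import math

# Symbol sets referred to in the post (alphabet sizes, not sample passwords).
ALPHABETS = {
    "upper_lower": 52,   # upper & lower case letters, as in the post
    "diceware": 7776,    # one diceware word = one roll of five dice
}


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy contributed by one symbol chosen uniformly at random."""
    return math.log2(alphabet_size)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols, each chosen uniformly and independently.

    Only valid for truly random choice (dice, a CSPRNG); a human-chosen
    password of the same length has far less entropy than this figure.
    """
    return length * bits_per_symbol(alphabet_size)


def symbols_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest symbol count whose uniform-random entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def years_of_reserve(password_bits: float, adversary_bits_today: float,
                     years_per_bit: float = 2.0) -> float:
    """Years until brute-force reach, growing one bit per `years_per_bit`
    (the post's reading of Moore's law), catches up with the password."""
    return max(0.0, (password_bits - adversary_bits_today) * years_per_bit)


if __name__ == "__main__":
    letters = ALPHABETS["upper_lower"]
    words = ALPHABETS["diceware"]
    # The post's two figures: ~45 random letters for AES-256 parity, 11 for ~64 bits.
    print(f"45 random letters : {entropy_bits(45, letters):.1f} bits")
    print(f"11 random letters : {entropy_bits(11, letters):.1f} bits")
    print(f"letters for 256 bits: {symbols_needed(256, letters)}")
    print(f"diceware words for 64 bits : {symbols_needed(64, words)}")
    print(f"diceware words for 256 bits: {symbols_needed(256, words)}")
    # Assumed (hypothetical) adversary able to search 2^50 keys today.
    print(f"reserve of a 64-bit password: {years_of_reserve(64, 50):.0f} years")
```

The diceware counts show the memorability tradeoff the post mentions: five words give the same ~64 bits as eleven random letters.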
