Best encryption sw for home laptop

Discussion in 'Computer Security' started by emailchrisco, Jun 19, 2006.

  1. emailchrisco

    emailchrisco Guest

    I've been researching encryption software for a few days and I think
    I'd better ask for some help. Please excuse me if I say something
    here that shows my ignorance. And feel free to correct me, I'm trying
    to learn about this so I can make the best decision.
    It looks like PGP and Truecrypt are well thought of, but I don't think
    they have everything I want. I'm looking for
    1) Excellent encryption so that it would be beyond the means of any
    individual or group to get my data.
    2) Ability to set up sort of a virtual drive or set up a folder so
    that anything that I put there is automatically encrypted.
    3) Ability to create and send encrypted files to people and they can
    open them if I tell them the password or key
    4) Ability to put encrypted backups on DVDs.
    Am I asking too much for one product? I like the idea of an open
    source product, but I guess a lot of people trust products that aren't
    open source, so I guess I could too maybe. If there is something that
    meets my needs, I'm willing to pay for it, so it doesn't have to be
    free.
    Thanks a lot everybody, I appreciate your input.
     
    emailchrisco, Jun 19, 2006
    #1

  2. EFS, TrueCrypt and GnuPG.
    EFS, TrueCrypt.
    TrueCrypt. Now for GPG this must be done manually.
    TrueCrypt, GnuPG. Again, the latter needs manual invocation.
     
    Sebastian Gottschalk, Jun 19, 2006
    #2

  3. emailchrisco

    emailchrisco Guest

    Thanks Sebastian.
    I also wanted to ask about secure file delete (what happens if I delete
    a file from the encrypted folder?) and about the danger of having some
    data in plain text in the swap file (or page file) that could be taken
    from there more easily than the encrypted area. Also this. My
    situation is that I usually leave my computer up and running, even when
    I leave the house and overnight it is left on. So if a thief steals it
    (and they don't turn it off or reboot it) are they past my encryption
    defenses since I was just there and was working with encrypted data?
     
    emailchrisco, Jun 19, 2006
    #3
  4. TrueCrypt: The reference to the file data is deleted. Now if someone
    obtained your encrypted container, he could still recover the data if he
    knew the key.

    EFS: As above, but the symmetric key associated with file is
    overwritten. As this key is usually per-file and never exported, it's a
    bit safer.

    In any case, a secure overwrite of either the file itself or the free
    space after deleting removes the data. Now that's why I have a "shred
    -z" in my crontab.
    Yeah, that might be a problem. However, what about common crypto
    solutions for the swap file? On Linux you've got dmcrypt and
    crypto-loop, on Windows you may take a look at CryptoSwap Guerilla.
    Yes. A crypto filesystem only protects a cold filesystem and should be
    transparently accessible in active state. Either dismount it (manually
    or automatically on idling) or use/add a file-based encryption.
     
    Sebastian Gottschalk, Jun 19, 2006
    #4
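The two overwrite approaches Sebastian describes above (overwrite the file itself, or overwrite the free space after an ordinary delete), written out as shell functions. This is an added example, not code from the thread or from any of the tools discussed. It assumes GNU coreutils `shred` where available and falls back to POSIX `dd`/`head`; the cron line in the comment is illustrative. Overwriting in place does not reliably destroy data on journaled, copy-on-write or snapshotting filesystems or on SSDs (wear levelling), and a full free-space wipe fills the disk to ENOSPC for its duration, so run it when nothing else needs to write.

```shell
#!/bin/sh
# Added example (not from the thread): secure overwrite of a single file and
# of the free space on a filesystem, as discussed in post #4.
# Assumptions: GNU `shred` if present, otherwise POSIX dd/head; a plain
# filesystem (journaling, COW, snapshots and SSD wear levelling all defeat
# in-place overwriting). Data already paged out to swap is not covered,
# which is why the thread also discusses encrypting the swap file.

# secure_delete FILE [PASSES]
# Overwrite FILE with PASSES passes of random data, then one pass of zeros
# (shred's -z, which also hides that shredding took place), then unlink it.
# Returns 1 if FILE is not a regular file.
secure_delete() {
    file=$1
    passes=${2:-1}
    [ -f "$file" ] || { echo "secure_delete: not a regular file: $file" >&2; return 1; }
    if command -v shred >/dev/null 2>&1; then
        shred -n "$passes" -z -u "$file"
        return
    fi
    # Fallback: write exactly the file's length in place for each pass;
    # conv=notrunc keeps the same blocks allocated so they are overwritten.
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -gt 0 ]; then
        i=0
        while [ "$i" -lt "$passes" ]; do
            head -c "$size" /dev/urandom | dd of="$file" conv=notrunc 2>/dev/null
            i=$((i + 1))
        done
        head -c "$size" /dev/zero | dd of="$file" conv=notrunc 2>/dev/null
    fi
    sync
    rm -f "$file"
}

# wipe_free_space DIR [MAX_MB]
# Fill the free space of the filesystem holding DIR with zeros through a
# scratch file, then delete it, so blocks freed by ordinary deletes are
# overwritten. MAX_MB caps the scratch file; 0 runs until the disk is full,
# which is what a real wipe needs. Illustrative crontab entry for a script
# that sources this function:
#   0 4 * * * /usr/local/sbin/wipe-free-space.sh /home 0
wipe_free_space() {
    dir=$1
    max_mb=${2:-0}
    [ -d "$dir" ] || { echo "wipe_free_space: not a directory: $dir" >&2; return 1; }
    scratch="$dir/.wipe.$$"
    if [ "$max_mb" -gt 0 ]; then
        dd if=/dev/zero of="$scratch" bs=1048576 count="$max_mb" 2>/dev/null || true
    else
        dd if=/dev/zero of="$scratch" bs=1048576 2>/dev/null || true   # stops on ENOSPC
    fi
    sync
    rm -f "$scratch"
}
```

Inside a mounted TrueCrypt container both functions behave as on any other drive: the plaintext writes are translated into ciphertext writes to the same container sectors, so the old ciphertext of the deleted file is replaced. Shredding the container file itself from the host filesystem is a different matter and subject to the same journaling and SSD caveats.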
  5. nemo_outis Guest

    wrote in @h76g2000cwa.googlegroups.com:

    0. You can delete a file from a truecrypt volume as simply (or as
    elaborately) as you wish - just as with any other drive. However, this
    does seem superfluous since the encryption provides all the protection you
    would normally need.

    1. It is possible to have the swap file encrypted by having it on a
    Truecrypt volume. The volume is mounted with the "system" mount option -
    it's in the Truecrypt documentation.

    2. You can encrypt much of the "user space" by using the third-party
    truecrypt addon TCGINA at:

    http://www.truecrypt.org/third-party-projects/tcgina/

    3. If you leave the machine up and running then the files on any mounted
    Truecrypt drives are accessible unencrypted - the thief has full access
    (how would the machine know the difference between the thief and you?). As
    a minimum you should use "Logo L" (or run the equivalent: rundll32.exe
    user32.dll,LockWorkStation. This works better if you have fast user
    switching enabled - which you shouldn't!) to lock the machine (which will
    stop amateurs at least). Fanatics will make sure that there are no other
    routes in (LAN, firewire, etc.).

    Regards,
     
    nemo_outis, Jun 19, 2006
    #5
  6. Have been reading and searching and didn't find anything. Can you point
    me somewhere? Can we randomly generate a key and fast-format the volume
    or is the key static, therefore always available to Mallory? Also under
    Windows?
    Generally a good idea, but it creates a lot of hassles with system
    management and repair.
    Or, as recently pointed out, USB, which has the same remote direct
    memory access feature as FireWire. A sophisticated attacker would
    attach a module directly to the memory controller.
     
    Sebastian Gottschalk, Jun 19, 2006
    #6
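The dm-crypt route Sebastian mentions in #4 is the Linux answer to his own question in #6 (a randomly generated key plus a fast format, rather than a static key Mallory can come back for): map the swap partition with a key read from /dev/urandom at each boot, run mkswap on the mapping, and never store the key anywhere. This is an added example, not code from the thread; it is not the Windows TrueCrypt "system" mount option nemo_outis refers to. It assumes cryptsetup is installed, uses /dev/sda5 as a placeholder for the swap partition, and the `--apply` path needs root and a swap that is not in use. One caveat a practitioner will want up front: suspend-to-disk cannot resume from a swap whose key vanished with the previous boot.

```shell
#!/bin/sh
# Added example (not from the thread): encrypted Linux swap with a throw-away
# key drawn from /dev/urandom at every boot (dm-crypt, plain mode, no LUKS
# header, because there is no persistent key to protect).
# Assumptions: cryptsetup installed; /dev/sda5 is a placeholder; --apply
# needs root and an unused swap partition. Hibernation/resume will not work.

SWAP_NAME=cryptswap
CIPHER=aes-xts-plain64   # current cryptsetup default; 2006-era setups used aes-cbc-essiv:sha256
KEY_BITS=256

# The one-off command that creates the mapping by hand.
cryptswap_open_cmd() {
    printf '%s' "cryptsetup open --type plain --cipher $CIPHER --key-size $KEY_BITS --key-file /dev/urandom $1 $SWAP_NAME"
}

# Equivalent /etc/crypttab line so the init scripts do it at boot; the
# 'swap' option makes them run mkswap on the fresh mapping every time.
crypttab_line() {
    printf '%s' "$SWAP_NAME $1 /dev/urandom swap,cipher=$CIPHER,size=$KEY_BITS"
}

# /etc/fstab must reference the mapping, never the raw partition.
fstab_line() {
    printf '%s' "/dev/mapper/$SWAP_NAME none swap sw 0 0"
}

# Apply now. The partition is zeroed once first so that pages from the old
# unencrypted swap do not survive underneath the new mapping.
apply() {
    dev=$1
    [ "$(id -u)" -eq 0 ] || { echo "apply: must run as root" >&2; return 1; }
    swapoff "$dev" 2>/dev/null || true
    dd if=/dev/zero of="$dev" bs=1048576 2>/dev/null || true
    cryptsetup open --type plain --cipher "$CIPHER" --key-size "$KEY_BITS" \
        --key-file /dev/urandom "$dev" "$SWAP_NAME"
    mkswap "/dev/mapper/$SWAP_NAME"
    swapon "/dev/mapper/$SWAP_NAME"
}

case $1 in
    --apply) apply "$2" ;;
    *)
        dev=${1:-/dev/sda5}
        echo "# run once as root:"; cryptswap_open_cmd "$dev"; echo
        echo "# or persist in /etc/crypttab:"; crypttab_line "$dev"; echo
        echo "# and in /etc/fstab:"; fstab_line; echo
        ;;
esac
```

Because the key never exists outside kernel memory, tearing the mapping down (or simply powering off) is the "fast format": whatever was paged out becomes ciphertext under a key nobody has. The remaining exposure is the one the thread already identifies, a machine left running with the mapping live.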
  7. Zoltan Guest

    Can Truecrypt do this?

    Or are you assuming that the recipient has Truecrypt installed?
     
    Zoltan, Jun 19, 2006
    #7
  8. Have been reading and searching and didn't find anything. Can you point
    me somewhere? Can we randomly generate a key and fast-format the volume
    or is the key static, therefore always available to Mallory? Also under
    Windows?

    superseed: It's a third-party addon and seemingly not so stable.
    Generally a good idea, but it creates a lot of hassles with system
    management and repair.
    As an alternative on a vastly shared system, you might take a look at
    SUperior SU, which allows additional logons, but only layered (reads:
    you need to log off to get back to your previous user).

    Or, as recently pointed out, USB, which has the same remote direct
    memory access feature as FireWire. A sophisticated attacker would
    attach a module directly to the memory controller.
     
    Sebastian Gottschalk, Jun 19, 2006
    #8
  9. Definitely. Just create all your files in a TrueCrypt container mounted
    on a file, dismount and send the file.
     
    Sebastian Gottschalk, Jun 19, 2006
    #9
  10. nemo_outis Guest


    Go to:

    http://www.truecrypt.org/user-guide/?s=version-history

    and search on "swap" (11th bullet on page under "New Features" briefly
    describes the option)

    I haven't tried the option myself (I encrypt the whole drive with
    Safeboot Solo).


    I consider TCGINA to be "halfway" between partition/container-file OTFE
    encryption (e.g., Truecrypt) and full-HD OTFE encryption (e.g., Safeboot
    Solo)


    Yeah, locking the computer is better than nothing but not a lot better
    :) To my mind, it's for going to the can, not for leaving the machine
    running unattended overnight (for which, unhappily, there are no good
    solutions - short of a vault).

    Regards,
     
    nemo_outis, Jun 19, 2006
    #10
  11. Hadron Quark Guest

    So, they (the recipient) definitely need truecrypt installed?
     
    Hadron Quark, Jun 20, 2006
    #11
  12. Which is a requirement for every such scenario. I guess the only and not
    very preferable solution of asynchronous encrypted data transfer with
    Windows default programs would be an S/MIME encrypted eMail with Outlook
    Express.

    If you're daring for self-extracting executables: very bad idea!
     
    Sebastian Gottschalk, Jun 20, 2006
    #12
  13. TwistyCreek Guest

    Utter nonsense. PGP has SDA's and Truecrypt has "Traveller Mode".
    Total rubbish. There's no difference at all between the security of a
    Truecrypt Traveller Mode volume and a "normal" one, or a symmetrically
    encrypted PGP file that's decrypted with an existing PGP installation,
    or the code that's included in that file.
     
    TwistyCreek, Jun 20, 2006
    #13
  14. And both require the installation of a device driver. And they both must
    be present on the recipients system :)
    Except that the code can get modified by an attacker.
     
    Sebastian Gottschalk, Jun 20, 2006
    #14
  15. TwistyCreek Guest

    No, they do not.

    As is usually the case, Gottschalk has completely boogered up some basic
    and important information.

    http://www.truecrypt.org/user-guide/?s=traveller-mode

    There is also, or used to be, a "self decrypting" option for PGP files
    where the encrypted file also contains enough of the program to decrypt
    the file when the password is entered. I haven't looked at PGP in ages
    so it's up to you to hit their site. But this would also eliminate the
    need for a permanent installation just like Truecrypt's "Traveller
    Mode" does.
     
    TwistyCreek, Jun 20, 2006
    #15
    No, I didn't miss that. The users will still need to download it or get
    it transferred through a secure channel, and install at least the device
    driver. In any case, it is not pre-installed on Windows and the user
    need to get it from somewhere - which was the obvious intent on that
    question.
    And this is a very stupid idea. The attacker can simply modify the
    executable part to mail the password to him as well. Now verifying the
    executable boils down to already having a verifier program, which just
    mirrors the initial situation...
     
    Sebastian Gottschalk, Jun 20, 2006
    #16
  17. Nonsense. You have no clue what you're talking about. Neither one
    requires any such thing. That is in fact why these modes exist; to
    allow access to encrypted data on machines where NOTHING is installed.
    Straw grabbing nonsense. The "code" for an installed version can be
    modified by an attacker. And symmetrically encrypted data is vulnerable
    to MITM attacks anyway because you're removing the PKI infrastructure
    and what little authentication it provides.

    There is no difference between SDA/Traveller and comparable "normal"
    modes. Again, you have no clue and you're spreading FUD.
     
    George Orwell, Jun 20, 2006
    #17
  18. TwistyCreek Guest

    It's painfully obvious you have no idea what so ever how any of this
    stuff works. None.
     
    TwistyCreek, Jun 21, 2006
    #18
  19. It's painfully obvious that you don't even have an argument, beside that
    these are real-world facts.

    And that your mail address is invalid as well, in strict violation of
    RFC 1036 and 2822.
     
    Sebastian Gottschalk, Jun 21, 2006
    #19
  20. Hadron Quark Guest

    Not according to the traveller mode information: it includes the
    encrypted file and necessary TrueCrypt executables to open that file
    up. No more or less secure than having TrueCrypt installed from what I
    can see.
    That sounds to be true: if an attacker could replace the travelling
    code with his own he could prompt for passphrase and compromise it.


    --
     
    Hadron Quark, Jun 21, 2006
    #20
