Protecting ones data on removable drives
Sunday, January 25, 2009
With large capacity drives and USB sticks getting cheaper for more capacity, the tendency to carry more and more around with you increases. With so much information being digitzed, losing a USB-key or a small passport sized backup USB drive would be akin to losing your wallet, keys and credit cards...
Truecrypt
I've been looking at Truecrypt which is an open-source encryption application which can encrypt entire partitions, drives and/or create a virtual drive as a file on an existing file-system. It has a rich set of encryption algorithms and can also chain them together. For example, it can chain AES256 (Rijndael), Twofish and Serpent the latter two being finalists for AES encryption standard. There's plenty of information out there on the strengths of these ciphers, so I won't go into detail here...
However, if you are interested, you can read NIST's entire 116 page report on the AES encryption round and their decisions to choose Rijndael. In summary none have any known security attacks let alone cracked (it would've never made it this far if it had been cracked before :) ). The strength testing they used was on purposely weakened versions of the algorithms - and usually provided by the team themselves. Twofish and Serpent came out slightly stronger in the 'weakend' versions submitted for analysis, but didn't fare so well in things like implementation (i.e. smartcards, memory footprint for asic implementation etc.).
Unfortunately, Truecrypt only comes with packages ready for SuSE and Ubuntu, however the source is available for download.
A guide is available here if you want to build and compile it yourself.
http://arbitness.blogspot.com/2008/07/installing-truecrypt-on-fedora-9-howto.html
There's good information here as well:
http://penguinenclave.blogspot.com/2008/12/truecrypt-61-install-guide-for-fedora.html
However, what is nice is that there are binaries for Fedora available from here:
http://www.lfarkas.org/linux/packages/fedora/9/
Since I run Fedora 9 x86_64 version, there was no binary, so I downloaded the srpm file from here:
http://www.lfarkas.org/linux/packages/fedora/9/SRPMS/
The basic process for building it from SRPM is as follows:
Truecrypt is easy to use. Once it's up and running it has a gui for mounting encrypted volumes and for creating them. Refer to the documentation at Truecrypts website.
PGP and GnuPG
Finally the other method I use is PGP or the linux implementation of it called GPG.
I've primarily been looking GPG to do symmetric cipher encryption on a single file, which basically asks for a passphrase prior to encryption. You just then need the passphrase to decrypt the file. Not as a secure as using public/private key encryption of course...
GPG defaults to 'CAST5' (or CAST-128) so I've forced it to use TWOFISH in this implementation. GPG supports a few ciphers, and you can check what's available on your system by running 'gpg --version'.
The best method to modify the cipher algorithm to use is to modify the ~/.gnupg/gpg.conf file and add the following items at the end. Modifying the 'personal-cipher-preferences' option as shown defaults TWOFISH as the cipher to use first.
You probably don't need to adjust the digest-preferences unless you're wanting to use it with private/public keys etc.
To decrypt you would just type:
If you want to encrypt multiple files, it's a lot easier to zip or tar them and then encrypt the final compressed file.
Windows users can use the win32 implementation of GnuPG available from here:
http://www.pgpi.org/download/gnupg/
A GUI front-end to GPG called WinPT is available from here:
http://winpt.gnupt.de/int/
Otherwise PGP is compatible.
http://www.pgp.com/downloads/desktoptrial/desktoptrial2.html#trial_or_freeware
Quick update, Truecrypt is now available in Fedora 11 called Realcrypt from the rpmfusion repositories. Make sure you have rpmfusion enabled and then install via yum.
Truecrypt
I've been looking at Truecrypt which is an open-source encryption application which can encrypt entire partitions, drives and/or create a virtual drive as a file on an existing file-system. It has a rich set of encryption algorithms and can also chain them together. For example, it can chain AES256 (Rijndael), Twofish and Serpent the latter two being finalists for AES encryption standard. There's plenty of information out there on the strengths of these ciphers, so I won't go into detail here...However, if you are interested, you can read NIST's entire 116 page report on the AES encryption round and their decisions to choose Rijndael. In summary none have any known security attacks let alone cracked (it would've never made it this far if it had been cracked before :) ). The strength testing they used was on purposely weakened versions of the algorithms - and usually provided by the team themselves. Twofish and Serpent came out slightly stronger in the 'weakend' versions submitted for analysis, but didn't fare so well in things like implementation (i.e. smartcards, memory footprint for asic implementation etc.).
Unfortunately, Truecrypt only comes with packages ready for SuSE and Ubuntu, however the source is available for download.
A guide is available here if you want to build and compile it yourself.
http://arbitness.blogspot.com/2008/07/installing-truecrypt-on-fedora-9-howto.html
There's good information here as well:
http://penguinenclave.blogspot.com/2008/12/truecrypt-61-install-guide-for-fedora.html
However, what is nice is that there are binaries for Fedora available from here:
http://www.lfarkas.org/linux/packages/fedora/9/
Since I run Fedora 9 x86_64 version, there was no binary, so I downloaded the srpm file from here:
http://www.lfarkas.org/linux/packages/fedora/9/SRPMS/
The basic process for building it from SRPM is as follows:
cd ~/rpmbuild/SRPMS
wget -c http://www.lfarkas.org/linux/packages/fedora/9/SRPMS/truecrypt-6.1-1.fc9.src.rpm
rpmbuild --rebuild truecrypt-6.1-1.fc9.src.rpm
cd ~/rpmbuild/RPMS/x86_64/
su -c"rpm -Uvh truecrypt-6.1-1.fc9.src.rpm"
Truecrypt is easy to use. Once it's up and running it has a gui for mounting encrypted volumes and for creating them. Refer to the documentation at Truecrypts website.
PGP and GnuPG
Finally the other method I use is PGP or the linux implementation of it called GPG.
I've primarily been looking GPG to do symmetric cipher encryption on a single file, which basically asks for a passphrase prior to encryption. You just then need the passphrase to decrypt the file. Not as a secure as using public/private key encryption of course...
gpg -v --cipher-algo TWOFISH --symmetric --output <encrypted file> <name of file you want encrypted>
GPG defaults to 'CAST5' (or CAST-128) so I've forced it to use TWOFISH in this implementation. GPG supports a few ciphers, and you can check what's available on your system by running 'gpg --version'.
$ gpg --version
gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
The best method to modify the cipher algorithm to use is to modify the ~/.gnupg/gpg.conf file and add the following items at the end. Modifying the 'personal-cipher-preferences' option as shown defaults TWOFISH as the cipher to use first.
personal-cipher-preferences TWOFISH AES256 AES192 AES BLOWFISH CAST5 3DES
personal-digest-preferences SHA256 SHA1 SHA512 SHA384 SHA224 RIPEMD160 MD5
personal-compress-preferences ZIP ZLIB BZIP2 Z0
You probably don't need to adjust the digest-preferences unless you're wanting to use it with private/public keys etc.
To decrypt you would just type:
gpg <name of encrypted file>
If you want to encrypt multiple files, it's a lot easier to zip or tar them and then encrypt the final compressed file.
Windows users can use the win32 implementation of GnuPG available from here:
http://www.pgpi.org/download/gnupg/
A GUI front-end to GPG called WinPT is available from here:
http://winpt.gnupt.de/int/
Otherwise PGP is compatible.
http://www.pgp.com/downloads/desktoptrial/desktoptrial2.html#trial_or_freeware
Quick update, Truecrypt is now available in Fedora 11 called Realcrypt from the rpmfusion repositories. Make sure you have rpmfusion enabled and then install via yum.
yum install realcrypt
Labels:
truecrypt gpg encryption
Interesting...