FreeNAS with Truecrypt encryption | TrueNAS Community
#1 Femtoaeon (Cadet)
Hello,
I have a performance issue when using a TrueCrypt container in combination with FreeNAS. I would appreciate help resolving and understanding the problem.
Test System:
Mainboard: Asus Z87-Plus
CPU: Intel Core i5-4430 4x 3.00GHz
RAM: 32 GB DDR3-1600 MHz
System drive: SSD 60GB 360/550 Flare SA3 PAT
RAID drives: 7 x WD 3TB
LAN: 1 Gbit/s
All hard disks are in a RAID-Z2 configuration. I am aware that no ECC RAM is used in the test system. This will be changed later.
Test 1:
Read and write of 3.78 GB movies from a notebook over Ethernet.
Drive in the notebook: Samsung SSD 850 EVO M.2
Write: 110 MB/s
Read: 110 MB/s
Data rates as anticipated.
Test 2:
A TrueCrypt container with a capacity of 20 GB is created on the RAID-Z2. Compression and atime are deactivated. Recordsize is the standard value of 128K. The container is mounted from a notebook. CPU @ notebook: Intel Core i7-6700HQ @ 2.6 GHz (with hardware acceleration). Copying the 3.78 GB of data from SSD to container.
At first 600 MB/s are shown. Later the data rate sinks slowly to 2.5 MB/s.
Approximately 30 Minutes copy duration for 3.78 GB is not acceptable.
Test 3:
Test 2 is repeated with a recordsize of 512. There was no significant improvement.
Test 4:
If a QNAP System is used with RAID 6 and 5 x 1 TB the data rates for reading and writing of the container were bigger than 50 MB/s.
Guess:
As far as I am informed, ZFS does not use copy on write (COW) but rather redirect on write (ROW). This means that new data is always written to a new location on the disk, which results in fragmentation of the container, which could probably explain the performance drop. If this guess is right, then I do not understand why the performance drop happens already during the first write process.
While writing the “Disk Busy” status was between 40 % and 60 %.
Hopefully someone can help.
#2 garm (Wizard)
Don’t use TrueCrypt. It’s broken, unsupported and discontinued.
https://en.wikipedia.org/wiki/TrueCrypt
#3 Femtoaeon (Cadet)
Hello garm,
thanks for the reply.
Even when I use VeraCrypt as alternative to TrueCrypt the same behaviour is shown.
#4 garm (Wizard)
What about swapping and ARC size? I might be wrong on this, but when you add content to a VeraCrypt container you actually change the entire container as you go; there is no way of knowing which block stores content and which is blank. So you need to load the whole thing into memory on the machine that mounts the container and send the whole thing as changes happen. I’m guessing this quickly fills up your ARC and the system starts swapping, bringing your system to a crawl.
The good news is that you should be able to see this happen in the reports. Dealing with big files like this, I would read up on the requirements for iSCSI, as I suspect the workload is similar.
Ps. Well actually I might be totally off on the workload thing.. but I still suspect ARC
#5 Femtoaeon (Cadet)
Again thanks for the reply.
I did the test shortly after turning on the system. At first the arc size was approximately 0.
After starting the copy process the arc size increased in maximum up to 8 GB. It did not rise above. So normally the RAM should be enough or the arc is somehow not used. Since the container has only 20 GB the complete container should fit inside the arc.
At first I had only 16 GB RAM. Then I was told that the RAM could be too little and I upgraded to 32 GB.
I posted here because even with 32 GB RAM the behavior did not change.
Are you sure, that the entire container will change?
I have worked with containers up to a few TB in size. The latency was minimal.
I would suspect that the container is divided up into small encrypted blocks. If data is written, only the corresponding block should be changed. So only the corresponding block has to be read or written. But here I am not sure. It was hard to find information about the encryption process.
How can I access the reports?
I will read a bit about iSCSI.
#6 garm (Wizard)
No, you’re right, VeraCrypt will encrypt block by block. Something else is going on.
#7 Femtoaeon (Cadet)
As I read about iSCSI I found out that iSCSI works block-based while SMB works file-based.
Some sources explained that if I want a specific data block read and I use SMB, then all the data up to the wanted data block is read and transferred. This could explain the low performance with SMB.
With iSCSI only the wanted data block has to be transferred.
So as a test I configured an iSCSI volume of 50 GB.
The iSCSI volume was attached to my laptop.
Here write rates of 50 MB/s are possible.
The TrueCrypt container was then placed inside the iSCSI volume.
The TrueCrypt container was mounted.
If I now write to the TrueCrypt container, the same behaviour as before is seen.
At first 600 MB/s are shown as transfer rate. Later the data rate sinks slowly to 4 MB/s.
#8 garm (Wizard)
Well, 600 MB/s is not possible on 1 GbE; you probably see Windows writing to memory. Then it starts flushing memory to the container on the NAS, and that is insanely slow for whatever reason. Do you get the same behavior with a container stored locally?
#9 Femtoaeon (Cadet)
This seems reasonable.
At 1 GbE the datarate should be limited to 125 MB/s.
Which is more or less the datarate reachable without using the encrypted container.
Even if there is cache at the server the connection is not faster than 125 MB/s.
So the 600 MB/s must be the datarate towards the cache of the notebook.
I copied my test file to a 20 GB container on my SSD. So I copied from SSD to a container on the SSD.
The data rate also starts at 600 MB/s. Then the data rate sinks to a range between 200 MB/s and 300 MB/s.
This cache at the notebook explains why the datarate starts so high.
Any more ideas what could be the reason for the slow copy process from the cache towards the container on the NAS?
#10 Nick2253 (Wizard)
I’m not sure this is the solution that you are looking for, but you might be better off just creating an iSCSI zvol, and populating it with an encrypted file system. For example, on Windows you could use EFS with NTFS.
The Math on Hard Drive Failure
#11 joeschmuck (Old Man)
Nick2253 said:
> I’m not sure this is the solution that you are looking for, but you might be better off just creating an iSCSI zvol, and populating it with an encrypted file system. For example, on Windows you could use EFS with NTFS.
I like this, I may try this myself just to see how well it works.
hard drive — Cross Platform Encrypted File Server / NAS?
I have a desktop computer running Windows and two Mac laptops. The desktop computer has two internal hard drives, both NTFS and both encrypted with TrueCrypt (yes, I know TrueCrypt is supposedly not safe to use anymore).
Every night, all three machines get backed up to the desktop computer’s secondary drive. Once a month, I clone the desktop computer’s secondary drive onto an external hard drive that I keep at work, which is also NTFS and encrypted with TrueCrypt. I think this is a pretty good setup because:
- I have 3 copies of my data that is >1 month old
- I have 2 copies of my data that is <1 month old
- All copies of my data are encrypted
The downside I have found with this setup is that the data from the Mac laptops doesn’t always do well with being copied onto an NTFS drive. I think it would be better to have my three machines all get backed up to a drive that uses a file system that plays well with Windows and Mac data. I also want it to be encrypted, though. I’m wondering what the best approach for this is. I have very, very little experience with NAS, so I could be mistaken about this, but isn’t it typical for a NAS to try to be smart with your data and hold your hand through the process? I kind of don’t want that. I just want my data encrypted and I will create an off-site backup myself like I’m currently doing. Any suggestions? Thank you!
- hard-drive
- backup
- filesystems
- cross-platform
Fat32 should be a little more Mac friendly than NTFS. Depends on how important some NTFS features are to you.
From PCmag
FAT32 is read/write compatible with a majority of recent and recently obsolete operating systems, including DOS, most flavors of Windows (up to and including 8), Mac OS X, and many flavors of UNIX-descended operating systems, including Linux and FreeBSD.
NTFS, on the other hand, is fully read/write compatible with Windows from Windows NT 3.1 and Windows XP up to and including Windows 8. Mac OS X 10.3 and beyond have NTFS read capabilities, but writing to an NTFS volume requires a third party software utility like Paragon NTFS for Mac. There are other hacks and workarounds for NTFS on the Mac, but in any case NTFS is only semi-compatible with OS X. NTFS on Linux systems is spotty for both read and write operations. Look for NTFS-3G driver support on your Linux support page to see if it’s built in.
If NTFS features are important, you could try using one of the aforementioned third party utilities for Mac.
TrueCrypt container as storage for XenServer virtual machines / Sudo Null IT News
The task was to provide encrypted storage for virtual machines on XenServer, and specifically to encrypt it with TrueCrypt. Having found no useful information on the topic online, I decided to share a note on the subject. At the moment the solution is in production; it works and gives no trouble.
The boss asks: what is the point of all this?
There are many answers, but the most common one is that there is private information which must be kept from unwanted eyes in case the server is physically seized.
Why not encrypt the data on the virtual machine then?
Yeah why not. But in my case, I would have to encrypt about 20 machines, and in the event of a reboot, I would have to connect all 20 containers, which is not very convenient. Therefore, we will immediately encrypt the disk and deploy all virtual machines to it.
From words to deeds
First things first, we need XenServer installed. There are a lot of manuals on the Internet for this process, so I’ll skip it.
We need disk space where the hypervisor is installed or a separate disk. I think it’s better to use a separate disk or even a raid array for such things, because if the information is so private that it needs to be encrypted, then its loss will probably make few people happy.
The procedure for preparing a disk is standard for linux systems and will not cause trouble for experienced users, but just in case, let me remind you:
Through mkfs.ext3 we will create a file system for the partition.
#: mkfs.ext3 /dev/sdx1
Let’s add the mount rules to fstab and we’re done.
/dev/sda1 /mnt/xen ext3 errors=remount-ro 0 0
It’s time to install truecrypt:
#: wget https://download.truecrypt.ch/current/truecrypt-7.1a-linux-console-x64.tar.gz
#: tar -zxvf truecrypt-7.1a-linux-console-x64.tar.gz
#: ./truecrypt-7.1a-setup-console-x64
Everything is fine, except that XenServer lacks libfuse.so.2 by default. The hypervisor’s control domain is based on CentOS, so this is not a big problem for us:
#: yum --enablerepo=base --disablerepo=citrix install fuse-devel fuse
Now everything is ready to create an encrypted container:
#: truecrypt -c
volume type:
 1) Normal
 2) Hidden
Select [1]: 1
Enter volume path: /mnt/xen/dts
Enter volume size (sizeK/size[M]/sizeG): 290G
encryption algorithm:
 1) AES
 2) Serpent
 3) Twofish
 4) AES-Twofish
 5) AES-Twofish-Serpent
 6) Serpent-AES
 7) Serpent-Twofish-AES
 8) Twofish-Serpent
Select [1]: 1
hash algorithm:
 1) RIPEMD-160
 2) SHA-512
 3) Whirlpool
Select [1]: 1
filesystem:
 1) None
 2) FAT
 3) Linux Ext2
 4) Linux Ext3
 5) Linux Ext4
Select [2]: 1
Enter password:
Re-enter password:
Enter keyfile path [none]:
Please type at least 320 randomly chosen characters and then press Enter:
The process itself will take some time, it all depends on the disk subsystem and server capacity.
My ~300 GB container was created in about 2 hours…
After creating the container, we mount it into the system, we will forward it to xen:
#: truecrypt --password=*** --filesystem=none --protect-hidden=no /mnt/xen/dts
If everything was done correctly, then running truecrypt --list will show the list of mounted containers:
1: /mnt/xen/vms1 /dev/mapper/truecrypt1 -
And finally, the very goal of all our preparatory actions is to forward the container to xenserver:
#: xe sr-create name-label=VMS shared=false device-config:device=/dev/mapper/truecrypt1 type=lvm sm-config:type=raw virtual-size=280GiB
#: xe pool-param-set uuid=____ default-SR=____
uuid and default-SR can be found through xe pool-list and xe sr-list.
# xe pool-list
uuid ( RO)              : f33ac257-3fcf-1653-7b8f-105c83bf98d1
        name-label ( RW):
  name-description ( RW):
            master ( RO): 8362a425-4bef-4712-8864-a7542ba19c80
        default-SR ( RW): 950d80a8-bc98-1879-ba5f-653a01d0ced6
#: xe sr-list
...
uuid ( RO)              : 950d80a8-bc98-1879-ba5f-653a01d0ced6
        name-label ( RW): VMS
  name-description ( RW):
              host ( RO): xenserver-luzdrjrf
              type ( RO): lvm
      content-type ( RO):
This is where the magic ends: with OpenXenManager or XenCenter we can now create new virtual machines inside the encrypted container without fearing for their privacy if the hardware is physically seized.
Naturally, in the event of a reboot, you will have to manually mount the container, forward it again, and only then start the virtual machines, but for this we tried, in fact.
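The manual post-reboot procedure just described (mount the container, find its mapper device, re-attach the SR) is easy to script. The helper below is an added example, not code from the article; it assumes the truecrypt 7.1a console binary and the XenServer xe CLI are on PATH, reuses the container path /mnt/xen/dts and SR label VMS from the article, and assumes (not stated in the article) that re-plugging the SR's PBD is enough to bring the storage back once the mapper device exists. It deliberately does not pass --password on the command line, since that leaves the passphrase in shell history and in the process list; truecrypt prompts on the terminal instead.

```python
"""Post-reboot helper for a TrueCrypt-backed XenServer SR (added example, not from the article).

Assumes: truecrypt 7.1a console binary and the `xe` CLI on PATH; the container path and
SR name-label from the article; replugging the SR's PBD is sufficient after a reboot.
"""
import re
import subprocess

CONTAINER = "/mnt/xen/dts"   # container path used in the article
SR_LABEL = "VMS"             # SR name-label used in the article

# One line of `truecrypt --list`: "<slot>: <container> <mapper device> <mount point or ->"
LIST_LINE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_truecrypt_list(text: str) -> dict:
    """Map container path -> device-mapper node from `truecrypt --list` output."""
    mapping = {}
    for line in text.splitlines():
        m = LIST_LINE.match(line)
        if m:
            mapping[m.group(2)] = m.group(3)
    return mapping


def is_truecrypt_mapper(device: str) -> bool:
    """Only hand xe a device-mapper node that truecrypt created (/dev/mapper/truecryptN)."""
    return re.fullmatch(r"/dev/mapper/truecrypt\d+", device) is not None


def run(*argv: str) -> str:
    """Run a command and return its trimmed stdout; raises on non-zero exit."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout.strip()


def mount_container(container: str) -> str:
    """Mount the container (truecrypt prompts for the passphrase) and return its mapper device."""
    # No --password=... here: it would be recorded in shell history and visible in `ps`.
    subprocess.run(["truecrypt", "--filesystem=none", "--protect-hidden=no", container], check=True)
    device = parse_truecrypt_list(run("truecrypt", "--list")).get(container)
    if device is None or not is_truecrypt_mapper(device):
        raise RuntimeError(f"{container} is not mounted as a truecrypt mapper device")
    return device


def replug_sr(label: str) -> str:
    """Re-plug the PBD of the SR named `label` so xapi sees the storage again (assumption)."""
    sr_uuid = run("xe", "sr-list", f"name-label={label}", "--minimal")
    pbd_uuid = run("xe", "pbd-list", f"sr-uuid={sr_uuid}", "--minimal")
    run("xe", "pbd-plug", f"uuid={pbd_uuid}")
    return pbd_uuid


if __name__ == "__main__":
    dev = mount_container(CONTAINER)
    print(f"{CONTAINER} -> {dev}; SR {SR_LABEL} PBD {replug_sr(SR_LABEL)} plugged")
```

Run it as root in the control domain after each reboot, before starting the VMs; the mapper check ensures a failed or misnamed mount never reaches xe.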
P.S.: The note is aimed at beginners or people who have never solved such problems.
Instructions for using TrueCrypt. Advanced level
Anonymity and Security Software
Alexander Mayer
Good day, reader! Today we will continue to get acquainted with a wonderful cryptographic tool called TrueCrypt. As you remember, in the first part of the article we got acquainted with the basic functions of this program, learned how to install and Russify it, create simple volumes (cryptocontainers), encrypt flash drives and non-system partitions and disks.
Today we will get acquainted with more advanced features of this wonderful program…
ADVANCED LEVEL:
- Creating a Hidden TrueCrypt Volume
- System disk and operating system (OS) encryption
- Creating a hidden OS
- A bit about decryption
- TrueCrypt and virtual machines
- Plausible Deniability
- Security requirements, precautions, data leaks
For those who have not read the first part of the article, I highly recommend doing so. Among other things, it gives a brief theoretical background, and there is no getting anywhere without theory.
Attention! I highly recommend reading the article about the recent TrueCrypt situation: TrueCrypt – Scandals, Intrigues, Investigations [+ Alternatives to TrueCrypt]
Creating a TrueCrypt Hidden Volume
TrueCrypt hidden volumes are one way to achieve plausible deniability. It works like this: a simple (outer) volume is created, and a hidden volume is placed inside it. If you are ever cornered and «asked nicely» for a password, you can give out the password for the simple volume. For appearances, that volume holds data that is confidential but far less critical than what sits in the hidden volume. Let’s go through everything in order.
First of all, the hidden volume needs to be created. Launch TrueCrypt and select «Create Volume». In the Volume Creation Wizard that opens, select «Create Encrypted File Container»:
At the next step, select «TrueCrypt Hidden Volume». At first do not forget to read the explanations in the program itself for each action.
At the «Volume Creation Mode» stage, we are offered two options: normal and direct. If you already have a file container (simple volume), then choose direct mode. But we will consider the creation «from scratch». Therefore, we select the normal mode:
Next, you should specify the location of the volume, i.e. select a file that will play the role of a cryptocontainer. I remind you that all the nuances of creating a simple volume (file container), as well as choosing a file and its extension are described in the first part of the article.
The next step is to set the parameters for outer volume — this is very important! After all, we will have two volumes. And for each of them, you can set your own parameters (encryption and hashing algorithms). But the main thing is that each volume needs its own password!
As for the choice of algorithms, as an example, we will consider the default options (in the future, you can experiment). So feel free to click «Next».
Now you need to specify the size of the volume. Again, I repeat that all the details on this subject are described in the first part. And let me remind you that now we are creating an external volume, and its size, of course, should be larger than the intended internal one.
Next, we will be prompted to choose a password for the external volume. This password may not be too complicated, but it should not be especially simple either. I believe that a password of about 6 characters, consisting of letters and a couple of numbers, will be enough.
Remember to save any passwords you create in KeePass, 1Password, or another password manager right away. I recommend using them instead of storing passwords in text files or Word files.
You can also use a key file or a password + file combination as a password. At your discretion.
The next step is to format the outer volume. Here everything is the same as when creating a simple volume. If you do not plan to store files larger than 4 GB in the encrypted container, it is better to leave the FAT file system. The cluster size is also left at the default. Click «Format» and wait for the formatting to finish.
TrueCrypt will notify you when the volume is created and will offer to put files into it that you supposedly want to hide, but which in fact have no special value to you. For example, these may be some personal photos, preferably of intimate content (to make it more believable that you wanted to hide them), or some of your financial documents, again ones that will not entail any legal consequences.
By the way, the outer volume is already mounted at this point. Therefore, you just need to open it and copy the selected files into it. Then click «Next».
Now it’s time to create our hidden volume.
Then everything is the same as with the external volume — specify the algorithms (or leave everything by default), the volume size (moreover, TrueCrypt will tell you the maximum possible size) and the password.
The password must be sufficiently complex: 10 characters and up, although TrueCrypt itself suggests using passwords no shorter than 20 characters, and I personally follow that advice. Use not only letters and numbers but also special characters. Most importantly, it must be completely different from the password for the outer volume!
Next, specify the file system and cluster size again, and click «Format». Everything is similar to creating a simple volume.
After formatting the hidden volume, TrueCrypt will notify us with a very formidable warning:
This is indeed a very important point! We will talk about precautions below. But now we should talk about protection against damage to the volume.
The thing is that when you read files from an external container, there is no threat of damage to the internal volume. But, when you write some files to an external volume, this threat is very significant. Therefore, we need to protect the hidden volume.
To do this, start TrueCrypt, select the volume to mount (specify the file) and enter the password:
But before mounting this volume (the «OK» button), you must click «Options». In the «Mount Options» dialog, tick «Protect hidden volume against damage caused by writing to outer volume», enter the password for the hidden volume, and click OK.
There are a few things to understand here:
- This procedure is a great help to plausible deniability, so I advise you not to neglect it
- Hidden volume protection is active exactly until the volume is unmounted. At the next mount, the steps to protect the volume from damage must be repeated.
- Hidden volume protection should only be used when you want to add files to the outer volume! That is why, to avoid these extra steps, it was suggested at the very beginning, when creating the outer volume, to place the necessary files on it right away (the ones meant to mislead an ill-wisher, i.e. those that are of no particular value to you).
I would like to mention one more important detail. If you are already puzzling over hidden volumes, then you really do have something to hide. Therefore, I strongly recommend that you read (or rather, study!) the official TrueCrypt manual. In particular, what we have just discussed is described very thoroughly and competently in the chapter «Protection of hidden volumes from damage».
Well, now it remains to talk about the most important thing: how do we mount the hidden volume? =) Like everything ingenious, this is insanely simple! To mount it, you select our container file but enter the password of the hidden volume. That is, if you give this file the outer volume’s password, the outer volume opens (mounts); if you give the hidden volume’s password, the hidden one does. That’s all the magic! =)
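The two behaviours described above, one container that mounts as either volume depending on the password and the «protect hidden volume» option that stops outer-volume writes from destroying hidden data, can be seen in a small model. The code below is an added example, not code from the article or from TrueCrypt, and it does not reproduce TrueCrypt’s on-disk format (XTS-AES-encrypted headers at fixed offsets with CRC checks); it keeps only the design: two headers, one password each, trial-opening both headers on mount, and a write guard for the hidden area. The PBKDF2 iteration count, salt length, HMAC-based header check and all sample data are constructed for the model.

```python
"""Model of TrueCrypt's hidden-volume design (added example; not TrueCrypt's real format)."""
import hashlib
import hmac
import os
from typing import Optional

MAGIC = b"TRUE"  # a decrypted TrueCrypt header starts with this; used here only as a label


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> header key. The iteration count is a model value, not TrueCrypt's."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 1000, dklen=32)


class Header:
    """One volume header: where the volume lives plus a password-keyed check value."""

    def __init__(self, password: str, start: int, size: int):
        self.start, self.size = start, size
        self.salt = os.urandom(64)  # constructed: TrueCrypt also uses a 64-byte salt
        self.check = self._check(derive_key(password, self.salt))

    def _check(self, key: bytes) -> bytes:
        fields = MAGIC + self.start.to_bytes(8, "big") + self.size.to_bytes(8, "big")
        return hmac.new(key, fields, "sha256").digest()

    def opens_with(self, password: str) -> bool:
        """True only if the password reproduces the check value (model of 'header decrypts OK')."""
        return hmac.compare_digest(self._check(derive_key(password, self.salt)), self.check)


class Container:
    """A file container: the outer volume spans it all, the hidden volume sits at its tail."""

    def __init__(self, size: int, outer_pw: str, hidden_pw: str, hidden_size: int):
        self.data = bytearray(size)
        self.outer = Header(outer_pw, 0, size)
        self.hidden = Header(hidden_pw, size - hidden_size, hidden_size)
        self.mounted: Optional[str] = None
        self.protect_hidden = False

    def mount(self, password: str, protect_hidden_pw: Optional[str] = None) -> str:
        """Try the outer header, then the hidden one: the password decides what you see.

        protect_hidden_pw models the «Protect hidden volume» mount option: the hidden
        password is required so the driver learns where the hidden area begins.
        """
        if self.outer.opens_with(password):
            self.mounted = "outer"
            self.protect_hidden = bool(protect_hidden_pw) and self.hidden.opens_with(protect_hidden_pw)
            return "outer"
        if self.hidden.opens_with(password):
            self.mounted, self.protect_hidden = "hidden", False
            return "hidden"
        raise ValueError("incorrect password or not a TrueCrypt volume")

    def _volume(self) -> Header:
        if self.mounted is None:
            raise RuntimeError("no volume mounted")
        return self.outer if self.mounted == "outer" else self.hidden

    def write(self, offset: int, payload: bytes) -> None:
        vol = self._volume()
        lo, hi = vol.start + offset, vol.start + offset + len(payload)
        if offset < 0 or hi > vol.start + vol.size:
            raise ValueError("write outside the mounted volume")
        # An outer-volume write reaching into the hidden area destroys hidden data. With
        # protection on, TrueCrypt refuses it (and switches the outer volume to read-only).
        if self.mounted == "outer" and hi > self.hidden.start and self.protect_hidden:
            raise PermissionError("write would overlap the hidden volume; refused")
        self.data[lo:hi] = payload

    def read(self, offset: int, length: int) -> bytes:
        vol = self._volume()
        return bytes(self.data[vol.start + offset:vol.start + offset + length])


def demo() -> dict:
    """Walk through the article's scenario and record what each step observed."""
    c = Container(size=4096, outer_pw="outer-pass", hidden_pw="h1dden!Pass#2024", hidden_size=1024)
    out = {}
    out["hidden_mount"] = c.mount("h1dden!Pass#2024")
    c.write(0, b"secret")                                  # data only the hidden password reveals
    out["outer_mount_protected"] = c.mount("outer-pass", protect_hidden_pw="h1dden!Pass#2024")
    c.write(0, b"decoy")                                   # harmless: far from the hidden area
    try:
        c.write(3500, b"X" * 16)                           # lands inside the hidden area [3072, 4096)
        out["overlap_refused"] = False
    except PermissionError:
        out["overlap_refused"] = True
    c.mount("h1dden!Pass#2024")
    out["secret_after_protected_write"] = c.read(0, 6)
    c.mount("outer-pass")                                  # this time mounted WITHOUT protection
    c.write(3072, b"X" * 6)                                # silently overwrites hidden data
    c.mount("h1dden!Pass#2024")
    out["secret_after_unprotected_write"] = c.read(0, 6)
    try:
        c.mount("wrong-password")
        out["wrong_pw_rejected"] = False
    except ValueError:
        out["wrong_pw_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The last two steps of demo() are the point of the article's warning: the same six-byte write is refused when the outer volume was mounted with the hidden password supplied, and quietly wipes the hidden data when it was not.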
We sort of figured out the hidden volumes, let’s move on and talk about another TrueCrypt feature…
Encryption of the system disk and operating system (OS)
TrueCrypt is able to fully encrypt the entire disk (or partition) holding the operating system. This feature is primarily useful for laptop users. It works like this: when you turn on the computer (laptop), before the operating system loads, the TrueCrypt Boot Loader is loaded from the first track of the boot disk. Only after entering the TrueCrypt password can the system start. This procedure is called pre-boot authentication.
Why is OS encryption useful for laptop owners? Yes, everything is simple. In case of theft / loss of the laptop, all your data stored on it will be 100% inaccessible to third parties. Without knowing the password, it will be impossible to decrypt the data.
If we draw an analogy with regular methods of information protection, then we can say the following:
In the case when the system is encrypted with TrueCrypt, third parties will never get access to it or to the data stored in it without knowing the password.
This method can be safely recommended to those who keep very important information on their laptop (projects, databases, online banking access, etc.) and who use it for its intended purpose, i.e. as a portable device.
Well, let’s now figure out how to encrypt a disk or partition with an OS. To do this, in the «System» menu, select the item «Encrypt system partition / drive …»
The Volume Creation Wizard, already familiar to us, will start (from here on I will not accompany every step with screenshots unless a special case requires it). Select the normal type of system encryption (the hidden type is discussed below). Next, select «Encrypt the whole drive».
In the next step, you will be prompted to choose whether to encrypt the protected area or not. Read the instructions carefully and make your choice. In most cases, you can select «Yes».
The next window is the choice of single or multi-boot. If one operating system is installed, select a single boot accordingly. If you plan to boot from multiple operating systems, choose multiboot.
Next, as in the case of simple and hidden volumes, encryption settings and password selection follow.
As for the password, my view is this: if you encrypt the system solely to protect against theft, you need not use a particularly complex password (after all, you will have to enter it before every start of the system). 6–10 characters will be enough: letters and numbers, and you can add special characters. This password should also be convenient for you personally to type. In general, though, even the most difficult unreadable password, typed daily, becomes something you can type blindly. Tested.
If the system is encrypted for other reasons (for example, it stores information that someone might come after you personally for), then a more secure password is needed. But this is all just my humble opinion.
So, the password is set. The next step is to gather entropy. Just move the mouse around the window area; the more, the better. This increases the cryptographic strength of the encryption keys.
After generating the master key, there will be a very important step — creating a recovery disk — TrueCrypt Rescue Disk (TRD). TRD is necessary in case of some situations, for example, in case of damage to the TrueCrypt bootloader. But it should be understood that TRD without a password will not help anyway.
I remind you that in all cases of working with TrueCrypt, losing your password means you will never regain access to the encrypted data. Therefore, these passwords should be stored carefully, with several backup copies, including on a physical medium (e.g. paper).
In general, specify the path where the TRD iso image will be created and click «Next»
After that, the image must be burned to a CD / DVD. It must be burned (!) as an ISO image, not just copied as a file onto the disc. The presence of the TRD is a prerequisite without which system encryption will not complete.
After burning the image, click «Next» and TrueCrypt will check if the image was written correctly. If the verification is successful, click «Next» again.
The next step is to select the wipe mode. Here again, you need to be guided solely by your goals. If you are protecting data from theft, it is enough to leave everything at the default («None»). If the hidden information is such that you could be pressed hard over it, choose 3, 7 or 35 passes.
35 passes is the so-called «Gutmann method», after which it is almost impossible to recover erased data, even with the help of magnetic force microscopy. But remember: the more passes during wiping, the longer the procedure takes. In the case of «Gutmann» it can take a whole day (depending on the size of the hard drive and the power of the PC), or even more.
In one of my future articles, we will talk about how to permanently delete data, methods of deletion and software for this purpose. And now just select the «No» option and click «Next» (we are considering the option of protection against accidental theft).
Then comes the final stage — the preliminary test. Read the explanations carefully and click «Test». Most importantly, do not forget to write down / remember the password to the encrypted system. Otherwise, you won’t be able to access it. In this case, the password, of course, must be OUTSIDE the encrypted system.
Before the pre-test starts, another «Important Notes» window will appear. Read everything very carefully. Save or print it. If there is no printer, write down the most important points with a pen, or copy it to a memory card and then to a smartphone. In short, this memo should stay with you, just in case.
Well, let’s go? Click «OK» and confirm the system reboot.
After the reboot, you will be greeted by TrueCrypt Boot Loader (the same bootloader), in which you need to enter the password for the encrypted system and press Enter.
This was a preliminary test. If the system boots, then everything is in order. And the final stage remains — the actual encryption of the disk with the OS.
In the TrueCrypt window, read the notification again (it is also advisable to make a backup copy of important files) and feel free to click on «Encryption» (another important notification will be shown, which would also be nice to save).
That’s it, now let’s go… More precisely, we just wait until the encryption is over. This process can take quite a long time. You can do something outside the computer for now. Do some household chores, drink tea.
By the way, if you still decide to encrypt the system, I recommend that you practice on a virtual machine first. Although the whole procedure is actually quite simple. The most important thing is to be very careful, read all warnings and tips. And do not forget (do not lose) the password.
At the end of the encryption procedure, TrueCrypt will notify you with another information window:
Note, by the way, that working with an encrypted OS is practically no different from working with an unencrypted OS. I mean the visual speed of work. Check it out yourself. At least, when performing everyday tasks, I don’t see any difference at all. But the speed of work will depend on the selected encryption algorithms and the power of the PC / laptop.
This completes OS encryption. It remains only to reboot and check if everything is in order.
But this is not the limit of TrueCrypt’s possibilities…
Creating a hidden operating system
A hidden operating system can serve as a good tool for hiding especially important data, and hiding work in the operating system in general. It is not possible to determine for certain its presence (subject to compliance with all security measures). This method is popular in some circles. But to be honest, I don’t see much need for this method. Moreover, there are much more interesting options (more on that later).
But for the sake of the integrity of this manual, let’s deal with this use case of TrueCrypt (I’ll try to be shorter, otherwise the article is already long).
To create a hidden OS, the system drive must have multiple partitions (2 or more). The partition in which we will place the hidden operating system must immediately follow the system partition. Usually the system partition is drive C.
If your hard drive is not partitioned (and you need a hidden OS), you will need to partition it. I will not describe how to do this in the framework of this article, there is a lot of information on the Internet (you can do this, for example, using Acronis Disk Director).
The partition where the hidden OS will be installed must be at least 5% larger than the system partition. Also, on the hard disk where the system partition is located, there must be an unallocated area of at least 32 KB in size — the TrueCrypt loader will be placed in this area.
It is more expedient to create a hidden operating system immediately after installing a clean operating system.
So let’s get started. In TrueCrypt, select the menu «System» — «Create a hidden OS …» and follow all the instructions of the wizard. Read all the notifications and tips very carefully; there will be several of them.
During the creation of a hidden OS (in fact it is created as a complete copy of the current system), you will need to reinstall the current operating system (the decoy). Therefore, prepare installation media in advance.
Then choose the boot option: single-boot or multi-boot. An outer volume is then created on the partition following the system partition. We have already considered the creation of such a volume in the example of creating hidden volumes. Everything is the same here: set the parameters (or leave the defaults), start formatting, wait.
After creating the outer volume, put meaningful files in it that you pretend to want to hide, but which are not really important to you.
The next step is to create a hidden volume inside the newly created outer volume. We have already gone through all this too =) The main thing — do not forget to read all the explanations!
And the final step is to clone the current OS. You just need to press «Start», and you will need to enter the password for the hidden volume (!). The cloning of the current operating system will begin…
This process, again, is very lengthy; stock up on patience. After creating the clone, TrueCrypt securely overwrites the existing OS (several options for the number of passes will be offered; the more passes, the longer the procedure). After that, the program will prompt you to install a new OS, which will be the decoy. The decoy OS will also be encrypted.
So, what did we end up with? I offer you a visual scheme:
We also now have 3 passwords: for the decoy OS, for the outer volume and for the hidden operating system. These passwords, of course, must be different and not resemble each other. The first two passwords are, in fact, of no value to us, and if it comes to that, we hand them over to the adversaries.
A bit about decryption
If for some reason you no longer need to use encryption, there are several ways to get rid of it.
If you encrypted the system partition, or created a hidden OS, then you can perform a complete decryption. To do this, select the menu «System» — «Permanently decrypt the system partition / drive». The decryption procedure is also quite lengthy.
If you used a file cryptocontainer (a simple volume), encryption of a non-system partition or a USB device, then there is no decryption procedure as such. In this case, you will need to mount the required volume/device and copy all files from it to a regular unencrypted partition/device. After that, the volume can be deleted. If a simple volume was used, then it is enough to simply delete the file that is the cryptocontainer. If device/partition encryption was used, then it will be enough to format this device.
TrueCrypt and virtual machines
As I said a little earlier, using a hidden OS is somewhat inconvenient. In addition, the very fact of using TrueCrypt may, under certain circumstances, indirectly indicate the presence of hidden volumes or a hidden operating system.
Therefore, I personally do not really recommend this method; I recommend virtual machines instead.
The scheme is quite simple. We create a simple file cryptocontainer and place the virtual machine image in it.
As an operating system, in this case, I can recommend Liberte Linux (a little over 200 MB) or Whonix — these are distributions designed to provide fairly high anonymity right out of the box.
If you need to run such an OS, it will be enough to mount the volume and start the system from it in a virtual machine.
In my opinion, this method is much more efficient than creating a hidden OS. And by the way, Liberte Linux can generally be run from a flash drive rather than stored in a cryptocontainer. If there is an alarm, the flash drive can simply be eaten / broken / flushed down the toilet… The main thing is to do it in time.
There are also options for creating any other OS in a virtual machine, which, in turn, will be on a portable medium — a flash drive, which, again, in turn, will be encrypted with TrueCrypt. But in this case you will have to put in a little work and «dance with a tambourine» (tinker a bit), because you can’t just run VirtualBox portable.
Plausible Deniability
Methods for plausible deniability in the TrueCrypt case include:
- creating hidden volumes;
- creating hidden operating systems.
As well as the fact that until a partition or device is decrypted, no one can guarantee that these volumes (devices, partitions) are TrueCrypt volumes.
But I personally take a somewhat more negative view of hidden volumes and hidden OSes than of file cryptocontainers. I will explain why, although I have already mentioned this.
The thing is that in the case of simple volumes it is much easier to completely hide the fact that TrueCrypt is being used. And this means that if «guests» come to you, the chances of keeping confidential information are higher than if the facts show that you use TrueCrypt at all. But in the case of a hidden OS and hidden volumes, these facts are obvious:
- an installed copy of the software is required;
- pre-boot authentication (in the case of a hidden OS).
And, believe me, if TrueCrypt is found on you (especially if you are suspected of some kind of cybercrime), then you will be tortured for the presence of hidden volumes or a hidden OS. The torture will be very skillful and painful. Perhaps they will also blackmail and threaten you. And you will not only give out all the passwords and safe houses, but also remember the name of Stalin’s grandfather. Therefore, it is better to hide the fact of using this software altogether.
There are, of course, many different variations of plausible deniability (like the ones I mentioned earlier, such as keeping personal porn or intimate photos in the outer container to divert attention, etc.). But I repeat: if they come for you purposefully, then you will be «cracked» for sure.
In all other cases, options for plausible deniability are viable. You can read more about this, with specific examples, in the same official TrueCrypt manual.
Security requirements, precautions, data leaks
In the final section of the article, I would like to briefly outline some points that any TrueCrypt user who, one way or another, is at risk must observe.
First of all, I would like to talk about data leaks. Unfortunately, TrueCrypt is not a panacea at all, and there are weak points in its operation. More precisely, these weak points are not in TrueCrypt itself, but in the operating system. First of all, we are talking about the fact that Windows constantly monitors and logs all kinds of information. The system can store, for example, such data as the last opened files and the paths to them. And if you are caught «red-handed», all this can definitely play a cruel joke on you.
In addition, there are other leak channels: memory dump files, the paging file, the hibernation file.
The thing is that there is special forensic (and hacker) software that can extract very important data from these files. For example, there is a domestic software developer, Elcomsoft, which releases all kinds of «half-hacker, half-forensic» software. In general, they release software for recovering and cracking passwords for Wi-Fi, archives, documents, and the like.
But they also release very specialized software like Elcomsoft iOS Forensic Toolkit or Elcomsoft Forensic Disk Decryptor. The first is designed for forensic examination (read «hacking») of devices based on iOS. Officially, this product is only available for sale to law enforcement experts.
The second tool I mentioned (Elcomsoft Forensic Disk Decryptor) was created precisely to «hack» encrypted containers, partitions and devices. More precisely, to extract the encryption keys. And it works exactly with the hibernation file and with a snapshot of RAM. The software also supports an attack through the FireWire port.
But not everything is so bad! For this or similar software to work, several key conditions are needed:
- If the «victim» computer is turned off, then the keys are retrieved from the hibernation file, BUT for a successful attack the volumes must have been mounted before the PC was turned off, otherwise nothing will come of it.
- If the computer is turned on, then a snapshot of the RAM is taken. But again, the volumes must be mounted when the snapshot is taken.
In any case, the volumes must be mounted at the moment these actions take place.
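As an added example (not part of the original article, and not a TrueCrypt feature), the following PowerShell script audits the three Windows leak channels named above (hibernation file, paging file, memory dumps) and, with -Fix, closes them. It assumes the standard Windows registry values named in the comments and must be run as Administrator; dismounting volumes before shutdown or sleep remains the primary precaution.

```powershell
# Added example: audit / harden the Windows leak channels the article lists.
# Registry paths and value names below are standard Windows settings.
param([switch]$Fix)

$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$cc = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$pw = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'

# Read a DWORD value; $null means the value is absent (treated as "unknown").
function Get-RegDword([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. hiberfil.sys is a copy of RAM, so it can hold keys of volumes mounted at hibernate time.
$hib = Get-RegDword $pw 'HibernateEnabled'
$findings += [pscustomobject]@{ Channel = 'Hibernation file'; Open = ($hib -ne 0)
                                Detail  = "HibernateEnabled=$hib" }

# 2. The paging file is wiped at shutdown only when ClearPageFileAtShutdown = 1.
$cpf = Get-RegDword $mm 'ClearPageFileAtShutdown'
$findings += [pscustomobject]@{ Channel = 'Paging file'; Open = ($cpf -ne 1)
                                Detail  = "ClearPageFileAtShutdown=$cpf" }

# 3. Crash dumps: CrashDumpEnabled 0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic.
$cde = Get-RegDword $cc 'CrashDumpEnabled'
$findings += [pscustomobject]@{ Channel = 'Memory dump'; Open = ($cde -ne 0)
                                Detail  = "CrashDumpEnabled=$cde" }

$findings | Format-Table -AutoSize

if ($Fix) {
    # Disabling hibernation deletes hiberfil.sys (also disables Fast Startup).
    powercfg /hibernate off
    Set-ItemProperty -Path $mm -Name 'ClearPageFileAtShutdown' -Value 1 -Type DWord
    Set-ItemProperty -Path $cc -Name 'CrashDumpEnabled' -Value 0 -Type DWord
    Write-Host 'Hardening applied; paging-file and dump settings take effect after a reboot.'
}
```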