Tag: uncrackable encryption

  • Judge rules Truecrypt child porn suspect doesn’t have to give up password

    A Florida judge ruled that a suspect in a child porn case who had encrypted a laptop and five external hard drives with Truecrypt does not have to give up his password, because he is protected by the Fifth Amendment of the US Constitution, the right not to be a witness against himself.

    The man cannot be named as he has not been charged with any crime and has now been released from prison, where he was being held in contempt of court. John Doe first came to the attention of the police on suspicion of uploading videos of under-age girls to YouTube; the computer's IP address was traced back to the hotel room where John Doe was staying. According to the ruling it is not enough for the Government to prove that the encrypted drives can store vast amounts of data; the Government would need to show what files are stored inside, and the computer forensics expert admitted that the drives might as well be empty.

    This new ruling will help clarify future cases in which someone is asked by law enforcement to give up a password. At first glance it appears to contradict an earlier bank fraud ruling in which a judge ordered Ramona Fricosu to surrender her password, but the cases are quite different: Ramona Fricosu had been recorded over the phone admitting that she held incriminating evidence inside her encrypted laptop, whereas John Doe had never admitted to holding the files the police are after.

  • DiskCryptor vs Truecrypt comparison


    DiskCryptor is a tiny 750 KB download; after installing it you will need to reboot the computer. You might notice that its 64-bit drivers come signed by the ReactOS Foundation, a not-for-profit organisation that assists open source projects unable to afford the expensive signing certificate needed to distribute 64-bit Windows drivers.

    Encrypting my Windows 7 Home Premium 64-bit OS on a fairly powerful Intel i5 (quad core, 2.2 GHz) used very little CPU, a steady 7% of the available resources; it took me 20 hours to encrypt a 1 TB hard drive, and it would have been considerably quicker using just the AES algorithm instead of the cascade I selected.

    DiskCryptor tells you how long it will take to encrypt your operating system, and you can keep working on the computer while it is being encrypted. I advise you to temporarily disable power management in Windows and set it to always on: Windows does not notice the hard disk being encrypted and may send the OS into hibernation believing the computer is inactive, and if this happens full disk encryption stops and only resumes once you switch the computer back on. I have found this problem with both DiskCryptor and Truecrypt; it is more of a Windows problem than anything to do with the full disk encryption software.

    DiskCryptor lets you benchmark the encryption ciphers (Tools > Benchmark). If you have a low-spec CPU and are in a hurry you can choose the cipher that performs best on your system; AES was the quickest for me, by a wide margin over Twofish and Serpent. Bear in mind that the benchmark figures are the throughput of every read and write on the encrypted disk, not only of the initial encryption pass, so the cipher you pick still matters once the OS has been encrypted, even if on a modern CPU the difference is rarely noticeable. You can benchmark ciphers in Truecrypt too, and since Truecrypt also offers AES, Serpent, Twofish and their cascades for system encryption (see the comparison table) the benchmark is just as useful there.

    DiskCryptor encryption keyfile

    Truecrypt asks you to enter your password after rebooting the computer, before it starts encrypting the operating system; DiskCryptor does not, it assumes that you entered the passphrase correctly twice as asked and made no mistake. When using special characters in your password be aware that at boot time the keyboard has a US layout, which will not correspond to a non-US keyboard. I searched for a photograph of the US keyboard layout on the Internet to make sure there would be no mistake about which keys to press.

    Unlike Truecrypt's, the DiskCryptor bootloader is highly configurable: I have my own (ASCII) logo at logon and I instructed DiskCryptor to time out after 30 seconds of inactivity, at which point the computer reboots; other options like halt and exit to BIOS are possible. Using a keyfile for full disk encryption is possible with DiskCryptor and not supported by Truecrypt. A keyfile thwarts dictionary attacks on your passphrase, because the keyfile's random bytes have to be supplied alongside the passphrase and guessing the passphrase alone is not enough, but the keyfile cannot consist of just anything: it has to be a 64-byte file generated by DiskCryptor.
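    To make the keyfile argument concrete, here is an added example (my own illustration, not DiskCryptor's code; its real header format, iteration count and exact password/keyfile mixing are not reproduced). It derives a volume key with PBKDF2-HMAC-SHA512 from a passphrase, optionally with a 64-byte random keyfile appended (that appending is an assumption made for the demonstration), and then runs a small dictionary attack three times: against the passphrase alone, against passphrase plus a keyfile the attacker does not hold, and against passphrase plus a keyfile the attacker has copied along with the disk. The wordlist and the salt are constructed.

```python
import hashlib
import secrets
from typing import Iterable, Optional

# Constructed parameters for this demonstration; DiskCryptor's real header
# format, iteration count and password/keyfile mixing are not reproduced.
PBKDF2_ROUNDS = 2000   # deliberately low so the attack loop below runs quickly
KEY_LEN = 32           # bytes of derived volume key
KEYFILE_LEN = 64       # DiskCryptor keyfiles are 64 random bytes
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, fixed for reproducibility


def make_keyfile() -> bytes:
    """Generate a keyfile the way a tool would: 64 bytes from the OS CSPRNG."""
    return secrets.token_bytes(KEYFILE_LEN)


def derive_key(passphrase: str, salt: bytes, keyfile: bytes = b"") -> bytes:
    """Derive the volume key with PBKDF2-HMAC-SHA512.

    Assumption (not DiskCryptor's documented scheme): the raw keyfile bytes are
    appended to the UTF-8 passphrase, so the keyfile's 512 bits of entropy
    become part of the secret being stretched.
    """
    secret = passphrase.encode("utf-8") + keyfile
    return hashlib.pbkdf2_hmac("sha512", secret, salt, PBKDF2_ROUNDS, KEY_LEN)


def dictionary_attack(target_key: bytes, salt: bytes, wordlist: Iterable[str],
                      keyfile: bytes = b"") -> Optional[str]:
    """Try every candidate passphrase; return the one that reproduces target_key."""
    for candidate in wordlist:
        if derive_key(candidate, salt, keyfile) == target_key:
            return candidate
    return None


# Constructed wordlist; the victim chose a passphrase that is in it.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon", "correcthorse"]
WEAK_PASSPHRASE = "letmein"


def demo() -> dict:
    """Run the attack with and without a keyfile and report what the attacker recovers."""
    key_no_keyfile = derive_key(WEAK_PASSPHRASE, SALT)
    keyfile = make_keyfile()
    key_with_keyfile = derive_key(WEAK_PASSPHRASE, SALT, keyfile)
    return {
        # passphrase only: the dictionary attack succeeds
        "no_keyfile": dictionary_attack(key_no_keyfile, SALT, WORDLIST),
        # keyfile in use but not in the attacker's hands: every guess fails
        "keyfile_unknown": dictionary_attack(key_with_keyfile, SALT, WORDLIST),
        # keyfile copied along with the disk: the weak passphrase falls again
        "keyfile_stolen": dictionary_attack(key_with_keyfile, SALT, WORDLIST, keyfile),
    }


if __name__ == "__main__":
    print(demo())
```

    The third case is the practical caveat: a keyfile only helps while it is kept apart from the encrypted disk, for instance on the same USB stick that carries the bootloader, never on an unencrypted partition of the laptop itself.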

     Windows 7 FDE specific problem

    Unlike Vista, XP and earlier Windows versions, when you use a whole disk encryption product on Windows 7, or install a dual boot, you will notice that Windows 7 automatically creates a 100 MB system reserved partition. Only 24 MB of it contains actual data; the rest is reserved for future use such as BitLocker or system restore. This partition has no drive letter, so it is hidden from Explorer and only visible in Windows Disk Management, from a live CD, or through the DiskCryptor or Truecrypt interface.

    Windows 7 100MB hidden system partition

    The Windows 7 system reserved partition contains the boot files, so do not attempt to encrypt it as I did, because the computer will not boot! There are hacks around to merge that partition with the main Windows 7 partition; I managed to do it by partitioning the hard disk with PartedMagic before installing Windows 7 and ignoring the installation DVD's request to create the system reserved partition. Everything worked fine until I fully encrypted Windows 7 without the system reserved space, and the computer refused to boot.

    If you would like to use whole disk encryption in Windows 7 there is no choice but to give in and let Windows create the unencrypted 100 MB system partition. This shouldn't be a problem regarding data leakage: you can view the files it contains with a live CD, and I saw a bootsect.bak file, bootmgr, a System Volume Information folder and a few others, with no obvious danger. The risk that unencrypted boot files do carry is tampering rather than leakage: whatever runs before the passphrase prompt, including the bootloader itself, is necessarily unencrypted and can be modified by someone with physical access, which is a problem full disk encryption alone does not solve.
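    As an added example (my own, not part of the original post or of either tool), here is a small MBR partition table parser that shows the "hidden" system reserved partition directly: it is simply an active (bootable) NTFS-type entry of 204800 sectors, 100 MiB, sitting in front of the Windows partition. The sample MBR is constructed in the code to mimic a default Windows 7 layout; the 90 to 150 MiB window used to recognise the partition is an assumption that fits Windows 7 only.

```python
import struct
from typing import List, Optional

SECTOR = 512
TABLE_OFFSET = 446                   # the four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"              # status, CHS start, type, CHS end, LBA start, sector count
PART_TYPES = {
    0x07: "NTFS/HPFS/exFAT",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x05: "Extended",
    0x0F: "Extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",   # the disk uses GPT; this parser does not read GPT entries
}


def parse_mbr(mbr: bytes) -> List[dict]:
    """Return the populated primary partition entries of a 512-byte MBR sector."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR (sector encrypted, wiped or foreign)")
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0:          # empty slot
            continue
        parts.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, f"unknown 0x{ptype:02x}"),
            "lba_start": lba,
            "sectors": count,
            "size_mib": count * SECTOR // (1024 * 1024),
        })
    return parts


def find_system_reserved(parts: List[dict]) -> Optional[dict]:
    """Heuristic: the active NTFS-type partition of about 100 MiB is the Windows 7
    'System Reserved' partition. Assumption: 90-150 MiB window, valid for Windows 7;
    later Windows versions create a larger one."""
    for p in parts:
        if p["bootable"] and p["type"] == 0x07 and 90 <= p["size_mib"] <= 150:
            return p
    return None


def build_sample_mbr() -> bytes:
    """Constructed MBR mimicking a default Windows 7 layout: a 100 MiB active
    System Reserved partition at LBA 2048 followed by the C: partition."""
    mbr = bytearray(SECTOR)
    entries = [
        (0x80, 0x07, 2048, 204800),          # 204800 * 512 B = 100 MiB, marked active
        (0x00, 0x07, 206848, 1953316864),    # ~931 GiB Windows partition
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    layout = parse_mbr(build_sample_mbr())
    for p in layout:
        print(p)
    print("system reserved:", find_system_reserved(layout))
```

    From a live CD the same function can be pointed at a real drive with `parse_mbr(open("/dev/sda", "rb").read(512))` (as root). On a drive whose bootloader lives on a USB stick rather than on the disk, sector 0 carries no boot signature and the function raises, which is exactly what a forensic examiner would see.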

    Truecrypt vs DiskCryptor comparison table

    Feature                                      TRUECRYPT                          DISKCRYPTOR
    Open source licence                          Truecrypt's own licence            GNU GPL
    Forces you to burn a recovery CD             YES                                NO (optional)
    Works with RAID volumes                      YES                                YES
    Hidden operating system                      YES                                NO (pseudo)
    Cross platform (Windows, Linux and Mac)      YES                                NO
    Cipher options for full disk encryption      AES, Twofish, Serpent & cascades   AES, Twofish, Serpent & cascades
    Supports keyfiles for full disk encryption   NO                                 YES
    Can place bootloader on external device      NO                                 YES
    Can create single encrypted containers       YES                                NO
    Portable mode                                YES (admin rights)                 NO
    Encryption of external devices (USB, etc.)   YES                                YES

     Plausible deniability

    DiskCryptor does not support the hidden operating system feature that Truecrypt has, but it allows you to install the bootloader on an external device, i.e. a USB thumbdrive or CD-ROM. The bootloader is where the files giving away that the operating system has been encrypted, and with what software, are stored; if anyone seized your hard drive it would be possible to claim that it had been wiped, as nothing identifiable can be extracted from the HDD other than random-looking data and there is no bootloader.

    Plausible deniability this way appears more sound than Truecrypt's hidden operating system: if you give away the password for the non-hidden OS in Truecrypt, the timestamps and last activities could reveal that that system has not been used for a long time.

    DiskCryptor full disk encryption

    A computer with no operating system and a wiped hard disk will look very suspicious; a claim that it was wiped the day before would be met with incredulity, but it is hard to prove it didn't happen. Even better, I came across a thread in the DiskCryptor forums describing a dual OS system where one Windows OS will only boot with the USB thumbdrive plugged in and, when it is not present, the other OS boots; this set-up makes one of the partitions look like random data rather than like two operating systems on one hard disk.
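    The "it was wiped" story only survives if the wipe is indistinguishable from ciphertext, and a zero-fill is not. As an added example (my own, not from the post or the tools), here is the kind of check an examiner runs over a disk image: Shannon entropy per block, classifying each block as uniform (zero-wipe or unused), structured (plaintext, filesystem metadata, boot code) or random (ciphertext, a random-data wipe, or compressed data). The three-block sample image is constructed in the code; os.urandom stands in for ciphertext, since a sound cipher in a sound mode produces output that cannot be told apart from uniformly random bytes, which is precisely the property the deniability claim relies on.

```python
import math
import os
from collections import Counter
from typing import List

BLOCK = 4096   # bytes classified at a time


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (one repeated value) to 8.0 (perfectly uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(data: bytes) -> str:
    h = shannon_entropy(data)
    if h < 0.5:
        return "uniform"      # zero-wipe, unused space, or a single repeated pattern
    if h > 7.5:
        return "random"       # ciphertext, a random-data wipe, or compressed data
    return "structured"       # plaintext, filesystem metadata, bootloader code


def scan_image(image: bytes, block: int = BLOCK) -> List[str]:
    """Classify every block of an image in order."""
    return [classify_block(image[i:i + block]) for i in range(0, len(image), block)]


def summarize(image: bytes, block: int = BLOCK) -> dict:
    """Count block classes. A disk that is claimed to be 'wiped' but is all
    'uniform' was zero-filled, which is trivially distinguishable from an
    encrypted disk; only an all-'random' disk supports that claim."""
    return dict(Counter(scan_image(image, block)))


def build_sample_image() -> bytes:
    """Constructed 3-block image: a zero-wiped region, a plaintext region, and a
    region standing in for ciphertext (os.urandom, see the lead-in)."""
    zero_wiped = bytes(BLOCK)
    plaintext = (b"Quarterly report: revenue up 4%, churn flat, see attached. " * 100)[:BLOCK]
    ciphertext_like = os.urandom(BLOCK)
    return zero_wiped + plaintext + ciphertext_like


if __name__ == "__main__":
    image = build_sample_image()
    print(scan_image(image))
    print(summarize(image))
```

    On a real drive, read the image in chunks (for example `open("/dev/sdb", "rb")` from a live CD) rather than loading it whole; the classification is per block, so the memory needed stays constant. Note the limits of the test: "random" proves nothing by itself, since compressed files score the same, and conversely a few "structured" blocks at the start of an otherwise random disk are exactly what a bootloader left on the disk looks like.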

    Conclusion Truecrypt vs Diskcryptor

    If you have a tablet or netbook without a CD drive go for DiskCryptor, because Truecrypt forces you to burn a recovery CD (there is a workaround using CD-drive virtualisation software, e.g. Alcohol 120%, or using the command line switch /noisocheck).

    If you would like to be able to open encrypted external devices using Linux or Mac go for Truecrypt, as DiskCryptor is a Windows-only program; if you want to create single encrypted containers go for Truecrypt, as DiskCryptor can't do that.

    Something in which Truecrypt beats DiskCryptor is documentation: the Truecrypt manual is very complete, while DiskCryptor's consists of an incomplete online wiki. DiskCryptor can make up for this by showing off its 'Blue Screen' feature, a way to quickly crash your fully encrypted computer so that the passphrase is required again at the next boot; you can bind this quick emergency shutdown to any hotkey shortcut you like.

    Security-wise, both Truecrypt and DiskCryptor have the same credentials: their source code is open to scrutiny and neither has been reviewed by a qualified cryptographer. Overall, DiskCryptor has more configuration features than Truecrypt, and Truecrypt is better at cross-platform compatibility.

    Truecrypt: http://www.truecrypt.ch

    DiskCryptor: https://www.diskcryptor.net

  • List of programs for full disk encryption


    If you encrypt your whole hard drive including your operating system you will not have to worry about wiping data, clearing the Internet browser cache, deleting temporary files or encrypting individual files; all you will have to worry about is choosing a strong passphrase that cannot be broken by a brute force or dictionary attack (trying every dictionary word and the usual variations of it).

    The main way to get at a fully encrypted operating system is to get hold of the computer while it is switched on, when the disk is transparently decrypted and the key sits in memory. You will save lots of time if you decide to encrypt your full operating system; it is not difficult and there is free software for it. Windows Vista and 7 come with BitLocker Drive Encryption for full disk encryption, but only the more expensive high-end business editions do, and it has been designed for businesses, with few home user features.

    Full disk encryption software without backdoor

    Truecrypt (Free): Its wizard-driven menu will guide you through the whole encryption process. There are many algorithm choices; if you do not understand what they mean leave all of the defaults on, they are secure enough for everyone. Truecrypt can encrypt external devices, create virtual encrypted drives and create a hidden encrypted operating system, to be used if you are forced to give up the password.

    You will find it easy to get support for Truecrypt at computer security forums and Usenet groups, as it is one of the most used full disk encryption programs.

    Truecrypt encryption algorithm

    DiskCryptor (Free): Open source encryption software. It can encrypt partitions that already have data on them, supports the AES, Twofish and Serpent encryption algorithms, lets you encrypt USB flash drives and external hard disks with automatic mounting, supports keyfiles, and has the option to place the bootloader on an external device.

    DiskCryptor full disk encryption

    Symantec Encryption Desktop (Over $200): Suite of encryption applications to fully encrypt your operating system, external drives, USB thumbdrives, email and AIM instant messaging using PGP encryption. The software includes a data shredder. This product appears targeted at businesses; optionally it can be deployed to multiple workstations from a central server.

    Symantec Encryption Desktop PGP

    DriveCrypt Plus Pack (Over $100): Whole operating system encryption with 256-bit AES and no backdoor. It can hide an undetectable operating system in the hard drive's free space, which is useful if someone forces you to give up your password, as they would not be able to prove a second operating system exists; it can be used together with USB tokens for preboot authentication, and the preboot login screen can be changed or replaced with your own.

    DriveCrypt Plus Pack encryption

    SecureDoc WinMagic (Over $100): Encryption of laptops, USB devices and desktop computers using 256-bit AES, certified FIPS 140-2 Level 2; it supports multifactor authentication at the preboot level, has no backdoor but allows password recovery if you set it up, is available in various languages, and its extended audit logging makes SecureDoc a good option for businesses.

    SecureDoc WinMagic full disk encryption

    Full disk encryption performance

    I have been using full disk encryption for over 5 years; I have used DiskCryptor, Truecrypt and DriveCrypt Plus Pack, and in all cases there has been no computer slowdown while using full disk encryption. Even using it on a low performance netbook with an Intel Atom CPU showed no noticeable performance issue.

    If you are a home user you do not need to worry about full disk encryption slowing down your computer activities; the software normally needs very few resources to run.

  • Free file encryption software BCArchive from Jetico


    When you compress files you save hard disk space and bandwidth and speed up data transfers; file compression is also useful to get around maximum email attachment sizes. Decent file compression tools allow password protection of compressed files, and the most popular ones, WinZip and WinRAR, both offer strong AES-based file encryption, but they are not free: they show a nagging screen asking you to buy the software.

    BCArchive is 100% free from day one and its encryption features beat WinZip and WinRAR hands down. This file compression and encryption tool is multilingual, available in Arabic, Chinese, German, Farsi, Russian, Spanish and Turkish, and it creates its own .bca compressed encrypted file or a self-extracting .exe so that people without BCArchive installed can decrypt it.

    BCArchive encryption key manager

    BCArchive integrates nicely with the Windows shell right-click menu; encryption and compression of a file can be done with two mouse clicks. If you use a password that is too short the software will not let you encrypt the file, forcing you to use a better passphrase. When using symmetric encryption you can choose the encryption algorithm: among those available are IDEA, Blowfish-448, AES (Rijndael), Serpent, GOST, CAST5 and 3DES, and you can choose the hashing algorithm as well: SHA-1, SHA-256, RIPEMD-160 or MD5. BCArchive's symmetric ciphers are all well known in the cryptography community and considered sound; the best thing is to stick to the defaults if you don't know which one to use. If you do choose, prefer AES or Serpent (128-bit block) over the older 64-bit-block ciphers (Blowfish, IDEA, CAST5, GOST, 3DES) for large archives, and SHA-256 over MD5 or SHA-1, which are no longer considered collision resistant.

    It is possible to use asymmetric encryption with public and private keys: you can create standard PKCS #12 / X.509 keys within the BCArchive key manager or import your own PGP keys created elsewhere, and BC Key Manager can import PGP public keys directly from the Internet by connecting to a PGP public key server.

    To encrypt files use the interface or drag and drop files into the BCArchive window; you can compress and encrypt files of up to 2 terabytes in size. When you view files they are extracted to a temporary folder and securely wiped when the archive is closed, and for the geeky, BCArchive can be run from the command line.

    BCArchive main features

    • Self-extracting encrypted archives
    • Drag and drop of files and Windows shell integration
    • PGP compatible asymmetric public/private encryption keys, RSA, ElGamal / Diffie-Hellman
    • Symmetric encryption ciphers, AES, Blowfish-448, IDEA, CAST5, GOST 28147-89 and 3DES
    • Secure hashing algorithms SHA-256, SHA-1, MD5 and RIPEMD-160
    • Data securely wiped from temporary folder after viewing

    Visit BCArchive homepage