<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; encryption</title> <atom:link href="http://www.ghacks.net/tag/encryption/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Fri, 10 Feb 2012 20:51:26 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>Disk Encryption Software TrueCrypt 7.1a Released</title><link>http://www.ghacks.net/2012/02/08/disk-encryption-software-truecrypt-7-1a-released/</link> <comments>http://www.ghacks.net/2012/02/08/disk-encryption-software-truecrypt-7-1a-released/#comments</comments> <pubDate>Wed, 08 Feb 2012 12:50:17 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[true-crypt]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=57124</guid> <description><![CDATA[I have been using the open source encryption software TrueCrypt for a long time to keep my data secure on connected hard drives. The program has evolved over the years, and can now create encrypted file containers, encrypt full partitions and even the whole computer system. TrueCrypt is that solid that its developers need to [...]]]></description> <content:encoded><![CDATA[<p>I have been using the open source encryption software TrueCrypt for a long time to keep my data secure on connected hard drives. The program has evolved over the years, and can now create encrypted file containers, encrypt full partitions and even the whole computer system.</p><p>TrueCrypt is that solid that its developers need to update it only once or twice a year. The last update dates back to <a
href="http://www.ghacks.net/2011/09/02/truecrypt-7-1-encryption-software-released/">September 2011</a> where support for Mac OS X 10.7 Lion was added to the application, and the update before that was almost a year before that.</p><p>Yesterday the first 2012 update was released. The change log over at the TrueCrypt website lists minor improvements and bug fixes as the only changes in TrueCrypt 7.1a. It does not go into further detail, other than stating that these have been applied to all supported operating systems.</p><p>TrueCrypt users can download the latest version of the application <a
href="http://www.truecrypt.org/">from the official project website</a>. You need to close all TrueCrypt instances running on the system before the update can be installed.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2012/02/True-crypt-7-1a.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2012/02/True-crypt-7-1a.jpg" alt="True crypt 7.1a" title="True crypt 7.1a" width="583" height="502" class="alignnone size-full wp-image-57128" /></a></p><p>Should you install the update if you are running a version of TrueCrypt that is not causing problems or issues on your system? I&#8217;d say you may still want to update to TrueCrypt 7.1a, considering that the update may have resolved rare bugs that you might experience in the future if you do not apply the update.</p><p>If you are a new TrueCrypt user you may be interested in our collection of TrueCrypt tutorials that we have published over the years. Here is a short selection of guides to get you started:</p><ul><li><a
href="http://www.ghacks.net/2007/03/27/create-a-secure-data-safe-with-true-crypt/">Create a secure data safe with True Crypt</a></li><li><a
href="http://www.ghacks.net/2006/10/07/create-a-secure-usb-data-safe/">Create a secure USB Data Safe</a></li><li><a
href="http://www.ghacks.net/2012/01/24/how-to-create-a-hidden-encrypted-volume-with-true-crypt/">How to Create a Hidden Encrypted Volume With True Crypt</a></li><li><a
href="http://www.ghacks.net/2011/04/22/storing-data-in-the-cloud-with-dropbox-and-truecrypt/">Storing Data In The Cloud With Dropbox And TrueCrypt</a></li><li><a
href="http://www.ghacks.net/2011/04/12/disguising-true-crypt-volumes-in-mp4-videos/">Disguising True Crypt Volumes In MP4 Videos</a></li><li><a
href="http://www.ghacks.net/2010/11/03/trupax-create-truecrypt-containers-without-true-crypt/">TruPax, Create TrueCrypt Containers Without True Crypt</a></li></ul><p>Are you a TrueCrypt user, or do you prefer a different encryption software? (via <a
href="http://stadt-bremerhaven.de/truecrypt-7-1a-portable-truecrypt-7-1a-verschluesselung-deluxe/">Caschy</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2012/02/08/disk-encryption-software-truecrypt-7-1a-released/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>How to Create a Hidden Encrypted Volume With True Crypt</title><link>http://www.ghacks.net/2012/01/24/how-to-create-a-hidden-encrypted-volume-with-true-crypt/</link> <comments>http://www.ghacks.net/2012/01/24/how-to-create-a-hidden-encrypted-volume-with-true-crypt/#comments</comments> <pubDate>Tue, 24 Jan 2012 15:27:54 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[ask the readers]]></category> <category><![CDATA[Tutorials Basic]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[true-crypt]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=56360</guid> <description><![CDATA[A judge recently ordered a US citizen to decrypt storage space on a computer so that police forces could analyze protected files on the system. In this particular case, the defendant was ordered to decrypt the hard drive of her Toshiba notebook no later than February 21, or face the consequences &#8220;including contempt of court&#8221;. [...]]]></description> <content:encoded><![CDATA[<p>A judge <a
href="http://news.cnet.com/8301-31921_3-57364330-281/judge-americans-can-be-forced-to-decrypt-their-laptops/">recently</a> ordered a US citizen to decrypt storage space on a computer so that police forces could analyze protected files on the system. In this particular case, the defendant was ordered to decrypt the hard drive of her Toshiba notebook no later than February 21, or face the consequences &#8220;including contempt of court&#8221;.</p><p>The ruling may still get overturned, but at this point in time it is not clear how this will turn out.</p><p>Encryption makes sure that only authorized users can access the data, provided that there is no loophole or backdoor built into the software itself. People traveling to the US may have their mobile computers analyzed by federal agents even without probable cause.</p><p>Users have a number of options at their disposal to protect their data from prying eyes. Encryption for instance requires a pass phrase or key to be entered to decrypt the contents of the storage device. If you forget the password, you cannot open the encrypted contents anymore.</p><p>There is however a better option for users who want to make sure that their private files stay personal. <a
href="http://www.truecrypt.org/">True Crypt</a> supports so-called hidden volumes. These volumes are encrypted volumes inside an encrypted volume. True Crypt calls the concept plausible deniability. You put your important files into the hidden volume, and other files that you do not mind sharing with others in the regular encrypted container. When someone asks you to decrypt your data, you enter the password to decrypt the first volume that you do not mind sharing with anyone.</p><blockquote><p>It may happen that you are forced by somebody to reveal the password to an encrypted volume. There are many situations where you cannot refuse to reveal the password (for example, due to extortion). Using a so-called hidden volume allows you to solve such situations without revealing the password to your volume.</p></blockquote><p><a
href="http://www.ghacks.net/wp-content/uploads/2012/01/true-crypt-hidden-volume.gif"><img
src="http://www.ghacks.net/wp-content/uploads/2012/01/true-crypt-hidden-volume-600x407.gif" alt="true crypt hidden volume" title="true crypt hidden volume" width="600" height="407" class="alignnone size-medium wp-image-56361" /></a></p><blockquote><p>The principle is that a TrueCrypt volume is created within another TrueCrypt volume (within the free space on the volume). Even when the outer volume is mounted, it should be impossible to prove whether there is a hidden volume within it or not*, because free space on any TrueCrypt volume is always filled with random data when the volume is created** and no part of the (dismounted) hidden volume can be distinguished from random data. Note that TrueCrypt does not modify the file system (information about free space, etc.) within the outer volume in any way.</p></blockquote><p>Hidden volumes can be created quite easily in True Crypt. New True Crypt users should read through the <a
href="http://www.truecrypt.org/docs/?s=tutorial">tutorial</a> posted on the site first to understand the basics of creating encrypted volumes on the computer.</p><p>You have the option to create both volumes in one go though, by following the process outlined below. Click on Tools > Volume Creation Wizard. You now have two options for how to proceed:</p><ul><li>Create an encrypted file container: This option can be used to create an encrypted file on one of the computer&#8217;s hard drives and add a hidden file container to it, or add a hidden file container to an existing encrypted file.</li><li>Encrypt non-system partition/drive: This is basically the same option as above, only that it works with partitions and hard drives, and not with files. Please note that all contents of the selected hard drive/partition will get deleted in the process.</li></ul><p>I suggest you start with an encrypted file container to see how the process works.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2012/01/create-hidden-volume.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2012/01/create-hidden-volume.jpg" alt="create hidden volume" title="create hidden volume" width="620" height="382" class="alignnone size-full wp-image-56363" /></a></p><p>Select Hidden TrueCrypt volume on the next page.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2012/01/hidden-truecrypt-volume.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2012/01/hidden-truecrypt-volume.jpg" alt="hidden truecrypt volume" title="hidden truecrypt volume" width="620" height="382" class="alignnone size-full wp-image-56364" /></a></p><p>Now you have the option to select normal or direct mode. Normal mode creates both the outer and the hidden volume in the process, while direct mode creates a hidden volume inside an existing True Crypt file container.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2012/01/true-crypt-hidden-volume.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2012/01/true-crypt-hidden-volume.jpg" alt="true crypt hidden volume" title="true crypt hidden volume" width="620" height="382" class="alignnone size-full wp-image-56366" /></a></p><p>Let&#8217;s pick normal mode to demonstrate how both the standard encrypted container and the hidden container within are created.</p><p>You now need to select a file name for the outer container. Pick any directory and file name that you want. You can use the file name to your advantage, for instance by making it a .tmp file or a .avi.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2012/01/create-encrypted-file.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2012/01/create-encrypted-file.jpg" alt="create encrypted file" title="create encrypted file" width="620" height="382" class="alignnone size-full wp-image-56368" /></a></p><p>You are then asked to select the encryption algorithm and hash algorithm for the outer volume. Pick one each or keep the default settings.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2012/01/truecrypt-algorithm.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2012/01/truecrypt-algorithm.jpg" alt="truecrypt algorithm" title="truecrypt algorithm" width="620" height="382" class="alignnone size-full wp-image-56369" /></a></p><p>You are then asked to select a size for the file container. Keep in mind that the hidden volume is added to this container file as well. Select a password on the next screen. This password is used to decrypt the files stored in the outer volume. The volume will be formatted afterwards. Move your mouse around to create random values. Click on Format afterwards to create the file. Depending on the size, you may need to switch the file system from FAT to NTFS.</p><p>Now that you have created the outer volume, you move on to the next step, the creation of the hidden volume.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2012/01/hidden-volume.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2012/01/hidden-volume.jpg" alt="hidden volume" title="hidden volume" width="620" height="382" class="alignnone size-full wp-image-56372" /></a></p><p>The process is nearly identical. You first select the encryption and hash algorithms, then the file size. True Crypt will display the maximum possible hidden volume file size on that screen. Don&#8217;t select the maximum if you plan on adding files to the outer volume as well.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2012/01/hidden-volume-size.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2012/01/hidden-volume-size.jpg" alt="hidden volume size" title="hidden volume size" width="620" height="382" class="alignnone size-full wp-image-56373" /></a></p><p>The remaining steps are identical. You now have one outer volume, one hidden volume and two pass phrases to decrypt the volumes on your computer.</p><p><strong>Mounting the hidden volume</strong></p><p>To mount either the outer or hidden volume do the following:</p><ul><li>Select a free drive letter in the True Crypt interface.</li><li>Click on Select File and browse to the encrypted file that you want to mount.</li><li>Click on Mount afterwards.</li><li>Enter the pass phrase for the outer volume to mount it, or the password for the hidden volume to mount it instead.</li></ul><p>If you mount the outer volume you may want to click on Mount Options and check the &#8220;protect hidden volume against damage caused by writing to outer volume&#8221; box to protect the hidden container from being partially or fully overwritten. You need to supply the hidden volume password though for this option.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2012/01/true-crypt-tip1.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2012/01/true-crypt-tip1.jpg" alt="true-crypt-tip" title="true-crypt-tip" width="436" height="322" class="alignnone size-full wp-image-56375" /></a></p><p>The very same principle applies to the creation of a hidden volume inside an encrypted partition or hard drive.</p><p>What&#8217;s your take on this new ruling?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2012/01/24/how-to-create-a-hidden-encrypted-volume-with-true-crypt/feed/</wfw:commentRss> <slash:comments>16</slash:comments> </item> <item><title>Researchers Successfully Hack HDCP High-Def Copy Protection</title><link>http://www.ghacks.net/2011/11/28/researchers-successfully-hack-hdcp-high-def-copy-protection/</link> <comments>http://www.ghacks.net/2011/11/28/researchers-successfully-hack-hdcp-high-def-copy-protection/#comments</comments> <pubDate>Mon, 28 Nov 2011 17:01:08 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Hacking]]></category> <category><![CDATA[blu-ray]]></category> <category><![CDATA[bluray]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[hack]]></category> <category><![CDATA[HDCP]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=53360</guid> <description><![CDATA[Ever since the Blu-Ray video format was first announced, it has been claimed that the copy-protection on the system was uncrackable.  This is because it uses technology in your HDMI port to determine the authenticity of the video source.  Without this technology built into the port&#8217;s circuitry Blu-Ray video simply won&#8217;t work, which caused problems with some [...]]]></description> <content:encoded><![CDATA[<p>Ever since the Blu-Ray video format was first announced, it has been claimed that the copy-protection on the system was uncrackable.  This is because it uses technology in your HDMI port to determine the authenticity of the video source.  Without this technology built into the port&#8217;s circuitry Blu-Ray video simply won&#8217;t work, which caused problems with some early HDMI-equipped computer monitors.</p><p>Even though the HDCP (High bandwidth Digital Content Protection) master key, which is a core element of the encryption, was leaked last year, the standard has still not been cracked because using it to build a decryption chip is very difficult and costly.</p><p><img
class="alignleft size-full wp-image-53361" src="http://www.ghacks.net/wp-content/uploads/2011/11/5e4d285525cb9323.jpg" alt="" width="250" height="200" />Any technology saying something is uncrackable however is just an invitation for most people to try, and now professor Tim Güneysu and Benno Lomb, a PhD student from the Ruhr University in Germany, have used a &#8220;man in the middle&#8221; approach to <a
href="http://www.h-online.com/security/news/item/Researchers-conduct-successful-MITM-attack-on-HDCP-copy-protection-1384543.html" target="_blank">crack the encryption</a> for just $350.</p><p>Instead of designing and creating an HDCP-capable chip, the two men built a standalone hardware solution that is based on an inexpensive FPGA (Field Programmable Gate Array) board that contains an HDMI port and an RS232 Serial port.  These boards are programmable and designed to be configured by the user.</p><p>The purpose of the research was not to crack the HDCP encryption, they said.</p><blockquote><p>&#8220;Our intention was rather to investigate the fundamental security of HDCP systems and to measure the actual financial outlay for a complete knockout. The fact that we were able to achieve this in the context of a PhD thesis and using materials costing just €200 is not a ringing endorsement of the security of the current HDCP system&#8221;</p></blockquote><p>The board modifies all the communications between the Blu-Ray player and a flat screen TV without the interruption being detected.  This is something that some set-top-boxes are already able to do and some boxes that can remove HDCP data from HD video have been available since shortly after the HDMI standard was introduced.  These boxes allow otherwise encrypted high-definition content that is broadcast to be compressed and recorded to disc or a hard drive.</p><p>At the moment pirates are using these boxes to copy high-definition content, admittedly in a compressed form.  But there is currently no way for them to intercept the uncompressed raw data from a Blu-Ray disc.</p><p>This solution isn&#8217;t much use for pirates at the moment then, as what would really be required is a software solution, much in the way DVD John did in 1999 when he and two friends released the DeCSS software that decrypted DVDs.  
This hardware solution doesn&#8217;t offer anything that&#8217;s really useful for pirates, especially as the researchers aren&#8217;t saying how they did it.</p><p>It does prove though that with some know-how and determination anything is crackable, and with a software-emulated version of the hardware board a possibility in the future, encrypted Blu-Ray discs could still come under attack from pirates, not to mention the threat this poses to encrypted high-definition digital video downloads in the future.</p><p>Where this is of interest is the ease with which the researchers were able to do this and the affordability of the overall parts involved.  To claim something is uncrackable unless significant volumes of money are spent designing a new silicon chip overlooks the fact that much existing technology can emulate this process, providing anybody with full and unfettered access to unencrypted video.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/11/28/researchers-successfully-hack-hdcp-high-def-copy-protection/feed/</wfw:commentRss> <slash:comments>8</slash:comments> </item> <item><title>Are Biometrics the most Important Portable Feature?</title><link>http://www.ghacks.net/2011/10/23/are-biometrics-the-most-important-portable-feature/</link> <comments>http://www.ghacks.net/2011/10/23/are-biometrics-the-most-important-portable-feature/#comments</comments> <pubDate>Sun, 23 Oct 2011 11:10:05 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[biometric]]></category> <category><![CDATA[bitlocker]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[fingerprint]]></category> <category><![CDATA[tpm]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=51782</guid> <description><![CDATA[We carry more devices around with us, smartphones, tablets, netbooks, ultraportables, than ever before, and now I&#8217;m wondering if biometrics are fast becoming the must-have addition for mobile computing in the 21st century.  I have a variety of mobile devices myself and have tested a great many more in the last year.  Of these, [...]]]></description> <content:encoded><![CDATA[<p>We carry more devices around with us, smartphones, tablets, netbooks, ultraportables, than ever before, and now I&#8217;m wondering if biometrics are fast becoming <em>the</em> must-have addition for mobile computing in the 21st century.  I have a variety of mobile devices myself and have tested a great many more in the last year.  Of these, only two have included what I would call <strong>proper</strong> biometrics, in that they have had a TPM (Trusted Platform Module) chip on the motherboard.  These being my own laptop, I was never going to get a laptop without one, and a Samsung Series 9 Ultraportable laptop that I was sent recently for a Microsoft event.</p><p>Of the rest, I&#8217;m currently testing an Acer laptop that has a fingerprint scanner but no TPM chip, and a friend has recently bought a low-cost Lenovo laptop that includes the same and has the same omission.  Neither of my tablets has any kind of TPM and neither does my smartphone or any other smartphone or tablet that I&#8217;ve tested.</p><p><img
class="alignleft size-full wp-image-51783" src="http://www.ghacks.net/wp-content/uploads/2011/10/240016_f520.jpg" alt="" width="218" height="147" />A TPM chip is one that stores encryption keys that allow you to securely encrypt the contents of the full hard disk or SSD in the machine.  The TPM chip works in conjunction with operating system solutions, most well known being Bitlocker in Windows Vista and Windows 7, to unlock those drives on a passcode, use of a physical hardware key, contactless smartcard or automatically on log-in.  They can prevent that data from ever being read if the operating system is reinstalled or if the hard disk is physically removed, as the encryption key is tied to the TPM chip, which is physically undetachable from its host motherboard.</p><p>On my own laptop I use Bitlocker to encrypt all my files and data and, while it&#8217;s far from perfect still, it gives me the peace of mind I need that coupled with a very strong 10+ digit Windows password, nobody but me can ever gain access to my files.</p><p>The downside of facilities such as Bitlocker is they&#8217;re only currently supported in the Enterprise and Ultimate editions of Windows, a problem I sincerely hope Microsoft will rectify with Windows 8, as I&#8217;ve only once been sent a laptop with Windows 7 Ultimate on it, and that was the afore-mentioned Acer that didn&#8217;t have a TPM chip anyway.</p><p>Of the laptops that include fingerprint readers, I can assure you these things are pretty useless and people soon stop using them.  Also what&#8217;s the point of just having secure access to Windows when it&#8217;s still simple to pop the hard disk out and plug it into another machine?</p><p>The situation with tablets is different, most of the time anyway, with bespoke flash storage modules that can&#8217;t be plugged into another computer and where the password can only be bypassed by flashing the machine.  
With Windows 8 tablets coming next year this advantage may quickly disappear though in favour of more traditional mini-SSDs with larger capacities on board.</p><p>My argument is that, certainly on laptops, ultraportables and netbooks, but also and perhaps to a slightly lesser extent, tablets, smartphones and even desktops, TPM chips should now be everywhere and encryption should be simple and intuitive if not completely automatic and seamless (as it is on some new high-end hard disks).  The amount of data we all have and carry around with us now is incredibly valuable, not just to us but also to others.  With the prices of TPM chips at an all-time low, I really can&#8217;t see why we&#8217;re not seeing ubiquity here in the way they are implemented.</p><p>The software solutions will also need to drastically improve to make them much easier to understand and use.  We can&#8217;t still be in a position a year from now though where TPM chips are still only found on high-end business laptops costing more than $1,000.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/10/23/are-biometrics-the-most-important-portable-feature/feed/</wfw:commentRss> <slash:comments>8</slash:comments> </item> <item><title>Types of Wi-Fi Encryption You Can Use</title><link>http://www.ghacks.net/2011/09/22/types-of-wi-fi-encryption-you-can-use/</link> <comments>http://www.ghacks.net/2011/09/22/types-of-wi-fi-encryption-you-can-use/#comments</comments> <pubDate>Thu, 22 Sep 2011 06:34:11 +0000</pubDate> <dc:creator>Melanie Gross</dc:creator> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[router]]></category> <category><![CDATA[wep]]></category> <category><![CDATA[wifi]]></category> <category><![CDATA[wireless]]></category> <category><![CDATA[wpa]]></category> <category><![CDATA[wpa2]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=50712</guid> <description><![CDATA[There are many types of Wi-Fi encryption you can use on modern Internet routers. So which one should you use? Many people don’t even use encryption, and those that do just pick an encryption type at random without knowing what they do. Most encryption types are better than nothing at all, but some are more [...]]]></description> <content:encoded><![CDATA[<p>There are many types of Wi-Fi encryption you can use on modern Internet routers. So which one should you use? Many people don’t even use encryption, and those that do just pick an encryption type at random without knowing what they do. Most encryption types are better than nothing at all, but some are more suitable than others.</p><p>For a long time, WEP was considered to be an extremely good method of encrypting wireless connections. The acronym simply means Wired Equivalent Privacy. Originally it was only available in 64-bit configuration, but soon after 128-bit and even 256-bit encryption became available.  Entering a 64-bit WEP Wi-Fi key was as simple as choosing a ten character hexadecimal number. Each character represented 4 bits, making 40 bits in total, and then 24 bits were added to complete the 64-bit key. WEP, however, was proved to have many flaws, mainly involving the short key size, which made it relatively easy to crack. WEP also does not provide security against altered packets – a process where packets of information are intercepted by an intruder and then altered before being sent back, making it look like the intruder is a valid user.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/09/wireless-encryption.jpg" alt="wireless encryption" title="wireless encryption" width="520" height="408" class="alignnone size-full wp-image-50713" /></p><p>These days, WPA (Wi-Fi Protected Access) and WPA2 have completely taken over from the old WEP encryption methods. You’ll probably still find WEP available on most routers, but it’s being phased out and someday it probably won’t be available at all. The main advantage WPA has over WEP is that it employs a powerful new feature called TKIP, or rather Temporal Key Integrity Protocol. TKIP is 128-bit, but instead of the key being static, it generates a new key for every packet of information that is sent, meaning it is a lot more secure. WPA also integrates a method of message integrity checks, used to defeat network attackers intercepting and altering data packets. WPA2 goes even further and replaces TKIP with CCMP. CCMP is an AES-based encryption method that is much stronger even than TKIP.</p><p>In the home, you’ll probably want to use an encryption method called WPA-Personal. This is sometimes also called WPA-PSK. PSK stands for Pre-Shared Key, and is designed for home users and small offices where a server is not required for authenticating messages. It works by having each wireless device such as a laptop or smart phone authenticate directly with the wireless access point using the same key. Offices and large buildings may employ WPA-Enterprise. You can’t generally use this without a complicated authentication server set-up, but it does provide additional security.</p><p>Both WPA-PSK and WPA-Enterprise are available in WPA2, meaning even home users can now benefit from AES encryption over their Wi-Fi connections. All of these methods can transmit data at maximum speed, and you won’t notice any speed differences between each type of encryption. Therefore the recommendation is to use the best encryption you can. 
This means going for WPA2-PSK where you can in a home environment. There are new and more exotic types of Wi-Fi encryption becoming available, but for now even advanced users will find WPA2 more than adequate for most security applications.</p><p>If you are using wireless connections, you may want to check your router to make sure that it does not use encryption that can easily be cracked by users with the right toolset.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/09/22/types-of-wi-fi-encryption-you-can-use/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> <item><title>Bitlocker, a Guide for the Uninitiated</title><link>http://www.ghacks.net/2011/09/10/bitlocker-a-guide-for-the-uninitiated/</link> <comments>http://www.ghacks.net/2011/09/10/bitlocker-a-guide-for-the-uninitiated/#comments</comments> <pubDate>Sat, 10 Sep 2011 10:38:35 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[bitlocker]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[vista]]></category> <category><![CDATA[windows 7]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=50285</guid> <description><![CDATA[BitLocker, first introduced with Windows Vista, is a full drive encryption technology that works with hardware in compatible computers known as a Trusted Platform Module (TPM chip).  It offers enterprise-level data encryption and caused some controversy when it first appeared with some governmental agencies calling on Microsoft to leave them a back door in, something [...]]]></description> <content:encoded><![CDATA[<p>BitLocker, first introduced with Windows Vista, is a full drive encryption technology that works with hardware in compatible computers known as a Trusted Platform Module (TPM chip).  It offers enterprise-level data encryption and caused some controversy when it first appeared with some governmental agencies calling on Microsoft to leave them a back door in, something Microsoft flatly refused to do.</p><p>If you have a laptop computer with a TPM chip then using BitLocker to encrypt the content of your hard disk is a very worthwhile activity, especially for work computers where you may be carrying sensitive personal data on staff or customers, or where any data you are carrying will be subject to local data protection regulations anyway.</p><p>Bitlocker is easy to use too: you just go into the BitLocker option in the Windows Control Panel, select the hard disk(s) you want to encrypt and, if your computer has a TPM chip, turn it on.  But what are the problems and pitfalls of using BitLocker?</p><p
style="text-align: center"><img
class="aligncenter size-medium wp-image-50286" src="http://www.ghacks.net/wp-content/uploads/2011/09/BitLocker-Drive-Encryption-600x417.png" alt="" width="540" height="375" /></p><p>BitLocker will work very effectively and silently in the background and you won&#8217;t even realise it&#8217;s there.  This can cause problems should something go wrong with Windows and you need to either restore it from a backup, or reinstall it completely.</p><p>When you encrypt your disk with BitLocker, Windows will prompt you to store a copy of your encryption key on a USB pen drive.  There are good reasons for this and it&#8217;s wise to keep a copy of the encryption key on that pen drive and keep the drive itself somewhere safe but handy.  Obviously if you&#8217;re taking a laptop out and about you shouldn&#8217;t keep the pen drive with you at all times where it could be stolen with the laptop, this is almost as bad as having no encryption at all.</p><p>If you need to restore Windows from a backup image however Complete System Restore in Windows will ask you for a copy of the encryption key before it can work with your hard disk(s).  It will happily look on pen drives and find the appropriate keys.  Without these keys the restore process simply won&#8217;t work at all, neither will any of the startup repair options in Windows 7.</p><p>When you come to reinstall Windows the problems will be worse.  Before you can do this it is extremely wise to completely decrypt your BitLocker-protected drives; a process that&#8217;s probably best left running over-night.  
You can create yourself all types of security problems if you try to reinstall Windows 7 over a partition that&#8217;s already encrypted, or if you wipe the original partition and recreate it and have a second partition or disk for files.</p><p>A BitLocker encrypted disk is tied to the boot loader of a Windows installation, and it is this that it looks for to check it&#8217;s not been modified before the TPM chip releases the decryption key.  It would be too easy to reinstall Windows and then find you no longer have any access to your files and data because they&#8217;re encrypted and not backed up in an unencrypted form somewhere safe.</p><p>Backups are essential when you are dealing with any form of file or disk encryption, even Windows EFS (Encrypted File System) which I personally hate as it strips useful metadata out of files when it compresses them for reasons that make no sense.  You should always make sure there is at least one fully unencrypted backup copy of your files stored in a secure location.</p><p>I would also recommend keeping a copy of your encryption key in a safe location, perhaps Microsoft&#8217;s SkyDrive service.  
It wouldn&#8217;t even matter here if hackers gained access to your account and downloaded the keys, as without physical access to the computer they relate to, the keys are completely useless to them.</p><p>So while BitLocker is a fantastic idea and one that I use on my own laptop paired with a fingerprint scanner, you need to be very careful when putting it into implementation.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/09/10/bitlocker-a-guide-for-the-uninitiated/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>TrueCrypt 7.1 Encryption Software Released</title><link>http://www.ghacks.net/2011/09/02/truecrypt-7-1-encryption-software-released/</link> <comments>http://www.ghacks.net/2011/09/02/truecrypt-7-1-encryption-software-released/#comments</comments> <pubDate>Fri, 02 Sep 2011 09:37:18 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[encryption software]]></category> <category><![CDATA[truecrypt]]></category> <category><![CDATA[windows software]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=50005</guid> <description><![CDATA[I have been using the encryption software TrueCrypt for a long, long time. Cannot really remember when I first started using it but it must have been around the time when Windows XP was the operating system of choice. The developers have improved the software considerably over time. They added features like the ability to [...]]]></description> <content:encoded><![CDATA[<p>I have been using the encryption software TrueCrypt for a long, long time. Cannot really remember when I first started using it but it must have been around the time when Windows XP was the operating system of choice.</p><p>The developers have improved the software considerably over time. They added features like the ability to encrypt the system partition, improved the performance of the encryption algorithms considerably and added other features like hardware acceleration to the program.</p><p>There has not been much news in the last year, and no new version of the program since September 6, 2010. The last major version with new feature additions dates even further back to July of the same year. That&#8217;s when the developers added hardware accelerated AES, automatic mounting of devices when their host device gets connected to the computer, the favorites volume organizer and support for partition/device hosted volumes with a sector size of 4096, 2048 and 1024 bytes on Windows and Linux.</p><p>A new version of TrueCrypt was released yesterday. It is the first new version after a year of silence. TrueCrypt 7.1 comes with full 32-bit and 64-bit Mac OS X 10.7 Lion compatibility. This is the only new feature that has been added to version 7.1 of the encryption software.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/09/truecrypt-71.png" alt="truecrypt-71" title="truecrypt-71" width="567" height="403" class="alignnone size-full wp-image-50008" /></p><p>The new TrueCrypt version furthermore comes with minor undisclosed improvements and bug fixes.</p><p>TrueCrypt users who want to update their version of TrueCrypt can download the newly released version <a
href="http://www.truecrypt.org/downloads">from the</a> official website. The download page offers links for all supported operating systems. The installer can be used on systems without TrueCrypt and to update existing TrueCrypt installations.</p><p>A restart of the computer is required to complete the process.</p><p>Are you using TrueCrypt or another encryption software on your computer? Let us know in the comments. (<a
href="http://stadt-bremerhaven.de/truecrypt-7-1-portable-truecrypt-7-1-neue-version-der-open-source-verschluesselung">via</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/09/02/truecrypt-7-1-encryption-software-released/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> <item><title>Avoiding EFS Encryption Disasters in Windows</title><link>http://www.ghacks.net/2011/07/08/avoiding-efs-encryption-disasters-in-windows/</link> <comments>http://www.ghacks.net/2011/07/08/avoiding-efs-encryption-disasters-in-windows/#comments</comments> <pubDate>Fri, 08 Jul 2011 19:09:11 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Tutorials Basic]]></category> <category><![CDATA[efs]]></category> <category><![CDATA[encrypted file system]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[file]]></category> <category><![CDATA[Windows]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=47603</guid> <description><![CDATA[Our data is becoming more and more important to us as we&#8217;re keeping ever more of our lives on our PCs, tablets, smartphones and in the cloud.  Currently there are precious few ways to encrypt this data in a way that&#8217;s guaranteed to be trouble-free.  Two of the most obvious being hard disks with encryption [...]]]></description> <content:encoded><![CDATA[<p>Our data is becoming more and more important to us as we&#8217;re keeping ever more of our lives on our PCs, tablets, smartphones and in the cloud.  Currently there are precious few ways to encrypt this data in a way that&#8217;s guaranteed to be trouble-free.  Two of the most obvious being hard disks with encryption built-in and Windows BitLocker.  Even these have their problems however with the former still being very expensive and the latter requiring a TPM (Trusted Platform Module) chip in your computer to operate effectively.</p><p>Not many PCs have TPM chips in them though, they tend to be found mostly in high-end business laptops so we need to turn to other solutions.  There are third-party solutions like Laplink&#8217;s PC Lock and that old favourite TrueCrypt.  For many people though a good alternative is EFS (Encrypted File System) which has been a part of Windows since Windows 2000.</p><p>This is an excellent cryptography utility, able to encrypt and decrypt on the fly.  You can set folders to be automatically encrypted, including all their sub-folders and files.  
If you then pair this with a password on your copy of Windows it makes the files pretty impregnable, even if they are stored on a different physical hard disk to your copy of Windows.</p><p>There are problems however, people can still see the full file names of the files, and the folder structure, but there&#8217;s no way they can be opened.</p><p>You might also find that there&#8217;s no way for you to open them either unless you back up your encryption key.  You can do this by typing the word <strong>encrypt</strong> into the Start Menu search box and selecting <em>Manage</em> <em>file encryption certificates</em> from the results that appear.</p><p
style="text-align: center"><img
class="aligncenter size-full wp-image-47604" src="http://www.ghacks.net/wp-content/uploads/2011/07/encrypt1.png" alt="EFS Encryption" width="456" height="482" /></p><p>You can use this wizard to back up your encryption key for EFS.  It&#8217;s helpful too and will talk you through the procedure.  You should <strong>always</strong> keep your EFS key in a safe <em>unencrypted</em> location.  Personally I store mine in the cloud as not only do I then know it&#8217;s unencrypted, but I also know it&#8217;s a long way from my PC should anybody steal the machine.</p><p
style="text-align: center"><img
class="aligncenter size-medium wp-image-47605" src="http://www.ghacks.net/wp-content/uploads/2011/07/Encrypting-File-System-600x575.png" alt="encryption windows" width="540" height="518" /></p><p>There are problems with EFS Encrypted files though and I thought I&#8217;d deal with one of the biggest ones here, and something that you might not know is even affecting you.  Many people these days like to keep backups of their data on either USB attached hard disks or Network Attached Storage (NAS) drives.</p><p>You&#8217;d assume that because these drives aren&#8217;t a physical part of your own computer, and because they&#8217;re external to the PC that anything you store there will be unencrypted and you can then, not only read the files on another PC, but also restore them in the event of a disaster and you lose your EFS key.  You might find though that when the time comes to read the files that you can&#8217;t!</p><p>EFS is only supported on NTFS formatted drives, which is the default disk format option for Windows. If you try and copy an encrypted file to a disk that&#8217;s not formatted this way, such as a USB Pen Drive, then Windows will ask you if you want to copy the file without encryption. A problem arises though because EFS can&#8217;t tell the difference between internal and external NTFS formatted disks. 
If you have a USB hard disk or a NAS drive that&#8217;s formatted with NTFS (and with many NAS drives you may have been given no indication by the configuration software <em>what</em> file format type it&#8217;s used) then the encryption will also be copied with the file.</p><p>Thus if you lose your encryption key, or if something else goes wrong, then you&#8217;ll not only lose access to the files on your hard drive, but you&#8217;ll also lose access to your backup copy too.</p><p>It&#8217;s a warning that EFS doesn&#8217;t tell you about and it&#8217;s a mistake I&#8217;ve seen too many people make, including myself once which just goes to show how easy it is for a problem to occur. If you want to guarantee that you always have access to your files using EFS, make certain that you always keep an <em>up to date </em>copy of your encryption key in a safe place, and then all should always be well.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/07/08/avoiding-efs-encryption-disasters-in-windows/feed/</wfw:commentRss> <slash:comments>8</slash:comments> </item> <item><title>Text Encryption Made Easy With Scrambled Egg</title><link>http://www.ghacks.net/2011/05/25/text-encryption-made-easy-with-scrambled-egg/</link> <comments>http://www.ghacks.net/2011/05/25/text-encryption-made-easy-with-scrambled-egg/#comments</comments> <pubDate>Wed, 25 May 2011 10:25:02 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Linux]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[cryptography]]></category> <category><![CDATA[decryption]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[linux software]]></category> <category><![CDATA[scrambled egg]]></category> <category><![CDATA[windows software]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=45547</guid> <description><![CDATA[As kids, we had our own secret codes and words that we used to communicate when outsiders were around. That was a basic form of cryptography. Computer users today have sophisticated tools at their disposal to encrypt messages, so that only they and designated recipients can understand those messages. Scrambled Egg is an Open Source [...]]]></description> <content:encoded><![CDATA[<p>As kids, we had our own secret codes and words that we used to communicate when outsiders were around. That was a basic form of cryptography. Computer users today have sophisticated tools at their disposal to encrypt messages, so that only they and designated recipients can understand those messages.</p><p>Scrambled Egg is an Open Source cryptography program for Windows and Linux that offers an easy way to decrypt and encrypt messages.</p><p>When you start the program for the first time after installation you will notice that the interface is divided into two panes: the Encrypt Mode on the left and the Decrypt Mode on the right.</p><p>The left pane displays the original message, the right the encrypted message. To encrypt text paste textual information into the left pane or add it manually. The editor supports rich text, it will for instance retain different font sizes or types.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/scrambled-egg-encrypt-mode.png" alt="scrambled egg encrypt mode" title="scrambled egg encrypt mode" width="468" height="451" class="alignnone size-full wp-image-45548" /></p><p>Various encryption algorithms and codecs are selectable at the top. You can keep the default selection which uses AES and Base64 Codec, or change it to other algorithms like Blowfish or DES3. It is furthermore possible and suggested to add a password which is then needed to decrypt the message.</p><p>The decrypt mode pane displays the encrypted information. You can copy and paste the information directly into text documents, emails or message boards on the Internet, or use the Export button at the bottom to add obfuscation to the protection.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/decrypt-mode.png" alt="decrypt mode" title="decrypt mode" width="459" height="447" class="alignnone size-full wp-image-45549" /></p><p>Obfuscation? When you select Export, you get the option to save the encrypted message as a png image. An attacker would have to identify the right image before attempting to decrypt the message.</p><p>The image is an actual image, which means that you can post it on the Internet or send it as an image attachment via email.</p><p>Received messages can be decrypted in the application. If the message is inside an image, you need to import that image. If it is a message, you need to paste that message into the application, select the correct algorithms and the password.</p><p>If that&#8217;s all correct you get to see the message on the left pane. You need to make sure to add the password to the Decrypt Mode pane before you import encrypted images or messages. You&#8217;d otherwise get an error, and adding the password afterwards has no effect on the process anymore.</p><p>The developer has posted two example images on the project website. One is a 28 Kilobyte png image that contains the excellent Le Petit Prince by Antoine de Saint Exupery.</p><p>The encryption software Scrambled Egg <a
href="http://code.google.com/p/scrambled-egg/">is available</a> for download at Google Code.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/25/text-encryption-made-easy-with-scrambled-egg/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>New LapLink PC Lock Software (24hr Giveaway!)</title><link>http://www.ghacks.net/2011/05/16/new-laplink-pc-lock-software-24hr-giveaway/</link> <comments>http://www.ghacks.net/2011/05/16/new-laplink-pc-lock-software-24hr-giveaway/#comments</comments> <pubDate>Mon, 16 May 2011 07:36:42 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Software]]></category> <category><![CDATA[data]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[file]]></category> <category><![CDATA[free]]></category> <category><![CDATA[giveaway]]></category> <category><![CDATA[laplink]]></category> <category><![CDATA[pc lock]]></category> <category><![CDATA[pclock]]></category> <category><![CDATA[Security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=45161</guid> <description><![CDATA[Encrypting the files and data on your hard disc can be awkward.  There are various packages you can use to do the job some of which are easy to use and effective and others which are just a pain.  Personally I use the Encrypted File System built into Windows, though I still don&#8217;t like it [...]]]></description> <content:encoded><![CDATA[<p>Encrypting the files and data on your hard disc can be awkward.  There are various packages you can use to do the job some of which are easy to use and effective and others which are just a pain.  Personally I use the Encrypted File System built into Windows, though I still don&#8217;t like it and it makes me uneasy.  Sure I&#8217;ve got my EFS key backed up and kept safe in the cloud but what I really need is a better solution and one that&#8217;s not tied to a Windows login that could become corrupt.</p><p>Today, LapLink have announced their new PC Lock software.  This takes the task of encrypting your files and data to the next logical level and adds some interesting features.</p><p>According to research conducted by Ponemon Institute, Gartner and Intel, over 1,700 laptops are stolen every day and someone’s identity is stolen every 2 seconds. Files on a PC that are not encrypted are at constant danger of theft, increasing the user’s risk of identity theft, privacy invasion and significant financial loss.</p><p>It uses &#8220;a sophisticated EKE &#8216;Encrypted Key Encryption&#8217; approach with military-grade 256-bit Advanced Encryption Standard (AES)&#8221; to secure your data but in addition to the software on your PC which encrypts and decrypts files on the fly, there&#8217;s a cloud management console too.</p><blockquote><p>With this unique console, users can modify preferences, change settings, reset passwords, lock the data on a missing or stolen PC and remotely delete sensitive data. 
The Web Management Console is accessible from any web-enabled device, including smartphones, allowing management from virtually anywhere, even if the user is on the go; no need to rely on live customer support as with other products.</p></blockquote><p>This is a very interesting approach meaning that you still have control of your data, and can securely erase it, if you lose your laptop or if your PC is stolen.  You will also be able to rest safe in the knowledge that the thief won&#8217;t have had access to the data in the interim because the files aren&#8217;t unlocked by your Windows log-in.</p><blockquote><p>Files and folders on a PC remain protected even if the PC is lost or stolen. Users can trigger a remote wipe of their encrypted data from the Web Management Console, preventing access of stolen files. Even if the thief pulls the hard drive from the PC and never accesses the Internet, the data remains encrypted and inaccessible. PC Lock is also compatible with other security software, so it can provide an extra layer of protection and complement existing safeguards a user may already have in place or add in the future.</p></blockquote><p>The main encryption software is run from a wizard which takes you through the process of encrypting your files and configuring the PC&#8217;s data.  The encryption takes place in the background and you won&#8217;t notice any degradation in performance on a standard home or business PC, as you shouldn&#8217;t these days.</p><p>Then for those of you in business, maybe a small business where you need to protect sensitive customer and user data how about these cherries on the cake?</p><blockquote><p
style="padding-left: 30px"><strong>Behavior Monitoring</strong><br
/> PC Lock automatically takes steps to protect your encrypted data when it senses an unauthorized user. If someone repeatedly fails to login, PC Lock detects successive failures and will automatically take steps to protect encrypted data. These steps include destroying essential elements of the decryption key rendering access to the data impossible.<br
/> <strong><br
/> Protects against “Cold Boot Attacks”</strong><br
/> The “Cold Boot” phenomenon occurs because other encryption software leaves encryption keys in RAM even when a PC is password protected by a screen saver, sleeping or hibernating. PC Lock deletes keys and overwrites them with random data during transitions to other power states ensuring they cannot be recovered in a cold boot situation.<br
/> <strong><br
/> Protects against Hackers</strong><br
/> The PC Lock password is separate and different than the Windows password. So, even if a hacker is able to login to your Windows user account, they will also have to know your PC Lock password to unlock your data, which if they fail at guessing a set number of times (determined by the user in the Web Management Console) then PC Lock will trigger the key deletion to protect your data.</p></blockquote><p>I like this approach as I&#8217;ve always been uneasy about EFS having lost data to it about 10 years ago.  The thought of having encryption that&#8217;s tied to your Windows log-in on a specific computer is a bit dangerous so I&#8217;ll certainly be giving LapLink PC Lock a try.  The additional peace of mind of having the web console with remote wipe access is an extra bonus.</p><p>LapLink has been around for decades now and made its name with hardware crossover serial cables that allowed you to easily transfer files from one computer to another (this was in the days before modern networks).  Now to celebrate the company&#8217;s 28th anniversary they&#8217;re giving away PC Lock completely free for 24 hours (Monday 16th May 2011).  After that it will be available at a discounted rate of $14.95 for a period before returning to the full retail price of $29.99.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/laplink-pc-lock-free1.png" alt="laplink-pc-lock-free" title="laplink-pc-lock-free" width="600" height="333" class="alignnone size-full wp-image-45183" /></p><p>If you value your data and keep personal files on your home or work PC or on your laptop or tablet then you should grab PC Lock while it&#8217;s free, you can get it here at www.laplink.com/pclock.  We all keep personal files on our computers and the thought of being able to log into a cloud management console on my smartphone and remotely wipe a device makes this not just a bargain, but potentially the software we must <em>all</em> have on our computers.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/16/new-laplink-pc-lock-software-24hr-giveaway/feed/</wfw:commentRss> <slash:comments>14</slash:comments> </item> <item><title>SecretSync, Security Layer To Protect Sensitive Files On Dropbox</title><link>http://www.ghacks.net/2011/05/09/secretsync-security-layer-to-protect-sensitive-files-on-dropbox/</link> <comments>http://www.ghacks.net/2011/05/09/secretsync-security-layer-to-protect-sensitive-files-on-dropbox/#comments</comments> <pubDate>Mon, 09 May 2011 15:13:36 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[dropbox]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[file synchronization]]></category> <category><![CDATA[secret sync]]></category> <category><![CDATA[windows software]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44917</guid> <description><![CDATA[The popular file synchronization and hosting service Dropbox encrypts all uploaded files and folders automatically to protect against network snooping and other forms of attack and unauthorized access to those files. Dropbox recently changed their terms of service which confirmed that the company was able to decrypt files that you upload to Dropbox, for instance to [...]]]></description> <content:encoded><![CDATA[<p>The popular file synchronization and hosting service Dropbox encrypts all uploaded files and folders automatically to protect against network snooping and other forms of attack and unauthorized access to those files. Dropbox recently changed their terms of service which confirmed that the company was able to decrypt files that you upload to Dropbox, for instance to comply with law enforcement.</p><p>The chance that someone may look through your files may not be that enticing to you, especially if you have uploaded sensitive information to Dropbox.</p><p>Encryption is the best option if you want to sync sensitive or confidential files with Dropbox. Encrypted files can only be accessed by authorized users who have the right key to decrypt the files.</p><p>I have demonstrated in the past how to encrypt files that you sync with Dropbox with the help of the Open Source software True Crypt (<a
href="http://www.ghacks.net/2011/04/22/storing-data-in-the-cloud-with-dropbox-and-truecrypt/">sync confidential files with Dropbox</a>). The process was lengthy, technical and not very comfortable, especially for users who have never worked with True Crypt before.</p><p>SecretSync is a standalone software programmed in Java that offers a more comfortable file storing solution. It is basically an add-on service for Dropbox that will automatically encrypt files for you before they are synced with Dropbox.</p><p>First time users need to create an account on first run. A username and password is mandatory for the account creation. Security can be improved further by adding a passphrase to the account.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/secret-sync.png" alt="secret sync" title="secret sync" width="460" height="410" class="alignnone size-full wp-image-44918" /></p><p>All of that information needs to be entered on every computer that Secret Sync is installed on, to gain access to the encrypted files on those systems.</p><p>Secret Sync creates a new folder on the user system and links that folder to the Dropbox folder. All files placed inside the Secret Sync folder will be encrypted before they are moved and synced with Dropbox.</p><p>Files moved or copied into the Secret Sync folder are encrypted with 256-bit AES encryption. Files are only decrypted on the user&#8217;s computer systems, and not on Dropbox.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/confidential-files-dropbox.png" alt="confidential files dropbox" title="confidential files dropbox" width="546" height="166" class="alignnone size-full wp-image-44920" /></p><p>Anyone accessing the files directly on Dropbox only gets garbage from that point on because of the encryption that is in place online. These files can also not be opened on systems where Dropbox is installed, but Secret Sync is not.<br
/> Dropbox would sync those files normally, but since they remain encrypted it is not possible to access them on those systems.</p><p>The core advantage of using Secret Sync over a manual solution is that it is way more comfortable to use. All you need to do is install the software, create an account and you are set to go. This does not take longer than a minute at most.</p><p>It is even easier on additional systems as you only need to supply your username, password and optionally the passphrase that you have configured during the first installation of the service.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/dropbox-encryption1.png" alt="dropbox encryption" title="dropbox encryption" width="600" height="365" class="alignleft size-full wp-image-44939" /></p><p>All files that you move into the Secret Sync folder on your hard drive (the one outside of the Dropbox folder) will be automatically encrypted by the application before they are synced with Dropbox.</p><p>You get nothing if you try to open the files on Dropbox directly, while they open fine on the local computer.</p><p>This method has a disadvantage though that needs to be addressed. Secret Sync can only do its magic if the program is running in the background. The Windows beta version is using roughly 30 Megabytes of RAM. You may also need to add Java to the equation as it needs to be running as well.</p><p>The program runs silently in the background with no user interface to stop or start it. If you want to close the program, you need to kill it in the Windows Task Manager. This may change considering that this release is a beta version and not the final product.</p><p>Secret Sync is only available for Windows currently, but the developers have promised that Mac and Linux versions will be offered soon on the program homepage as well.</p><p>You can download the Windows release <a
href="http://getsecretsync.appspot.com/download/lifehacker/">from this</a> page (via <a
href="http://lifehacker.com/5799313/secretsync-secures-your-sensitive-files-before-syncing-them-to-dropbox-and-weve-got-beta-invites">Lifehacker</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/09/secretsync-security-layer-to-protect-sensitive-files-on-dropbox/feed/</wfw:commentRss> <slash:comments>13</slash:comments> </item> <item><title>Storing Data In The Cloud With Dropbox And TrueCrypt</title><link>http://www.ghacks.net/2011/04/22/storing-data-in-the-cloud-with-dropbox-and-truecrypt/</link> <comments>http://www.ghacks.net/2011/04/22/storing-data-in-the-cloud-with-dropbox-and-truecrypt/#comments</comments> <pubDate>Fri, 22 Apr 2011 15:55:27 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Tutorials Basic]]></category> <category><![CDATA[cloud storage]]></category> <category><![CDATA[dropbox]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[true-crypt]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44246</guid> <description><![CDATA[In Why You Need To Protect Your Data In The Cloud I have explained why it is important to protect data that you upload to the cloud. In this guide, I will show you how to implement one of the suggestions: Encryption. I&#8217;m using the cloud hosting and synchronization service Dropbox and the Open Source [...]]]></description> <content:encoded><![CDATA[<p>In <a
href="http://www.ghacks.net/2011/04/22/why-you-need-to-protect-your-data-in-the-cloud/">Why You Need To Protect Your Data In The Cloud</a> I have explained why it is important to protect data that you upload to the cloud. In this guide, I will show you how to implement one of the suggestions: Encryption. I&#8217;m using the cloud hosting and synchronization service Dropbox and the Open Source encryption software TrueCrypt for the example. In the end, you should be able to use the same method to protect data with your encryption software and cloud hosting provider of choice.</p><p>Let&#8217;s take a look at the basics first. If you are a free Dropbox user, you get 2 Gigabytes of space. That&#8217;s usually more than enough to store documents and files in the cloud. Dropbox uses encryption to protect data on their servers from unauthorized access. As I pointed out before, that may not be sufficient considering that the company may decrypt all files in a legal process, which also means there is a chance that an attacker might do the same. (<a
href="http://blog.dropbox.com/?p=735">Dropbox</a> has responded to the issue)</p><p>TrueCrypt is an Open Source encryption software for Windows, Linux and Macintosh that can encrypt data containers or full hard drives or hard drive partitions. Since we only have a maximum of 2 Gigabytes of storage on Dropbox, we need to create an encrypted container to store our files in.</p><p>The basic idea is therefore the following: We create a TrueCrypt container on the local system. The size depends on your preferences; I would suggest keeping it as small as possible. If you run out of space you can either <a
href="http://www.ghacks.net/2010/07/28/increase-size-of-true-crypt-container-instantly/">increase the size of the TrueCrypt container</a> or create a second container to store additional data in. My suggestion is a maximum size of 500 Megabytes, if you can live with less select that number. My personal container has a size of 100 Megabytes.</p><p>Download the latest version of True Crypt <a
href="http://www.truecrypt.org/">from the</a> developer website. Install it and run it after installation. Locate the Create Volume button in the interface and click on it.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/04/create-truecrypt-volume.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/create-truecrypt-volume-570x490.jpg" alt="create truecrypt volume" title="create truecrypt volume" width="570" height="490" class="alignnone size-medium wp-image-44247" /></a></p><p>Click Next two times on the following screens to create an encrypted file container with a standard TrueCrypt volume (those are the default options). Click Select File and browse to a location where you want to create the new container. <strong>Make sure it is not in the Dropbox folder if Dropbox is running.</strong> You can name the container any way you want, e.g. holiday2010.avi.</p><p>Click Next on the encryption options page unless you want to change the encryption algorithm or hash algorithm. Select the volume size on the next screen. I suggest you keep it at a few hundred Megabytes tops.</p><p>You need to enter a secure password on the next screen. It is suggested to use as many characters as possible (24+) with upper and lower letters, numbers and special characters. The maximum length of a True Crypt password is 64 characters.</p><p>Now it is time to select the volume format on the next screen. If you only use Windows computers you may want to select NTFS as the file system. If you use others you may be better off with FAT. Juggle the mouse around a bit and click on format once you are done with that.</p><p>Congratulations, the new True Crypt volume has been created.</p><p>Move your unmounted new data container to the Dropbox folder. That folder, but not its contents since Dropbox cannot access those, will now be synced with your space in the cloud. It can take minutes to hours depending on the upload speed of your Internet connection and the size of the container that you have created.</p><p>But this is a one-time transfer. Dropbox will only transfer the changed bits after the first upload. 
This is theoretically a security risk as well but it would require lots of energy and dedication which means it usually can be neglected for personal data.</p><p>You can now mount the container on your local system and use it normally just like any other True Crypt volume. You can add, delete or edit files in it. Whenever you unmount it, it gets synced with your Dropbox account. This means that you need to unmount it regularly before you shut down the computer in order to sync the data with Dropbox.</p><p>Install True Crypt on all your other devices to access the encrypted volume there as well. You can also copy a portable version of True Crypt to the Dropbox for direct access without installation.</p><h3>Problems</h3><p>The biggest problem is that you cannot access the encrypted data on Dropbox&#8217;s web interface anymore. All you see is that one big encrypted container that you cannot access because you cannot run True Crypt on the cloud. There is no way around it: You either use the encrypted container for additional security, or trust the standard Dropbox encryption to access the data on the web interface as well.</p><p>You also need to make sure to mount the encrypted data container on one computer at a time. Dropbox would otherwise create a copy of the file in the Dropbox folder which would cause files to become out of sync.</p><h3>Verdict</h3><p>If you want that extra bit of security, and eliminate the minor chance that someone manages to decrypt your data on Dropbox, or that Dropbox decrypts the data for law enforcement, then your best bet is third party encryption of the data. 
It may sound complex and complicated to set up, but it is a straightforward process that&#8217;s done in less than five minutes.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/22/storing-data-in-the-cloud-with-dropbox-and-truecrypt/feed/</wfw:commentRss> <slash:comments>23</slash:comments> </item> <item><title>Why You Need To Protect Your Data In The Cloud</title><link>http://www.ghacks.net/2011/04/22/why-you-need-to-protect-your-data-in-the-cloud/</link> <comments>http://www.ghacks.net/2011/04/22/why-you-need-to-protect-your-data-in-the-cloud/#comments</comments> <pubDate>Fri, 22 Apr 2011 10:18:45 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[cloud]]></category> <category><![CDATA[cloud hosting]]></category> <category><![CDATA[cloud storage]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[online storage]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44238</guid> <description><![CDATA[Several events recently have shown some of the weaknesses, or dangers, of cloud based hosting, and the need for information and guides to aid users in protecting their data in the cloud. To keep it simple: The cloud in the context of this article refers to all remote storage locations that you do not have [...]]]></description> <content:encoded><![CDATA[<p>Several events recently have shown some of the weaknesses, or dangers, of cloud based hosting, and the need for information and guides to aid users in protecting their data in the cloud. To keep it simple: The cloud in the context of this article refers to all remote storage locations that you do not have full control over. This includes your Dropbox account, your videos on Youtube or the data that you upload to Facebook.</p><p>About those events: Dropbox was in the news lately; The cloud storage hosting and synchronization service <a
href="http://blog.dropbox.com/?p=735">recently</a> changed their terms of service to better reflect that they decrypt user data stored on Dropbox to comply with valid legal process and U.S. law. This currently affects about one user per month on Dropbox. Dropbox uses strong AES encryption automatically to encrypt all data transfers and data on their servers.</p><p>Dropbox came under fire earlier this month when a <a
href="http://www.ghacks.net/2011/04/13/dropbox-insecure/">security researcher</a> found out that Dropbox&#8217;s local authentication file was not linked to a specific system. Attackers could use the file on other compatible devices to sync all data from a Dropbox account without authenticating. What made matters worse was the fact that the access was not listed in Dropbox&#8217;s access history, and that changing the password did not invalidate that file.</p><p>And then there was Google who announced that they would close down Google Video for good. Users were given time to download their uploaded videos from the service for a period of about four weeks. After that, the videos and all stored information would be no longer available on the Internet.</p><p>These unrelated events outline two major cloud hosting dangers: Data availability and security.</p><h3>Data Availability</h3><p>Who would have thought that Google Video would be discontinued one day? Sure, it became pretty obvious after the purchase of Youtube, but before that? Closing down a service is an extreme but it happens frequently. You see services going down for a limited period of time more often than that. It recently hit Amazon&#8217;s cloud storage service which caused service disruptions for popular destinations such as Foursquare or Quora.</p><p>You may still believe that sites like Facebook will be there forever. Look at MySpace for instance to see that the logic is flawed. The site is still there but what was once the most popular social networking site on the Internet is now fighting for survival. If it goes down, so will data of all of its users.</p><p>Your consequence should be obvious: Keep a local copy of data that you hold dear. You can use <a
href="http://www.ghacks.net/2009/04/26/the-10-best-windows-backup-software-programs/">backup software</a> to store the data in safe locations locally, for instance on DVD or an external hard drive.</p><p>Businesses should keep local copies as well, considering that a service disruption might otherwise cut them off from data that they need to run the business. So, instead of relying solely on cloud storage to store contact information, important documents or applications, they need to make those available locally as well to be prepared when the cloud service goes temporarily or permanently down.</p><p><strong>Suggested Actions</strong></p><ul><li>Local Backups and copies of data</li><li>Regular backups or synchronization of data</li></ul><h3>Security</h3><p>Data security is the second big issue that you need to address to protect your data in the cloud. Some users say you should not upload anything to the cloud that needs to be kept secure and protected from third party access. While that&#8217;s sound advice, it is not always as easy as that.</p><p>The next best thing is to make sure your data is properly encrypted. That&#8217;s on the other hand not possible in all scenarios. Sure, you can encrypt your data before you upload it to a storage solution like Dropbox or Microsoft&#8217;s SkyDrive. But you cannot encrypt videos that you upload to Youtube, or text that you publish on your Facebook wall.</p><p>You need to follow two different approaches when it comes to securing your data in the cloud. You encrypt what you can, usually files that you have direct access to. I suggest <a
href="http://www.ghacks.net/2010/07/20/true-crypt-7-0-adds-hardware-acceleration-auto-mounting/">True Crypt</a> for the job but you can use other encryption software as long as it is updated regularly.</p><p>I&#8217;m going to write a separate article on encrypting Dropbox data with True Crypt.</p><p>You need to evaluate data that you post in semi-public or public places, and data that you do not have direct control of once you have uploaded it to the cloud. This includes Youtube videos, wall posts on Facebook, a comment on a third party site or showing everyone your favorite artists on Last.fm.</p><p>You may have control over deletion on some services, but that does not mean that the data is gone for good. Someone may have read and liked your Facebook wall post or someone may have downloaded your Youtube video and published it on another video hosting site. You lose full control over your data as soon as you upload it to a semi-public or public place on the Internet.</p><p>There is not really a lot you can do once you have uploaded the data. Some services charge a premium to get data removed from the Internet, but even they cannot guarantee that every last bit gets removed.</p><p><strong>Suggested Actions</strong></p><ul><li>Encrypting data whenever possible</li><li>Evaluate data before you post it online</li></ul><h3>Closing Words</h3><p>Hosting data in the cloud can be very beneficial for individuals and businesses alike. The benefits have however overshadowed some of the dangers of storing data online. 
The dangers become more present as more and more people and organizations move to the cloud, and with news that put the focus on those dangers.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/22/why-you-need-to-protect-your-data-in-the-cloud/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> <item><title>Toshiba Self-Encrypting Hard Drives With Host Authorization</title><link>http://www.ghacks.net/2011/04/20/toshiba-self-encrypting-hard-drives-with-host-authorization/</link> <comments>http://www.ghacks.net/2011/04/20/toshiba-self-encrypting-hard-drives-with-host-authorization/#comments</comments> <pubDate>Wed, 20 Apr 2011 08:31:40 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Hardware]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[hard-drives]]></category> <category><![CDATA[toshiba]]></category> <category><![CDATA[wipe]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44134</guid> <description><![CDATA[The best way to protect data on one of your storage devices is to encrypt it. There are several free solutions out there, for instance by using the Open Source encryption software True Crypt, to protect data from unauthorized access. While it is not a problem for tech savvy users like you and me to [...]]]></description> <content:encoded><![CDATA[<p>The best way to protect data on one of your storage devices is to encrypt it. There are several free solutions out there, for instance by using the Open Source encryption software True Crypt, to protect data from unauthorized access.</p><p>While it is not a problem for tech savvy users like you and me to encrypt a disk drive with encryption software, it may very well be one for normal computer users.</p><p>But even with encryption there is the chance that third parties may find ways to access the data on the hard drive, for instance by brute forcing the password or placing a trojan or other malicious code on a system.</p><p>Toshiba recently announced a new generation of self-encrypting drives with several advanced features that offer more than hardware data encryption.</p><p>The drives can be configured to only work on known host systems. Any attempt to connect them to an unknown host would automatically render the data on the drives useless.</p><p>The drives have been specifically designed to &#8220;address the increasing need for IT departments to comply with privacy laws and regulations governing data security&#8221; and are &#8220;ideally suited for PC, copier and multi-function printer, and point of sale systems used in government, financial, medical or similar environments&#8221;.</p><p>Drives can be configured to deny access or erase sensitive data if the authentication process fails. This would for instance be the case if someone connected the hard drive to an unauthorized computer system.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/04/toshiba-self-encrypting-drives.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/toshiba-self-encrypting-drives-550x240.jpg" alt="toshiba self-encrypting drives" title="toshiba self-encrypting drives" width="550" height="240" class="alignnone size-medium wp-image-44135" /></a></p><p>The hard drives will be offered with capacities between 160 Gigabytes and 640 Gigabytes, 7200 RPM, 16 Megabyte buffer and a Serial ATA 3.0 Gbps interface. All drives use the AES 256 encryption algorithm to protect data from unauthorized access.</p><p>The drives will be made available in the coming months, and will be first made available to OEMs and ISVs. The press release is available here.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/20/toshiba-self-encrypting-hard-drives-with-host-authorization/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>Disguising True Crypt Volumes In MP4 Videos</title><link>http://www.ghacks.net/2011/04/12/disguising-true-crypt-volumes-in-mp4-videos/</link> <comments>http://www.ghacks.net/2011/04/12/disguising-true-crypt-volumes-in-mp4-videos/#comments</comments> <pubDate>Tue, 12 Apr 2011 16:55:11 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[mp4]]></category> <category><![CDATA[python]]></category> <category><![CDATA[true-crypt]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=43828</guid> <description><![CDATA[I have reviewed TCHunt yesterday, a free program to scan a computer system for unmounted True Crypt containers. The program can be used to prove the existence of an encrypted container on a one of the connected storage devices. What it cannot do is to decrypt the data, but proof of existence of an encrypted [...]]]></description> <content:encoded><![CDATA[<p>I have reviewed <a
href="http://www.ghacks.net/2011/04/11/tchunt-search-for-truecrypt-volumes/">TCHunt</a> yesterday, a free program to scan a computer system for unmounted True Crypt containers. The program can be used to prove the existence of an encrypted container on one of the connected storage devices. What it cannot do is to decrypt the data, but proof of existence of an encrypted volume may be enough to get you into trouble.</p><p>It was only a matter of time until someone came up with a concept to hide the existence of a True Crypt volume on the computer. A method has been described in detail in February, months before the release of the TCHunt application.</p><p>TCSteg basically hides the True Crypt container inside an MP4 video file. Even better, that mp4 video is still playable which makes it more plausible that the file is indeed just a video and not host for an encrypted True Crypt volume.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/04/hide-true-crypt-volume.png"><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/hide-true-crypt-volume.png" alt="hide true crypt volume" title="hide true crypt volume" width="506" height="414" class="alignnone size-full wp-image-43838" /></a></p><p>There are still some limitations though, for instance a limitation to a maximum file size of 4 Gigabytes, or the fact that someone who would monitor the bitrate of the video could identify the manipulation. The method however makes it less likely that someone will find the hidden True Crypt container on the system, as it renders software such as TCHunt useless.</p><p>The method combines the mp4 file with the True Crypt container, or to be more precise, the hidden volume of the True Crypt container. You may remember that you can create a hidden volume inside a True Crypt container for that extra bit of security? Exactly that volume is used for the process, the outer volume will not be used at all.</p><p>A Python script has been created that handles all the file merging; you can download it from the developer website. You also need a solid quality mp4 video file that&#8217;s encoded efficiently to make the combined file size more plausible.</p><p>You then create a True Crypt container and a hidden volume and give it a .mp4 name. You should follow the instructions on the developer site to the letter for maximum efficiency, for instance to select a plausible total size for the True Crypt volume and to select the maximum possible size for the hidden volume.</p><p>You run the Python script with the following command:</p><p><code>python tcsteg.py RealVideo.mp4 TrueCryptContainer.mp4</code></p><p>where RealVideo.mp4 is the mp4 video that you want to use for the disguise, and TrueCryptContainer.mp4 the encrypted True Crypt container.</p><p>Windows users need to first install <a
href="http://www.python.org/download/windows/">Python</a> before they can run the Python script.</p><p>The process combines the two files, and the end result should be that you can still play the resulting file in a video player and that you can mount the hidden True Crypt volume inside that video.</p><p>Additional instructions and the Python script are <a
href="http://keyj.s2000.at/?p=458">available at the</a> developer&#8217;s website.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/12/disguising-true-crypt-volumes-in-mp4-videos/feed/</wfw:commentRss> <slash:comments>9</slash:comments> </item> <item><title>TCHunt, Search For TrueCrypt Volumes</title><link>http://www.ghacks.net/2011/04/11/tchunt-search-for-truecrypt-volumes/</link> <comments>http://www.ghacks.net/2011/04/11/tchunt-search-for-truecrypt-volumes/#comments</comments> <pubDate>Mon, 11 Apr 2011 18:04:09 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[Open Source]]></category> <category><![CDATA[true crypt volume]]></category> <category><![CDATA[true-crypt]]></category> <category><![CDATA[windows software]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=43801</guid> <description><![CDATA[TCHunt is a small portable application that can be used to find encrypted True Crypt volumes on the system. It has been specifically designed to demonstrate the possibility of finding True Crypt volumes even if they are not mounted and well disguised by the user. With True Crypt, it is possible to encrypt a partition [...]]]></description> <content:encoded><![CDATA[<p>TCHunt is a small portable application that can be used to find encrypted True Crypt volumes on the system. It has been specifically designed to demonstrate the possibility of finding True Crypt volumes even if they are not mounted and well disguised by the user. With True Crypt, it is possible to encrypt a partition of a hard drive, or a specific amount of storage space which is stored in a container file on a storage device.</p><p>These volumes can have sizes from 19 Kilobytes onwards and completely arbitrary file names and extensions. The program has been designed to show that it is possible to identify those True Crypt containers even if they are reasonably small and disguised by the user. It is more or less impossible to verify the existence of a True Crypt container without technical help unless the container itself is rather large or placed in a location where it can be easily identified. While it is possible to analyze each possible container file on a system, it would take a very long time to do so.</p><p>TCHunt scans a selected folder or partition on the computer for the following four attributes that are part of every TrueCrypt volume:</p><ul><li>The suspect file size modulo 512 must equal zero.</li><li>The suspect file size is at least 19 KB in size (although in practice this is set to 5 MB).</li><li>The suspect file contents pass a chi-square distribution test.</li><li>The suspect file must not contain a common file header.</li></ul><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/04/tchunt.png"><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/tchunt-550x323.png" alt="tchunt" title="tchunt" width="550" height="323" class="alignnone size-medium wp-image-43802" /></a></p><p>You need to accept the terms of service on start before you can use the folder browser to select a root folder for the scan. The application scans all files based on the attributes above and reports its findings back in the program interface. Not all files that are found are True Crypt containers, but you can be sure that all True Crypt containers stored under the selected root folder are found during the scan.</p><p>The program ignores the file name and extension completely, which many True Crypt users use to disguise the volume on the computer system. The program can also be helpful if you forgot where you placed your own True Crypt volume on a system, as it can reveal that location to you.</p><p>TCHunt demonstrates that it is possible to detect True Crypt volumes even if they are not mounted on the system. It stops here however, as it cannot brute force or bypass the encryption itself. True Crypt users should take note that it is possible to detect those volumes, and the True Crypt developers should consider randomizing the volumes if possible to avoid that detection.</p><p><a
href="http://16s.us/TCHunt/how/">True Crypt Hunt</a> is available for the Windows operating system. The source code of the program is available for download on the website as well. According to the developer&#8217;s site the program is only compatible with Windows 7.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/11/tchunt-search-for-truecrypt-volumes/feed/</wfw:commentRss> <slash:comments>8</slash:comments> </item> <item><title>Encrypt Your Windows Pagefile To Improve Security</title><link>http://www.ghacks.net/2011/04/04/encrypt-your-windows-pagefile-to-improve-security/</link> <comments>http://www.ghacks.net/2011/04/04/encrypt-your-windows-pagefile-to-improve-security/#comments</comments> <pubDate>Mon, 04 Apr 2011 19:53:05 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[fsutil]]></category> <category><![CDATA[pagefile]]></category> <category><![CDATA[windows tips]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=43459</guid> <description><![CDATA[There is nothing better than encrypting the system partition and all other partitions if you want to protect your files from unauthorized access. There are still ways around this but they require specialized equipment and access to the PC. Regular users on the other hand may be better off encrypting only their important documents and [...]]]></description> <content:encoded><![CDATA[<p>There is nothing better than encrypting the system partition and all other partitions if you want to protect your files from unauthorized access. There are still ways around this but they require specialized equipment and access to the PC. Regular users on the other hand may be better off encrypting only their important documents and files, and other areas of the operating system that may reveal information about those files.</p><p>One of those is the Windows Pagefile, which is basically a hard drive cache for files. The file is used by Windows even if your computer has enough memory available. It is possible to delete the Pagefile on exit, but that does not guarantee that the information it contains cannot be recovered.</p><p>The only possible solution next to encrypting the system partition? Encrypting the page file. This thankfully can be done with the Windows program fsutil that is installed with the operating system.</p><h3>Encrypt the Pagefile</h3><p>Please note that the pagefile can only be encrypted if the containing hard drive uses the NTFS file system. The majority of Windows Vista and Windows 7 PCs should use NTFS file systems.</p><p>You need to open an elevated command prompt by clicking on the <strong>start orb</strong>, then <strong>All Programs > Accessories</strong>. Locate <strong>Command Prompt</strong> in the listing, right-click the program and select <strong>Run as administrator</strong> from the context menu. 
This is the way in Windows 7, it may be slightly different if you use a different version of Windows.</p><p>Issue the following command to encrypt the pagefile in Windows:</p><p><code>fsutil behavior set EncryptPagingFile 1</code></p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/04/encrypt-pagefile.png"><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/encrypt-pagefile.png" alt="encrypt pagefile" title="encrypt pagefile" width="555" height="209" class="alignnone size-full wp-image-43460" /></a></p><p>You need to restart the PC before the change takes effect.</p><h3>Check the Pagefile for encryption</h3><p>You can also check if the pagefile is encrypted. For that issue the following command.</p><p><code>fsutil behavior query EncryptPagingFile</code></p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/04/encrypt-windows-pagefile.png"><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/encrypt-windows-pagefile.png" alt="encrypt windows pagefile" title="encrypt windows pagefile" width="555" height="209" class="alignnone size-full wp-image-43461" /></a></p><p>A return value of 1 indicates that the pagefile is encrypted, 0 would indicate that it is not encrypted.</p><h3>Remove Pagefile encryption</h3><p>You can also remove the encryption of a pagefile again. This is done with the command</p><p><code>fsutil behavior set EncryptPagingFile 0</code></p><p>The pagefile is encrypted with the Encrypting File System (EFS) which provides the file encryption technology on NTFS volumes.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/04/encrypt-your-windows-pagefile-to-improve-security/feed/</wfw:commentRss> <slash:comments>13</slash:comments> </item> <item><title>How To Backup True Crypt Data To Be Prepared For Emergencies</title><link>http://www.ghacks.net/2011/03/28/how-to-backup-true-crypt-data-to-be-prepared-for-emergencies/</link> <comments>http://www.ghacks.net/2011/03/28/how-to-backup-true-crypt-data-to-be-prepared-for-emergencies/#comments</comments> <pubDate>Mon, 28 Mar 2011 12:26:37 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Tutorials Basic]]></category> <category><![CDATA[backup]]></category> <category><![CDATA[backup true crypt]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[true-crypt]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=43151</guid> <description><![CDATA[I have been using the encryption software True Crypt for years and ran only once into a situation where I nearly lost all the data on one of the partitions. Back then the header of the volume became corrupt, but since I had a backup of the header I was able to restore it so [...]]]></description> <content:encoded><![CDATA[<p>I have been using the encryption software True Crypt for years and ran only once into a situation where I nearly lost all the data on one of the partitions. Back then the header of the volume became corrupt, but since I had a backup of the header I was able to restore it so that I could access the data on the volume again.</p><p>Generally speaking, you have three different situations that you need to be prepared for: Corrupt or overwritten headers, data loss on the hard drive and forgetting the True Crypt password.</p><p>A few years ago a friend of mine accidentally quick formatted a True Crypt encrypted partition on his computer which had the consequence that all data on the disk became inaccessible since he did not have a backup header.</p><p>To avoid those horror scenarios, backups are important. Here is what you can do to prepare for True Crypt emergencies:</p><h3>True Crypt Password</h3><p>If you forget the password, the data on the True Crypt volume becomes inaccessible. You have two options here to avoid this worst case scenario. You can either write down your password in a secure location, or create a backup header with a different, basic password. Both options are not ideal as it gives attackers more options to discover the password.</p><blockquote><p>After you create a volume, back up its header to a file (select Tools -> Backup Volume Header) before you allow a non-admin user to use the volume. Note that the volume header (which is encrypted with a header key derived from a password/keyfile) contains the master key with which the volume is encrypted. 
Then ask the user to choose a password, and set it for him/her (Volumes -> Change Volume Password)</p></blockquote><p>It is generally not advised to create a second header with a different, weaker password for emergencies. You could write down the password and store it in a safe location, for instance at your parent&#8217;s house or a friend&#8217;s house.</p><h3>Backing Up True Crypt Headers</h3><p>True Crypt headers can be backed up and restored. This is important if the partition header becomes corrupt or is changed by malicious code or tools like format that modify the header. A click on Tools in the main True Crypt application window displays the options to back up and restore the True Crypt header.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/03/true-crypt-backup.png"><img
src="http://www.ghacks.net/wp-content/uploads/2011/03/true-crypt-backup-550x473.png" alt="true crypt backup" title="true crypt backup" width="550" height="473" class="alignnone size-medium wp-image-43152" /></a></p><p>Keep in mind that the header is worthless without the password. To back up the header, select Tools > Backup Volume Header after selecting an unmounted True Crypt volume (via Select File or Select Device). The Restore Volume Header function works in a similar fashion.</p><h3>Backup data on a True Crypt volume</h3><p>The third and final preparation is to back up the data that is stored on a True Crypt volume. True Crypt volumes are affected by hard disk failures just like any other storage device. You should therefore back up important data regularly. Since the data is encrypted, it is recommended to back up the data on another encrypted volume.</p><p>The suggested way is to create another encrypted True Crypt volume that matches or exceeds the size of the original volume. You then mount both volumes and copy the data from the old volume to the new volume. It is highly suggested that the new volume is located on another drive, local or network, or backed up on backup media like external hard drives, optical discs or the cloud / ftp servers.</p><p>The True Crypt documentation <a
href="http://www.truecrypt.org/docs/?s=how-to-back-up-securely">contains</a> a guide on how to back up both standard True Crypt volumes and system volumes.</p><h3>Closing Words</h3><p>These three steps ensure that you can restore data or the full True Crypt volume in case of corruption or hard drive failures. Anything to add? Let me know in the comments.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/03/28/how-to-backup-true-crypt-data-to-be-prepared-for-emergencies/feed/</wfw:commentRss> <slash:comments>14</slash:comments> </item> <item><title>Solid State Drives And Encryption, A No-Go?</title><link>http://www.ghacks.net/2011/02/23/solid-state-drives-and-encryption-a-no-go/</link> <comments>http://www.ghacks.net/2011/02/23/solid-state-drives-and-encryption-a-no-go/#comments</comments> <pubDate>Wed, 23 Feb 2011 09:18:00 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[solid state drive]]></category> <category><![CDATA[ssd]]></category> <category><![CDATA[true-crypt]]></category> <category><![CDATA[wear leveling]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=40127</guid> <description><![CDATA[Modern Solid State Drives are faster than their platter-driven brethren. They have additional advantages, like being completely silent when operating and being more shock-proof. The disadvantages are the high price per Gigabyte of storage space and unreliability when it comes to erasing or deleting data from the storage media. Especially the latter point can [...]]]></description> <content:encoded><![CDATA[<p>Modern Solid State Drives are faster than their platter-driven brethren. They have additional advantages, like being completely silent when operating and being more shock-proof. The disadvantages are the high price per Gigabyte of storage space and unreliability when it comes to erasing or deleting data from the storage media. Especially the latter point can have severe security implications.</p><p>A <a
href="http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf">recent study</a> of the Department of Computer Science and Engineering at the University of California came to the conclusion that individual file sanitizing techniques were ineffective on SSDs and that built-in disk sanitizing techniques were effective if implemented correctly, which was not always the case.</p><p>But this article is about encryption and Solid State Drives; read on to see how the findings impact encryption as well.</p><p>The makers of the open source encryption software True Crypt for instance recommend that &#8220;TrueCrypt volumes are not created/stored on devices (or in file systems) that utilize a wear-leveling mechanism (and that TrueCrypt is not used to encrypt any portions of such devices or filesystems)&#8221;.</p><p>They basically ask their users to use True Crypt on conventional hard drives only and not on Solid State Drives and other Flash storage devices.</p><p>Why are they recommending that? For that, we need to take a look at how data is saved to SSDs.</p><p>Solid state drives use a technology called wear leveling to extend the lifetime of the device. Storage sectors on Flash drives have a limited number of write cycles, which means that eventually they cannot be written to anymore. Wear leveling is used to avoid heavy use of specific sectors. With Solid State Drives it&#8217;s not possible to save data to a specific sector of the drive. The wear leveling mechanism makes sure that the data is evenly distributed on the drive.</p><p>This means that it is theoretically possible that data is stored multiple times on the drive. If you change the TrueCrypt volume header, for instance, the old header may still be accessible on the drive, as it is not possible to overwrite it individually. Attackers could exploit this if they have found the old header. A basic example.
Let&#8217;s say you have encrypted your SSD and found out that a trojan recorded the password or keyfile that you use to access the encrypted data.</p><p>All you need to do on conventional hard drives is to create a new password or keyfile to resolve the issue and protect the data from access. On solid state drives, however, it may still be possible to extract the old header and use it to access the data with the stolen password or keyfile.</p><p>But what if the drive is empty before you use it? What if you plan to erase it securely if it is compromised?</p><p>Even this may not be sufficient. First, we already established that some &#8220;secure erase&#8221; tools offered by manufacturers of SSDs implement the technology incorrectly, which means that the data may still be accessible after the operation.</p><p>TrueCrypt recommends the following precautions prior to encrypting a <strong>blank</strong> Solid State Drive.</p><blockquote><p>Before you run TrueCrypt to set up pre-boot authentication, disable the paging files and restart the operating system (you can enable the paging files after the system partition/drive has been fully encrypted). Hibernation must be prevented during the period between the moment when you start TrueCrypt to set up pre-boot authentication and the moment when the system partition/drive has been fully encrypted.</p></blockquote><p>Even then the makers do not guarantee that this &#8220;will prevent data leaks and that sensitive data on the device will be securely encrypted&#8221;.</p><p>What&#8217;s the conclusion then? It depends. The security implications are probably nothing that home users need to worry about as it requires some technical background and equipment to attack encrypted drives. If you run a business, are a government official or an individual with data that needs to be protected at all costs, then you need to avoid drives with wear leveling for now.</p><p>Have a different opinion?
Let me know in the comments.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/02/23/solid-state-drives-and-encryption-a-no-go/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>BoxCryptor, Dropbox Realtime Encryption</title><link>http://www.ghacks.net/2011/02/08/boxcryptor-dropbox-realtime-encryption/</link> <comments>http://www.ghacks.net/2011/02/08/boxcryptor-dropbox-realtime-encryption/#comments</comments> <pubDate>Tue, 08 Feb 2011 17:15:28 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[boxcryptor]]></category> <category><![CDATA[dropxbox]]></category> <category><![CDATA[encryption]]></category> <category><![CDATA[windows software]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=39711</guid> <description><![CDATA[Some Dropbox users encrypt part of the data to make sure it is protected from unauthorized access. Dropping an encrypted TrueCrypt container into the Dropbox folder is probably the most used solution. Its main advantage is its multi-platform support, its disadvantages the complicated setup and resizing issues (see Resize TrueCrypt Volumes With Extcv, Increase Size [...]]]></description> <content:encoded><![CDATA[<p>Some Dropbox users encrypt part of the data to make sure it is protected from unauthorized access. Dropping an encrypted TrueCrypt container into the Dropbox folder is probably the most used solution. Its main advantage is its multi-platform support, its disadvantages the complicated setup and resizing issues (see <a
href="http://www.ghacks.net/2010/11/25/resize-truecrypt-volumes-with-extcv/">Resize TrueCrypt Volumes With Extcv</a>, <a
href="http://www.ghacks.net/2010/07/28/increase-size-of-true-crypt-container-instantly/">Increase Size Of True Crypt Container Instantly</a> and <a
href="http://www.ghacks.net/2010/11/03/trupax-create-truecrypt-containers-without-true-crypt/">TruPax, Create TrueCrypt Containers Without True Crypt</a> for software solutions that improve the usability of the encryption software).</p><p>Setting up an encrypted BoxCryptor folder is a lot easier. Users need to enter a password which will be used to encrypt and decrypt the data in the folder on the fly. The folder can either be a folder inside the Dropbox folder (selected automatically) or another folder on the hard drive. The folder is mounted as a drive in Windows Explorer, which makes it independently accessible in the file manager.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/02/boxcryptor.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/02/boxcryptor.jpg" alt="boxcryptor" title="boxcryptor" width="447" height="463" class="alignnone size-full wp-image-39713" /></a></p><p>It is possible to move, copy, create and delete files in the folder without container size limitations. That&#8217;s one of the strengths of the software. The size of the folder is only limited by local storage capacities and the available space on Dropbox.</p><p>Files become readable if the correct password is entered into the software. BoxCryptor has been designed with ease of use in mind; users of all experience levels should not have difficulties setting up and using the application.</p><p>The encryption software has limitations that need to be addressed. BoxCryptor is only compatible with the Windows operating system, which means that it is not a suitable solution for multi-platform users. The data can only be encrypted if the software is installed on the system and the correct password is entered by the user. This may not be feasible everywhere, especially if it is prohibited or not possible to install custom software on a computer system.</p><p>BoxCryptor is currently offered as an early alpha release that expires on March 31, 2011. The program falls back to read only mode on that day, which means that it should not be used to encrypt important data unless backups are made regularly.</p><p>Users should monitor the developer website for application updates to update their version of BoxCryptor to avoid the expiration.</p><p><a
href="http://www.boxcryptor.com/">BoxCryptor</a> is only compatible with 32-bit and 64-bit editions of the Microsoft Windows operating system. The application requires the Microsoft .NET Framework 2.0. (<a
href="http://stadt-bremerhaven.de/boxcryptor-on-the-fly-verschluesselung-fuer-dropbox?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+stadt-bremerhaven%2FdqXM+%28Caschys+Blog%29">via</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/02/08/boxcryptor-dropbox-realtime-encryption/feed/</wfw:commentRss> <slash:comments>9</slash:comments> </item> </channel> </rss>
