• 0

Performance and Reliability of TrueCrypt Volumes


Question

I generally have two 10GB partitions that hold important documents and personal work (so generally small files but a very large number of them - some 3000). I am planning to merge them into a 100GB partition that holds multimedia files and store the contents are truecrypt files that I can then mount separately.

I have two questions in relation with this:

1. How reliable is a truecrypt partition? If there is a corruption in a single bit of the file, will the whole volume fail to load? What degree of tolerance can I expect (comparing with NTFS)? I don't really think I need to encrypt my stuff, but I like to follow best practices - since my system is a laptop and since some of the files include copies of very important documents. I'd probably much rather have someone steal my files than me lose access to them at a critical time. I do weekly backups to a non-encrypted external drive.

2. What about performance? What kind of settings (encryption) would give me the best performance for my requirements while not being easily hackable? Would it make sense to keep the volume files on a separate partition to prevent fragmentation? Or is it like once space is allocated to the volume file, truecrypt only overwrites the bits inside it (this is wrt to a volume of fixed size)?

Are there any "exploits" aside from keyloggers and brute-forcing that can give anyone else access to the contents of truecrypt volumes? Since it's open-source, I am not expecting there'd be any backdoors.

Link to comment
Share on other sites

14 answers to this question

Recommended Posts

  • 0

1. How reliable is a truecrypt partition? If there is a corruption in a single bit of the file, will the whole volume fail to load? What degree of tolerance can I expect (comparing with NTFS)? I don't really think I need to encrypt my stuff, but I like to follow best practices - since my system is a laptop and since some of the files include copies of very important documents. I'd probably much rather have someone steal my files than me lose access to them at a critical time. I do weekly backups to a non-encrypted external drive.

The most important part of a Truecrypt partition is the header. Without it, it's impossible to decrypt and access the data. It keeps two versions of the header, one at the beginning of the file and another at the end of the file. You can also backup the header to a separate file.

The data is encrypted in 128-bit (16 byte) blocks. So I'm just guessing, but if a single bit were to change, at most 16 bytes would be corrupted.

Truecrypt files are pretty safe. I would make sure System Restore is enabled on the drive, so you can recover incase anything ever happens to the file (e.g. deleted by accident).

I don't like to use partitions or full drive encryption because it's too easy to accidentally overwrite or format a drive / partition.

2. What about performance? What kind of settings (encryption) would give me the best performance for my requirements while not being easily hackable? Would it make sense to keep the volume files on a separate partition to prevent fragmentation? Or is it like once space is allocated to the volume file, truecrypt only overwrites the bits inside it (this is wrt to a volume of fixed size)?

Truecrypt is very secure using any settings really, as long as you choose a strong password (16+ alphanumeric characters should do). I personally choose AES for encryption and SHA-512 for hash. If you're worried about performance, you can run Tools -> Benchmark and see which algorithm gives the best performance. If you own a PC made in the last few years, especially dual core or greater, performance should be no issue.

TrueCrypt uses fixed size drives, and it allocates the entire file at once and fills it with random data, so fragmentation shouldn't be an issue.

TrueCrypt partitions do create overhead, but it's small enough that you'd probably never notice.

Are there any "exploits" aside from keyloggers and brute-forcing that can give anyone else access to the contents of truecrypt volumes? Since it's open-source, I am not expecting there'd be any backdoors.

Nope. TrueCrypt is the most popular drive encryption software, and as you said, it's open source plus well documented. So the chances of there being any exploits or backdoors is unlikely.

Link to comment
Share on other sites

  • 0

I currently use it for my company files. It has quite a few files in there and I had to boost it from 5gb to 20gb to allow for expansion and space. I have never seen a performance hit or any other issues with the reliability.

I use both a Keyfile and password to protect the disk. When I do this, the keyfile is named to be innocent looking by any casual onlooker. I also carry a copy of it on a thumb drive with me at all times.

One of these days, I will probably move into a security token type of setting similar to what is used in higher security environments.

Just DON'T EVER forget your password or lose your keyfile if you should choose to use it. It will be impossible to get into your file!

Link to comment
Share on other sites

  • 0

The most important part of a Truecrypt partition is the header. ...

Thank you Xinok for answering his questions thoroughly. I have been curious about Truecrypt's reliability for a while now.

From what I've gathered, a Truecrypt volume will not become fully corrupt if only a part of it is damaged, so long as the header for that truecrypt volume is not also corrupted. Seeing as the header is stored at both the beginning and the end, it would be highly unlikely for both of them to corrupt at the same time.

In my opinion, it would be better if the header was also stored in the middle of the truecrypt volume as an additional safeguard against corruption, but I'm not an expert.

One of the downsides I foresee to using a Truecrypt volume to store most files is it would be problematic accessing the files via network unless that volume is mounted on the active system. Otherwise, that volume would need to be copied through the network in its entirety.

Q. Can truecrypt volumes be mounted from another PC from across the network?

Also, one last problem would be accessing the files from a bootable media such as a UBCD.

Q. Can a UBCD include Truecrypt and mount a truecrypt volume through the network?

If anyone can provide answers to those 2 questions, that would be greatly appreciated. :-)

Thanks,

-Neil

Link to comment
Share on other sites

  • 0

Q. Can truecrypt volumes be mounted from another PC from across the network?

http://www.truecrypt.org/docs/?s=sharing-over-network

Q. Can a UBCD include Truecrypt and mount a truecrypt volume through the network?

You can run TrueCrypt from an UBCD. So it's a matter of if the UBCD supports network file sharing. If you're referring to UBCD4Win, that runs off XP. If you're running Windows 7 / Vista, you'd have to configure network sharing to be compatible with XP.

UCBD4Win includes TrueCrypt 6.1, and the latest version is 7.0a. You can run the portable version in UBCD as well, so use Tools -> Travel Disk Setup to make a portable version of the latest TrueCrypt.

Link to comment
Share on other sites

  • 0

To me your thread came down to these.

"I don't really think I need to encrypt my stuff"

"I'd probably much rather have someone steal my files than me lose access to them at a critical time."

"2. What about performance?"

These statements clearly point to you NOT encrypting them. Don't get me wrong I think truecrypt is a great product, and quite useful for where its required -- your statements shout that you have no valid need of encryption.

Best practice comes down to you would encrypt things that require encryption.. You clearly have stated that your stuff does not. Now sure the data encryption companies are going to tell you to encrypt freaking all data no matter where it is.. This is a bit paranoid and overkill and will cause clearly more loss of data then just hardware failure or normal user stupidity - since now you throwing into the mix a way for the user to completely and utterly lock themselves out of their own data with a simple slip of the finger or forgetting a password -- we all know users love to forget passwords ;)

Encryption if going to be any good is going to add overhead in access of the files, be it just the fact of you having to provide some form of auth to access them.. This is added overhead into you accessing your files. And sure could even prevent access even if nothing is corrupted - be it you forgot your password.. Happens quite often to be honest ;) For whatever reason you do not access the volume in a specific amount of time and forget it.. You just having a brainfart the morning after an all night drinking binge, etc ;) Or you are actually using "best practice" and using a password and key file that is not stored with the encrypted volume -- ie off your laptop.. Say a usb thumb drive, floppy, CD, etc. What if you forget or loose the keyfile - now you don't have access to your files ;)

If your files warrant encryption -- clearly their backups warrant encryption too? What if someone breaks into your house and steals your stack of DVDs or backup disk or computer? This clearly happens does it not? So if you files warrant encryption -- why would not all copies of said files no matter their location not warrant encryption?

If you files do not warrant encryption - why are we talking you doing it then? You clearly state

""I'd probably much rather have someone steal my files than me lose access to them at a critical time.""

Well no matter how unlikely you might think it is that you forget your password, or you lose your keyfile or it becomes corrupted it can happen.. So you have just increased your possible loss of access to your own files without even a hardware failure or theft.

Now also include the corruption/partial hdd failure that causes issues with the decryption.. Now matter how unlikely it is, or how good the software says it can deal with corruption of its headers, etc.. It clearly has increased the things that could cause loss of access to your files.

Now when it comes to performance -- it might be slight, users might not even be able to notice it? But there is clearly going to be a hit having to decrypt a file for you to view it vs not having too.. There clearly is going to be some sort of hit in encryption vs not having too.. No matter how slight this might be -- there clearly is a performance hit involved -- its impossible that there not be.

Now there is performance issues with just behind the scenes to write and read your encrypted files -- but there is also an overhead or performance issue with you just having to provide auth to access the files, or mount the encrypted volume, etc. etc. Clearly having to auth to access the files has to be slower than not having to auth to access the files ;)

If you automate the process so that when you login/auth to the OS you auth to your encryption solution -- this defeats the whole purpose of encryption does it not.. Since now anyone smart enough to either watch you type in your password, hold a gun to your head to get it, or just plain guess it.. Or for that matter even just boot a CD and change it ;) etc.. etc.. would have access to the keys or passwords that auth to your encryption system ;)

Before you think about the use of encryption you need to weigh the risks vs overhead of using it.. If the sensitivity of the data does not warrant the overhead of encryption which clearly there is from many different ways of looking at it - its pointless to use it.

From your statements I don't see how you could have any need of encryption of your data.. And worst create a small volume that you store you most sensitive information in, say passwords to other accounts or specific documents that have sensitive info in it - like other users personal info, etc.

IMPO users use encryption way to much, where its clearly not warranted and more times than not end up loosing access to their own data in the end, or just plain love the added overhead of accessing something without even adding any actual protection to the data in ;) Key file stored on the machine. Auto auths to encryption when user logs in, etc. I think quite often they do it just because they think its cool ;) Don't you love the threads where the user turns on EFS, but does not bother to read anything at all its proper use (backup of keys for starters) then proceeds to reinstall the OS and wonders why they no longer have access to their data - -they stored it on different partitions just so they would not have to worry when they reinstall the os ;) hehehe -- Maybe Im just a dick, but I kind of love those thread ;) heheheeh

its up to you - and truecrypt is a great product, and very stable and quick etc.. -- but I just see from your statements how any encryption is needed at all.

Link to comment
Share on other sites

  • 0

To me your thread came down to these.

"I don't really think I need to encrypt my stuff"

"I'd probably much rather have someone steal my files than me lose access to them at a critical time."

"2. What about performance?"

These statements clearly point to you NOT encrypting them. Don't get me wrong I think truecrypt is a great product, and quite useful for where its required -- your statements shout that you have no valid need of encryption.

Best practice comes down to you would encrypt things that require encryption.. You clearly have stated that your stuff does not. Now sure the data encryption companies are going to tell you to encrypt freaking all data no matter where it is.. This is a bit paranoid and overkill and will cause clearly more loss of data then just hardware failure or normal user stupidity - since now you throwing into the mix a way for the user to completely and utterly lock themselves out of their own data with a simple slip of the finger or forgetting a password -- we all know users love to forget passwords ;)

Encryption if going to be any good is going to add overhead in access of the files, be it just the fact of you having to provide some form of auth to access them.. This is added overhead into you accessing your files. And sure could even prevent access even if nothing is corrupted - be it you forgot your password.. Happens quite often to be honest ;) For whatever reason you do not access the volume in a specific amount of time and forget it.. You just having a brainfart the morning after an all night drinking binge, etc ;) Or you are actually using "best practice" and using a password and key file that is not stored with the encrypted volume -- ie off your laptop.. Say a usb thumb drive, floppy, CD, etc. What if you forget or loose the keyfile - now you don't have access to your files ;)

If your files warrant encryption -- clearly their backups warrant encryption too? What if someone breaks into your house and steals your stack of DVDs or backup disk or computer? This clearly happens does it not? So if you files warrant encryption -- why would not all copies of said files no matter their location not warrant encryption?

If you files do not warrant encryption - why are we talking you doing it then? You clearly state

""I'd probably much rather have someone steal my files than me lose access to them at a critical time.""

Well no matter how unlikely you might think it is that you forget your password, or you lose your keyfile or it becomes corrupted it can happen.. So you have just increased your possible loss of access to your own files without even a hardware failure or theft.

Now also include the corruption/partial hdd failure that causes issues with the decryption.. Now matter how unlikely it is, or how good the software says it can deal with corruption of its headers, etc.. It clearly has increased the things that could cause loss of access to your files.

Now when it comes to performance -- it might be slight, users might not even be able to notice it? But there is clearly going to be a hit having to decrypt a file for you to view it vs not having too.. There clearly is going to be some sort of hit in encryption vs not having too.. No matter how slight this might be -- there clearly is a performance hit involved -- its impossible that there not be.

Now there is performance issues with just behind the scenes to write and read your encrypted files -- but there is also an overhead or performance issue with you just having to provide auth to access the files, or mount the encrypted volume, etc. etc. Clearly having to auth to access the files has to be slower than not having to auth to access the files ;)

If you automate the process so that when you login/auth to the OS you auth to your encryption solution -- this defeats the whole purpose of encryption does it not.. Since now anyone smart enough to either watch you type in your password, hold a gun to your head to get it, or just plain guess it.. Or for that matter even just boot a CD and change it ;) etc.. etc.. would have access to the keys or passwords that auth to your encryption system ;)

Before you think about the use of encryption you need to weigh the risks vs overhead of using it.. If the sensitivity of the data does not warrant the overhead of encryption which clearly there is from many different ways of looking at it - its pointless to use it.

From your statements I don't see how you could have any need of encryption of your data.. And worst create a small volume that you store you most sensitive information in, say passwords to other accounts or specific documents that have sensitive info in it - like other users personal info, etc.

IMPO users use encryption way to much, where its clearly not warranted and more times than not end up loosing access to their own data in the end, or just plain love the added overhead of accessing something without even adding any actual protection to the data in ;) Key file stored on the machine. Auto auths to encryption when user logs in, etc. I think quite often they do it just because they think its cool ;) Don't you love the threads where the user turns on EFS, but does not bother to read anything at all its proper use (backup of keys for starters) then proceeds to reinstall the OS and wonders why they no longer have access to their data - -they stored it on different partitions just so they would not have to worry when they reinstall the os ;) hehehe -- Maybe Im just a dick, but I kind of love those thread ;) heheheeh

its up to you - and truecrypt is a great product, and very stable and quick etc.. -- but I just see from your statements how any encryption is needed at all.

Holy **** man. I can go overboard typing things but that's a step too far. (I haven't even begun reading it yet)

Link to comment
Share on other sites

  • 0

Condensed version:

You didn't encrypt yer filez. Truecrypt great, useful -- Y U NO LIKING IT?

Encrypt stuff needzing encryption, do not encrypt stuff does not needzing encryption, otherwise you dumb and will lose yer filez.

Encrypt make PC slow and steal yer filez if you dumb and forget you password.

Hide yo filez, hide yo backupz, hide yo filez, hide yo backupz... and hide yo PC cuz they hackin eerybody out hiyah.

If you don't, you dumb.

Just do it.

But it might hurt yer filez if yer PC gets hurted.

It slowz yer pc down, but it slowz it down SO good.

Typing yer pass takes lotsa time!

But don't let dem hackers see you type it, they will steal yer filez AND yer keyboardz.

In the left hand, I haz yer filez, in the right hand, I haz ur CPUs.

But I haz 2nd thoughts! Don't do it! Yew don't needz it apparentlies.

But addz all dees tings up, it not wooorth it! Specialums if you put yer keyz on yer drivez, so....

HIDE YO KEYZ, HIDE YO DRIVEZ, HIDE YO KEYZ, HIDE YO DRIVEZ AND HIDE YER FILEZ...

cuz dey hackin eerybody out hiyah!

but srsly, hide yo filez.

Link to comment
Share on other sites

  • 0

Holy **** man. I can go overboard typing things but that's a step too far. (I haven't even begun reading it yet)

So what you are saying is that your mom forgot to pickup your Ritalin prescription and you have not the attention span to read a detailed post?

Link to comment
Share on other sites

  • 0

So what you are saying is that your mom forgot to pickup your Ritalin prescription and you have not the attention span to read a detailed post?

Oh, I read it alright. See above.

Link to comment
Share on other sites

  • 0

...snipped...

Just wanted to let you know that you were replying to a nearly year old post that someone dug up. I've been using Truecrypt for quite a while now (on three volumes - documents, code and personal media - the last is not critical) with backups to a firmware encrypted external drive. I had no performance problems when I was using a traditional HDD - and I certainly have no issues now that I have an SSD installed. I appreciate you taking the time though.

And even though I said this: "I'd probably much rather have someone steal my files than me lose access to them at a critical time." that didn't mean I actually wanted my data exposed to easy theft if I could do something about it. The data I'm trying to secure has significant commercial value, and there are also legal liability issues for a small portion of the data. So yeah security is kind of important. But since I have discrete backups too, losing my laptop for eg. would only mean losing a day or two of additional information.

Link to comment
Share on other sites

  • 0

Seems this was quite old ;) heheh my bad.. But hopefully the next guy that comes along and has the attention span larger than a gnat will benefit from it.. Seems someone like it its been rep'd up..

As to the condensed version -- funny and all, but who would actually read anything written like?

But this is direct and to the point and very funny ;) heheheh

"Encrypt stuff needzing encryption, do not encrypt stuff does not needzing encryption, otherwise you dumb and will lose yer filez."

Link to comment
Share on other sites

  • 0

The data is encrypted in 128-bit (16 byte) blocks. So I'm just guessing, but if a single bit were to change, at most 16 bytes would be corrupted.

That's not a valid assumption. It depends on the cipher mode. If the cipher mode is CFB (cipher feedback block), each encrypted block is used by the algorithm that encrypts the subsequent block. This cipher mode is often used to prevent the guessing game where one can derive the clear text based on repetitive patterns appearing in the cipher text. In simple terms, using CFB to encrypt a file means that losing a single bit will prevent successful decryption of the entire file.

Link to comment
Share on other sites

  • 0

That's not a valid assumption. It depends on the cipher mode. If the cipher mode is CFB (cipher feedback block), each encrypted block is used by the algorithm that encrypts the subsequent block. This cipher mode is often used to prevent the guessing game where one can derive the clear text based on repetitive patterns appearing in the cipher text. In simple terms, using CFB to encrypt a file means that losing a single bit will prevent successful decryption of the entire file.

Truecrypt encrypts data in 512-byte blocks using XTS. So if a single bit were to change, at most 512 bytes of data would be corrupt.

TrueCrypt volume files have file sizes that are evenly divisible by 512

http://en.wikipedia.org/wiki/Truecrypt

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.