TrueCrypt User Guide - mia-net
Contents
1. Keyfiles In the Mount Options dialog window enable the option Protect hidden volume against damage caused by writing to outer volume In the Password to hidden volume input field type the password for the hidden volume Click OK and in the main password entry dialog click OK TrueCrypt Mount Options x J Mount volume as read only J Mount volume as removable medium Cancel 7 Use backup header embedded in volume if available I Mount partition using system encryption without pre boot authentication m Hidden volume Protection JV Protect hidden volume against damage caused by writing to outer volume dato cate es if empty cache is used I Display password Use keyfiles Keyfiles What is hidden volume protection Both passwords must be correct otherwise the outer volume will not be mounted When hidden volume protection is enabled TrueCrypt does not actually mount the hidden volume It only decrypts its header in RAM and retrieves information about the size of the hidden volume from the decrypted header Then the outer volume is mounted and any attempt to save data to the area of the hidden volume will be rejected until the outer volume is dismounted Note that TrueCrypt never modifies the filesystem e g information about allocated clusters amount of free space etc within the outer volume in any way As soon as the volume is dismounted the protection is lost2. TrueCrypt will now attempt to mount the volume If the password is incorrect for example if you typed it incorrectly TrueCrypt will notify you and you will need to repeat the previous step type the password again and click OK If the password is correct the volume will be mounted Continued on the next page 22 FINAL STEP lola File volumes Keyfiles Tools Settings Help Homepage D My Documents My Volume Normal Wipe Gache Create Volume volume Properties Volume D My Documents My volume Select File JV Never save history Volume Tools Select Device Auto Mount Devices Dismount All Exit t We have just successfully mounted the container as a virtual disk M The virtual disk is entirely encrypted including file names allocation tables free space etc and behaves like a real disk You can save or copy move etc files to this virtual disk and they will be encrypted on the fly as they are being written If you open a file stored on a TrueCrypt volume for example in media player the file will be automatically decrypted to RAM memory on the fly while it is being read Important Note that when you open a file stored on a TrueCrypt volume or when you write copy a file to from the TrueCrypt volume you will not be asked to enter the password again You need to enter the correct password only when mounting the volume You can open t
3. 3 In the Preferences window click OK 4 Ifthe volumes use a pre boot authentication password Alternatively if the volumes are partition device hosted and if you do not need to mount them to particular drive letters every time you can skip step 1 and in the Preferences window in the section Actions to perform upon log on to Windows enable the option Mount all devices hosted TrueCrypt volumes instead of Mount favorite volumes Note TrueCrypt will not prompt you for a password if you have enabled caching of the pre boot authentication password Settings gt System Encryption and the volumes use the same password as the system partition drive 105 Can my pre boot authentication password be cached so that can use it mount non system volumes during the session Yes Select Settings gt System Encryption and enable the following option Cache pre boot authentication password in driver memory How do mount a hidden volume A hidden volume can be mounted the same way as a standard TrueCrypt volume Click Select File or Select Device to select the outer host volume important make sure the volume is not mounted Then click Mount and enter the password for the hidden volume Whether the hidden or the outer volume will be mounted is determined by the entered password i e when you enter the password for the outer volume then the outer volume will be mounted when you enter the password for
4. To find out whether a device utilizes a wear leveling mechanism please refer to documentation supplied with the device or contact the vendor manufacturer Reallocated Sectors Some storage devices such as hard drives internally reallocate remap bad sectors Whenever the device detects a sector to which data cannot be written it marks the sector as bad and remaps it to a sector in a hidden reserved area on the drive Any subsequent read write operations from to the bad sector are redirected to the sector in the reserved area This means that any existing data in the bad sector remains on the drive and it cannot be erased overwritten with other data This may have various security implications For instance data that is to be encrypted in place may remain unencrypted in the bad sector Likewise data to be erased for example during the process of creation of a hidden operating system may remain in the bad sector Additional examples of possible security implications are listed in the section Wear Leveling Please note that this list is not exhaustive these are just examples Also note that TrueCrypt cannot prevent any security issues related to or caused by reallocated sectors To find out the number of reallocated sectors on a hard drive you can use e g a third party software tool for reading so called S M A R T data 86 Defragmenting When you defragment the file system in which you store a file hosted TrueCrypt container a copy of
5. 42 System Encryption TrueCrypt can on the fly encrypt a system partition or entire system drive i e a partition or drive where Windows is installed and from which it boots System encryption provides the highest level of security and privacy because all files including any temporary files that Windows and applications create on the system partition typically without your knowledge or consent hibernation files swap files etc are always permanently encrypted even when power supply is suddenly interrupted Windows also records large amounts of potentially sensitive data such as the names and locations of files you open applications you run etc All such log files and registry entries are always permanently encrypted as well System encryption involves pre boot authentication which means that anyone who wants to gain access and use the encrypted system read and write files stored on the system drive etc will need to enter the correct password each time before Windows boots starts Pre boot authentication is handled by the TrueCrypt Boot Loader which resides in the first track of the boot drive and on the TrueCrypt Rescue Disk see below Note that TrueCrypt can encrypt an existing unencrypted system partition drive in place while the operating system is running while the system is being encrypted you can use your computer as usual without any restrictions Likewise a TrueCrypt encrypted system partition drive can be decr
6. Let R be the randomness pool 2 Let H be the hash function selected by the user SHA 512 RIPEMD 160 or Whirlpool 3 l byte size of the output of the hash function H i e if H is RIPEMD 160 then 20 if H is SHA 512 I 64 4 z byte size of the randomness pool R 640 bytes 5 g z I 1 e g if His Whirlpool then q 4 6 Ris divided into byte blocks Bo B For0 i q ie for each block B the following steps are performed a M H Boll Bill Il B i e the randomness pool is hashed using the hash function H which produces a hash M b B B M 7 R Bo l By ll Il B For example if q 1 the randomness pool would be mixed as follows 1 Boll Bi R 2 Bo Bo H Bo I Bi 3 B B H Bo Il B 4 R Boll Bi 122 The design and implementation of the random number generator are based on the following works Software Generation of Practically Strong Random Numbers by Peter Gutmann 10 Cryptographic Random Numbers by Carl Ellison 11 123 Keyfiles TrueCrypt keyfile is a file whose content is combined with a password The user can use any kind of file as a TrueCrypt keyfile The user can also generate a keyfile using the built in keyfile generator which utilizes the TrueCrypt RNG to generate a file with random content for more information see the section Random Number Generator The maximum size of a keyfile is not limited however only its first 1 048 576 bytes 1 MB are processed
7. which may also contain processed keyfile contents cached in driver memory will be cleared when TrueCrypt exits Cache passwords in driver memory When checked passwords and or processed keyfile contents for up to last four successfully mounted TrueCrypt volumes are cached This allows mounting volumes without having to type their passwords and selecting keyfiles repeatedly TrueCrypt never saves any password to a disk however see the chapter Security Requirements and Precautions Password caching can be enabled disabled in the Preferences Settings gt Preferences and in the password prompt window If the system partition drive is encrypted caching of the pre boot authentication password can be enabled or disabled in the system encryption settings Settings gt System Encryption 57 Open Explorer window for successfully mounted volume If this option is checked then after a TrueCrypt volume has been successfully mounted an Explorer window showing the root directory of the volume e g T 1 will be automatically opened Close all Explorer windows of volume being dismounted Sometimes dismounting a TrueCrypt volume is not possible because some files or folders located on the volume are in use or locked This also applies to Explorer windows displaying directories located on TrueCrypt volumes When this option is checked all such windows will be automatically closed before dismounting so that the user does not have to c
8. 128 bit block is first encrypted with Serpent 256 bit key in XTS mode then with Twofish 256 bit key in XTS mode and finally with AES 256 bit key in XTS mode Each of the cascaded ciphers uses its own key All encryption keys are mutually independent note that header keys are independent too even though they are derived from a single password see the section Header Key Derivation Salt and Iteration Count See above for information on the individual cascaded ciphers Serpent AES Two ciphers in a cascade 15 16 operating in XTS mode see the section Modes of Operation Each 128 bit block is first encrypted with AES 256 bit key in XTS mode and then with Serpent 256 bit key in XTS mode Each of the cascaded ciphers uses its own key All encryption keys are mutually independent note that header keys are independent too even though they are derived from a single password see the section Header Key Derivation Salt and Iteration Count See above for information on the individual cascaded ciphers Serpent Twofish AES Three ciphers in a cascade 15 16 operating in XTS mode see the section Modes of Operation Each 128 bit block is first encrypted with AES 256 bit key in XTS mode then with Twofish 256 bit key in XTS mode and finally with Serpent 256 bit key in XTS mode Each of the cascaded ciphers uses its own key All encryption keys are mutually independent note that header keys are independent too even though t
9. 73 HASH ALGORITHMS 5 cchscivdsteuscepastuasss se cpacapsonnatosesonacessovsbeaus cnassyvossenoasesnsnboseesaanssesnicscuensoonseaheness 74 RIPEMD 160 siii iii 74 SA a 74 A ctse odes a lease Peedi dee tien Sanda eae alana etre er el age mien 74 SUPPORTED OPERATING SYSTEMS ccccccccssccssccsscssecsecssccssnsssecssessccssecssncssccsecssesseesceess 75 COMMAND LINE USAGE visir Ada 76 A asa OTET 78 Examples ia 78 SHARING OVER NETWORK picacicssectssvsdecsceessesdessodsssdacssosescadesetesssecdeeisdescoesesstecseadovedecnsenssstsdoedes 79 SECURITY REQUIREMENTS AND PRECAUTIONS eooccccccnoconcnncconnssonocacccancncncacononccccnaccnonoss 80 Data si i ee een or el eel eer pear 80 A O E AR 81 A O O 81 Memory Dump Piles ion ido ancladas 82 Unenery pied Data in RAM e a tas tl 83 O 83 Malware ii dr 84 Multi User Edo Most ii fis 84 AUMENTO 85 Changing Passwords and ela ie 85 Weller 86 Reallocated SECOS ii aaa 86 E Ge aasesata 87 SOUL Fil Systems ir AA E ea acta a ede ea A A ee 87 Wel C1 GRE Si O 87 Additional Security Requirements and Precautions eccceescecesececeeececeeceecseneecseeeeenteeeesaes 88 HOW TO BACK UP SECURELY e sessssososessssossesscoosossssoseosssossesesossosessoseosssssseseeossosossoseosessssssse 89 DOY SEED Volumes A A A A lve Sas ed Behe A a sd a 89 O 89 A cette tes lorie atin a ator CS cae edd Dank ea techni Seti EAE 91 TROUBLE SHOOTIN Gaara 92 INCOMPATIBILITIES scsisetdessedsssdccissesescacadecee
10. Encryption Scheme and TrueCrypt Volume Format Specification In volumes created by TrueCrypt 5 0 or later and for system encryption the area is encrypted in XTS mode see the section Modes of Operation The method that TrueCrypt uses to generate the header key and the secondary header key XTS mode is PBKDF2 specified in PKCS 5 v2 0 see 7 the document specifying PBKDF2 is also available courtesy of RSA Laboratories at http www truecrypt org docs pkesSv2 0 pdf 512 bit salt is used which means there are 2 keys for each password This decreases vulnerability to off line dictionary attacks pre computing all the keys for a dictionary of passwords is very difficult when a salt is used 7 The salt consists of random values generated by the TrueCrypt random number generator during the volume creation process The header key derivation function is based on HMAC SHA 512 HMAC RIPEMD 160 or HMAC Whirlpool see 8 9 20 22 the user selects which The length of the derived key does not depend on the size of the output of the underlying hash function For example a header key for the AES 256 cipher is always 256 bits long even if HMAC RIPEMD 160 is used in XTS mode an additional 256 bit secondary header key is used hence two 256 bit keys are used for AES 256 in total For more information refer to 7 1000 iterations or 2000 iterations when HMAC RIPEMD 160 is used as the underlying hash function of the key derivation fun
11. Operation The mode of operation used by TrueCrypt for encrypted partitions drives and virtual volumes is XTS XTS mode is in fact XEX mode 12 which was designed by Phillip Rogaway in 2003 with a minor modification XEX mode uses a single key for two different purposes whereas XTS mode uses two independent keys XTS mode was approved as the IEEE 1619 standard for cryptographic protection of data on block oriented storage devices in December 2007 Description of XTS mode Ci Exi PM Ern a Ex n a Where denotes multiplication of two polynomials over the binary field GF 2 modulo a al K1 is the encryption key 256 bit for each supported cipher i e AES Serpent and Twofish K2 is the secondary key 256 bit for each supported cipher i e AES Serpent and Twofish i is the cipher block index within a data unit for the first cipher block within a data unit i 0 n is the data unit index within the scope of K1 for the first data unit n 0 o 1s a primitive element of Galois Field 21 that corresponds to polynomial x 1 e 2 The size of each data unit is always 512 bytes regardless of the sector size For further information pertaining to XTS mode see e g 12 120 Header Key Derivation Salt and Iteration Count Header key is used to encrypt and decrypt the encrypted area of the TrueCrypt volume header for system encryption of the key data area which contains the master key and other data see the sections
12. This is accomplished by creating a special script file called autorun inf on the traveler disk This file is automatically executed by the operating system each time the traveler disk is inserted Note however that this feature only works for removable storage devices such as CD DVD Windows XP SP2 Windows Vista or a later version of Windows is required for this feature to work on USB memory sticks and only when it is enabled in the operating system Depending on the operating system configuration these auto run and auto mount features may work only when the traveler disk files are created on a non writable CD DVD like medium which is not a bug in TrueCrypt but a limitation of Windows Also note that the autorun inf file must be in the root directory i e for example Gil X l or Y etc of an unencrypted disk in order for this feature to work 67 Using TrueCrypt Without Administrator Privileges In Windows a user who does not have administrator privileges can use TrueCrypt but only after a system administrator installs TrueCrypt on the system The reason for that is that TrueCrypt needs a device driver to provide transparent on the fly encryption decryption and users without administrator privileges cannot install start device drivers in Windows After a system administrator installs TrueCrypt on the system users without administrator privileges will be able to run TrueCrypt mount dismount any type of TrueCrypt volum
13. When the volume is mounted again it is not possible to determine whether the volume has used hidden volume protection or not The hidden 29 volume protection can be activated only by users who supply the correct password and or keyfiles for the hidden volume each time they mount the outer volume As soon as a write operation to the hidden volume area is denied prevented to protect the hidden volume the entire host volume both the outer and the hidden volume becomes write protected until dismounted the TrueCrypt driver reports the invalid parameter error to the system upon each attempt to write data to the volume This preserves plausible deniability otherwise certain kinds of inconsistency within the file system could indicate that this volume has used hidden volume protection When damage to hidden volume is prevented a warning is displayed provided that the TrueCrypt Background Task is enabled see the chapter TrueCrypt Background Task Furthermore the type of the mounted outer volume displayed in the main window changes to Outer E TrueCrypt 215 xj File Volumes Keyfiles Tools Settings Help Homepage Drive Yolume Size Encryption Algorithm Device Harddisk1 Partition3 2 1GB AES Outer Create Volume Volume Device Harddisk1 Partition3 v Select File JV Never save history Volume Tools Select Device Auto Mount Devices Dismount All Exit volume Prop
14. ac nz pgut001 pubs usenix98 pdf Carl Ellison Cryptographic Random Numbers originally an appendix to the P1363 standard available at http world std com cme P1363 ranno html 132 12 13 14 15 16 17 18 19 20 21 22 23 P Rogaway Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC Asiacrypt 2004 LNCS vol 3329 Springer 2004 Also available at http www cs ucdavis edu rogaway papers offsets pdf J Kelsey Twofish Technical Report 7 Key Separation in Twofish AES Round 2 public comment April 7 2000 NIST Secure Hash Standard FIPS 180 2 August 1 2002 available at http csrc nist gov publications fips fips 180 2 fips180 2 pdf U Maurer J Massey Cascade Ciphers The Importance of Being First Journal of Cryptology v 6 n 1 1993 Bruce Schneier Applied Cryptography Second Edition John Wiley amp Sons 1996 Peter Gutmann Secure Deletion of Data from Magnetic and Solid State Memory first published in the Sixth USENIX Security Symposium Proceedings San Jose California July 22 25 1996 available at http www cs auckland ac nz pgut001 pubs secure_del html Serpent home page http www cl cam ac uk rjal4 serpent html M E Smid AES Issues AES Round 2 Comments May 22 2000 available at http csrc nist gov archive aes round2 comments 20000523 msmid 2 pdf A Menezes P van Oorschot S Vansto
15. algorithm and the decoy system with a non cascade encryption algorithm you can answer that you wanted the best performance and adequate security for the system partition and the highest possible security but worse performance for the non system partition i e the outer volume where you store the most sensitive data which you do not need to access very often unlike the operating system which you use very often and therefore you need it to have the best possible performance On the system partition you store data that is less sensitive but which you need to access very often than data you store on the non system partition i e on the outer volume Provided that you encrypt the outer volume with a cascade encryption algorithm e g AES Twofish Serpent and the decoy system with a non cascade encryption algorithm e g AES you can also answer that you wanted to prevent the problems about which TrueCrypt warns when the user attempts to choose a cascade encryption algorithm for system encryption see below for a list of the problems Therefore to prevent those problems you decided to encrypt the system partition with a non cascade encryption algorithm However you still wanted to use a cascade encryption algorithm because it is more secure than a non cascade encryption algorithm for the most sensitive data so you decided to create a second partition which those problems do not affect because it is non system and to encrypt it wit
16. all remaining bytes are ignored due to performance issues connected with processing extremely large files The user can supply one or more keyfiles the number of keyfiles is not limited Keyfiles can be stored on PKCS 11 compliant 23 security tokens and smart cards protected by multiple PIN codes which can be entered either using a hardware PIN pad or via the TrueCrypt GUD Keyfiles are processed and applied to a password using the following method l Ze 3 See E 8 Let P be a TrueCrypt volume password supplied by user may be empty Let KP be the keyfile pool Let kpl be the size of the keyfile pool KP in bytes 64 i e 512 bits kpl must be a multiple of the output size of a hash function H Let pl be the length of the password P in bytes in the current version O pl 64 if kpl gt pl append kpl pl zero bytes to the password P thus pl kpl Fill the keyfile pool KP with kpl zero bytes For each keyfile perform the following steps a Set the position of the keyfile pool cursor to the beginning of the pool b Initialize the hash function A c Load all bytes of the keyfile one by one and for each loaded byte perform the following steps i Hash the loaded byte using the hash function A without initializing the hash to obtain an intermediate hash state M Do not finalize the hash the state is retained for next round ii Divide the state M into individual bytes For example if the hash output size is 4 by
17. by all logged on users for more information please see the section Settings gt Preferences subsection Cache passwords in driver memory DEP stands for Data Execution Prevention For more information about DEP please visit http support microsoft com kb 875352 http go microsoft com FWLink Linkld 84124 and http windowshelp microsoft com Windows en US help 80062dee 6203 42f8 b898 cfb79bde98891033 mspx 84 Also note that switching users in Windows XP or later Fast User Switching functionality does not dismount a successfully mounted TrueCrypt volume unlike system restart which dismounts all mounted TrueCrypt volumes On Windows 2000 the container file permissions are ignored when a file hosted TrueCrypt volume is to be mounted On all supported versions of Windows users without administrator privileges can mount any partition device hosted TrueCrypt volume provided that they supply the correct password and or keyfiles A user without administrator privileges can dismount only volumes that he or she mounted However this does not apply to system favorite volumes unless you enable the option disabled by default Settings gt System Favorite Volumes gt Allow only administrators to view and dismount system favorite volumes in TrueCrypt Authenticity and Integrity TrueCrypt uses encryption to preserve the confidentiality of data it encrypts TrueCrypt neither preserves nor verifies the integrity or authenticity
18. bytes 65536 131071 which contain solely random data when there is no hidden volume within the volume to RAM and attempts to decrypt it using the entered password Note that hidden volume headers cannot be identified as they appear to consist entirely of random data If the header is successfully decrypted for information on how TrueCrypt determines that it was successfully decrypted see the section Encryption Scheme the information about the size of the hidden volume is retrieved from the decrypted header which is still stored in RAM and the hidden volume is mounted its size also determines its offset A hidden volume can be created within any type of TrueCrypt volume i e within a file hosted volume or partition device hosted volume requires administrator privileges To create a hidden TrueCrypt volume click on Create Volume in the main program window and select Create a hidden TrueCrypt volume The Wizard will provide help and all information necessary to successfully create a hidden TrueCrypt volume When creating a hidden volume it may be very difficult or even impossible for an inexperienced user to set the size of the hidden volume such that the hidden volume does not overwrite data on the outer volume Therefore the Volume Creation Wizard automatically scans the cluster bitmap of the outer volume before the hidden volume is created within it and determines the maximum possible size of the hidden volume If there are any prob
19. disk value WARNING Performance of dynamic sparse file hosted TrueCrypt volumes is significantly worse than performance of regular volumes Dynamic sparse file hosted TrueCrypt volumes are also less secure because it is possible to tell which volume sectors are unused Furthermore if data is written to a dynamic volume when there is not enough free space in its host file system the encrypted file system may get corrupted Cluster Size Cluster is an allocation unit For example one cluster is allocated on a FAT file system for a one byte file When the file grows beyond the cluster boundary another cluster is allocated Theoretically this means that the bigger the cluster size the more disk space is wasted however the better the performance If you do not know which value to use use the default TrueCrypt Volumes on CDs and DVDs If you want a TrueCrypt volume to be stored on a CD or a DVD first create a file hosted TrueCrypt container on a hard drive and then burn it onto a CD DVD using any CD DVD burning software or under Windows XP or later using the CD burning tool provided with the operating system Remember that if you need to mount a TrueCrypt volume that is stored on a read only medium such as a CD DVD under Windows 2000 you must format the TrueCrypt volume as FAT The 48 reason is that Windows 2000 cannot mount NTFS file system on read only media Windows XP and later versions of Windows can Hardware Softwar
20. encrypted or read only filesystems are mounted during a session in which you work with sensitive data or o If you cannot do the above download or create a live CD version of your operating system i e a live system entirely stored on and booted from a CD DVD that ensures that any data written to the system volume is written to a RAM disk When you need to work with sensitive data boot such a live CD DVD and make sure that only encrypted and or read only filesystems are mounted during the session If you need plausible deniability o Create a hidden operating system TrueCrypt will provide automatic data leak protection For more information see the section Hidden Operating System or o If you cannot do the above download or create a live CD version of your operating system i e a live system entirely stored on and booted from a CD DVD that ensures that any data written to the system volume is written to a RAM disk When you need to work with sensitive data boot such a live CD DVD If you use hidden volumes follow the security requirements and precautions listed in the subsection Security Requirements and Precautions Pertaining to Hidden Volumes If you do not use hidden volumes make sure that only non system partition hosted TrueCrypt volumes and or read only filesystems are mounted during the session 80 Paging File Note The issue described below does not affect you if the system partition or system drive is en
21. field Header Key DE43AE5126C1DB1AC6645770143F2DF1 Random Pool DAAFDDDAOBC96D074424B935C0475071 Master Key A398B97AEE7F631020E15D67BA5A072A Note that only the first 128 bits of the pool keys are displayed not the entire contents You can create FAT whether it will be FAT12 FAT16 or FAT32 is automatically determined from the number of clusters or NTFS volumes however NTFS volumes can only be created by users with administrator privileges Mounted TrueCrypt volumes can be reformatted as FAT12 FAT16 FAT32 or NTFS anytime They behave as standard disk devices so you can right click the drive letter of the mounted TrueCrypt volume for example in the Computer or My Computer list and select Format For more information about creating TrueCrypt volumes see also the section Hidden Volume 49 Main Program Window Select File Allows you to select a file hosted TrueCrypt volume After you select it you can perform various operations on it e g mount it by clicking Mount It is also possible to select a volume by dragging its icon to the TrueCrypt exe icon TrueCrypt will be automatically launched then or to the main program window Select Device Allows you to select a TrueCrypt partition or a storage device such as floppy disk or USB memory stick After it is selected you can perform various operations with it e g mount it by clicking Mount Note There is a more comfortable way
22. from within another operating system Note 1 If you need to mount multiple partitions at once click Auto Mount Devices then click Mount Options and enable the option Mount partition using system encryption without pre boot authentication Please note you cannot use this function to mount extended logical partitions that are located on an entirely encrypted system drive Tools gt Clear Volume History Clears the list containing the file names if file hosted and paths of the last twenty successfully mounted volumes 55 Tools gt Traveler Disk Setup See the chapter Portable Mode Tools gt Keyfile Generator See the section Keyfiles gt Generate Random Keyfile Tools gt Backup Volume Header Tools gt Restore Volume Header If the header of a TrueCrypt volume is damaged the volume is in most cases impossible to mount Therefore each volume created by TrueCrypt 6 0 or later contains an embedded backup header located at the end of the volume For extra safety you can also create external volume header backup files To do so click Select Device or Select File select the volume select Tools gt Backup Volume Header and then follow the instructions Note A backup header embedded or external is not a copy of the original volume header because it is encrypted with a different header key derived using a different salt see the section Header Key Derivation Salt and Iteration Count When the
23. g c n Note that turning the password cache off will not clear it use w to clear the password cache y or no parameter enables saving history of mounted volumes n disables saving history of mounted volumes e g h n Wipes any passwords cached in the driver memory 76 password or p quit or q silent or s mountoption or m The volume password If the password contains spaces it must be enclosed in quotation marks e g p My Password Use p to specify an empty password Warning This method of entering a volume password may be insecure for example when an unencrypted command prompt history log is being saved to unencrypted disk Automatically perform requested actions and exit main TrueCrypt window will not be displayed If preferences is specified as the parameter e g q preferences then program settings are loaded saved and they override settings specified on the command line q background launches the TrueCrypt Background Task tray icon unless it is disabled in the Preferences If q is specified suppresses interaction with the user prompts error messages warnings etc If q is not specified this option has no effect ro Or readonly Mount volume as read only rm Or removable Mount volume as removable medium ts Or timestamp Do not preserve container timestamps sm Or system Without pre boot authentication mount a partition that is within the key scope of system e
24. hidden volumes are mounted only when a hidden operating system is running For more information see the subsection Security Requirements and Precautions Pertaining to Hidden Volumes 2 In some cases it is possible to determine that at a certain time a particular filesystem was not mounted under or that a particular file on the filesystem was not saved or accessed from within a particular instance of an operating system e g by analyzing and comparing filesystem journals file timestamps application logs error logs etc This might indicate that a hidden operating system is installed on the computer The countermeasures prevent these issues 3 It prevents data corruption and allows safe hibernation When Windows resumes from hibernation it assumes that all mounted filesystems are in the same state as when the system entered hibernation TrueCrypt ensures this by write protecting any filesystem accessible both from within the decoy and hidden systems Without such protection the filesystem could become corrupted when mounted by one system while the other system is hibernated If you need to securely transfer files from the decoy system to the hidden system follow these steps Start the decoy system Save the files to an unencrypted volume or to an outer normal TrueCrypt volume Start the hidden system If you saved the files to a TrueCrypt volume mount it it will be automatically mounted as read only Copy the files to the hid
25. is encrypted or do have to decrypt it first Generally you can upgrade to the latest version without decrypting the system partition drive just run the TrueCrypt installer and it will automatically upgrade TrueCrypt on the system However before upgrading please read the release notes for all versions of TrueCrypt that have been released since your version was released If there are any known issues or incompatibilities related to upgrading from your version to a newer one they will be listed in the release notes Note You cannot downgrade TrueCrypt if the system partition drive is encrypted 104 l use pre boot authentication Can I prevent a person adversary that is watching me start my computer from knowing that I use TrueCrypt Yes as of TrueCrypt 6 1 To do so boot the encrypted system start TrueCrypt select Settings gt System Encryption enable the option Do not show any texts in the pre boot authentication screen and click OK Then when you start the computer no texts will be displayed by the TrueCrypt boot loader not even when you enter the wrong password The computer will appear to be frozen while you can type your password It is however important to note that if the adversary can analyze the content of the hard drive he can still find out that it contains the TrueCrypt boot loader l use pre boot authentication Can I configure the TrueCrypt Boot Loader to display only a fake error message Yes as of T
26. may be both file hosted and partition device hosted Disadvantage Data sent over the network will not be encrypted However it is still possible to encrypt them using e g SSL TLS VPN or other technologies Remarks Note that when you restart the system the network share will be automatically restored only if the volume is a system favorite volume or an encrypted system partition drive to configure a volume as a system favorite volume mount it and select Volumes gt Save Currently Mounted Volumes as System Favorites A dismounted TrueCrypt file container is stored on a single computer for example on a server This encrypted file is shared over a network Users on other computers or systems will locally mount the shared file Thus the volume will be mounted simultaneously under multiple operating systems Advantage Data sent over the network will be encrypted however it is still recommended to encrypt them using e g SSL TLS VPN or other appropriate technologies to make traffic analysis more difficult and to preserve the integrity of the data Disadvantages The shared volume may be only file hosted not partition device hosted The volume must be mounted in read only mode under each of the systems see the section Mount Options for information on how to mount a volume in read only mode Note that this requirement applies to unencrypted volumes too One of the reasons is for example the fact that data read from a co
27. of data it encrypts or decrypts Hence if you allow an adversary to modify data encrypted by TrueCrypt he can set the value of any 16 byte block of the data to a random value However note that the adversary cannot choose the value that you will obtain when TrueCrypt decrypts the modified block the value will be random It is your responsibility to verify the integrity and authenticity of data encrypted or decrypted by TrueCrypt for example using third party software Changing Passwords and Keyfiles Note that the volume header which is encrypted with a header key derived from a password keyfile contains the master key not to be confused with the password with which the volume is encrypted If an adversary is allowed to make a copy of your volume before you change the volume password and or keyfile s he may be able to use his copy or fragment the old header of the TrueCrypt volume to mount your volume using a compromised password and or compromised keyfiles that were necessary to mount the volume before you changed the volume password and or keyfile s If you are not sure whether an adversary knows your password or has your keyfiles and whether he has a copy of your volume when you need to change its password and or keyfiles it is strongly recommended that you create a new TrueCrypt volume and move files from the old volume to the new volume the new volume will have a different master key Also note that if an adversary knows
28. processed using a cryptographically secure hash algorithm The keyfile pool content in addition to being hashed using CRC 32 is applied to the password which is then passed to the header key derivation function PBKDF2 PKCS 5 v2 which processes it along with salt and other data using a cryptographically secure hash algorithm selected by the user e g SHA 512 The resultant values are used to form the header key and the secondary header key XTS mode 125 TrueCrypt Volume Format Specification Encryption Status Description nN KR Unencrypted Salt Encrypted ASCII string TRUE Encrypted Volume header format version Encrypted Minimum program version required to open the volume Encrypted CRC 32 checksum of the decrypted bytes 256 511 Encrypted Reserved set to zero Encrypted Size of hidden volume for normal volumes set to zero Encrypted Size of volume Encrypted Byte offset of the start of the master key scope Encrypted Size of the encrypted area within the master key scope Encrypted Flag bits bit O set system encryption bit 1 set non system in place encrypted volume bits 2 31 are reserved Encrypted Reserved set to zero Encrypted CRC 32 checksum of the decrypted bytes 64 251 Encrypted Concatenated primary and secondary master keys Encrypted Reserved for system encryption this item is omitted BR ODDMDORDARNYUNA Encrypted Area for hidden volume header if there is no hidden volume Unen
29. reset a volume password or pre boot authentication password when a user forgets it or loses a keyfile Yes Note that there is no back door implemented in TrueCrypt However there is a way to reset volume passwords keyfiles and pre boot authentication passwords After you create a volume back up its header to a file select Tools gt Backup Volume Header before you allow a non admin user to use the volume Note that the volume header which is encrypted with a header key derived from a password keyfile contains the master key with which the volume is encrypted Then ask the user to choose a password and set it for him her Volumes gt Change Volume Password or generate a user keyfile for him her Then you can allow the user to use the volume and to change the password keyfiles without your assistance permission In case he she forgets his her password or loses his her keyfile you can reset the volume password keyfiles to your original admin password keyfiles by restoring the volume header from the backup file Tools gt Restore Volume Header Similarly you can reset a pre boot authentication password To create a backup of the master key data that will be stored on a TrueCrypt Rescue Disk and encrypted with your administrator password select System gt Create Rescue Disk To set a user pre boot authentication password select System gt Change Password To restore your administrator password boot the TrueCr
30. same method is used for encryption So if your computer has for example a quad core processor then encryption and decryption are four times faster than on a single core processor with equivalent specifications likewise they are twice faster on dual core processors etc Increase in encryption decryption speed is directly proportional to the number of cores and or processors When your computer has a multi core processor CPU or multiple processors CPUs header key derivation is parallelized too As a result mounting of a volume is several times faster on a multi core processor or multi processor computer than on a single core processor or a single processor computer with equivalent specifications Note Parallelization was introduced in TrueCrypt 6 0 Pipelining When encrypting or decrypting data TrueCrypt uses so called pipelining asynchronous processing While an application is loading a portion of a file from a TrueCrypt encrypted volume drive TrueCrypt is automatically decrypting it in RAM Thanks to pipelining the application does not have wait for any portion of the file to be decrypted and it can start loading other portions of the file right away The same applies to encryption when writing data to an encrypted volume drive Pipelining allows data to be read from and written to an encrypted drive as fast as if the drive was not encrypted the same applies to file hosted and partition hosted TrueCrypt volumes
31. see below This ensures that no data stored on the outer volume will be overwritten by data written to the area of the hidden volume e g when the system is being copied to it The size of the hidden volume is always the same as the size of the system partition Then TrueCrypt will create the hidden operating system by copying the content of the system partition to the hidden volume Data being copied will be encrypted on the fly with an encryption key different from the one that will be used for the decoy operating system The process of copying the system is performed in the pre boot environment before Windows starts and it may take a long time to complete several hours or even several days depending on the size of the system partition and on the performance of the computer You will be able to interrupt the process shut down your computer start the operating system and then resume the process However if you interrupt it the entire process of copying the system will have to start from the beginning because the content of the system partition must not change during cloning The hidden operating system will initially be a clone of the operating system under which you started the wizard Windows creates typically without your knowledge or consent various log files temporary files etc on the system partition It also saves the content of RAM to hibernation and paging files located on the system partition Therefore if an adversary an
32. such as Adobe Photoshop writes data to the first drive track If this happens when your system partition drive is encrypted by TrueCrypt a portion of the TrueCrypt Boot Loader will be damaged and you will not be able to start Windows In that case please use your TrueCrypt Rescue Disk to regain access to your system There are two ways to do SO 1 You may keep the third party software activated but you will need to boot your system from the TrueCrypt Rescue Disk CD DVD every time Just insert your Rescue Disk into your CD DVD drive and then enter your password in the Rescue Disk screen 2 If you do not want to boot your system from the TrueCrypt Rescue Disk CD DVD every time you can restore the TrueCrypt Boot Loader on the system drive To do so in the Rescue Disk screen select Repair Options gt Restore TrueCrypt Boot Loader However note that this will deactivate the third party software For information on how to use your TrueCrypt Rescue Disk please see the chapter TrueCrypt Rescue Disk Possible permanent solution Upgrade to TrueCrypt 5 1 or later decrypt the system partition drive and then re encrypt it using a non cascade encryption algorithm i e AES Serpent or Twofish Please note that this not a bug in TrueCrypt the issue is caused by inappropriate design of the third party activation software The reason is that the TrueCrypt Boot Loader is smaller than the one used for cascades of ciphers and therefore th
33. the TrueCrypt container or of its fragment may remain in the free space on the host volume in the defragmented file system This may have various security implications For example if you change the volume password keyfile s afterwards and an adversary finds the old copy or fragment the old header of the TrueCrypt volume he might use it to mount the volume using an old compromised password and or using compromised keyfiles that were necessary to mount the volume before the volume header was re encrypted To prevent this do one of the following Use a partition device hosted TrueCrypt volume instead of file hosted Securely erase free space on the host volume in the defragmented file system after defragmenting Do not defragment file systems in which you store TrueCrypt volumes Journaling File Systems When a file hosted TrueCrypt container is stored in a journaling file system such as NTFS a copy of the TrueCrypt container or of its fragment may remain in the free space on the host volume This may have various security implications For example if you change the volume password keyfile s and an adversary finds the old copy or fragment the old header of the TrueCrypt volume he might use it to mount the volume using an old compromised password and or using compromised keyfiles using an old compromised password and or using compromised keyfiles that were necessary to mount the volume before the volume header was re encryp
34. the driver stack of the class Storage Volume GUID of the class is 71A27CDD 812A 11D0 BEC7 08002BE2092F can write unencrypted data to TrueCrypt partition hosted volumes even if they are mounted For security reasons when a hidden operating system is running TrueCrypt ensures that all local unencrypted filesystems and non hidden TrueCrypt volumes are read only However this does not apply to filesystems on CD DVD like media and on custom atypical or non standard devices media for example any devices media whose class is other than the Windows device 100 class Storage Volume or that do not meet the requirements of this class GUID of the class is 71A27CDD 81 2A 1 1D0 BEC7 08002BE2092F TrueCrypt encrypted floppy disks When a floppy disk is ejected and another one is inserted data read written from to the disk will be corrupted Note that this affects only raw floppy disk volumes not file hosted TrueCrypt containers stored on floppy disks 101 Frequently Asked Questions The latest version of the TrueCrypt FAQ is available at http www truecrypt org faq Is there a Quick Start Guide or some tutorial for beginners Yes The first chapter Beginner s Tutorial contains screenshots and step by step instructions on how to create mount and use a TrueCrypt volume Can TrueCrypt encrypt a partition drive where Windows is installed Yes see the chapter System Encryption Can directly play a video avi
35. volume password and or keyfiles are changed or when the header is restored from the embedded or an external header backup both the volume header and the backup header embedded in the volume are re encrypted with header keys derived using newly generated salts the salt for the volume header is different from the salt for the backup header Each salt is generated by the TrueCrypt random number generator see the section Random Number Generator Both types of header backups embedded and external can be used to repair a damaged volume header To do so click Select Device or Select File select the volume select Tools gt Restore Volume Header and then follow the instructions WARNING Restoring a volume header also restores the volume password that was valid when the backup was created Moreover if keyfile s are is necessary to mount a volume when the backup is created the same keyfile s will be necessary to mount the volume again after the volume header is restored For more information see the section Encryption Scheme in the chapter Technical Details After you create a volume header backup you might need to create a new one only when you change the volume password and or keyfiles Otherwise the volume header remains unmodified so the volume header backup remains up to date Note Apart from salt which is a sequence of random numbers external header backup files do not contain any unencrypted information and they cannot be de
36. when attempting to auto mount partitions devices If you do not need to set mount options you can bypass the password prompt by holding down the Shift key when clicking Auto Mount Devices only cached passwords will be used if there are any Drive letters will be assigned starting from the one that is selected in the drive list in the main window 50 Dismount To dismount a TrueCrypt volume means to close it and make it impossible to read write from to the volume Dismount All To dismount a TrueCrypt volume means to close it and make it impossible to read write from to the volume This function dismount all currently mounted TrueCrypt volumes Wipe Cache Clears all passwords which may also contain processed keyfile contents cached in driver memory When there are no passwords in the cache this button is disabled For information on password cache see the section Cache Password in Driver Memory Never Save History If this option disabled the file names and or paths of the last twenty files devices that were attempted to be mounted as TrueCrypt volumes will be saved in the History file whose content can be displayed by clicking on the Volume combo box in the main window When this option is enabled TrueCrypt clears the registry entries created by the Windows file selector for TrueCrypt and sets the current directory to the user s home directory in portable mode to the directory from which TrueCrypt was launched whe
37. 2000 e g assign a mount point to a TrueCrypt volume i e attach a TrueCrypt volume to a folder The Windows Volume Shadow Copy Service is currently supported only for partitions within the key scope of system encryption for example a system partition encrypted by TrueCrypt or a non system partition located on a system drive encrypted by TrueCrypt Note For other types of volumes the Volume Shadow Copy Service is not supported because the documentation for the necessary API is available from Microsoft only under a non disclosure agreement which is impossible to comply with because TrueCrypt is open source Windows boot settings cannot be changed from within a hidden operating system if the system does not boot from the partition on which it is installed This is due to the fact that for security reasons the boot partition is mounted as read only when the hidden system is running To be able to change the boot settings please start the decoy operating system Encrypted partitions cannot be resized except partitions on an entirely encrypted system drive that are resized while the encrypted operating system is running When the system partition drive is encrypted the system cannot be upgraded for example from Windows XP to Windows Vista or repaired from within the pre boot environment using a Windows setup CD DVD In such cases the system partition drive must be decrypted first Note A running operating system can be updated secur
38. 51 Wipe Cachi Giueavadea lo poaeuasencadea A R R a 51 Neyer Save History tinas 51 EXA a A NE 51 Volume Tod Sucina E iniciada ni 52 PROGRAMIMENU 5 dreccdica ceda Ds db dela e tel dla et ad dle loca a emo 53 Volumes gt Auto Mount All Device Hosted Volumes ooooococcnonoccnononoonnnonononnnnncnononnncnnnnnnnos 53 Volumes gt Save Currently Mounted Volumes as Favorites oooocnnoconoccnoncnoncncnoncnoncnnnncnnnano 53 Volumes gt Mount Favorite Volumes siicissesscciiss ibcvessusdacaede sdcesa su cedasaaesdacessvacenes lecdeanasusnaes 53 Volumes gt Save Currently Mounted Volumes as System Favorites 53 Volumes gt Change Volume Password rodri inet 54 Volumes gt Set Header Key Derivation Algorithm s seesesseeseseeesiseresresseseresresseseresrersessees 55 System gt Change PassWord aeea DE 55 System gt Mount Without Pre Boot Authentication ooooncccnnnocononccononcncnoncnonnncccnnnncononaninnncnos 55 Tools gt Cl ar Volume HIStory a a 55 Tools gt Traveler Disk SEtUP AO ETTET 56 Tools gt Keyfile Gordita e aaa 56 Tools gt Backup Volume Header sien edersin A ii 56 TObls gt Restore Volume TAC ASI gos id 56 Settings gt Pretoria dra Lara cacas 57 MOUNTING TRUECRYPT VOLUMES il asa R Ai ra aaa E O EEEE 59 Cache Password im Driver Memory esiin n steadied E dane T 59 Mount Options s ninsi e A tateaen secouateauaane 59 A RR 60 KEYFILES ud SAS 60 Keytiles Dialog Window sisi diia 61 Security Tokens and Sm
39. BLE CAUSE A Windows issue causes the label to be written only to the Windows registry file instead of being written to the filesystem POSSIBLE SOLUTIONS This issue affects only volumes that are not mounted as removable Hence if you want to change the label reliably make sure the option Mount volume as removable medium in the Mount Options is enabled or that the option Mount volumes as removable media in the Preferences is enabled when mounting the volume This issue affects only labels set via the Windows GUI Hence if you want to change the label reliably you can use the label command to do so PROBLEM cannot encrypt a partition device because TrueCrypt Volume Creation Wizard says it is in use POSSIBLE SOLUTION Close disable or uninstall all programs that might be using the partition device in any way for example an anti virus utility If it does not help right click the Computer or My Computer icon on your desktop and select Manage gt Storage gt Disk Management Then right click the partition that you want to encrypt and click Change Drive Letter and Paths Then click Remove and OK Restart the operating system PROBLEM When creating a hidden volume the Wizard reports that the outer volume cannot be locked PROBABLE CAUSE The outer volume contains files being used by one or more applications POSSIBLE SOLUTION Close all applications that are using files on the outer volume If it does not he
40. CAY 1 FREE OPEN SOURCE ENCRYPTION www truecrypt org Version Information TrueCrypt User s Guide version 6 3 Released by TrueCrypt Foundation on October 21 2009 Legal Notices THE INFORMATION CONTAINED IN THIS DOCUMENT IS NOT WARRANTED TO MEET YOUR REQUIREMENTS TO BE FREE OF ERRORS COMPLETE OR TIMELY IN NO EVENT WILL ANY AUTHOR OF THE SOFTWARE OR DOCUMENTATION OR ANY APPLICABLE COPYRIGHT OWNER OR ANY OTHER PARTY WHO MAY COPY AND OR RE DISTRIBUTE THIS SOFTWARE OR DOCUMENTATION BE LIABLE TO YOU OR TO ANY OTHER PARTY FOR ANY DAMAGES INCLUDING BUT NOT LIMITED TO ANY DIRECT INDIRECT GENERAL SPECIAL INCIDENTAL PUNITIVE EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO CORRUPTION OR LOSS OF DATA ANY LOSSES SUSTAINED BY YOU OR THIRD PARTIES A FAILURE OF THIS SOFTWARE TO OPERATE WITH ANY OTHER PRODUCT PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES OR BUSINESS INTERRUPTION WHETHER IN CONTRACT STRICT LIABILITY TORT INCLUDING BUT NOT LIMITED TO NEGLIGENCE OR OTHERWISE ARISING OUT OF THE USE COPYING MODIFICATION OR RE DISTRIBUTION OF THIS SOFTWARE OR DOCUMENTATION OR A PORTION THEREOF OR INABILITY TO USE THIS SOFTWARE OR DOCUMENTATION EVEN IF ANY CO AUTHOR COPYRIGHT OWNER OR ANY OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES BY INSTALLING RUNNING USING COPYING RE DISTRIBUTING AND OR MODIFYING THIS SOFTWARE INCLUDING BUT NOT LIMITED TO ITS DOCUMENTATION OR A PORTION THE
41. Crypt from the USB flash drive see also the chapter Portable Mode Does TrueCrypt use parallelization Yes Increase in encryption decryption speed is directly proportional to the number of cores processors your computer has For more information please see the chapter Parallelization in the documentation Can data be read from and written to an encrypted volume drive as fast as if the drive was not encrypted Yes since TrueCrypt uses pipelining and parallelization For more information please see the chapters Pipelining and Parallelization Is it possible to boot Windows installed in a hidden TrueCrypt volume Yes it is as of TrueCrypt 6 0 For more information please see the section Hidden Operating System Will be able to mount my TrueCrypt volume container on any computer Yes TrueCrypt volumes in contrast to TrueCrypt encrypted physical system partitions drives are independent of the operating system You will be able to mount your TrueCrypt volume on any computer on which you can run TrueCrypt see also the question Can use TrueCrypt in Windows if do not have administrator privileges 103 Can I unplug or turn off a hot plug device for example a USB flash drive or USB hard drive when there is a mounted TrueCrypt volume on it Before you unplug or turn off the device you should always dismount the TrueCrypt volume in TrueCrypt first and then perform the Eject operation if available right click t
42. Delete as soon as you see a BIOS start up screen and wait until a BIOS configuration screen appears If no BIOS configuration screen appears restart reset the computer again and start pressing F2 or Delete repeatedly as soon as you restart reset the computer When a BIOS configuration screen appears configure your BIOS to boot from the CD DVD drive first for information on how to do so please refer to the documentation for your BIOS motherboard or contact your computer vendor s technical support team for assistance Then restart your computer The TrueCrypt Rescue Disk screen should appear now Note In the TrueCrypt Rescue Disk screen you can select Repair Options by pressing F8 on your keyboard If your Rescue Disk is damaged you can create a new one by selecting System gt Create Rescue Disk To find out whether your TrueCrypt Rescue Disk is damaged insert it into your CD DVD drive and select System gt Verify Rescue Disk 45 Parallelization When your computer has a multi core processor CPU or multiple processors CPUs TrueCrypt uses all of the cores or processors in parallel for encryption and decryption For example when TrueCrypt is to decrypt a chunk of data it first splits the chunk into several smaller pieces The number of the pieces is equal to the number of the cores or processors Then all of the pieces are decrypted in parallel piece 1 is decrypted by thread 1 piece 2 is decrypted by thread 2 etc The
43. Designed by Bruce Schneier John Kelsey Doug Whiting David Wagner Chris Hall and Niels Ferguson published in 1998 It uses a 256 bit key and 128 bit block and operates in XTS mode see the section Modes of Operation Twofish was one of the AES finalists This cipher uses key dependent S boxes Twofish may be viewed as a collection of 2 different cryptosystems where 128 bits derived from a 256 bit key control the selection of the cryptosystem 4 In 13 the Twofish team asserts that key dependent S boxes constitute a form of security margin against unknown attacks 4 AES Twofish Two ciphers in a cascade 15 16 operating in XTS mode see the section Modes of Operation Each 128 bit block is first encrypted with Twofish 256 bit key in XTS mode and then with AES 256 bit key in XTS mode Each of the cascaded ciphers uses its own key All encryption keys are mutually independent note that header keys are independent too even though they are derived from a single password see Header Key Derivation Salt and lteration Count See above for information on the individual cascaded ciphers These are positive votes If negative votes are subtracted from the positive votes the following results are obtained Rijndael 76 votes Serpent 52 votes Twofish 10 votes RC6 14 votes MARS 70 votes 19 72 AES Twofish Serpent Three ciphers in a cascade 15 16 operating in XTS mode see the section Modes of Operation Each
44. If these conditions are not met the process continues from 3 again but this time instead of the data read in 1 the data read in 2 are used i e possible hidden volume header If the conditions are not met again mounting is terminated wrong password corrupted volume or not a TrueCrypt volume 5 Now we know or assume with very high probability that we have the correct password the correct encryption algorithm mode key size and the correct header key derivation algorithm If we successfully decrypted the data read in 2 we also know that we are mounting a hidden volume and its size is retrieved from data read in 2 decrypted in 3 6 The encryption routine is reinitialized with the primary master key and the secondary master key XTS mode see the section Modes of Operation which are retrieved from the decrypted volume header see the section TrueCrypt Volume Format Specification These keys can be used to decrypt any sector of the volume except the volume header area or the key data area for system encryption which has been encrypted using the header keys The volume is mounted See also section Modes of Operation and section Header Key Derivation Salt and Iteration Count The master keys were generated during the volume creation and cannot be changed later Volume password change is accomplished by re encrypting the volume header using a new header key derived from a new password 119 Modes of
45. Note Pipelining was introduced in TrueCrypt 5 0 and it is implemented only in the Windows versions of TrueCrypt 46 TrueCrypt Volume There are two types of TrueCrypt volumes File hosted container Partition device hosted non system Note In addition to creating the above types of virtual volumes TrueCrypt can encrypt a physical partition drive where Windows is installed for more information see the chapter System Encryption A TrueCrypt file hosted volume is a normal file which can reside on any type of storage device It contains hosts a completely independent encrypted virtual disk device A TrueCrypt partition is a hard disk partition encrypted using TrueCrypt You can also encrypt entire hard disks USB hard disks floppy disks USB memory sticks and other types of storage devices Creating a New TrueCrypt Volume To create a new TrueCrypt file hosted volume or to encrypt a partition device requires administrator privileges click on Create Volume in the main program window TrueCrypt Volume Creation Wizard should appear As soon as the Wizard appears it starts collecting data that will be used in generating the master key secondary key XTS mode and salt for the new volume The collected data which should be as random as possible include your mouse movements key presses and other values obtained from the system for more information please see the section Random Number Generator The Wizard provides hel
46. REOF YOU ACCEPT AND AGREE TO BE BOUND BY ALL TERMS AND CONDITIONS OF THE TRUECRYPT LICENSE THE FULL TEXT OF WHICH IS CONTAINED IN THE FILE License txt INCLUDED IN TRUECRYPT BINARY AND SOURCE CODE DISTRIBUTION PACKAGES CONTENTS INTRODUCTION sivsnssivsecatncicsieus sense siesussousdeseuesesbueceusce0ueseseussousceseess0ssussees lt deouesescessouscecoescecseccouscceouss 6 BEGINNER S TUTORIAL seeeseseses0s0s0s0sosososssssosssosssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssso 7 How to Create and Use a TrueCrypt CONAM A A A 7 How to Create and Use a TrueCrypt Partition DeviC8 ooonocccnnncccnoncccnoncnonnnnnononanonnncnnonnnnnnnnos 25 PLAUSIBLE DENIA BILE Y ccccssstesteciscessesincsscasiccesecsavtestassscusiavsvsediebe seus seusvevedesscevassrsvetedeveclovssevstes 26 HIDDEN VOLUME iia ti 27 Protection of Hidden Volumes Against Damage ooonoccnonccconnnonnnonncnoncnnnnnono nono nonncnnnnnnnn ccoo nano 29 Security Requirements and Precautions Pertaining to Hidden Volumes ooooconoccnincnnocnconncnns 32 HIDDEN OPERATING S YS TEM 2 A A E EA ENT 36 Process of Creation of Hidden Operating System oooococnnncccnoncccnoncnonononononcncnnncconnncnonnncnnonncnos 38 Plausible Deniability and Data Leak Protection oooococnnococnnncccnnncncnoncnononcnonnncncnoncnronncnnnnnnoo 39 Possible Explanations for Existence of Two TrueCrypt Partitions on Single Drive 39 Safety Security Precautions and Requirements Pertainin
47. S file system on read only media Is it possible to change the password for a hidden volume Yes the password change dialog works both for standard and hidden volumes Just type the password for the hidden volume in the Current Password field of the Volume Password Change dialog Remark TrueCrypt first attempts to decrypt the standard volume header and if it fails it attempts to decrypt the area within the volume where the hidden volume header may be stored if there is a hidden volume within In case it is successful the password change applies to the hidden volume Both attempts use the password typed in the Current Password field When I use HMAC RIPEMD 160 is the size of the header encryption key only 160 bits No TrueCrypt never uses an output of a hash function nor of a HMAC algorithm directly as an encryption key See the section Header Key Derivation Salt and Iteration Count for more information Can I change the header key derivation algorithm for example from HMAC RIPEMD 160 to HMAC SHA 512 without losing data stored on the volume Yes To do so select Volumes gt Set Header Key Derivation Algorithm How do burn a TrueCrypt container larger than 2 GB onto a DVD The DVD burning software you use should allow you to select the format of the DVD If it does select the UDF format ISO format does not support files larger than 2 GB Can I use tools like chkdsk Disk Defragmenter etc on the
48. SIBLE SOLUTION Note The following solution applies only to hidden volumes created within FAT volumes Defragment the outer volume mount it right click its drive letter in the Computer or My Computer window click Properties select the Tools tab and click Defragment Now After the volume is defragmented exit Disk Defragmenter and try to create the hidden volume again If this does not help delete all files and folders on the outer volume by pressing Shift Delete not by formatting do not forget to disable the Recycle Bin and System Restore for this drive beforehand and try creating the hidden volume on this completely empty outer volume again for testing purposes only If the maximum possible size of the hidden volume does not change even now the cause of the problem is very likely an extended root directory If you did not use the Default cluster size the last step in the Wizard reformat the outer volume and this time leave the cluster size at Default If it does not help reformat the outer volume again and copy less files folders to its root folder than you did last time If it does not help keep reformatting and decreasing the number of files folders in the root folder If this is unacceptable or if it does not help reformat the outer volume and select a larger cluster size If it does not help keep reformatting and increasing the cluster size until the problem is solved Alternatively try creating a hidden volum
49. See the section Tools gt Backup Volume Header Restore Volume Header See the section Tools gt Restore Volume Header 52 Program Menu Note To save space only the menu items that are not self explanatory are described in this documentation Volumes gt Auto Mount All Device Hosted Volumes See the section Auto Mount Devices Volumes gt Save Currently Mounted Volumes as Favorites This function is useful if you often work with more than one TrueCrypt volume at a time and you need each of them to be always mounted to a particular drive letter A list of all currently mounted volumes and the drive letters they are mounted as is saved to a file called Favorite Volumes xml in the folder sAPPDATA TrueCrypt In portable mode the file is saved to the folder from which you run the file TrueCrypt exe in which TrueCrypt exe resides Note that when you use this function all dismounted volumes that were previously saved as favorite will be deleted from the list of favorite volumes To mount volumes saved as Favorite select Volumes gt Mount Favorite Volumes To delete the list of favorite volumes dismount all TrueCrypt volumes and select Volumes gt Save Currently Mounted Volumes as Favorites See also Volumes gt Save Currently Mounted Volumes as System Favorites Volumes gt Mount Favorite Volumes This function mounts volumes you previously saved as Favorite For more information see the sectio
50. a beforehand If you are not sure whether to enable or disable Quick Format we recommend that you leave this option unchecked Note that Quick Format can only be enabled when encrypting partitions devices Important When encrypting a partition device within which you intend to create a hidden volume afterwards leave this option unchecked Dynamic Dynamic TrueCrypt container is a pre allocated NTFS sparse file whose physical size actual disk space used grows as new data is added to it Note that the physical size of the container actual disk space that the container uses will not decrease when files are deleted on the TrueCrypt volume The physical size of the container can only increase up to the maximum value that is specified by the user during the volume creation process After the maximum specified size is reached the physical size of the container will remain constant Note that sparse files can only be created in the NTFS file system If you are creating a container in the FAT file system the option Dynamic will be disabled grayed out Note that the size of a dynamic sparse file hosted TrueCrypt volume reported by Windows and by TrueCrypt will always be equal to its maximum size which you specify when creating the volume To find out current physical size of the container actual disk space it uses right click the container file in a Windows Explorer window not in TrueCrypt then select Properties and see the Size on
51. administrator privileges or physical access to the computer and the attacker needs you to use the computer after such an access However if any of these conditions is met it is actually impossible to secure the computer see below and therefore you must stop using it instead of relying on TPM If the attacker has administrator privileges he can for example reset the TPM capture the content of RAM containing master keys or content of files stored on mounted TrueCrypt volumes decrypted on the fly which can then be sent to the attacker over the Internet or saved to an unencrypted local drive from which the attacker might be able to read it later when he gains physical access to the computer If the attacker can physically access the computer hardware and you use it after such an access he can for example attach a malicious component to it such as a hardware keystroke logger that will capture the password the content of RAM containing master keys or content of files stored on mounted TrueCrypt volumes decrypted on the fly which can then be sent to the attacker over the Internet or saved to an unencrypted local drive from which the attacker might be able to read it later when he gains physical access to the computer again The only thing that TPM is almost guaranteed to provide is a false sense of security even the name itself Trusted Platform Module is misleading and creates a false sense of security As for re
52. al security TPM is actually redundant and implementing redundant features is usually a way to create so called bloatware Features like this are sometimes referred to as security theater 6 For more information please see the sections Physical Security and Malware 107 Why does Windows Vista and later versions of Windows ask me for permission to run TrueCrypt every time I run it in portable mode When you run TrueCrypt in portable mode TrueCrypt needs to load and start the TrueCrypt device driver TrueCrypt needs a device driver to provide transparent on the fly encryption decryption and users without administrator privileges cannot start device drivers in Windows Therefore Windows Vista and later versions of Windows ask you for permission to run TrueCrypt with administrator privileges Note that if you install TrueCrypt on the system as opposed to running TrueCrypt in portable mode you will not be asked for permission every time you run it Do I have to dismount TrueCrypt volumes before shutting down or restarting Windows No TrueCrypt automatically dismounts all mounted TrueCrypt volumes on system shutdown restart Which type of TrueCrypt volume is better partition or file container File containers are normal files so you can work with them as with any normal files file containers can be for example moved renamed and deleted the same way as normal files Partitions drives may be better as regards performa
53. alyzed files stored on the partition where the original system of which the hidden system is a clone resides he might find out for example that you used the TrueCrypt wizard in the hidden system creation mode which might indicate the existence of a hidden operating system on your computer To prevent such issues TrueCrypt will securely erase the entire content of the partition where the original system resides 38 after the hidden system has been created Afterwards in order to achieve plausible deniability TrueCrypt will prompt you to install a new system on the partition and encrypt it using TrueCrypt Thus you will create the decoy system and the whole process of creation of the hidden operating system will be completed Plausible Deniability and Data Leak Protection For security reasons when a hidden operating system is running TrueCrypt ensures that all local unencrypted filesystems and non hidden TrueCrypt volumes are read only i e no files can be written to such filesystems or TrueCrypt volumes Data is allowed to be written to any filesystem that resides within a hidden TrueCrypt volume provided that the hidden volume is not located in a container stored on an unencrypted filesystem or on any other read only filesystem There are three main reasons why such countermeasures have been implemented 1 It enables the creation of a secure platform for mounting of hidden TrueCrypt volumes Note that we officially recommend that
54. and Paths Click Remove If Windows prompts you to confirm the action click Yes Gig Soe 111 When I plug in my encrypted USB flash drive Windows asks me if want to format it Is there a way to prevent that Yes but you will need to remove the drive letter assigned to the device For information on how to do so see the question encrypted a non system partition but its original drive letter is still visible in the My Computer list How do I remove or undo encryption if do not need it anymore How do I permanently decrypt a volume Please see the chapter How to Remove Encryption What will change when I enable the option Mount volumes as removable media You can enable this option for example to prevent Windows from automatically creating the Recycled and or the System Volume Information folders on TrueCrypt volumes in Windows these folders are used by the Recycle Bin and System Restore facilities However there are some disadvantages For example when you enable this option under Windows Vista or earlier the Computer or My Computer list will not show free space on the volume note that this is a Windows limitation not a bug in TrueCrypt Do have to wipe free space and or files on a TrueCrypt volume Remark to wipe to securely erase to overwrite sensitive data in order to render them unrecoverable If you believe that an adversary will be able to decrypt the volume for exam
55. and you know that you will not need to save any data to it then the most comfortable way of protecting the hidden volume against damage is mounting the outer volume as read only see the section Mount Options Security Requirements and Precautions Pertaining to Hidden Volumes If you use a hidden TrueCrypt volume you must follow these security requirements and precautions If an adversary has access to a dismounted TrueCrypt volume at several points over time he may be able to determine which sectors of the volume are changing If you change the contents of a hidden volume e g create copy new files to the hidden volume or modify delete rename move files stored on the hidden volume etc the contents of sectors ciphertext in the hidden volume area will change After being given the password to the outer volume the adversary might demand an explanation why these sectors changed Your failure to provide a plausible explanation might indicate the existence of a hidden volume within the outer volume Note that the issue described above may also arise for example in the following cases o The file system in which you store a file hosted TrueCrypt container has been defragmented and a copy of the TrueCrypt container or of its fragment remains in the free space on the host volume in the defragmented file system To prevent this do one of the following B Use a partition device hosted TrueCrypt volume instead of file hosted B Secure
56. anyone forcing you to disclose your pre boot authentication password You should use the decoy operating system as frequently as you use your computer Ideally you should use it for all activities that do not involve sensitive data Otherwise plausible deniability of the hidden operating system might be adversely affected if you revealed the password for the decoy operating system to an adversary he could find out that the system is not used very often which might indicate the existence of a hidden operating system on your computer Note that you can save data to the decoy system partition anytime without any risk that the hidden volume will get damaged because the decoy system is not installed in the outer volume see below There will be two pre boot authentication passwords one for the hidden system and the other for the decoy system If you want to start the hidden system you simply enter the password for the hidden system in the TrueCrypt Boot Loader screen which appears after you turn on or restart your computer Likewise if you want to start the decoy system for example when asked to do so by an adversary you just enter the password for the decoy system in the TrueCrypt Boot Loader screen Note When you enter a pre boot authentication password the TrueCrypt Boot Loader first attempts to decrypt using the entered password the last 512 bytes of the first logical track of the system drive where encrypted master key data fo
57. art Cards cds ii ati ina 61 La AAA O ea sch ra ui a he Cea ie a 62 Empty Password amp Keyfile union id rindas 62 AS A o A E 63 Keyfiles gt Add Remove Keyfiles to from VoluMe ooooooncccnnnocinonocononaccnonnncnnncconnncconnnaconnncnos 63 Keyfiles gt Remove All Keyfiles from Volume oooonocccnnococonocononoccnononcnonnncnonnncconncnonnncconnnnnos 63 Keyfiles gt Generate Random Key coi deis 63 Keyfiles gt Set Default Keyfile PatlS icc sicccasosicavstavsictavopeaacsasebeasaessbadesdencdecs serena canina 64 SECURITY TOKENS SMART CARDS eessessoesoessessossocssessossoossessoesoossessoesoossossosssossosssessoseoe 65 PORTABLE MODE iaseliciucncesauteascuhinuse ceasossncasastastcaulsosctciecseceaacasesagasdocelanassouteaueaucepavabesacancoteauaanees 66 Tools gt Traveler Disk Set Print idilio 66 USING TRUECRYPT WITHOUT ADMINISTRATOR PRIVILEGES ooccnnccnosonsinssnessinssoos 68 TRUECRYPT BACK GROUND TAS Ko sissssccssconcscbissacscsssoncesasoensosbussseicdeencedasocebsabusnseucibadsteesoanttos 69 LANGUAGE PACES iscsdccustescsbedecsarsesvitersscescedeetsetevendeseaadesviduvesdusdedseoutavtudscacadeisdsubscuessedeesontesssdavece 70 A E ReneS 70 ENCRYPTION AEGORITH MA Sisi a 71 ARS sida 71 A 72 A nd ei cacas sde ela ao eos a 72 PES TWO aauom ae song tel erat doi a sete cena oa tice T2 AES Two fish Serpent cerei os eiei pi A iia 73 Serpent AES boa 13 Serpent TWONSH AES A A E ae ade weave oa ae 73 Twotish Serpent A A A A ERE
58. artition that you want to back up by following these steps a Click Select Device and then select the system partition that you want to back up in case of a hidden operating system select the partition containing the hidden volume in which the operating system is installed b Click OK c Select System gt Mount Without Pre Boot Authentication d Enter your pre boot authentication password and click OK 5 Mount the backup volume and then copy all files from the system partition mounted as a regular TrueCrypt volume since the previous step directly to the mounted backup volume 90 IMPORTANT If you store the backup volume in any location that an adversary can repeatedly access for example on a device kept in a bank s safe deposit box you should repeat all of the above steps including the step 2 each time you want to back up the volume see below If you follow the above steps you will help prevent adversaries from finding out Which sectors of the volumes are changing because you always follow step 2 This is particularly important for example if you store the backup volume on a device kept in a bank s safe deposit box or in any other location that an adversary can repeatedly access and the volume contains a hidden volume for more information see the subsection Security Requirements and Precautions Pertaining to Hidden Volumes in the chapter Plausible Deniability That one of the volumes is a backup of the oth
59. at you backup all your important files regularly this of course applies to any important data not just to encrypted data stored on TrueCrypt volumes Non System Volumes To back up a non system TrueCrypt volume securely it is recommended to follow these steps 1 Create a new TrueCrypt volume using the TrueCrypt Volume Creation Wizard do not enable the Quick Format option or the Dynamic option It will be your backup volume so its size should match or be greater than the size of your main volume If the main volume is a hidden TrueCrypt volume see the section Hidden Volume the backup volume must be a hidden TrueCrypt volume too Before you create the hidden backup volume you must create a new host outer volume for it without enabling the Quick Format option In addition especially if the backup volume is file hosted the hidden backup volume should occupy only a very small portion of the container and the outer volume should be almost completely filled with files otherwise the plausible deniability of the hidden volume might be adversely affected 2 Mount the newly created backup volume 3 Mount the main volume 4 Copy all files from the mounted main volume directly to the mounted backup volume IMPORTANT If you store the backup volume in any location that an adversary can repeatedly access for example on a device kept in a bank s safe deposit box you should repeat all of the above steps including the step 1 each ti
60. ata written to the system volume is written to a RAM disk Mount hidden volumes only when such a live CD system is running During the session only filesystems that reside in hidden TrueCrypt volumes may be mounted in read write mode outer or unencrypted volumes filesystems must be mounted as read only or must not be mounted accessible at all If you cannot use such a live CD version of the operating system or if you are not able to ensure that applications and the standard version as opposed to a live CD version of your operating system do not write the above types of sensitive data to non hidden volumes or filesystems you should not mount or create hidden TrueCrypt volumes under Linux o Mac OS X If you are not able to ensure that applications and the operating system do not write the above types of sensitive data to non hidden volumes or filesystems you should not mount or create hidden TrueCrypt volumes under Mac OS X If you use an operating system residing within a hidden volume see the section Hidden Operating System then in addition to the above you must follow these security requirements and precautions o You should use the decoy operating system as frequently as you use your computer Ideally you should use it for all activities that do not involve sensitive data Otherwise plausible deniability of the hidden operating system might be adversely affected if you This does not apply to filesystems on CD DVD lik
61. before it can be encrypted decrypted There are no extra memory RAM requirements for TrueCrypt For an illustration of how this is accomplished see the following paragraph Let s suppose that there is an avi video file stored on a TrueCrypt volume therefore the video file is entirely encrypted The user provides the correct password and or keyfile and mounts opens the TrueCrypt volume When the user double clicks the icon of the video file the operating system launches the application associated with the file type typically a media player The media player then begins loading a small initial portion of the video file from the TrueCrypt encrypted volume to RAM memory in order to play it While the portion is being loaded TrueCrypt is automatically decrypting it in RAM The decrypted portion of the video stored in RAM is then played by the media player While this portion is being played the media player begins loading next small portion of the video file from the TrueCrypt encrypted volume to RAM memory and the process repeats This process is called on the fly encryption decryption and it works for all file types not only for video files Note that TrueCrypt never saves any decrypted data to a disk it only stores them temporarily in RAM memory Even when the volume is mounted data stored in the volume is still encrypted When you restart Windows or turn off your computer the volume will be dismounted and files stored in i
62. can boot a WinPE or BartPE CD DVD or you can connect your system drive as a secondary or external drive to another computer and then boot the operating system installed on the computer After you boot a system run TrueCrypt click Select Device select the affected system partition click OK select System gt Mount Without Pre Boot Authentication enter your pre boot authentication password and click OK The partition will be mounted as a regular TrueCrypt volume data will be on the fly decrypted encrypted in RAM on access as usual Your TrueCrypt Rescue Disk contains a backup of the original content of the first drive track made before the TrueCrypt Boot Loader was written to it and allows you to restore it if necessary The first track typically contains a system loader or boot manager In the Rescue Disk screen select Repair Options gt Restore original system loader Note that even if you lose your TrueCrypt Rescue Disk and an attacker finds it he or she will not be able to decrypt the system partition or drive without the correct password To boot a TrueCrypt Rescue Disk insert it into your CD DVD drive and restart your computer If the TrueCrypt Rescue Disk screen does not appear or if you do not see the Repair Options item in the Keyboard Controls section of the screen it is possible that your BIOS is configured to attempt to boot from hard drives before CD DVD drives If that is the case restart your computer press F2 or
63. contents of a mounted TrueCrypt volume Yes TrueCrypt volumes behave like real physical disk devices so it is possible to use any filesystem checking repairing defragmenting tools on the contents of a mounted TrueCrypt volume Is it possible to use TrueCrypt without leaving any traces on unencrypted Windows Yes This can be achieved by running TrueCrypt in portable mode under BartPE BartPE stands for Bart s Preinstalled Environment which is essentially the Windows operating system prepared in a way that it can be entirely stored on and booted from a CD DVD registry temporary files etc are stored in RAM hard drive is not used at all and does not even have to be present The freeware Bart s PE Builder can transform a Windows XP installation CD into BartPE As of TrueCrypt 3 1 you do not need any TrueCrypt plug in for BartPE Just boot BartPE download the TrueCrypt self extracting package to the RAM disk which BartPE creates run it extract its content to the RAM 109 disk and then run the file TrueCrypt exe from the RAM disk Note You may also want to consider creating a hidden operating system for more information see the section Hidden Operating System Does TrueCrypt support the 64 bit editions of Windows 7 Vista Yes Note The 64 bit TrueCrypt driver is digitally signed with the digital certificate of the TrueCrypt Foundation which was issued by the certification authority GlobalSign Does TrueCrypt r
64. created it will no longer be required to mount the device with TrueCrypt to be able to save or load files to from the device 113 Uninstalling TrueCrypt To uninstall TrueCrypt on Windows XP select Start menu gt Settings gt Control Panel gt Add or Remove Programs gt TrueCrypt gt Change Remove To uninstall TrueCrypt on Windows Vista or later select Start menu gt Control Panel gt Programs Uninstall a program gt TrueCrypt gt Change Remove No TrueCrypt volume will be removed when you uninstall TrueCrypt You will be able to mount your TrueCrypt volume s again after you install TrueCrypt or when you run it in portable mode 114 TrueCrypt System Files amp Application Data Note swindir is the main Windows installation path e g C WINDOWS TrueCrypt Driver Swindir SYSTEM32 DRIVERS truecrypt sys 32 bit Windows or Swindirs SysWOW64 drivers truecrypt sys 64 bit Windows Note These files are not present when TrueCrypt is run in portable mode TrueCrypt Settings amp Application Data The following files are saved in the folder sAPPDATA TrueCrypt In portable mode these files are saved to the folder from which you run the file TrueCrypt exe i e the folder in which TrueCrypt exe resides WARNING Note that TrueCrypt does not encrypt those files unless it encrypts the system partition drive Configuration xml the main configuration file System Encryption xml temporar
65. crypted within the volume this area contains random data For system encryption this item is omitted See bytes 0 65535 131072 Encrypted Data area master key scope For system encryption offset may be different depending on offset of system partition S 131072 Encrypted Backup header encrypted with a different header key derived Unencrypted using a different salt For system encryption this item is omitted See bytes 0 65535 Encrypted Backup header for hidden volume encrypted with a different Unencrypted header key derived using a different salt If there is no hidden within the volume this area contains random data For system encryption this item is omitted See bytes 0 65535 The encrypted areas of the volume header are encrypted in XTS mode using the primary and secondary header keys For more information see the section Encryption Scheme and the section Header Key Derivation Salt and Iteration Count S denotes the size of the volume host in bytes Note that the salt does not need to be encrypted as it does not have to be kept secret 7 salt is a sequence of random values Multiple concatenated master keys are stored here when the volume is encrypted using a cascade of ciphers secondary master keys are used for XTS mode See below in this section for information on the method used to fill free volume space with random data when the volume is created tt Here the meaning of sy
66. crypted for more information see the chapter System Encryption and if all paging files are located on one or more of the partitions within the key scope of system for example on the partition where Windows is installed for more information see the subsection Solution below Also called swap file Windows uses this file usually stored on a hard drive to hold parts of programs and data files that do not fit in memory This means that sensitive data which you believe are only stored in RAM can actually be written unencrypted to a hard drive by Windows without you knowing TrueCrypt always attempts to lock the memory areas in which cached passwords encryption keys and other sensitive data are stored in order to prevent such data from being leaked to paging files However note that Windows may reject or fail to lock memory for various documented and undocumented reasons Furthermore TrueCrypt cannot prevent the contents of sensitive files that are opened in RAM from being saved unencrypted to a paging file note that when you open a file stored on a TrueCrypt volume for example in a text editor then the content of the file is stored unencrypted in RAM To prevent the issues described above encrypt the system partition drive for information on how to do so see the chapter System Encryption and make sure that all paging files are located on one or more of the partitions within the key scope of system encryption for example
67. crypted without knowing the correct password and or supplying the correct keyfile s For more information see the chapter Technical Details When you create an external header backup both the standard volume header and the area where a hidden volume header can be stored is backed up even if there is no hidden volume within the volume to preserve plausible deniability of hidden volumes If there is no hidden volume within the volume the area reserved for the hidden volume header in the backup file will be filled with random data to preserve plausible deniability 56 When restoring a volume header you need to choose the type of volume whose header you wish to restore a standard or hidden volume Only one volume header can be restored at a time To restore both headers you need to use the function twice Tools gt Restore Volume Header You will need to enter the correct password and or to supply the correct keyfiles that was were valid when the volume header backup was created The password and or keyfiles will also automatically determine the type of the volume header to restore i e standard or hidden note that TrueCrypt determines the type through the process of trial and error Note If the user fails to supply the correct password and or keyfiles twice in a row when trying to mount a volume TrueCrypt will automatically try to mount the volume using the embedded backup header in addition to trying to mount it using the pri
68. cryption key and secondary header key XTS mode are formed These keys are used to decrypt the volume header b Encryption algorithm AES 256 Serpent Twofish AES Serpent AES Twofish Serpent etc c Mode of operation XTS LRW deprecated legacy CBC deprecated legacy d Key size s If the size of the active partition is less than 256 MB then the data is read from the second partition behind the active one Windows 7 and later by default do not boot from the partition on which they are installed Y These parameters are kept secret not in order to increase the complexity of an attack but primarily to make TrueCrypt volumes unidentifiable indistinguishable from random data which would be difficult to achieve if these parameters were stored unencrypted within the volume header Also note that if a non cascaded encryption algorithm is used for system encryption the algorithm is known it can be determined by analyzing the contents of the unencrypted TrueCrypt Boot Loader stored in the first logical drive track or on the TrueCrypt Rescue Disk 118 4 Decryption is considered successful if the first 4 bytes of the decrypted data contain the ASCII string TRUE and if the CRC 32 checksum of the last 256 bytes of the decrypted data volume header matches the value located at byte 8 of the decrypted data this value is unknown to an adversary because it is encrypted see the section TrueCrypt Volume Format Specification
69. ction have to be performed to derive a header key which increases the time necessary to perform an exhaustive search for passwords i e brute force attack 7 Header keys used by ciphers in a cascade are mutually independent even though they are derived from a single password to which keyfiles may have been applied For example for the AES Twofish Serpent cascade the header key derivation function is instructed to derive a 768 bit encryption key from a given password and for XTS mode in addition a 768 bit secondary header key from the given password The generated 768 bit header key is then split into three 256 bit keys for XTS mode the secondary header key is split into three 256 bit keys too so the cascade actually uses six 256 bit keys in total out of which the first key is used by Serpent the second key is used by Twofish and the third by AES in addition for XTS mode the first secondary key is used by Serpent the second secondary key is used by Twofish and the third secondary key by AES Hence even when an adversary has one of the keys he cannot use it to derive the other keys as there is no feasible method to determine the password from which the key was derived except for brute force attack mounted on a weak password 121 Random Number Generator The TrueCrypt random number generator RNG is used to generate the master encryption key the secondary key XTS mode salt and keyfiles It creates a pool of rando
70. d by Hans Dobbertin Antoon Bosselaers and Bart Preneel in an open academic community The size of the output of RIPEMD 160 is 160 bits RIPEMD 160 is a strengthened version of the RIPEMD hash algorithm that was developed in the framework of the European Union s project RIPE RACE Integrity Primitives Evaluation 1988 1992 RIPEMD 160 was adopted by the International Organization for Standardization ISO and the IEC in the ISO IEC 101 18 3 2004 international standard 21 SHA 512 SHA 512 is a hash algorithm designed by the NSA and published by NIST in FIPS PUB 180 2 14 in 2002 the first draft was published in 2001 The size of the output of this algorithm is 512 bits Whirlpool The Whirlpool hash algorithm was designed by Vincent Rijmen co designer of the AES encryption algorithm and Paulo S L M Barreto The size of the output of this algorithm is 512 bits The first version of Whirlpool now called Whirlpool 0 was published in November 2000 The second version now called Whirlpool T was selected for the NESSIE New European Schemes for Signatures Integrity and Encryption portfolio of cryptographic primitives a project organized by the European Union similar to the AES competition TrueCrypt uses the third final version of Whirlpool which was adopted by the International Organization for Standardization ISO and the IEC in the ISO IEC 10118 3 2004 international standard 21 74 Supported Operating Systems This versi
71. d then boot the operating system installed on the computer Note For security reasons if the operating system that you want to back up resides ina hidden TrueCrypt volume see the section Hidden Operating System then the operating system that you boot in this step must be either another hidden operating system or a live CD operating system see above For more information see the subsection Security Requirements and Precautions Pertaining to Hidden Volumes in the chapter Plausible Deniability Create a new non system TrueCrypt volume using the TrueCrypt Volume Creation Wizard do not enable the Quick Format option or the Dynamic option It will be your backup volume so its size should match or be greater than the size of the system partition that you want to back up If the operating system that you want to back up is installed in a hidden TrueCrypt volume see the section Hidden Operating System the backup volume must be a hidden TrueCrypt volume too Before you create the hidden backup volume you must create a new host outer volume for it without enabling the Quick Format option In addition especially if the backup volume is file hosted the hidden backup volume should occupy only a very small portion of the container and the outer volume should be almost completely filled with files otherwise the plausible deniability of the hidden volume might be adversely affected Mount the newly created backup volume Mount the system p
72. d with a different key which is also the case when you create a hidden operating system and therefore it can be explained this way If you do not know any good reason why there should be more than one partition on a system drive at all It is generally recommended to separate non system files documents from system files One of the easiest and most reliable ways to do that is to create two partitions on the system drive one for the operating system and the other for documents non system files The reasons why this practice is recommended include o If the filesystem on one of the partitions is damaged files on the partition may get corrupted or lost whereas files on the other partition are not affected o Itis easier to reinstall the system without losing your documents reinstallation of an operating system involves formatting the system partition after which all files stored on it are lost If the system is damaged full reinstallation is often the only option A cascade encryption algorithm e g AES Twofish Serpent can be up to four times slower than a non cascade one e g AES However a cascade encryption algorithm may be more secure than a non cascade one for example the probability that three distinct encryption algorithms will be broken e g due to advances in cryptanalysis is significantly lower than the probability that only one of them will be broken Therefore if you encrypt the outer volume with a cascade encryption
73. den system partition or to another hidden volume sae aoe heen gn Possible Explanations for Existence of Two TrueCrypt Partitions on Single Drive An adversary might ask why you created two TrueCrypt encrypted partitions on a single drive a system partition and a non system partition rather than encrypting the entire disk with a single encryption key There are many possible reasons to do that However if you do not know any This does not apply to filesystems on CD DVD like media and on custom atypical or non standard devices media 39 other than creating the hidden operating system you can provide for example one of the following explanations If there are more than two partitions on a system drive and you want to encrypt only two of them the system partition and the one behind it and to leave the other partitions unencrypted for example to achieve the best possible performance when reading and writing data which is not sensitive to such unencrypted partitions the only way to do that is to encrypt both partitions separately note that with a single encryption key TrueCrypt could encrypt the entire system drive and all partitions on it but it cannot encrypt only two of them only one or all of the partitions can be encrypted with a single key As a result there will be two adjacent TrueCrypt partitions on the system drive the first will be a system partition the second will be a non system one each encrypte
74. e load save data from to it and create file hosted TrueCrypt volumes on the system However users without administrator privileges cannot encrypt format partitions cannot create NTFS volumes cannot install uninstall TrueCrypt cannot change passwords keyfiles for TrueCrypt partitions devices cannot backup restore headers of TrueCrypt partitions devices and they cannot run TrueCrypt in portable mode Note As regards personal privacy in most cases it is not safe to work with sensitive data under systems where you do not have administrator privileges because the administrator can easily capture and copy the sensitive data including the passwords and keys 68 TrueCrypt Background Task When the main TrueCrypt window is closed the TrueCrypt Background Task takes care of the following tasks functions 1 Hot keys 2 Auto dismount e g upon log off inadvertent host device removal time out etc 3 Notifications e g when damage to hidden volume is prevented 4 Tray icon WARNING If neither the TrueCrypt Background Task nor TrueCrypt is running the above mentioned tasks functions are disabled The TrueCrypt Background Task is actually the TrueCrypt exe application which continues running in the background after you close the main TrueCrypt window Whether it is running or not can be determined by looking at the system tray area If you can see the TrueCrypt icon there then the TrueCrypt Background Task is ru
75. e RAID Windows Dynamic Volumes TrueCrypt supports hardware software RAID as well as Windows dynamic volumes Windows Vista or later Dynamic volumes are displayed in the Select Device dialog window as Device HarddiskVolumeN Windows XP 2000 2003 If you intend to format a Windows dynamic volume as a TrueCrypt volume keep in mind that after you create the Windows dynamic volume using the Windows Disk Management tool you must restart the operating system in order for the volume to be available displayed in the Select Device dialog window of the TrueCrypt Volume Creation Wizard Also note that in the Select Device dialog window a Windows dynamic volume is not displayed as a single device item Instead a volumes that the Windows dynamic volume consists of are displayed and you can select any of them in order to format the entire Windows dynamic volume Additional Notes on Volume Creation After you click the Format button in the Volume Creation Wizard window the last step there will be a short delay while your system is being polled for additional random data Afterwards the master key header key secondary key XTS mode and salt for the new volume will be generated and the master key and header key contents will be displayed For extra security the randomness pool master key and header key contents can be prevented from being displayed by unchecking the checkbox in the upper right corner of the corresponding
76. e Volumes xml Note This file may be absent if the corresponding TrueCrypt feature is not used 116 Technical Details Notation C DxO EKO HO Ciphertext block Decryption algorithm using encryption decryption key K Encryption algorithm using encryption decryption key K Hash function Block index for n bit blocks n is context dependent Cryptographic key Plaintext block Bitwise exclusive OR operation XOR Modulo 2 addition where n is the bit size of the left most operand and of the resultant value e g if the left operand is a 1 bit value and the right operand is a 2 bit value then 1 O 1 1 1 0 1 2 1 1 3 0 0 O 0 0 1 1 0 2 0 0 3 1 Modular multiplication of two polynomials over the binary field GF 2 modulo xl Stx all GF stands for Galois Field Concatenation 117 Encryption Scheme When mounting a TrueCrypt volume assume there are no cached passwords keyfiles or when performing pre boot authentication the following steps are performed 1 The first 512 bytes of the volume i e the standard volume header are read into RAM out of which the first 64 bytes are the salt see TrueCrypt Volume Format Specification For system encryption see the chapter System Encryption the last 512 bytes of the first logical drive track are read into RAM the TrueCrypt Boot Loader is stored in the first track of the system drive and or on the TrueCrypt Rescue Disk Bytes 65536 66047 of the volume are read in
77. e dismounted and all files stored on it will be inaccessible and encrypted Even when power supply is suddenly interrupted without proper system shut down all files stored on the volume will be inaccessible and encrypted To make them accessible again you have to mount the volume To do so repeat Steps 13 18 Continued on the next page 24 If you want to close the volume and make files stored on it inaccessible either restart your operating system or dismount the volume To do so follow these steps lol xi File Volumes Keyfiles Tools Settings Help Homepage Drive Volume Size Encryption Algorithm D My Documents My Volume Normal Create Yolume Volume Properties Volume D My Documents My Volume Select File V Never save history Volume Tools Select Device Auto Mount Devices Dismount All Exit Select the volume from the list of mounted volumes in the main TrueCrypt window marked with a red rectangle in the screenshot above and then click Dismount also marked with a red rectangle in the screenshot above To make files stored on the volume accessible again you will have to mount the volume To do so repeat Steps 13 18 Wipe Gache How to Create and Use a TrueCrypt Partition Device Instead of creating file containers you can also encrypt physical partitions or drives i e create TrueCrypt device hosted volumes To do so repeat
78. e header and the backup header embedded in the volume are re encrypted with different header keys derived using newly generated salts the salt for the volume header is different from the salt for the backup header Each salt is generated by the TrueCrypt random number generator see the section Random Number Generator For more information about header backups see the subsection Tools gt Restore Volume Header in the chapter Main Program Window Provided that the options Quick Format and Dynamic are disabled and provided that the volume does not contain a filesystem that has been encrypted in place note that TrueCrypt does not allow the user to create a hidden volume within such a volume 127 Compliance with Standards and Specifications TrueCrypt complies with the following standards specifications and recommendations PKCS 5 v2 0 7 PKCS 11 v2 20 23 FIPS 197 3 FIPS 198 22 FIPS 180 2 14 ISO IEC 10118 3 2004 21 The correctness of the implementations of the encryption algorithms can be verified using test vectors select Tools gt Test Vectors or by examining the source code of TrueCrypt Source Code TrueCrypt is open source and free software The complete source code of TrueCrypt written in C C and assembly is freely available for peer review at http www truecrypt org 128 Future Development For the list of features that are planned for a future release please refer to http w
79. e hosted the Windows version of TrueCrypt verifies this and disallows creation of hidden volumes within sparse files When a hidden volume is mounted the operating system and third party applications may write to non hidden volumes typically to the unencrypted system volume unencrypted information about the data stored in the hidden volume e g filenames and locations of recently accessed files databases created by file indexing tools etc or the data itself in an unencrypted form temporary files etc or unencrypted information about the filesystem residing in the hidden volume which might be used e g to identify the filesystem and to determine whether it is the filesystem residing in the outer volume Therefore the following guidelines and precautions must be followed o Windows Create a hidden operating system for information on how to do so see the section Hidden Operating System and mount hidden volumes only when the hidden operating system is running Note When a hidden operating system is running TrueCrypt ensures that all local unencrypted filesystems and non hidden TrueCrypt volumes are read only i e no files can be written to such filesystems or TrueCrypt volumes Data is allowed to be written to filesystems within hidden TrueCrypt volumes o Linux Download or create a live CD version of your Linux operating system i e a live Linux system entirely stored on and booted from a CD DVD that ensures that any d
80. e media and on custom untypical or non standard devices media 33 revealed the password for the decoy operating system to an adversary he could find out that the system is not used very often which might indicate the existence of a hidden operating system on your computer Note that you can save data to the decoy system partition anytime without any risk that the hidden volume will get damaged because the decoy system is not installed in the outer volume If the operating system requires activation it must be activated before it is cloned cloning is part of the process of creation of a hidden operating system see the section Hidden Operating System and the hidden operating system i e the clone must never be reactivated The reason is that the hidden operating system is created by copying the content of the system partition to a hidden volume so if the operating system is not activated the hidden operating system will not be activated either If you activated or reactivated a hidden operating system the date and time of the activation and other data might be logged on a Microsoft server and on the hidden operating system but not on the decoy operating system Therefore if an adversary had access to the data stored on the server or intercepted your request to the server and if you revealed the password for the decoy operating system to him he might find out that the decoy operating system was activated or reactivated at a d
81. e my password to a disk No Is some hash of my password stored somewhere No How does TrueCrypt verify that the correct password was entered See the chapter Technical Details section Encryption Scheme 106 Can l encrypt a partition drive without losing the data currently stored on it Yes but the following conditions must be met If you want to encrypt an entire system drive which may contain multiple partitions or a system partition in other words if you want to encrypt a drive or partition where Windows is installed you can do so provided that you use TrueCrypt 5 0 or later and that you use Windows XP or a later version of Windows such as Windows 7 select System gt Encrypt System Partition Drive and then follow the instructions in the wizard If you want to encrypt a non system partition in place you can do so provided that it contains an NTFS filesystem that you use TrueCrypt 6 1 or later and that you use Windows Vista or a later version of Windows for example Windows 7 click Create Volume gt Encrypt a non system partition gt Standard volume gt Select Device gt Encrypt partition in place and then follow the instructions in the wizard Can I run TrueCrypt if don t install it Yes see the chapter Portable Mode Some encryption programs use TPM to prevent attacks Will TrueCrypt use it too No Those programs use TPM to protect against attacks that require the attacker to have
82. e of system encryption which it typically is by Disclaimer As Microsoft does not provide any API for handling hibernation non Microsoft developers of disk encryption software are forced to modify undocumented components of Windows in order to allow users to encrypt hibernation files Therefore no disk encryption software except for Microsoft s BitLocker can currently guarantee that hibernation files will always be encrypted At anytime Microsoft can arbitrarily modify components of Windows using the Auto Update feature of Windows that are not publicly documented or accessible via a public API Any such change or the use of an untypical or custom storage device driver may cause any non Microsoft disk encryption software to fail to encrypt the hibernation file Note We have been working with Microsoft on possible solutions to these issues For more information please see the footnote at http www truecrypt org docs s hibernation file 81 default for example on the partition where Windows is installed When the computer hibernates data are encrypted on the fly before they are written to the hibernation file When a computer hibernates or enters a power saving mode the content of its system memory is written to a so called hibernation file on the hard drive You can configure TrueCrypt Settings gt Preferences gt Dismount all when Entering power saving mode to automatically dismount all mounted TrueCrypt volumes erase thei
83. e within an NTFS volume PROBLEM One of the following problems occurs A TrueCrypt volume cannot be mounted NTFS TrueCrypt volumes cannot be created In addition the following error may be reported The process cannot access the file because it is being used by another process PROBABLE CAUSE This is probably caused by an interfering application Note that this is not a bug in TrueCrypt The operating system reports to TrueCrypt that the device is locked for an exclusive access by an application so TrueCrypt is not allowed to access it POSSIBLE SOLUTION It usually helps to disable or uninstall the interfering application which is usually an anti virus utility a disk management application etc 94 PROBLEM In the TrueCrypt Boot Loader screen I m trying to type my password and or pressing other keys but the TrueCrypt boot loader does not respond PROBABLE CAUSE You have a USB keyboard not a PS 2 keyboard and pre boot support for USB keyboards is disabled in your BIOS settings POSSIBLE SOLUTION You need to enable pre boot support for USB keyboards in your BIOS settings To do so follow the below steps Restart your computer press F2 or Delete as soon as you see a BIOS start up screen and wait until a BIOS configuration screen appears If no BIOS configuration screen appears restart reset the computer again and start pressing F2 or Delete repeatedly as soon as you restart reset the computer Whe
84. encrypted in place TrueCrypt does not allow the user to create a hidden volume within such a volume For information on the method used to fill free volume space with random data see chapter Technical Details section TrueCrypt Volume Format Specification 27 The password for the hidden volume must be substantially different from the password for the outer volume To the outer volume before creating the hidden volume within it you should copy some sensitive looking files that you actually do NOT want to hide These files will be there for anyone who would force you to hand over the password You will reveal only the password for the outer volume not for the hidden one Files that really are sensitive will be stored on the hidden volume A hidden volume can be mounted the same way as a standard TrueCrypt volume Click Select File or Select Device to select the outer host volume important make sure the volume is not mounted Then click Mount and enter the password for the hidden volume Whether the hidden or the outer volume will be mounted is determined by the entered password i e when you enter the password for the outer volume then the outer volume will be mounted when you enter the password for the hidden volume the hidden volume will be mounted TrueCrypt first attempts to decrypt the standard volume header using the entered password If it fails it loads the area of the volume where a hidden volume header can be stored i e the
85. er General Notes If you store the backup volume in any location where an adversary can make a copy of the volume consider encrypting the volume with a cascade of ciphers for example with AES Twofish Serpent Otherwise if the volume is encrypted only with a single encryption algorithm and the algorithm is later broken for example due to advances in cryptanalysis the attacker might be able to decrypt his copies of the volume The probability that three distinct encryption algorithms will be broken is significantly lower than the probability that only one of them will be broken 91 Troubleshooting It is recommended that you read also the latest online version of this chapter at http www truecrypt org docs s troubleshooting This section presents possible solutions to common problems that you may run into when using TrueCrypt If your problem is not listed here it might be listed in one of the following sections Incompatibilities Known Issues amp Limitations Frequently Asked Questions PROBLEM Writing reading to from volume is very slow even though according to the benchmark the speed of the cipher that I m using is higher than the speed of the hard drive PROBABLE CAUSE This is probably caused by an interfering application POSSIBLE SOLUTION First make sure that your TrueCrypt container does not have a file extension that is reserved for executable files for example exe sys or dll If i
86. er and Paths window should appear If no drive letter is displayed in the window click Add Otherwise click Cancel If you clicked Ada then in the Add Drive Letter or Path which should have appeared select a drive letter you want to assign to the partition and click OK e Inthe Computer Management window right click the partition you want to decrypt again and select Format The Format window should appear f Inthe Format window click OK After the partition is formatted it will no longer be required to mount it with TrueCrypt to be able to save or load files to from the partition If the volume is device hosted i e there are no partitions on the device and the device is entirely encrypted in addition to the steps 1 3 do the following a Right click the Computer or My Computer icon on your desktop or in the Start Menu and select Manage The Computer Management window should appear b Inthe Computer Management window from the list on the left select Disk Management within the Storage sub tree c Right click the area representing the storage space of the encrypted device and select New Partition or New Simple Volume d WARNING Before you continue make sure you have selected the correct device as all files stored on it will be lost The New Partition Wizard or New Simple Volume Wizard window should appear now follow its instructions to create a new partition on the device After the partition is
87. er may modify the hardware or attach a malicious hardware component to it such as a hardware keystroke logger that will capture the password or encryption key e g when Allegedly for 1 5 35 seconds under normal operating temperatures 26 44 C and up to several hours when the memory modules are cooled when the computer is running to very low temperatures e g 50 C New types of memory modules allegedly exhibit a much shorter decay time e g 1 5 2 5 seconds than older types as of 2008 t Before a key can be erased from RAM the corresponding TrueCrypt volume must be dismounted For non system volumes this does not cause any problems However as Microsoft currently does not provide any appropriate API for handling the final phase of the system shutdown process paging files located on encrypted system volumes that are dismounted during the system shutdown process may still contain valid swapped out memory pages including portions of Windows system files This could cause blue screen errors Therefore to prevent blue screen errors TrueCrypt does not dismount encrypted system volumes and consequently cannot clear the master keys of the system volumes when the system is shut down or restarted 83 you mount a TrueCrypt volume or otherwise compromise the security of the computer Therefore you must not use TrueCrypt on a computer that an attacker has physically accessed Furthermore you must ensure that TrueCrypt including i
88. ere is enough space in the first drive track for a backup of the TrueCrypt Boot Loader Hence whenever the TrueCrypt Boot Loader is damaged its backup copy is run automatically instead 98 Known Issues Limitations It is strongly recommended that you read also the latest online version of this chapter at http www truecrypt org docs s issues and limitations Known Issues There were no confirmed issues when this document was created Limitations Note This limitation does not apply to users of Windows Vista and later versions of Windows On Windows XP 2003 TrueCrypt does not support encrypting an entire system drive that contains extended logical partitions You can encrypt an entire system drive provided that it contains only primary partitions Extended logical partitions must not be created on any system drive that is partially or fully encrypted only primary partitions may be created on it Note lf you need to encrypt an entire drive containing extended partitions you can encrypt the system partition and in addition create partition hosted TrueCrypt volumes within any non system partitions on the drive Alternatively you may want to consider upgrading to Windows Vista or a later version of Windows TrueCrypt currently does not support encrypting a system drive that has been converted to a dynamic disk TrueCrypt volume passwords must consist only of printable ASCII characters Non ASCIlI character
89. erties Wipe Gache Moreover the field Hidden Volume Protected in the Volume Properties dialog window says Yes damage prevented Note that when damage to hidden volume is prevented no information about the event is written to the volume When the outer volume is dismounted and mounted again the volume properties will not display the string damage prevented 30 There are several ways to check that a hidden volume is being protected against damage 1 A confirmation message box saying that hidden volume is being protected is displayed after the outer volume is mounted if it is not displayed the hidden volume is not protected 2 Inthe Volume Properties dialog the field Hidden Volume Protected says Yes 3 The type of the mounted outer volume is Outer l5 x File Yolumes Keyfiles Tools Settings Help Homepage Drive Volume Size Encryption Algorithm DevicelHarddisk1lPartition3 2 1GB AES Important When an adversary asks you to mount an outer volume you of course must not mount the outer volume with the hidden volume protection enabled You must mount it as a normal volume and then TrueCrypt will not show the volume type Outer but Normal Note that during the time when an outer volume is mounted with the hidden volume protection enabled the adversary can find out that a hidden volume exists within the outer volume he she will be able to find it out
90. es Full support for Windows 7 Full support for Mac OS X 10 6 Snow Leopard The ability to configure selected volumes as system favorite volumes This is useful for example when you have volumes that need to be mounted before system and application services start and before users start logging on It is also useful when there are network shared folders located on a TrueCrypt volume and you need to ensure that the network shares will be restored by the system each time it is restarted For more information see the chapter Main Program Window section Program Menu subsection Volumes gt Save Currently Mounted Volumes as System Favorites Windows Improvements and bug fixes Favorite volumes residing within partitions or dynamic volumes will no longer be affected by changes in disk device numbers which may occur e g when a drive is removed or added Windows Many other minor improvements and bug fixes Windows Mac OS X and Linux For a list of changes in older versions see http www truecrypt org docs s version history 130 Acknowledgements We would like to thank the following people Paul Le Roux for making his E4M source code available some parts of TrueCrypt were derived from E4M Brian Gladman who wrote the excellent AES Twofish SHA 512 and finite field GF 2 multiplication routines Peter Gutmann for his paper on random numbers and for creating his cryptlib which was the source of
91. f malware TrueCrypt may become unable to secure data on the computer Therefore you must not use TrueCrypt on a computer infected with any kind of malware It is important to note that TrueCrypt is encryption software not anti malware software It is your responsibility to prevent malware from running on the computer If you do not TrueCrypt may become unable to secure data on the computer There are many rules that you should follow to help prevent malware from running on your computer Among the most important rules are the following Keep your operating system Internet browser and other critical software up to date In Windows XP or later turn on DEP for all programs Do not open suspicious email attachments especially executable files even if they appear to have been sent by your relatives or friends their computers might be infected with malware sending malicious emails from their computers accounts without their knowledge Do not follow suspicious links contained in emails or on websites even if the email website appears to be harmless or trustworthy Do not visit any suspicious websites Do not download or install any suspicious software Consider using good trustworthy anti malware software Multi User Environment Keep in mind that the content of a mounted TrueCrypt volume is visible accessible to all logged on users NTFS file permissions can be configured to prevent this Moreover on Windows the password cache is shared
92. file regardless of the file size If you are not sure what entropy means we recommend that you let TrueCrypt generate a file with random content and that you use it as a keyfile select Keyfiles gt Generate Random Keyfile However if you use an MP3 file as a keyfile you must ensure that no program modifies the ID3 tags e g song title name of artist etc within the MP3 file Otherwise it will be impossible to mount volumes that use the keyfile 60 WARNING If you lose a keyfile or if any bit of its first 1024 kilobytes changes it will be impossible to mount volumes that use the keyfile WARNING If password caching is enabled the password cache also contains the processed contents of keyfiles used to successfully mount a volume Then it is possible to remount the volume even if the keyfile is not available accessible To prevent this click Wipe Cache or disable password caching for more information please see the section Settings gt Preferences subsection Cache passwords in driver memory Keyfiles Dialog Window If you want to use keyfiles i e apply them when creating or mounting volumes or changing passwords look for the Use keyfiles option and the Keyfiles button below a password input field Cache passwords and keyfiles in memory Cancel I Display Password Mount Options These control elements appear in various dialog windows and always have the same functions Check the Use keyfile
93. for a different master key Syntax TrueCrypt exe a devices favorites b Ve yl n d drive letter e Zf h yln k keyfile or search path 1 drive letter m bk rm recovery ro sm ts p password q background preferences s tokenlib path v volume w TrueCrypt Format exe n Note that the order in which options are specified does not matter Examples Mount the volume d imyvolume as the first free drive letter using the password prompt the main program window will not be displayed truecrypt q v d myvolume Dismount a volume mounted as the drive letter X the main program window will not be displayed truecrypt q dx Mount a volume called myvolume tc using the password MyPassword as the drive letter X TrueCrypt will open an explorer window and beep mounting will be automatic truecrypt v myvolume tc 1x a p MyPassword e b 78 Sharing over Network If there is a need to access a single TrueCrypt volume simultaneously from multiple operating systems there are two options 1 2 A TrueCrypt volume is mounted only on a single computer for example on a server and only the content of the mounted TrueCrypt volume i e the file system within the TrueCrypt volume is shared over a network Users on other computers or systems will not mount the volume it is already mounted on the server Advantages All users can write data to the TrueCrypt volume The shared volume
94. formation on how to change a password used for pre boot authentication please see the section System gt Change Password See also the chapter Security Requirements and Precautions PKCS 5 PRF In this field you can select the algorithm that will be used in deriving new volume header keys for more information see the section Header Key Derivation Salt and Iteration Count and in generating the new salt for more information see the section Random Number Generator Note When TrueCrypt re encrypts a volume header the original volume header is first overwritten 256 times with random data to prevent adversaries from using techniques such as magnetic force microscopy or magnetic force scanning tunneling microscopy 17 to recover the overwritten header however see also the chapter Security Requirements and Precautions 54 Volumes gt Set Header Key Derivation Algorithm This function allows you to re encrypt a volume header with a header key derived using a different PRF function for example instead of HMAC RIPEMD 160 you could use HMAC Whirlpool Note that the volume header contains the master encryption key with which the volume is encrypted Therefore the data stored on the volume will not be lost after you use this function For more information see the section Header Key Derivation Salt and Iteration Count Note When TrueCrypt re encrypts a volume header the original volume header is first overwritten 256 times with ra
95. g the corresponding file folder icons to the keyfile dialog window or to the password entry dialog Keyfiles gt Add Remove Keyfiles to from Volume This function allows you to re encrypt a volume header with a header encryption key derived from any number of keyfiles with or without a password or no keyfiles at all Thus a volume which is possible to mount using only a password can be converted to a volume that require keyfiles in addition to the password in order to be possible to mount Note that the volume header contains the master encryption key with which the volume is encrypted Therefore the data stored on the volume will not be lost after you use this function This function can also be used to change set volume keyfiles i e to remove some or all keyfiles and to apply new ones Remark This function is internally equal to the Password Change function When TrueCrypt re encrypts a volume header the original volume header is first overwritten 256 times with random data to prevent adversaries from using techniques such as magnetic force microscopy or magnetic force scanning tunneling microscopy 17 to recover the overwritten header however see also the chapter Security Requirements and Precautions Keyfiles gt Remove All Keyfiles from Volume This function allows you to re encrypt a volume header with a header encryption key derived from a password and no keyfiles so that it can be mounted using only a password with
96. g to Hidden Operating Systems 41 SYSTEM ENCRYPTION sesscsssscecsccccescccistescccescesccessscececcaccecceusecscececcescccesusececcacebscousscasecescescccesesssees 43 Hidden Operating Systems A ede eee ees 43 Operating Systems Supported for System Encryption eee ceeeeceseeeneeeneeceeeeeseeeeneeesaeens 44 TrueCrypt Rescue Disk cirios ii ideas 44 PARAELLELIZATIO Nucia darian iaa nia ala iaa darian 46 NN TN 46 TRUECRYPT VOLUME vivssccccsccicvcvecscsessecevecesssovacsvevevesecssseucusecavasasccebacuocsesucnsecectecsecavatasssecdsscstavate 47 CREATING A NEW TRUECRYPT VOLUME 00000s00esseseseessssssssesssesessseseseseseseseseseseseseseseseseseseseseeees 47 Hash Algorithm esseistinen nipan e aE AE AATE a a aaie 47 Encryption Algorithmes a a s 47 It SA A a a a tia 48 O 48 CUE SIZS A A NO RR O di tati er SPE ET 48 TrueCrypt Volumes on CDs and DVDS iii eek idl naan 48 Hardware Software RAID Windows Dynamic Volumes ooooooccnoccccoocccnonnnononcnononcnonancconnnnnos 49 Additional Notes on Volume Creation cooooonncnccnnnonononanicnocnnncnnononanecacccncnnonnnnnnncconccnonenananisss 49 MAIN PROGRAM WINDOW ccccsssssssssssssssssssssssssssesssssssssssssssesssesssescsesesesssesssesssssesesssesesess 50 Select S A l E EE sects atten toate debe vetilna fos Bide EE E Stoataiea E EAE cating 50 Seleck DEVICE eee EE e e Bes PN TS as Ne ns ld dee O 50 MOI de se a Ed 50 Auto Mount Device ld 50 DISTIN a cas 51 DismountAll a A DOOR
97. h a cascade encryption algorithm On the system partition you store data that is less sensitive than data you store on the non system partition i e on the outer volume 40 Note When the user attempts to encrypt the system partition with a cascade encryption algorithm TrueCrypt warns him or her that it can cause the following problems and implicitly recommends to choose a non cascade encryption algorithm instead o For cascade encryption algorithms the TrueCrypt Boot Loader is larger than normal and therefore there is not enough space in the first drive track for a backup of the TrueCrypt Boot Loader Hence whenever it gets damaged which often happens for example during inappropriately designed anti piracy activation procedures of certain programs the user must use the TrueCrypt Rescue Disk to repair the TrueCrypt Boot Loader or to boot o On some computers resuming from hibernation takes longer In contrast to a password for a non system TrueCrypt volume a pre boot authentication password needs to be typed each time the computer is turned on or restarted Therefore if the pre boot authentication password is long which is required for security purposes it may be very tiresome to type it so frequently Hence you can answer that it was more convenient for you to use a short and therefore weaker password for the system partition i e the decoy system and that it is more convenient for you to store the most sensitive data which
98. he device in the Computer or My Computer list or use the Safely Remove Hardware function built in Windows accessible via the taskbar notification area Otherwise data loss may occur What is a hidden operating system See the section Hidden Operating System What is plausible deniability See the chapter Plausible Deniability Will be able to mount my TrueCrypt partition container after reinstall or upgrade the operating system Yes TrueCrypt volumes are independent of the operating system However you need to make sure your operating system installer does not format the partition where your TrueCrypt volume resides Note If the system partition drive is encrypted and you want to reinstall or upgrade Windows you need to decrypt it first select System gt Permanently Decrypt System Partition Drive However a running operating system can be updated security patches service packs etc without any problems even when the system partition drive is encrypted Can I upgrade from an older version of TrueCrypt to the latest version without any problems Generally yes However before upgrading please read the release notes for all versions of TrueCrypt that have been released since your version was released If there are any known issues or incompatibilities related to upgrading from your version to a newer one they will be listed in the release notes Can upgrade TrueCrypt if the system partition drive
99. he mounted volume for example by double clicking the item marked with a red rectangle in the screenshot above Continued on the next page 23 You can also browse to the mounted volume the way you normally browse to any other types of volumes For example by opening the Computer or My Computer list and double clicking the corresponding drive letter in this case it is the letter M lol File Edit View Favorites Tools Help ay gt uy Y 7 Y D B Back Forward Up Refresh Address 4 My Computer y me SYSTEM 0 Local Disk amp Local Disk D Local Disk Local Disk F Local Disk E Local Disk M Local Disk Ea Free Space 0 97 9 My Computer You can copy files to and from the TrueCrypt volume just as you would copy them to any normal disk for example by simple drag and drop operations Files that are being read or copied from the encrypted TrueCrypt volume are automatically decrypted on the fly in memory RAM Similarly files that are being written or copied to the encrypted TrueCrypt volume are automatically encrypted on the fly right before they are written to the disk in RAM Note that TrueCrypt never saves any decrypted data to a disk it only stores them temporarily in RAM memory Even when the volume is mounted data stored in the volume is still encrypted When you restart Windows or turn off your computer the volume will b
100. he system partition you store data that is less sensitive but which you need to access often than data you store on the non system partition i e on the outer volume Safety Security Precautions and Requirements Pertaining to Hidden Operating Systems As a hidden operating system resides in a hidden TrueCrypt volume a user of a hidden operating system must follow all of the security requirements and precautions that apply to normal hidden TrueCrypt volumes These requirements and precautions as well as additional requirements and precautions pertaining specifically to hidden operating systems are listed in the subsection Security Requirements and Precautions Pertaining to Hidden Volumes WARNING If you do not protect the hidden volume for information on how to do so refer to the section Protection of Hidden Volumes Against Damage do not write to the outer volume note that the decoy operating system is not installed in the outer volume Otherwise you may overwrite and damage the hidden volume and the hidden operating system within it 41 If all the instructions in the wizard have been followed and if the security requirements and precautions listed in the subsection Security Requirements and Precautions Pertaining to Hidden Volumes are followed it will be impossible to prove that the hidden volume and hidden operating system exist even when the outer volume is mounted or when the decoy operating system is decrypted or started
101. hey are derived from a single password see the section Header Key Derivation Salt and Iteration Count See above for information on the individual cascaded ciphers Twofish Serpent Two ciphers in a cascade 15 16 operating in XTS mode see the section Modes of Operation Each 128 bit block is first encrypted with Serpent 256 bit key in XTS mode and then with Twofish 256 bit key in XTS mode Each of the cascaded ciphers uses its own key All encryption keys are mutually independent note that header keys are independent too even though they are derived from a single password see the section Header Key Derivation Salt and Iteration Count See above for information on the individual cascaded ciphers 73 Hash Algorithms In the Volume Creation Wizard in the password change dialog window and in the Keyfile Generator dialog window you can select a hash algorithm A user selected hash algorithm is used by the TrueCrypt Random Number Generator as a pseudorandom mixing function and by the header key derivation function HMAC based on a hash function as specified in PKCS 5 v2 0 as a pseudorandom function When creating a new volume the Random Number Generator generates the master key secondary key XTS mode and salt For more information please see the section Random Number Generator and section Header Key Derivation Salt and Iteration Count RIPEMD 160 RIPEMD 160 published in 1996 is a hash algorithm designe
102. ibed below does not affect you if the system partition or system drive is encrypted for more information see the chapter System Encryption and if the system is configured to write memory dump files to the system drive which it typically is by default Most operating systems including Windows can be configured to write debugging information and contents of the system memory to so called memory dump files when an error occurs system crash blue screen bug check Therefore memory dump files may contain sensitive data TrueCrypt cannot prevent cached passwords encryption keys and the contents of sensitive files opened in RAM from being saved unencrypted to memory dump files Note that when you open a file stored on a TrueCrypt volume for example in a text editor then the content of the file is stored unencrypted in RAM and it may remain unencrypted in RAM until the computer is turned off Also note that when a TrueCrypt volume is mounted its master key is stored unencrypted in RAM Therefore you must disable memory dump file generation on your computer at least for each session during which you work with any sensitive data and during which you mount a TrueCrypt volume To do so in Windows XP or later right click the Computer or My Computer icon on the desktop or in the Start Menu and then select Properties gt on Windows Vista or later gt Advanced System Settings gt Advanced tab gt section Startup and Recovery gt Sett
103. ical Details When rumning the hidden operating system appears to be installed on the same partition as the original operating system the decoy system However in reality it is installed within the partition behind it in a hidden volume All read write operations are transparently redirected from the system partition to the hidden volume Neither the operating system nor applications will know that data written to and read from the system partition is actually written to and read from the partition behind it from to a hidden volume Any such data is encrypted and decrypted on the fly as usual with an encryption key different from the one that is used for the decoy operating system Note that there will also be a third password the one for the outer volume It is not a pre boot authentication password but a regular TrueCrypt volume password It can be safely disclosed to anyone forcing you to reveal the password for the encrypted partition where the hidden volume containing the hidden operating system resides Thus the existence of the hidden volume and of the hidden operating system will remain secret If you are not sure you understand how this is possible or what an outer volume is please read the section Hidden Volume The outer volume should contain some sensitive looking files that you actually do not want to hide To summarize there will be three passwords in total Two of them can be revealed to an attacker for the decoy s
104. ifferent time which might indicate the existence of a hidden operating system on your computer For similar reasons any software that requires activation must be installed and activated before you start creating the hidden operating system When you need to shut down the hidden system and start the decoy system do not restart the computer Instead shut it down or hibernate it and then leave it powered off for several minutes before turning the computer on and booting the decoy system This is required to clear the memory which may contain sensitive data For more information see the section Unencrypted Data in RAM in the chapter Security Requirements and Precautions The computer may be connected to a network including the internet only when the decoy operating system is running When the hidden operating system is running the computer should not be connected to any network including the internet one of the most reliable ways to ensure it is to unplug the network cable if there is one Note that if data is downloaded from or uploaded to a remote server the date and time of the connection and other data are typically logged on the server Various kinds of data are also logged on the operating system e g Windows auto update data application logs error logs etc Therefore if an adversary had access to the data stored on the server or intercepted your request to the server and if you revealed the password for the decoy operating sy
105. ilename and location you like for example on a USB memory stick Note that the file My Volume does not exist yet TrueCrypt will create it IMPORTANT Note that TrueCrypt will not encrypt any existing files If you select an existing file it will be overwritten and replaced by the newly created volume so the overwritten file will be ost not encrypted You will be able to encrypt existing files later on by moving them to the TrueCrypt volume that we are creating now Select the desired path where you wish the container to be created in the file selector Type the desired container filename in the File name box Click Save The file selector window should disappear In the following steps we will return to the TrueCrypt Volume Creation Wizard Note that after you copy existing unencrypted files to a TrueCrypt volume you should securely erase wipe the original unencrypted files There are software tools that can be used for the purpose of secure erasure many of them are free STEP 7 Volume Location D My Documents My Volume y Select File IV Never save history A TrueCrypt volume can reside in a file called TrueCrypt container which can reside on a hard disk on a USB Flash drive etc 4 TrueCrypt container is just like any normal file it can be for example moved copied and deleted as any normal file Click Select File to choose a filename for the container and to select the location whe
106. iles that it finds on the USB memory stick as keyfiles WARNING When you add a folder as opposed to a file to the list of keyfiles only the path is remembered not the filenames This means e g that if you create a new file in the folder or if you copy an additional file to the folder then all volumes that used keyfiles from the folder will be impossible to mount until you remove the newly added file from the folder Empty Password amp Keyfile When a keyfile is used the password may be empty so the keyfile may become the only item necessary to mount the volume which we do not recommenda If default keyfiles are set and enabled when mounting a volume then before prompting for a password TrueCrypt first automatically attempts to mount using an empty password plus default keyfiles If you need to set Mount Options e g mount as read only protect hidden volume etc for a volume being mounted this way hold down the Control Ctrl key while clicking Mount or select Mount with Options from the Volumes menu This will open the Mount Options dialog Found at the time when you are mounting the volume changing its password or performing any other operation that involves re encryption of the volume header 62 Quick Selection Keyfiles and keyfile search paths can be quickly selected in the following ways Right click the Keyfiles button in the password entry dialog window and select one of the menu items Dra
107. ility in any way The adversary still cannot prove that the partition device is a TrueCrypt volume or that the file partition or device contains a hidden TrueCrypt volume provided that you follow the security requirements and precautions listed in the chapter Security Requirements and Precautions and subsection Security Requirements and Precautions Pertaining to Hidden Volumes Whenever TrueCrypt accesses a file hosted volume e g when dismounting attempting to mount changing or attempting to change the password creating a hidden volume within it etc or a keyfile it preserves the timestamp of the container keyfile i e date and time that the container keyfile was last accessed or last modified unless this behavior is disabled in the preferences Note that if you use the Windows File Properties tool to view a container keyfile timestamp e g by right clicking the container keyfile and selecting Properties you will alter the date and time that the container keyfile was last accessed Also note that if you view thumbnails of files in the Windows file selector for instance when selecting a container or 26 Hidden Volume lt may happen that you are forced by somebody to reveal the password to an encrypted volume There are many situations where you cannot refuse to reveal the password for example due to extortion Using a so called hidden volume allows you to solve such situations without revealing the password t
108. ings gt section Write debugging information gt select none gt OK Note Due to a missing API if the system partition drive is encrypted by TrueCrypt and if the system is configured to write memory dump files to the system drive which it typically is by default the TrueCrypt driver automatically prevents Windows from writing any data to memory 82 dump files for information on how to encrypt the system partition drive see the chapter System Encryption Unencrypted Data in RAM It is important to note that TrueCrypt is disk encryption software which encrypts only disks not RAM memory Keep in mind that most programs do not clear the memory area buffers in which they store unencrypted portions of files they load from a TrueCrypt volume This means that after you exit such a program unencrypted data it worked with may remain in memory RAM until the computer is turned off and according to some researchers even for some time after the power is turned off Also note that if you open a file stored on a TrueCrypt volume for example in a text editor and then force dismount on the TrueCrypt volume then the file will remain unencrypted in the area of memory RAM used by allocated to the text editor This also applies to forced auto dismount Inherently unencrypted master keys have to be stored in RAM too When a non system TrueCrypt volume is dismounted TrueCrypt erases its master keys stored in RAM When the co
109. ion drive Encrypts a non system partition on any internal or external drive e g a flash drive Optionally creates a hidden volume C Encrypt the system partition or entire system drive Encrypts the partition drive where Windows is installed Anyone who wants to gain access and use the system read and write files etc will need to enter the correct password each time before Windows boots Optionally creates a hidden system More information about system encryption Cancel The TrueCrypt Volume Creation Wizard window should appear In this step you need to choose where you wish the TrueCrypt volume to be created A TrueCrypt volume can reside in a file which is also called container in a partition or drive In this tutorial we will choose the first option and create a TrueCrypt volume within a file As the option is selected by default you can just click Next Note In the following steps the screenshots will show only the right hand part of the Wizard window STEP 4 In this step you need to choose whether to create a standard or hidden TrueCrypt volume In this tutorial we will choose the former option and create a standard TrueCrypt volume As the option is selected by default you can just click Next STEP 5 Volume Location z Select File V Never save history A TrueCrypt volume can reside in a file called TrueCrypt container which can reside on a hard disk on a USB Flash dr
110. ith the protection of national security systems and or national security information 1 71 Serpent Designed by Ross Anderson Eli Biham and Lars Knudsen published in 1998 It uses a 256 bit key 128 bit block and operates in XTS mode see the section Modes of Operation Serpent was one of the AES finalists It was not selected as the proposed AES algorithm even though it appeared to have a higher security margin than the winning Rijndael 4 More concretely Serpent appeared to have a high security margin while Rijndael appeared to have only an adequate security margin 4 Rijndael has also received some criticism suggesting that its mathematical structure might lead to attacks in the future 4 In 5 the Twofish team presents a table of safety factors for the AES finalists Safety factor is defined as number of rounds of the full cipher divided by the largest number of rounds that has been broken Hence a broken cipher has the lowest safety factor 1 Serpent had the highest safety factor of the AES finalists 3 56 for all supported key sizes Rijndael 256 had a safety factor of 1 56 In spite of these facts Rijndael was considered an appropriate selection for the AES for its combination of security performance efficiency implementability and flexibility 4 At the last AES Candidate Conference Rijndael got 86 votes Serpent got 59 votes Twofish got 31 votes RC6 got 23 votes and MARS got 13 votes 18 19 Twofish
111. ity patches service packs etc without any problems even when the system partition drive is encrypted Repair features of the Windows pre boot component are not supported when the operating system is encrypted When the notebook battery power is low Windows may omit sending the appropriate messages to running applications when the computer is entering power saving mode Therefore TrueCrypt may fail to auto dismount volumes in such cases Some filesystems other than NTFS and FAT store file attribute modification timestamps TrueCrypt is unable as there is no appropriate API to preserve such timestamps even if the option Preserve timestamps of file containers is enabled Due to a Windows limitation a container stored in a remote filesystem shared over a network cannot be mounted as a system favorite volume however it can be mounted as a regular non system favorite volume when a user logs on Special software e g a low level disk editor that writes data to a disk drive in a way that circumvents drivers in the driver stack of the class DiskDrive GUID of the class is 4D36E967 E325 11CE BFC1 08002BE10318 can write unencrypted data to a non system drive hosting a mounted TrueCrypt volume Partition0 and to encrypted partitions drives that are within the key scope of active system encryption TrueCrypt does not encrypt such data written that way Similarly software that writes data to a disk drive circumventing drivers in
112. ive etc 4 TrueCrypt container is just like any normal file it can be for example moved copied and deleted as any normal file Click Select File to choose a filename for the container and to select the location where you wish the container to be created WARNING IF you select an existing file TrueCrypt will NOT encrypt it the file be deleted and replaced with the newly created TrueCrypt container You will be able to encrypt existing files later on by moving them to the TrueCrypt container that you are about to create now Help In this step you have to specify where you wish the TrueCrypt volume file container to be created Note that a TrueCrypt container is just like any normal file It can be for example moved or deleted as any normal file It also needs a filename which you will choose in the next step Click Select File The standard Windows file selector should appear while the window of the TrueCrypt Volume Creation Wizard remains open in the background 10 STEP 6 Specify Path and File Name Ed x Look in f My Documents E My Computer My Documents Desktop 2 Recent Fie nane Files of type an Files y Cancel A In this tutorial we will create our TrueCrypt volume in the folder D My Documents and the filename of the volume container will be My Volume as can be seen in the screenshot above You may of course choose any other f
113. keyfiles It is very important that you choose a good password You should avoid choosing one that contains only a single word that can be found in a dictionary or a combination of 2 3 or 4 such words It should not contain any names or dates of birth It should mot be easy to guess 4 good password is a random combination of upper and lower case letters numbers and special characters such as etc We recommend choosing a password consisting of more than 20 characters the longer the better The maximum password length is 64 characters Help lt Prey Cancel This is one of the most important steps Here you have to choose a good volume password Read carefully the information displayed in the Wizard window about what is considered a good password After you choose a good password type it in the first input field Then re type it in the input field below the first one and click Next Note The button Next will be disabled until passwords in both input fields are the same STEP 11 Volume Format Options Filesystem Far y Cluster Default y J Dynamic Random Pool AOBOSBC33EB6D3FA30A05F6355622D13 M Header Key Master Key Abort Done Speed Left IMPORTANT Move your mouse as randomly as possible within this window The longer you move it the better This significantly increases the cryptographic strength of the encryption keys Then click Format to create the volume Help l
114. l be impossible to prove provided that certain guidelines are followed see below Thus you will not have to decrypt or reveal the password for the hidden operating system Before you continue reading this section make sure you have read the section Hidden Volume and that you understand what a hidden TrueCrypt volume is A hidden operating system is a system for example Windows Vista or Windows XP that is installed in a hidden TrueCrypt volume It is impossible to prove that a hidden TrueCrypt volume exists provided that certain guidelines are followed for more information see the section Hidden Volume and therefore it is impossible to prove that a hidden operating system exists However in order to boot a system encrypted by TrueCrypt an unencrypted copy of the TrueCrypt Boot Loader has to be stored on the system drive or on a TrueCrypt Rescue Disk Hence the mere presence of the TrueCrypt Boot Loader can indicate that there is a system encrypted by TrueCrypt on the computer Therefore to provide a plausible explanation for the presence of the TrueCrypt Boot Loader the TrueCrypt wizard helps you create a second encrypted operating system so called decoy operating system during the process of creation of a hidden operating system A decoy operating system must not contain any sensitive files lts existence is not secret it is not installed in a hidden volume The password for the decoy operating system can be safely revealed to
115. lems when creating a hidden volume refer to the chapter Troubleshooting for possible solutions Note that it is also possible to create and boot an operating system residing in a hidden volume see the section Hidden Operating System in the chapter Plausible Deniability The wizard scans the cluster bitmap to determine the size of the uninterrupted area of free space if there is any whose end is aligned with the end of the outer volume This area accommodates the hidden volume and therefore the size of this area limits the maximum possible size of the hidden volume On Linux and Mac OS X the wizard actually does not scan the cluster bitmap but the driver detects any data written to the outer volume and uses their position as previously described 28 Protection of Hidden Volumes Against Damage If you mount a TrueCrypt volume within which there is a hidden volume you may read data stored on the outer volume without any risk However if you or the operating system need to save data to the outer volume there is a risk that the hidden volume will get damaged overwritten To prevent this you should protect the hidden volume in a way described in this section When mounting an outer volume type in its password and before clicking OK click Mount Options Enter password for Device Harddisk1 Partition4 Password olialia Cache passwords and keyfiles in memory Cancel I Display Password Mount Options Use keyfiles
116. lose them manually TrueCrypt Background Task Enabled See the chapter TrueCrypt Background Task TrueCrypt Background Task Exit when there are no mounted volumes If this option is checked the TrueCrypt background task automatically and silently exits as soon as there are no mounted TrueCrypt volumes For more information see the chapter TrueCrypt Background Task Note that this option cannot be disabled when TrueCrypt runs in portable mode Auto dismount volume after no data has been read written to it for After no data has been written read to from a TrueCrypt volume for n minutes the volume is automatically dismounted Force auto dismount even if volume contains open files or directories This option applies only to auto dismount not to regular dismount It forces dismount without prompting on the volume being auto dismounted in case it contains open files or directories i e file directories that are in use by the system or applications 58 Mounting TrueCrypt Volumes If you have not done so yet please read the sections Mount and Auto Mount Devices in the chapter Main Program Window Cache Password in Driver Memory This option can be set in the password entry dialog so that it will apply only to that particular mount attempt It can also be set as default in the Preferences For more information please see the section Settings gt Preferences subsection Cache passwords in driver memory Mount Optio
117. lp try disabling or uninstalling any anti virus utility you use and restarting the system subsequently PROBLEM When accessing a file hosted container shared over a network insufficient memory or not enough server storage is available error is reported 96 PROBABLE CAUSE IRPStackSize in the Windows registry may have been set to a too small value POSSIBLE SOLUTION Locate the RPStackSize key in the Windows registry and set it to a higher value Then restart the system If the key does not exist in the Windows registry create it at HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Services LanmanServer Parameters and set its value to 16 or higher Then restart the system For more information see http support microsoft com kb 285089 and http support microsoft com kb 177078 97 Incompatibilities It is recommended that you read also the latest online version of this chapter at http www truecrypt org docs s incompatibilities Activation of Adobe Photoshop and Other Products Using FLEXnet Publisher SafeCast Note The issue described below does not affect you if you use TrueCrypt 5 1 or later and a non cascade encryption algorithm i e AES Serpent or Twofish The issue also does not affect you if you do not use pre boot authentication see the chapter System Encryption Acresso FLEXnet Publisher activation software formerly Macrovision SafeCast used for activation of third party software
118. lume 5cceb1 96 4 8bf 46ab ad00 70965512253a To determine the volume name use e g mount vol exe Also note that device paths are case sensitive Driver letter to mount the volume as When 1 is omitted and when a is used the first free drive letter is used Open an Explorer window after a volume has been mounted Beep after a volume has been successfully mounted or dismounted If no parameter is specified automatically mount the volume If devices is specified as the parameter e g a devices auto mount all currently accessible device partition hosted TrueCrypt volumes If favorites is specified as the parameter auto mount favorite volumes Note that auto is implicit if quit and volume are specified Dismount volume specified by drive letter e g d x When no drive letter is specified dismounts all currently mounted TrueCrypt volumes Forces dismount if the volume to be dismounted contains files being used by the system or an application and forces mounting in shared mode i e without exclusive access Specifies a keyfile or a keyfile search path For multiple keyfiles specify e g k c keyfilel dat k d KeyfileFolder k c kf2 To specify a keyfile stored on a security token or smart card use the following syntax token slot SLOT_NUMBER file FILE_NAME Use the specified PKCS 11 library for security tokens and smart cards y or no parameter enable password cache n disable password cache e
119. ly erase free space on the host volume in the defragmented file system after defragmenting B Do not defragment file systems in which you store TrueCrypt volumes o A file hosted TrueCrypt container is stored in a journaling file system such as NTFS A copy of the TrueCrypt container or of its fragment may remain on the host volume To prevent this do one the following B Use a partition device hosted TrueCrypt volume instead of file hosted B Store the container in a non journaling file system for example FAT32 o A TrueCrypt volume resides on a device that utilizes a wear leveling mechanism e g some USB flash drives A copy of a fragment of the TrueCrypt volume may remain on the device For more information on wear leveling see the section Wear Leveling in the chapter Security Requirements and Precautions o You back up content of a hidden volume by cloning its host volume or create a new hidden volume by cloning its host volume see How to Back Up Securely and Volume Clones 32 Make sure that Quick Format is disabled when encrypting a partition device within which you intend to create a hidden volume On Windows make sure you have not deleted any files within a volume within which you intend to create a hidden volume the cluster bitmap scanner does not detect deleted files On Linux or Mac OS X if you intend to create a hidden volume within a file hosted TrueCrypt volume make sure that the volume is not sparse fil
120. m Number Generator during the volume creation process If a TrueCrypt volume hosts a hidden volume within its free space the header of the hidden volume is located at the byte 65536 of the host volume the header of the host outer volume is located at the byte 0 of the host volume see the section Hidden Volume If there is no hidden volume within a TrueCrypt volume the bytes 65536 131071 of the volume i e the area where the header of a hidden volume can reside contain random data see above for information on the method used to fill free volume space with random data when the volume is created The layout of the header of a hidden volume is the same as the one of a standard volume bytes 0 65535 The maximum possible TrueCrypt volume size is 263 bytes 8 589 934 592 GB However due to security reasons with respect to the 128 bit block size and the mode of operation the maximum allowed volume size is 1 PB 1 048 576 GB Embedded Backup Headers Each TrueCrypt volume created by TrueCrypt 6 0 or later contains an embedded backup header located at the end of the volume see above The header backup is not a copy of the volume header because it is encrypted with a different header key derived using a different salt see the section Header Key Derivation Salt and Iteration Count When the volume password and or keyfiles are changed or when the header is restored from the embedded or an external header backup both the volum
121. m values in RAM memory The pool which is 640 bytes long is filled with data from the following sources Mouse movements Keystrokes Mac OS X and Linux Values generated by the built in RNG both dev random and dev urandom MS Windows only MS Windows CryptoAPI collected regularly at 500 ms interval MS Windows only Network interface statistics NETAPI32 MS Windows only Various Win32 handles time variables and counters collected regularly at 500 ms interval Before a value obtained from any of the above mentioned sources is written to the pool it is divided into individual bytes e g a 32 bit number is divided into four bytes These bytes are then individually written to the pool with the modulo 2 addition operation not by replacing the old values in the pool at the position of the pool cursor After a byte is written the pool cursor position is advanced by one byte When the cursor reaches the end of the pool its position is set to the beginning of the pool After every 16 byte written to the pool the pool mixing function is applied to the entire pool see below Pool Mixing Function The purpose of this function is to perform diffusion 2 Diffusion spreads the influence of individual raw input bits over as much of the pool state as possible which also hides statistical relationships After every 16 byte written to the pool this function is applied to the entire pool Description of the pool mixing function 1
122. mary header each subsequent time that the user attempts to mount the volume until he or she clicks Cancel If TrueCrypt fails to decrypt the primary header but it successfully decrypts the embedded backup header at the same time the volume is mounted and the user is warned that the volume header is damaged and informed as to how to repair it Note that these features can be used in a corporate environment to reset volume passwords in case a user forgets it or when he she loses his her keyfile After you create a volume backup its header select Tools gt Backup Volume Header before you allow a non admin user to use the volume Note that the volume header which is encrypted with a header key derived from a password keyfile contains the master key with which the volume is encrypted Then ask the user to choose a password and set it for him her Volumes gt Change Volume Password or generate a user keyfile for him her Then you can allow the user to use the volume and to change the password keyfiles without your assistance permission In case he she forgets his her password or loses his her keyfile you can reset the volume password keyfiles to your original admin password keyfiles by restoring the volume header backup Tools gt Restore Volume Header Settings gt Preferences Invokes the Preferences dialog window where you can change among others the following options Wipe cached passwords on exit If enabled passwords
123. me using different user passwords or PINs Just give each user a security token or smart card containing the same TrueCrypt keyfile and let them choose their personal password or PIN that will protect their security token or smart card Allows managing multi user shared access all keyfile holders must present their keyfiles before a volume can be mounted Any kind of file for example txt exe mp3 avi can be used as a TrueCrypt keyfile however we recommend that you prefer compressed files such as mp3 jpg zip etc Note that TrueCrypt never modifies the keyfile contents Therefore it is possible to use for example five files in your large mp3 collection as TrueCrypt keyfiles and inspection of the files will not reveal that they are used as keyfiles You can select more than one keyfile the order does not matter You can also let TrueCrypt generate a file with random content and use it as a keyfile To do so select Keyfiles gt Generate Random Keyfile Note Keyfiles are currently not supported for system encryption IMPORTANT To make brute force attacks on a keyfile infeasible the size of the keyfile should be at least 30 bytes If a volume uses multiple keyfiles then at least one of the keyfiles should be 30 bytes in size or larger Note that the 30 byte limit assumes a large amount of entropy in the keyfile If the first 1024 kilobytes of a file contain only a small amount of entropy it should not be used as a key
124. me you want to back up the volume see below If you follow the above steps you will help prevent adversaries from finding out Which sectors of the volumes are changing because you always follow step 1 This is particularly important for example if you store the backup volume on a device kept in a bank s safe deposit box or in any other location that an adversary can repeatedly access and the volume contains a hidden volume for more information see the subsection Security Requirements and Precautions Pertaining to Hidden Volumes in the chapter Plausible Deniability That one of the volumes is a backup of the other System Partitions Note In addition to backing up files we recommend that you also back up your TrueCrypt Rescue Disk select System gt Create Rescue Disk For more information see the section TrueCrypt Rescue Disk 89 To back up an encrypted system partition securely and safely it is recommended to follow these steps 1 If you have multiple operating systems installed on your computer boot the one that does not require pre boot authentication If you do not have multiple operating systems installed on your computer you can boot a BartPE CD DVD live Windows entirely stored on and booted from a CD DVD for more information search the section Frequently Asked Questions for the keyword BartPE If none of the above is possible connect your system drive as a secondary drive to another computer an
125. most cases it is not safe to work with sensitive data under systems where you do not have administrator privileges because the administrator can easily capture and copy the sensitive data including the passwords and keys 2 After examining the registry file it may be possible to tell that TrueCrypt was run and that a TrueCrypt volume was mounted on a Windows system even if it had been run in portable mode If you need to solve these problems we recommend using BartPE for this purpose For further information on BartPE see the question Is it possible to use TrueCrypt without leaving any traces on Windows in the section Frequently Asked Questions There are two ways to run TrueCrypt in portable mode 1 After you extract files from the TrueCrypt self extracting package you can directly run TrueCrypt exe Note To extract files from the TrueCrypt self extracting package run it and then select Extract instead of Install on the second page of the TrueCrypt Setup wizard 2 You can use the Traveler Disk Setup facility to prepare a special traveler disk and launch TrueCrypt from there The second option has several advantages which are described in the following sections in this chapter Note When running in portable mode the TrueCrypt driver is unloaded when it is no longer needed e g when all instances of the main application and or of the Volume Creation Wizard are closed and no TrueCrypt volumes are moun
126. mpg etc stored on a TrueCrypt volume Yes TrueCrypt encrypted volumes are like normal disks You provide the correct password and or keyfile and mount open the TrueCrypt volume When you double click the icon of the video file the operating system launches the application associated with the file type typically a media player The media player then begins loading a small initial portion of the video file from the TrueCrypt encrypted volume to RAM memory in order to play it While the portion is being loaded TrueCrypt is automatically decrypting it in RAM The decrypted portion of the video stored in RAM is then played by the media player While this portion is being played the media player begins loading next small portion of the video file from the TrueCrypt encrypted volume to RAM memory and the process repeats The same goes for video recording Before a chunk of a video file is written to a TrueCrypt volume TrueCrypt encrypts it in RAM and then writes it to the disk This process is called on the fly encryption decryption and it works for all file types not only for video files Will TrueCrypt be open source and free forever Yes it will We will never create a commercial version of TrueCrypt as we believe in open source and free security software Is it possible to donate to the TrueCrypt project Yes For more information please visit http www truecrypt org donations I forgot my password is there any way
127. mputer is cleanly restarted or cleanly shut down all non system TrueCrypt volumes are automatically dismounted and thus all master keys stored in RAM are erased by the TrueCrypt driver except master keys for system partitions drives see below However when power supply is abruptly interrupted when the computer is reset not cleanly restarted or when the system crashes TrueCrypt naturally stops running and therefore cannot erase any keys or any other sensitive data Furthermore as Microsoft does not provide any appropriate API for handling hibernation and shutdown master keys used for system encryption cannot be reliably and are not erased from RAM when a computer hibernates is shut down or restarted To summarize TrueCrypt cannot and does not ensure that RAM contains no sensitive data e g passwords master keys or decrypted data Therefore after each session in which you work with a TrueCrypt volume or in which an encrypted operating system is running you must shut down or if the hibernation file is encrypted hibernate the computer and then leave it powered off for several minutes before turning it on again This is required to clear the RAM see also the section Hibernation File Physical Security If an attacker can physically access the computer hardware and you use it after the attacker has physically accessed it then TrueCrypt may become unable to secure data on the computer This is because the attack
128. n Volumes gt Save Currently Mounted Volumes as Favorites above Volumes gt Save Currently Mounted Volumes as System Favorites System favorites are useful for example in the following cases You have volumes that are required to be mounted before system and application services start and before users start logging on There are network shared folders located on TrueCrypt volumes If you configure these volumes as system favorites you will ensure that the network shares will be automatically restored by the system each time it is restarted Note that unlike the regular non system favorites system favorite volumes use the pre boot authentication password and therefore require your system partition drive to be encrypted also note it is not required to enable caching of the pre boot authentication password 53 System favorite volumes can be configured to be available within TrueCrypt only to users with administrator privileges select Settings gt System Favorite Volumes gt Allow only administrators to view and dismount system favorite volumes in TrueCrypt This option should be enabled on servers to ensure that system favorite volumes cannot be dismounted by users without administrator privileges On non server systems this option can be used to prevent system favorite volumes from interfering with normal TrueCrypt functions like e g Dismount All If TrueCrypt is run without administrator privileges the defaul
129. n a BIOS configuration screen appears enable pre boot support for USB keyboards This can typically be done by selecting Advanced gt USB Configuration gt Legacy USB Support or USB Legacy gt Enabled Note that the word legacy is in fact misleading because pre boot components of modern versions of MS Windows require this option to be enabled to allow user interaction control Then save the BIOS settings typically by pressing F10 and restart your computer For more information please refer to the documentation for your BIOS motherboard or contact your computer vendor s technical support team for assistance PROBLEM One of the following problems occurs After the hidden operating system is cloned and the password for it entered the computer hangs after the message Booting is displayed After the pre boot authentication password is entered during the system encryption pretest the computer hangs after the message Booting is displayed PROBABLE CAUSE Memory data corruption caused by a bug in the BIOS of your computer POSSIBLE SOLUTIONS Upgrade your BIOS for information on how to do so please refer to the documentation for your BIOS motherboard or contact your computer vendor s technical support team for assistance Use a different motherboard model brand 95 PROBLEM The label of a filesystem within a TrueCrypt volume cannot be changed under Windows Vista or a later version of Windows PROBA
130. nce Note that reading and writing to from a file container may take significantly longer when the container is heavily fragmented To solve this problem defragment the file system in which the container is stored when the TrueCrypt volume is dismounted What s the recommended way to back up a TrueCrypt volume See the chapter How to Back Up Securely What will happen if I format a TrueCrypt partition See the question s it possible to change the file system of an encrypted volume in this FAQ Is it possible to change the file system of an encrypted volume Yes when mounted TrueCrypt volumes can be formatted as FAT12 FAT16 FAT32 NTFS or any other file system TrueCrypt volumes behave as standard disk devices so you can right click the device icon for example in the Computer or My Computer list and select Format The actual volume contents will be lost However the whole volume will remain encrypted If you format a TrueCrypt encrypted partition when the TrueCrypt volume that the partition hosts is not mounted then the volume will be destroyed and the partition will not be encrypted anymore it will be empty 108 Is it possible to mount a TrueCrypt container that is stored on a CD or DVD Yes However if you need to mount a TrueCrypt volume that is stored on a read only medium such as a CD or DVD under Windows 2000 the file system within the TrueCrypt volume must be FAT Windows 2000 cannot mount an NTF
131. ncryption for example a partition located on the encrypted system drive of another operating system that is not running Useful e g for backup or repair operations Note If you supply a password as a parameter of p make sure that the password has been typed using the standard US keyboard layout in contrast the GUI ensures this automatically bk or headerbak Mount volume using embedded backup header Note All volumes created by TrueCrypt 6 0 or later contain an embedded backup header located at the end of the volume recovery Do not verify any checksums stored in the volume header This option should be used only when the volume header is damaged and the volume cannot be mounted even with the mount option headerbak Example m ro To specify multiple mount options use e g m rm m ts TrueCrypt Format exe TrueCrypt Volume Creation Wizard noisocheck or n Do not verify that TrueCrypt Rescue Disks are correctly burned This can be useful e g in corporate environments where it may be more convenient to maintain a central repository of ISO images rather than a repository of CDs or DVDs WARNING Never attempt to use this option to facilitate the reuse of a previously created TrueCrypt Rescue Disk Note that every time you encrypt a system partition drive you must create a new TrueCrypt Rescue 77 Disk even if you use the same password A previously created TrueCrypt Rescue Disk cannot be reused because it was created
132. ndom data to prevent adversaries from using techniques such as magnetic force microscopy or magnetic force scanning tunneling microscopy 17 to recover the overwritten header however see also the chapter Security Requirements and Precautions System gt Change Password Changes the password used for pre boot authentication see the chapter System Encryption WARNING Your TrueCrypt Rescue Disk allows you to restore key data if it is damaged By doing so you also restore the password that was valid when the TrueCrypt Rescue Disk was created Therefore whenever you change the password you should destroy your TrueCrypt Rescue Disk and create a new one select System gt Create Rescue Disk Otherwise an attacker could decrypt your system partition drive using the old password if he finds the old TrueCrypt Rescue Disk and uses it to restore the key data See also the chapter Security Requirements and Precautions For more information on changing a password please see the section Volumes gt Change Volume Password above System gt Mount Without Pre Boot Authentication Check this option if you need to mount a partition that is within the key scope of system encryption without pre boot authentication For example if you need to mount a partition located on the encrypted system drive of another operating system that is not running This can be useful e g when you need to back up or repair an operating system encrypted by TrueCrypt
133. ne Handbook of Applied Cryptography CRC Press October 1996 International Organization for Standardization ISO Information technology Security techniques Hash functions Part 3 Dedicated hash functions ISO IEC 10118 3 2004 February 24 2004 NIST The Keyed Hash Message Authentication Code HMAC Federal Information Processing Standards Publication 198 March 6 2002 available at http csrc nist gov publications fips fips 198 fips 198a pdf RSA Laboratories PKCS 11 v2 20 Cryptographic Token Interface Standard RSA Security Inc Public Key Cryptography Standards PKCS June 28 2004 available at ftp ftp rsasecurity com pub pkes pkes 11 v2 20 pkes 11v2 20 pdf 133
134. never a container or keyfile is selected via the Windows file selector Therefore the Windows file selector will not remember the path of the last mounted container or the last selected keyfile Furthermore if this option is enabled the volume path input field in the main TrueCrypt window is cleared whenever you hide TrueCrypt Note You can clear the volume history by selecting Tools gt Clear Volume History Exit Terminates the TrueCrypt application The driver continues working and no TrueCrypt volumes are dismounted When running in portable mode the TrueCrypt driver is unloaded when it is no longer needed e g when all instances of the main application and or of the Volume Creation Wizard are closed and no TrueCrypt volumes are mounted However if you force dismount on a TrueCrypt volume when TrueCrypt runs in portable mode or mount a writable NTFS formatted volume on Windows Vista or later the TrueCrypt driver will not be unloaded when you exit TrueCrypt it will be unloaded only when you shut down or restart the system This prevents various problems caused by a bug in Windows for instance it would be impossible to start TrueCrypt again as long as there are applications using the dismounted volume 51 Volume Tools Change Volume Password See the section Volumes gt Change Volume Password Set Header Key Derivation Algorithm See the section Volumes gt Set Header Key Derivation Algorithm Backup Volume Header
135. nning You can click the icon to open the main TrueCrypt window Right click on the icon opens a popup menu with various TrueCrypt related functions You can shut down the Background Task at any time by right clicking the TrueCrypt tray icon and selecting Exit If you need to disable the TrueCrypt Background Task completely and permanently select Settings gt Preferences and uncheck the option Enabled in the TrueCrypt Background Task area of the Preferences dialog window 69 Language Packs Language packs contain third party translations of the TrueCrypt user interface texts Some language packs also contain translated TrueCrypt User Guide Note that language packs are currently supported only by the Windows version of TrueCrypt Installation To install a language pack follow these steps 1 Download a language pack from http www truecrypt org localizations 2 Exit TrueCrypt if it is running 3 Extract the language pack to the folder to which you installed TrueCrypt i e the folder in which the file TrueCrypt exe resides for example C Program Files TrueCrypt or C Program Files x86 TrueCrypt etc 4 Run TrueCrypt 5 The language pack should be automatically detected loaded and set as the default language pack You can select a language at any time by clicking Settings gt Language To revert to English select Settings gt Language Then select English and click OK 70 Encryption Algorithms TrueCr
136. ns Mount options affect the parameters of the volume being mounted The Mount Options dialog can be opened by clicking on the Mount Options button in the password entry dialog When a correct password is cached volumes are automatically mounted after you click Mount If you need to change mount options for a volume being mounted using a cached password hold down the Control Ctrl key while clicking Mount or select Mount with Options from the Volumes menu Default mount options can be configured in the main program preferences Settings gt Preferences Mount volume as read only When checked it will not be possible to write any data to the mounted volume Note that Windows 2000 do not allow NTFS volumes to be mounted as read only Mount volume as removable medium Check this option for example if you need to prevent Windows from automatically creating the Recycled and or System Volume Information folders on the volume these folders are used by the Recycle Bin and System Restore facilities Use backup header embedded in volume if available All volumes created by TrueCrypt 6 0 or later contain an embedded backup header located at the end of the volume If you check this option TrueCrypt will attempt to mount the volume using the embedded backup header Note that if the volume header is damaged you do not have to use this option Instead you can repair the header by selecting Tools gt Restore Volume Header Mount pa
137. nventional file system under one OS while the file system is being modified by another OS might be inconsistent which could result in data corruption 79 Security Requirements and Precautions IMPORTANT If you want to use TrueCrypt you must follow the security requirements and security precautions listed in this chapter The sections in this chapter specify security requirements for using TrueCrypt and give information about things that adversely affect or limit the ability of TrueCrypt to secure data on a computer Data Leaks When a TrueCrypt volume is mounted the operating system and third party applications may write to unencrypted volumes typically to the unencrypted system volume unencrypted information about the data stored in the TrueCrypt volume e g filenames and locations of recently accessed files databases created by file indexing tools etc or the data itself in an unencrypted form temporary files etc or unencrypted information about the filesystem residing in the TrueCrypt volume Note that Windows automatically records large amounts of potentially sensitive data such as the names and locations of files you open applications you run etc In order to prevent data leaks you must follow these steps alternative steps may exist If you do not need plausible deniability o Encrypt the system partition drive for information on how to do so see the chapter System Encryption and make sure that only
138. o your volume A standard TrueCrypt volume Space Occupied by Files Header ofthe Standard Volume Free Space Containing Random Data The standard TrueCrypt volume after a hidden volume was created within it Header ofthe Hidden Volume Data Area ofthe Hidden Volume The layout of a standard TrueCrypt volume before and after a hidden volume was created within it The principle is that a TrueCrypt volume is created within another TrueCrypt volume within the free space on the volume Even when the outer volume is mounted it is impossible to prove whether there is a hidden volume within it or not because free space on any TrueCrypt volume is always filled with random data when the volume is created and no part of the dismounted hidden volume can be distinguished from random data Note that TrueCrypt does not modify the file system information about free space etc within the outer volume in any way keyfile in the Thumbnail file selector mode Windows may modify the timestamps of the files date and time that the files were last accessed Provided that all the instructions in the TrueCrypt Volume Creation Wizard have been followed and provided that the requirements and precautions listed in the subsection Security Requirements and Precautions Pertaining to Hidden Volumes are followed t Provided that the options Quick Format and Dynamic are disabled and provided that the volume does not contain a filesystem that has been
139. of mounting TrueCrypt partitions devices see the section Auto Mount Devices for more information Mount After you click Mount TrueCrypt will try to mount the selected volume using cached passwords if there are any and if none of them works it prompts you for a password If you enter the correct password and or provide correct keyfiles the volume will be mounted Important Note that when you exit the TrueCrypt application the TrueCrypt driver continues working and no TrueCrypt volume is dismounted Auto Mount Devices This function allows you to mount TrueCrypt partitions devices without having to select them manually by clicking Select Device TrueCrypt scans headers of all available partitions devices on your system except DVD drives and similar devices one by one and tries to mount each of them as a TrueCrypt volume Note that a TrueCrypt partition device cannot be identified nor the cipher it has been encrypted with Therefore the program cannot directly find TrueCrypt partitions Instead it has to try mounting each even unencrypted partition device using all encryption algorithms and all cached passwords if there are any Therefore be prepared that this process may take a long time on slow computers If the password you enter is wrong mounting is attempted using cached passwords if there are any If you enter an empty password and if Use keyfiles is unchecked only the cached passwords will be used
140. on of TrueCrypt supports the following operating systems Windows 7 Windows 7 x64 64 bit Edition Windows Vista Windows Vista x64 64 bit Edition Windows XP Windows XP x64 64 bit Edition Windows Server 2008 Windows Server 2008 x64 64 bit Windows Server 2003 Windows Server 2003 x64 64 bit Windows 2000 SP4 Mac OS X 10 6 Snow Leopard 32 bit Mac OS X 10 5 Leopard Mac OS X 10 4 Tiger Linux kernel 2 4 2 6 or compatible Note The following operating systems among others are not supported Windows 2003 IA 64 Windows 2008 IA 64 Windows XP IA 64 Windows 95 98 ME NT See also the section Operating Systems Supported for System Encryption 75 Command Line Usage Note that this section applies to the Windows version of TrueCrypt For information on command line usage applying to the Linux and Mac OS X versions please run truecrypt h help or volume or v letter or I explore or e beep or b auto or a dismount or d force or f keyfile or k tokenlib cache or c history or h wipecache or w Display command line help File and path name of a TrueCrypt volume to mount do not use when dismounting To mount a partition device hosted volume use for example v Device Harddisk1 Partition3 to determine the path to a partition device run TrueCrypt and click Select Device You can also mount a partition or dynamic volume using its volume name for example v Vo
141. on the partition where Windows is installed Note that the last condition is typically met on Windows XP by default However Windows Vista and later versions of Windows are configured by default to create paging files on any suitable volume Therefore before you start using TrueCrypt you must follow these steps Right click the Computer or My Computer icon on the desktop or in the Start Menu and then select Properties gt on Windows Vista or later gt Advanced System Settings gt Advanced tab gt section Performance gt Settings gt Advanced tab gt section Virtual memory gt Change On Windows Vista or later disable Automatically manage paging file size for all drives Then make sure that the list of volumes available for paging file creation contains only volumes within the intended key scope of system encryption for example the volume where Windows is installed To disable paging file creation on a particular volume select it then select No paging file and click Set When done click OK and restart the computer Note You may also want to consider creating a hidden operating system for more information see the section Hidden Operating System Hibernation File Note The issue described below does not affect you if the system partition or system drive is encrypted for more information see the chapter System Encryption and if the hibernation file is located on one the partitions within the key scop
142. out any keyfiles Note that the volume header contains the master encryption key with which the volume is encrypted Therefore the data stored on the volume will not be lost after you use this function Remark This function is internally equal to the Password Change function When TrueCrypt re encrypts a volume header the original volume header is first overwritten 256 times with random data to prevent adversaries from using techniques such as magnetic force microscopy or magnetic force scanning tunneling microscopy 17 to recover the overwritten header however see also the chapter Security Requirements and Precautions Keyfiles gt Generate Random Keyfile You can use this function to generate a file with random content which you can use as a keyfile recommended This function uses the TrueCrypt Random Number Generator Note that the resulting file size is always 64 bytes i e 512 bits which is also the maximum possible TrueCrypt password length 63 Keyfiles gt Set Default Keyfile Paths Use this function to set default keyfiles and or default keyfile search paths This function is particularly useful if you for example store keyfiles on a USB memory stick that you carry with you You can add its drive letter to the default keyfile configuration To do so click Add Path browse to the drive letter assigned to the USB memory stick and click OK Now each time you mount a volume and if Use keyfiles is checked in the passwo
143. ov publications fips fips 197 fips 197 pdf J Nechvatal E Barker L Bassham W Burr M Dworkin J Foti E Roback NIST Report on the Development of the Advanced Encryption Standard AES October 2 2000 available at http nvl nist gov pub nistpubs res 106 3 163nec pdf B Schneier J Kelsey D Whiting D Wagner C Hall N Ferguson T Kohno M Stay The Twofish Team s Final Comments on AES Selection May 15 2000 available at http csrc nist gov archive aes round2 comments 200005 15 bschneier pdf Bruce Schneier Beyond Fear Thinking Sensibly About Security in an Uncertain World Springer 2003 RSA Laboratories PKCS 5 v2 0 Password Based Cryptography Standard RSA Data Security Inc Public Key Cryptography Standards PKCS March 25 1999 available at ftp ftp rsasecurity com pub pkcs pkcs 5v2 pkcs5v2 0 pdf and also courtesy of RSA Laboratories at http www truecrypt org docs pkcs5v2 0 pdf H Krawczyk M Bellare R Canetti HMAC Keyed Hashing for Message Authentication RFC 2104 February 1997 available at http www ietf org rfc rfc2104 txt M Nystrom RSA Security Identifiers and Test Vectors for HMAC SHA 224 HMAC SHA 256 HMAC SHA 384 and HMAC SHA 512 RFC 4231 December 2005 available at http www ietf org rfc rfc423 1 txt Peter Gutmann Software Generation of Practically Strong Random Numbers presented at the 1998 Usenix Security Symposium available at http www cs auckland
144. p and information necessary to successfully create a new TrueCrypt volume However several items deserve further explanation Hash Algorithm Allows you to select which hash algorithm TrueCrypt will use The selected hash algorithm is used by the random number generator as a pseudorandom mixing function which generates the master key secondary key XTS mode and salt for more information please see the section Random Number Generator It is also used in deriving the new volume header key and secondary header key see the section Header Key Derivation Salt and Iteration Count For information about the implemented hash algorithms see the chapter Hash Algorithms Note that the output of a hash function is never used directly as an encryption key For more information please refer to the chapter Technical Details Encryption Algorithm This allows you to select the encryption algorithm with which your new volume will be encrypted Note that the encryption algorithm cannot be changed after the volume is created For more information please see the chapter Encryption Algorithms 47 Quick Format If unchecked each sector of the new volume will be formatted This means that the new volume will be entirely filled with random data Quick format is much faster but may be less secure because until the whole volume has been filled with files it may be possible to tell how much data it contains if the space was not filled with random dat
145. parts of the random number generator source code Wei Dai who wrote the Serpent and RIPEMD 160 routines and Dag Arne Osvik for his paper Speeding up Serpent Mark Adler et al who wrote the Inflate routine The designers of the encryption algorithms hash algorithms and the mode of operation Horst Feistel Don Coppersmith Walt Tuchmann Lars Knudsen Ross Anderson Eli Biham Bruce Schneier David Wagner John Kelsey Niels Ferguson Doug Whiting Chris Hall Joan Daemen Vincent Rijmen Carlisle Adams Stafford Tavares Phillip Rogaway Hans Dobbertin Antoon Bosselaers Bart Preneel Paulo S L M Barreto All the others who have made this project possible all who have morally supported us and all who sent us bug reports or suggestions for improvements Thank you very much 131 References 1 10 11 U S Committee on National Security Systems CNSS National Policy on the Use of the Advanced Encryption Standard AES to Protect National Security Systems and National Security Information CNSS Policy No 15 Fact Sheet No 1 June 2003 available at http www cnss gov Assets pdf cnssp_15_fs pdf and also at http csrc nist gov cryptval CNSS 15FS pdf C E Shannon Communication Theory of Secrecy Systems Bell System Technical Journal v 28 n 4 1949 NIST Advanced Encryption Standard AES Federal Information Processing Standards Publication 197 November 26 2001 available at http csrc nist g
146. ple that he will make you reveal the password then the answer is yes Otherwise it is not necessary because the volume is entirely encrypted How does TrueCrypt know which encryption algorithm my TrueCrypt volume has been encrypted with Please see the section Encryption Scheme chapter Technical Details 112 How to Remove Encryption Please note that TrueCrypt can in place decrypt only system partitions and system drives select System gt Permanently Decrypt System Partition Drive lf you need to remove encryption e g if you no longer need encryption from a non system volume please follow these steps 1 2 Mount the TrueCrypt volume Move all files from the TrueCrypt volume to any location outside the TrueCrypt volume note that the files will be decrypted on the fly Dismount the TrueCrypt volume If the TrueCrypt volume is file hosted delete it the container just like you delete any other file If the volume is partition hosted applies also to USB flash drives in addition to the steps 1 3 do the following a Right click the Computer or My Computer icon on your desktop or in the Start Menu and select Manage The Computer Management window should appear b Inthe Computer Management window from the list on the left select Disk Management within the Storage sub tree c Right click the partition you want to decrypt and select Change Drive Letter and Paths d The Change Drive Lett
147. pt container will be mounted Note In this tutorial we chose the drive letter M but you may of course choose any other available drive letter STEP 14 E TrueCrypt volume Properties ME EA ES Click Select File The standard file selector window should appear STEP 15 Select a TrueCrypt Yolume ax Look in o My Documents e Oe EA a My Computer My Documents E Desktop a i Recent Files of type AI Files y Cancel y YA In the file selector browse to the container file which we created in Steps 6 11 and select it Click Open in the file selector window The file selector window should disappear In the following steps we will return to the main TrueCrypt window STEP 16 E TrueCrypt volume Properties __ einen _ seer Ha Eel In the main TrueCrypt window click Mount Password prompt dialog window should appear 20 STEP 17 Enter password for D My Documents My Volume DISTANT er AO Beem O My Documents My Volme H a a A El e Type the password which you specified in Step 10 in the password input field marked with a red rectangle 21 STEP 18 Enter password for D My Documents My Volume DISTANT er AO BAY Osvevoocuneespiy vole Sec en a ___Yolume Tools _ Select Device E EA Click OK in the password prompt window
148. r master keys stored in RAM and cached passwords stored in RAM if there are any before a computer hibernates or enters a power saving mode However keep in mind that if you do not use system encryption see the chapter System Encryption TrueCrypt still cannot reliably prevent the contents of sensitive files opened in RAM from being saved unencrypted to a hibernation file Note that when you open a file stored on a TrueCrypt volume for example in a text editor then the content of the file is stored unencrypted in RAM and it may remain unencrypted in RAM until the computer is turned off To prevent the issues described above encrypt the system partition drive for information on how to do so see the chapter System Encryption and make sure that the hibernation file is located on one of the partitions within the key scope of system encryption which it typically is by default for example on the partition where Windows is installed When the computer hibernates data will be encrypted on the fly before they are written to the hibernation file Note You may also want to consider creating a hidden operating system for more information see the section Hidden Operating System Alternatively if you cannot use system encryption disable or prevent hibernation on your computer at least for each session during which you work with any sensitive data and during which you mount a TrueCrypt volume Memory Dump Files Note The issue descr
149. r non hidden encrypted system partitions drives are normally stored If it fails and if there is a partition behind the active partition the TrueCrypt It is not practical and therefore is not supported to install operating systems in two TrueCrypt volumes that are embedded within a single partition because using the outer operating system would often require data to be written to the area of the hidden operating system and if such write operations were prevented using the hidden volume protection feature it would inherently cause system crashes i e Blue Screen errors 36 Boot Loader even if there is actually no hidden volume on the drive automatically tries to decrypt using the same entered password again the area of the first partition behind the active partition where the encrypted header of a possible hidden volume might be stored Note that TrueCrypt never knows if there is a hidden volume in advance the hidden volume header cannot be identified as it appears to consist entirely of random data If the header is successfully decrypted for information on how TrueCrypt determines that it was successfully decrypted see the section Encryption Scheme the information about the size of the hidden volume is retrieved from the decrypted header which is still stored in RAM and the hidden volume is mounted its size also determines its offset For further technical details see the section Encryption Scheme in the chapter Techn
150. rd dialog TrueCrypt will scan the path and use all files that it finds there as keyfiles WARNING When you add a folder as opposed to a file to your default keyfile list only the path is remembered not the filenames This means e g that if you create a new file in the folder or if you copy an additional file to the folder then all volumes that used keyfiles from the folder will be impossible to mount until you remove the newly added file from the folder IMPORTANT Note that when you set default keyfiles and or default keyfile search paths the filenames and paths are saved unencrypted in the file Default Keyfiles xml For more information please see the chapter TrueCrypt System Files amp Application Data 64 Security Tokens amp Smart Cards TrueCrypt supports security or cryptographic tokens and smart cards smart card readers that can be accessed using the PKCS 11 2 0 or later protocol 23 For more information please see the section Security Tokens and Smart Cards in the chapter Keyfiles 65 Portable Mode TrueCrypt can run in so called portable mode which means that it does not have to be installed on the operating system under which it is run However there are two things to keep in mind 1 You need administrator privileges in order to able to run TrueCrypt in portable mode for reasons see the chapter Using TrueCrypt Without Administrator Privileges Also note that as regards personal privacy in
151. re you wish the container to be created WARNING IF you select an existing file TrueCrypt will NOT encrypt it the file be deleted and replaced with the newly created TrueCrypt container You will be able to encrypt existing files later on by moving them to the TrueCrypt container that you are about to create now Help lt Prev Cancel In the Volume Creation Wizard window click Next STEP 8 Encryption Options aes Algorithm test FIPS approved cipher Rijndael published in 1998 that may be used by U S government departments and agencies to protect classified information up to the Top Secret level 256 bit key 128 bit block 14 rounds AES 256 Mode of operation is XTS More information on AES Benchmark Hash Algorithm RIPEMD 160 Information on hash algorithms Help lt Prev Cancel Here you can choose an encryption algorithm and a hash algorithm for the volume If you are not sure what to select here you can use the default settings and click Next for more information see Chapters Encryption Algorithms and Hash Algorithms 12 STEP 9 Here we specify that we wish the size of our TrueCrypt container to be 1 megabyte You may of course specify a different size After you type the desired size in the input field marked with a red rectangle click Next STEP 10 Volume Password Password IN confirm f Il Display password I Use
152. rtition using system encryption without pre boot authentication Check this option if you need to mount a partition that is within the key scope of system encryption without pre boot authentication For example if you need to mount a partition located on the encrypted system drive of another operating system that is not running This can be useful e g when you need to back up or repair an operating system encrypted by TrueCrypt from within another operating system Note that this option can be enabled also when using the Auto Mount Devices or Auto Mount All Device Hosted Volumes functions Hidden Volume Protection Please see the section Protection of Hidden Volumes Against Damage 59 Hot Keys To set system wide TrueCrypt hot keys click Settings gt Hot Keys Note that hot keys work only when TrueCrypt or the TrueCrypt Background Task is running Keyfiles Keyfile is a file whose content is combined with a password for information on the method used to combine a keyfile with password see the chapter Technical Details section Keyfiles Until the correct keyfile is provided no volume that uses the keyfile can be mounted You do not have to use keyfiles However using keyfiles has some advantages May improve protection against brute force attacks significant particularly if the volume password is not very strong Allows the use of security tokens and smart cards see below Allows multiple users to mount a single volu
153. rueCrypt 6 1 To do so boot the encrypted system start TrueCrypt select Settings gt System Encryption enable the option Do not show any texts in the pre boot authentication screen and enter the fake error message in the corresponding field for example the Missing operating system message which is normally displayed by the Windows boot loader if it finds no Windows boot partition It is however important to note that if the adversary can analyze the content of the hard drive he can still find out that it contains the TrueCrypt boot loader Can configure TrueCrypt to mount automatically whenever Windows starts selected non system TrueCrypt volumes that use the same password as my system partition drive i e my pre boot authentication password Yes Mount the volume s and then select Volumes gt Save Currently Mounted Volumes as System Favorites For more information see the chapter Main Program Window section Program Menu subsection Volumes gt Save Currently Mounted Volumes as System Favorites Can I configure TrueCrypt to mount certain volumes automatically whenever I log on to Windows Yes To do so follow these steps 1 Mount the volume s and then select Volumes gt Save Currently Mounted Volumes as Favorites 2 Select Settings gt Preferences In the Preferences window in the section Actions to perform upon log on to Windows enable the option Mount favorite volumes
154. s in passwords are not supported and may cause various problems e g inability to mount a volume To work around a Windows XP issue the TrueCrypt boot loader is always automatically configured for the version of the operating system under which it is installed When the version of the system changes for example the TrueCrypt boot loader is installed when Windows Vista is running but it is later used to boot Windows XP you may encounter various known and unknown issues for example on some notebooks Windows XP may fail to display the log on screen Note that this affects multi boot configurations TrueCrypt Rescue Disks and decoy hidden operating systems therefore if the hidden system is e g Windows XP the decoy system should be Windows XP too The ability to mount a partition that is within the key scope of system encryption without pre boot authentication for example a partition located on the encrypted system drive of another operating system that is not running which can be done e g by selecting System gt Mount Without Pre Boot Authentication is limited to primary partitions extended logical partitions cannot be mounted this way Due to a Windows 2000 issue TrueCrypt does not support the Windows Mount Manager under Windows 2000 Therefore some Windows 2000 built in tools such as Disk Defragmenter do not work on TrueCrypt volumes Furthermore it is not possible to use the Mount Manager 99 services under Windows
155. s option and click Keyfiles The keyfile dialog window should appear where you can specify keyfiles to do so click Add Files or Add Token Files or keyfile search paths click Add Path Security Tokens and Smart Cards TrueCrypt can directly use keyfiles stored on a security token or smart card that complies with the PKCS 11 2 0 or later standard 23 and that allows the user to store a file data object on the token card To use such files as TrueCrypt keyfiles click Add Token Files in the keyfile dialog window Access to a keyfile stored on a security token or smart card is typically protected by PIN codes which can be entered either using a hardware PIN pad or via the TrueCrypt GUI lt can also be protected by other means such as fingerprint readers In order to allow TrueCrypt to access a security token or smart card you need to install a PKCS 11 2 0 or later software library for the token or smart card first Such a library may be supplied with the device or it may be available for download from the website of the vendor or other third parties If your security token or smart card does not contain any file data object that you could use as a TrueCrypt keyfile you can use TrueCrypt to import any file to the token or smart card if it is supported by the device To do so follow these steps 1 Inthe keyfile dialog window click Add Token Files 61 2 If the token or smart card is protected by a PIN password or o
156. sible to prove provided that certain guidelines are followed Thus you will not have to decrypt or reveal the password for the hidden operating system For more information see the section Hidden Operating System in the chapter Plausible Deniability 43 Operating Systems Supported for System Encryption TrueCrypt can currently encrypt the following operating systems Windows 7 Windows 7 x64 64 bit Edition Windows Vista SP1 or later Windows Vista x64 64 bit Edition SP1 or later Windows XP Windows XP x64 64 bit Edition Windows Server 2008 Windows Server 2008 x64 64 bit Windows Server 2003 Windows Server 2003 x64 64 bit TrueCrypt Rescue Disk During the process of preparing the encryption of a system partition drive TrueCrypt requires that you create a so called TrueCrypt Rescue Disk CD DVD which serves the following purposes If the TrueCrypt Boot Loader screen does not appear after you start your computer or if Windows does not boot the TrueCrypt Boot Loader may be damaged The TrueCrypt Rescue Disk allows you restore it and thus to regain access to your encrypted system and data however note that you will still have to enter the correct password then In the Rescue Disk screen select Repair Options gt Restore TrueCrypt Boot Loader Then press Y to confirm the action remove the Rescue Disk from your CD DVD drive and restart your computer If the TrueCrypt Boot Loader is frequently damaged for e
157. ssestessacasededsswesabiodededsesswosestedovareussoisevssdedecseessessssedecdes 98 KNOWN ISSUES amp LIMITATIONS ssscncscsiscesscssncesvecsnsevaseetvneceapesescanytushegsusesescbeeessesonereuseoseusheness 99 Known ISSUES e ennta E EE R A O A E AEE ESEAS 99 A E AE eae E TA 99 FREQUENTLY ASKED QUESTIONS ssssssssssesessssoesesoseosessosesosoosoesososessessosssssssssesssoseosessoses 102 HOW TO REMOVE ENCRYPTION sseseesessesoesosseseossesessossesossossesossossessossesossossesossossessossesossoss 113 UNINSTALLING TRUECRYPT seeseseoseesessossesessossesoosoesessossesossossesossossesoossesossossesossossessesosseseose 114 TRUECRYPT SYSTEM FILES amp APPLICATION DATA esssesooesesssesoossoessesoossosssessossosssessose 115 TECANICAE DETATES 000 AA AA 117 NOTATION ida A AA da Didi als 117 ENERYPTON S CHEME a a A AE OEE Bash Mia IIS ISS MB So I Ee 118 MODES OF OPERATION ae A didas dad dad cea ida 120 HEADER KEY DERIVATION SALT AND ITERATION COUNT 00000sesesesesesssesssesesssssesesesesesesesesens 121 RANDOM NUMBER GENERATOR Q cccscsssssssecececececeesssececececsceesensaaecesececsenessseaeeeseeeesenensaaeeeseeeens 122 KEYFILES cotos E EE sotbecsva san A E Gi Lod A O dica 124 TRUECRYPT VOLUME FORMAT SPECIFICATION sscsessssccecccscsssessaecececccseessssseceeesececsesensaaeeeseeeens 126 COMPLIANCE WITH STANDARDS AND SPECIFICATIONS ccccceseesssecesececsceessnseceeeccesceesenssaeeeseeeens 128 SOURCE CODE nr tia td
158. stem encryption does not include a hidden volume containing a hidden operating system 126 Note that this specification applies to volumes created by TrueCrypt 6 0 or later The format of file hosted volumes is identical to the format of partition device hosted volumes however the volume header or key data for a system partition drive is stored in the last 512 bytes of the first logical drive track TrueCrypt volumes have no signature or ID strings Until decrypted they appear to consist solely of random data Free space on each TrueCrypt volume is filled with random data when the volume is created The random data is generated as follows Right before TrueCrypt volume formatting begins a temporary encryption key and a temporary secondary key XTS mode are generated by the random number generator see the section Random Number Generator The encryption algorithm that the user selected is initialized with the temporary keys The encryption algorithm is then used to encrypt plaintext blocks generated by the random number generator The encryption algorithm operates in XTS mode see the section Modes of Operation The resulting ciphertext blocks are used to fill overwrite the free space on the volume The temporary keys are stored in RAM and are securely erased after formatting finishes The fields located at the byte 0 salt and 256 master keys contain random values generated by the random number generator see the section Rando
159. stem to him he might find out that the connection was not made from within the decoy operating system which might indicate the existence of a hidden operating system on your computer Also note that similar issues would affect you if there were any filesystem shared over a network under the hidden operating system regardless of whether the filesystem is remote or local Therefore when the hidden operating system is running there must be no filesystem shared over a network in any direction If the BIOS EFI or any other component logs power down events or any other events that could be related to events logged in Windows logs you should either disable such logging or ensure that the log is securely erased after each session 34 In addition to the above you must follow the security requirements and precautions listed in the following chapters Security Requirements and Precautions How to Back Up Securely 35 Hidden Operating System If your system partition or system drive is encrypted using TrueCrypt you need to enter your pre boot authentication password in the TrueCrypt Boot Loader screen after you turn on or restart your computer It may happen that you are forced by somebody to decrypt the operating system or to reveal the pre boot authentication password There are many situations where you cannot refuse to do so for example due to extortion TrueCrypt allows you to create a hidden operating system whose existence wil
160. t Prev E Cancel Move your mouse as randomly as possible within the Volume Creation Wizard window at least for 30 seconds The longer you move the mouse the better This significantly increases the cryptographic strength of the encryption keys which increases security Click Format Volume creation should begin TrueCrypt will now create a file called My Volume in the folder D My Documents as we specified in Step 6 This file will be a TrueCrypt container it will contain the encrypted TrueCrypt volume Depending on the size of the volume the volume creation may take a long time After it finishes the following dialog box will appear TrueCrypt Yolume Creation Wizard x e LA The TrueCrypt volume has been successfully created Click OK to close the dialog box STEP 12 e ee Tne Lee We have just successfully created a TrueCrypt volume file container In the TrueCrypt Volume Creation Wizard window click Exit The Wizard window should disappear In the remaining steps we will mount the volume we just created We will return to the main TrueCrypt window which should still be open but if it is not repeat Step 1 to launch TrueCrypt and then continue from Step 13 STEP 13 E TrueCrypt volume Properties Wipe Gache Sa EA Select a drive letter from the list marked with a red rectangle This will be the drive letter to which the TrueCry
161. t cannot ensure that the older header is really overwritten If an adversary found the old volume header which was to be overwritten on the device he could use it to mount the volume using an old compromised password and or using compromised keyfiles that were necessary to mount the volume before the volume header was re encrypted Due to security reasons we recommend that TrueCrypt volumes are not created on devices or in file systems that utilize a wear leveling mechanism If you decide not to follow this recommendation and you intend to use in place encryption on a drive that utilizes wear leveling mechanisms make sure the partition drive does not contain any sensitive data before you fully encrypt it TrueCrypt cannot reliably perform secure in place encryption of existing data on such a drive however after the partition drive has been fully encrypted any new data that will be saved to it will be reliably encrypted on the fly That includes the following precautions Before you run TrueCrypt to set up pre boot authentication disable the paging files and restart the operating system you can enable the paging files after the system partition drive has been fully encrypted Hibernation must be prevented during the period between the moment when you start TrueCrypt to set up pre boot authentication and the moment when the system partition drive has been fully encrypted For more information see the sections Paging File and Hibernation File
162. t does Windows and antivirus software may interfere with the container and adversely affect the performance of the volume Second disable or uninstall any application that might be interfering which usually is antivirus software or automatic disk defragmentation tool etc In case of antivirus software it often helps to turn off real time on access scanning in the preferences of the antivirus software If it does not help try temporarily disabling the virus protection software If this does not help either try uninstalling it completely and restarting your computer subsequently PROBLEM A TrueCrypt volume cannot be mounted TrueCrypt reports Incorrect password or not a TrueCrypt volume POSSIBLE CAUSE The volume header may have been damaged by a third party application or malfunctioning hardware POSSIBLE SOLUTIONS If you created your volume using TrueCrypt 6 0 or later you can try to restore the volume header from the backup embedded in the volume by following these steps 1 Run TrueCrypt 6 0 or later 92 2 Click Select Device or Select File to select your volume 3 Select Tools gt Restore Volume Header If you created your volume using TrueCrypt 5 1a or earlier you can try to mount your volume with the command line option m recovery as follows 1 Install TrueCrypt 6 1 or later 2 On your keyboard press and hold the Windows key and then press R The Windows Run dialog should appear 3 Type in
163. t erase data by overwriting it with random data in fact TrueCrypt can be used to securely erase a partition device too by creating an empty encrypted partition device hosted volume within it However you need to prevent data leaks see section Data Leaks and also note that for system encryption the first drive track contains the unencrypted TrueCrypt Boot Loader which can be easily identified as such for more information see the chapter System Encryption When using system encryption plausible deniability can be achieved by creating a hidden operating system see the section Hidden Operating System Although file hosted TrueCrypt volumes containers do not contain any kind of signature either until decrypted they appear to consist solely of random data they cannot provide this kind of plausible deniability because there is practically no plausible explanation for the existence of a file containing solely random data However plausible deniability can still be achieved with a file hosted TrueCrypt volume container by creating a hidden volume within it see above Notes When formatting a hard disk partition as a TrueCrypt volume the partition table including the partition type is never modified no TrueCrypt signature or ID is written to the partition table There are methods to find files or devices containing random data such as TrueCrypt volumes Note however that this does not affect plausible deniab
164. t on Windows Vista and later system favorite volumes will not be available in the TrueCrypt application window When you select this menu item Save Currently Mounted Volumes as System Favorites a list of all currently mounted volumes and the drive letters they are mounted as is saved to a file called System Favorite Volumes xml in the folder sALLUSERSPROFILE TrueCrypt Note that when you use this function all dismounted volumes that were previously saved as system favorite will be deleted from the list To delete the list of system favorite volumes dismount all TrueCrypt volumes and select Volumes gt Save Currently Mounted Volumes as System Favorites Volumes gt Change Volume Password Allows changing the password of the currently selected TrueCrypt volume no matter whether the volume is hidden or standard Only the header key and the secondary header key XTS mode are changed the master key remains unchanged This function re encrypts the volume header using a header encryption key derived from a new password Note that the volume header contains the master encryption key with which the volume is encrypted Therefore the data stored on the volume will not be lost after you use this function password change will only take a few seconds To change a TrueCrypt volume password click on Select File or Select Device then select the volume and from the Volumes menu select Change Volume Password Note For in
165. t will be inaccessible and encrypted Even when power supply is suddenly interrupted without proper system shut down files stored in the volume are inaccessible and encrypted To make them accessible again you have to mount the volume and provide the correct password and or keyfile Beginner s Tutorial How to Create and Use a TrueCrypt Container This chapter contains step by step instructions on how to create mount and use a TrueCrypt volume We strongly recommend that you also read the other sections of this manual as they contain important information STEP 1 If you have not done so download and install TrueCrypt Then launch TrueCrypt by double clicking the file TrueCrypt exe or by clicking the TrueCrypt shortcut in your Windows Start menu STEP 2 E TrueCrypt ee x File Volumes Keyfiles Tools Settings Help Homepage ST y Wipe Cache Select File JV Never save history Volume Tools Select Device Mount Auto Mount Devices Dismount All Exit The main TrueCrypt window should appear Click Create Volume marked with a red rectangle for clarity Yolume Properties STEP 3 E TrueCrypt Yolume Creation Wizard TrueCrypt Volume Creation Wizard Create an encrypted file container Creates a virtual encrypted disk within a file Recommended For inexperienced users More information Encrypt a non system partit
166. ted However if you force dismount on a TrueCrypt volume when TrueCrypt runs in portable mode or mount a writable NTFS formatted volume on Windows Vista or later the TrueCrypt driver will not be unloaded when you exit TrueCrypt it will be unloaded only when you shut down or restart the system This prevents various problems caused by a bug in Windows for instance it would be impossible to start TrueCrypt again as long as there are applications using the dismounted volume Tools gt Traveler Disk Setup You can use this facility to prepare a special traveler disk and launch TrueCrypt from there Note that TrueCrypt traveler disk is not a TrueCrypt volume but an unencrypted volume A traveler disk contains TrueCrypt executable files and optionally the autorun inf script see the section AutoRun Configuration below After you select Tools gt Traveler Disk Setup the Traveler Disk 66 Setup dialog box should appear Some of the parameters that can be set within the dialog deserve further explanation Include TrueCrypt Volume Creation Wizard Check this option if you need to create new TrueCrypt volumes using TrueCrypt run from the traveler disk you will create Unchecking this option saves space on the traveler disk AutoRun Configuration autorun inf In this section you can configure the traveler disk to automatically start TrueCrypt or mount a specified TrueCrypt volume when the traveler disk is inserted
167. ted Some journaling file systems also internally record file access times and other potentially sensitive information To prevent possible security issues related to journaling file systems do one the following Use a partition device hosted TrueCrypt volume instead of file hosted Store the container in a non journaling file system for example FAT32 Volume Clones Never create a new TrueCrypt volume by cloning an existing TrueCrypt volume Always use the TrueCrypt Volume Creation Wizard to create a new TrueCrypt volume If you clone a volume and then start using both this volume and its clone in a way that both eventually contain different data then you might aid cryptanalysis both volumes will share a single key set This is especially critical when the volume contains a hidden volume See also the chapter How to Back Up Securely 87 Additional Security Requirements and Precautions In addition to the requirements and precautions described in this chapter Security Requirements and Precautions you must follow and keep in mind the security requirements precautions and limitations listed in the following chapters and sections How to Back Up Securely Limitations Security Requirements and Precautions Pertaining to Hidden Volumes Plausible Deniability 88 How to Back Up Securely Due to hardware or software errors malfunctions files stored on a TrueCrypt volume may become corrupted Therefore we strongly recommend th
168. tes To Il T Il Tz 1173 M ili Write these bytes obtained in step 7 c 11 individually to the keyfile pool with the modulo 2 addition operation not by replacing the old values in the pool at the position of the pool cursor After a byte is written the pool cursor position is advanced by one byte When the cursor reaches the end of the pool its position is set to the beginning of the pool Apply the content of the keyfile pool to the password P using the following method a Divide the password P into individual bytes Bo Bpi 1 Note that if the password was shorter than the keyfile pool then the password was padded with zero bytes to the length of the pool in Step 5 hence at this point the length of the password is always greater than or equal to the length of the keyfile pool b Divide the keyfile pool KP into individual bytes Go Gipi 1 c ForO i lt kpl perform B B Gi d P Bo I By ll ll Bp 2 Il Bpr 124 9 The password P after the keyfile pool content has been applied to it is now passed to the header key derivation function PBKDF2 PKCS 5 v2 which processes it along with salt and other data using a cryptographically secure hash algorithm selected by the user e g SHA 512 See the section Header Key Derivation Salt and Iteration Count for more information The role of the hash function H is merely to perform diffusion 2 CRC 32 is used as the hash function H Note that the output of CRC 32 is subsequently
169. the following command replace the last argument Device Harddisk1 PartitionO with the path to your volume On 32 bit systems SProgramFiles TrueCrypt TrueCrypt exe q m recovery v Device Harddiskl Partition0 On 64 bit systems SProgramFiles x86 TrueCrypt TrueCrypt exe q m recovery v Device Harddisk1 Partition0 4 Press Enter to try to mount your volume PROBLEM After successfully mounting a volume Windows reports This device does not contain a valid file system or a similar error PROBABLE CAUSE The file system on the TrueCrypt volume may be corrupted or the volume is unformatted POSSIBLE SOLUTION You can use filesystem repair tools supplied with your operating system to attempt to repair the filesystem on the TrueCrypt volume In Windows it is the chkdsk tool TrueCrypt provides an easy way to use this tool on a TrueCrypt volume First make a backup copy of the TrueCrypt volume because the chkdsk tool might damage the filesystem even more and then mount it Right click the mounted volume in the main TrueCrypt window in the drive list and from the context menu select Repair Filesystem PROBLEM When trying to create a hidden volume its maximum possible size is unexpectedly small there is much more free space than this on the outer volume PROBABLE CAUSE Fragmentation 93 OR Too small cluster size too many files folders in the root directory of the outer volume POS
170. the hidden volume the hidden volume will be mounted Note TrueCrypt first attempts to decrypt the standard volume header using the entered password If it fails it loads the area of the volume where a hidden volume header can be stored i e the bytes 65536 131071 which contain solely random data when there is no hidden volume within the volume to RAM and attempts to decrypt it using the entered password Note that hidden volume headers cannot be identified as they appear to consist entirely of random data If the header is successfully decrypted for information on how TrueCrypt determines that it was successfully decrypted see the section Encryption Scheme the information about the size of the hidden volume is retrieved from the decrypted header which is still stored in RAM and the hidden volume is mounted its size also determines its offset Further information may be found in the section Hidden Volume Can I save data to the decoy system partition without risking damage to the hidden system partition Yes You can write data to the decoy system partition anytime without any risk that the hidden volume will get damaged because the decoy system is not installed within the same partition as the hidden system For more information see the section Hidden Operating System Can I use TrueCrypt in Windows if do not have administrator privileges See the chapter Using TrueCrypt Without Administrator Privileges Does TrueCrypt sav
171. the steps 1 3 but in the step 3 select the second or third option Then follow the remaining instructions in the wizard When you create a device hosted TrueCrypt volume within a non system partition drive you can mount it by clicking Auto Mount Devices in the main TrueCrypt window For information pertaining to encrypted system partition drives see the chapter System Encryption Important We strongly recommend that you also read the other chapters of this manual as they contain important information that has been omitted in this tutorial for simplicity 25 Plausible Deniability In case an adversary forces you to reveal your password TrueCrypt provides and supports two kinds of plausible deniability 1 Hidden volumes for more information see the section Hidden Volume below and hidden operating systems see the section Hidden Operating System 2 Until decrypted a TrueCrypt partition device appears to consist of nothing more than random data it does not contain any kind of signature Therefore it is impossible to prove that a partition or a device is a TrueCrypt volume or that it has been encrypted provided that the security requirements and precautions listed in the chapter Security Requirements and Precautions are followed A possible plausible explanation for the existence of a partition device containing solely random data is that you have wiped securely erased the content of the partition device using one of the tools tha
172. ther means such as a fingerprint reader authenticate yourself for example by entering the PIN using a hardware PIN pad 3 The Security Token Keyfile dialog window should appear In it click Import Keyfile to Token and then select the file you want to import to the token or smart card Note that you can import for example 512 bit keyfiles with random content generated by TrueCrypt see Keyfiles gt Generate Random Keyfile below To close all opened security token sessions either select Keyfiles gt Close All Security Token Sessions or define and use a hotkey combination Settings gt Hot Keys gt Close All Security Token Sessions Keyfile Search Path By adding a folder in the keyfile dialog window click Add Path you specify a keyfile search path All files found in the keyfile search path will be used as keyfiles Important Note that folders and files they contain found in keyfile search paths are ignored Keyfile search paths are especially useful if you for example store keyfiles on a USB memory stick that you carry with you You can set the drive letter of the USB memory stick as a default keyfile search path To do so select Keyfiles gt Set Default Keyfiles Paths Then click Add Path browse to the drive letter assigned to the USB memory stick and click OK Now each time you mount a volume and if the option Use keyfiles is checked in the password dialog window TrueCrypt will scan the path and use all f
173. to RAM see the section TrueCrypt Volume Format Specification For system encryption bytes 65536 66047 of the first partition located behind the active partition are read see the section Hidden Operating System If there is a hidden volume within this volume or within the partition behind the boot partition we have read its header at this point otherwise we have just read random data whether or not there is a hidden volume within it has to be determined by attempting to decrypt this data for more information see the section Hidden Volume Now TrueCrypt attempts to decrypt the standard volume header read in 1 All data used and generated in the course of the process of decryption are kept in RAM TrueCrypt never saves them to disk The following parameters are unknown and have to be determined through the process of trial and error i e by testing all possible combinations of the following a PRF used by the header key derivation function as specified in PKCS 5 v2 0 see the section Header Key Derivation Salt and Iteration Count which can be one of the following HMAC SHA 512 HMAC RIPEMD 160 HMAC Whirlpool A password entered by the user to which one or more keyfiles may have been applied see the section Keyfiles and the salt read in 1 are passed to the header key derivation function which produces a sequence of values see the section Header Key Derivation Salt and Iteration Count from which the header en
174. to recover the files from my TrueCrypt volume TrueCrypt does not contain any mechanism or facility that would allow partial or complete recovery of your encrypted data without knowing the correct password or the key used to encrypt the data The only way to recover your files is to try to crack the password or the key but it could take thousands or millions of years depending on the length and quality of the password keyfiles on software hardware efficiency and other factors 102 Does TrueCrypt also encrypt file names and folder names Yes The entire file system within a TrueCrypt volume is encrypted including file names folder names and contents of every file This applies to both types of TrueCrypt volumes i e to file containers virtual TrueCrypt disks and to TrueCrypt encrypted partitions devices How can I use TrueCrypt on a USB flash drive You have two options 1 Encrypt the entire USB flash drive However you will not be able run TrueCrypt from the USB flash drive Note Windows does not support multiple partitions on USB flash drives 2 Create a TrueCrypt file container on the USB flash drive for information on how to do so see the chapter Beginner s Tutorial If you leave enough space on the USB flash drive choose an appropriate size for the TrueCrypt container you will also be able to store TrueCrypt on the USB flash drive along with the container notin the container and you will be able to run True
175. ts device driver is not running when the attacker physically accesses the computer Additional information pertaining to hardware attacks where the attacker has direct physical access is contained in the section Unencrypted Data in RAM Furthermore even if the attacker cannot physically access the computer hardware directly he or she may be able to breach the physical security of the computer by remotely intercepting and analyzing emanations from the computer hardware including the monitor and cables For example intercepted emanations from the cable connecting the keyboard with the computer can reveal passwords you type It is beyond the scope of this document to list all of the kinds of such attacks sometimes called TEMPEST attacks and all known ways to prevent them such as shielding or radio jamming You must prevent such attacks It is solely your responsibility to do so If you do not TrueCrypt may become unable to secure data on the computer Malware The term malware refers to all types of malicious software such as computer viruses Trojan horses or spyware Some kinds of malware are designed e g to log keystrokes including typed passwords such captured passwords are then either sent to the attacker over the Internet or saved to an unencrypted local drive from which the attacker might be able to read it later when he or she gains physical access to the computer If you use TrueCrypt on a computer infected with any other kind o
176. tte Gel loo ous AS A AE dub NS AAA oui he 128 PREFACE Please note that although most chapters of this documentation apply generally to all versions of TrueCrypt some sections are primarily aimed at users of the Windows versions of TrueCrypt Hence such sections may contain information that is inappropriate in regards to the Mac OS X and Linux versions of TrueCrypt Introduction TrueCrypt is a software system for establishing and maintaining an on the fly encrypted volume data storage device On the fly encryption means that data is automatically encrypted or decrypted right before is loaded or saved without any user intervention No data stored on an encrypted volume can be read decrypted without using the correct password keyfile s or correct encryption keys Entire file system is encrypted e g file names folder names contents of every file free space meta data etc Files can be copied to and from a mounted TrueCrypt volume just like they are copied to from any normal disk for example by simple drag and drop operations Files are automatically being decrypted on the fly in memory RAM while they are being read or copied from an encrypted TrueCrypt volume Similarly files that are being written or copied to the TrueCrypt volume are automatically being encrypted on the fly right before they are written to the disk in RAM Note that this does not mean that the whole file that is to be encrypted decrypted must be stored in RAM
177. un on Mac OS X Yes Does TrueCrypt run on Linux Yes Can I mount my TrueCrypt volume under Windows Mac OS X and Linux Yes TrueCrypt volumes are fully cross platform Is it possible to install an application to a TrueCrypt volume and run it from there Yes What will happen when a part of a TrueCrypt volume becomes corrupted In encrypted data one corrupted bit usually corrupts the whole ciphertext block in which it occurred The ciphertext block size used by TrueCrypt is 16 bytes i e 128 bits The mode of operation used by TrueCrypt ensures that if data corruption occurs within a block the remaining blocks are not affected for more information see the section Modes of Operation See also the question What do do when the encrypted filesystem on my TrueCrypt volume is corrupted What do I do when the encrypted filesystem on my TrueCrypt volume is corrupted File system within a TrueCrypt volume may become corrupted in the same way as any normal unencrypted file system When that happens you can use filesystem repair tools supplied with your operating system to fix it In Windows it is the chkdsk tool TrueCrypt provides an easy way to use this tool on a TrueCrypt volume Right click the mounted volume in the main TrueCrypt window in the drive list and from the context menu select Repair Filesystem 110 We use TrueCrypt in a corporate enterprise environment Is there a way for an administrator to
178. until the volume is dismounted Warning Note that the option Protect hidden volume against damage caused by writing to outer volume in the Mount Options dialog window is automatically disabled after a mount attempt is completed no matter whether it is successful or not all hidden volumes that are already being protected will of course continue to be protected Therefore you need to check that option each time you attempt to mount the outer volume if you wish the hidden volume to be protected TrueCrypt Mount Options xi J Mount volume as read only J Mount volume as removable medium Cancel Use backup header embedded in volume if available Mount partition using system encryption without pre boot authentication Hidden volume Protection J Protect hidden volume against damage caused by writing to outer volume Password to hidden volume Dn men if empty cache is used F Display password 7 Use keyfiles What is hidden volume protection 31 If you want to mount an outer volume and protect a hidden volume within using cached passwords then follow these steps Hold down the Control Ctrh key when clicking Mount or select Mount with Options from the Volumes menu This will open the Mount Options dialog Enable the option Protect hidden volume against damage caused by writing to outer volume and leave the password box empty Then click OK If you need to mount an outer volume
179. volume and therefore the hidden volume which is to contain a clone of the system partition can reside only in the second half of the partition In the next steps the wizard will create two TrueCrypt volumes outer and hidden within the first partition behind the system partition The hidden volume will contain the hidden operating system The size of the hidden volume is always the same as the size of the system partition The reason is that the hidden volume will need to contain a clone of the content of the system partition see below Note that the clone will be encrypted using a different encryption key than the original Before you start copying some sensitive looking files to the outer volume the wizard tells you the maximum recommended size of space that the files should occupy so that there is enough free space on the outer volume for the hidden volume Remark After you copy some sensitive looking files to the outer volume the cluster bitmap of the volume will be scanned in order to determine the size of uninterrupted area of free space whose end is aligned with the end of the outer volume This area will accommodate the hidden volume so it limits its maximum possible size The maximum possible size of the hidden volume will be determined and it will be verified that it is greater than the size of the system partition which is required because the entire content of the system partition will need to be copied to the hidden volume
180. ww truecrypt orqg future Contact Information on how to contact us can be found at http www truecrypt org contact Legal Information License The text of the license under which TrueCrypt is distributed is contained in the file License txtthat is included in the TrueCrypt binary and source code distribution packages and is also available at http www truecrypt org legal license Copyright Information This software as a whole Copyright 2009 TrueCrypt Foundation All rights reserved Portions of this software Copyright 2003 2009 TrueCrypt Foundation All rights reserved Copyright 1998 2000 Paul Le Roux All rights reserved Copyright 1998 2008 Brian Gladman Worcester UK All rights reserved Copyright 2002 2004 Mark Adler All rights reserved For more information please see the legal notices attached to parts of the source code Trademark Information TrueCrypt and the TrueCrypt logos are trademarks of the TrueCrypt Foundation Note The goal is not to monetize the name or the product but to protect the reputation of TrueCrypt and to prevent support issues and other kinds of issues that might arise from the existence of similar products with the same or similar name Even though TrueCrypt is a trademark TrueCrypt is and will remain open source and free software Any other trademarks are the sole property of their respective owners 129 Version History 6 3 October 21 2009 New featur
181. xample by inappropriately designed activation software or if you do not want the TrueCrypt boot loader to reside on the hard drive for example if you want to use an alternative boot loader manager for other operating systems you can boot directly from the TrueCrypt Rescue Disk as it contains the TrueCrypt boot loader too without restoring the boot loader to the hard drive Just insert your Rescue Disk into your CD DVD drive and then enter your password in the Rescue Disk screen If you repeatedly enter the correct password but TrueCrypt says that the password is incorrect it is possible that the master key or other critical data are damaged The TrueCrypt Rescue Disk allows you to restore them and thus to regain access to your encrypted system and data however note that you will still have to enter the correct password then In the Rescue Disk screen select Repair Options gt Restore key data Then enter your password press Y to confirm the action remove the Rescue Disk from your CD DVD drive and restart your computer Note This feature cannot be used to restore the header of a hidden volume within which a hidden operating system resides see the section Hidden Operating System To restore such a volume header click Select Device select the partition behind the decoy system partition click OK select Tools gt Restore Volume Header and then follow the instructions WARNING By restoring key data using a TrueCrypt Rescue Disk
182. y configuration file used during the initial process of in place encryption decryption of the system partition drive Default Keyfiles xml Note This file may be absent if the corresponding TrueCrypt feature is not used Favorite Volumes xml Note This file may be absent if the corresponding TrueCrypt feature is not used History xml the list of last twenty files devices attempted to be mounted as TrueCrypt volumes or attempted to be used as hosts for TrueCrypt volumes this feature can be disabled for more information see the section Never Save History Note This file may be absent if the corresponding TrueCrypt feature is not used In Place Encryption In Place Encryption Wipe Algo temporary configuration files used during the initial process of in place encryption decryption of a non system volume Post Install Task Tutorial Post Install Task Release Notes temporary configuration files used during the process of installation or upgrade of TrueCrypt The following files are saved in the folder sALLUSERSPROFILE TrueCrypt WARNING Note that TrueCrypt does not encrypt those files unless it encrypts the system partition drive 115 Original System Loader a backup of the original content of the first drive track made before the TrueCrypt Boot Loader was written to it Note This file is absent if the system partition drive has not been encrypted System Favorit
183. you also restore the password that was valid when the TrueCrypt Rescue Disk was created Therefore 44 whenever you change the password you should destroy your TrueCrypt Rescue Disk and create a new one select System gt Create Rescue Disk Otherwise if an attacker knows your old password for example captured by a keystroke logger and if he then finds your old TrueCrypt Rescue Disk he could use it to restore the key data the master key encrypted with the old password and thus decrypt your system partition drive If Windows is damaged and cannot start the TrueCrypt Rescue Disk allows you to permanently decrypt the partition drive before Windows starts In the Rescue Disk screen select Repair Options gt Permanently decrypt system partition drive Enter the correct password and wait until decryption is complete Then you can e g boot your MS Windows setup CD DVD to repair your Windows installation Note that this feature cannot be used to decrypt a hidden volume within which a hidden operating system resides see the section Hidden Operating System Note Alternatively if Windows is damaged cannot start and you need to repair it or access files on it you can avoid decrypting the system partition drive by following these steps If you have multiple operating systems installed on your computer boot the one that does not require pre boot authentication If you do not have multiple operating systems installed on your computer you
184. you do not need to access as often in the non system TrueCrypt partition i e in the outer volume for which you chose a very long password As the password for the system partition is not very strong because it is short you do not intentionally store sensitive data on the system partition However you still prefer the system partition to be encrypted because potentially sensitive or mildly sensitive data is stored on it as a result of your everyday use of the computer for example passwords to online forums you visit which can be automatically remembered by your browser browsing history applications you run etc When an attacker gets hold of your computer when a TrueCrypt volume is mounted for example when you use a laptop outside he can in most cases read any data stored on the volume data is decrypted on the fly as he reads it Therefore it may be wise to limit the time the volume is mounted to a minimum Obviously this may be impossible or difficult if the sensitive data is stored on an encrypted system partition or on an entirely encrypted system drive because you would also have to limit the time you work with the computer to a minimum Hence you can answer that you created a separate partition encrypted with a different key than your system partition for your most sensitive data and that you mount it only when necessary and dismount it as soon as possible so as to limit the time the volume is mounted to a minimum On t
185. your password or has your keyfiles and has access to your volume he may be able to retrieve and keep its master key If he does he may be able to decrypt your volume even after you change its password and or keyfile s because the master key does not change when you change the volume password and or keyfiles In such a case create a new TrueCrypt volume and move all files from the old volume to this new one The following sections of this chapter contain additional information pertaining to possible security issues connected with changing passwords and or keyfiles Wear Leveling Journaling File Systems Defragmenting Reallocated Sectors 85 Wear Leveling Some storage devices e g some solid state drives including USB flash drives and some file systems utilize so called wear leveling mechanisms to extend the lifetime of the storage device or medium These mechanisms ensure that even if an application repeatedly writes data to the same logical sector the data is distributed evenly across the medium logical sectors are remapped to different physical sectors Therefore multiple versions of a single sector may be available to an attacker This may have various security implications For instance when you change a volume password keyfile s the volume header is under normal conditions overwritten with a re encrypted version of the header However when the volume resides on a device that utilizes a wear leveling mechanism TrueCryp
186. ypt Rescue Disk select Repair Options gt Restore key data and enter your administrator password Note It is not required to burn each TrueCrypt Rescue Disk ISO image to a CD DVD You can maintain a central repository of ISO images for all workstations rather than a repository of CDs DVDs For more information see the section Command Line Usage option noisocheck We share a volume over a network Is there a way to have the network share automatically restored when the system is restarted Please see the chapter Sharing over Network It is possible to access a single TrueCrypt volume simultaneously from multiple operating systems for example a volume shared over a network Please see the chapter Sharing over Network Can a user access his or her TrueCrypt volume via a network Please see the chapter Sharing over Network I encrypted a non system partition but its original drive letter is still visible in the My Computer list When I double click this drive letter Windows asks if want to format the drive Is there a way to hide or free this drive letter Yes to free the drive letter follow these steps 1 Right click the Computer or My Computer icon on your desktop or in the Start Menu and select Manage The Computer Management window should appear From the list on the left select Disk Management within the Storage sub tree Right click the encrypted partition device and select Change Drive Letter
187. ypt volumes can be encrypted using the following algorithms Block Size Mode of Bits Operation Algorithm Designer s Key Size Bits AES J Daemen V Rijmen 256 128 XTS Serpent R Anderson E Biham L Knudsen 256 128 XTS Twotsh a 2 1 xis AES Twofish 256 256 128 XTS AES Twofish Serpent 256 256 256 128 XTS Serpent AES 256 256 128 XTS Serpent Twofish AES 256 256 256 128 XTS Twofish Serpent 256 256 128 XTS For information about XTS mode please see the section Modes of Operation AES The Advanced Encryption Standard AES specifies a FIPS approved cryptographic algorithm Rijndael designed by Joan Daemen and Vincent Rijmen published in 1998 that may be used by US federal departments and agencies to cryptographically protect sensitive information 3 TrueCrypt uses AES with 14 rounds and a 256 bit key i e AES 256 published in 2001 operating in XTS mode see the section Modes of Operation In June 2003 after the NSA US National Security Agency conducted a review and analysis of AES the U S CNSS Committee on National Security Systems announced in 1 that the design and strength of AES 256 and AES 192 are sufficient to protect classified information up to the Top Secret level This is applicable to all U S Government Departments or Agencies that are considering the acquisition or use of products incorporating the Advanced Encryption Standard AES to satisfy Information Assurance requirements associated w
188. ypted in place while the operating system is running You can interrupt the process of encryption or decryption anytime leave the partition drive partially unencrypted restart or shut down the computer and then resume the process which will continue from the point it was stopped The mode of operation used for system encryption is XTS see the section Modes of Operation For further technical details of system encryption see the section Encryption Scheme in the chapter Technical Details To encrypt a system partition or entire system drive select System gt Encrypt System Partition Drive and then follow the instructions in the wizard To decrypt a system partition drive select System gt Permanently Decrypt System Partition Drive Note By default Windows 7 and later boot from a special small partition The partition contains only files that are required to boot the system Windows allows only applications that have administrator privileges to write to the partition when the system is running TrueCrypt encrypts the partition only if you choose to encrypt the whole system drive as opposed to choosing to encrypt only the partition where Windows is installed Hidden Operating System It may happen that you are forced by somebody to decrypt the operating system There are many situations where you cannot refuse to do so for example due to extortion TrueCrypt allows you to create a hidden operating system whose existence will be impos
189. ystem and for the outer volume The third password for the hidden system must remain secret Hidden Volume Decoy Operating System Outer Volume amp Hidden Operating System Partition 1 Partition 2 Example Layout of System Drive Containing Hidden Operating System If the size of the active partition is less than 256 MB then the data is read from the second partition behind the active one Windows 7 and later by default do not boot from the partition on which they are installed 37 Process of Creation of Hidden Operating System To start the process of creation of a hidden operating system select System gt Create Hidden Operating System and then follow the instructions in the wizard Initially the wizard verifies that there is a suitable partition for a hidden operating system on the system drive Note that before you can create a hidden operating system you need to create a partition for it on the system drive It must be the first partition behind the system partition and it must be at least 5 larger than the system partition the system partition is the one where the currently running operating system is installed However if the outer volume not to be confused with the system partition is formatted as NTFS the partition for the hidden operating system must be at least 110 2 1 times larger than the system partition the reason is that the NTFS file system always stores internal data exactly in the middle of the
Download Pdf Manuals
Related Search