Hi,
it's me again with another philosophic question: What do you prefer to encrypt your harddrives, and why?
Most of my partitions are truecrypts, because it was easy to use when I started to encrypt. But the GUI is
a little uncomfortable for daily-use, with the result that I'm decrypting my data-partition only when I
really need it (strong password, hard to type). I'm looking for a more comfortable solution here.
On my Laptop /home is encrypted with luks. It's a little harder to set up (great support in the new arch-installer)
and it is decrypted at login by pam (weak password, quick access).
I guess there are no big differences in security between luks/truecrypt (Is the suggested aes-xts-algorithm good?).
As you can see, I've no fixed purpose in mind while creating this thread, but maybe it's a good base of a nice discussion.
Regards
VR
Offline
LUKS is simpler, but doesn't fully work for non-GNU/Linux OSen.
TrueCrypt is more universal and has more advanced protection if you use it (plausible deniability), but is less supported by userland tools, more complex to set up, and practically requires reading the entire documentation (where they point out numerous ways you can easily screw up all your security).
If you need plausible deniability, you really need it, so TrueCrypt (or if you need encryption across multiple OSen). Otherwise, LUKS.
There's also loop-aes, which is like a faster, less supported (out-of-kernel) LUKS. It's included in the Zen kernel, for example.
Last edited by Ranguvar (2009-11-28 04:55:51)
Offline
If you're really worried about security you should use both/multiple. So if any of them are ever compromised you will be safe.
Last edited by jwwolf (2009-11-28 07:42:42)
Offline
If you're really worried about security you should use both/multiple. So if any of them are ever compromised you will be safe.
No, that's if you're paranoid to the point of being beyond silly
TrueCrypt allows you to chain multiple crypto systems; that should be enough for the very worried.
Offline
Why does LUKS not provide plausible deniability? I read a few discussions about the topic but mostly they just ended in "but if someone tortures you with a cactus up your behind, you'll still give out secrets" and similar... So I don't quite see the problem that TrueCrypt/plausible deniability seems to be the solution to.
cheers Heller Barde
Offline
jwwolf wrote: If you're really worried about security you should use both/multiple. So if any of them are ever compromised you will be safe.
No, that's if you're paranoid to the point of being beyond silly
TrueCrypt allows you to chain multiple crypto systems; that should be enough for the very worried.
And if in the future Truecrypt is ever compromised, and you are subject to a subpoena for your computer equipment, your multiple chains will have no use if they have a master key. Your entire effort would be for nothing. It's not being paranoid, it's being secure. If this is paranoid, why even encrypt it? Isn't that paranoid to begin with? It's better to not trust a single entity with your security; the likelihood that multiple entities are going to be compromised at the same time is far less likely to happen than a single developer.
Rubber hose attack is still possible.
Become a masochism.
Offline
@jwwolf: Sure, but given that most-to-all of the heavy lifting TrueCrypt does is done by implementations of crypto (AES, Twofish, Serpent) that have survived in the wild for a long, long time, and are also likely used by LUKS... I don't think we need to worry too much about this possibility.
@Heller_Barde: To be honest, I'm not all that afraid of some random dude hiring a thug to stick a cactus up my rear and get me to cough up info... It just doesn't seem that likely to me.
I think most people interested in plausible deniability are more concerned about governments gone wrong, and other systems where they may not be able to stick said cactus up said rear (unless the government has gone REALLY wrong).
And hey, it might even work on thugs. Just be sure to put some mildly interesting stuff on the fake secured partition, so that they're a little satisfied. It works better when they only suspect, and don't know anything for certain.
Offline
The way I understand it, if you change anything on the outer layer you risk data integrity on the inner layer. So, when you decipher your hard drive and the dude sees that the files there are 1 or 2 years old he'd have to be really stupid to not conclude that there is another hidden partition in there.
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...
Offline
The way I understand it, if you change anything on the outer layer you risk data integrity on the inner layer. So, when you decipher your hard drive and the dude sees that the files there are 1 or 2 years old he'd have to be really stupid to not conclude that there is another hidden partition in there.
That's not true; you can let truecrypt know that there is a hidden partition when you mount the outer one; then it makes sure that you don't damage the hidden volume.
Offline
But if Truecrypt is not that stupid and knows there is another partition, there is certainly a way to examine there is another partition by third. At least by looking at the very low level.
Last edited by Harlequin (2009-11-29 19:59:06)
Offline
But if Truecrypt is not that stupid and knows there is another partition, there is certainly a way to examine there is another partition by third. At least by looking at the very low level.
It doesn't know. You have to tell it, and give the correct password. I think the way it roughly works is that it does some hashing with your password, and then looks whether at some place on the partition this randomly looking chunk of bytes appears. If yes, it goes on with decrypting, otherwise it tells you that there's no hidden partition (with that password).
Offline
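A simplified model of the password-probing idea described in the post above, as an added example that is not part of the original thread and not TrueCrypt's code. The slot offsets, header size, iteration count and the SHA-256 counter-mode keystream (a stand-in for the real block cipher) are all assumptions made for illustration.

```python
import hashlib
import os

SALT_LEN, HDR_LEN, MAGIC = 64, 128, b"TRUE"   # assumed sizes and marker

def _keystream(key, n):
    # Stand-in for the real cipher: SHA-256 in counter mode (illustration only).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha512", password, salt, 1000, 32)

def make_header(password):
    # Random salt in the clear, followed by the encrypted marker and padding.
    salt = os.urandom(SALT_LEN)
    body = MAGIC.ljust(HDR_LEN - SALT_LEN, b"\0")
    return salt + _xor(body, _keystream(_derive(password, salt), len(body)))

def try_header(password, slot):
    # Trial decryption: the slot only "is" a header if the marker appears.
    salt, enc = slot[:SALT_LEN], slot[SALT_LEN:HDR_LEN]
    plain = _xor(enc, _keystream(_derive(password, salt), len(enc)))
    return plain.startswith(MAGIC)

def build_volume(outer_pw, hidden_pw=None):
    # Without a hidden volume the second slot is plain random filler.
    second = make_header(hidden_pw) if hidden_pw else os.urandom(HDR_LEN)
    return make_header(outer_pw) + second + os.urandom(1024)

def probe(volume, password):
    """Return which slot the password opens: 'outer', 'hidden' or None."""
    for name, off in (("outer", 0), ("hidden", HDR_LEN)):
        if try_header(password, volume[off:off + HDR_LEN]):
            return name
    return None

if __name__ == "__main__":
    vol = build_volume(b"decoy-pass", b"real-pass")   # constructed passwords
    print(probe(vol, b"decoy-pass"), probe(vol, b"real-pass"), probe(vol, b"guess"))
```

In this model nothing on disk marks the second slot as a header: with and without a hidden volume it is the same length of random-looking bytes, and only a correct password turns it into something recognisable.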
There's also loop-aes, which is like a faster, less supported (out-of-kernel) LUKS. It's included in the Zen kernel, for example.
If you are saying what I think you are saying, that isn't correct. Loop block devices and cryptoloop are both part of the standard kernel sources and have been forever, and are available as modules in the stock Arch kernel as loop and cryptoloop. You can make a loop device with any algorithm you want.
I have a usb key with an encrypted partition. All I do is mount the partition with these options: user,loop,encryption=aes128,noauto,rw
I don't know how portable this sort of thing is though.
Last edited by theapodan (2009-11-30 03:34:55)
Offline
Ranguvar wrote:There's also loop-aes, which is like a faster, less supported (out-of-kernel) LUKS. It's included in the Zen kernel, for example.
If you are saying what I think you are saying, that isn't correct. Loop block devices and cryptoloop are both part of the standard kernel sources and have been forever, and are available as modules in the stock Arch kernel as loop and cryptoloop. You can make a loop device with any algorithm you want.
No, cryptoloop != loop-aes
- cryptoloop has some security issues (I can't find the link at the moment, but I remember reading this); and *is* in the mainline kernel
- loop-aes is a different beast, it's written by an encryption freak (so no known vulnerabilities), it was *not* accepted into the mainline kernel (I think the reason was some "political" issues), and you really need to compile your own kernel (on most distros, arch included) and then compile a patched loop driver.
Offline
Anyway, repeat rubber hose until all hidden volumes are found. Always assume there is one more hidden volume and do not back down with the hose.
There you have it - plausible deniability just causes more pain.
Offline
Cryptoloop has many security problems, yes, don't use it if you can help it.
moljac024, you not only assume a very above-average understanding of the latest crypto techniques on the adversary's part, you also assume that they _can_ 'rubber hose' (some governments aren't _that_ bad yet), etc... I talked about this before.
Offline
My reason to encrypt is in case my computers get lost or stolen, and a thief will only care about the hardware anyway. If the men in black really wanted to snoop into your computer they could rip out the ram memory and read out the encryption keys.
Offline
Cryptoloop has many security problems, yes, don't use it if you can help it.
moljac024, you not only assume a very above-average understanding of the latest crypto techniques on the adversary's part, you also assume that they _can_ 'rubber hose' (some governments aren't _that_ bad yet), etc... I talked about this before.
That post was more of a joke
But, thinking about it - the best approach in cryptology is to always assume the most knowledgeable opponent. For example, always assume the enemy knows the algorithm.
Offline
Anyone have any experience with FreeOTFE? http://www.freeotfe.org/
It seems to have similar functionality to Truecrypt, but can mount LUKS volumes.
Offline
Ranguvar wrote:Cryptoloop has many security problems, yes, don't use it if you can help it.
moljac024, you not only assume a very above-average understanding of the latest crypto techniques on the adversary's part, you also assume that they _can_ 'rubber hose' (some governments aren't _that_ bad yet), etc... I talked about this before.
That post was more of a joke
But, thinking about it - the best approach in cryptology is to always assume the most knowledgeable opponent. For example, always assume the enemy knows the algorithm.
Best approach, sure, but if something gives me extra protection from unknowledgeable opponents at no cost to protection against well-learned opponents, all that remains is whether it's worth the effort
Offline
No, cryptoloop != loop-aes
- cryptoloop has some security issues (I can't find the link at the moment, but I remember reading this); and *is* in the mainline kernel
!!!
I use cryptoloop and was not aware of security issues. On the wikipedia page they talk about watermarking attacks, but those only would seem to reveal that a particular file that the attacker was looking for was there, but not the contents of an arbitrary file, like my personal data. So I'd still be safe
I've been using this setup for some number of years. Should I change, or is my above understanding correct? I just don't want people to read my private thoughts and see my tax return from last year.
Offline
@theapodan: The page that is linked from that wikipedia entry: http://mareichelt.de/pub/texts.cryptolo … t_styles=2 , also mentions optimized dictionary attacks - that you should be worried about
But seriously, if all you need is that a random person who steals your computer can't access mildly private data, then you should be fine. On the other hand, using LUKS (or ecryptfs) is pretty straightforward and way more secure, so you *should* change to it.
Offline
Anyone have any experience with FreeOTFE? http://www.freeotfe.org/
It seems to have similar functionality to Truecrypt, but can mount LUKS volumes.
Well, it's only for windows. And there's two contradicting statements in the 'feature list' - it says it can decrypt LUKS volumes, and at the same time that the encrypted volumes have no signature. While this may be true for freeotfe's own volumes, LUKS volumes do have a signature (he claims they don't in the faq).
Offline
Freeotfe is quite nice for mounting luks-encrypted volumes. Do this: make luks partition under linux, format with fat32/ntfs and you have an encrypted drive accessible from both systems.
Btw. the signature is for the freeotfe format, not the luks format.
And the author is a she, not a he, afaik.
Offline
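The LUKS signature discussed in the posts above can be read without any password, which is also why a LUKS volume cannot be denied. The following is an added example, not part of the original thread: a parser for the start of the LUKS1 header, run on constructed sample bytes (the function name and sample values are assumptions).

```python
import os
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# Start of the LUKS1 on-disk header, all big-endian and unencrypted:
# magic[6], version u16, cipher-name[32], cipher-mode[32], hash-spec[32],
# payload-offset u32 (in sectors), key-bytes u32
LUKS1_FMT = ">6sH32s32s32sII"

def _text(raw):
    # Fixed-width fields are NUL-padded ASCII strings.
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks(blob):
    """Return the readable header fields, or None when there is no LUKS signature."""
    size = struct.calcsize(LUKS1_FMT)
    if len(blob) < size or not blob.startswith(LUKS_MAGIC):
        return None
    _, version, name, mode, hash_spec, offset, key_bytes = struct.unpack(
        LUKS1_FMT, blob[:size])
    if version != 1:
        return {"version": version}  # same magic, different layout (e.g. LUKS2)
    return {"version": 1, "cipher": _text(name), "mode": _text(mode),
            "hash": _text(hash_spec), "payload_sector": offset,
            "key_bytes": key_bytes}

# Constructed samples: a hand-built LUKS1 header start, and random bytes
# standing in for a volume format that stores no signature.
SAMPLE_LUKS = struct.pack(LUKS1_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain",
                          b"sha1", 4040, 64) + os.urandom(400)
SAMPLE_RANDOM = os.urandom(512)

if __name__ == "__main__":
    print(parse_luks(SAMPLE_LUKS))
    print(parse_luks(SAMPLE_RANDOM))
```

Anyone holding the disk learns the cipher, mode and key size from these fields; only the key material itself is protected by the passphrase.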
Info on cryptoloop insecurity (it also appears that loop-AES in single-key mode is insecure): http://mareichelt.de/pub/texts.cryptoloop.php
I don't think that's the only reason, I just remember hearing back when I was really into hard disk encryption that cryptoloop was very bad.
At any rate, it's unmaintained...
Last edited by Ranguvar (2009-12-01 15:26:38)
Offline
And the author is a she, not a he, afaik.
Ooops; the first time that I'm not politically correct and right away I do it wrong ...
But you're right that it sounds pretty useful if you need to have also windows access; an alternative to truecrypt.
Offline