Measured “in the vacuum” of the main memory bus, AES-NI certainly delivers on its performance promises. The following benchmarks were recorded with TrueCrypt’s integrated benchmarking facility on a system equipped with an Intel Core i5-2520M Sandy Bridge processor sporting the AES extensions. When enabled on this system, hardware acceleration was observed to result in a more than 5x speed boost in AES encryption and decryption performance, bumping throughput up from 277 MB/s to 1.5 GB/s. Even cascaded modes recognized significant speed gains.

Real world applications, however, do not take place in a vacuum, and most users would be hard pressed to bring a data stream with anywhere close to even the lower of the two measured speeds in scope. Encrypted streams don’t spontaneously originate in main memory with its tens of GB/s of bandwidth. They come from storage devices and network sockets. No rotating mechanical disk drive achieves such high transfer rates at this time (try ~120 MB/s), nor does gigabit ethernet (125 MB/s). Contemporary SATA controllers do in theory (300 MB/s and 600 MB/s), and solid state disks can max out their bandwidth, but do not mix well with encryption due to wear leveling. Some RAID configurations could go there in theory, but doubtfully in practice. 10 gigabit ethernet (1.25 GB/s) could break these speeds, but is limited to exotic applications. In fact, network hardware that can operate at such speeds is largely restricted to industrial contexts.

When performance demand is less than what could be supplied absent hardware acceleration, the acceleration is a “nice to have” and might have incidental benefits, however in throughput terms its performance impact is zero. Hardware-accelerated AES can ultimately only be said to yield a material, tangible speed boost when the AES cipher is operating on a stream of greater bandwidth than a software-only implementation could keep up with at that time. This is not typically the case in practical scenarios with realistic present day hardware.

So, does AES-NI make a difference? Absolutely. It all but eliminates the possibility that the cipher will act as the performance bottleneck in any given application. It reduces the risk of an erroneous or adulterated AES implementation in software, and it mitigates side channel attacks. It conserves CPU cycles, which conserves power. And, there are circumstances when hardware-accelerated AES would have unambiguous, meaningful performance impact:

• When the stream is extremely fast: you’re lucky enough to have an unusually high performance configuration, you’re in a research lab, or you’re in the future with more advanced hardware than exists today

• When the CPU is underpowered with respect to the other bottlenecks in the system: this could be a factor as AES-NI becomes available on lower powered chips, although, every model Intel has shipped with AES on-die appears to be no less than half as fast as that tested here

• When the CPU is substantially taxed at the time by other processes, which is wholly conceivable

But, in spite of all the benefits hardware accelerated AES brings, it would be naive to regard the technical upper speed limits illustrated in benchmarks as real world performance targets. AES-NI is better viewed as future-proofing, which is no doubt what Intel and AMD are up to with their investment in AES technology.

Resources

Wikipedia: Advanced Encryption Standard

Wikipedia: AES-NI instruction set

Intel: Advanced Encryption Standard Instructions (AES-NI)

TrueCrypt Homepage

TrueCrypt: Hardware Acceleration

Wikipedia: List of Device Bandwidths

Wikipedia: Disk Drive Performance Characteristics

SSDs and TrueCrypt: Durability and Performance Issues

Intel Product Search: AES-NI

7.1

September 1, 2011

      New features:

• Full compatibility with 64-bit and 32-bit Mac OS X 10.7 Lion

      Improvements and bug fixes:

• Minor improvements and bug fixes  (Windows, Mac OS X, and Linux)

I’ll be upgrading several systems here from version 7.0a and expect zero issues. I’ve been running TrueCrypt since version 6.0a in late 2008, and never experienced a single issue upgrading or at any other time. It’s a rock solid program, though the authors are something of a black hole.

If you don’t already have Full Disk Encryption on your portable laptop or notebook computers, this fresh release presents an excellent opportunity to get serious about data theft prevention and fortify your security posture. I offer full service TrueCrypt Full Disk Encryption installation for those who are most comfortable having an expert consultant perform the procedure using streamlined tools. Contact me for information.

Resources

TrueCrypt Homepage

TrueCrypt Release Notes

TrueCrypt Download Latest Stable Version

In terms of the impacted segment of users, the release notes call out a workaround for an issue affecting Windows Vista and later operating systems only (but not Windows XP) and only with specific storage controller device drivers present.

7.0a

September 6, 2010

      Improvements:

• Workaround for a bug in some custom (non-Microsoft) drivers for storage device controllers that caused a system crash when initiating hibernation on TrueCrypt-encrypted operating systems.  (Windows 7/Vista/2008/2008R2)

• Other minor improvements  (Windows, Mac OS X, and Linux)

      Bug fixes:

• Minor bug fixes  (Windows, Mac OS X, and Linux)

I’d make this to be pretty limited in extent, and for a fact it doesn’t impact my installations, all Windows XP systems. But, all the same, I’ve updated three systems here at the lab from version 7.0 without issue.

If you don’t already have Full Disk Encryption on your portable laptop / notebook / netbook computers, this fresh release presents an excellent opportunity to get serious about data theft prevention and fortify your security posture. I offer full service TrueCrypt Full Disk Encryption installation for those who are most comfortable having an expert perform the procedure using streamlined tools. Contact me for information.

Resources

TrueCrypt Homepage

TrueCrypt Release Notes

TrueCrypt Download Latest Stable Version

AES is the Advanced Encryption Standard, the open, powerful encryption cipher officially sanctioned by the Federal government in 2001 for the encryption of top secret information. It has since become so ubiquitous that, as of this year, chip maker Intel has begun burning the logic underlying AES right on to new chips in hard-wired, transistorized form, allowing encryption and decryption duties to be offloaded from software applications for increased security, reliability and performance.

AES is also the fastest of three ciphers supported by TrueCrypt and the default cipher when creating new volumes. With version 7.0 the TrueCrypt development team has made good on their longstanding promise of a future release that would leverage hardware-accelerated AES capabilities when present.

The new version also sports a variety of other usability, technical, and security improvements, including a number of convenience features involving Favorite Volumes (a feature I seldom use personally), and hardening of Hibernation File encryption under Windows Vista and 7 in the case that Full Disk Encryption is not in force (which is an ill-chosen configuration anyway). And, support for native volume encryption of floppy disks is dropped, presumably since no one has even seen a working floppy disk in years.

As the major version number increment suggests, this update is highly recommended for all users running previous versions. I’ve updated three systems here at the lab from version 6.3a without issue, although sadly, none of the three have new enough CPUs to do hardware-accelerated AES.

7.0

July 19, 2010

      New features:

• Hardware-accelerated AES (for more information, see the chapter Hardware Acceleration).

  Note: If you want to disable hardware acceleration, select Settings > Performance and disable the option ‘Accelerate AES encryption/decryption by using the AES instructions of the processor‘.

• A volume can now be configured to be automatically mounted whenever its host device gets connected to the computer (provided that the correct password and/or keyfiles are supplied).  (Windows)

  Note: For example, if you have a TrueCrypt container on a USB flash drive and you want to configure TrueCrypt to mount it automatically whenever you insert the USB flash drive into the USB port, follow these steps: 1. Mount the volume. 2. Right-click the mounted volume in the drive list in the main TrueCrypt window and select ‘Add to Favorites‘. 3. The Favorites Organizer window should appear. In it, enable the option ‘Mount selected volume when its host device gets connected‘ and click OK.

  Also note that TrueCrypt will not prompt you for a password if you have enabled caching of the pre-boot authentication password (Settings > ‘System Encryption‘) and the volume uses the same password as the system partition/drive. The same applies to cached non-system volume passwords.

• Partition/device-hosted volumes can now be created on drives that use a sector size of 4096, 2048, or 1024 bytes (Windows, Linux). Note: Previously only file-hosted volumes were supported on such drives.

• Favorite Volumes Organizer (Favorites > ‘Organize Favorite Volumes‘ or ‘Organize System Favorite Volumes‘), which allows you to set various options for each favorite volume. For example, any of them can be mounted upon logon, as read-only or removable medium, can be assigned a special label (which is shown within the user interface instead of the volume path), excluded from hotkey mount, etc. The order in which favorite volumes are displayed in the Favorites Organizer window can be changed and it is the order in which the volumes are mounted (e.g. when Windows starts or by pressing the ‘Mount Favorite Volumes‘ hotkey). For more information, see the chapters Favorite Volumes and System Favorite Volumes.  (Windows)

• The Favorites menu now contains a list of your non-system favorite volumes. When you select a volume from the list, you are asked for its password (and/or keyfiles) (unless it is cached) and if it is correct, the volume is mounted. (Windows)

      Security improvements:

• In response to our public complaint regarding the missing API for encryption of Windows hibernation files, Microsoft began providing a public API for encryption of hibernation files on Windows Vista and later versions of Windows (for more information, see the section TrueCrypt 5.1a in this version history). Starting with this version 7.0, TrueCrypt uses this API to encrypt hibernation and crash dump files in a safe documented way. (Windows 7/Vista/2008/2008R2)

  Note: As Windows XP and Windows 2003 do not provide any API for encryption of hibernation files, TrueCrypt has to modify undocumented components of Windows XP/2003 in order to allow users to encrypt hibernation files. Therefore, TrueCrypt cannot guarantee that Windows XP/2003 hibernation files will always be encrypted. Therefore, if you use Windows XP/2003 and want the hibernation file to be safely encrypted, we strongly recommend that you upgrade to Windows Vista or later and to TrueCrypt 7.0 or later. For more information, see the section Hibernation File.  

      Improvements:

• Many minor improvements.  (Windows, Mac OS X, and Linux)

      Bug fixes:

• Minor bug fixes.  (Windows, Mac OS X, and Linux)

      Removed features:

• TrueCrypt no longer supports device-hosted volumes located on floppy disks. Note: You can still create file-hosted TrueCrypt volumes on floppy disks.

The authors dropped a lot more detail in the release notes this time, which is highly appreciated.

If you don’t already have Full Disk Encryption on your portable laptop / notebook / netbook computers, this fresh release presents an excellent opportunity to get serious about data theft prevention and fortify your security posture. I offer full service TrueCrypt Full Disk Encryption installation for those who are most comfortable having an expert perform the procedure using streamlined tools. Contact me for information.

Resources

TrueCrypt Homepage

TrueCrypt Release Notes

TrueCrypt Download Latest Stable Version

Wikipedia: Advanced Encryption Standard

Wikipedia: AES Instruction Set

Wikipedia: Intel Westmere Architecture

Intel: Advanced Encryption Standard (AES) Instructions Set

6.3a

November 23, 2009

      Improvements and bug fixes:

• Minor improvements and bug fixes.  (Windows, Mac OS X, and Linux)

Such glaring lack of detail in the release notes leaves upgraders unable to ascertain whether the newest fixes do or do not apply to their installations. I have complained about the lack of transparency before though, so I guess the developers have not dropped by. Are there performance improvements, security fixes, new features, or all of the above? Do they apply only to a specific architecture, or everyone? TrueCrypt: your users need to know these things.

In any event I will perform the upgrade to 6.3a on my affected systems for the sake of keeping current.

If you don’t already have Full Disk Encryption on your portable laptop / notebook / netbook computers, this fresh release presents an excellent opportunity to get serious about data theft prevention and fortify your security posture. I offer full service TrueCrypt Full Disk Encryption installation for those who are most comfortable having an expert perform the procedure using streamlined tools. Contact me for information.

Resources

TrueCrypt Homepage

TrueCrypt Release Notes

TrueCrypt Download Latest Stable Version

6.3

October 21, 2009

      New features:

• Full support for Windows 7.

• Full support for Mac OS X 10.6 Snow Leopard.

• The ability to configure selected volumes as ‘system favorite volumes’. This is useful, for example, when you have volumes that need to be mounted before system and application services start and before users start logging on. It is also useful when there are network-shared folders located on a TrueCrypt volume and you need to ensure that the network shares will be restored by the system each time it is restarted. For more information, see the chapter ‘Main Program Window‘, section ‘Program Menu‘, subsection ‘Volumes -> Save Currently Mounted Volumes as Favorite‘ in the documentation. (Windows)

      Improvements and bug fixes:

• ‘Favorite’ volumes residing within partitions or dynamic volumes will no longer be affected by changes in disk device numbers, which may occur, e.g., when a drive is removed or added.  (Windows)

• Many other minor improvements and bug fixes.  (Windows, Mac OS X, and Linux)

The release notes always say “Many other minor improvements and bug fixes.” For once I would like to know what exactly the improvements and bugfixes include in detail. If there’s one complaint I have about TrueCrypt it’s lack of transparency from the developers.

The in situ version update procedure is fairly trivial, overwriting the installed version of the application and rewriting an updated boot loader in the case of Full Disk Encryption. The end-to-end drive encryption pass does not have to be run again (a common concern). It is recommended (not enforced, but highly advisable) to burn an updated rescue CD for FDE systems since the boot loader has changed – I always do.

If you don’t already have Full Disk Encryption on your portable laptop / notebook / netbook computers, this fresh release presents an excellent opportunity to get serious about data theft prevention and fortify your security posture. I offer full service TrueCrypt Full Disk Encryption installation for those who are most comfortable having an expert perform the procedure using streamlined tools. Contact me for information.

Resources

TrueCrypt Homepage

TrueCrypt Release Notes

TrueCrypt Download Latest Stable Version

Why encrypt a CD? Well, think of it this way: You take a good deal of trouble to protect the data on your computer from disclosure, using access controls like login passwords, software countermeasures to protect against infection and intrusion, maybe you have even followed my advice and implemented Full Disk Encryption. Suppose, though, that you then burn some important documents (lets say financial, tax, or customer records or the blueprints to a sensitive project) from your carefully protected computer to a plain old data CD. You place it on your desk, or in a spindle in a drawer, or in your car, or in a box to take to the post office. Later, when you’re not looking, a bad guy snatches this CD and makes off with it. Just like that, he has unrestricted access to its contents without ever having to defeat any defenses. This is a wide open security gap.

Encrypted CDs close this gap in an airtight way. They are effective against the risk of general theft from the premises, the risk of interception in transport, the risk of disclosure to an untrusted agent in a bailment situation as when data vaulting, the risk of corporate espionage, jealous lovers, the IRS, you name it. Whoever snags it will be the proud new owner of a nice pile of random data that, unless they have 5,000 years and a supercomputer, is totally opaque to them.

Secure portable storage media may even be required for regulatory compliance in many contexts, as when storing sensitive customer data such as Social Security Numbers, credit card numbers, or health records. Data breaches in military, public, and commercial sectors have increasingly been making headlines. Regulatory authorities in Nevada and Massachusetts just passed laws requiring the mandatory encryption of Social Security numbers, bank account numbers, and credit card numbers when carried on portable storage devices like flash drives, setting a precedent that will likely see legislation nationwide.

How to make an encrypted CD

The gist of the procedure is to create an encrypted file-container volume with TrueCrypt that is just slightly less than the size of the target media. I use a 695MB .tc container filesize for a 700MB CD-R. (You could choose a similar container filesize for a 4.7GB single layer DVD-R or 8.5GB dual layer DVD-R). The extra margin of 5MB is used to add some AutoRun machinery to the CD so that when the finished disk is inserted, Windows shell takes you right into password entry for mounting the encapsulated volume.

1. Create an encrypted file-container volume on disk

1. Open TrueCrypt and start the Volume Creation Wizard by clicking “Create Volume”
2. Choose the default “Create an encrypted file container”
3. Choose the default “Standard TrueCrypt volume”
4. Specify a scratch path where you have sufficient space to hold the 695MB container file. A scratch partition is ideal for this. Make up a filename of your choice, I usually name it contents.tc or [yyyymmdd].tc. For the purposes of this example let’s name it contents.tc
5. For Encryption Options the default algorithms are fine unless you care to change them
6. Enter a volume size of 695MB



7. Specify a password, pick a good one
8. The documentation says Windows has problems with NTFS on read-only media, but I’ve never had a problem and always choose NTFS
9. Move the mouse around to populate the Random Pool, then finally click “Format” to create the container file
10. Writing of the container file shouldn’t take too long, seconds to a minute depending on your system, then you can exit

2. Mount the file-container volume and copy your content into it

1. Open the container file you just created, contents.tc, for mounting with TrueCrypt. If you named it with a .tc extension a shell association exists and you can just double-click on it to be taken right into TrueCrypt with it already selected as the volume file.
2. An available drive letter should already be selected. Click “Mount” and enter your password to mount the encrypted volume as that virtual drive.
3. You can now open that drive letter and populate it with content, whatever is the target data that will be going on the CD. Remember that the drive has a 695MB capacity.
4. When done, dismount the volume from TrueCrypt using the “Dismount” button.

3. For a convenient and elegant touch, use TrueCrypt’s Traveler Disk Setup utility to generate some AutoRun machinery that will start automatically when the finished disk is inserted

1. Start the utility from TrueCrypt > “Tools” menu > “Traveler Disk Setup…”
2. For “Create traveler disk files at (traveler disk root directory)” box, browse for and locate the scratch path you used in step 1 above, the path where the container file resides
3. Uncheck “Include TrueCrypt Volume Creation Wizard”, you don’t need it for this use case
4. Under AutoRun Configuration choose “Auto-mount TrueCrypt volume (specified below)”
5. For “TrueCrypt volume to mount (relative to traveler disk root)” box, browse for and locate the container file itself
6. “Open Explorer window for mounted volume” should already be checked



7. Finally, click “Create” to generate the AutoRun components. Traveler Disk Setup quickly creates a folder named TrueCrypt with a little bit of plumbing and a file named autorun.inf in the target path, then you can close out of the utility

4. Burn the CD

1. Using CD burning software of your choice (I use Nero, but use whatever you have on your machine) create a new Data CD (ISO) compilation
2. Place the following files into it: contents.tc, autorun.inf, and the TrueCrypt folder
3. Notice importantly what is happening: You are burning the container – not its encapsulated contents – and the AutoRun machinery to media
4. Burn the compilation to blank media, label it, and test it

Upon insertion to a computer with AutoPlay enabled, this CD should now prompt you for the password, mount the encrypted volume automatically to an available drive letter, and open an Explorer window to that drive. And because its runtime components are packaged on the disk, it will work even on a machine that doesn’t have TrueCrypt natively installed.

Many security conscious users (myself included) disable AutoPlay because it poses something of a security risk; in this case, you can still mount contents.tc the long way, using TrueCrypt’s main dialog, you just sacrifice some convenience.

The developers of TrueCrypt have remarked that they plan to add support for Raw CD/DVD volumes in a future release, which ought to further simplify this procedure.

Stay tuned to this space for Part 2: Encrypted USB Memory Sticks, where I plan to share a very useful nested AutoRun technique.

Resources

TrueCrypt Homepage

TrueCrypt Traveler Mode

Wikipedia: AutoRun

Extent of identity theft and data breaches largely hidden

Mass 201 CMR 17: A Survival Guide for the Anxious

Mass 201 CMR 17: The Darkness and the Light

The Federal Trade Commission estimates that as many as 9 million Americans have their identities stolen each year, and that identity theft is the fastest growing crime in the nation.

If your laptop was lost or stolen, the new “owner” could have unrestricted access to view all your private documents, email, pictures, and could even gain access to financial accounts. Your ordinary system login passwords (if you use them) afford you no real protection and only a false sense of security; an unscrupulous individual can bypass Windows passwords and BIOS passwords by simply detaching the drive and connecting it as an external data drive to another computer, rendering all its contents completely visible.

There is a simple and effective countermeasure that protects you against this serious privacy risk, rendering your confidential data totally useless to any unauthorized party who gets their hands on it. Yet not nearly enough users leverage this crucial security capability.

Full Disk Encryption (FDE) is software (or hardware) which encrypts every bit of data that goes on a disk, from start to end, automatically, transparently, in real-time. You choose a password that unlocks the encryption, which must be entered whenever starting up the computer. Without the correct password, the contents of the disk are rendered completely useless to any thief, effectively a mass of random data.

Note that this is a much more robust level of security than an ordinary startup password. The data on the disk is stored encrypted at all times and at no time is unencrypted data written to the disk. A low level driver layer intervenes between the disk and the rest of the operating system, to whose point of view the disk is just ordinary unencrypted storage.

I have deployed an industry standard Full Disk Encryption software solution for the protection of my own systems, including not only laptops but also external storage devices. I am using it every day and finding it to be reliable, mature, optimized, and to cause essentially imperceptible (e.g. no) performance impact.

I am recommending all users of portable laptop and notebook computers to contact me to set up an appointment to have this vital security capability expertly installed to your systems. Don’t risk a data breach that could make you the victim of identity theft or the leakage of your personal documents and files to prying eyes. Even if you don’t have anything “important” on your computer, why allow some rogue individual the pleasure of viewing your personal documents, pictures, and email? Lock them out with Full Disk Encryption.

Resources

Wikipedia: Full Disk Encryption

About.com Business Security: 8 Reasons for Full Disk Encryption