TrueCrypt 7.0 Released, Supports Hardware-Accelerated AES

A major, feature-rich update to the TrueCrypt disk encryption tool hit the wire yesterday, notably adding support for Intel’s on-die AES-NI instruction set in Westmere class processors and newer. The authors claim a juicy 4 to 8 times performance leap for hardware-accelerated AES over a pure software implementation.

AES is the Advanced Encryption Standard, the open, powerful encryption cipher officially sanctioned by the Federal government in 2001 for the encryption of top secret information. It has since become so ubiquitous that, as of this year, chip maker Intel has begun burning the logic underlying AES right on to new chips in hard-wired, transistorized form, allowing encryption and decryption duties to be offloaded from software applications for increased security, reliability and performance.

AES is also the fastest of three ciphers supported by TrueCrypt and the default cipher when creating new volumes. With version 7.0 the TrueCrypt development team has made good on their longstanding promise of a future release that would leverage hardware-accelerated AES capabilities when present.

The new version also sports a variety of other usability, technical, and security improvements, including a number of convenience features involving Favorite Volumes (a feature I seldom use personally), and hardening of Hibernation File encryption under Windows Vista and 7 in the case that Full Disk Encryption is not in force (which is an ill-chosen configuration anyway). And, support for native volume encryption of floppy disks is dropped, presumably since no one has even seen a working floppy disk in years.

As the major version number increment suggests, this update is highly recommended for all users running previous versions. I’ve updated three systems here at the lab from version 6.3a without issue, although sadly, none of the three have new enough CPUs to do hardware-accelerated AES.

7.0

July 19, 2010

      New features:

Hardware-accelerated AES (for more information, see the chapter Hardware Acceleration).

Note: If you want to disable hardware acceleration, select Settings > Performance and disable the option ‘Accelerate AES encryption/decryption by using the AES instructions of the processor‘.

A volume can now be configured to be automatically mounted whenever its host device gets connected to the computer (provided that the correct password and/or keyfiles are supplied). (Windows)

Note: For example, if you have a TrueCrypt container on a USB flash drive and you want to configure TrueCrypt to mount it automatically whenever you insert the USB flash drive into the USB port, follow these steps: 1. Mount the volume. 2. Right-click the mounted volume in the drive list in the main TrueCrypt window and select ‘Add to Favorites‘. 3. The Favorites Organizer window should appear. In it, enable the option ‘Mount selected volume when its host device gets connected‘ and click OK.

Also note that TrueCrypt will not prompt you for a password if you have enabled caching of the pre-boot authentication password (Settings > ‘System Encryption‘) and the volume uses the same password as the system partition/drive. The same applies to cached non-system volume passwords.

Partition/device-hosted volumes can now be created on drives that use a sector size of 4096, 2048, or 1024 bytes (Windows, Linux). Note: Previously only file-hosted volumes were supported on such drives.

Favorite Volumes Organizer (Favorites > ‘Organize Favorite Volumes‘ or ‘Organize System Favorite Volumes‘), which allows you to set various options for each favorite volume. For example, any of them can be mounted upon logon, as read-only or removable medium, can be assigned a special label (which is shown within the user interface instead of the volume path), excluded from hotkey mount, etc. The order in which favorite volumes are displayed in the Favorites Organizer window can be changed and it is the order in which the volumes are mounted (e.g. when Windows starts or by pressing the ‘Mount Favorite Volumes‘ hotkey). For more information, see the chapters Favorite Volumes and System Favorite Volumes.  (Windows)

The Favorites menu now contains a list of your non-system favorite volumes. When you select a volume from the list, you are asked for its password (and/or keyfiles) (unless it is cached) and if it is correct, the volume is mounted. (Windows)

      Security improvements:

In response to our public complaint regarding the missing API for encryption of Windows hibernation files, Microsoft began providing a public API for encryption of hibernation files on Windows Vista and later versions of Windows (for more information, see the section TrueCrypt 5.1a in this version history). Starting with this version 7.0, TrueCrypt uses this API to encrypt hibernation and crash dump files in a safe documented way. (Windows 7/Vista/2008/2008R2)

Note: As Windows XP and Windows 2003 do not provide any API for encryption of hibernation files, TrueCrypt has to modify undocumented components of Windows XP/2003 in order to allow users to encrypt hibernation files. Therefore, TrueCrypt cannot guarantee that Windows XP/2003 hibernation files will always be encrypted. Therefore, if you use Windows XP/2003 and want the hibernation file to be safely encrypted, we strongly recommend that you upgrade to Windows Vista or later and to TrueCrypt 7.0 or later. For more information, see the section Hibernation File.

      Improvements:

Many minor improvements. (Windows, Mac OS X, and Linux)

      Bug fixes:

Minor bug fixes. (Windows, Mac OS X, and Linux)

      Removed features:

TrueCrypt no longer supports device-hosted volumes located on floppy disks. Note: You can still create file-hosted TrueCrypt volumes on floppy disks.

The authors dropped a lot more detail in the release notes this time, which is highly appreciated.

If you don’t already have Full Disk Encryption on your portable laptop / notebook / netbook computers, this fresh release presents an excellent opportunity to get serious about data theft prevention and fortify your security posture. I offer full service TrueCrypt Full Disk Encryption installation for those who are most comfortable having an expert perform the procedure using streamlined tools. Contact me for information.