USB encryption?


logicalconfusion

My gf recently lost her thumb drive loaded with pics of us, out in the woods. She lost it at a Bingo tournament in a local church. I don't think the seniors are going to upload our naked pics but now I'm scared. From now on we decided to encrypt all our info on USB drives, only out of necessity. I thought of using True Crypt to hide files. It's a great free application. The only problem is that it's not inherently installed on Windows/Linux/OS X. There must be an easier way. Any ideas?

Edited by logicalconfusion

Other than password-protected zip files, I don't think there is much you could do that is "inherently installed on Windows/Linux/OS X".

The strategy I would probably go with is to include TrueCrypt as a portable app for all the operating systems/platforms you expect to encounter on the USB stick and then store the files in an encrypted container on the filesystem. That way you can plug it in, fire up Truecrypt, mount the container, do stuff with the files. Disadvantage is that TrueCrypt takes up some space on the drive, but drives are always getting bigger and cheaper so this might not be a big issue. For Linux, make sure you have a statically-compiled TrueCrypt binary for any platforms you expect to encounter (i386, x86_64, for ARM you're kind of screwed unless you know in advance which ARM chips/kernels you'll be running on).

If you're looking for hardware, I have an IronKey that I use to back up sensitive files. (The ones I *need* a safe backup of, but that I can't store on unencrypted media. Things like my PGP keys/revocation certs, ssh keys, bank account information, or anything else that I would be screwed if it was lost or leaked.) IronKey is a pricey solution for everyday use, but it offers stronger protection than TrueCrypt. I've used it on Windows and Linux without problems, never tested on OS X.

Edit: Also, GnuPG might be a little bit smaller than IronKey and it can be useful for encrypting/decrypting individual files. In addition to the asymmetric cryptography which it is known for, the 'gpg' utility can also do symmetric encryption like TrueCrypt. And it wouldn't hurt to have a trusted copy of GnuPG with you in case you need to verify or encrypt messages.

Edited by Sitwon

True Crypt (as far as I'm aware) is one of the few multi-platform tools to do this.

Not being installed is not an issue for Windows (don't have a Mac to test on and haven't tested on Linux) as it's portable. Portableapps.com have a Windows version, and there are instructions on the True Crypt site, which I just copy to the root of my USB, but I use Portableapps for all my USB sticks just to have all my utilities handy and automatic updates.


ok! Now we all see that M$ really doesn't care. With all the open source encryption protocols out there, there's not one universal standard that works well with all the processors that Crocodile Dun-dee just mentioned. Let's pretend ARM and all the others in the market didn't exist. What if it was just Win/Linux/OS X. The last time I checked Iron key isn't GALVANIZED! Bid Lan-den can screw us all over by forcing his belly dancers to stomp it w/ ti-89 camels. I'm looking for a safe method that's portable for the clouds....

Edited by logicalconfusion

Without using something like TrueCrypt, password protected zip files would probably be your best bet for universal cross platform use. It's not always pre-installed in Linux, but that's usually an easy fix on most *nix systems. Windows has zip file support built in, and I think so does OSX, but I do know they make a zip program for OSX because I have clients who send me files from their Macs in a zip file.

Only flaw with zip files is that when opened in notepad, you can clearly see the file names. If you want encrypted file names and password protection, use winrar which works on Windows and Linux, but not 100% sure on Mac equivalents.

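The file-name exposure mentioned in the post above comes from the ZIP format itself: in an ordinary password-protected zip the central directory (names, sizes, encryption flags) is stored in the clear. The following is an added example, not part of the original thread, that lists what an archive reveals without the password and which encryption scheme each entry declares. The sample archive is constructed, and its header fields are patched to mimic protected entries because Python's `zipfile` cannot write encrypted archives.

```python
import io
import struct
import zipfile

CDIR_SIG = b"PK\x01\x02"   # central directory file header
EOCD_SIG = b"PK\x05\x06"   # end of central directory record

def audit_zip(data: bytes):
    """List what is readable from a ZIP without knowing the password."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive")
    # EOCD: entry count at +10, central directory size at +12, offset at +16.
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    findings = []
    for _i in range(total):
        # Fixed 46-byte header, followed by name, extra field and comment.
        (sig, _, _, flags, method, _, _, _, _, size, name_len, extra_len,
         comment_len, _, _, _, _) = struct.unpack_from("<4s6H3I5H2I", data, pos)
        if sig != CDIR_SIG:
            raise ValueError("corrupt central directory")
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if not flags & 0x0001:       # bit 0 clear: entry is not encrypted
            scheme = "none"
        elif method == 99:           # method 99 marks WinZip AES entries
            scheme = "AES (WinZip AE-x)"
        else:                        # encrypted bit with an ordinary method
            scheme = "legacy ZipCrypto"
        findings.append((name, size, scheme))
        pos += 46 + name_len + extra_len + comment_len
    return findings

def build_sample() -> bytes:
    """Constructed sample: payloads are NOT really encrypted, only the
    central-directory flag/method fields are patched for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday/IMG_0001.jpg", b"constructed bytes")
        zf.writestr("holiday/IMG_0002.jpg", b"constructed bytes")
    raw = bytearray(buf.getvalue())
    first = raw.find(CDIR_SIG)
    second = raw.find(CDIR_SIG, first + 4)
    struct.pack_into("<H", raw, first + 8, 0x0001)         # flags only
    struct.pack_into("<HH", raw, second + 8, 0x0001, 99)   # flags + method
    return bytes(raw)

if __name__ == "__main__":
    for name, size, scheme in audit_zip(build_sample()):
        print(f"{name}  {size} bytes  encryption: {scheme}")
```

Run against a real archive with `audit_zip(open(path, "rb").read())`; entries reported as legacy ZipCrypto are the ones to re-create with an AES-capable tool or move into an encrypted container.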

Also when password protecting zip files, make sure you have a really strong password since you can try forever to guess the password; there is to my knowledge no way to self-destruct a zip file upon mis-guessing the password.

Quote from the winzip website:

"The security of your data depends not only on the strength of the encryption method but also on the strength of your password, including factors such as length and composition of the password, and the measures you take to ensure that your password is not disclosed to unauthorized third parties." (http://kb.winzip.com/kb/entry/80/)

Literally every coder can write a password cracker for zip files, it is a common example when reading books on Python for hackers ... You can find one here if you look into the preview: http://www.amazon.com/Violent-Python-Cookbook-Penetration-Engineers/dp/1597499579

Conclusion: don't put pictures you do not want others to see on media that is frequently lost/stolen (USB, external HD, public dropbox folder, phone) :-)


Great idea. I'll stick to cloud based solutions like Iron Key, that Hak5 Pirate mentioned. I thought Iron Key was just a plain old USB drive with some kind of proprietary encryption app built-in :D lol. I think it's best to use a three-layer approach, True Crypt combined with an Encrypted Zip file stored on a secure network that can be accessed by LogMein Hamachi or Open VPN. It's too bad there's no like real built-in OS mechanism that can transparently encrypt files on the fly while the USB is connected, like a dongle. I know that Win7 implements Bitlocker...wish it was compatible with all the other OSes. Too bad Iron Key costs an arm and a leg!


ok! Now we all see that M$ really doesn't care. With all the open source encryption protocols out there, there's not one universal standard that works well with all the processors at Crocodile Dun-dee just mentioned. Let's pretend ARM and all the other in the market didn't exist. What if it was just Win/Linux/OS X. The last time I checked Iron key isn't GALVANIZED! Bid Lan-den can screw us all over by forcing his belly dancers to stomp it w/ ti-89 camels. I'm looking for a safe method that's portable for the clouds....

IronKey is designed to be resistant to both digital and physical attacks. If you try to open it up the chip self-destructs. If you try the wrong password enough times it self-destructs. In either case, it's stronger than a normal USB key regardless of what encryption you are using.

Ignoring ARM, you can easily include a portable version of GnuPG and/or TrueCrypt on the key and have an encrypted container on the key. For the use case you originally described I don't see how that's a bad option.


Zipfile passwords are trivial to crack. There have been zip password crackers available online since at least the mid-90's. That's how I found the password to unlock the VCL toolkit back when I first got into the scene. (Does anyone here even remember VCL?)


YUP! I remember it from way back in the day! Zip file encryption is a lot like decompiling ol'skool 16bit VB3 appz, remember a password is just a permutation that never changes unless the NSA is involved. So, now it's time for a platform-independent encryption scheme? Any ideas?


Truecrypt can run in a portable mode (but you still need an administrator account on the computer on which you're using it).

This seems elaborate, but what I would do is make 2 partitions on the USB drive. One a regular Fat32, the other will be the Truecrypt partition. With 2 partitions you get a backup unencrypted partition for convenience and it still looks like a normal USB drive when you plug it in (albeit one where the size of the drive will not reflect the number written on the outside of the USB drive). You also have somewhere to put Truecrypt portable on for when you're using another computer.

Give the Truecrypt partition some weird partition ID so that it is ignored by Windows (and probably other operating systems) when you put the USB drive in the computer. Then encrypt the 2nd partition with Truecrypt.


Well True Crypt can create hidden partitions. TC can run in "portable" mode if there's a version of it installed on each OS. I was thinking of a universal format like zip that's recognized by all the major OSes. I'll write congress....they can persuade the IT industry to set a default standard that works like True Crypt on all major OSes. Either way, it's good to know that TC is around. Changing the partition ID is a good idea. Thanks.


Whatever way you go about securing your files, don't forget that losing the USB drive isn't the only risk involved with putting confidential files on a USB drive. Some applications will make cached copies of files locally while they are using them and don't clear them out when they close. Misconfigured search programs can cache metadata about your files that may even include a preview version of the image. So if you aren't careful you could be leaving your confidential files on other people's machines in a form that they can read and possibly even presented to them when they innocently search for their own files.

Also you will need to remember to clear out the opened recently list in any programs you use (and possibly the Windows Start menu) as even just the filename and path can give information away about your file.

Having said all that, TrueCrypt is awesome and definitely harder to attack and hide than an encrypted zip file.


That's a very good point. I personally would never retrieve sensitive info on a public PC. Losing the USB drive wouldn't matter. It's pretty easy to program a thumb drive to like DBAN its contents every so often or check the CPU ID, before self destructing. All this reminds me of an old Bond movie....
