
Truecrypt is full disk encryption.



It is not only full disk encryption. I have used a file container encrypted with financial information on linux and windows over the years. I can mount that file on either OS.


Like Charles Dimino, you're not following the point. The security limitations of FDE come from doing crypto at the block layer. If your cryptosystem is giving something that (a) transparently encrypts and (b) mounts as a filesystem, it's block crypto, and shares the same problems as whatever cryptosystem unlocks your boot drive.

The problem is block-level crypto. It has nothing to do with whether it's layered on top of a hardware disk drive.


You're obsessing over the crypto, but we're talking about the user experience. It's block-level crypto. We get that. No one cares, in the context of this conversation.

What you're not getting is that TrueCrypt offered a particular interface experience and cross-platform compatibility that doesn't exist elsewhere.


You write as if the whole thread isn't there for people to see, and as if I had somehow responded to something you said rather than it being the other way around. You literally started this unproductive subthread by responding to the comment where I addressed the need for cross-platform things that work like Truecrypt does, and you've tried to build an argument by stipulating that security doesn't matter. Sorry, security is all that matters here.


http://www.markus-gattol.name/ws/dm-crypt_luks.html

"The term "full-disk/on-disk encryption" is often used to signify that everything on a disk is encrypted, including the programs that can encrypt bootable operating system partitions."

Are you going to tell Markus Gattol he's wrong? No? Good, let's move on.

What matters here is the security, and the adoption rate of TrueCrypt is/was through the roof, because of how it allowed folks to move encrypted volumes across various platforms without much hassle.

What you wrote seems to intimate there's no actual need or value in moving encrypted volumes across platforms, and that if folks actually want to do that they should just encrypt individually and at a FS level and do so using PGP, which has existed for years, and whose adoption rate and ease-of-use are both, compared to TrueCrypt, through the floor.

The fact is, people want to move encrypted volumes across platforms. It's not more secure than anything else, but it presents a workflow that might actually be more secure, due simply to its ease of implementation.

You're right, security is all that matters here, and folks aren't going to be secure if it remains impossibly difficult to be secure.


The reference you just provided, with your "are you going to tell Markus Gattol he's wrong" quip, starts out as follows:

> Block-layer encryption, also known as "whole disk encryption", "on-disk encryption" or "full-disk encryption"

I think you're just trolling. Sorry, I didn't even finish reading your comment.

Amusingly (edit: given how you cited it), there is in fact cryptographic stuff wrong in that article.


> Amusingly, there is in fact cryptographic stuff wrong in that article.

Oh yeah? That it wasn't personally endorsed by you?


(IMO) In that what it says about what specific things do does not correspond with objective reality. (As a product of the enlightenment I believe that such a concept exists and that correspondence with such is what makes something "wrong" or "right." ;-) If you want to know why, just look at what the article says, then observe objective reality, and see how they differ. The "Salt, Stretching" section is one place to look, it's the only one I really bothered reading.


Minimum viable non-snarky answer is: read what Rogaway says about the block-level crypto modes here:

http://web.cs.ucdavis.edu/~rogaway/papers/modes.pdf

You'll know the part I'm referring to because it reads practically as a response to a chunk of Gattol's page; it's a problem shared by the Wikipedia coverage on full-disk encryption.

Being cagey about it (i) motivates you to actually read the paper and (ii) avoids what would inevitably be an extremely unproductive debate.

(This is a fantastic survey, by the way; if you're interested in crypto, bookmark it forever.)

My amusement about Gattol's page has nothing to do with Gattol; it's just the way his page got used in this thread by someone else, as a sort of rhetorical "fatality" move. I'm confident Gattol is much smarter than I am. I say that because Dimino also tried to take this thread to Gattol on Twitter, too. :)


I figured if someone were besmirching my good work, I'd want to know about it, is all. I don't think one should be able to call someone wrong without giving them a chance to disagree.

Furthermore, this is devolving into a schoolyard, "I know but I'm not telling" situation. To put it another way, I don't think there is any significant error in Gattol's page, nor is there any significant error on the Wikipedia page on full-disk encryption.

I'm very glad to be shown to be incorrect on this point, but I doubt I would be, at least by you.

I'm interested in this area, both professionally and as a genuine curiosity, but every time I run into you it's a negative experience. I'd like that to stop happening.


That's a mighty fancy way of saying, "it's wrong" without pointing out examples.

But hey, I'm not ultimately the guy who wrote the article. I've poked both the author and Thomas on Twitter -- maybe Thomas can help the author correct any inaccuracies. You, too, could help I'd imagine, if you would be more specific about the issues. I'm guessing the author wouldn't want his article to remain inaccurate if folks could point out the specific issues.


It's like I'm talking to a child when I talk to you. I wouldn't bother if you didn't constantly pop up to derail conversations about crypto with your "crypto should stay hard" attitude. I suspect you want crypto to remain impossible to get right just so you can continue to stay relevant.

The rest of my comment frankly wasn't for you, it's for the folks reading what you write and blindly accepting it. At least now they can see how petulant you can be when facing differing points of view.


Up until this comment, I thought you might have a point against tptacek, but now it's clear you are trolling. Or at least, not operating under the "give your opponent a charitable interpretation" rule of HN.


I admit I tilted. It's just frustrating every time I talk to him or see him talk to others about anything that's even remotely contradictory to what he's said, it always devolves into something as inane as what happened here.

I shouldn't have tilted. :(


Is it still considered 'full disk' when it's only used with a container file? I've never used TC's full-disk mode, but I've used it to quickly and easily create mountable disk images (even without encryption this would be handy). To my ear, 'full disk encryption' is something a hard drive's firmware should be involved in.


It's "block level" encryption.

Some folks call that "full disk encryption", but since there's a separate feature in TrueCrypt that calls itself "full disk encryption" and is actually encrypting the entire disk, to the point where TrueCrypt has to supply a boot loader to decrypt, it's probably reasonable to want to differentiate the two.

Thomas doesn't see the difference because it's all "block level" encryption, and apparently the only thing in the world that matters is crypto (rather than the presentation and adoption of crypto), but the difference is mainly in the boot loader aspect.


What are you talking about? It needs a boot loader if it encrypts the OS partition, which is orthogonal to whether it encrypts entire physical discs or not. That feature is not called "full disk" anywhere I can see. "System Encryption" or something.


> That feature is not called "full disk" anywhere I can see. "System Encryption" or something.

See above citation.


No it's not, I use TrueCrypt all the time but not to encrypt my disk. Are you talking about the volume-level encryption TrueCrypt offers?

Are you really trying to suggest the world shouldn't have a tool like TrueCrypt out there?


I have no idea why you think it's productive to litigate the difference between "block-level encryption" and "full-disk encryption", but if it makes you feel better we can just pretend we switched the terms, because my point applies equally to them --- they're synonyms.

I also have no idea where the "I'm telling the world there shouldn't be a tool like Truecrypt" came from. I think you've misread me.


I never said you were telling the world anything.

I'm asking you a question to clarify your stance.


And yes, there is value in noting the difference between block-level and full-disk encryption, mostly because they're different.


Interesting. How?


Size, software used. The crypto might be the same, but this isn't just about the crypto itself.


If you're talking about a security product -- which TrueCrypt is -- the first metric you have to concern yourself with is: does it keep you secure? The user experience and the adoption and the performance and all that other fun stuff is irrelevant if the product doesn't do the one thing that every user unequivocally requires of it.

So yes, it's not just about the crypto...when the crypto works. But when the crypto is insecure, which is what tptacek is saying, then yes, it is ONLY about the crypto.

NB: I'm plenty qualified on UX and general technical matters, but on whether crypto is secure, I defer to the experts.


No one knows about the cryptographic integrity of TrueCrypt, as the person/persons actually doing the work only got their act together today.

http://blog.cryptographyengineering.com/2015/02/another-upda...

My only point has been that Thomas, et al. have been telling us we don't want something like TrueCrypt, despite the fact that we very clearly do. His suggestion of "just use PGP and FS level encryption" is absurd, but NOT from a crypto standpoint (I, like you, defer to Thomas and the other experts on the integrity of the crypto itself). It is, however, absurd from a UX/workflow standpoint.


Horseshit. Round 1 and Round 2 of the audit share technical members. The guy leading the actual crypto review work has been looking at Truecrypt for more than a year. And Matthew Green, who coordinates the whole audit project, just wrote that he and his students have been reviewing Truecrypt's crypto for months.

They did not "only get their act together today". They've thought about Truecrypt far more rigorously than you have, and for far, far longer.

You've been almost completely unable to explain in technical terms what "UX" you want from sector-level crypto that you couldn't get from filesystem crypto. When pressed, you in effect say "yeah, well, name a tool that does that".

The fact that your only options today are [insecure, easy] and [secure, difficult] does not mean that there is no [secure, easy] option possible. But militating in favor of insecure crypto goes a long way towards hiding that possibility from everyone.

This isn't a pedantic point. Ross Ulbricht just got reamed in federal court because a simple physical arrest compromised virtually every secret he had. Why? Because he was relying on sector-level all-or-nothing crypto. By encouraging people to rely on tools like Truecrypt, you are, in a very small but real way, endangering them.


Today was the day Matthew Green released an update on his blog.

I was just reading it, and that's exclusively what I was referring to. I look forward to the results and am grateful for the time they're spending. I hope they find nothing.

Not sure why you made this about me personally.


> Not sure why you made this about me personally.

Your comments in this thread come off as ridiculously aggressive. I'm not sure if you're aware of that.


There is admittedly a level of aggression I feel when talking to Thomas, as I find his conversational tone off-putting and generally elitist.

I thought I did a better job of dealing with that for the most part, however. Maybe not.


This is what you actually wrote:

https://www.dropbox.com/s/hy5wj0t1t84hlk4/Screenshot%202015-...

I stand by what I just wrote.


That's still up there in my comment you replied to, you realize that, right?


> This isn't a pedantic point. Ross Ulbricht just got reamed in federal court because a simple physical arrest compromised virtually every secret he had. Why? Because he was relying on sector-level all-or-nothing crypto.

That is not accurate.


... because...


There was a bit more to it than just that. He could have used block-level encryption relatively safely if he'd made a series or hierarchy of Truecrypt containers and mounted them only when needed, rather than putting everything on just the one block device.

More importantly, his physical security was lacking, as he hadn't properly considered the threat model. If he'd been working in a secured area (like a locked room) where open laptop snatching was infeasible, that would have given him enough warning to close the lid, and maybe pop the battery out. Albeit still vulnerable to a cold boot attack, if law enforcement have such capacity.


You're rambling.

TrueCrypt lets you create fixed sized encrypted volumes, and allows you to decrypt those volumes on any of the three major OS platforms.

There's nothing special about TrueCrypt in how it performs the encryption/decryption (or so we're told), but no tool besides TrueCrypt allows such a flexible approach.

And it's you who refuses to accept that [secure,easy] can exist, because it'd make you irrelevant. It's a completely silly stance to take, but it's yours.

But hey, at least I've wrung your opinion on TrueCrypt out of you:

> By encouraging people to rely on tools like Truecrypt, you are, in a very small but real way, endangering them.

For posterity, in case you edit it away.

Which leads me to the question: Why are you even involved in the TrueCrypt audit, if you think it's a bad idea to use such tools?

P.S. Ulbricht was caught because the FBI owned TOR, and that's about it. Maybe your indignation towards TrueCrypt should consider Snowden's use of TrueCrypt to evade the combined allied world's intelligence community.


Would you like to put money on whether my opinion about Truecrypt is identical to Matthew Green's and Kenn White's, or would you like to include them in your critique?

It's amusing that you feel you've "wrung out" of me one of the few things I've recently blogged at length about.


Then why are any of you three working on it if you all think it's dangerous to promote its use?

You've blogged, "Don't use TrueCrypt"?


I've already answered that question, directly, on this thread.

And no, I blogged "don't use sector-level crypto". In a post literally titled "You Don't Want XTS". Under the subhed "Disks Are The Last Thing You Want To Encrypt". As in, "the last thing in the world".


The first sentence of your own article says:

> This piece is written for software designers, not end-users. If you’re an end-user looking for crypto advice: use Truecrypt, use Filevault, use dm-crypt


This is apparently where you stopped reading.


It's a great write-up, I read the whole thing. You clearly understand the domain well.

I really just don't get why you'd, in one breath, decry XTS, and then in that same breath, recommend people use TrueCrypt, which is, as you call it, "the best-known implementation of XTS".

Maybe just lead me to the water on this one. It's really the only thing left unresolved in our conversation.


Block-level encryption is a terrible, terrible approach for many reasons (which 'tptacek has referenced a million times). However, Truecrypt is the best such implementation, and it's a required approach in certain cases. You should be doing crypto at the application/filesystem level; if you can't, use Truecrypt. This isn't contradictory advice.


This is like, 89% of what I think (I don't think TC is the best, but it's not the worst).

What's weird to me is why we have a gigantic thread dedicated to the precise nuances of what I think about Truecrypt. Isn't this incredibly boring?


Mostly, except for the part where the guy who conducted phase 1 of the TrueCrypt audit said that encouraging TrueCrypt's use is dangerous and harmful.


I didn't conduct phase 1 of the audit, and that's not precisely what I think.


Then you're right, it's entirely uninteresting.


That's not just what he said, he also said, "By encouraging people to rely on tools like Truecrypt, you are, in a very small but real way, endangering them."


No you haven't.



You also completely changed the comment I originally replied to. I much prefer your new comment, though my fundamental issue with the fact that you're working on the audit of software you think is dangerous to promote remains.


No, I did no such thing.


I don't know what you think you're accomplishing by saying "nuh uh" like this. You've done it a few times, and I don't understand, in any of these cases, why you think anyone would think you'd say otherwise.

If you'd care to elaborate beyond, "nuh uh", I'm sure we'd all be glad to hear it.


The "No you haven't" was in regard to the fact that you haven't answered why you're involved in TrueCrypt at all, if you don't think it should be used.


Yes, that's what I thought you meant. Perhaps reread the thread.


Well, you have edited a lot of your comments, so perhaps you did include this information in a later edit?

Edit:

Having re-read the thread, you haven't explained why you're involved in the TrueCrypt audit, or why you recommend folks use TrueCrypt if you think XTS is bad.


Please stop calling me names.


I changed my comment somewhat, because you're being very squirmy, as per usual.

Do you think something like TrueCrypt shouldn't exist?


I'm not being "squirmy". You're playing a semantic game with the word "disk". The technical issue with FDE is that it works at the level of blocks, and so lacks information about message boundaries or the storage flexibility needed to (a) randomize the encryption and (b) store authenticators. Encrypt a physical disk, encrypt a file that pretends to be a mountable volume, same issues.

I get that not everyone understands the technical issues in designing storage encryption, but don't take that out on me.


Yours is a hilariously catty response to a fairly benign question.


Says the person who wrote "Are you really trying to suggest the world shouldn't have a tool like TrueCrypt out there?"


Yes, that is literally the sentence I wrote, and a sentence you never responded to.


Full-disk encryption is block-level encryption. If you're using TrueCrypt to encrypt anything, you're using block-level encryption. There is no functional difference between them. If you are not encrypting your entire disk, then block-level encryption is a bad idea because 1) it doesn't provide authentication, and 2) block-level encryption (using strategies like XTS) is not as strong as regular authenticated encryption using CBC and a MAC or whatever.

If you're not using TrueCrypt for full-disk or full-volume encryption, you'd be better off using basically anything else. There are plenty of cross-platform tools for doing that kind of thing.


Pedantic, but hopefully in a fun way:

Authentication is the biggest problem with sector-level crypto, but the other technical problem with encrypting sectors is that you don't get a place to store the metadata you'd need to randomize the encryption, and so you lose semantic security as well. If you squint at it the right way, XTS is the ECB mode of sector-level (wide-block) crypto schemes.
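
Added example, not written by anyone in this thread: a standard-library Python sketch of the two technical points made in the comments above, namely that a length-preserving sector cipher has nowhere to store a nonce or a tag, so it is deterministic and unauthenticated. The 4-round Feistel with a keyed SHAKE-256 round function is a stand-in for XTS-style sector modes (it is not XTS), the nonce-plus-HMAC record is a stand-in for an authenticated scheme, and all names, keys and sample data are constructed for illustration.

```python
import hashlib, hmac, os
SECTOR = 512  # a block device offers exactly this many bytes per sector, no more

def _prf(key, label, n):  # keyed SHAKE-256 used as a variable-length PRF (32-byte keys)
    return hashlib.shake_256(key + label).digest(n)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sector_encrypt(key, sector_no, pt):  # stand-in sector cipher, tweaked by sector number only
    if len(pt) != SECTOR:
        raise ValueError("sector cipher needs exactly one sector")
    tweak, half = sector_no.to_bytes(8, "big"), SECTOR // 2
    left, right = pt[:half], pt[half:]
    for rnd in range(4):  # Feistel rounds keep the output the same length as the input
        left, right = right, _xor(left, _prf(key, tweak + bytes([rnd]) + right, half))
    return left + right

def sector_decrypt(key, sector_no, ct):
    tweak, half = sector_no.to_bytes(8, "big"), SECTOR // 2
    left, right = ct[:half], ct[half:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _prf(key, tweak + bytes([rnd]) + left, half)), left
    return left + right  # always "succeeds": there is no tag to check

def record_seal(enc_key, mac_key, record_id, pt):  # stand-in authenticated record
    nonce = os.urandom(16)  # fresh randomness per write, stored next to the data
    body = nonce + _xor(pt, _prf(enc_key, nonce, len(pt)))
    tag = hmac.new(mac_key, record_id.to_bytes(8, "big") + body, hashlib.sha256).digest()
    return body + tag

def record_open(enc_key, mac_key, record_id, blob):
    body, tag = blob[:-32], blob[-32:]
    want = hmac.new(mac_key, record_id.to_bytes(8, "big") + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    return _xor(body[16:], _prf(enc_key, body[:16], len(body) - 16))

def demo():
    k, ek, mk = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32  # constructed keys
    pt = b"constructed sample data ".ljust(SECTOR, b".")
    c1, c2 = sector_encrypt(k, 7, pt), sector_encrypt(k, 7, pt)  # same data written twice
    s1, s2 = record_seal(ek, mk, 7, pt), record_seal(ek, mk, 7, pt)
    try:
        record_open(ek, mk, 7, bytes([s1[0] ^ 1]) + s1[1:])  # one flipped bit
        detected = False
    except ValueError:
        detected = True
    return {
        "sector_rewrite_identical": c1 == c2,  # an observer can tell nothing changed
        "sector_overhead": len(c1) - len(pt),  # 0 bytes: no room for nonce or tag
        "sector_tamper_silent": sector_decrypt(k, 7, bytes([c1[0] ^ 1]) + c1[1:]) != pt,
        "record_rewrite_identical": s1 == s2,
        "record_overhead": len(s1) - len(pt),  # 16-byte nonce + 32-byte tag
        "record_tamper_detected": detected,
    }

if __name__ == "__main__":
    print(demo())
```

The 48 bytes of per-record overhead are exactly what a sector-for-sector mapping cannot accommodate, which is why the randomization and the authenticator are both missing on the sector side.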


Can you name some of those cross-platform tools?



