TrueCrypt and image backups

mog27 Member Posts: 302
TrueCrypt 5.0 just came out and the big new feature is it lets you encrypt your entire hard drive. The thing I can't figure out is if you are still able to create a backup image of your drive with Acronis/Ghost if you encrypt your drive? I know with some *nix encryption if you create an image with an encrypted drive it can only be done with a sector-by-sector image (a huge image). Anyone know?
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Ben Franklin

"The internet is a great way to get on the net." --Bob Dole

Comments

  • Kasor Member Posts: 934 ■■■■□□□□□□
    I find no reason to backup the entire encrypted HD.

    However, you ask a good question. I want to know, too.
    Kill All Suffer T "o" ReBorn
  • JDMurray Admin Posts: 13,078 Admin
    I don't see anything listed to the contrary in the troubleshooting and incompatibilities section of truecrypt.org. If you can create a backup image of a disk partition encrypted with TrueCrypt 4.3, why would you assume that you might not be able to do the same with TrueCrypt 5.0? The new features list states that it is highly recommended that users of older versions of TrueCrypt upgrade to 5.0. I'm gonna load 5.0 on my Ubuntu laptop right now.
  • mog27 Member Posts: 302
    On my XP laptop with TC 5.0
    I keep getting the following error on a laptop with 2GB RAM:
    "error: insignificant memory for encryption"
    (After I boot my computer up and it asks me to enter my pass.)

    I have seen some others with this issue with no resolution. I wonder if it's a bug. Is this happening to anyone else?
  • JDMurray Admin Posts: 13,078 Admin
    Does the error occur before or after you enter your volume password? How much free memory is there when the error occurs?
  • mog27 Member Posts: 302
    JDMurray wrote:
    Does the error occur before or after you enter your volume password? How much free memory is there when the error occurs?

    It's before Windows boots. I'm encrypting the entire drive. So it's during the pre boot authentication test. It does a test before it starts encrypting and that is when it complains about memory. It has to be something with TC because I have 2 gigs of RAM and I've seen others with the same error. I'm just waiting for a resolution/fix.
  • JDMurray Admin Posts: 13,078 Admin
    Did the computer ever boot properly after the entire system drive was encrypted? If not, try booting the computer from a Linux LiveCD and check if the drive is actually encrypted or not. If it is encrypted, and the LiveCD has TrueCrypt installed on it, you should be able to mount the encrypted drive in Traveler Mode.
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    Kasor wrote:
    I find no reason to backup the entire encrypted HD.

    However, you ask a good question. I want to know, too.

    You hear about laptops with social security numbers, bank/credit account numbers, etc. being lost all the time. Simply requiring a password on boot is a great way to secure that information. There are a number of reasons why having a user load a TC file is not ideal. A program may require that data be stored in a specific location or maybe you're afraid the user will check the "remember password" box. I agree that encrypting the entire system drive is overkill for nearly everyone. However, I can see it being useful in certain situations.

    I'm curious to see how much it affects performance. Have there been any benchmarks released? I imagine it could go unnoticed for word processing, email, etc., but it would probably cripple any disk-intensive tasks, such as video/audio editing.
  • mog27 Member Posts: 302
    JDMurray wrote:
    Did the computer ever boot properly after the entire system drive was encrypted? If not, try booting the computer from a Linux LiveCD and check if the drive is actually encrypted or not. If it is encrypted, and the LiveCD has TrueCrypt installed on it, you should be able to mount the encrypted drive in Traveler Mode.

    I think you are misinterpreting what happened. The laptop was never encrypted. TC does a 'test' where it reboots your computer and has you enter in the pre boot auth password. That is where we get the memory error. If the test passes TC will go ahead and do the actual encryption.
  • Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    Have you enough hard drive space? Based on how much data exists, or the largest single file size, it may need more free space on certain systems to use as temp storage while it encrypts. You might also want to run a full chkdisk beforehand.

    Just encrypting my own laptop right now, also 2GB Ram using 25Gb out of 100GB of HDD space. I have to say I'm very impressed with the whole process so far, I was able to pause it and remove some non critical images to speed up the process, restart it seamlessly and can still work on the system while it's encrypting the volume.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • mog27 Member Posts: 302
    Ahriakin wrote:
    Have you enough hard drive space? Based on how much data exists, or the largest single file size, it may need more free space on certain systems to use as temp storage while it encrypts. You might also want to run a full chkdisk beforehand.

    Just encrypting my own laptop right now, also 2GB Ram using 25Gb out of 100GB of HDD space. I have to say I'm very impressed with the whole process so far, I was able to pause it and remove some non critical images to speed up the process, restart it seamlessly and can still work on the system while it's encrypting the volume.

    I can't remember how big my HD is (I'm not at home now) but it is a newer model Lenovo (core 2 duo) so it must have a fairly large drive and I don't have a lot of things on it - just everyday programs and no movies, mp3, etc.
  • RTmarc Member Posts: 1,082 ■■■□□□□□□□
    mog27 wrote:
    On my XP laptop with TC 5.0
    I keep getting the following error on a laptop with 2GB RAM:
    "error: insignificant memory for encryption"
    (After I boot my computer up and it asks me to enter my pass.)

    I have seen some others with this issue with no resolution. I wonder if it's a bug. Is this happening to anyone else?
    I'm running into the exact same problem. I'm running Vista 64bit with 8GB of RAM. If I don't have enough memory, well, I'm not sure what to do.
  • Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    Was just over on the site and while the forums are down the Known-Issues section does list this as a problem on some systems, with no cause-details, only that it will be addressed in the next version.
  • mog27 Member Posts: 302
    Ahriakin wrote:
    Was just over on the site and while the forums are down the Known-Issues section does list this as a problem on some systems, with no cause-details, only that it will be addressed in the next version.

    Ah ok. Guess we will have to wait till this is fixed.
  • Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    Well it finished encrypting my system and the test machine I had running in parallel. Dell 620 and 630 Laptops respectively, the audio drivers on both now will not load (Sigmatel HD Audio). Both are running fully updated XP SP2, the test machine is a fresh install. Will have to do some digging but just FYI you may have sound issues....
  • ratzefatz Member Posts: 1 ■□□□□□□□□□
    The same issue on my Dell M90 laptop. After the first reboot (before encryption) my sound driver couldn't load (Sigmatel HD Audio). When permanently decrypting the system drive, and the bootloader is removed, the audio device starts to work like normal.
  • JDMurray Admin Posts: 13,078 Admin
    You guys are encrypting your entire drive? I've had no problems creating encrypted volumes under Ubuntu, but I've not tried encrypting an entire drive yet. And from what I've been reading, this memory problem seems to be happening only on newer computers, or perhaps newer releases of a specific BIOS.
  • slippy Member Posts: 1 ■□□□□□□□□□
    I'm having the audio problem as well. Anyone find a fix yet or know where I can get more info?

    Dell E1705
    Sigmatel HD Audio
    2GB Ram
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    JDMurray wrote:
    You guys are encrypting your entire drive? I've had no problems creating encrypted volumes under Ubuntu, but I've not tried encrypting an entire drive yet. And from what I've been reading, this memory problem seems to be happening only on newer computers, or perhaps newer releases of a specific BIOS.

    I believe this is what they're doing: http://www.truecrypt.org/docs/?s=system-encryption
  • RTmarc Member Posts: 1,082 ■■■□□□□□□□
    dynamik wrote:
    JDMurray wrote:
    You guys are encrypting your entire drive? I've had no problems creating encrypted volumes under Ubuntu, but I've not tried encrypting an entire drive yet. And from what I've been reading, this memory problem seems to be happening only on newer computers, or perhaps newer releases of a specific BIOS.

    I believe this is what they're doing: http://www.truecrypt.org/docs/?s=system-encryption
    Correct. The new version of TC supports system partition encryption with pre-boot authentication. As you can imagine, people are extremely anxious to test this out. I can speak for my organization and say that when the bugs are worked out, we'll be rolling it out to all of the workstations. We currently use PointSec for all notebooks but the ratio of notebook to workstation is incredibly lopsided; as it is with most organizations.
  • Darthn3ss Member Posts: 1,096
    How long do you reckon it'd take to encrypt my 750GB hard drive?
    Fantastic. The project manager is inspired.

    In Progress: 70-640, 70-685
  • Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    Yup, entire drive. Ensures no one's going to plunder through your Pagefile, check the system for deleted files etc. There was a bit of a performance hit since the encryption but not much at all. Since I work with our Firewall/Security devices and am editing and transferring configs regularly, an encrypted volume (which I was using) doesn't provide enough protection considering the sensitivity of the data. If I remember rightly one of the first successful attacks against Vista involved overloading the system RAM so that protected data was dumped to the Pagefile where it was recovered and read with ease, so it is a vector worth covering even for data you think is just in volatile RAM.

    Edit: Performance. It encrypts blank space with random data so the amount of space used is irrelevant it is just down to the drive size. My Laptop (the D620) has a 100GB 7200RPM (2mb cache) drive, took about 2 hours using AES and no pre-wipe. A desktop drive should be a good deal faster. The fact you can do it while you are working on the system though is pretty amazing.
  • RTmarc Member Posts: 1,082 ■■■□□□□□□□
    Darthn3ss wrote:
    How long do you reckon it'd take to encrypt my 750GB hard drive?
    I don't know what the throughput is for TC but PointSec is roughly 15 - 25GB/hour. I can't imagine the two products being very dissimilar.
  • JDMurray Admin Posts: 13,078 Admin
    dynamik wrote:
    I believe this is what they're doing: http://www.truecrypt.org/docs/?s=system-encryption
    I wonder how you can input the pre-boot authentication password to a remotely-managed server that is protected using TC5? You would need a pre-boot OS stub to first establish a secure remote connection (VPN, VNC) to a remote management console and then start the TrueCrypt Boot Loader. Someone at the management console would then enter the TC Boot Loader password for the server. There can also be an automated solution whereby the remote management console automatically authenticates the server over the secure connection and then supplies the boot password. I wonder if there are already data protection products that do this.
  • DeTard Member Posts: 1 ■□□□□□□□□□
    JDMurray wrote:
    dynamik wrote:
    I believe this is what they're doing: http://www.truecrypt.org/docs/?s=system-encryption
    I wonder how you can input the pre-boot authentication password to a remotely-managed server that is protected using TC5? You would need a pre-boot OS stub to first establish a secure remote connection (VPN, VNC) to a remote management console and then start the TrueCrypt Boot Loader. Someone at the management console would then enter the TC Boot Loader password for the server. There can also be an automated solution whereby the remote management console automatically authenticates the server over the secure connection and then supplies the boot password. I wonder if there are already data protection products that do this.

    Honestly, I find that would be incredibly insecure... First off, you'd have to have some way of entering that password in. The only secure way of doing that pre-boot (required) would be using some form of "lights out" interface and doing it manually. If you didn't go that route, you'd most likely have to have a public/private key system. But that would mean leaving that key on an unencrypted partition of the drive. Meaning if someone broke into your data room and stole the hard drives from the server, they'd be able to use that key to decrypt the drives anyhow.

    I mean, there's no way of doing this securely and automatically upon boot. Even if you had it on a USB drive, you'd have to leave that drive there all the time, and if someone broke in they'd be able to take the drive as well.

    If you really want to encrypt your data on a server, I'd suggest using EFS per user, but make sure you create a data recovery agent key before allowing users to do so. Of course, this is if you're talking about a file server... otherwise, I don't know. I, at the moment, can't think of any REAL secure way of encrypting a whole server and boot it automatically. Maybe the "lights out" system along with a very good UPS is the way to go to make sure it doesn't power off even on long power outages?
  • Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    For a remote server you'd be better off with just using Encrypted volumes but an un-encrypted boot partition. There are two 3rd party addons for TrueCrypt that will automatically encrypt your Pagefile and My Documents folder (incl. temp files) on an un-encrypted volume.
  • JDMurray Admin Posts: 13,078 Admin
    Ahriakin wrote:
    For a remote server you'd be better off with just using Encrypted volumes but an un-encrypted boot partition. There are two 3rd party addons for TrueCrypt that will automatically encrypt your Pagefile and My Documents folder (incl. temp files) on an un-encrypted volume.
    Yeah, I'd like to use TrueCrypt as an EFS to prevent sensitive data from being stored to disk as plain-text. For my server needs I really don't care about the password-protected-bootup feature. An un-encrypted boot partition seems to be the way to go. Now the question is whether to use an encrypted file container, partition, or drive. It looks like file containers are the safest (i.e., least likely to fail) way to go.
  • Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    Containers are also the most portable, just dismount it, pick up the file and move it/remount.
  • RTmarc Member Posts: 1,082 ■■■□□□□□□□
    Version 5.0a has been released that reportedly resolves all of the issues we initially ran into including the 'insufficient memory' and audio related problems.
  • JDMurray Admin Posts: 13,078 Admin
    And 5.0a also fixes the problem with some sound card drivers not loading from an encrypted partition. That was another big problem reported with TC 5.0.

    TrueCrypt Version History
  • mog27 Member Posts: 302
    I haven't tried it yet but TrueCrypt 5.0a was just released:

    Improvements:

    * The memory requirements for the TrueCrypt Boot Loader have been reduced by 18 KB (eighteen kilobytes). As a result of this improvement, the following problem will no longer occur on most of the affected computers: The memory requirements of the TrueCrypt Boot Loader 5.0 prevented users of some computers from encrypting system partitions/drives (when performing the system encryption pretest, the TrueCrypt Boot Loader displayed the following error message: Insufficient memory for encryption).


    Bug fixes:

    * On computers equipped with certain brands of audio cards, when performing the system encryption pretest or when the system partition/drive is encrypted, the sound card drivers failed to load. This will no longer occur. (Windows Vista/XP/2003)
    * It is possible to access mounted TrueCrypt volumes over a network. (Windows)
    * TrueCrypt Rescue Disks created by the previous version could not be booted on some computers. This will no longer occur. (Windows Vista/XP/2003)
    Note: If your TrueCrypt Rescue Disk created by TrueCrypt 5.0 cannot be booted on your computer, please upgrade to this version of TrueCrypt and then create a new TrueCrypt Rescue Disk (select 'System' > 'Create Rescue Disk').
    * Many other minor bug fixes. (Windows, Mac OS X, and Linux)


    This should fix the sound issues some here were having and the annoying insufficient memory problems I and some others were having.