Possible Explanations for Existence of Two TrueCrypt Partitions on Single Drive



TrueCrypt User Guide

An adversary might ask why you created two TrueCrypt-encrypted partitions on a single drive (a 
system partition and a non-system partition) rather than encrypting the entire disk with a single 
encryption key. There are many possible reasons to do that. However, if you do not know any 
(other than creating a hidden operating system), you can provide, for example, one of the following 
explanations: 

* This does not apply to filesystems on CD/DVD-like media and on custom, atypical, or non-standard devices/media. 

If there are more than two partitions on a system drive and you want to encrypt only two of 
them (the system partition and the one behind it) and to leave the other partitions 
unencrypted (for example, to achieve the best possible performance when reading and 
writing data, which is not sensitive, to such unencrypted partitions), the only way to do that 
is to encrypt both partitions separately (note that, with a single encryption key, TrueCrypt 
could encrypt the entire system drive and all partitions on it, but it cannot encrypt only two 
of them — only one or all of the partitions can be encrypted with a single key). As a result, 
there will be two adjacent TrueCrypt partitions on the system drive (the first will be a system 
partition, the second will be a non-system one), each encrypted with a different key (which 
is also the case when you create a hidden operating system, and therefore it can be 
explained this way). 

If you do not know any good reason why there should be more than one partition on a 
system drive at all:

It is generally recommended to separate non-system files (documents) from system files. 
One of the easiest and most reliable ways to do that is to create two partitions on the 
system drive; one for the operating system and the other for documents (non-system files). 
The reasons why this practice is recommended include: 

o If the filesystem on one of the partitions is damaged, files on the partition may get 
  corrupted or lost, whereas files on the other partition are not affected.
o It is easier to reinstall the system without losing your documents (reinstallation of an 
  operating system involves formatting the system partition, after which all files stored 
  on it are lost). If the system is damaged, full reinstallation is often the only option.

A cascade encryption algorithm (e.g. AES-Twofish-Serpent) can be many times slower than 
a non-cascade one (e.g. AES). However, a cascade encryption algorithm may be more 
secure than a non-cascade one (for example, the probability that three distinct encryption 
algorithms will be broken, e.g. due to advances in cryptanalysis, is significantly lower than 
the probability that only one of them will be broken). Therefore, if you encrypt the outer 
volume with a cascade encryption algorithm and the decoy system with a non-cascade 
encryption algorithm, you can answer that you wanted the best performance (and adequate 
security) for the system partition, and the highest possible security (but worse performance) 
for the non-system partition (i.e. the outer volume), where you store the most sensitive 
data, which you do not need to access very often (unlike the operating system, which you 
use very often, and therefore you need it to have the best possible performance). On the 
system partition, you store data that is less sensitive (but which you need to access very 
often) than data you store on the non-system partition (i.e. on the outer volume). 

Provided that you encrypt the outer volume with a cascade encryption algorithm (e.g. 
AES-Twofish-Serpent) and the decoy system with a non-cascade encryption algorithm (e.g. 
AES), you can also answer that you wanted to prevent the problems about which TrueCrypt 
warns when the user attempts to choose a cascade encryption algorithm for system 
encryption (see below for a list of the problems). Therefore, to prevent those problems, you 
decided to encrypt the system partition with a non-cascade encryption algorithm. However, 
you still wanted to use a cascade encryption algorithm (because it is more secure than a 
non-cascade encryption algorithm) for the most sensitive data, so you decided to create a 
second partition, which those problems do not affect (because it is non-system) and to 
encrypt it with a cascade encryption algorithm. On the system partition, you store data that 
is less sensitive than data you store on the non-system partition (i.e. on the outer volume).


Note: When the user attempts to encrypt the system partition with a cascade encryption 
algorithm, TrueCrypt warns him or her that it can cause the following problems (and 
implicitly recommends choosing a non-cascade encryption algorithm instead):

o For cascade encryption algorithms, the TrueCrypt Boot Loader is larger than normal and, 
  therefore, there is not enough space in the first drive track for a backup of the TrueCrypt 
  Boot Loader. Hence, whenever it gets damaged (which often happens, for example, during 
  inappropriately designed anti-piracy activation procedures of certain programs), the user 
  must use the TrueCrypt Rescue Disk to repair the TrueCrypt Boot Loader or to boot.
o On some computers, resuming from hibernation takes longer.

In contrast to a password for a non-system TrueCrypt volume, a pre-boot authentication 
password needs to be typed each time the computer is turned on or restarted. Therefore, if 
the pre-boot authentication password is long (which is required for security purposes), it 
may be very tiresome to type it so frequently. Hence, you can answer that it was more 
convenient for you to use a short (and therefore weaker) password for the system partition 
(i.e. the decoy system) and that it is more convenient for you to store the most sensitive 
data (which you do not need to access as often) in the non-system TrueCrypt partition (i.e. 
in the outer volume) for which you chose a very long password.

As the password for the system partition is not very strong (because it is short), you do not 
intentionally store sensitive data on the system partition. However, you still prefer the 
system partition to be encrypted, because potentially sensitive or mildly sensitive data is 
stored on it as a result of your everyday use of the computer (for example, passwords to 
online forums you visit, which can be automatically remembered by your browser, browsing 
history, applications you run, etc.).

When an attacker gets hold of your computer when a TrueCrypt volume is mounted (for 
example, when you use a laptop outside), he can, in most cases, read any data stored on 
the volume (data is decrypted on the fly as he reads it). Therefore, it may be wise to limit 
the time the volume is mounted to a minimum. Obviously, this may be impossible or difficult 
if the sensitive data is stored on an encrypted system partition or on an entirely encrypted 
system drive (because you would also have to limit the time you work with the computer to 
a minimum). Hence, you can answer that you created a separate partition (encrypted with a 
different key than your system partition) for your most sensitive data and that you mount it 
only when necessary and dismount it as soon as possible (so as to limit the time the 
volume is mounted to a minimum). On the system partition, you store data that is less 
sensitive (but which you need to access often) than data you store on the non-system 