TrueCrypt FDE question

VirtualLarry

I know that TrueCrypt supports some sort of FDE, that can be used with Windows. But there is the "bootloader hole" - the idea is that someone with physical access to your machine, can install a trojaned bootloader, and steal your passphrase the next time you log in to your machine.

I was thinking of a way to fix this issue. What about storing the bootloader on a USB flash drive that you keep with you at all times. There would be no key material stored on the flash drive. The HD on the computer, would appear to be nothing but random data. There would be no bootloader on the computer to leave a trail. Does TrueCrypt support doing something like that? Does anyone know?
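One defensive complement to the external-bootloader idea above is to check the disk's first sector against a reference recorded while the machine was known good, from the same USB stick you already carry. This is an added example, not TrueCrypt code or anything from the thread; the two MBR images below are constructed in-line so the check runs offline.

```python
import hashlib

SECTOR = 512
BOOT_CODE_END = 446      # classic MBR: 446 bytes of boot code
TABLE_END = 510          # then 4 x 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its three fixed regions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR)
    return {
        "boot_code": sector[:BOOT_CODE_END],
        "partition_table": sector[BOOT_CODE_END:TABLE_END],
        "signature": sector[TABLE_END:SECTOR],
    }


def baseline(sector: bytes) -> dict:
    """Record reference hashes while the bootloader is known to be clean."""
    mbr = parse_mbr(sector)
    return {k: hashlib.sha256(mbr[k]).hexdigest()
            for k in ("boot_code", "partition_table")}


def check_boot_sector(sector: bytes, ref: dict) -> list:
    """Return findings; an empty list means the MBR matches the baseline.
    Boot code and partition table are hashed separately so a legitimate
    repartition is not confused with replaced boot code."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    for region in ("boot_code", "partition_table"):
        if hashlib.sha256(mbr[region]).hexdigest() != ref[region]:
            findings.append("%s differs from trusted baseline" % region)
    return findings


# Constructed sample MBRs (not real bootloader bytes): a known-good image,
# and a copy whose boot code has been altered by a single byte.
GOOD_MBR = (b"\x90" * BOOT_CODE_END
            + b"\x80\x01\x01\x00\x07\xfe\xff\xff" + b"\x3f\x00\x00\x00" + b"\x00\x00\x10\x00"
            + b"\x00" * 48 + BOOT_SIGNATURE)
EVIL_MBR = GOOD_MBR[:100] + b"\xeb" + GOOD_MBR[101:]

if __name__ == "__main__":
    ref = baseline(GOOD_MBR)
    print("good:", check_boot_sector(GOOD_MBR, ref) or "OK")
    print("evil:", check_boot_sector(EVIL_MBR, ref))
```

On a real system the sector would be read from the raw disk device by the externally booted environment and the baseline kept on the removable medium, never on the disk being checked.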
 

Chiefcrowe

I haven't read about that but it is a very good idea.

What if you set a BIOS password, then someone can't install another bootloader right?
Unless they take the HD out physically and try...
 

VirtualLarry

That's a good idea too. Unfortunately, it seems that nearly every maker of motherboards has removed the ATA password feature from their BIOS code. I thought it used to be in most PCs, a long time ago. But recent motherboards, nope.

The only few that I found that have documented support for ATA password, are a bunch of Intel corporate-oriented Qxx motherboards.

Even some popular laptops, like MSI's, lack the HD/ATA password setting. This is mind-boggling to me, because that is what I would consider to be the primary defense against losing your data in a laptop theft.

There are devices that can bypass the ATA password on many desktop HDs too, unfortunately. Supposedly, the Intel 320 Series SSD implements FDE and uses ATA password, so that could be a solution.

I would prefer using a software FDE on top of that, however.

I suppose, should the TrueCrypt devs want to embark on something nifty, they could create a bootloader that would reside on a USB flash drive, AND implement ATA password support, which would then work on ANY desktop motherboard, not just a precious few.

smakme7757

There is a known exploit to TrueCrypt which captures your password at logon, I forget the name though.

With regards to the Intel 320 SSD, I own one and although the NAND chips are encrypted in hardware, so the encryption is always on, you utilize this protection by setting an ATA password. According to Intel the current methods of disabling or extracting the ATA password won't work because the password is stored on the drive as a non-reversible hash.

If this is in regards to your public computer your best bet would be to have the case locked in a cabinet (with air holes) so only the screen, keyboard and mouse are accessible by the users.
 

dawks

VirtualLarry said:

That's a good idea too. Unfortunately, it seems that nearly every maker of motherboards has removed the ATA password feature from their BIOS code. I thought it used to be in most PCs, a long time ago. But recent motherboards, nope.

The only few that I found that have documented support for ATA password, are a bunch of Intel corporate-oriented Qxx motherboards.

Even some popular laptops, like MSI's, lack the HD/ATA password setting. This is mind-boggling to me, because that is what I would consider to be the primary defense against losing your data in a laptop theft.

There are devices that can bypass the ATA password on many desktop HDs too, unfortunately. Supposedly, the Intel 320 Series SSD implements FDE and uses ATA password, so that could be a solution.

I would prefer using a software FDE on top of that, however.

I suppose, should the TrueCrypt devs want to embark on something nifty, they could create a bootloader that would reside on a USB flash drive, AND implement ATA password support, which would then work on ANY desktop motherboard, not just a precious few.

You working for the NSA or what? I guess not since they have this all figured out..

I'm hoping this is more just an exercise of thought than anything, if you're this paranoid about your data you've got bigger problems to worry about ;)

Someone would obviously need physical access to install a TrueCrypt bootloader interceptor, at which point, again, you've got bigger problems to worry about than just a TrueCrypt password.

I can't recommend stacking encryption tools, that's just asking for trouble. Make sure you have VERY good backups and a good memory for passwords ;)

A TPM chip with BitLocker = win. Or TrueCrypt FDE with an Intel CPU using new AES-I = fantastic. I'm actually running Mac OS 10.7 Lion with FileVault FDE on an SSD with a Core i5 and as far as I know, it's using the AES instructions. It still screams.
 

VirtualLarry

I'm not worried about people finding things, there's nothing on my systems to find. What I'm more worried about is stuff finding its way onto my systems that I don't want.