FIXED - Truecrypt v6.0a released.

14 July 2008

I'm well over a week late with this post, but better late than never. The Truecrypt Foundation announced on 8 July 2008 that v6.0a of Truecrypt, the cross-platform disk encryption package was released to the Net, along with its source code. Judging by the changelogs, it stands head and shoulders above the last releases (v5.1 and v5.1a) in several important respects. First and foremost, the new release takes full advantage of systems that have more than one CPU in them (like many laptops these days), so if you're using whole disk encryption storage I/O will be faster than before because encryption and decryption tasks can be divvied up between processor cores. Whole disk encryption now works with Microsoft Windows Vista and 2008, which makes it an attractive option for newer laptops and servers in the corporate theatre. Encrypted data volumes now incorporate a backup header near the end of the file, so if the volume itself is damaged it might still be possible to access the encrypted data or repair the volume (if its contents can't be backed up to offline storage). Encrypted volume access is now much faster on Linux systems because the crypto functionality built into the kernel is used preferentially over re-implementations of the algorithms (if you don't know what this means, don't worry, just trust that it'll be faster).

It should also be noted that Truecrypt now makes it possible to hide an entire operating system (currently only a copy of Windows) inside of an encrypted hard drive. Under such circumstances, all non-encrypted and encrypted-but-not-hidden volumes are kept in read-only mode (though hidden volumes may be accessed freely) to minimize leakage of data from the hidden OS, which would give away its presence. The reason for this is to make it possible to set up a decoy OS on a computer that is only used for non-essential or trivial things, like reading Facebook and playing video games. All of the data found in this encrypted-but-not-secret OS are things that are irrelevant, i.e., you don't care if they're exposed to an attacker who forces you to boot your laptop and give away your passphrase. A hidden volume is created on the encrypted drive and your copy of Windows is copied block for block into it; because you can't prove that a hidden volume exists you can store and work with data you deem sensitive and there is no way to prove that you have anything of interest to an attacker because it all looks like garbage from the outside, and like unused disk space from the inside (unless you mount the hidden volume or boot into it where They can see you (if having a plausibly deniable hidden drive (for all intents and purposes) doesn't make sense to you, read the not very technical explanation here)).

Please keep in mind that it's important to use your decoy OS on a semi-regular basis to make it look like it's there for a reason other than to be distracting. If you have a pristine copy of XP that you haven't even started IE on inside of a Truecrypted drive, it looks suspicious to attackers. As always with cryptographic software or hardware, read the bloody manual before you use it because misuing it can send you up a certain body of flowing water without a means of propulsion.

I haven't gotten around to testing this release yet, but I have a VMware image standing by on Windbringer that I'm going to use as a test bed, and I'll post my results after I've had a chance to hammer on it for a bit.