
Question

I'm not into security and encryption at all, I'm just a Truecrypt user. So maybe it's a very noob-question, but I can't figure it out.

When I make a Truecrypt container, it will encrypt everything inside it. When I want to open the container, I open up Truecrypt, mount the file and type in my password.

Suppose my computer is stolen and the thief finds the container and is savvy enough to recognize it as a TrueCrypt container. All the encryption will do me no good, right? Because the only thing the thief has to do is crack my password, open up TrueCrypt and mount the container.

So, although my files are encrypted, there seems to be a single point of failure: the password (which I make very strong, of course).

Are there any flaws in my logic?

Explanation / Answer

The key (mis)assumption here is contained in the statement,

"...the only thing the thief has to do is crack my password, open up Truecrypt and mount the container..."

Unless you are a nation-state-level attacker (e.g. "No Such Agency" and its foreign counterparts), I think you will find cracking a TrueCrypt password (even acknowledging the many legitimate questions about TrueCrypt after its abandonment by its original developers), to be (ahem) "easier said than done".

The fact is that any system of cryptography (TrueCrypt included) can be compromised if you don't use it properly (for example if you use something stupid like "1234", "password" or "letmein" as your password), and a cryptographic system that isn't properly designed (e.g. which leaks information) can make it trivially easy for even a moderately sophisticated attacker to break the encryption and recover the "plaintext" (unencrypted) version of the data that you have stored in the supposedly "protected" container.

That having been said, however, the publicly available evidence suggests that while there are some questions about TrueCrypt, it is well enough implemented so as to be a real S.O.B. to successfully attack, if you use a decent (10+ character, with complexity) password. (Don't take my word for it; check out any of the relevant forensics blogs and see how frustrated some attackers are, about TrueCrypt.)

Another key feature that it has -- to my mind this is a very important one -- is that you can further protect the password complexity of a TrueCrypt container by using "keyfiles", which provide a primitive version of "something you have (e.g. the keyfile), and something you know (e.g. the password)". (Make sure not to store the keyfile in some easily-accessible location for an attacker; keep it in the cloud, or on a USB stick and not on the same hard drive as where you have the TrueCrypt container.)

Lastly, in your case, the other thing that I'd be sure to do is not use the same password for your TrueCrypt container as you use for authentication to the account you use when you log on to your PC. The point being, if someone somehow breaks or infers your account password (not impossible to do, especially if you're using Windows or you have a lot of "shoulder surfers" in your vicinity), you don't want them to simultaneously get access to your "secured" container. I see this happening a lot, and it drives me crazy!
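As an added illustration of the answer's two points (a slow key-derivation function makes every password guess expensive, and a keyfile adds a "something you have" factor the thief does not possess), here is a small Python model written for this page. It is not code from the original answer and it does not implement TrueCrypt's real container format, header layout or keyfile algorithm: the PBKDF2-HMAC-SHA512 iteration count, the HMAC-based keyfile mixing and the header check value are all assumptions chosen to make the shape of the problem visible. The dictionary attack and the keyspace estimate show what a thief with only the container file is up against.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Assumed iteration count for the slow KDF. The real TrueCrypt counts differ;
# the point is only that each guess costs the attacker the same work it costs you.
ITERATIONS = 100_000


def mix_keyfile(password: bytes, keyfile: Optional[bytes]) -> bytes:
    """Fold a keyfile into the password material.

    Simplified model (HMAC keyed by the keyfile); TrueCrypt's own keyfile
    processing is different. Without the keyfile bytes, the correct password
    alone no longer yields the right key material.
    """
    if keyfile is None:
        return password
    return hmac.new(keyfile, password, hashlib.sha256).digest()


def derive_header_key(password: bytes, salt: bytes, keyfile: Optional[bytes] = None) -> bytes:
    """Slow KDF: password (+ keyfile) and salt -> 64-byte header key."""
    material = mix_keyfile(password, keyfile)
    return hashlib.pbkdf2_hmac("sha512", material, salt, ITERATIONS, dklen=64)


def create_header(password: bytes, keyfile: Optional[bytes] = None) -> Dict[str, bytes]:
    """Build a toy container header: random salt plus a check value under the derived key."""
    salt = secrets.token_bytes(64)
    key = derive_header_key(password, salt, keyfile)
    check = hmac.new(key, b"header-check", hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def try_mount(header: Dict[str, bytes], password: bytes, keyfile: Optional[bytes] = None) -> bool:
    """What the mounting program does: re-derive the key and compare the check value."""
    key = derive_header_key(password, header["salt"], keyfile)
    candidate = hmac.new(key, b"header-check", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, header["check"])


def dictionary_attack(header: Dict[str, bytes], wordlist: List[str],
                      keyfile: Optional[bytes] = None) -> Optional[str]:
    """The thief's loop: one full KDF computation per guess, no shortcut."""
    for word in wordlist:
        if try_mount(header, word.encode(), keyfile):
            return word
    return None


def brute_force_years(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time (years) to exhaust half the keyspace at a given guess rate."""
    keyspace = charset_size ** length
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample inputs: a weak password the answer warns about and a tiny wordlist.
    wordlist = ["1234", "password", "letmein"]

    weak = create_header(b"letmein")
    print("weak password, no keyfile:", dictionary_attack(weak, wordlist))  # found

    keyfile = secrets.token_bytes(4096)  # lives on a USB stick, not on the stolen drive
    protected = create_header(b"letmein", keyfile)
    print("weak password + keyfile, thief has no keyfile:",
          dictionary_attack(protected, wordlist))  # None
    print("owner with keyfile mounts:", try_mount(protected, b"letmein", keyfile))

    # 10 printable-ASCII characters at a (generous) million slow-KDF guesses per second.
    print("years to brute-force 10 complex chars: %.0f" % brute_force_years(95, 10, 1e6))
```

The guess rate in the last line is an assumption for illustration; real rates depend on the attacker's hardware and on the KDF. The structure is what matters: the only attack on the file alone is to run the KDF per guess, so the cost scales with the keyspace, and a keyfile kept off the stolen drive removes the password as the single point of failure.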
