On The Fly Encryption (OTFE)
I recently got a LaCie 250Gb external drive to do some off-site backups of my data. I am a bit worried about security though since it is so easy to get these USB devices talking to just about anything.
I read up about disk encryption software commonly called On The Fly Encryption - OTFE for short. I use XP and OS X as my desktop Operating Systems but I think I'll stick this drive mostly into my XP machines for now so I am focussing on software for that at the moment.
The amount of data I need to encrypt is probably much less than 5Gb; it is just things like mail, configuration files, a few database dumps and so forth, and the rest could go in the plain onto the disk. However, some of these tools allow encryption of full devices, so that would be ideal. I would, for example, not be too happy if the raw files of my photos got stolen; this is the main chunk of data I need to arrange off-site backup for.
There are a number of free and commercial options; I tried a few in each category:
| Product Name | Cost | Comments |
| --- | --- | --- |
| FileDisk | Free (GPL) | Command line only, though the FreeOTFE author wrote a GUI front end for it. It seems to be unmaintained though and certainly was the reason for quite a few hard resets of my box today. |
| FreeOTFE | Free (GPL) | Early days in development but looks promising. I had it stop responding a couple of times when copying large files onto it. Lacks good progress indicators for things, so you think it's crashed when it's just taking its time. A big plus of this product though is that it has the ability to make Linux-compatible crypted disks; this could be a big selling point. |
| TrueCrypt | Open Source (Own License) | Works flawlessly so far. I particularly like the nice progress bars on creating and formatting of the data files. |
| CryptoExpert Lite | Free but restricted | Has maximum file size limitation so did not try it. |
| Softwinter Sentry | $49.95 | This product also worked flawlessly, not as nice progress bars but it works. |
From the above table it should be clear that amongst the products I tried, TrueCrypt and Sentry are the winners. I'd consider buying Sentry if I needed very long-term storage and the kind of backing that a company tends to give, backwards compatibility and so forth.
My usage however as an off-site backup system means I will be overwriting the last backups - or perhaps rotate them for 2 or 3 months - so I most certainly do not need long-term archival.
TrueCrypt can also encrypt a full partition so I also tested that and I must say it works great. The initial format over the USB2 of 200Gig would take about 5 hours - so I did a quick format for testing but this is not suggested for actual use. This works great so I will put all my data on the crypted partition and leave a 32Gig FAT32 on the drive to store the TrueCrypt software on etc. You do not need to install anything on the Windows machine to run TrueCrypt, so it can even be run off a memory stick.
My choice therefore is TrueCrypt; kudos to them for a very professional looking product with a good UI and great documentation to go with it.
While researching this I came across this site that has a whole lot of useful encryption related information.


August 1st, 2005 - 20:55
I’ve been using Softwinter's Sentry for a year or more now, but for the last 3 months, I have received NO support. They do not respond to questions at any email address … and I’m asking questions specific to using the product. I’m now moving away from Sentry for that reason, and having good success with TrueCrypt.
April 6th, 2006 - 09:37
I am using Rohos Disk, but it’s not free.
I chose it because of their perfect and quick support; they also have some additional features that make it easy to use. This is not just another encrypted disk clone program.
It integrates into MS Office programs and the SaveAs/Open dialog of any app. It integrates into their Win Logon program, which allows you to use one password for both.
http://www.rohos.com/desktop-security/rohos_disk_compare.htm
… But the Rohos Disk offers an easier and more convenient way of working with the secret disk. The information is still well protected, but accessing it is much easier.
–Joel
April 25th, 2006 - 17:19
Dear R. I. Pienaar,
Does TrueCrypt provide any compression, though?
(My actual interest is more so having an on-the-fly
compression, many-actual-changing-files in one “virtual-drive” volume-file.)
Sincerely,
Bill Sivula
October 27th, 2006 - 12:39
Dear Bill Sivula,
TrueCrypt does NOT in fact provide On-The-Fly-Compression, and only On-The-Fly-Encryption. This is a GOOD thing.
Reasons why that is a GOOD thing:
- It prevents bloat
- It allows for consistently accurate benchmarking of data transfer speeds
- It maximizes the number of Points of Failure, instead of the all-eggs, one-basket nature of a combined approach
- It helps TrueCrypt remain secure by minimizing complexity and maximizing code readability.
- Since TrueCrypt volumes mount completely transparently as standard disk drives, it is easily possible to implement a SEPARATE On-The-Fly-Compression program WITHIN the TrueCrypt Volume, allowing you complete freedom over the compression process, and of course the option of whether to use it or not, even at differing times in the same volume. In general, and ESPECIALLY with security software like TrueCrypt, it is this kind of “modular” software approach that is far more recommended than an “all-inclusive” solution. That principle is a large part of what makes Linux and UNIX Operating Systems so much more secure than Windows ones.
I hope this answers your question adequately, and if you couldn’t tell, I very highly recommend TrueCrypt. It is incredibly well-designed, fantastically secure, expertly implemented, fully-featured, and wonderfully documented. Unfortunately I can’t give a real recommendation for a standalone On-The-Fly-Compression program, as I’ve not ever needed to use one, but I do know for sure that they exist. I recommend doing your own research in that field and selecting the Compression solution best suited to your needs.
January 16th, 2007 - 06:58
We use TrueCrypt many times for many different purposes and highly recommend it, open source with a friendly graphical user interface, what else can you ask for?
March 10th, 2007 - 18:03
TrueCrypt is an extremely secure program. It's expertly designed to encrypt data securely (where if a hash function like MD5 is cracked, it does not weaken the security of the password, as the TC volume’s password is never stored as a hash.)
FreeOTFE is good too, and provides much-needed support for volumes that are encrypted on Linux with the kernel loopback modules.
If you want a commercial solution, I’d seriously consider PGP Desktop Professional. It offers a large amount of options to protect data, and offers the ability to use hardware smartcards, so even if your computer is compromised with a keylogger, encrypted files and volumes cannot be decrypted as the smartcard physically has the key on it, the cryptographic operations using the key are done on the card itself, and the key is never physically available to the computer at any time. For example, if someone compromises a box and one is using an Aladdin eToken, they may obtain the password to unlock the eToken, but have no way to decrypt anything because the eToken will not give the key away.
I use all three of these. FreeOTFE for my PDA and Linux volumes, TrueCrypt for volumes going to be archived onto CD and DVD, and PGP for boot volume protection with a hardware key.
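
An added sketch (not from the post, the comments or TrueCrypt's source) of the idea raised in the last comment: the volume stores only a random salt and an encrypted header, and a password is tested by trying to decrypt that header and checking for a known marker and checksum. The HMAC-based stream cipher, the iteration count and the header layout here are simplifying assumptions, not TrueCrypt's real on-disk format.

```python
import hashlib
import hmac
import os
import struct
import zlib

MAGIC = b"TRUE"      # marker expected at the start of a correctly decrypted header
SALT_LEN = 64        # random salt stored in the clear in front of the header
ITERATIONS = 1000    # illustrative PBKDF2 iteration count for this sketch


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 in counter mode), not a real volume cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, struct.pack(">Q", offset // 32), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def header_key(password: str, salt: bytes) -> bytes:
    """Derive the header key from the password; the key itself is never written to disk."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS, dklen=32)


def create_header(password: str, master_key: bytes) -> bytes:
    """Return salt || encrypted(MAGIC, CRC32(master_key), master_key)."""
    salt = os.urandom(SALT_LEN)
    plain = MAGIC + struct.pack(">I", zlib.crc32(master_key)) + master_key
    return salt + keystream_xor(header_key(password, salt), plain)


def unlock(password: str, header: bytes):
    """Return the master key if the password decrypts the header, else None."""
    salt, body = header[:SALT_LEN], header[SALT_LEN:]
    plain = keystream_xor(header_key(password, salt), body)
    magic, crc, master_key = plain[:4], plain[4:8], plain[8:]
    # A wrong password yields random-looking bytes, so both checks fail.
    if magic != MAGIC or struct.unpack(">I", crc)[0] != zlib.crc32(master_key):
        return None
    return master_key
```

Because nothing derived from the password is stored, someone holding the drive can only test guesses by repeating the full key derivation and trial decryption for each one.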