Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Press J to jump to the feed. Press question mark to learn the rest of the keyboard shortcuts
- Search r/crypto
- User account menu
- Join the discussion
- BECOME A REDDITOR
- Posted byu/Black51
- Is it likely police would be able break through the Bitlocker encryption on my computer hard drives if they really wanted to?
- There's a chance I might be under investigation by the police in the future here in Canada and I'm wondering if my computer data would be safe from them or not being encrypted with Bitlocker drive encryption.
- If Bitlocker isn't very good, is there a better alternative i should use instead? I need my hard drive data to be safe from police.
- edit: spelling
- This thread is archived
- New comments cannot be posted and votes cannot be cast
- edited 3 years ago
- I do not trust Microsoft bitlocker from a nation state. It is very likely that Microsoft could assist law enforcement upon request.
- If your data was not previously encrypted, you will need to securely wipe your harddrive with a Gutmann 35 pass wipe. Darik's Boot And Nuke should assist in this. After securely wiping disk, then encrypt before transferring files back over. Then securely wipe the media you used to transfer the data. Note that if you have a hybrid or solid state disk then you are better off physically destroying the disc and disposing in area not associated with you if it has ever had incriminating unencrypted data on it. This is because solid state disks have what is called wear leveling so the previous data written to that disk may not be deleted.
- For Windows, Veracrypt is what I recommend, also look into the hidden partition feature which will let you have plausible deniability and decoy data if ever forced to reveal password. For high paranoia you could give the decoy partition a weaker password than the hidden partition so if an adversary tries do decrypt your computer they will decrypt the fake data instead of the real data. For encryption use very long and strong passphrase, do not be like that hacker that had his computer decrypted because he used the password "chewy" which was the name of his cat and a weak passphrase to encrypt his computer. Use very long string of words, letters, characters symbols etc..
- For linux, LUKS encryption is good, most distros have LUKS whole disc encryption feature as an option during installation.
- For linux computers another option for higher security or if afraid of forgetting your decryption passphrase could use the Gnupg G10code smartcard from www.kernelconcepts.de so you can encrypt your harddrive with smartcard so you have equivalent of strong crypto key with only having to remember a pin code. If incorrect pin entered too many times the card containing the key self destructs. If go this route be sure to change both the admin and the standard pin, use 4096 length key, and initialize on airgap computer or live system so malware does not intercept the pin code.
- Also keep in mind encrypted computers have 3 main attack vectors you will want to protect from.
- Attack vector #1 - RAM dump and cold boot Always keep your encrypted computer completely powered off when not in use, if your computer gets snagged when it is not completely powered off the adversary can examine the RAM for the crypto keys. With older computers using DDR2 RAM or older takes a while for the RAM to flush after computer has been powered off. With newer computers that have DDR3 RAM the RAM flushes out much faster. Use DDR3 RAM or later if possible. If the computer needs to remain powered on when you are away from it, I could design system that would allow computer to detect intrusion of someone other than you then immediately cut off power.
- Attack vector #2 - "Evil Maid Attack" This attack vector takes place when computer is out of your sight and an adversary tampers with the computers hardware or software to intercept your decryption key next time you use it. The only real way to defend from this is with either surveillance system, or to carry your computer with you at all times. Another precaution could be to use a boot disc to recursively calculate the sha256sum of the bootloader to audit bootloader if you suspect something strange, or to carry the bootloader on a thumb drive on your keychain. This technique of routine bootloader auditing or carrying the bootloader on you will only detect tampering of the operating system, it will not detect tampering of the BIOS or hardware. This is why I say keeping eye on the hardware 24/7 is the better option. Or do both for higher security.
- Attack vector #3 - "Shoulder surfing" You may have the best encryption and strongest passphrase there is, but if any person or camera watches you type in your decryption passphrase then game over. To protect from this use folding cardboard cover to cover the keyboard and hands when typing in decryption passphrase.
- I can offer security consulting, design solutions, or elaborate or simplify anything if you ask.
- edited 3 years ago
- tldr; Yes, and not just bitlocker but just about any other crypto implementation. Most people are not capable of sustaining a defense against something like a police force using everything the DHS, Feds, etc.. will give them to break into your data. They are extremely persistent and adamant that they have every right to do whatever it takes once they get that thought into their heads.
- The thing that protects most citizen's privacy is the cost of doing it. But if they had reason to target you, then very likely they will break through it through a myriad of ways even without having to break the crypto.
- edited 3 years ago
- I'd still recommend TrueCrypt.
- It's been thoroughly audited, and no backdoors have been found.
- You'll need 7.1a (as 7.2 was the final release that was read-only).
- Versions 7.1a are available here from grc.com:
- https://www.grc.com/misc/truecrypt/truecrypt.htm
- Look into the "hidden volume" feature (plausible deniability).
- Edit: 7.1a, not 7.1
- Indeed, I stand corrected. 7.1a
- Veracrypt is even better. They're improving Truecrypt.
- https://veracrypt.codeplex.com/
- For the inevitable naysayers: please watch this interview with the lead dev first.
- For data at rest, I reccomend TrueCrypt. I'll let others here comment on whether or not they agree.
- Importantly, if you may be under investigation, you should be shutting down your computer whenever you aren't using it. Don't leave it on. If they get your machine while it's turned on they have a LOT more to work with.
- Any reason why you recommend TrueCrypt instead of VeraCrypt?
- The Truecrypt code has been audited and nothing major was found
- I would recommend Veracrypt which is a maintained continued fork of TrueCrypt.
- "Recently, researchers from Google’s Project Zero team uncovered a pair of elevation of privilege vulnerabilities in TrueCrypt, both of which were patched this weekend in VeraCrypt - See more at: https://threatpost.com/veracrypt-patched-against-two-critical-truecrypt-flaws/114833/#sthash.HcXEZH1U.dpuf"
- Source: https://threatpost.com/veracrypt-patched-against-two-critical-truecrypt-flaws/114833/
- Those elevation privileges are for Windows only. And you shouldn't be using Windows or anything closed source if you're concerned about governments getting access to your data. Jumping to an unaudited fork over a minor issue is stupid.
- Comment deleted by user
- "What truly matters is not what brand of condom one uses, but that one uses a condom at all."
- -Sum Waiss Gai, 2015 C.E.
- Unless one brand of condoms break when the other does not.
- I wouldn't use condoms that someone poked a hole in or that came from a shady business, but as long as it comes from a reputable source that isn't out to get me out or doing things improperly, it's mostly a matter of aesthetics.
- I'm a bit late for the party, but I've seen that they've stopped its development. Is it still safe?
- I haven't been following VeraCrypt -- it may be great software, but because I'm not familiar with it I wouldn't feel comfortable recommending it. I know TrueCrypt has been thoroughly audited recently and the results were pretty good. I don't know how much the VeraCrypt fork differs from the code that was audited.
- ThrobbingMeatGristle
- edited 3 years ago
- The Bitlocker design in Vista had a thing called the Elephant Diffuser which helped mask the underlying patterns one finds on a disk and thus avoided any weakening of the end result (this is not an exact description, but it will probably do).
- The point is that this added layer was removed in versions for later versions of windows - conclude from that what you will.
- I go along with recommendations for TrueCrypt and Full Disk Encryption. I suggest using a Yubikey to hold all but say 16-20 chars of your password entered at boot time (so its what you remember and what you have) but the password is ridiculously long to the attacker. Obviously dont keep the Yubikey and the computer in the same place until you are booting and then unplug it after.
- Why is everyone recommending truecrypt over veracrypt? I recently switched to veracrypt, should I switch back?
- ThrobbingMeatGristle
- It depends... from what I have read it breaks down a bit like this...
- Are you mounting file based images as drives a lot? Stick with Veracrypt because the recent fixes probably affect you as you are using drive letters created via Veracrypt which patched some elevation type vulns.
- Are you doing FDE at boot time - if so why change from something that works well and has been really well tested ?
- I mainly use Truecrypt to do boot time FDE thats why I have not changed. I know my system is secure when it is powered down and locked away and only I will be able to boot it.
- I sometimes use Truecrypt to mount a 2Tb external USB that has been fully encrypted. For that I use a keyfile stored on a Smartcard and I use a quarantined machine.
- ThePooSlidesRightOut
- Have a look at this PDF:
- Bypassing Local Windows Authentication to Defeat Full Disk Encryption, by Ian Haken, November 12, 2015:
- https://www.blackhat.com/docs/eu-15/materials/eu-15-Haken-Bypassing-Local-Windows-Authentication-To-Defeat-Full-Disk-Encryption-wp.pdf
- Use whole disk encryption like Veracrypt, with a strong password. Never use sleep mode. Encryption starts to protect your data a few seconds to minutes after shutdown.
- Only when powered off and if you don't back up the keys in Microsoft's cloud and if it doesn't use a backdoored TPM
- Even then I hesitate to trust BitLocker because of Microsoft's relationship with the NSA. It's completley possible BitLocker is compromised.
- Comment deleted by user
- Comment deleted by user
- I have heard that Microsoft copies users keys to their servers now.
- Comment deleted by user
- I don't exactly how to put this, but I'll try. From a technological perspective, there may or may not be a weaknesses in BitLocker and various levels of police agencies may or may not have access through these weaknesses. More importantly, however, is the moral question of whether you actually have something to hide. I can assure that if you have something to hide, it will certainly be found out, irrespective of encryption, technology, exploits and all that crap. The "how" is irrelevant. It's the "what" that actually matters.
- COMMUNITY DETAILS
- Cryptography is the art of creating mathematical assurances for who can do what with data, including but not limited the classical example of encrypting messages so that only the key-holder can read it. Cryptography lives at an intersection of math, programming, and computer science. This subreddit covers the theory and practice of modern and *strong* cryptography, and it is a technical subreddit focused on the algorithms and implementations of cryptography.
- R/CRYPTO RULES
- Crypto review requests must explain the algorithms
- Challenges and puzzles must use modern crypto
- Don't flood the sub with duplicate posts
- Stick to the topic of cryptography, NOT currency
- Maintain high quality & accuracy, don't mislead
- Don't cheat on challenges or tests!
- Link directly to the original (with exceptions)
- RELATED SUBREDDITS
- 283,874 subscribers
- 401,274 subscribers
- 16,408 subscribers
- r/cryptography
- 18,019 subscribers
- r/shittycrypto
- 358 subscribers
- 386 subscribers
- GUIDELINES FOR /R/CRYPTO
- This sub is for cryptography, NOT cryptocurrency.
- RULES (along with reddiquette)
- Assume good faith & be kind. This is a friendly subreddit.
- Codes, simple ciphers, ARGs, and other such "weak crypto" don't belong here. If a desktop computer can break a code in less than an hour, it's not strong crypto. See /r/codes. This includes cracking challenges.
- Do not ask people to break your cryptosystem without first sharing the algorithm. Sharing just the output is like...
- Familiarize yourself with the following before asking about a novel cryptosystem:
- Kerckhoffs's principle
- Schneier's Law
- Don't use this sub to cheat on competitions or challenges!
- Systems that use crypto are not necessarily relevant here.
- Our wiki pages
- Threads on starting in crypto one & two
- Thread of crypto links - older thread
- Our monthly cryptography wishlist threads!
- Cryptology ePrint archive
- Freenode IRC:s ##crypto - (IRC protocol URL)
- Metzdowd cryptography mailing list
- Randombit cryptography mailing list
- VIEW ALL MODERATORS
- The Reddit App
- Reddit Premium
- Content Policy| Privacy Policy
- User Agreement| Mod Policy
- © 2018 Reddit, Inc. All rights reserved
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement