Solved

How to auto dismount a USB flash drive that has TrueCrypt on it

Posted on 2006-06-19
11
11,037 Views
Last Modified: 2011-10-03
Hi there,

I apologize in advance for my abundant ignorance here. Please bear with me and let me explain what I'm trying to do first, and then I'll get to my questions.

I'm trying to set-up encrypted USB drives for several coworkers. I used the excellent instructions in the following link to setup the USB drives so they automatically prompt for a password when they are inserted:

http://glosoli.blogspot.com/2005/09/encrypted-thumb-drive-and-autoplay.html

However, I know the users I'm doing this for, and there is zero chance that they will always remember to dismount the drive explicitly when they are done. The likely use case is they put in the drive, copy some files to it, and immediately yank it out to take it home.

I have three questions:

1) What happens exactly if you pull out the USB drive without dismounting the TC drive? It seems a subsequent user on the machine might have access to whatever files were already in memory. Does it also put the integrity of the TC data file at risk?

2) Is there a solution to this that does not involve the user explicitly dismounting? I thought about trying to set it up to auto-dismount after 1 minute, but that isn't really ideal.  I know on the Kingston USB drives, you can pull the drive out without dismounting and have many fewer problems that seems to happen with this TrueCrypt solution.

3) Is explicitly having to dismount something that would be the case no matter what encryption you used? That is, the drives are Lexar Jump Drives and they came with SecureII software from Lexar. I found it clunky and greatly preferred the way you could setup TrueCrypt to start. But do other solutions handle pulling out a USB drive without dismounting any differently?

Without solving that, I'm certain users will use the drives without encryption. They claim that when they use an unsecure USB drive now and yank it out without dismounting, they never have any problems.

Thanks in advance for any advice. It would be GREATLY appreciated!

-Dave
0
Comment
Question by:JediBecker
  • 4
  • 3
  • 2
  • +1
11 Comments
 
LVL 10

Expert Comment

by:kiranghag
Comment Utility
>>1) What happens exactly if you pull out the USB drive without dismounting the TC drive? It seems a subsequent user on the machine might have access to
>>whatever files were already in memory. Does it also put the integrity of the TC data file at risk?

normally windows or any os will cache the data on removable usb drives. you might see the file copy/move complete but part of data is still in memory. so if you pull it out, your data could be corrupted.

>>2) Is there a solution to this that does not involve the user explicitly dismounting? I thought about trying to set it up to auto-dismount after 1 minute, but that
>>isn't really ideal.  I know on the Kingston USB drives, you can pull the drive out without dismounting and have many fewer problems that seems to happen with
>>this TrueCrypt solution.

you can disable the write cache on removable drives from device manager (by right clicking the device there)

this will make the write operations on usb drive slower but will not affect reads. and if someone happen to remove the drive without explicitely removing it from windows, you wont loose data. (if its pulled when drive is not actively being written)
0
 
LVL 10

Expert Comment

by:kiranghag
Comment Utility
but i guess you will have to connect the drive in each machine once and do the disable thingy. so that on subsequent connections tha cache will not be enabled again.
also make sure that on each machine, you plug the drive in all working usb ports and repeat the operations. windows seems to remember settings for each port and device combination

try it and tell what happens
0
 
LVL 70

Accepted Solution

by:
garycase earned 500 total points
Comment Utility
Well ... let's break this discussion into two sections:

I)  What happens with a "normal" USB flash drive if you just "yank it out" ?

II)  What complications does using TrueCrypt add to this ?

I'll also address your specific questions along with these.

For (I):  There are two issues associated with removing a USB device:  (1) possible data corruption; and (2) possible electrical damage.   For (1) the problem is that Windows does deferred writes to removeable devices, and if you remove one before it has completed the write process (which can be several seconds after it's "apparently" done) you will have a corrupted drive.   As noted above, if you change the settings for the device to optimize it for quick removal, you can disable the write caching feature and then you don't have to worry about this ==> but it will make writes MUCH slower, particularly when copying many small files, as it will close the directory after each file.   For (2) there's no workaround -- you're simply taking a risk every time you pull the device out; and any electrical "glitch" can damage either the device itself or your PC's USB port.   There are MANY examples in questions here on EE where folks have destroyed USB flash drives; their USB ports; an MP3 player; etc. by not following the "Safely Remove" protocol.  

Bottom line:  Think of "Safely Remove" as a seat belt.   You'll "get by" without using it MOST of the time;  but at some point you'll have an accident (i.e. you'll damage your device) and then you'll wish you had used it.   If you optimize the drive for quick removal; and always wait a second or so after any access, you'll be fairly safe -- any electrical damage possibility is relatively minimal when the drive is not actively being accessed.  But it's still best to "Safely Remove".

For (II):  TrueCrypt adds the complicating factor that a program will be actively using the drive whenever you try to Safely Remove, so it won't work !!   You have to "Dismount" the drive first -- so TrueCrypt is no longer actively using it.   The easiest way to do this for your users is to add an Icon to the desktop that executes a simple batch file containing this single line:  TrueCrypt\TrueCrypt.exe /q /dz  (where the "z" in "dz" is the drive letter for the drive).

So, considering the above, your 3 questions can be answered as follows:

"1) What happens exactly if you pull out the USB drive without dismounting the TC drive?" ==>  There are 3 dangers here:  (a)  If the TrueCrypt volume is in an unstable state, you could damage that volume and potentially lose all of the data -- it appears TrueCrypt keeps the file in a stable state from the documentation I looked at, but I don't know this for certain;  (b)  if write cacheing is enabled, you have the usual possibilities for corruption associated without doing a Safely Remove (this is, as noted above, easily avoided); and (c)  the usual potential for electrical damage is present if the drive is yanked while being accessed.

"...It seems a subsequent user on the machine might have access to whatever files were already in memory." ==>  This is NOT a risk -- the data is stored on a single file on the external device;  if it's not present, there's no risk of access to the data.

"...  Does it also put the integrity of the TC data file at risk?" ==> Yes, for reasons already discussed.

"2) Is there a solution to this that does not involve the user explicitly dismounting?" ==>  No.  There will always be some risk of data integrity loss if you "yank" a drive with a file that's open (as the TrueCrypt file will be anytime the drive is mounted).

"3) Is explicitly having to dismount something that would be the case no matter what encryption you used?" ==>  Yes.

Note that the risk associated with simply "yanking" the device is essentially only present when the device is WRITTEN to ==> i.e. if you simply insert it, READ from it, and then "yank" it there's no risk except for the possibility of electrical damage (which is minimal except during actual access).  But for the use you've described, the drives will always be written to.
0
 
LVL 7

Expert Comment

by:imacgouf
Comment Utility
Hi,

Please refer to this link where Peter long has written a safe eject utility for USB Device
http://www.experts-exchange.com/Operating_Systems/Q_21267488.html

Accepted Answer from PeteLong
Date: 01/10/2005 02:23AM SGT
Grade: A
Accepted Answer  

In fact to save me getting shouted at for using EMail download it from my web site
http://www.petenetlive.com/Downloads/software/safeeject.exe
0
 
LVL 7

Expert Comment

by:imacgouf
Comment Utility
Also you may wish to look at this utility from Microsoft to see if it helps.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q311272

The DevCon utility is a command-line utility that acts as an alternative to Device Manager. Using DevCon, you can enable, disable, restart, update, remove, and query individual devices or groups of devices. DevCon also provides information that is relevant to the driver developer and is not available in Device Manager.

You can use DevCon with Microsoft Windows 2000, Windows XP, and Windows Server 2003.

Download http://download.microsoft.com/download/1/1/f/11f7dd10-272d-4cd2-896f-9ce67f3e0240/devcon.exe
0
Network it in WD Red

There's an industry-leading WD Red drive for every compatible NAS system to help fulfill your data storage needs. With drives up to 8TB, WD Red offers a wide array of solutions for customers looking to build the biggest, best-performing NAS storage solution.  

 

Author Comment

by:JediBecker
Comment Utility
Thanks to everyone for the excellent information.  

kiranghag: that is useful to know.  One prerequisite for me, though, is assuming that the users will plug these into unknown, new computers that I don't have access to.  So I can't assume they will disable the write cache themselves.

imacgouf: thanks for the links.  Ideally, though, I want a way to do this without having the user explicitly dismount and safely remove the drive.  Pete Long's utility seems like a convenient way to do it, but still requires action on the user's part.  The way I've got the TC drive setup now is very convenient, too (context menu dismounting), but still requires the user to remember to do something.
 
garycase: thanks for the superb post.  That really clarifies almost everything.  And it sounds like there is no perfect solution for what I want, as you state here:

"'2) Is there a solution to this that does not involve the user explicitly dismounting?' ==>  No.  There will always be some risk of data integrity loss if you "yank" a drive with a file that's open (as the TrueCrypt file will be anytime the drive is mounted)."

However, I have one point of clarification.  Someone here has a Kingston Data Privacy Elite USB drive.  She claims she yanks it out all the time and has never had any problems.  In trying it myself, it seems like it can get in a state where when I put it back in, it doesn't automatically prompt me for a password until I explicitly double-click the Privacy software (normally it auto-prompts you when you insert it).  However, unlike the TrueCrypt drive, I never get "delayed write failed" messages from XP.  And I've never gotten any data loss on Kingston drive (I have on the TC drive).  That could be because I haven't tried enough times, though.

From what you've explained, it sounds like maybe the Kingston drive turns off the write cache somehow with their software?  How else to explain the way that it seems to work?  If I could set up the TC drive to behave the way the Kingston drive is, I'd be content.  What do you think of this speculation?

Thanks,
-Dave
0
 
LVL 70

Expert Comment

by:garycase
Comment Utility
"... it sounds like maybe the Kingston drive turns off the write cache somehow with their software ..." ==> Absolutely.  You can set the write cache parameters in a batch file when mounting the drive.   I'm not at home this week (on vacation with limited internet access, but I do check my e-mail when possible) -- so don't have access to all of my notes; and don't remember the exact syntax for disabling write cacheing when mounting via a batch file.  But it's almost certain that's what is being done.  (TrueCrypt's own syntax may allow this -- I'll check after I post this and see if it's in the docs)

As I noted last night, IF TrueCrypt maintains file consistency with the file that contains the encrypted data, then it would be fine to "yank" the drive as long as it was not in the process of being accessed -- and with write cacheing disabled that means just a few seconds after any write request it will be fine.   Although there is always some risk when you "yank" a flash drive without properly dismounting the TrueCrypt drive, IF TrueCrypt maintains it in a stable state (it's not clear from the documentation, but seems like it does); and IF write cacheing is disabled; then you could safely "yank" it AFTER any writes that are initiated have finished (i.e. if you use explorer to copy a large number of files, you would have to wait until they completed -- which could be a fairly large number of seconds -- before "yanking" the drive).    The Kingston Data Privacy Elite almost certainly maintains a consistent state for all of the data files on the flash drive -- and disables write cacheing -- so as long as writes are completed, it's relatively safe to pull it.
0
 
LVL 70

Expert Comment

by:garycase
Comment Utility
... Note:  It's not clearly noted in the documentation, but if you use the /rm switch in a batch file that mounts a TrueCrypt volume (= "removeable media"), I suspect TrueCrypt will never cache any data itself (note this is different than the Windows write cache), and so the file will always be in a consistent state.   If you also disable the Windows write cache (not, as you've noted, easy to guarantee when the flash drive may be plugged into various computers) it should always be relatively safe to remove.   Note that even if Windows write cacheing is enabled, if the users would just be sure they waited for several seconds of inactivity it would USUALLY be safe to pull the drive.   Windows and/or TrueCrypt may be "confused" by the open volume that no longer exists;  but the data on the volume will be just fine as long as there were no pending writes.

Bottom line:  You can MINIMIZE the likelihood of any corruption and/or device damage with the right settings -- but it is ALWAYS safest to dismount the volume and "Safely Remove" the device.     Note that on any unit that has a light to show it's powered (e.g. most SanDisk flash drives), the light goes off when you "Safely Remove" the device -- i.e. there is no power to the device at that point;   so you can easily see that there is NO danger of any electrical damage when pulling it at that point.   As I noted in my earlier post, think of the Dismounting/Safely Remove actions as a seat belt => rarely going to make a difference; but when it does, you'll sure wish you had used it.



0
 

Author Comment

by:JediBecker
Comment Utility
Thanks again, garycase.  That all makes sense, and I was starting to think that maybe it would be do-able (with your noted caveats about seat-belts).

However, I made sure TrueCrypt was treating the encrypted volume as a removable drive, and I went to the device manager to check on delayed writes.  I went to "disk drives" and selected the Lexar drive and it was already set to optimize for quick removal.

So I thought: hmm, this seems the best that I could do.  I updated a Word document on the disk, waited a second, and yanked it out.  Much to my surprise, a second later, Windows complained that the delayed write failed.  Not only that, I could still open the encrypted volume (despite the device not being plugged in) and was able to open the Word doc with my change in it.  When I put the drive back in and reset things, the change was NOT in the file.  The delayed write did fail, but the volume would have been accessible to someone else who sat down at the computer.  Yuck.

It seems as though the setting for disabling the write cache apply to the USB drive itself, but not the volume mounted through TrueCrypt.  Does that sound right to you?  This makes me think that this won't work using TrueCrypt and I need to find another encryption software that I can set things up like you suggest.
0
 
LVL 70

Expert Comment

by:garycase
Comment Utility
Yes, that is almost certainly TrueCrypt buffering the data and not actually writing it ==> when TrueCrypt "writes" the data through Windows, that's a 2nd level of buffering -- and if delayed writes are not enabled for that drive, Windows will write it immediately (note, however, that "immediately" can still take a few seconds => it will start immediately, but if you "yank" the drive while it's "blinking" with activity that's also bad).   If does sound like TrueCrypt does NOT immediately update the file containing the mounted volume -- so if your users can't be counted on to reliably dismount the volume, you need to find a different encryption solution.   Too bad USB devices aren't like optical drives (which can be "locked" so they won't eject if they're in use).
0
 

Author Comment

by:JediBecker
Comment Utility
Okay, thanks for all the input, garycase.  You were *extremely* helpful, even if I still haven't found a solution I like.  I'll keep looking and if I find something I'm content with, I'll post it back here.

Cheers,
-Dave
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Sometimes the best way to deal with an infected computer is to boot from external media and run your tools from there.  The reason you may wish to do this really depends on the infection.  Some malware is so recalcitrant that no matter what you do i…
This article is an update and follow-up of my previous article:   Storage 101: common concepts in the IT enterprise storage This time, I expand on more frequently used storage concepts.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This Micro Tutorial will teach you how to reformat your flash drive. Sometimes your flash drive may have issues carrying files so this will completely restore it to manufacturing settings. Make sure to backup all files before reformatting. This w…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now