Solved

DriveCrypt Plus Pack: encrypt only boot partition? And general DCPP question.

Posted on 2007-04-08
9
467 Views
Last Modified: 2008-01-09
I'm using DriveCrypt Plus Pack 3.9 with one hd, which has 2 partitions c:\ (boot) and d:\ (data)
(XP Pro)

1. I've read different things about encrypting partitions with dcpp. Some say it's highly recommended to encrypt ONLY c:\ some do say c:\ and d:\ should be encrypted. (Remember it's one hd)

What do the experts think about it? Should I encrypt one or both partitions?

2. I do use Bootauth with 2 passwords to gain access. Both passwords do have a length of app 25 (numbers, chars, signs)

As the hd is encrypted with AES256 and this is know to be pretty safe, but what about the passwords? A length of 25 (using 2 passwords) is nice, but when someone wants to gain access, he hasn't has to decrypt the hd, he has "only" to brute-force the 2 passwords. (Or am I wrong here?) And to brute-force 2 passwords should be more easy than decrypting a hd which is AES256 encrypted.

Respectfully yours,
sun :)
0
Comment
Question by:su-n
  • 4
  • 3
9 Comments
 
LVL 27

Accepted Solution

by:
Tolomir earned 250 total points
ID: 18873265
1.) Well it depends on what data you keep on drive D, if that is your "virtual money" and drive C contains just the boot code... well you should get the point.

Basically you have to encrypt the partition that contains config files, the data, the temp files and the pagefile. All other parts are not really important.

I don't think one can make any profit from the knowledge, that I use openoffice or nero at home...

I wonder if one needs drivecrypt DCPP though.

How about this setup:

Use the free truecrypt and the free vmware server/player. Store your virtual client systems in a truecrypt partition.

Now work just in the virtual system, should be quite tamper proof.

You could even use linux as starting OS...

</just an idea, any comments, anyone?>

2. It depends on how often one can enter a wrong bootcode. If there is an increasing timeout after each wrong entry, well brute forcing could take a bit long...


Tolomir
 





0
 

Expert Comment

by:q90887
ID: 19091328
Tolomir, the guy asked a question about the encryption he already have installed on his machine. He asked a particular question about DriveCrypt Plus Pack 3.9. He DID NOT ask for suggestions about other encryption programs. So I think you're offtopic suggesting him to use TrueCrypt.
Besides, TrueCrypt DOES NOT encrypt the Operating System.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 19096377
@Q90887 I've used the normal drivecrypt myself fort a couple of years.

Now I'm using the free vmware server and keep the image in a truecrypt archive.

I no longer need full harddisk encryption, for being secure. So this was just an idea no recipe how to handle the "problem".

---

Regarding security @ boottime:


* Anti dictionary and brute-force attack mechanisms (due to the nature of DCPP, it is the most difficult system to attack compared to anything else available.)

@sun: If you really want to be secure: I suggest you get a Rainbow iKey 1000 USB-based two-factor authentication token, also available from Securstar (1) That way one cannot force you to tell them the DCPP password, since you simply don't know it.

(1) http://www.securstar.com/products_usbtoken.php


Tolomir  
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Assisted Solution

by:q90887
q90887 earned 250 total points
ID: 19096841
I'm paranoid myself but not that paranoid :)
I think your sug
gestions are way too much (but of course good solutions).
Simple DCPP encryption should be enough and I don't think is possible to crack such encryption.
As about brute force, if you use a long password, nobody will brute it.
I'm sure that nobody will never even try to brute force such encryptions no matter who are you and what you did. Because it takes MONTHS of bruteforce. It's just a dead end for anyone who wants your data.

As about "being forced to provide the password", there Is no such laws. Few months back when I did this homework I was able to find that only in the UK they could vote such a law that allows Police to keep you arrested until you "remind" the password. But it was not voted yet, it was just a project with many against it.

Not even in US there is no such law. There are rumors that last versions of PGP have backdoors
for the US goverment. These are just rumors and PGP deny it, but as long as they are based in US and they are not open source... everything is possible.

Anyway the existence of the Hidden OS in DCPP cannot be proved.

DriveCryps and BestCrypt are also not open source, but at least they are based in Europe which is a Plus.

The only bad thing about DriveCrypt is that I have some windows problems because if it
(I even have ticket open at http://www.experts-exchange.com/OS/Miscellaneous/Q_22572508.html )

I'm also using BestCryp for another PC and it seems much better then DriveCrypt, but BestCrypt does not provide plausible deniability (Hidden OS).

Tolomir, whats your opinion about BestCrypt volume encryption? Ever used?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 19098643
Nope just truecrypt and drivecrypt.

Honestly securstar (drivecrypt) pissed me off by needing to confirm my order payed by credit card (just another year's maintenance) by a phone call.

I said WHAT????

Deinstalled that stuff, used truecrypt and it's smooth and I've even donated some money via paypal.

---

Here is some comparison:

http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

Tolomir


P.S. regarding keyloggers: it's wise to keeps a part of the password on an usbstick. This leaves a keylogger quite helpless. That way the passphrase consists of a password and some filecontent, in truecrypt this could be some mp3 file, all that counts is data....

At least Truecrypt and Drivecrypt comes with that feature...
0
 

Expert Comment

by:q90887
ID: 19104244
What hapends if I lose the usbstick?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 19106352
Well it is just a file.

I.e. you give truecrypt a password + a file. Both could be stored anywhere.

You could even use c:\boot.ini as file. In that case you better make sure it is never changed :-)



0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

A few customers have recently asked my thoughts on Password Managers.  As Security is a big part of our industry I was initially very hesitant and sceptical about giving a program all of my secret passwords.  But as I was getting asked about them mo…
You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now