## Encrypt hard drives and usb drives with dm-crypt and TrueCrypt

REMINDER: PASSHPHRASE SHOULD BE 42+ CHARACTERS LONG TO BE EQUIVALENT TO A 256 BIT KEY.

I recently explored encrypting usb drives and external hard drives (well, any hard drive really). I always wanted to lock all of my hard drives just to feel more secure about my files, but never got around to learning how to. In this post, I’ll describe my experience for usb drives and hard drives that aren’t used as the main disk for a computer to boot. I’ll describe full disk encryption for Ubuntu (where the OS resides) in another post.

I explored two methods. The first is using DM-Crypt with LUKS, which is the free and truly open-source solution. The second is using TrueCrypt, which is free (as in beer) and is open-source/proprietary (you can see source code, but I don’t know about modifying and redistributing). A more extensive list can be found here.

This post describes how one can go about encrypting the drive with dm-crypt. You can format the drive as FAT32, ext2, ext3, or anything really (this describes how to format a drive as FAT32 on the command line). On Linux, you just have to use cryptsetup to unencrypt the drive first. Then mount it for use. Ubuntu Desktop does this automatically (asks you for your passphrase) when the drive is plugged in. On a Windows machine, you have to install FreeOTFE in order to decrypt the drive. If the drive is FAT32, you will have access to it automatically after mounting the encrypted drive. If the drive is ext2 or ext3, you will have to install Ext2Fsd first in order to mount the drive. As of now, there isn’t a way to decrypt the drive on Mac OS X.

TrueCrypt is available on all three major platforms: Windows, Mac, and Linux. Thus, it is better than dm-crypt for usb drives in the sense that you can also use them on a Mac. You can use it to encrypt an entire disk or create an encrypted container file (pseudo partition?) to place files you want secured into. The latter approach is good for smaller files. For archives (big size), the FAT32 combination won’t work due to the 4.7GB file size limitation. Getting started with TrueCryt is quite easy as you just have to follow the GUI. To access the drive on any machine, you have to install TrueCrypt. If the drive is ext2 or ext3, again, you have to install Ext2Fsd on Windows. To mount an ext2 or ext3 drive on a Mac, you have to install ext2fuse, of which MacFuse is a pre-requisite.

What will I use? For a hard drive that I know I will only use with Linux, I’ll go the dm-crypt approach. For drives that I might bring around and plug into other platforms, I will either go with the dm-crypt + ext3 or TrueCrypt + ext3 approach. Why ext3? FAT32 is recognized on all three platforms, PS3, and most other devices that you can plug in the USB drive. However, if the disk is encrypted, the places I can plug the disk into is VERY limited (i.e. a computer). There’s no reason to prefer FAT32. Sure, I would have to install additional software on a Mac or Windows machine in order to read ext2/3. However, to unencrypt on those platforms, I would have needed to install TrueCrypt or FreeOTFE anyways, so this addtional install is trivial. Hmm, since I don’t really plug my drives into a Mac anymore, I think I’ll just stick with dm-crypt. The trick to all this is to have a spare unencrypted usb drive that you can use on a daily basis =].

### Change passphrase by adding a new one and removing the old one

I thought it was impossible, but it’s quite easy. Just use cryptsetup luksAddKey /dev/MYDEVICE to add a new passphrase, and cryptsetup luksRemoveKey /dev/MYDEVICE to remove the old passphrase.

## VPN service for an anonymous or untraceable internet presence

I recently considered the use a paid VPN service to connect myself to the internet. Why? The internet is a whole other world out there, and you just don’t know how much privacy you lose with all the connections you make on your computer. I see myself and the average user at a disadvantage when it comes to privacy because we aren’t savvy enough to know the underlying workings of the internet. The transmission of data packets from one device to another gives rise to the opportunity for a knowledgeable person (not me, of course ;) to decipher private information in that transmission. I’m not even referring to people stealing my password. It’s just scary to know people can find out what sites you’ve visited, what services you use, etc. Your privacy can be compromised without you even knowing it. People can figure out your daily habits and make judgment on the kind of person you are. This is quite scary. For example, your internet service provider (ISP) knows exactly what files (unencrypted) you are transporting on the internet: the source, the destination, the timing, duration, frequency, etc. However, if your connection between two devices are encrypted, for example, using SSL, then all the ISP (and other snoopers) see is a stream of data that have no idea what it is without the proper key.

When connected to a VPN, all the connections made between you and the internet is channeled through the VPN server. Thus, your footprint on the internet is that VPN server. What your ISP would see is a bunch of encrypted data that is passed from the VPN server and to your computer. I feel my personal freedom (privacy) is more guarded using such a service.

This site offers some reviews for the major services available. I ultimately tried HideMyAss due to their pricing (their yearly price ends up being like \$6.55/month), the number of servers and ip addresses available, the location of these servers (30+ countries), the use of OpenVPN, their non-censoriship of connections (e.g., torrent), and the data they collect (the time you log on and the time you log off).

My original plan was to set the certificates and credentials working with an OpenVPN client on my Asus RT-N16 router running Tomato firmware. However, before getting there, I tried the service on my Ubuntu laptop using the OpenVPN and the provided scripts. I have to say, I was disappointed in the difference in speed. Without the VPN service, I download at 2+ Mbps. With it, I was downloading at 1.3 Mbps. I understand that speed loss is inevitable due to the encryption and data outing through one more server before it reaches my computer, but I was expecting 1.9 Mbps. I tried a few other servers but the speed didn’t improve. As a statistician, I should try it many, many more times. However, I didn’t have the time for it, and besides, I will only commit to the service if I get consistent speed that’s near my official bandwidth, and this obviously wasn’t the case. HideMyAss’s customer service suggested I use their “Speed Guide” functionality in their software to select the fastest server for me, but it wasn’t available for Linux. Moreover, if I were to want use the VPN service on my router, I would want to stick with a single server and forget about it, not “shop” around for the right server each time it got slow to get the best speed. Now if somehow the server selection was automatic or that they limit only a certain number of users per server to give the best speed to the users, then I think I would like the service more.

Not only did I want consistent speed, I also wanted no abrupt in service since I would run it on my router where all my internet-enabled devices depend on for the internet. I use VoIP for phone service, and I do not want to have an abrupt phone service due to the VPN service having issues. HideMyAss claims to have a 99.8% uptime rate. I assume this is really good because Google claims to have a 99.9% uptime rate.

I ultimately cancelled HideMyAss and got a refund. However, I’m still on the lookout for THE vpn service that has all the features of HideMyAss, but with negligible difference in speed. I’m sure as time goes by internet speed will only get faster, and maybe by then I wouldn’t mind not downloading at 3 Mbps if I can download at 2.5 Mbps and retain privacy.

If you have any suggestions for me, do let me know!

For now, I just have to stick with SSL-enabled sites for the exchange of private information (email, newsgroup, etc.). For the exchange of important data, I always use ssh anyways.

UPDATE: wanted to share this recent article on Lifehacker, and this useful comparison of vpn speed test that’s done periodically. I guess HideMyAss is the fastest out there, and what the speed I was observing is typical of the encryption overhead.