encription software for Linux and Windows / Alternative for TrueCrypt ?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
For linux, there's dm-crypt/luks. You could probably access a dm-crypt encrypted partition in Windows by installing a linux vm with virtualbox and mounting the encrypted partition from within the linux vm. I certainly wouldn't trust any windows encryption software that wasn't open source. Truecrypt was open source and I recall hearing rumors that someone outside the US had picked up the code and was working on a new, updated release of a cross platform encryption application based on the old Truecrypt code base:
TrueCrypt mount volumes with "suid" option by default.It also allows any user who can unlock a volume to
mount it with whatever mount option they want,with the default being "suid" option among others.
The above means,if you can unlock a TrueCrypt volume on a machine,you can get root shell.
Steps to take to show what i just said
1. download "tc.img" from here[1].Thats a TrueCrypt volume.
2. mount it using TrueCrypt
3. browse to the mount point and you will find an executable named "owned".
4. run it with something like "./owned /bin/bash" and you will now have root shell.
Implication:
1. If somebody can use your computer to mount a TrueCrypt volume,that somebody can get root shell in seconds.
2. If there is a linux based public computer with TrueCrypt installed for the public to use to access their TrueCrypt
volumes,then through this trick,any user can get root access on that computer.
TrueCrypt mount volumes with "suid" option by default.It also allows any user who can unlock a volume to
mount it with whatever mount option they want,with the default being "suid" option among others.
The above means,if you can unlock a TrueCrypt volume on a machine,you can get root shell.
Steps to take to show what i just said
1. download "tc.img" from here[1].Thats a TrueCrypt volume.
2. mount it using TrueCrypt
3. browse to the mount point and you will find an executable named "owned".
4. run it with something like "./owned /bin/bash" and you will now have root shell.
Implication:
1. If somebody can use your computer to mount a TrueCrypt volume,that somebody can get root shell in seconds.
2. If there is a linux based public computer with TrueCrypt installed for the public to use to access their TrueCrypt
volumes,then through this trick,any user can get root access on that computer.
This violates the First Rule of Security, deny physical access.
How is that a TC issue?
Physical access is not necessary as the exploit can still be carried out remotely if the
user can login and run TrueCrypt.
The problem is that TrueCrypt can be used as a mean to gain "elevated privileges" and hence
the bug if somebody file one will be classified as a "local privilege escalation bug",like this[1] one.
This will be true especially with the second scenario,a scenario you conveniently did not address.
To exploit suid access: This requires a security vulnerability known to the attacker in an suid program like su or sudo. mhogomchungu, you provide a downloadable truecrypt volume containing a program with such a vulnerability deliberately built in, to prove truecrypt 7.1a as unsecure? This is not truecrypt's fault, the program "owned" is unsecure.
To anyone who cares about the "suid" mount option:
- Do not have suid programs in your truecrypt container
- or open the encrypted mapping without mounting, and mount yourself with "-o nosuid"
- if you need programs like su or sudo in the container, always keep them up to date. They run with root rights, but they still check passwords.
Anyway, if you need to encrypt a volume, by far the best way to do it is to use a drive, or a controller-card, that is capable of encrypting the data on the media. The very best forms of cryptography are those that are totally invisible to the end-user.
To exploit suid access: This requires a security vulnerability known to the attacker in an suid program like su or sudo. mhogomchungu, you provide a downloadable truecrypt volume containing a program with such a vulnerability deliberately built in, to prove truecrypt 7.1a as unsecure? This is not truecrypt's fault, the program "owned" is unsecure.
To anyone who cares about the "suid" mount option:
- Do not have suid programs in your truecrypt container
- or open the encrypted mapping without mounting, and mount yourself with "-o nosuid"
- if you need programs like su or sudo in the container, always keep them up to date. They run with root rights, but they still check passwords.
How hard is it to download an executable and run it on a remote system (assuming there's not firewall protections prohibiting it)? I don't buy this assumption that it's the program he wrote that is flawed. I would expect any program that is launched, by a user, is not escalated to higher privileges without prompting for some form of authentication and authorization. The default mount options and truecrypt not restricting what mount options are available to the user are flaws in truecrypt.
I'd say it's a serious bug. If anybody thinks otherwise I have a nice bridge in New York that is for sale; any buyers?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
