LinuxQuestions.org - Linux - Security

Appropriate encryption for file systems! (https://www.linuxquestions.org/questions/linux-security-4/appropiate-encryption-for-file-systems-653354/)

Ricio 07-03-2008 09:43 AM

About 3 months ago my iPod was stolen, and with it a bunch of important personal data. Now I have bought a 4 GB USB drive and I would like to encrypt it along with all the files stored on it. Several questions come in order:
How can I achieve this?
What would be the recommended encryption to use, and why?
Will I be able to use it on windows pcs?

I will also want to do the same for my laptop partitions (home, var and swap), and in the near future for a bunch of my company's Windows PC filesystems, or maybe only for specific files (what would you recommend?).

All advice along with tutorials and guides will be greatly appreciated.

I'm using Debian lenny with kernel 2.6.24-1 amd64.

Umm... it really would be helpful to get some answers, at least to the first part! USB encryption is of high importance now, but still, all the questions are important!

unSpawn 07-04-2008 06:26 AM

If you search LQ for "filesystem encryption" you'll find lots of threads discussing just that. Should be easy to pick since only a few methods offer cross-platform compatibility.

trickykid 07-04-2008 05:53 PM

Quote:

Originally Posted by unSpawn (Post 3203842)
If you search LQ for "filesystem encryption" you'll find lots of threads discussing just that. Should be easy to pick since only a few methods offer cross-platform compatibility.

We shouldn't just tell members to search without at least a few suggestions, that's not the LQ way of helping others.

As for the OP question:

There's Truecrypt (truecrypt.org) for USB devices; it's an open source application and it works with Windows, but it seems their site isn't loading right now to get full details. I guess since that's your main goal for now, that might be a viable solution.

And well, to encrypt data on Linux you can use http://cipherdyne.org/gpgdir/ which encrypts and decrypts directories with GPG. But if you're familiar with GPG, you can use it to encrypt individual files as well; it's got a Windows port as well if needed. You could probably get similar functionality on Windows or your USB disk as well with GPG.

There are some commercial solutions out there as well, but that's all I know from the top of my noggin.

Meson 07-04-2008 10:01 PM

One thing to keep in mind, especially with a popular program like Truecrypt, is that it requires administrator rights on each system to work.

I've been interested in this topic for many months now and have yet to find a solution that is cross platform and doesn't require administrator/root rights to use.

My current scheme is a fully encrypted hard disk (with the exception of /boot, of course) using LUKS. The USB key chain I carry around with me doesn't hold really sensitive data. I do, however, store my Keepass database on it.

If you're unfamiliar with Keepass, it is a great program for managing passwords and account info written for Windows but with a Linux port called KeepassX. Keepass does not require administrative rights and there is even a portable version available. One feature of Keepass is the ability to attach files to particular entries in the database. I suppose you could use this to store sensitive information.

Ricio 07-05-2008 08:36 AM

Quote:

One thing to keep in mind, especially with a popular program like Truecrypt, is that it requires administrator rights on each system to work.

So I could not see any encrypted data if I don't have administrator privileges? Or could I see the data and read it, but not write it or encrypt as a normal user?

Meson 07-05-2008 08:52 AM

The reason the encryption programs need administrative rights is that they take the encrypted block of data and mount it as a device. In Windows you would choose a drive letter (like X: or something) and in Linux you would choose a mount point. In both cases the operating system does not allow normal users to mount hard drives. Therefore you could not read, write, or even create an encrypted volume/partition.

BTW:
There are three ways to think about this. 1) You can encrypt an entire partition on a particular disk (or the whole disk itself). 2) You can create an encrypted volume which looks like a large file of random data but contains whatever you want, like an encrypted folder. 3) Or you can directly choose to encrypt specific files/folders (which is kind of like the encrypted volume, except the size of the volume is automatically set to the size of your data).

stress_junkie 07-05-2008 10:14 AM

Regarding True Crypt:

I have found that the second most recent version, v5.0a, causes problems with Linux when it is using partitions that it has encrypted itself. This problem is reduced when it is using partitions encrypted by v4.x of True Crypt.

V4.x of True Crypt can be found on the System Rescue CD.
http://www.sysresccd.org

So I recommend that if you want to use the v5.0a (or maybe even v5.1a) of True Crypt you should boot the System Rescue CD and format the partitions using the version of True Crypt on that CD.

The drawbacks are that you will not be able to use the latest features of True Crypt. These are mainly concerned with changing and adding the access password(s) to mount the encrypted partition.

I really like True Crypt. It works on Linux and Windows. That is its main advantage. I do believe that the True Crypt developer(s) are mostly interested in the Windows environment and then port their software to Linux in a less-than-careful manner.

If you don't need the multi-platform feature of True Crypt then Linux dm-crypt + LUKS appears to be a good solution.
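The dm-crypt + LUKS route named here, and the mount-needs-root point Meson made above, shown as an added example (not code from anyone in this thread): format a USB partition as a LUKS volume, open and mount it as root, and close it again. /dev/sdX1, the mapper name usbcrypt and the mount point are placeholders, and luksFormat wipes the device it is pointed at.

```shell
#!/bin/sh
# Added example, not from the thread. Requires cryptsetup (dm-crypt + LUKS).
# Only the header check below is safe to run as a normal user; the setup,
# open and close functions need root because they map a device and mount it.

# True when the device or container file starts with the LUKS magic bytes
# "LUKS" 0xba 0xbe. Needs read access only, so even without root you can
# tell a LUKS volume from a plain, unencrypted partition.
luks_header_present() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# One-time setup (root): write the LUKS header, open it, put a filesystem
# on the mapped device and mount it. Everything on DEV is destroyed.
luks_usb_setup() {
    dev=$1; name=$2; mnt=$3
    if luks_header_present "$dev"; then
        echo "$dev already carries a LUKS header, refusing to reformat" >&2
        return 1
    fi
    cryptsetup luksFormat "$dev"          # prompts for the passphrase
    cryptsetup luksOpen "$dev" "$name"    # creates /dev/mapper/$name
    mkfs.ext3 /dev/mapper/"$name"         # ext3 as on lenny; any fs works
    mkdir -p "$mnt"
    mount /dev/mapper/"$name" "$mnt"
}

# Every later session (root): open and mount. Once mounted, the filesystem
# is usable by normal users exactly like an unencrypted disk.
luks_usb_open() {
    cryptsetup luksOpen "$1" "$2" && mount /dev/mapper/"$2" "$3"
}

# Unmount and close before unplugging so the key leaves the kernel.
luks_usb_close() {
    umount "$2" && cryptsetup luksClose "$1"
}

# Only act when explicitly asked, e.g.: sh luks-usb.sh setup /dev/sdX1
if [ "${1:-}" = setup ]; then
    luks_usb_setup "${2:-/dev/sdX1}" usbcrypt /media/usbcrypt
fi
```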

stress_junkie 07-05-2008 10:25 AM

Quote:

Originally Posted by Ricio (Post 3204795)
So I could not see any encrypted data if I don't have administrator privileges? Or could I see the data and read it, but not write it or encrypt as a normal user?

An encrypted partition is mounted by root but is fully accessible by normal users, just like unencrypted partitions. You only need root privileges to mount, unmount, and change access rights to the partition. Once the encrypted partition is mounted it acts just like any other mounted disk partition.

Meson 07-05-2008 12:40 PM

Quote:

Originally Posted by stress_junkie (Post 3204845)
If you don't need the multi-platform feature of True Crypt then Linux dm-crypt + LUKS appears to be a good solution.

I believe one of the goals of LUKS is to be cross platform.


Also regarding what you said about TrueCrypt in general, I agree you should stick with version 4. I don't really like the direction they've taken in version 5. It's much harder to avoid the GUI, documentation is sparse, and there are a number of other complaints which you can read about on the TC forums.

Randux 07-05-2008 03:12 PM

GPG is not a viable system for many files. It's based on PGP (and now the OpenPGP standard) which was designed for encryption and digital signatures for email. For that use, there is probably nothing better.

For a portable USB drive, Truecrypt is the way to go. It's open source and it works. I've been running 5.0a in test since it came out and I had zero problems. I've used Truecrypt pretty much since it came out and never lost anything.

I agree that the new GUI for Truecrypt is a waste of time but give the guy credit for trying to make it look the same everywhere. You can still use command-line for almost everything and that's what I do.

I like the fact that you can choose ciphers and hashes with Truecrypt and there's no games unlike some other "competitors".

stress_junkie 07-05-2008 05:22 PM

Quote:

Originally Posted by Randux (Post 3205026)
For a portable USB drive, Truecrypt is the way to go. It's open source and it works. I've been running 5.0a in test since it came out and I had zero problems. I've used Truecrypt pretty much since it came out and never lost anything.

I agree that the new GUI for Truecrypt is a waste of time but give the guy credit for trying to make it look the same everywhere. You can still use command-line for almost everything and that's what I do.

I like the fact that you can choose ciphers and hashes with Truecrypt and there's no games unlike some other "competitors".

This True Crypt web site page says that you need to run Linux kernel 2.6.24 or higher.
http://forums.truecrypt.org/viewtopic.php?t=9129
Another True Crypt web site page says that you have to run Linux kernel 2.6.25.1 or higher. I can't find that one right now.

The problem, which I have experienced, is when you are creating a file system on an encrypted partition it will stop mid-process with a blocking i/o on the disk. Eventually other processes on the system get hung as they attempt to access the same disk. You eventually reach a point where all of the processes that you can see and interact with are hung.

This may also be a problem when writing a lot of data onto a mounted encrypted volume if that volume was encrypted with TC v5.x.

I have avoided it by encrypting my disk partitions with True Crypt v4.3 from the System Rescue CD. Now I can use True Crypt v5.0a on PCLOS to read and write to those partitions.

Once we're all running kernel v2.6.25 we'll see if True Crypt is really innocent in these malfunctions. That could be quite a wait, though. My PCLOS is only running 2.6.18.

Randux 07-06-2008 10:56 AM

I use Slack's 2.6.17.13 kernel and TrueCrypt 5.0a has been working since the beginning! If you need a 2.6.24 kernel it's news to everyone running Slackware 11.0 ;)

