Lab: Encryption software & secure deletion & data recovery
Data recovery & secure deletion
Before moving to encryption, we first look at why secure erasure matters. This also motivates encryption: if the data is encrypted, an attacker who recovers insecurely erased data still cannot read it.
We will try out the programs Recuva Free, BleachBit, Eraser and CCleaner. Recuva recovers deleted files, while BleachBit and Eraser are meant for secure deletion. CCleaner removes temporary files, cookies, browsing history and other traces left on the computer.
- Lab exercise 1: Start Recuva Free and understand how it works.
- Use Recuva Free to find deleted files on the partition "Virtual USB".
- Think about where the recovered files should be written (and why writing them back onto the partition you are recovering from is a bad idea).
- Open the recovered picture and write your name into the cloud in the top middle part of the image. Save the changes and submit the picture as part of your homework solution. The solution has to be submitted through the course website. You will have to log in to courses.cs.ut.ee with your university credentials to be able to submit the solutions.
- Lab exercise 2: After the homework solution has been submitted, securely erase the restored files. In addition, overwrite the empty space on the partition "Virtual USB" (E:). Ordinary deletion only removes the directory entry, so the old contents stay on the disk until they are overwritten.
- Lab exercise 3: Testing recovery after secure erasure. Download some small files (a PDF, a picture, etc.) and save them on the partition "Virtual USB". Delete them by moving them to the Recycle Bin and emptying it. Try to restore the files with Recuva. Put the recovered files back on "Virtual USB" and this time delete them with secure erasure. Now Recuva should no longer be able to restore them; verify that this is the case.
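The following Python script is an added illustration for this section, not one of the lab's tools. It models what the exercises show with Recuva and Eraser: a file system "delete" only drops the directory entry, so a signature-based carver (the technique recovery tools use) still finds the file, while overwriting the blocks or the free space defeats it. ToyDisk, the JPEG-shaped sample and the carver are constructed simplifications (contiguous allocation, no journal, no wear levelling); shred_file acts on a real file and is written by the editor, not taken from Eraser or BleachBit.

```python
"""Why "delete" is not "erase": a constructed toy disk plus a real-file shredder."""
import os

BLOCK = 512

# Constructed sample: a minimal JPEG-shaped payload (SOI marker ... EOI marker).
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
SAMPLE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF" + b"sample photo bytes" * 4 + JPEG_EOI


def _blocks_needed(length):
    return max(1, -(-length // BLOCK))  # ceiling division, at least one block


class ToyDisk:
    """A block device (bytearray) plus a directory {name: (offset, length)}."""

    def __init__(self, n_blocks=64):
        self.data = bytearray(BLOCK * n_blocks)
        self.directory = {}
        self.free = list(range(n_blocks))

    def write_file(self, name, content):
        n = _blocks_needed(len(content))
        blocks, self.free = self.free[:n], self.free[n:]
        off = blocks[0] * BLOCK  # contiguous allocation, for simplicity
        self.data[off:off + len(content)] = content
        self.directory[name] = (off, len(content))

    def delete(self, name):
        """Ordinary delete: forget the mapping, free the blocks, keep the bytes."""
        off, length = self.directory.pop(name)
        first = off // BLOCK
        self.free = sorted(self.free + list(range(first, first + _blocks_needed(length))))

    def _overwrite(self, off, length, random_fill):
        self.data[off:off + length] = os.urandom(length) if random_fill else bytes(length)

    def secure_delete(self, name, passes=1, random_fill=True):
        """Overwrite the file's blocks first, then drop the directory entry."""
        off, length = self.directory[name]
        for _ in range(passes):
            self._overwrite(off, _blocks_needed(length) * BLOCK, random_fill)
        self.delete(name)

    def wipe_free_space(self, random_fill=True):
        """What "overwrite empty space" does: scrub every block not in use."""
        for b in self.free:
            self._overwrite(b * BLOCK, BLOCK, random_fill)


def carve_jpegs(raw):
    """Signature carving, as a recovery tool does it: find SOI..EOI spans in the
    raw bytes, ignoring the directory entirely."""
    found, i = [], raw.find(JPEG_SOI)
    while i != -1:
        j = raw.find(JPEG_EOI, i + len(JPEG_SOI))
        if j == -1:
            break
        found.append(bytes(raw[i:j + len(JPEG_EOI)]))
        i = raw.find(JPEG_SOI, j + len(JPEG_EOI))
    return found


def shred_file(path, passes=1):
    """Overwrite a real file in place with random bytes, sync, then unlink it.
    Caveat: on SSDs (wear levelling) and on journaling or copy-on-write file
    systems the new bytes may land in other physical blocks, so old data can
    survive. Full-disk encryption avoids having to rely on overwriting at all."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 1 << 16)
                f.write(os.urandom(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return size


if __name__ == "__main__":
    disk = ToyDisk()
    disk.write_file("photo.jpg", SAMPLE_JPEG)
    disk.delete("photo.jpg")
    print("after ordinary delete, carver finds:", len(carve_jpegs(disk.data)))
    disk.wipe_free_space()
    print("after wiping free space, carver finds:", len(carve_jpegs(disk.data)))
```

Run it and compare the two counts: the deleted picture is carved intact until the free space is wiped. The shred_file caveat is the reason the lab moves on to encryption next: overwriting is a best-effort measure on modern storage, whereas encrypted data that leaks is useless without the key.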
Encryption software
In principle, encryption software can be divided into two categories. First, some software encrypts individual files and folders on a computer. For example, one can use such software to encrypt only work-related documents. Windows Encrypting File System, VeraCrypt file containers, Boxcryptor and even PGP are examples of software that encrypt individual files.
It is important to understand that all other files are left unencrypted. In addition, the temporary files created when opening an e-mail attachment or editing an Office document may be placed outside the encrypted folder by the operating system or the application. Operating system profile settings and the web browsing history are also unprotected in this case.
Another approach is to encrypt the whole disk, including the system drive. The system drive is the disk (or partition) where the operating system files reside and from which the system boots. In Windows the system drive is C:\, in Mac OS X and Linux it is the one holding the root file system /.
When the system drive is encrypted, the decryption password is requested right after the computer is switched on, before the operating system starts loading (pre-boot authentication). Everything on the drive, including temporary files, the swap and hibernation files and the browsing history, is then covered.
Most operating systems come with system drive encryption software. Windows has BitLocker, although it is available only in the more feature-rich editions (Pro, Enterprise, Ultimate, Server), not in the Home editions. Mac OS X has FileVault 2, and most Linux distributions use dm-crypt with the LUKS on-disk format. VeraCrypt runs on all three operating systems, but its system drive encryption is supported only on Windows.
Windows Encrypting File System
Windows Encrypting File System (EFS) is a feature of the NTFS file system used by Windows. It lets the user encrypt individual files, folders or even all files on a drive very easily. However, EFS cannot be used to encrypt the system drive as a whole; the operating system files stay unencrypted. EFS has been available since Windows 2000, but it is not supported in the cheaper editions (e.g. Windows 7 Starter, Home Basic, Home Premium).
Windows EFS generates a separate encryption key for each file. This file encryption key is encrypted with the public key of the user's EFS certificate and stored with the encrypted file; the corresponding private key is in turn protected by Windows with material derived from the user's login password. Hence, in practice the file encryption is only as strong as the user's login password. Moreover, since the keys are tightly bound to the user's Windows account, it is advisable to export the EFS certificate together with its private key and keep it in a safe place. Otherwise the encrypted files become inaccessible if something happens to the Windows user profile, e.g. an administrator resets the password or the system is reinstalled. Recovering encrypted files also requires a Windows operating system with EFS support.
Starting the EFS service:
- Start services.msc
- Find Encrypting File System (EFS) in the list
- Start EFS and set its startup type to Automatic so that it starts on boot
Using EFS:
- Choose a file or folder to encrypt
- Right click on it and choose "Properties" -> "General" -> "Advanced" -> "Encrypt contents to secure data"
- Don't forget to back up the user's EFS certificate and private key (the certificate can also be exported from a command prompt with cipher /x)
VeraCrypt
VeraCrypt is a popular open source software for encrypting file containers or whole storage devices (hard disks or USB sticks). It provides on-the-fly encryption, so files are transparently encrypted and decrypted while in use. Like all other solutions mentioned here, it uses symmetric encryption to encrypt the data.
VeraCrypt's strengths are its open source code (hence transparency) and the fact that it is supported on all major operating systems (Windows, Mac OS X, Linux). This allows secure file exchange between different platforms.
1. Installing VeraCrypt
VeraCrypt is available from its webpage at https://www.veracrypt.fr/en/Home.html
Run the downloaded installer and
- Accept the license
- Click "Continue"
- If needed, change the installation location and click "Install"
- Finish installation and run VeraCrypt
2. Encrypted file container
The simplest way to protect a small number of files is to put them together in a single encrypted file, a container. Such a container is also convenient to back up or move to another computer. With a strong password the files stay confidential even if the container leaks: without the right password its contents are indistinguishable from random data.
Exercise
Creating a new container:
- Click "Create Volume"
- Choose "Create an encrypted file container"
- Choose "Standard VeraCrypt volume"
- Click "Select File" and save the new container as a file (for example myfile.hc). Note: .hc is the default VeraCrypt file extension, but you can use any extension, even .pdf or .docx, to look less obvious.
- Click "Next"
- Click "Next"
- Let's make a small container: 10 MB
- Choose a password and memorize it. It should be a strong password, but in the lab you may use something short and simple for testing. You will get a warning, which can be ignored here.
- Click "Format". Collecting randomness to generate a strong key may take some time.
- You will be offered to create another container. You can choose "Exit" if you don't want to create a second container.
Using a file container:
- Click "Select File" and locate your container (myfile.hc)
- Choose a drive letter, for example Z:
- Click "Mount"
- Enter the password. You can first try a wrong password to verify that you get an error, then use the correct one. Checking the password is deliberately made slow (the key is derived from it with a large number of hash iterations) so that guessing passwords is expensive.
- Right-click the chosen drive letter and choose "Open", or double-click the chosen drive letter.
- Copy some files to the drive (Z:\)
- Close the drive window
- Click "Dismount" in the VeraCrypt window
- Verify that the copied files really are in the container by repeating steps 1-5 above. Then don't forget to dismount the drive.
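Two claims made above can be checked rather than taken on faith: that a container "looks like random data", and that password checking is "deliberately made slow". The Python script below is an added example written for this page, not VeraCrypt's code. shannon_entropy and file_entropy give a quick byte-frequency check you can run on your myfile.hc against an ordinary .docx; header_key shows the slow, salted PBKDF2 derivation that makes each wrong guess cost the attacker real work (VeraCrypt's documented default for standard volumes with SHA-512 is 500,000 iterations, which DEFAULT_ITERATIONS assumes); the keyfile handling is a simplification of VeraCrypt's keyfile scheme, not its exact algorithm. guesses_per_second and seconds_to_exhaust are the editor's helpers for putting a number on the slowdown.

```python
"""Randomness check and slow key derivation for a VeraCrypt-style container."""
import hashlib
import math
import os
import time

# VeraCrypt's documented default for standard (non-system) volumes with SHA-512.
DEFAULT_ITERATIONS = 500_000


def shannon_entropy(data):
    """Entropy in bits per byte (0.0 .. 8.0) from byte frequencies. Ciphertext
    and random data sit very close to 8.0; text and most documents well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_random(data, threshold=7.9):
    """Plausibility check for "it looks like random data". The converse does
    not hold: compressed files (zip, jpg, mp4) also score close to 8."""
    return shannon_entropy(data) >= threshold


def file_entropy(path, nbytes=65536):
    """Entropy of the first nbytes of a file, e.g. your myfile.hc vs a .docx."""
    with open(path, "rb") as f:
        return shannon_entropy(f.read(nbytes))


def header_key(password, salt, iterations=DEFAULT_ITERATIONS, keyfile=None):
    """Slow, salted derivation of a 64-byte header key from the password.
    An optional keyfile's hash is folded into the password material, so the
    key cannot be reproduced from the password alone (simplified scheme)."""
    material = password.encode()
    if keyfile is not None:
        material += hashlib.sha512(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha512", material, salt, iterations, dklen=64)


def guesses_per_second(iterations, samples=3):
    """How many password guesses per second this machine can test at the
    given iteration count."""
    salt = os.urandom(64)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha512", b"guess", salt, iterations, dklen=64)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(charset_size, length, gps):
    """Worst-case time to try every password of the given length at gps guesses/s."""
    return charset_size ** length / gps


if __name__ == "__main__":
    print("random bytes:", round(shannon_entropy(os.urandom(65536)), 3))
    print("plain text:  ", round(shannon_entropy(b"lorem ipsum dolor sit amet " * 2000), 3))
    fast, slow = guesses_per_second(1000), guesses_per_second(DEFAULT_ITERATIONS)
    print(f"guesses/s at 1,000 iterations: {fast:,.0f}; at {DEFAULT_ITERATIONS:,}: {slow:,.1f}")
    print("days to exhaust 8 lowercase letters at the slow rate:",
          round(seconds_to_exhaust(26, 8, slow) / 86400, 1))
```

The iteration count only multiplies the attacker's cost; it does not rescue a short password. Run the last line with the "infsec"-style six-letter lowercase password from the homework (26 ** 6) to see why the lab tolerates such a password for testing only.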
Homework task
Create an encrypted file container with VeraCrypt and submit it as part of the homework. Follow the instructions in the lab session page on how to install and use VeraCrypt. (2p)
- The container itself should be small (500 kB)
- The name of the container must be your family name. If necessary, substitute non-standard characters (e.g. å -> a).
- The password must be "infsec" (in lowercase)
- Create a text (.txt) file in the container that has your first name as filename, e.g. Kristjan.txt. The file content is not important.
- Make sure that you are able to mount the container with the correct password, then submit the VeraCrypt container as your solution.
3. Encrypting a USB stick
One way to securely transport files is to create an encrypted container as described in the previous section and carry it along on a USB stick. However, VeraCrypt can also encrypt the whole USB drive.
USB drives usually have a single partition, but partitions can be added and removed just like on a hard drive. Encrypting a partition also requires formatting it, so all files on it must be backed up before starting.
- Click "Create volume"
- Click "Encrypt non-system partition/drive"
- Click "Standard VeraCrypt volume"
- Choose a partition you want to encrypt by clicking "Select drive" and selecting a partition. If you do this task using the given virtual machine, then choose the "Virtual USB" partition. Files on that partition that you want to keep should be backed up at this point.
- Click "Next" and then again "Next"
- Choose a strong password and/or create a keyfile. The password and keyfile together determine the encryption key. A keyfile should be kept separately from the USB stick and protected against theft. If either the password or the keyfile is lost, the encrypted files cannot be recovered.
- Click "Next", choose "Quick format" and click "Next"
- Move the mouse randomly inside the window to add entropy for generating the encryption key. Then click "Format" and "Yes".
- Click "Next"
- Using the encrypted partition is similar to using an encrypted file container, but start with "Select Device" instead of "Select File".
Of course, to use this encrypted USB stick on another computer, VeraCrypt must be available there too. For computers where you do not have permission to install new software, you can create a portable VeraCrypt from Tools -> Traveler Disk Setup... A good idea is to create two partitions on the USB stick: one encrypted, and one unencrypted holding the portable VeraCrypt. Note that the portable version still needs administrator rights on that computer, because VeraCrypt has to load its driver.
4. Encrypting system drive
As mentioned before, VeraCrypt can also encrypt the system drive (or any other drive, actually). This is done by clicking "Create Volume" and choosing "Encrypt the system partition or entire system drive", or by choosing System -> Encrypt System Partition/Drive... from the menu. The rest of the process is similar to creating an encrypted container or USB drive. During the process VeraCrypt also creates a Rescue Disk image that must be burned to a CD (or written to a USB stick) and verified before encryption starts. It contains the VeraCrypt boot loader and a backup of the volume header, i.e. the master key encrypted with the chosen password, and is needed if the boot loader or the header on the hard drive gets corrupted. It does not help if the password is forgotten.
Depending on the drive size, encrypting the whole disk may take a long time. However, VeraCrypt encrypts in the background while the drive is already in use, so you can continue to work on the computer normally during this time.
Truecrypt and the history of VeraCrypt
VeraCrypt is one of the successors of the very popular open source disk encryption software TrueCrypt. Although it was widely used, some facts raised questions about TrueCrypt:
- The authors of TrueCrypt are anonymous (at least to the public), so their motivation for creating such software is not known.
- It is hard to verify that the distributed binaries are really built from the published source code.
- The TrueCrypt source code was not audited for a very long time, so there was no guarantee that it did not contain back doors. In fall 2013, Matthew Green and Kenneth White started a campaign to audit its source code. More information at http://istruecryptauditedyet.com/.
- In May 2014 the developers of TrueCrypt unexpectedly announced that they would discontinue the software and advised against using TrueCrypt as it might contain security vulnerabilities. The reason for this statement is not known. The TrueCrypt web page was replaced with a tutorial on migrating to other software. It was decided that the aforementioned security audit would still be completed.
- In April 2015 the security audit was finished. It found no evidence of back doors or severe design flaws, although a few lesser vulnerabilities were reported.
Some people still use(d) the last stable TrueCrypt version 7.1a, as this was the audited version. However, since the TrueCrypt code is no longer maintained, any security vulnerabilities found in it will remain unfixed, and some such vulnerabilities have already been found. Thus, it is advisable to use one of its up-to-date forks, e.g. VeraCrypt. VeraCrypt keeps most of TrueCrypt's user interface and can even open old TrueCrypt containers. Most importantly, it receives security patches when necessary.
Encrypting individual files
VeraCrypt's encrypted file container is a convenient way to securely store or transport files, but it does not suit the use case where files are synchronized between computers or backed up using cloud storage services (Dropbox, Google Drive, Microsoft OneDrive, etc.). The problem is that the container is a single file: when even one file inside it changes, the whole container changes and has to be uploaded to the cloud service again.
This problem is solved by encrypting each file separately. When a file changes, only that single file is uploaded to the cloud service, just as with unencrypted files, and the encrypted files are about the same size as the originals. Files are encrypted on the user's computer before they are uploaded and decrypted only after they are downloaded, so the cloud service provider never sees the unencrypted files.
To start using such software, the user first chooses a password and a folder where the encrypted versions of the files are kept. This should be the folder that is synchronized to the cloud, e.g. a subfolder of Dropbox. Secondly, the user chooses a drive letter (or a folder, on Linux) where the files are presented in decrypted form. This is the virtual drive through which the user accesses the files. Unencrypted files are never stored on disk; encryption and decryption happen on-the-fly. We briefly describe two such programs: Boxcryptor Classic and Cryptomator.
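The Python model below is an added example written for this page; it is not Boxcryptor's or Cryptomator's code. It shows the property the previous paragraphs describe: each plaintext file becomes its own ciphertext object in the synced folder, so editing one file changes exactly one object for the sync client to upload, and the provider sees neither the contents nor (here) the real filenames. For the cipher it uses a CTR-style keystream from HMAC-SHA256 with encrypt-then-MAC so that it runs with the standard library alone; real tools use AES (e.g. AES-CTR with HMAC, or AES-GCM) instead. The Vault class, its keyed filename hashing, the ".enc" suffix and the sample folder are all constructed for the example.

```python
"""Per-file encryption for a cloud-synced folder (constructed example)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(password, salt, iterations=200_000):
    """Password -> (content key, MAC key, filename key) via PBKDF2-HMAC-SHA256."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=96)
    return km[:32], km[32:64], km[64:]


def _keystream(key, nonce, length):
    # CTR-style PRF keystream: HMAC(key, nonce || counter) blocks, truncated.
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt_blob(content_key, mac_key, plaintext):
    """nonce || ciphertext || tag, with the tag covering nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(content_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_blob(content_key, mac_key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(content_key, nonce, len(ct))))


class Vault:
    """The synced folder: {hidden name: encrypted blob}. Only files whose
    plaintext actually changed are re-encrypted, so one edit means exactly
    one changed object for the sync client to upload."""

    def __init__(self, password, salt=None):
        self.salt = salt or os.urandom(16)
        self.content_key, self.mac_key, self.name_key = derive_keys(password, self.salt)
        self.objects = {}   # what the cloud provider sees
        self._seen = {}     # local only: plaintext name -> hash of last encrypted content

    def hidden_name(self, filename):
        # Keyed hash: deterministic (so an edit replaces the same object) but
        # not linkable to the real name without the key. This is the filename
        # encryption the text mentions as a paid Boxcryptor feature.
        return hmac.new(self.name_key, filename.encode(), hashlib.sha256).hexdigest()[:32] + ".enc"

    def put(self, filename, content):
        """Returns True if an object was (re)written, False if nothing changed."""
        digest = hashlib.sha256(content).digest()
        if self._seen.get(filename) == digest:
            return False
        self.objects[self.hidden_name(filename)] = encrypt_blob(self.content_key, self.mac_key, content)
        self._seen[filename] = digest
        return True

    def get(self, filename):
        return decrypt_blob(self.content_key, self.mac_key, self.objects[self.hidden_name(filename)])


def changed_objects(before, after):
    """Names of vault objects whose bytes differ between two snapshots."""
    return {n for n in set(before) | set(after) if before.get(n) != after.get(n)}


if __name__ == "__main__":
    # Constructed sample folder
    docs = {"report.docx": b"Q3 report " * 50, "notes.txt": b"todo list",
            "photo.jpg": b"\xff\xd8\xff" + b"\x00" * 200}
    vault = Vault("correct horse battery staple")
    for name, data in docs.items():
        vault.put(name, data)
    snapshot = dict(vault.objects)
    vault.put("notes.txt", b"todo list, updated")  # edit one file
    print("objects to re-upload:", changed_objects(snapshot, vault.objects))
```

Contrast this with the container from the previous section: there, the same one-line edit would change the single container file and force the whole thing to be re-synced. The MAC check in decrypt_blob is what stops a provider (or anyone who can write to the synced folder) from silently modifying a file's ciphertext.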
Boxcryptor
Boxcryptor is compatible with all cloud storage providers that create a synchronized folder on the user's computer (e.g. all of the providers mentioned above) and can also be used without any cloud service, just to store encrypted versions of files on the disk. Boxcryptor also has mobile clients.
There were two versions of the Boxcryptor software. The current version can securely share files with other Boxcryptor users, but for simplicity we use the legacy Boxcryptor Classic in this lab, which does not require registration. The paid version of Boxcryptor also encrypts filenames; in the free version the filenames are visible to the cloud provider. Unfortunately, Boxcryptor Classic is no longer developed or supported.
Cryptomator
Cryptomator (https://cryptomator.org/) is free and open source software doing exactly the same: it protects the contents of a folder with a password and presents an unencrypted view of them as a separate drive (or directory, on Linux). It also encrypts the filenames.
Further reading
- Bitlocker
- TrueCrypt
- http://www.truecrypt.org - now redirecting to another web page
- https://en.wikipedia.org/wiki/TrueCrypt
- http://istruecryptauditedyet.com/
- The audited version of TrueCrypt and its binaries
- TCnext - another mirror for TrueCrypt binaries
- TrueCrypt binaries mirror hosted by grc.com
- Security analysis of TrueCrypt by BSI (2015)
- BoxCryptor