Using a decoy operating system, with another OS hidden by TrueCrypt?

6

TrueCrypt provides an option to use a hidden operating system. This works by having a decoy operating system residing on partition 1, and using partition 2 as (encrypted) data storage for the decoy OS. The catch is, TrueCrypt makes it possible for partition 2, the "outer" partition, to also contain a hidden partition lurking within the outer partition's free space - which then contains the hidden operating system.

When mounting the outer partition as data storage, TrueCrypt is able to protect the hidden data if you provide the hidden partition's password. If this is not done, anything written to the free space of the outer partition may of course overwrite something from the hidden data. TrueCrypt, for security reasons, does not do the prevention by moving the free data around, or just avoiding the area where it's hidden - but only by detecting a conflict and preventing the write. In fact, TrueCrypt then makes the whole partition read-only until a remount.

Now this makes sense for a filesystem you're not using much - for example just storing some decoy files and afterwards adding a hidden partition, leaving the decoy files untouched or as read-only. However, in order for it not to look suspicious, the decoy operating system should of course be used constantly for insensitive work - this is even suggested by the TrueCrypt documentation.

But actually using the outer system seems really bothersome, since use means there's going to be a lot of writing - even if the partition is dedicated to data storage. So I would expect conflicts to happen quite often: Even if the hidden partition is rather small (150 MB), assuming the data is distributed randomly in the free space, even if there's a thousand times larger amount of free space (150 GB), a conflict would statistically happen when writing even a 1 MB file into the outer partition. (That is, if my math is correct...) Even if you have 1,5 TB, you'd need to remount after writing even 10 MB - which to me sounds like the outer file system is pretty unusable for regular work.

I expect I have misunderstood something, but I didn't catch it in the documentation. So the question is: Does using the decoy operating system regularly mean that you'll have to constantly unmount/remount after a write conflict, making any file copying a tedious task? Or is there some method for TrueCrypt to prevent this? What is this method?

Ilari Kajaste

Posted 2009-10-12T19:02:00.853

Reputation: 3 282

Answers

1

It does appear that file copying will require a remount. Despite this,

"You should use the decoy operating system as frequently as you use your computer. Ideally, you should use it for all activities that do not involve sensitive data. Otherwise, plausible deniability of the hidden operating system might be adversely affected"

However, to copy:

"If you need to securely transfer files from the decoy system to the hidden system, follow these steps:

  1. Start the decoy system.
  2. Save the files to an unencrypted volume or to an outer/normal TrueCrypt volume.
  3. Start the hidden system.
  4. If you saved the files to a TrueCrypt volume, mount it (it will be automatically mounted as read-only).
  5. Copy the files to the hidden system partition or to another hidden volume."

These tips are from the documentation.

Katerberg

Posted 2009-10-12T19:02:00.853

Reputation: 745

I was thinking about write operations on the outer volume. You know, the standard writing that happens when you use your computer - working on a document, managing your files, saving stuff from the net, downloading pictures from camera, or whatever. If I understand correctly, this normal working on the outer volume would result in constant conflicts, thus forcing the outer volume each time to be read-only until remount. It's a much rarer case where you need to move files from the outer to the hidden volume - so in that case having to remount isn't really a bother. – Ilari Kajaste – 2009-10-12T20:31:49.517
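
The write guard described in the question, together with its conflict estimate, as an added example that is not part of the original posts and is not TrueCrypt code. It models the guard as the question describes it (refuse a write that overlaps the hidden area, then stay read-only until remount) and keeps the question's assumption that writes land uniformly at random in free space. The class and function names, the block sizes, and placing the hidden area at the end of the model volume are assumptions of the example.

```python
import random

class OuterVolume:
    """Toy model of the guard described in the question (hypothetical, not TrueCrypt code)."""
    def __init__(self, size, hidden_start, hidden_len):
        self.size = size
        self.hidden_start = hidden_start
        self.hidden_end = hidden_start + hidden_len
        self.read_only = False

    def remount(self):
        self.read_only = False

    def write(self, offset, length):
        """Return True if the write is accepted, False if it is refused."""
        if self.read_only:
            return False
        # Does [offset, offset + length) overlap the protected hidden range?
        if offset < self.hidden_end and offset + length > self.hidden_start:
            self.read_only = True  # conflict: refuse and lock until remount
            return False
        return True

def conflict_probability(free_bytes, hidden_bytes, write_bytes, block):
    """P(at least one block of the write hits the hidden area), uniform placement."""
    blocks = -(-write_bytes // block)  # ceiling division
    return 1 - (1 - hidden_bytes / free_bytes) ** blocks

def simulate(free_bytes, hidden_bytes, write_bytes, block, trials=2000, seed=1):
    """Monte Carlo estimate of the same probability, driven through the guard."""
    rng = random.Random(seed)
    slots = free_bytes // block
    blocks = -(-write_bytes // block)
    locked = 0
    for _ in range(trials):
        vol = OuterVolume(free_bytes, free_bytes - hidden_bytes, hidden_bytes)
        for _ in range(blocks):
            if not vol.write(rng.randrange(slots) * block, block):
                locked += 1
                break
    return locked / trials

if __name__ == "__main__":
    FREE, HIDDEN, FILE = 150 * 10**9, 150 * 10**6, 10**6  # figures from the question
    for block in (512, 4096):  # assumed allocation unit sizes
        p = conflict_probability(FREE, HIDDEN, FILE, block)
        print(f"block={block:5d}  closed form={p:.3f}  "
              f"simulated={simulate(FREE, HIDDEN, FILE, block):.3f}")
```

The result depends strongly on the assumed allocation unit and on the uniform-placement assumption, neither of which the page establishes for a real file system.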