sungate.co.uk

Ramblings about stuff

This week I have been mostly…

This week I have been mostly doing the following:

  • Suffering from a Stomach Bug. This has been Unpleasant;
  • Playing tennis, bowling and baseball on the Wii: excellent fun, even though I have acquired one or two Actual Sporting Injuries;
  • Investigating the use of TrueCrypt as a suitable cross-platform solution for encrypting USB memory sticks. It seems to work very nicely: I’ve tried it under Linux at home and under Linux and Windows XP at work. Only annoyance is that it requires an administrator user (root privileges – Edit: what happens is that it prompts you for your password, sudo-style) to mount volumes under Linux. Not a problem for me, as I’m admin on all the machines I use, but it’d be nice for it not to have that requirement. It means that users without sudo access cannot use TrueCrypt. I’m using the full volume encryption on the USB stick, simply because this strikes me as more secure: if one were, say, to use a volume file on the otherwise-unencrypted USB filesystem, then deleting files puts them in “.Trash”, which will be unencrypted. Not good. Therefore, encrypt the whole volume: much safer;
  • I’m also intending to investigate the full system encryption features in Debian/Ubuntu, when I reinstall the OS on my laptop in the near future.
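
The `.Trash` leak described in the TrueCrypt item above can be checked for on a mounted stick. The following is an added example, not code from the original post: the function names are hypothetical, and the directory list (`.Trash` and `.Trash-<uid>` from the freedesktop.org trash convention, `.Trashes` on macOS) is an assumption about which desktops have touched the stick.

```shell
#!/bin/sh
# Added example: list plaintext files left in desktop trash directories at the
# top level of a mounted filesystem, e.g. an unencrypted USB stick that only
# holds an encrypted container file.

# Print every regular file found in a known trash directory under $1.
# This includes the trash metadata files, which record the original path
# and deletion time of each deleted file.
list_trash_leaks() {
    mnt=$1
    [ -d "$mnt" ] || { echo "not a directory: $mnt" >&2; return 2; }
    # Assumed list of trash directory names (see lead-in).
    for dir in "$mnt"/.Trash "$mnt"/.Trash-* "$mnt"/.Trashes; do
        # An unmatched glob stays literal, so test for a real directory;
        # skip symlinks so the scan never leaves the mounted volume.
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        find "$dir" -type f -print
    done
}

# Count the leaked files (assumes no newlines in file names).
count_trash_leaks() {
    list_trash_leaks "$1" | wc -l | tr -d ' '
}

# Stand-alone use: sh trash_check.sh /media/usbstick
if [ "$#" -gt 0 ]; then
    n=$(count_trash_leaks "$1")
    list_trash_leaks "$1"
    echo "$n plaintext file(s) in trash directories under $1"
fi
```

A non-zero count on a stick that is only meant to carry a container file means deleted data is sitting outside the encrypted volume; with whole-device encryption the trash directory lives inside the encrypted filesystem instead.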

2 Responses to This week I have been mostly…

  1. Maybe the impact of having to use sudo could be minimised by specifying the truecrypt commands specifically in the sudoers file? (Although I must admit I’ve not looked at truecrypt..)

  2. Omahn: Yeah, there are probably various workarounds to make it work, although they all have either (a) security implications or (b) practical annoyances. Options appear to be (i) configure sudo to allow *all* users to use truecrypt via sudo, possibly passwordless – this is annoying because it requires truecrypt to be launched as ‘sudo truecrypt’; (ii) configuring truecrypt setuid root – probably dangerous and if I remember Gnome wouldn’t let me launch a GTK+ app which was setuid root.

    It’s just a shame that it can’t work in exactly the same way as mounting non-encrypted USB sticks: these are mounted in the background, but require no special privileges for the user.

