Friday, February 10, 2012

Quickpost: Disassociating the Key From a TrueCrypt System Disk


Didier Stevens has a nice post on his blog about disassociating the key from a TrueCrypt system disk.

TrueCrypt allows for full disk encryption of a system disk. I use it on my Windows machines. You probably know that the TrueCrypt password you type is not the key; simply put, it is used to decrypt the master key that is stored in the volume header. On a system drive, the volume header is stored in the last sector of the first track of the encrypted system drive (TrueCrypt 7.0 or later). Usually, a track is 63 sectors long and a sector is 512 bytes long. So the volume header is in sector 62. When this header is corrupted or modified, you can no longer decrypt the disk, even with the correct password. You need to use the TrueCrypt Rescue Disk to restore the volume header. This rescue disk was created when you encrypted the disk. I’m using Tiny Hexer on the Universal Boot CD For Windows to erase the volume header (you can’t easily modify the volume header when you have booted from the TrueCrypt system disk; using a live CD like UBCD4WIN is one possible workaround).


First I’m checking the geometry of the system drive with MBRWizard:



Take a look at the CHS (Cylinders Heads Sectors) value: S = 63 confirms that a track is 63 sectors long.


Then I open the system drive with Tiny Hexer (notice that the sector size is 512 bytes or 0x200 bytes):



I go to sector 62, the last sector of the first track:



It contains the volume header (an encrypted volume header has no recognizable patterns, it looks like random bytes):



Then I erase the volume header by filling the sector with zeroes and writing it back to disk:



And if you absolutely want to prevent recovery of this erased sector, write several times to it with random data.


Booting is no longer possible, even with the correct password. The TrueCrypt bootloader will tell you the password is incorrect:



One can say that I’ve created a TrueCrypt disk that requires 2-factor authentication. To decrypt this disk, you need 2 factors: the password and the corresponding TrueCrypt Rescue Disk.


First you need to boot from the TrueCrypt Rescue Disk, and select Repair Options (F8):



And then you write the volume header back to the system disk. Note that the TrueCrypt Rescue Disk requires you to enter the password before it writes the volume header to the disk:



And now you can boot from the system disk with your password.


Use this method if you need to travel with or mail an encrypted system disk and want to be 100% sure there is no way to decrypt the drive while in transit. But don’t travel with the 2 factors on you, send the TrueCrypt Rescue Disk via another channel.


Remark: MBRWizard allows you to wipe sectors, but for whatever reason, it couldn’t successfully wipe sector 62 on my test machine.


Oh yeah, don’t forget to make a full backup before you attempt this technique ;-)
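
The erase and restore steps described above, as an added example that is not part of the original post: it works on a raw disk image file rather than a live drive, and restores from a saved copy of the sector rather than from the TrueCrypt Rescue Disk. The function names, the backup file and the entropy threshold are assumptions made for this sketch; the geometry (63 sectors per track, 512-byte sectors) is the one given in the post.

```python
import hashlib, math, os
from collections import Counter

SECTOR_SIZE = 512          # bytes per sector, as stated in the post
SECTORS_PER_TRACK = 63     # the "S" value of the CHS geometry

def header_offset(sectors_per_track=SECTORS_PER_TRACK, sector_size=SECTOR_SIZE):
    """Byte offset of the last sector of the first track (sector 62, counted from 0)."""
    return (sectors_per_track - 1) * sector_size

def entropy(data):
    """Shannon entropy in bits per byte; an encrypted header looks random (high value)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def erase_header(image_path, backup_path, min_entropy=7.0):
    """Save the header sector to backup_path, zero it in the image, return its SHA-256."""
    off = header_offset()
    with open(image_path, "r+b") as disk:
        disk.seek(off)
        sector = disk.read(SECTOR_SIZE)
        if len(sector) != SECTOR_SIZE:
            raise ValueError("image is shorter than one track")
        if entropy(sector) < min_entropy:   # assumed threshold: refuse zeroed/plain sectors
            raise ValueError("sector 62 does not look like an encrypted volume header")
        with open(backup_path, "xb") as bak:   # 'x' mode never overwrites an existing backup
            bak.write(sector)
        disk.seek(off)
        disk.write(bytes(SECTOR_SIZE))         # fill the sector with zeroes
        disk.flush()
        os.fsync(disk.fileno())
    return hashlib.sha256(sector).hexdigest()

def restore_header(image_path, backup_path, expected_sha256):
    """Write the saved sector back after checking it against the recorded hash."""
    with open(backup_path, "rb") as bak:
        sector = bak.read()
    if len(sector) != SECTOR_SIZE or hashlib.sha256(sector).hexdigest() != expected_sha256:
        raise ValueError("backup does not match the recorded header hash")
    with open(image_path, "r+b") as disk:
        disk.seek(header_offset())
        disk.write(sector)
        disk.flush()
        os.fsync(disk.fileno())
```

The entropy check guards against wiping the wrong sector or running the erase twice, which would otherwise replace a good backup candidate with zeroes.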