About a year ago I built several 1.2TB fileservers for a number of my consulting clients which utilized RAID5 arrays for redundancy with LVM running on top for expandability. One of my cleints which does some media work has exhausted the storage space and called a few weeks ago about expanding the storage space on the server.

The four hard drives in the server now were already utilizing all the onboard SATA-II ports. I certainly could have replaced the drives with larger ones (which I did do for another client) but that would have entailed some careful shuffling of data and wouldn't provide for much future expandability. For another client who uses space much more slowly I could have added a two port SATA expansion card and added two drives in RAID1 but here I expect to need to continue adding space and so I proposed an external storage tower with a multiport SATA link. I was looking for a PCI Express controller which would support eight drives on a single card and would be supported in Debian Linux. I ended up selecting a Highpoint RocketRAID 2322 which seemed to fit the bill.

As it turns out packaged driver support for Linux is only available for Fedora, Red Hat and SuSE. Luckily I found great instructions at this University of Northern Iowa site for building the drivers from source provided by Highpoint. Although there is some grumbling in the open source community about these drivers being non-free licensed (hence no package from Debian) just about everything else is great. The kernel module built without any problems and without a huge number of dependencies and I was able to get the drives up and running without too much work.

Unfortunately, I did not get the module into the initramfs as I had intended and so on reboot it all came crashing down. This entailed a trip to the customer and several hours to fix because the entire system including the root filesystem is LVM on RAID. Luckily, I was able to boot off an Ubuntu CD and build the RocketRAID kernel module again then start the RAID and then the LVM which finally allowed me to mount the filesystem. After doing this a few times I was finally able to get the initramfs straightened out and things working again. Needless to say it was a long night, but a successful one nonetheless.

I've written before suggesting the use of Linux for open source drive imaging and it seems there has been some movement in this direction. About a year after my initial posting the folks at PackRatStudios posted this article with a list of free and open source alternatives to the Symantec Ghost software. A quick look at the utilities they reviewed indicates that there is still much work to be done on using Linux as a disk imaging platform, particularly when it comes to ease of use and filesystem (NTFS in particular) support. On the other hand we're much further along than we were and progress is clearly being made.

About a month and a half ago I wrote about open source whole disk encryption software (this was just before TrueCrypt 5 came out) and mentioned an open source program called DiskCryptor which has been available since late fall and was the first open source whole drive encryption (system partition encryption) utility to support Windows that I'm aware of.

DiskCryptor has releases hosted on SourceForge and additional information on the primary developer's website. Though the developer's site is in Russian the Google translation facility does an ok job of translating it.

I started using DiskCryptor a few weeks before TrueCrypt 5 came out and was really impressed. Once TrueCrypt was released I tried that and while I do appreciate some aspects of the super redundancy in TrueCrypt whole disk encryption I soon went back to using DiskCryptor for a couple of reasons.

First, I had problems with TrueCrypt blue-screening on me and sometimes preventing my system from shutting down properly (it would sometimes reboot instead of shutting down). This made me quite uncomfortable as I was trusting my data to the software. I understand there have been a few patches to TrueCrypt since I tested version 5.0 which fixes some of the problems people were having and which I have not tried yet but there are other reasons I prefer DiskCryptor.

Second, while all the hand holding and redundant systems in TrueCrypt do make it (to some extent) dummy-resistant they are actually quite a pain when being utilized by a power user and there is no way to bypass them. In some cases it is either inconvenient or unnecessary to create a recovery CD. DiskCryptor does not require that a recovery CD be created and has different, perhaps more robust methods of recovering the data should the need arise.

Third, DiskCryptor supports hibernation! This is reason enough to use DiskCryptor for many laptop users. I understand that TrueCrypt 5.1 includes hibernation support but it appears a bug may have been introduced at the same time with dire consequences for drive security. Read about this bug in English and see the code problem in Russian. This may be fixed in TreuCrypt 5.1a but is not specifically mentioned as fixed in the TrueCrypt changelog as far as I can see.

Fourth, DiskCryptor has (in my mind) more robust/useful recovery options. This is for several reasons. While there is no recovery CD or extensive boot loader decryption ala TrueCrypt the encrypted volumes are fully compatible with standard TrueCrypt encrypted volumes (including pre-TrueCrypt 5). This means you can take a DiskCryptor encrypted volume and physically attach the drive to another system or boot into another OS and then mount and decrypt the drive with TrueCrypt. You cannot even do this with TrueCrypt encrypted drives as the technology behind TrueCrypt whole drive encryption is not compatible with regular TrueCrypt encrypted volumes. To me this is really exciting and useful as it allows me to move drives between systems and retain access to the encrypted data. There is also a BartPE plugin for DiskCryptor so you can boot from a BartPE CD and decrypt/access the encrypted drive. Finally, support is in version 0.3 (coming out shortly) for installing the DiskCryptor boot code on other media (eg. flash memory keys, CD-ROMs, etc.)

Fifth, DiskCryptor appears to be faster than TrueCrypt 5 WDE. At least on my system I noticed no slowdown with DiskCryptor but TrueCrypt 5 significantly slowed down my disk intensive operations. This is a major reason I personally switched back to DiskCryptor and I'm not the only one as evidenced by some posts in the DiskCryptor forums which indicate that in terms of MB/s DiskCryptor is as much as twice as fast as TrueCrypt 5, at least on some systems. Based on my experience I would agree. I understand there have been some performance enhancements in TrueCrypt 5.1a which include some assembly optimization (which was already a part of DiskCryptor) and I have not had a chance to test this latest version yet but believe speed improvements have also been made in the latest version of DiskCryptor which may still give it the edge.

Sixth, the development of DiskCryptor is both more active and more responsive to users than TrueCrypt. "ntldr" the developer of DiskCryptor has been very open to suggestions and very responsive to users through the forum on their website http://freed0m.org/forum the same cannot be said for TrueCrypt. Based on what I've seen from various TrueCrypt users they have been often ignored by the TrueCrypt developers who seem to be a small group of developers who do not respond particularly well to users or accept development assistance (one of the major benefits of open source development). The disenfranchised users include the DiskCryptor developer "ntldr" along with OS X users who started a project called OS X Crypt because of the unresponsive nature of TrueCrypt developers. I think this potentially will be a huge problem for TrueCrypt and it makes me somewhat concerned about the motives and long term success of the TrueCrypt development team. This is also manifested in the somewhat restrictive nature of the TrueCrypt source license compared with other open source licenses such as the GPL (which is used by DiskCryptor). While TrueCrypt may be open source it is most definitely not GPL software and not GPL compatible (read about the issues of including this with GPL software here)

There is one downside to DiskCryptor, there is currently no real help file or instructions for using it but I was able to figure it out by looking at the menu options all of which seem fairly straightforward to me. This is an acknowledged flaw and is being actively worked on by a few DiskCryptor users. In the meantime the primary developer is more concerned about enhancing the feature set and eradicating bugs than on developing documentation, an understandable position for many volunteer software developers.

Communication and publicity is not a strong suit for DiskCryptor and this may be partially to the fact that English is not the first language of the developer. In my opinion this, more than anything, is holding back what is otherwise an excellent (and in my mind superior to TrueCrypt) product. Much of the information is available but it's in the DiskCryptor forums which contain a mix of Russian and English making them not the most user friendly way to learn about the software. There has also been little tech press coverage of the program.

I am not so much trying to make the case by myself that DiskCryptor is a better product for everyone, though it was for me. I am trying to bring some attention to the first open source whole disk encryption program (there was even a Wikipedia vote where it was decided to eliminate the page for DiskCryptor as non-notable and where people seriously questioned if it was just a knock off of TrueCrypt 5!) and encourage others to talk about and try DiskCryptor. Certainly the program could use some English language press if it is to grow significantly. Hopefully by explaining my reasons for selecting DiskCryptor as my choice I've encouraged you to at least keep an open mind and try the software then write and share your experience with others.

My laptop is one of the IBM (Lenovo) Thinkpads which includes a fingerprint reader and TPM chip which can be used to both unlock the system at boot and log on to Windows using software supplied with the computer. One thing that the supplied software does not do but something that I've been interested in doing is whole disk encryption (something also called by a few other names depending on the vendor and software.

You can learn more about whole disk encryption in this article written by Bruce Schneier a couple of months ago or from the Wikipedia article. Essentially the idea is to encrypt the entire hard drive rather than a small subset of files. Obviously this does not protect the files while the computer is operating but is especially useful if you have a laptop (something prone to being stolen) and want to ensure that if someone stole it the data on it would be useless. While some free utilities such as TrueCrypt have allowed you to encrypt entire volumes they have not allowed you to encrypt the boot drive, at least not when using the Windows operating system. You see the trick with encrypting the boot drive is that you need to unencrypt it for the system to boot so a driver must be loaded at boot time which will prompt the user for a password and thus unlock the key allowing the drive to be unencrypted and the system booted. Until recently there were no free or open source programs which allowed you to do this with the Windows OS (solutions for Linux were available).

In the span of just over a month that has all changed. In December a Russian security consultant released the open source program DiskCryptor (and on SourceForge) which allows you to install a Windows driver (which can be renamed for extra obscurity) which will encrypt your drive and also allow you to install a boot time driver onto the disk which allows for the encryption of the boot volume. The encryption algorithm and container is TrueCrypt compatible so if need be you can access the drive by putting it in another computer which has TrueCrypt installed and mount the volume (with the appropriate password of course). This is an especially nice touch as it ensures some kind of compatibility between the open source projects and makes data recovery from an otherwise dead system a bit less problematic. I've been successfully running DiskCryptor on my laptop boot drive for several weeks now and have found the program works as advertised though there is essentially no help file or other documentation so you have to learn the program by playing around with it and looking at menus.

Later today TrueCrypt plans to release version 5.0 of their popular open source encryption software which among other things promises to include a boot driver for Windows systems which will allow the encryption of the boot drive. I plan to try out this software once it becomes available. I am excited to see that there will be two open source solutions to whole drive encryption and look forward to improvements in one or both of the programs.

A few things to note. Neither of these solutions (as far as I'm aware) supports the TPM chip and fingerprint reader in my laptop. This means that you need to enter a separate password to unlock the hard drive in addition to unlocking the computer. It also means that the encryption is all taking place in software and utilizing CPU cycles and slowing down drive access times. While I haven't noticed a pronounced effect in my usual word processing and Internet browsing on this system I can see that this might be problematic for a media or gaming intensive situation. Hopefully advancements to these solutions will allow for better integration with hardware acceleration and authentication to improve this situation.

Once upon a time batch files were king in the PC world. Hardly a magazine issue, BBS discussion or user group meeting would go by without one of these handy scripts to add some functionality or usability to systems. Since the reign of Windows batch file programming has been on the decline. Of course shell scripting remains popular and extremely popular in Linux where most settings on the system are still controlled by text configuration files and command line utilities but in Microsoft land the script has been largely supplanted.

Even though the NT based operating systems (NT, 2000, XP, etc.) have actually made significantly more configuration available from the command line and there was a push for a new 'Windows Scripting' language these things have become largely forgotten and there are now an extremely limited number of users comparable to the Windows operating population which are comfortable writing scripts to automate things in Windows. Even among large corporate IT departments where there is perhaps the most to be gained by writing these sort of mini-utilities scripting is a dying art. One of the reasons for this is that most magazines and technical publications no longer regularly mention scripting or command line configuration utilities so there is a limited opportunity to learn about these tools.

Nevertheless these tools exist and when you find them they can be extremely useful. Take the "netsh" program for example. This handy little tool allows you to set and manipulate many of the Windows network settings from the command line and when combined with scripting it is possible to create scripts which will completely reconfigure your network interfaces (say from DHCP to a static address to another static address) for various network configurations all with the simple execution of a script.

You can learn more about this powerful tool from a few different Microsoft sites but while these provide some syntax and information perhaps the best place to get started is at one of the third party sites which covers it. Or now that you know about the utility you could just start experimenting with things.

For example running the "netsh -c interface dump" command will dump all kinds of interesting information about how your interfaces are currently configured to the prompt. It's possible to capture this information to a text file and then 'replay' the data to reconfigure things as they currently are using something like "netsh -f netsettings.txt"

Keep the art alive!