FreeOTFE Explorer logo FreeOTFE Explorer
Free disk encryption software for PCs and PDAs
(PDA version of WWW site)

Contents

Advanced Topics

Keyfiles

A "keyfile" is a small file (about 512 bytes) which can optionally be created for a volume, and contains a copy of the information required to mount a FreeOTFE volume. Keyfiles are encrypted based a user-supplied keyfile password, which must be supplied in order to use the keyfile.

Tip! More than one keyfile can be created for the same volume.

Keyfiles are useful as they allow critical information which is required in order to mount a particular volume to be stored separately to the volume which they relate to; on a floppy disk, or USB drive, for example - which would be too small to store the entire volume on. In this way, your volume may be stored on your computer, but the information required to access it can be stored in a physically more secure location (e.g. in a locked safe)

In a business environment, keyfiles may be used as a form of password recovery, or to reset forgotten passwords. When confidential information is held within a FreeOTFE volume, a keyfile can be created for that volume and stored in a safe location. Should the employee which normally uses the volume be unavailable, or cannot remember the volume's password, the volume may still be mounted using a keyfile that has was previously created for it (together with that keyfile's password) - even if the volume's password has been subsequently changed.

Keyfiles may also be used to provide multiple users with access to mount and use the same volume; each using a password of their own choosing.

Note: Keyfiles are specific to the volume they are created for! Although a keyfile for one volume may be able to successfully mount another volume, the virtual drive shown will appear to be unformatted - the files within the volume will remain securely encrypted and unreadable.

Creating a new keyfile

To create a new volume, select "Tools | Create keyfile..." to display the "keyfile wizard", which will guide you through the process in a series of simple steps.

Mounting a volume using a keyfile

The process of mounting a volume using a keyfile is identical to the normal mount procedure, with the exceptions that:

  1. The password used should be the keyfile's password, and not the volume's password.
  2. The full path and filename of the keyfile should be entered as the "keyfile file"

Creating Hidden Volumes

FreeOTFE Explorer offers users the ability to create "hidden volumes" stored inside other "host" volumes.

To create a hidden volume:

  1. If the volume you wish to create a hidden volume in is mounted, dismount it.
  2. Start the volume creation wizard as normal (select "File | New..." from the main menu).
  3. When prompted to select between creating a file or partition based volume, select "File" or "Partition", depending on whether the host volume you wish to use is file or partition based.
  4. When prompted for the filename/partition to create your hidden volume on, select the host file/partition you wish to create the hidden volume inside.
  5. The next step in the wizard will prompt you to enter an offset. The offset is the number of bytes from the start of the host volume where you wish the hidden volume to begin, and must be a multiple of 512. Make sure that the offset you specify is large enough such that it does not overwrite any of the system areas of that host volume (e.g. the FAT), or files already written to it.
  6. Continue with the volume creation wizard as normal.

To mount your hidden volume, proceed as if mounting the host volume, but when prompted to enter your password, click the "Advanced" button and enter the offset. (See the section on advanced password entry options).

Tip! Make sure you remember the value you enter for the offset value! For security reasons, FreeOTFE Explorer doesn't store this information anywhere, and so you will have to enter the same offset into the password entry dialog every time you wish to mount your hidden volume.

Security tip More than one hidden volume can be stored within the same host volume, by using different offsets

If you create a hidden volume within an existing volume, be warned: subsequently mounting and adding data to the host volume can potentially result in parts of the hidden volume being overwritten, and its data destroyed. This is by design, and increases the security of the hidden volume.

Please see the Plausible Deniability section for further information on the practical uses and considerations of hidden volumes.

Volume Creation: Advanced Options

At the end of the volume creation process, FreeOTFE Explorer will display a summary of the volume it is about to create. At this stage, more advanced options be configured for the new volume, by selecting the "Advanced..." button.

Advanced volume creation options

Key Iterations

Before the user's password is used to encrypt/decrypt the CDB, it is processed using PBKDF2 to increase security.

This tab allows the number of PBKDF2 iterations to be set by the user; higher values increase security, but will also increase the amount of time taken to mount the volume. This becomes more significant when mounting volumes on a PDA, which typically have slower CPUs.

The default number of key iterations is 2048.

Salt

Before the user's password is used to encrypt/decrypt the CDB, it is processed using PBKDF2 to increase security.

Part of this processing involves the use of a random "salt" value, which reduces the risk of dictionary based attacks. This tab allows the length of the salt value (in bits) to be set by the user.

It should be noted that every time a volume which has a non-default (256 bit) salt length is mounted, the user must specify the correct salt length (unless using a keyfile; in which case the keyfiles salt length must be specified) by using the "Advanced" options available on the FreeOTFE Explorer password entry dialog.

The default salt length is 256 bits. Any salt length entered must be a multiple of 8 bits.

Drive Letter

When mounting a volume using FreeOTFE, FreeOTFE will use the next available drive letter when mounting a volume.

This behaviour can be changed to use a specific drive letter on a volume-by-volume basis by setting it on this option.

The default setting here is "Use default"; use the next available drive letter

Note: If the chosen drive letter is in use at the time of mounting, the next free drive letter will be used

This setting has no effect on FreeOTFE Explorer, and it is only used when mounting volumes using FreeOTFE.

CDB Location

Normally, a volume's CDB will be stored as the first 512 bytes of the volume.

However, this does increase the size of the volume by the size of the CDB, which can FreeOTFE volumes more distinctive, and making it slightly more obvious that a volume file is volume file.

This is most clearly shown when creating a file based volume: a 2GB volume, for example, will be 2,147,484,160 bytes in length - made up of a 2,147,483,648 byte (2GB) encrypted disk image, plus a 512 byte embedded CDB.

To reduce this, it is possible to create a volume without an embedded CDB; the CDB begin stored in a separate file as a standard FreeOTFE Explorer keyfile.

In this case, a 2GB volume would comprise of a 2,147,483,648 byte (2GB) encrypted disk image, plus a separate 512 byte keyfile which may be stored in a separate location to the volume.

Note that if you store the volume's CDB in a keyfile, you will always need to supply a keyfile when mounting the volume, and ensure that the "Data from offset includes CDB" advanced option shown on the FreeOTFE Explorer password entry dialog shown when mounting must be unchecked after the keyfile is specified.

By default, FreeOTFE Explorer includes the CDB will be included as part of the volume.

Password Entry: Advanced Options

Note: This section only covers the password entry dialog shown when mounting FreeOTFE volumes. For mounting Linux volumes, please see the section on Linux volumes.

Advanced mount options

Advanced Security Details

Salt length

This should be set to the number of salt bits used in the PBKDF2 processing of the user's password, before using it to decrypt the volume's CDB/keyfile being used.

By default, this is set to 256 bits - the same default length used when creating a new volume.

Key iterations

This should be set to the number of key iterations used in the PBKDF2 processing of the user's password, before using it to decrypt the volume's CDB/keyfile being used.

By default, this is set to 2048 iterations - the same default number used when creating a new volume.

PKCS#11 secret key

This option is only available if PKCS#11 support is enabled (see the section on Security Token/Smartcard Support for more information on how to use this setting.

Mount Options

Volume Options

These options are intended for use with hidden volumes, and volumes which were created without a CDB embedded at the start of the volume Offset

When attempting to mount a hidden volume, this should be set to the offset (in bytes) where the hidden volume starts, as specified when creating it.

By default, this is set to an offset of 0 bytes. Data from offset includes CDB

This checkbox is only enabled if a keyfile has been specified.

If you are attempting to mount either a hidden, or normal, volume which was created without a CDB embedded at the start of the volume, this checkbox should be changed so that it is unchecked.

For mounting all other volumes, this checkbox should be checked.

By default, this checkbox is checked.