Introduction

Beginner's Tutorial

System Encryption

 Supported Systems

 Hidden Operating System

 Rescue Disk

Plausible Deniability

 Hidden Volume

  Protection of Hidden Vol.

  Security Requirements

 Hidden Operating System

Parallelization

Pipelining

Hardware Acceleration

Encryption Algorithms

 AES

 Serpent

 Twofish

 Cascades

Hash Algorithms

 RIPEMD-160

 SHA-512

 Whirlpool

Technical Details

 Notation

 Encryption Scheme

 Modes of Operation

 Header Key Derivation

 Random Number Gen.

 Keyfiles

 Volume Format Spec.

 Standards Compliance

 Source Code

TrueCrypt Volume

 Creating New Volumes

 Favorite Volumes

 System Favorite Volumes

Main Program Window

 Program Menu

 Mounting Volumes

Supported Systems

Portable Mode

Keyfiles

Tokens & Smart Cards

Language Packs

Hot Keys

Security Model

Security Requirements

 Data Leaks

  Paging File

  Hibernation File

  Memory Dump Files

 Unencrypted Data in RAM

 Physical Security

 Malware

 Multi-User Environment

 Authenticity and Integrity

 New Passwords & Keyfiles

 Password/Keyfile Change

 Trim Operation

 Wear-Leveling

 Reallocated Sectors

 Defragmenting

 Journaling File Systems

 Volume Clones

 Additional Requirements

Command Line Usage

Backing Up Securely

Miscellaneous

 Use Without Admin Rights

 Sharing over Network

 Background Task

 Removable Medium Vol.

 TrueCrypt System Files

 Removing Encryption

 Uninstalling TrueCrypt

 Digital Signatures

Troubleshooting

Incompatibilities

Issues and Limitations

License

Future Development

Acknowledgements

Version History

References

   

Miscellaneous >  Digital Signatures Search

Disclaimers





Please consider making a donation.

   Donate Now >> Donate   


Digital Signatures


Why Verify Digital Signatures

It might happen that a TrueCrypt installation package you download from our server was created or modified by an attacker. For example, the attacker could exploit a vulnerability in the server software we use and alter the installation packages stored on the server, or he/she could alter any of the files en route to you.

Therefore, you should always verify the integrity and authenticity of each TrueCrypt distribution package you download or otherwise obtain from any source. In other words, you should always make sure that the file was created by us and it was not altered by an attacker. One way to do so is to verify so-called digital signature(s) of the file.


Types of Digital Signatures We Use

We currently use two types of digital signatures:

  • PGP signatures (available for all binary and source code packages for all supported systems).
  • X.509 signatures (available for binary packages for Windows).


Advantages of X.509 Signatures

X.509 signatures have the following advantages, in comparison to PGP signatures:

  • It is much easier to verify that the key that signed the file is really ours, not attacker's (provided that you trust the certification authority).
  • You do not have to download or install any extra software to verify an X.509 signature (see below).
  • You do not have to download and import our public key (it is embedded in the signed file).
  • You do not have to download any separate signature file (the signature is embedded in the signed file).


Advantages of PGP Signatures

PGP signatures have the following advantages, in comparison to X.509 signatures:

  • They do not depend on any certificate authority (which might be e.g. infiltrated or controlled by an adversary, or be untrustworthy for other reasons).


How to Verify X.509 Signatures

Please note that X.509 signatures are currently available only for the TrueCrypt self-extracting installation packages for Windows. An X.509 digital signature is embedded in each of those files along with a digital certificate of the TrueCrypt Foundation issued by a public certification authority. To verify the integrity and authenticity of a self-extracting installation package for Windows, follow these steps:

  1. Download the TrueCrypt self-extracting installation package.

  2. In the Windows Explorer, click the downloaded file ('TrueCrypt Setup.exe') with the right mouse button and select 'Properties' from the context menu.

  3. In the Properties dialog window, select the 'Digital Signatures' tab.

  4. On the 'Digital Signatures' tab, in the 'Signature list', double click the line saying "TrueCrypt Foundation". (If you see any other name there, the package has very likely been altered by someone else since we released it. Do not continue. Please report this to us.)

  5. The 'Digital Signature Details' dialog window should appear now. If you see the following sentence at the top of the dialog window, then the integrity and authenticity of the package have been successfully verified:

    "This digital signature is OK."

    If you do not see the above sentence, the file is very likely corrupted. You should not run it. Note: On some obsolete versions of Windows (e.g. Windows 2000), some of the necessary certificates are missing, which causes the signature verification to fail.


How to Verify PGP Signatures

To verify a PGP signature, follow these steps:

  1. Install any public-key encryption software that supports PGP signatures. Links to such software can be found here.
  2. Create a private key (for information on how to do so, please see the documentation for the public-key encryption software).
  3. Download our PGP public key from our server or from a trusted public key repository, and import the downloaded key to your keyring (for information on how to do so, please see the documentation for the public-key encryption software).
  4. Sign the imported key with your private key to mark it as trusted (for information on how to do so, please see the documentation for the public-key encryption software).
    Note: If you skip this step and attempt to verify any of our PGP signatures, you will receive an error message stating that the signing key is invalid.
  5. Download the digital signature by clicking the PGP Signature button next to the file you want to verify (on one of the download pages).
  6. Verify the downloaded signature (for information on how to do so, please see the documentation for the public-key encryption software).






 Ads by Google 




  See also: Security Requirements and Precautions


Legal Notices www.truecrypt.org

 Ads by Google