TrueCrypt – Free Open-Source Disk Encryption Software
Plausible Deniability
In case an adversary forces you to reveal your password, TrueCrypt provides and supports two kinds of plausible deniability:
- Hidden volumes (see the section Hidden Volume) and hidden operating systems (see the section Hidden Operating System).
- Until decrypted, a TrueCrypt partition/device appears to consist of nothing more than random data (it does not contain any kind of "signature"). Therefore, it is impossible to prove that a partition or a device is a TrueCrypt volume or that it has been encrypted (provided that the security precautions mentioned in the chapter Security Precautions are followed). A possible plausible explanation for the existence of a partition/device containing solely random data is that you have wiped (securely erased) the content of the partition/device using one of the tools that erase data by overwriting it with random data (in fact, TrueCrypt can be used to securely erase a partition/device too, by creating an empty encrypted partition/device-hosted volume within it). However, note that for system encryption, the first drive track contains the (unencrypted) TrueCrypt Boot Loader, which can be easily identified as such (for more information, see the chapter System Encryption). In such cases, plausible deniability can be achieved by creating a hidden operating system (see the section Hidden Operating System).
Although file-hosted TrueCrypt volumes (containers) do not contain any kind of "signature" either (until decrypted, they appear to consist solely of random data), they cannot provide this kind of plausible deniability, because there is practically no plausible explanation for the existence of a file containing solely random data. However, plausible deniability can still be achieved with a file-hosted TrueCrypt volume (container) by creating a hidden volume within it (see above).
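The two paragraphs above rest on one observation: an encrypted TrueCrypt volume carries no magic string, so the only thing an examiner can establish is that a region is statistically random, which is equally true of a securely wiped device. The following script is an added illustration of that point and is not TrueCrypt code; the `DEMOVOL` magic, the sample blobs and the 7.9 bits/byte threshold are constructed for the example.

```python
from __future__ import annotations

import math
import random
from collections import Counter

# Constructed signature table for the demonstration. Real container formats
# that carry a magic string would be listed here; TrueCrypt volumes have none.
KNOWN_SIGNATURES = {
    "demo-container": b"DEMOVOL\x01",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0) of the buffer."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_blob(data: bytes, threshold: float = 7.9) -> str:
    """Classify a region of disk or a file header.

    'signature:<name>'  a known magic string sits at offset 0
    'random-looking'    no signature and entropy near 8 bits/byte
    'structured'        no signature and clearly non-random content
    """
    for name, magic in KNOWN_SIGNATURES.items():
        if data.startswith(magic):
            return f"signature:{name}"
    if shannon_entropy(data) >= threshold:
        return "random-looking"
    return "structured"


def random_blob(seed: int, size: int = 65536) -> bytes:
    """Deterministic pseudo-random bytes standing in for either an encrypted
    volume or a device wiped with random data (constructed sample input)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def distinguishable(a: bytes, b: bytes) -> bool:
    """True only if the signature/entropy classifier can tell the two apart."""
    return classify_blob(a) != classify_blob(b)


if __name__ == "__main__":
    signed = KNOWN_SIGNATURES["demo-container"] + random_blob(seed=3, size=4096)
    text = b"plain text header, nothing random here\n" * 200
    encrypted_volume = random_blob(seed=1)   # stands in for a TrueCrypt volume
    wiped_device = random_blob(seed=2)       # stands in for a wiped partition
    print("signed   :", classify_blob(signed))
    print("text     :", classify_blob(text))
    print("volume   :", classify_blob(encrypted_volume))
    print("wiped    :", classify_blob(wiped_device))
    print("volume vs wiped distinguishable:", distinguishable(encrypted_volume, wiped_device))
```

The classifier flags both the volume and the wiped device as `random-looking` and cannot separate them, which is exactly the deniability the text describes; the entropy test only tells an examiner that random data is present, not where it came from.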
Notes
- When formatting a hard disk partition as a TrueCrypt volume, the partition table (including the partition type) is never modified (no TrueCrypt "signature" or "ID" is written to the partition table).
- There are methods to find files or devices containing random data (such as TrueCrypt volumes). Note, however, that this does not affect plausible deniability in any way. The adversary still cannot prove that the partition/device is a TrueCrypt volume or that the file, partition, or device, contains a hidden TrueCrypt volume (provided that you follow the security precautions listed in the chapter Security Precautions and subsection Security Precautions Pertaining to Hidden Volumes).
- Whenever TrueCrypt accesses a file-hosted volume (e.g., when dismounting, attempting to mount, changing or attempting to change the password, creating a hidden volume within it, etc.) or a keyfile, it preserves the timestamp of the container/keyfile (i.e., date and time that the container/keyfile was last accessed* or last modified), unless this behavior is disabled in the preferences.
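The last note describes a small but important detail: an access that updates the container's timestamps would reveal when the file was last touched. The snippet below is an added example of the same idea in plain Python, not TrueCrypt's implementation; it records a file's access and modification times before a write and restores them afterwards, with a switch that mirrors the preference that disables the behaviour. The `container.tc` name, the back-dated timestamp and the 512-byte overwrite are constructed for the demo.

```python
from __future__ import annotations

import os
import tempfile
from contextlib import contextmanager


@contextmanager
def preserve_timestamps(path: str, enabled: bool = True):
    """Restore the file's last-access and last-modification times after the
    enclosed access completes. With enabled=False the timestamps are left at
    whatever the access changed them to."""
    before = os.stat(path)
    try:
        yield
    finally:
        if enabled:
            os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))


def touch_container(path: str, preserve: bool) -> tuple[int, int]:
    """Simulate an access that rewrites a header region of the container and
    return the (atime_ns, mtime_ns) pair observed afterwards."""
    with preserve_timestamps(path, preserve):
        with open(path, "r+b") as f:
            f.seek(0)
            f.write(os.urandom(512))   # constructed: overwrite 512 bytes at offset 0
    after = os.stat(path)
    return after.st_atime_ns, after.st_mtime_ns


def demo() -> dict:
    """Create a throwaway container, back-date it, and compare the timestamps
    seen after a preserved access with those after an unpreserved one."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "container.tc")
        with open(path, "wb") as f:
            f.write(b"\x00" * 4096)
        old = 1_000_000_000 * 10**9   # a fixed whole second in 2001, in ns
        os.utime(path, ns=(old, old))
        kept = touch_container(path, preserve=True)
        os.utime(path, ns=(old, old))
        changed = touch_container(path, preserve=False)
        return {"original": (old, old), "preserved": kept, "not_preserved": changed}


if __name__ == "__main__":
    for label, stamps in demo().items():
        print(f"{label:14s} atime={stamps[0]} mtime={stamps[1]}")
```

Only the modification time is a reliable indicator in the unpreserved case: many filesystems are mounted with `noatime` or `relatime` and will not update the access time on every read, so the test below asserts on mtime alone.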