Tag Archives: windows

Creating a UDF TrueCrypt Volume

I had an old hard drive I wanted to use as a secure, cross-platform file transfer device, so I thought of TrueCrypt and UDF. Unfortunately, TrueCrypt for MacOS only supports formatting drives as Mac OS Extended and TrueCrypt for Windows only supports NTFS and FAT32. I ended up using TrueCrypt for Mac OS and the Mac’s command-line formatting utility.

  1. Log in as an Administrator
  2. Connect the drive you want to protect with TrueCrypt
  3. Open TrueCrypt and create a TrueCrypt Volume like normal, but select "None" when asked to select a filesystem
  4. Wait for the encryption to complete
  5. From TrueCrypt, click "Select File…" or "Select Device…" to select your newly encrypted volume, then click "Mount"
  6. Enter the password and any other authentication credentials required for the Volume. Check "Do not mount" before clicking "OK"
  7. Back in the main TrueCrypt window, select the Volume and click "Volume Properties…"
  8. Record the Virtual Device value. In this case "/dev/disk3"
  9. Open a Terminal window
  10. Run sudo newfs_udf /dev/disk3 to format the TrueCrypt volume with the UDF filesystem
  11. From now on, the UDF filesystem will automatically be mounted when mounting the TrueCrypt volume on Windows or Mac OS

Chrome for Windows CLI Options

If you thought there were a lot of options in chrome://flags, there are a ton of options available as command-line switches. See http://peter.sh/experiments/chromium-command-line-switches/ for a list of the available switches.

If you’re using Google Chrome on Windows, it is pretty easy to launch Chrome with these command-line options. This assumes you are launching Chrome from your Start menu, an icon pinned to your taskbar, or a shortcut you created somewhere else. Note: You must do this for each shortcut you use to launch Chrome.

  1. (taskbar only) Right-click on the Chrome icon
  2. Right-click on your shortcut, in this case "Google Chrome"
  3. Click on "Properties"
  4. In the "Target" field, move the cursor all the way to the right (past chrome.exe) and add the switches you want to use.

    For example, adding --ssl-version-min=tls1 disables SSLv3.0.

Disabling Windows 7 Automatic Root CA Update

Windows comes with a small list of trusted CAs installed but automatically imports CAs as necessary from the Microsoft Windows Update service (Windows 7 Home Premium SP1 64bit for a while, I figure I’d imported all of the CAs I really need. I figured I could mitigate the risk of forged certificates (e.g. Iraq/Gmail, Diginotar) by ensuring I don’t import any additional CAs. Sure, the CAs I already trust could be compromised, but this significantly reduces the attack surface.

For Windows 7 Professional and Ultimate, Microsoft provides instructions for disabling Automatic Root Certificates Update using the Group Policy Editor; however, the Group Policy Editor cannot be installed on Windows 7 Starter and Home editions. If you have Windows 7 Starter or Home, or don’t want to deal with the Group Policy Editor, a simple registry update will turn Automatic Root Certificates Update off or on.

Note: You must be an Administrator to make any of these changes, and if you have a Group Policy set for Automatic Root Certificates Update, it will overwrite your registry changes.

I’ve created three .reg files you can download and open to automatically update the correct registry keys:

  • Disable.reg (view) – this disables Automatic Root Certificates Update.
  • Enable.reg (view) – this enables Automatic Root Certificates Update.
  • Remove.reg (view) – this removes the registry entry effectively enabling Automatic Root Certificates Update.

Note: You will most likely receive security warnings downloading and opening these files. If you want to be safe, open the files in a text editor and double check the contents.

If you would rather directly edit your registry, do the following:

  1. Start regedit by clicking the Start menu, entering “regedit” in the search field, and pressing <enter>.
  2. Expand HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot
  3. Right-click on AuthRoot and select New -> DWORD (32-bit) Value
  4. Enter name: DisableRootAutoUpdate
  5. Double-click on DisableRootAutoUpdate
  6. Set the Value data to 1, click OK, and close regedit.

Deleting DisableRootAutoUpdate or setting it to 0 re-enables downloading new CAs from Microsoft.
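
The same registry change can be scripted and checked from PowerShell. This is an added example, not the author's .reg files; the function names are made up for illustration, and only the key path and the DisableRootAutoUpdate value come from the steps above.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Key path and value name are the ones given in the regedit steps above.
$KeyPath   = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\AuthRoot'
$ValueName = 'DisableRootAutoUpdate'

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-RootAutoUpdateState {
    # Absent value or 0: Windows still downloads new root CAs. 1: it does not.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enabled (value not set)' }
    if ($item.$ValueName -eq 1) { return 'Disabled' }
    return "Enabled (value = $($item.$ValueName))"
}

function Set-RootAutoUpdate {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Disable', 'Enable', 'Remove')]
        [string]$Action
    )
    if (-not (Test-IsAdministrator)) {
        throw 'Writing under HKLM:\Software\Policies requires an elevated prompt.'
    }
    if ($Action -eq 'Remove') {
        # Delete the value if it exists, which re-enables the update.
        if (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $KeyPath -Name $ValueName
        }
        return
    }
    # The AuthRoot policy key may not exist yet on a machine with no policy set.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $data = if ($Action -eq 'Disable') { 1 } else { 0 }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $data -Force | Out-Null
}

# Show the state, turn Automatic Root Certificates Update off, and confirm the change.
"Before: $(Get-RootAutoUpdateState)"
Set-RootAutoUpdate -Action Disable
"After:  $(Get-RootAutoUpdateState)"
```

Running Get-RootAutoUpdateState again after a reboot or policy refresh shows whether a Group Policy has overwritten the value.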

UDF (a FAT32 replacement) Part 3

I tested UDF and exFAT over a fairly wide range of non-computer devices, and none of the devices could read or write to it. If you need something that will work with non-computers, stick to FAT32. If you just need interoperability between computers (but don’t need to boot from the drive), switch over to UDF.

UDF and exFAT did not work with:

I plan on testing UDF and exFAT with a few phones and will update this post when I do.