FreeOTFE
Free disk encryption software for PCs and PDAs
(PDA version of WWW site)

FAQ

Tip! The latest version of this FAQ, along with the latest FreeOTFE user manual, can be found online at the FreeOTFE WWW site


FAQ Contents

General
FreeOTFE Specific (PC)
FreeOTFE4PDA Specific (PDA)
FreeOTFE Explorer Specific

General


Q: What are the differences between FreeOTFE and FreeOTFE Explorer?

A: Please see the FreeOTFE v. FreeOTFE Explorer Comparison


Q: How can I help the FreeOTFE project?

A: If you are a native speaker of a language other than English, please take a look at the translating FreeOTFE page. FreeOTFE v4.3 introduced support for translating the user interface into different languages, though at present the actual number of translations into other languages is fairly limited.

Alternatively, FEEDBACK! If you have any comments or suggestions for how FreeOTFE can be improved - get in touch!


Q: Which of the hash/cypher algorithms should I use?

A: This decision is left up to the user.

Most users can simply accept the default algorithms offered, which provide a fairly high degree of security.


Q: Which of the random number generators (RNGs) should I use?

A: This decision is left up to the user.

Using more than one RNG increases the security offered by FreeOTFE as the combined random data generated will be at least as random as the most random RNG selected. Should one of the RNGs subsequently be found to be weak (i.e. producing data that is not as random as it should be), the random data used will still be as strong as the strongest RNG used.

See the Technical Details: Random Number Generators (RNGs) section for further information.
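To illustrate the claim above, here is an added example (not FreeOTFE's own code) that combines the outputs of several generators and measures how biased each stream is; it assumes, as a labelled assumption, that the outputs are combined by XOR, and uses constructed, seeded stand-ins for a good, a weak and a failed RNG rather than real entropy sources:

```python
"""Combine the output of several RNGs by XOR and measure how biased each stream is.

Assumption (labelled): the outputs are combined by XOR, which is the natural way
to get a result "at least as random as the strongest source". Whether FreeOTFE's
own driver does exactly this is not stated on this page.
"""
import random


def xor_combine(*streams: bytes) -> bytes:
    """XOR equal-length byte strings together. A weak (or even constant) input
    cannot make the result less uniform than the best input."""
    if not streams:
        raise ValueError("at least one RNG output is required")
    n = len(streams[0])
    if any(len(s) != n for s in streams):
        raise ValueError("all RNG outputs must have the same length")
    out = bytearray(n)
    for s in streams:
        for i, b in enumerate(s):
            out[i] ^= b
    return bytes(out)


def ones_fraction(data: bytes) -> float:
    """Fraction of 1 bits in the data (0.5 is ideal for random data)."""
    if not data:
        raise ValueError("empty data")
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8 * len(data))


def bit_bias(data: bytes) -> float:
    """Distance of the 1-bit fraction from the ideal 0.5 (0.0 = unbiased)."""
    return abs(ones_fraction(data) - 0.5)


# Constructed sample generators (seeded so results are reproducible; these are
# stand-ins for the demonstration, not real entropy sources).
def good_rng(n: int, seed: int = 1234) -> bytes:
    """Stands in for a sound RNG: every bit is about equally likely to be 0 or 1."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def weak_rng(n: int, seed: int = 1) -> bytes:
    """A deliberately weak RNG: only the low nibble of each byte varies, so
    about a quarter of the bits are 1s instead of half."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(4) for _ in range(n))


def broken_rng(n: int) -> bytes:
    """The worst case: an RNG that has silently failed and emits only zeros."""
    return bytes(n)


def compare(n: int = 4096) -> dict:
    """Bias of each source alone versus the XOR-combined stream."""
    g, w, z = good_rng(n), weak_rng(n), broken_rng(n)
    return {
        "good": bit_bias(g),
        "weak": bit_bias(w),
        "broken": bit_bias(z),
        "combined": bit_bias(xor_combine(g, w, z)),
    }


if __name__ == "__main__":
    for name, bias in compare().items():
        print(f"{name:9s} bias = {bias:.4f}")
```

The combined stream stays close to unbiased even though one input is badly skewed and another has failed entirely, which is the property the answer relies on.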


Q: Is FreeOTFE based on CrossCrypt?

A: The answer to that is an emphatic NO! FreeOTFE and CrossCrypt are two completely separate projects, written by completely different people.

It's easy to see why users may get the idea that FreeOTFE is based on CrossCrypt; CrossCrypt was released first, and CrossCrypt's GUI (CrossCryptGUI) looks practically identical to FreeOTFE's interface.
The reality is that CrossCrypt itself is a command line based OTFE system; it has no GUI. CrossCryptGUI was a project I created to provide a GUI to CrossCrypt to improve its ease of use.

In actual fact, far from FreeOTFE looking a lot like CrossCryptGUI, it's actually the other way around - CrossCryptGUI looks a lot like FreeOTFE! The Delphi GUI to FreeOTFE was already developed before CrossCrypt was released. For the sake of expediency, I dropped the CrossCrypt Delphi component I wrote into FreeOTFE's GUI, hijacking it to produce CrossCryptGUI; a cannibalized version of the FreeOTFE interface.

The cyphers supplied with the first public release of FreeOTFE (v00.00.01) were the same as those used by CrossCrypt. Originally I had planned to release the first beta of FreeOTFE for compatibility testing with only the NULL, XOR, DES and AES cyphers; these apparently being the most common cyphers used with Linux volumes. After CrossCrypt was released (which uses AES and Twofish) DES was the only cypher in the above list I had not implemented. I decided to switch from DES to Twofish in order that people without Linux could easily use CrossCrypt to verify that FreeOTFE was operating correctly with AES and Twofish volumes (and vice versa; benefiting both systems).

Since its initial release, FreeOTFE has seen significant developments, including support for many more hashes, cyphers, and other options.


Q: Is FreeOTFE based on Linux's "losetup"?

A: No, FreeOTFE is a completely separate project in its own right. It was only after I realised how "simple" Linux encrypted losetup volumes are (they are nothing more than an encrypted partition image), that I added support for them into FreeOTFE.

Having said that the format of losetup volumes is "simple" - have you any idea how many different options, combinations, etc. it has?! Each option on its own may be relatively simple, but there are a fair number of them...! (See the relative complexity of FreeOTFE's Linux mount dialog - you have to tell it everything!)


Q: Right now, FreeOTFE supports losetup volumes; do you have any plans to include support for DriveCrypt, BestCrypt, etc volumes?

A: This is unlikely to happen as there is no standard for OTFE volume files (each system uses its own layout). Since adding support for other OTFE systems is non-trivial, and few OTFE systems have released proper technical documentation into the public domain, it may be a while before such support is added.


Q: When I mount a FAT/FAT32 formatted Linux volume under FreeOTFE everything works perfectly. When I do the same with my ext2/ext3/ReiserFS/etc. volume, I can't see my files!

A: FreeOTFE does one thing: when a volume file is mounted, FreeOTFE presents a new storage device to the operating system.
Like all OTFE systems, it has no comprehension at all of what FAT/FAT32/NTFS are, let alone ext2/ext3/etc. - this understanding lies well outside the scope of an OTFE system, and is the responsibility of the filesystem drivers installed.

Although MS Windows does come with filesystem drivers for FAT/FAT32/NTFS, it does not (natively) support other filesystems such as ext2.

As a result, in order to read/write to your encrypted Linux volumes under MS Windows, you will need to either:

  1. Format the volume under Linux using one of the filesystems MS Windows understands (e.g. FAT), or
  2. Install 3rd party software on your MS Windows system, which provides the filesystem (e.g. ext2) that you wish to use

Q: Why do the Linux examples for LUKS/dm-crypt volumes show "losetup" being used twice?

A: This actually has nothing to do with FreeOTFE(!), but appears to be an oddity with "mkdosfs"/dm-crypt.

Although this section of the documentation shows:

  losetup /dev/loop1 /dev/mapper/myMapper
  mkdosfs /dev/loop1

you should be able to simply use:

  mkdosfs /dev/mapper/myMapper

However, when this section of the documentation was written and tested (under Fedora Core 3, with a v2.6.11.7 kernel installed and using cryptsetup-luks v1.0), this shorter (and more sensible) version resulted in mkdosfs generating the following error:

  # mkdosfs /dev/mapper/myMapper
  mkdosfs 2.8 (28 Feb 2001)
  mkdosfs: unable to get drive geometry for '/dev/mapper/myMapper'

YMMV, though you may well find that formatting the volume with a different filesystem will remove the "double loop" issue. (Please note though, that if you are intending to use encrypted volumes which don't use FAT/NTFS under MS Windows, you will need a suitable filesystem driver.)


Q: FreeOTFE comes with a set of command line decryption utilities! Can't anyone just decrypt my data?

A:
The decryption software included with FreeOTFE is completely useless without the password used to encrypt your data. And anyone with that information can decrypt your data anyway!

The command line decryption utilities are not some form of "password cracking" tool - far from it; they actually act to increase your security by allowing you to verify that encryption is actually taking place.


Q: When I mount a volume and then view its properties under FreeOTFE, it states that the hash algorithm used is "n/a" - but I used a hash algorithm!

A:
The hash algorithm shown is the one used to generate sector IVs. If the sector IV generation method used does not require the use of a hash algorithm (see the "Sector IVs" item on this dialog), "n/a" will be displayed for the hash algorithm.

This is separate from any hash algorithm used to process your password, which in the case of FreeOTFE volumes can be seen in the output file of a CDB dump (select "Tools | Critical data block | Dump to human readable file..."), or in the case of Linux volumes, is specified at time of mounting.


Q: FreeOTFE is currently available for free - are you intending to "sell out" later, and start charging for it once enough users have been "hooked" on it?

A: NO! ABSOLUTELY NOT! FreeOTFE is free, and will always be free. As much as anything else, it would look a little silly if people had to pay for "FreeOTFE"! ;)

Seriously though, I have no intention in turning FreeOTFE into a commercial product.

The nearest that I may do is request donations. This would, of course, be fully voluntary.


Q: FreeOTFE may always be free, but will an "enhanced" version (which is charged for) with extra features be released (perhaps under a different name)?

A: Personally, this sounds a lot like the "selling out" idea above - if such a "paid for" version was to be released, FreeOTFE development may become at risk of stalling, ceasing completely, or omitting particularly useful features. This would have practically the same effect as making FreeOTFE a paid-for commercial system.


Q: What about klonsoft's "LockDisk" and WinCrypto LLC's "CryptoDisk"? Aren't they paid-for packages which are based on FreeOTFE?

A: Both "LockDisk" and "CryptoDisk" are unlicensed (and unlicensable) commercial rip-offs of FreeOTFE. They are based on FreeOTFE's source code (and only a beta version at that in the case of "LockDisk") and, because they are closed-source, are in direct violation of FreeOTFE's licence.

I have nothing to do with either "LockDisk" or "CryptoDisk", nor any involvement in their creation.

Personally, I would strongly recommend against using these products:

  • They have less functionality than FreeOTFE
  • They're closed source; there's no way of knowing how secure they are, or what they do
  • It is not possible to (legally) obtain a licence for these products
  • In the case of "LockDisk" the so-called "free" version is severely crippled (only permitting 35MB volumes)
  • In the case of "LockDisk", it's based on a pretty old and now obsolete (v0.59 BETA) version of FreeOTFE
  • And for all this, you have to pay for them?!!
I could list another few dozen reasons for not using these products, but I think you get the picture - FreeOTFE is simply better!


Q: How can I be sure that there are no backdoors in FreeOTFE?

A: Review the source code to your satisfaction, and build your own (see section Building FreeOTFE).

This is strongly recommended, and the best way of ensuring that the software is not compromised.

However, this is not always practical (many people are not familiar with how to read source code, or lack the required tools to build their own). In which case, if you trust the author, and the system on which the release was built, then you may prefer to simply check the SHA-1 and PGP signatures associated with the binary release.


Q: Do FreeOTFE volumes have any kind of identifying "signature"?

A: No!

Please see the FAQ: By examining a FreeOTFE/encrypted Linux volume file, can anyone tell what it is? for further information.


Q: By examining a FreeOTFE/encrypted Linux volume file, can anyone tell what it is?

A: Neither FreeOTFE nor encrypted Linux volumes have any kind of "signature" that would allow an attacker to identify them for what they are.

In particular, the "critical data block" in every FreeOTFE volume is encrypted, and as such it is not possible to identify it for what it is.


Q: What is "plausible deniability?"

A: See the documentation section on "Plausible Deniability" for details.


Q: What do the numbers and letters after a hash name mean?

A: When required to choose which hash you wish to use, FreeOTFE will present you with a list of all hashes that are provided by the FreeOTFE drivers installed. These lists will display hash names in the format:

  <hash name> (<hash length>/<block size>)

Note: The hash length and block sizes shown are in bits, not bytes.

For example:

  SHA-512 (512/1024)

This indicates that the hash used is SHA-512, which generates 512 bit hash values, and processes data in 1024 bit blocks.

If the hash length shown is zero, then the hash generates no output.
If the hash length shown is "-1", then the length of the hash values returned can vary.

If the block size is "-1", then the hash processes data using a variable block size.

Typically, when presented with a selection of different hashes to choose from, you will see a "?" or "..." button next to the list; clicking this button will display full details on the driver.


Q: What do the numbers and letters after a cypher name mean?

A: When required to choose which cypher you wish to use, FreeOTFE will present you with a list of all cyphers that are provided by the FreeOTFE drivers installed. These lists will display cypher names in the format:

  <cypher name> ([<mode>; ] <key size>/<block size>)

Note: The key and block sizes shown are in bits, not bytes.

For example:

  AES (XTS; 256/128)

This indicates that the cypher is AES, operating in XTS mode with a key size of 256 bits and a block size of 128 bits.

If the key size shown is zero, then the cypher does not take a key (password) to carry out encryption (e.g. the "Null" test cypher).
If the key size shown is "-1", then the cypher can accept keys of arbitrary size.

If the block size is "-1", then the cypher encrypts/decrypts arbitrary block sizes.

Typically, when presented with a selection of different cyphers to choose from, you will see a "?" or "..." button next to the list; clicking this button will display full details on the driver.
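As an added example serving both the hash and cypher questions above (this is not FreeOTFE's own code), the following parses the two label formats just described, applies the 0 and -1 special cases, converts the bit sizes the FAQ warns about into bytes, and flags the CBC-only sector IV case; the "Null (0/-1)" label used in the demonstration is constructed from the description of the Null test cypher, not copied from a FreeOTFE driver:

```python
"""Parse the algorithm labels FreeOTFE shows in its hash/cypher selection lists.

Label formats described in the FAQ (all sizes in bits, not bytes):
    <hash name> (<hash length>/<block size>)
    <cypher name> ([<mode>; ] <key size>/<block size>)
A size of 0 means "none" (no output / no key); -1 means "variable".
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

_LABEL_RE = re.compile(
    r"^(?P<name>\S.*?)\s*\("                 # algorithm name, e.g. "SHA-512" or "AES"
    r"(?:(?P<mode>[^;()]+?)\s*;\s*)?"        # optional "<mode>; " (cyphers only)
    r"(?P<first>-?\d+)\s*/\s*(?P<second>-?\d+)\)\s*$"
)


def _split_label(label: str) -> Tuple[str, Optional[str], int, int]:
    """Return (name, mode or None, first size, second size) or raise ValueError."""
    m = _LABEL_RE.match(label.strip())
    if m is None:
        raise ValueError(f"not a FreeOTFE driver label: {label!r}")
    first, second = int(m["first"]), int(m["second"])
    if first < -1 or second < -1:
        raise ValueError(f"sizes must be -1, 0 or positive: {label!r}")
    return m["name"], m["mode"], first, second


def is_driver_label(label: str) -> bool:
    """True if the string has the (<n>/<n>) or (<mode>; <n>/<n>) shape."""
    try:
        _split_label(label)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class HashInfo:
    name: str
    hash_bits: int    # 0 = no output, -1 = variable length
    block_bits: int   # -1 = variable block size

    @property
    def hash_bytes(self) -> Optional[int]:
        """Digest length in bytes (the label is in bits), or None if 0 / variable."""
        return self.hash_bits // 8 if self.hash_bits > 0 else None

    def describe(self) -> str:
        if self.hash_bits == 0:
            out = "generates no output"
        elif self.hash_bits == -1:
            out = "generates hash values of variable length"
        else:
            out = f"generates {self.hash_bits}-bit hash values"
        blk = ("processes data using a variable block size" if self.block_bits == -1
               else f"processes data in {self.block_bits}-bit blocks")
        return f"{self.name} {out} and {blk}"


@dataclass(frozen=True)
class CypherInfo:
    name: str
    mode: Optional[str]   # None when no mode is shown (e.g. the Null/XOR test cyphers)
    key_bits: int         # 0 = takes no key, -1 = arbitrary key size
    block_bits: int       # -1 = arbitrary block size

    @property
    def needs_sector_iv(self) -> bool:
        """Only CBC mode uses sector IVs; LRW and XTS do not (see the FAQ)."""
        return self.mode is not None and self.mode.upper() == "CBC"

    def describe(self) -> str:
        if self.key_bits == 0:
            key = "takes no key"
        elif self.key_bits == -1:
            key = "accepts keys of arbitrary size"
        else:
            key = f"uses a {self.key_bits}-bit key"
        blk = ("encrypts arbitrary block sizes" if self.block_bits == -1
               else f"encrypts {self.block_bits}-bit blocks")
        mode = f" in {self.mode} mode" if self.mode else ""
        return f"{self.name}{mode} {key} and {blk}"


def parse_hash(label: str) -> HashInfo:
    name, mode, hash_bits, block_bits = _split_label(label)
    if mode is not None:
        raise ValueError(f"hash labels carry no mode field: {label!r}")
    return HashInfo(name, hash_bits, block_bits)


def parse_cypher(label: str) -> CypherInfo:
    name, mode, key_bits, block_bits = _split_label(label)
    return CypherInfo(name, mode, key_bits, block_bits)


if __name__ == "__main__":
    # The two labels quoted in the FAQ plus a constructed label for the Null test cypher.
    print(parse_hash("SHA-512 (512/1024)").describe())
    for label in ("AES (XTS; 256/128)", "Null (0/-1)"):
        print(parse_cypher(label).describe())
```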


Q: When creating a new volume file, why do I get a message asking me to ensure I have XX.XX GB free on the relevant drive?

A: If you get an error stating that:

Unable to create volume file; please ensure you have XX.XX GB free on the relevant drive

during volume creation, this is probably because the drive you are trying to create the volume on is formatted as FAT/FAT32 - both of which have a file size limit of 4GB.

Please see the FAQ "I tried to create a large volume (> 4GB), and FreeOTFE stopped halfway through with an error - why?"


Q: I tried to create a large volume (> 4GB), and FreeOTFE stopped halfway through with an error - why?

A: The most probable cause for this is that you were creating a volume file on a FAT/FAT32 filesystem; FAT/FAT32 filesystems cannot support files larger than (4 GB - 1 byte).

See the FAQ: What is the largest volume that I can create? for further information and how to resolve this.


Q: What is the largest volume that I can create?

A: On a PC, FreeOTFE has a theoretical maximum volume size of 2^64 bytes (16777216 TB; 17179869184 GB). For fairly obvious reasons, I have not had the opportunity to test a volume this size!

In practice, however, although partition based volumes may be able to reach this size, file-based volumes are limited by the filesystem on which the volume file is stored, which may prevent this limit from being reached.

For example, a FAT32 drive cannot store a volume file which is 4GB or larger. In practical terms, this means that the largest volume you can create on a FAT32 filesystem is 3999 MB. An NTFS formatted drive can store volume files much larger; in excess of FAT32's 4GB limit, and up to FreeOTFE's maximum size stated above.

On a PDA, the largest volume supported is 2^32 bytes (4GB). This is due to limitations with Windows Mobile.


Q: Help! I forgot my password! I know it was something like...

A: Oops. That was silly of you, wasn't it?

If you've secured your volume with something like AES, then you can pretty much kiss goodbye to your data.

If you know what most of your password is though, then you could certainly write an application which would carry out a brute force attack on your volume, assuming those known characters. How long this would take to run would depend on the cypher used, the strength of your password, and how much you remember of it.

Note: This is not a security risk; that last comment equally applies to pretty much any OTFE system which has been implemented correctly.


Q: Can I store an encrypted volume on a compressed NTFS drive?

A: Yes, though there is nothing to be gained from compressing encrypted data, as it is unlikely to compress by any significant amount (if at all).


Q: What hash algorithms does FreeOTFE use?

A: A full list of the hash algorithms used by FreeOTFE can be found on the introduction page.


Q: What encryption algorithms does FreeOTFE use?

A: A full list of the cyphers and cypher modes used by FreeOTFE can be found on the introduction page.


Q: Which cypher modes does FreeOTFE support?

A: With the exception of the NULL and XOR cyphers, FreeOTFE offers CBC, LRW and XTS modes, and has the flexibility for other modes to be easily added by simply changing drivers.

A full list of the cyphers and cypher modes used by FreeOTFE can be found on the introduction page.


Q: Which is the best encryption algorithm to use?

A: That is a difficult question to answer!

The best advice that can be given here is to research the cyphers available, and make your own decision based on your particular security requirements.

FreeOTFE defaults to using the AES-256 cypher in XTS mode together with SHA-512 for hashing. This should prove more than enough for the overwhelming majority of users.


Q: How safe is FreeOTFE?

A: FreeOTFE is pretty much just as safe as writing data directly to your hard drive without FreeOTFE encrypting it (see also the FAQ: "What happens if my volume file is corrupted or damaged in some way? Will I lose all my data?").

If you forget your password, however, then by definition you will not be able to recover your data (see also the FAQ: "Help! I forgot my password! I know it was something like...").


Q: What happens if my volume file is corrupted or damaged in some way? Will I lose all my data?

A: As with pretty much all OTFE systems, if you were to corrupt a FreeOTFE volume in some way, the damage your data would receive would be about the same as if you had stored it directly on your hard drive, without FreeOTFE encrypting it.

For example: If you mount a FreeOTFE volume file and then write a byte of data, at random, to somewhere on that mounted drive, the effect would be exactly the same as if you had randomly written the same byte to a real hard drive.

On the other hand, if you were to write a byte of data to a random location within an unmounted FreeOTFE volume, then the amount of damage caused would depend on where that byte was written:

  1. If the volume file was created with a critical data block (CDB) at the start of it, and the byte was written to the first 512 bytes of the volume file (where the CDB is located), then the volume would be unmountable, unless you had made a backup of this area of your volume, or created a keyfile - in which case, you could restore from your backup/mount from your keyfile, and continue as if nothing had happened.
  2. If the volume file was created without a critical data block, or the byte was written to any other part of your volume file, then the sector that corresponded to the location that the byte was written to would be corrupted from approximately the point the byte was written, to the end of that sector; a maximum of 512 bytes.
To protect against (1), FreeOTFE includes functionality to back up a volume's CDB (see "Tools | Critical data block... | Backup...") and to create keyfiles (see "Tools | Create keyfile...").
Should case (2) occur, the damage to your volume would be minimal (up to a maximum of 512 bytes), and restricted to the sector that was corrupted.


Q: If someone steals my keyfile, will they be able to decrypt my data and read it?

A: No, not unless they have the keyfile's password as well.

Keyfiles are encrypted. Without the password used to encrypt it, a keyfile is pretty much just a useless block of random data.


Q: How do I know FreeOTFE is encrypting my data, and with the encryption algorithm I choose?

A: To verify that encryption/decryption is taking place for Linux volumes, create an encrypted volume using Linux; then mount it using FreeOTFE.

The encrypted Linux volume will be fully readable (and writable) using FreeOTFE - confirming that the same encryption is taking place under FreeOTFE as Linux.

For FreeOTFE volumes, the critical data block can be dumped out (see "Tools | Dump to human readable file..." menu), and the master encryption key used to mount the same volume under Linux (offsetting for the CDB) - again proving that encryption is taking place.

WARNING: Contrary to popular belief, a user interface which accepts and processes encryption test vectors does not prove anything! It is a trivial task to take a secure cypher, and use it to process test vectors provided by the user, while actually using a very weak and insecure cypher to carry out encryption/decryption on the data being stored!


Q: When selecting a cypher to use, why do the same cyphers appear multiple times?

A: This is because you have more than one version of a particular cypher driver installed. See also: Why are there duplicated cypher drivers?


Q: Why are there duplicated cypher drivers?

A: The "duplicated" drivers implement the same algorithms, but are built from different crypto libraries. For example, there are three Twofish drivers; one based on the Hi/fn and Counterpane Systems Twofish implementation, another which uses the libtomcrypt implementation, and a third which relies on the Gladman implementation.

These redundant drivers are primarily intended to allow verification of the implementations and increase confidence that they're actually doing what they're supposed to do.

These duplicated drivers do exactly the same thing. It is recommended that if you wish to use a cypher which has multiple supplied drivers, that you uninstall one of them. (See also: Which of the duplicated drivers should I use?)


Q: Which of the duplicated drivers should I use?

A: It doesn't particularly matter too much; they both do exactly the same thing, but are based on different implementations.

Simply choose one and uninstall the other.


Q: Can FreeOTFE generate keyfiles which only allow read only access?

A: Not at present, though if I receive enough requests for it, I may add this functionality.

Until then, it should be borne in mind that anyone with a "read only" keyfile has, pretty much by definition, a copy of your master key and so has the potential to modify their "read only" keyfile, turning it into a "read-write" keyfile.

i.e. It is debatable how much use this functionality has; certainly it should not be relied upon to prevent users from gaining write access to your volume files.


Q: Can I use the same encrypted volumes on both my PC and PDA?

A: Yes - you can! Both the PC and PDA versions of FreeOTFE are fully compatible with each other.

However, please create your volume using the PC version of FreeOTFE. Volumes created using the PDA version will include additional partition information which will not be understood by your PC.

Make sure that before attempting to mount your volume using the PDA version, you have enabled the relevant hash/cypher drivers used in securing the volume. By default, FreeOTFE4PDA only has the SHA-xxx and AES algorithms enabled. See Advanced Topics, "Enabling/Disabling Hash/Cypher Algorithms" section, for how to enable/disable other hash/cypher algorithms.


Q: When creating a new volume, how do I enable the sector IV options?

A: Sector IVs are only used with cyphers using CBC mode; to enable the sector IV options, select an encryption algorithm which operates in CBC mode.

If you select a cypher which uses either LRW or XTS, the IV options are automatically disabled as these algorithms don't use them.


Q: Is FreeOTFE vulnerable to "watermarking" attacks?

A: FreeOTFE volumes are not vulnerable to watermarking attacks, as long as they are created with a cypher using:

  • XTS mode
  • LRW mode
  • CBC mode with ESSIV
(see the "Create new volume" wizard, encryption settings step).

By default, FreeOTFE creates volumes using XTS mode. Users would have to deliberately create their volumes using CBC mode with predictable IVs in order to be vulnerable to this type of attack.


Q: Is FreeOTFE vulnerable to "Cold Boot Attacks on Encryption Keys" (aka "DRAM attacks")?

A: No, it isn't - assuming common sense is used.

Description

A "cold boot attack" involves rebooting a computer which has been handling sensitive information, and dumping contents of its memory out to a disk in order to try to examine information stored in memory immediately prior to rebooting. This form of attack is detailed at http://citp.princeton.edu/memory/

This attack is nothing new, and has been well known for a long time; despite the disproportionate amount of attention it's now getting.

Solution

If you mount an OTFE volume, and simply walk away from your computer, the encryption keys used to secure your volume will be held in your computer's physical memory (obviously). If someone reboots your computer at that point, there is a risk they could successfully recover your encryption key.

However, it is not generally recommended that you simply walk away from your computer while you have volumes mounted - if anyone can come along and attempt to launch the above attack, THEY CAN SIMPLY READ THE CONTENTS OF YOUR ENCRYPTED VOLUME DIRECTLY ANYWAY!

If you dismount your volumes after using them, the FreeOTFE driver overwrites all sensitive data (key information, etc) that it holds before releasing it - which should prevent the above attack.

If you suddenly press your computer's power off button or reset it (i.e. using the physical "power off" button on the front of its case) while a volume is mounted, then an attacker could theoretically dump out your encryption keys using this attack. Please note that:

  1. All encryption systems are susceptible to this attack, since they have to store encryption keys in memory in order to use them
  2. Regardless of whether you use any form of disk encryption or not, it is not recommended that you power off/reset your computer without first shutting down cleanly via "Start -> Turn off computer"!

To prevent this attack in the situation described above, ensure that the computer remains powered off for several minutes after it is turned off in order for the contents of RAM to effectively "bleed away".

Summary

In summary, to completely remove the threat of this attack against your encryption keys:

  1. Dismount volumes after you have used them
  2. If you must power off your computer while one or more volumes are mounted: prevent anyone from powering it back on and dumping its memory out for at least the first few minutes after it was powered off (or the first 15-20 minutes if they open up the case and spray coolant on the memory chips)
In short - just use common sense.

Notes

It should be noted that this attack is not limited in any way to disk encryption systems. The focus on these systems by the authors of the above paper is a red herring. Essentially the attack consists of attempting to take a snapshot of the PC's memory at the time it was reset, which can then be picked over at leisure. Any encryption system can be attacked in this way.

Furthermore, because this attack may allow whatever was in the computer's memory at the point it was rebooted to be recovered, it should also be noted that any information that applications had in memory at the time the computer is reset (e.g. a document open in MS Word, or image being displayed on the screen) may potentially be recovered. Disk encryption systems encrypt data stored on disks - not in RAM.


Q: Does FreeOTFE have any form of password recovery?

A: Yes; FreeOTFE keyfiles can be used to provide a form of password recovery; see the Getting Started Guide.


Q: Isn't FreeOTFE's "keyfile" functionality a security risk?

A: No. In order to create a keyfile, both the volume and the volume's password (or an existing keyfile, and that keyfile's password) are required.

If an attacker already has this information, your security has already been compromised anyway.


Q: What happened to the NULL hash and NULL/XOR cypher drivers?

A: To improve performance, these drivers have been moved into a "weak drivers" directory in the PDA release. Really, you shouldn't be using these drivers at all; they are of little use from a security perspective, and are only really included to allow testing. They're still included with the release though, if you really need them...


Q: How do I resize an encrypted volume?

A: To change the size of an encrypted volume:

  1. Mount your existing volume
  2. Create a new FreeOTFE volume of the size required
  3. Mount the new volume (overwriting and formatting it if needed)
  4. Copy all data from the old volume to the new one
  5. Dismount both volumes
  6. Delete the old volume

Obviously, this procedure requires enough storage space to hold both the old and newly created volumes.

It should be noted that, although a number of other disk encryption systems claim to offer volume resizing functionality, they typically either carry out the procedure above "behind the scenes" (often failing completely if insufficient storage is available to hold the new volume), or store the volume in a "sparse" file - which can lead to security leaks.


Q: How do I delete an encrypted volume?

A: If your volume is stored within a file, simply dismount the volume if already mounted, and delete the file.

IMPORTANT: Before deleting a volume file, make sure that you mount it first and copy any information stored in it to somewhere safe! Once deleted, you will lose access to your encrypted volume, and anything it contains!


Q: How do I backup an encrypted volume?

A: How you backup an encrypted volume depends on whether it is a file or partition based volume. In both cases however, volumes should be dismounted before being backed up.

For file based volumes

A file based volume is a file just like any other (albeit a fairly big one); simply let your backup software backup the volume as it chooses, and your data should be safe.

This will work regardless of what backup software you use, though you may wish to turn off FreeOTFE's timestamp reverting functionality in order for your backup software to identify when volumes have been changed. (See "View | Options..." dialog, "General" tab, "Revert volume timestamps on dismount")

For disk/partition based volumes

Whether you can backup disk/partition based volumes depends on the backup software being used. If your backup software takes a literal backup image of a disk/partition, then it should successfully backup FreeOTFE volumes (even if the backup copy is compressed). However, not all backup systems do this, and instead try to be "smart" about what they store to backup - and fail to backup everything they need to.

(This issue is true for all disk encryption systems, not just FreeOTFE)

For example, with Paragon Drive Backup, if you create an encrypted volume using an entire disk (i.e. without creating a partition on the disk, and encrypting that partition), Paragon Drive doesn't appear to think there's anything worth backing up (i.e. it doesn't see any partitions to backup) and therefore backs up practically nothing. As a result, it will not back up your volume correctly.

However! If you create an encrypted volume on a partition (even one filling the entire drive), and back that partition up, Paragon Drive Backup does what it should do - generates a compressed backup copy of the entire partition, which can then be restored back later.

Tip! No matter what you're backing up, when you setup a backup system for the first time, it is strongly recommended that you go through the restore process at least once before "setting it and forgetting it". The absolute worst time for learning how your software's restore function works is when you actually need it (e.g. after a disk failure, and you want to get your data back)

This advice applies to ALL backups, and not just backups of FreeOTFE volumes.

By doing a "dry run", you can have confidence in both your backups, and in your ability to use them should you need to.


Q: Can I use any filename/file extension for my FreeOTFE volume?

A: Yes!

Filenames and file extensions have no special meaning to FreeOTFE, which means any filename can be used.


Q: Does FreeOTFE support LVM2?

A: Yes - it certainly can!

FreeOTFE fully supports Linux LVM2 volumes, provided that you have a suitable Windows driver which gives access to LVM2 volumes. With such a driver, FreeOTFE can carry out disk encryption either above or below the LVM management layer (i.e. on logical or physical volumes).

(It should be noted however that LVM2 is not a disk encryption issue!)


Q: Is it worth running file overwriter ("shredder") programs to securely delete existing data stored on my encrypted drive?

A: For most users, no - it would only have the effect of replacing encrypted files with encrypted garbage; neither is particularly useful to an attacker.

However, if you are concerned that an attacker may be able to obtain your password (and the other details required to decrypt your encrypted volume), it may still be wise to overwrite data before deleting it. That way, should an attacker manage to decrypt your volume(s), they will not be able to use data recovery tools to retrieve sensitive data from them.


Q: What is the difference between the main FreeOTFE/FreeOTFE Explorer release and the PortableApps.com version?

A: The PortableApps.com version is identical to the main FreeOTFE/FreeOTFE Explorer release, but includes an additional:

  • "Launcher" executable, which simply starts FreeOTFE.exe/FreeOTFEExplorer.exe
  • Directory structure required to integrate it into the PortableApps.com menu software.
  • Configuration files required to integrate it into the PortableApps.com menu software.
Further, the installer has been created using the PortableApps.com installer-creator software instead of the standard FreeOTFE NSIS installer, and the translation source files (".po" files, which aren't needed to use the software) have been removed.


Q: What is the difference between the main FreeOTFE/FreeOTFE Explorer release and the U3 version?

A: The U3 version is identical to the main FreeOTFE/FreeOTFE Explorer release with the exception that a slightly different directory structure is used to support the U3 platform, and the translation source files (".po" files, which aren't needed to use the software) have been removed.

The ".u3p" file is simply a ZIP archive which has been renamed; it may be renamed to have a ".zip" file extension and uncompressed to verify its contents.


Q: When dismounting a file based volume, what does FreeOTFE do with the file timestamps?

A: By default, when mounting file based volumes, FreeOTFE stores the volume file's timestamps, and resets them back again after dismounting. This is carried out for security reasons (see section on plausible deniability).

This functionality can be turned off if needed (e.g. to assist backup processes; see FAQ "How do I backup an encrypted volume?") by turning off the "Revert volume timestamps on dismount" option on the Options dialog ("View | Options").
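The following is an added example, not FreeOTFE's own code, illustrating the behaviour described in this answer and in the backup FAQ above: the volume file's timestamps are recorded at mount time and put back at dismount time, so a backup tool that decides what to copy from the file's modification time will not notice that data inside the volume changed. The "volume file", the sector write and the backup rule are all constructed here for the demonstration.

```python
"""Added example (not FreeOTFE's own code): what "Revert volume timestamps
on dismount" does to a volume file, and why a backup tool that relies on
the file's modification time then misses changes made inside the volume.
The volume file, its contents and the backup rule are constructed here."""
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class SavedStamps:
    atime_ns: int
    mtime_ns: int


def save_stamps(path: str) -> SavedStamps:
    """Record the file's timestamps, as done at mount time."""
    st = os.stat(path)
    return SavedStamps(st.st_atime_ns, st.st_mtime_ns)


def restore_stamps(path: str, saved: SavedStamps) -> None:
    """Put the recorded timestamps back, as done at dismount time."""
    os.utime(path, ns=(saved.atime_ns, saved.mtime_ns))


def write_sector(path: str, sector: int, data: bytes) -> None:
    """Stand-in for the driver writing one 512-byte sector into the volume file."""
    with open(path, "r+b") as f:
        f.seek(sector * 512)
        f.write(data)


def mtime_backup_would_copy(path: str, last_backup_mtime_ns: int) -> bool:
    """Simplified incremental-backup rule: copy only if mtime has moved on."""
    return os.stat(path).st_mtime_ns > last_backup_mtime_ns


def simulate(revert_on_dismount: bool) -> dict:
    """Back up, mount, write one sector, dismount; report what the backup sees."""
    with tempfile.TemporaryDirectory() as workdir:
        vol = os.path.join(workdir, "vol.dat")
        with open(vol, "wb") as f:
            f.write(b"\0" * 8 * 512)           # constructed 8-sector volume file
        # Push the file's timestamps 10 s into the past so that the write
        # below is guaranteed to move mtime forward, then "run the backup".
        past_ns = os.stat(vol).st_mtime_ns - 10 * 10**9
        os.utime(vol, ns=(past_ns, past_ns))
        last_backup_mtime_ns = os.stat(vol).st_mtime_ns

        saved = save_stamps(vol)                # mount
        write_sector(vol, 1, b"\xAA" * 512)     # change data inside the volume
        if revert_on_dismount:
            restore_stamps(vol, saved)          # dismount with the option on

        with open(vol, "rb") as f:
            changed = f.read()[512:1024] == b"\xAA" * 512
        return {
            "content_changed": changed,
            "backup_sees_change": mtime_backup_would_copy(vol, last_backup_mtime_ns),
        }


if __name__ == "__main__":
    print("revert on :", simulate(True))
    print("revert off:", simulate(False))
```

With the revert enabled the content changes but the backup rule reports nothing to copy; with it disabled the modified file is picked up. This is why the option is worth switching off while a modification-time based backup is in use, and why a full image or a restore test is the only real confirmation that a volume has been backed up.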


Q: What is volume "padding", and why would I want it?

A: A number of tools are available to "detect" encrypted volumes. These typically operate by detecting large files with a high amount of entropy and a file size that is a multiple of 512 bytes, or which is a certain "signature size" greater than the last 1MB boundary.

"Padding" is additional (random) data added to the end of the volume, and is used to prevent detection of FreeOTFE volumes by automated volume-finding tools which only carry out a cursory search for volumes, and rely on the size of files found.

Furthermore, padding also reduces the amount of information an attacker has about a volume, by preventing reliable detection of the size of the mounted volume (subject to the mounted volume being overwritten as described in the Plausible Deniability section).

Padding will not prevent a reasonably knowledgeable IT person from being able to reasonably identify an encrypted volume as such - like any security mechanism, padding is simply another tool which would be employed from a larger toolbox. For this reason, it is not recommended that padding be relied upon to help secure data against an attacker, and users considering using padding may benefit from reading the section on "Plausible Deniability"
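To make the size-based heuristic concrete, here is an added example (not FreeOTFE's own code, and not any particular detection tool's) of the kind of cursory check described above: a file is flagged when it is large, its head is high entropy, and its size is either a whole number of 512-byte sectors or a fixed "signature size" (here a 512-byte CDB, as the FAQ states FreeOTFE writes) beyond the last 1 MB boundary. Appending padding whose length is not a multiple of 512 bytes defeats both size rules; it does nothing about the entropy rule, which is the point of the caveat above. The sample "volume" is random bytes constructed here, and the thresholds are assumptions.

```python
"""Added example (not FreeOTFE's own code): the size/entropy heuristic a
cursory volume-finding tool applies, and how padding of a length that is
not a multiple of 512 bytes defeats the size tests while leaving the
entropy test untouched.  Sample data and thresholds are constructed."""
import math
import os
from collections import Counter

SECTOR = 512
MB = 1 << 20
CDB_SIZE = 512            # FreeOTFE's critical data block size, per the FAQ
ENTROPY_THRESHOLD = 7.9   # bits/byte; assumption, random data is ~8.0
MIN_SIZE = MB             # assumption: ignore small files
SAMPLE = 64 * 1024        # bytes of the file head to measure


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a repeated byte, ~8.0 for random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def size_is_sector_multiple(size: int) -> bool:
    """First size rule from the FAQ: a whole number of 512-byte sectors."""
    return size >= MIN_SIZE and size % SECTOR == 0


def size_is_header_past_mb(size: int) -> bool:
    """Second size rule: a fixed 'signature size' beyond the last 1 MB boundary,
    which is what a CDB followed by a whole number of MB of data looks like."""
    return size >= MIN_SIZE and size % MB == CDB_SIZE


def looks_like_encrypted_volume(data: bytes) -> bool:
    """Flag files that pass either size rule AND have a high-entropy head."""
    size = len(data)
    size_hit = size_is_sector_multiple(size) or size_is_header_past_mb(size)
    return size_hit and shannon_entropy(data[:SAMPLE]) > ENTROPY_THRESHOLD


def add_padding(volume: bytes, pad_len: int) -> bytes:
    """Append random padding; pad_len must break the sector alignment to help."""
    if (len(volume) + pad_len) % SECTOR == 0:
        raise ValueError("padding must break sector alignment to be useful")
    return volume + os.urandom(pad_len)


def demo() -> dict:
    """Run an unpadded volume, a padded volume and a text file through the check."""
    volume = os.urandom(CDB_SIZE + 2 * MB)           # constructed: CDB + 2 MB of data
    padded = add_padding(volume, 777)                # 777 is not a multiple of 512
    text = (b"lorem ipsum\n" * 128) * 1400           # low entropy, sector aligned
    return {
        "volume_detected": looks_like_encrypted_volume(volume),
        "padded_detected": looks_like_encrypted_volume(padded),
        "padded_head_entropy": shannon_entropy(padded[:SAMPLE]),
        "text_file_detected": looks_like_encrypted_volume(text),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The padded file still measures close to 8 bits per byte, so anyone who drops the size rules and simply hunts for large high-entropy files will still find it; padding only buys anything against tools that stop at the size check.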


Q: Why wouldn't I want to use padding?

A: Padding takes up additional storage on your hard drive beyond that required by the volume file.




FreeOTFE Specific (PC)


Q: When creating a FreeOTFE volume, the wizard shows me which stage of volume creation I am currently on - but it goes haywire, and the number of stages to complete keeps changing!

A:
The number of different stages to creating a new FreeOTFE volume varies, depending on what options you choose - for example, if you elect to use mouse movement to generate random data, then you will have to complete an extra step to actually generate this random data; if you switch to using the Microsoft CryptoAPI for generating random data, you can skip that step, as it is done for you automatically.


Q: Is it possible to dismount my FreeOTFE volumes when I hit a certain "hotkey"?

A: Yes; see under "View | Options..." - the "Hotkeys" tab


Q: Why can't I dismount my volume(s)?

A: The most common reason for this is because FreeOTFE cannot gain an exclusive lock on the associated drive. This is normally caused by one or more files being open on the encrypted volume.

"Normal" (non administrator) users may also have problems dismounting drives (see the TODO list in this documentation)

If a volume cannot be dismounted "normally", you will be prompted if you want to forcefully dismount it; it is only recommended that volumes are dismounted in this way if all open files and documents are closed.


Q: Why are the drivers written in C, but the PC version's GUI in Delphi?!

A: Good question. The drivers are written in C as the DDK pretty much requires it. The PC GUI is in Delphi as this was the easiest for me to implement.

The PDA version of the GUI was written in C; this may be ported to the PC platform at a later date


Q: Why aren't I prompted to enter a password when creating a Linux volume?

A: This is covered in the documentation; see section relating to creating Linux volumes.

In a nutshell, creating a Linux volume only requires a file to be created of the appropriate size. It is when the volume is subsequently mounted that a password is required; the same process as when creating an encrypted Linux volume under Linux.


Q: Can I burn my volumes on a CD (or CDRW, or DVD), and mount them from there?

A: Yes; at the end of the day, volume files are just plain straight (albeit very large) files. Just ensure that when you mount them, you mount them as read only volumes, (for obvious reasons - even with CDRWs).

It is recommended that volumes which are to be written to CD are formatted using either the FAT or FAT32 filesystem. NTFS volumes will work (under Windows XP), though AFAIR Windows 2000 is unable to mount NTFS volumes read only (meaning the volume must be copied back to your HDD, the file set to read/write, and then mounted).


Q: Can I use FreeOTFE over a network?

A: Yes. By installing FreeOTFE on the computers you wish to access your data from, you can mount a volume file located on a networked server.

When mounting over a network, simply specify the UNC path (e.g. \\servername\sharename\path\volumefilename) to the volume file being mounted.

When a volume is mounted over a network in this way, all encryption and decryption takes place on the computer mounting the volume, so all data read from/written to that volume crosses the network in encrypted form.

If you wish to mount a networked volume file by more than one computer at the same time, you may do so provided that they all mount the volume read only. If any computer has a volume file mounted as read/write, you should dismount all other computers (even if they were accessing the volume as read only), and ensure no other computer mounts the volume until the computer mounted as read/write has dismounted.


Q: Why do I get "Unable to connect to the FreeOTFE driver" errors?

A: This message indicates that you have either not installed the main FreeOTFE driver ("FreeOTFE.sys"), or you have not started it yet.

It is normal to see this message in the following circumstances:

  1. The first time you run FreeOTFE, when no drivers have been installed
  2. When exiting the driver installation dialog, if the main FreeOTFE driver hasn't been both installed and started.
  3. When starting FreeOTFE after installing the main FreeOTFE driver, if the driver has not been started (e.g. you rebooted, and the driver was set for manual start, as opposed to at system startup)
  4. When stopping all portable mode drivers, where the main FreeOTFE driver was started in portable mode.
  5. When exiting FreeOTFE and stopping all portable mode drivers, where the main FreeOTFE driver was started in portable mode.
To eliminate this error message, ensure that the main FreeOTFE driver is installed and started.

To prevent this error message from being displayed when FreeOTFE is run after rebooting, set the main FreeOTFE driver to start at system startup.

The status of all installed drivers can be checked by selecting "File | Drivers..."


Q: Why do I get prompted to select a driver whenever I attempt to mount some of my FreeOTFE volumes?

A: If your volume looks as though it can be decrypted by using more than one cypher/hash driver combination, you will be prompted to select which combination you wish to use.

This happens, for example, if you used Twofish or AES to encrypt your data as FreeOTFE comes supplied with a choice of drivers for these cyphers (see also: Which of the duplicated drivers should I use?)

To prevent the prompt appearing, please uninstall one of the offending drivers.


Q: Do I need Administrator privileges to use FreeOTFE on my computer?

A: No - Although Administrator privileges are needed to install the FreeOTFE drivers, or start/stop portable mode.

To allow "standard" (non Administrator) users to use FreeOTFE, please install the FreeOTFE drivers by following the instructions in the Installation and Upgrading section. After which, any user will be free to use FreeOTFE (e.g. to create, mount, dismount and use encrypted volumes)

To access an encrypted volume on a PC which doesn't have FreeOTFE installed, and on which you don't have Administrator privileges, please use FreeOTFE Explorer.


Q: Why do I need Administrator rights to install FreeOTFE?

A: This is probably the most common FAQ with respect to OTFE systems.

In order for most (if not all) OTFE systems to operate, they require the use of "kernel mode drivers" to carry out drive emulation.

A "kernel mode driver" is a special piece of software which operates at a very low level within your computer's operating system. As such, it can do pretty much anything to your system - including carrying out privileged actions that normal users are not allowed to do (e.g. formatting your HDD). Because of this, MS Windows only allows users with Administrator rights to install such drivers.

NOTE: Administrator rights are not required in order to use FreeOTFE once installed.

To access an encrypted volume on a PC which doesn't have FreeOTFE installed, and on which you don't have Administrator privileges, please use FreeOTFE Explorer.


Q: Why do I need Administrator rights to start "portable mode"?

A: Administrator rights are required to start "portable mode" because starting portable mode implicitly registers the FreeOTFE drivers on the computer it's running on. When portable mode is stopped, they are unregistered.

Administrator rights are required for this operation, for the same reasons as given for the answer to "Why do I need Administrator rights to install FreeOTFE?"

To access an encrypted volume on a PC which doesn't have FreeOTFE installed, and on which you don't have Administrator privileges, please use FreeOTFE Explorer.


Q: Can FreeOTFE run under MS Windows 95/98/Me?

A: No - and there are currently no plans to port FreeOTFE to Windows 9x based systems due to the different driver model used.


Q: Can FreeOTFE run under Linux?

A: No - although FreeOTFE can read, write and create volumes which can be used under Linux.

FreeOTFE Explorer however, can be used under Linux when run under Wine.


Q: How can I get FreeOTFE to mount my volumes at startup/when I login?

A: By creating a shortcut with suitable command line parameters in your "Startup" directory (click the MS Windows "Start" button, then go to "Programs | Startup"), FreeOTFE can mount volume files after your system starts up/you login.

See the Command Line Interface section for full details of FreeOTFE's command line options.


Q: On the options dialog, what does the "Save above settings to" option do?

A: This allows you to change where your FreeOTFE settings are stored; in your user profile (only accessible to you), or with the FreeOTFE executable (which is useful if you want to take FreeOTFE with you; on a USB drive, for example).

You may also choose to not save your settings; in which case, the next time you start FreeOTFE, you will begin again with the default options.


Q: Can I save my settings in the same directory as my FreeOTFE executable?

A: Yes, you can - and this makes FreeOTFE more portable, and easier to use, if you want to take it with you on (for example) a USB drive.

There is only one exception though; if you are using Windows Vista, and have User Account Control (UAC) switched on, you will not be allowed to store your settings with the FreeOTFE executable if it is stored under your "Program Files" directory. This is due to one of the limitations imposed by Windows Vista's security system; though you are still free to store FreeOTFE's settings in your user profile.


Q: Where, and in what order does FreeOTFE search for my settings?

A: If you have chosen to save your settings, FreeOTFE will store them in a "FreeOTFE.ini" file stored on your computer at your chosen location.

When it starts up, FreeOTFE will attempt to locate this file and read in your settings, by first checking for it in the same directory the executable (FreeOTFE.exe) was located in. If a settings file cannot be found in this location, it will try and look for the same file in your user's profile. If a settings file still cannot be found, FreeOTFE will fallback to using configured default values for all settings.


Q: After associating FreeOTFE with ".vol" files from the options dialog, I doubleclicked my ".vol" volume file, and nothing happened!

A: The FreeOTFE drivers must be running in order for you to mount a volume by doubleclicking on it. Please either install the FreeOTFE drivers (see the installation section), or start FreeOTFE's portable mode (see portable mode section).


Q: Why do volumes created with the FreeOTFE v2.00 and later have the extension ".vol"?

A: This is purely to maintain consistency with the PDA version (see other FAQ for an explanation as to why the PDA version uses filename extensions). FreeOTFE gives you complete freedom over what you name your volume files.


Q: What is the difference between the "Overwrite free space..." and "Overwrite entire drive..." options under the "Tools" menu?

A: These options are largely self-explanatory.

The "Overwrite free space.." option will simply overwrite all unused storage on the selected volume.

The "Overwrite entire drive.." option is more destructive - it will overwrite all storage on the selected volume - including overwriting (destroying) any data that may have been present on it.

Because the latter option is more destructive, it may only be used when a single mounted volume has been selected within the FreeOTFE user interface.


Q: Does FreeOTFE support encrypting data with multiple cyphers (aka "cascaded" cyphers, or "superencryption")

A: Yes! FreeOTFE allows volumes to be nested one inside another, with complete flexibility as to which encryption options are used with each volume.

This means that you can (for example) have:

  • An AES XTS (with SHA-512) encrypted volume, stored within
  • A Blowfish LRW (using Tiger) encrypted volume, stored within
  • A Serpent CBC-ESSIV (using RIPEMD-320) encrypted volume

In this example, any data stored within the "innermost" AES encrypted volume will actually be triple-encrypted with AES, Blowfish and Serpent before being written to disk.

Obviously, there is a performance impact in encrypting data more than once - as there would be in any system which encrypts data multiple times.

It's debatable how much this increases security, though in principle the "innermost" volume, in which sensitive files are stored, will be secured at least as strongly as the strongest cypher used (provided each nested volume has its own, independent password/key). Should any of the cyphers be found to be weak at a later date, this will still hold true.

Note: Volumes nested in this manner must be dismounted in the reverse order to which they were mounted.


Q: FreeOTFE supports different languages, but why isn't mine listed?

A: Please see FreeOTFE's translations page for up-to-date information on language translations.


Q: How do I translate FreeOTFE into a different language?

A: Please see FreeOTFE's translations page for up-to-date information on language translations.


Q: Can I defragment encrypted volumes?

A: Yes! There are two things that you may wish to defragment:

  1. (File based volumes only) The drive on which the volume file is stored (i.e. defragmenting a volume file)

    Once dismounted, a volume file can be treated just like any other file. Volume files can be defragmented by then running any defragmentation tool on the drive it's stored on.

  2. The filesystem stored within the encrypted volume (i.e. defragmenting the encrypted files stored within the volume)

    By mounting a volume, you can defragment the encrypted data stored within it. Again, you can use any tool for this, with the exception of:

    • Raxco's PerfectDisk 2008
    • Diskeeper Corporation's "Diskeeper"
    • The defragmentation tool which comes bundled with Windows (which is a simply a stripped down version of Diskeeper)

    The above systems have limitations which prevent them from "seeing" mounted volumes, all other tools will work as normal. Examples of defragmentation tools which work with FreeOTFE volumes include:


Q: Can I use FreeOTFE with my USB flash drive?

A: Yes! FreeOTFE has been designed to be portable; see the section on Portable Mode for details on which files to copy onto your USB drive. Alternatively, insert your USB drive and select the "Tools | Copy FreeOTFE to USB drive..." menuitem to automatically copy FreeOTFE to your USB drive.

You can then use FreeOTFE on any PC - even if it doesn't have FreeOTFE installed.


Q: Why doesn't FreeOTFE run automatically when I insert my USB drive?

A: If you used the "Tools | Copy FreeOTFE to USB drive..." function, and selected the "Setup autorun.inf to launch FreeOTFE when drive inserted" option, FreeOTFE will normally run automatically whenever the drive is inserted (or prompt the user if they want to run it).

However, this does depend on your PC's configuration.

If FreeOTFE doesn't launch automatically (and you don't get prompted to launch FreeOTFE after inserting the drive), you probably have autorun turned off for removable disks.

Security tip It is generally recommended that "autorun" functionality be disabled, as this can have security implications; should an untrusted USB drive be plugged in, the program specified in an autorun.inf file on the device may be launched - without offering the user the chance to prevent it

To reset (enable) autorun functionality:

  1. Click the windows "Start" button
  2. Select "Run"
  3. Type in "gpedit.msc" and click "OK"
  4. Reset the setting for the local computer policy
    1. Select "Local Computer Policy \ Computer Configuration \ Administrative Templates \ System"
    2. Double click the "Turn off Autoplay" entry
    3. Change the "Not configured"/"Enabled"/"Disabled" selection to any of the three options
    4. Click "Apply"
    5. Change the "Not configured"/"Enabled"/"Disabled" selection to either "Not configured" or "Disabled"
    6. Click "Apply"
  5. Reset the setting for users
    1. Select "Local Computer Policy \ User Configuration \ Administrative Templates \ System"
    2. Double click the "Turn off Autoplay" entry
    3. Change the "Not configured"/"Enabled"/"Disabled" selection to any of the three options
    4. Click "Apply"
    5. Change the "Not configured"/"Enabled"/"Disabled" selection to either "Not configured" or "Disabled"
    6. Click "Apply"

See also: Enable Autorun on DVD, CD and other removable media


Q: Can I use FreeOTFE with "MojoPac"?

A: Yes!

There are two basic ways of encrypting your data using FreeOTFE while using MojoPac:

  1. By creating an encrypted volume and installing MojoPac onto it.
  2. By installing MojoPac as normal (e.g. onto a USB drive), and running FreeOTFE from within MojoPac

Method one: Installing onto a FreeOTFE volume

The first method is probably the more secure, as your entire MojoPac setup is encrypted. Simply create a new FreeOTFE volume on your USB drive, mount it, and then install MojoPac onto the mounted volume.

In this way everything relating to your MojoPac system will be secured. Because of FreeOTFE's portable mode, MojoPac can be used as a fully mobile, secured, system by placing a copy of FreeOTFE onto your USB drive along with the volume file.

Method two: Running within the MojoPac environment

FreeOTFE can also be launched and used from within the MojoPac environment to create and use encrypted volumes in much the same way as on a normal PC.

In order to use FreeOTFE in this way, you must first either

  • Start FreeOTFE's portable mode on the host PC, or
  • Install and start the FreeOTFE drivers on the host PC

(See the Portable mode and Installation sections for further information)

When running MojoPac, your MojoPac device (i.e. your USB drive, iPod, etc) will appear as both the removable drive it is normally mounted as on the host PC (e.g. D:, E:), and as your MojoPac's C: drive.

To mount a FreeOTFE volume which is stored on your MojoPac device, you should select the volume file on the removable drive (e.g. D:, E:) and not the mirror copy which appears on your MojoPac's C: drive. Mounting volumes stored elsewhere should be unaffected.

Note that when a volume is mounted from within the MojoPac environment, it may also be accessed by the host PC by using the drive letter it is mounted as under the MojoPac session. Applications on the host PC will see the mounted volume as normal, with the exception of Windows Explorer which will not show a new drive icon for it - though even then, it can still be accessed by Windows Explorer on the host PC, by simply typing the drive letter the encrypted volume is mounted as, followed by a colon, into Windows Explorer's "Address" bar and pressing <ENTER>.

In the same manner, volumes mounted on the host PC will be accessible from within the MojoPac environment.


Q: Can FreeOTFE be used with RAID arrays?

A: Yes! FreeOTFE has been tested with, and works with, RAID arrays


Q: Does FreeOTFE try to connect to the internet??

A: No - not by default.

FreeOTFE and FreeOTFE Explorer will only ever try to connect to the internet if they have been configured to check for updates - and even then, they will only connect to the FreeOTFE WWW site to retrieve version information.

By default, both FreeOTFE and FreeOTFE Explorer are configured such that they will not check for updates - this functionality must be explicitly enabled by the user.


Q: How do I check FreeOTFE's exit code when passing parameters via the command line?

A: The easiest way to check FreeOTFE's exit code is to run it via a batch file. For example, if you create a "FreeOTFE_cmdline.bat" file containing the following:

FreeOTFE.exe %1 %2 %3 %4 %5 %6 %7 %8 %9
@echo Exit code: %ERRORLEVEL%

and use "FreeOTFE_cmdline.bat" in place of "FreeOTFE.exe", the exit code will be printed once FreeOTFE returns. (If more than nine parameters need to be passed through, %* may be used in place of %1 ... %9.)


Q: Why won't FreeOTFE accept my password when supplied via the command line parameter?

A: If you're using the "/silent" switch, try removing it and just clicking "OK" on the password dialog to confirm that your password and other details have been entered correctly.

If FreeOTFE fails to mount, check your command line parameters carefully. If your password or volume filename contains spaces, you'll need to surround it with double quotes ("). Similarly, "%" signs are interpreted in batch files as batch file variables; a literal "%" must be written as "%%" in a batch file. Bear in mind also that a password supplied on the command line is stored in plain text in any batch file or shortcut you put it in, and may be visible to other users of the same PC who can view the command lines of running processes.


Q: Do I have to partition my drive to use FreeOTFE?

A: No. FreeOTFE volumes may be stored in files stored on your normal file system.


Q: I want to create a FreeOTFE partition on my unallocated space, but can't see it in the partition display - where is it?

A: For obvious reasons, FreeOTFE only shows partitions which are reported to it by the OS.

Disk space which does not form any part of a partition (i.e. is not referenced in any partition table on the disk (primary or extended); reported as "Unallocated" by the Windows Disk Management tool) cannot be "seen" by FreeOTFE.

To make use of such space, use the Windows Disk Management tool to create a new partition for it, and then use FreeOTFE to turn it into an encrypted partition.

Please note that FreeOTFE is not responsible for partitioning your hard drive - you should be using a partitioning tool for that!


Q: When I'm prompted to select a partition, some of the partitions on my USB drive are shown in red (or not at all) - why?

A: See: Why can't I use encrypted partitions on a USB drive, unless it's the first partition?


Q: Why can't I use encrypted partitions on a USB drive, unless it's the first partition?

A: MS Windows has a limitation which prevents it from correctly using partitions on USB drives that are beyond the first one. As a result, the current version of FreeOTFE cannot use these partitions, and this is indicated by displaying such partitions in red (or not at all) in the partition selection display.

If you wish to use an encrypted partition on a USB drive under both Windows and Linux, please ensure that the encrypted partition is the first partition on the USB drive.

It should be noted that this limitation only applies to USB drives, and not physical disks installed inside the PC

A solution which will allow FreeOTFE to use second (and other) partitions on USB drives is currently under development.

Other possible solutions/information may be found at:



Q: After creating an encrypted partition/disk, MS Windows reports that partition I used as being type "RAW" and prompts me to format it - why?

A: After creating an encrypted partition/disk, if you have a drive letter associated with the physical partition used, MS Windows will report that drive as being "RAW" since it cannot understand what is stored on it (for obvious reasons, it can't understand what the encrypted data means).

WARNING: Do not let MS Windows format this partition! Although formatting the "virtual drive" FreeOTFE creates after mounting your encrypted partition is certainly a requirement before it can be used, formatting the partition it resides on could destroy your encrypted data!

The safest course of action is to prevent MS Windows from allocating a drive letter to the encrypted partition. By doing so:

  • MS Windows will not prompt you every time this drive is accessed, since you will not be able to accidentally access it
  • You'll be less likely to hit "OK" and format the partition, overwriting your encrypted data!
To do this, see the FAQ "How do I "hide" an encrypted partition such that MS Windows doesn't allocate it a drive letter?"


Q: How do I "hide" an encrypted partition such that MS Windows doesn't allocate it a drive letter?

A: Carry out the following steps:

  1. Go to "Start -> Settings -> Control Panel -> Administrative tools -> Computer Management"
  2. Select "Disk Management"
  3. Right-click on the partition you have set up as an encrypted volume and select "Change Drive Letter and Paths"
  4. Remove any drive letters associated with the partition
Windows should then remove any drive letters associated with the encrypted partition.


Q: Why does the partition/disk selection display sometimes display less information?

A: Depending on the user's access rights, FreeOTFE may only be able to obtain limited information about the various disk partitions.

When this happens, FreeOTFE will fallback to displaying a more restricted set of information (e.g. no partition sizes)

Because more information can be displayed if the user is an administrator (or, under Windows Vista, the FreeOTFE process has been started elevated under UAC), it is highly recommended that any partition based volumes are created when logged in as an administrator. (Under Vista, FreeOTFE should be launched by right-clicking on the executable, "FreeOTFE.exe", and selecting "Run as administrator".)

By displaying additional information, there is less likelihood of creating a volume on the wrong partition.

Partition selection dialog; full information shown

Partition selection dialog; restricted information shown


Q: I accidentally selected the wrong disk/partition when creating a new volume and now can't see my files! How can I get my data back?

A: The most important thing to do in this kind of situation is STOP and THINK. Before attempting any kind of recovery, understand what you are going to do and how you are going to do it - before doing anything.

For safety reasons, FreeOTFE only writes the initial 512 byte CDB to the start of the disk/partition when creating a new disk/partition based volume (see the Plausible Deniability section for how to initialize a volume by overwriting it). If you haven't yet mounted the volume and started writing data to it, or overwriting it, you have a good chance of getting your files back.

Obviously, if you have written data to the encrypted volume (e.g. by selecting one of the overwrite options or copying files to it), the amount you will be able to recover will decrease.

The recommended approach to recovering the data originally stored on the disk/partition is to:

  1. Dismount all mounted volumes.
  2. Take an image of the disk/partition the volume was created on (e.g. by using a tool such as USB Flash Tools, or any disk imaging/cloning tool)
  3. Use any standard recovery software (e.g. Restorer 2000 Pro) on the image taken - not the disk/partition itself - to try to recover your data.


Q: Does FreeOTFE offer whole disk encryption?

A: Yes! FreeOTFE does support whole disk encryption, although it does not yet support encrypting the system partition (i.e. the entire disk or partition that the OS boots from)

To encrypt a whole disk, proceed as though creating an encrypted partition and select the "entire disk" checkbox after selecting the drive to be used.


Q: Do I have to use a security token/smartcard with FreeOTFE?

A: No! FreeOTFE offers security token/smartcard support as an option to provide additional security; tokens are not necessary to use FreeOTFE.


Q: What is the difference between PKCS#11, Cryptoki, and "tokens"?

A: PKCS#11 and Cryptoki are the same thing; an API for accessing security tokens/smartcards.

"Token" is a generic term to refer to a security token or smartcard.


Q: Does FreeOTFE encrypt my entire encrypted volume using my PKCS#11 token?

A: No, just the volume's CDB/keyfile. Encrypting the entire volume would incur significant performance penalties due to the relatively low processing power of security tokens compared to a PC, and the need to transfer all data twice over the USB connection (once to send the plaintext/cyphertext to the token, and again to receive the cyphertext/plaintext back).


Q: I've inserted my PKCS#11 (Cryptoki) token, but why is the "PKCS#11 token management..." menuitem disabled?

A: Please ensure that you have configured FreeOTFE to use your token via the "PKCS#11" tab on the Options dialog ("View | Options...")

See the section on Security Token/Smartcard Support for further details


Q: How do I change the password on a volume/keyfile which is secured with a PKCS#11 secret key?

A: To change the password on a volume/keyfile which is secured with a PKCS#11 secret key:

  1. Decrypt the volume's CDB/keyfile using the token's secret key:
    1. Go to "Tools | PKCS#11 token management..."
    2. Select the "Secret keys" tab
    3. Select the appropriate secret key
    4. Click "Decrypt", and select your volume/keyfile
  2. Change the password on it
  3. Re-encrypt the keyfile/volume's CDB using the token's secret key, using the "encrypt" function on the PKCS#11 token management dialog


Q: Can I use more than one security token with FreeOTFE?

A: Yes! FreeOTFE supports as many security tokens as you've got!

You can even use different tokens to mount different volumes, or the same token to mount multiple volumes, all at the same time if you wish!

The only caveat is that your PKCS#11 library provider may only support a certain number of security tokens being plugged in at the same time (typically up to 16 tokens may be used simultaneously).


Q: Why don't all of my volumes automatically dismount when I remove my security token?

A: First, please check that you have configured FreeOTFE to autodismount volumes on token removal by:

  1. Go to "View | Options..."
  2. Select the PKCS#11 tab
  3. Ensure that the "Auto dismount PKCS#11 volumes when associated token is removed" option is checked

If you dismount, then remount, your volumes with your PKCS#11 token, they should be dismounted when it is removed.

Please note that only those volumes which were mounted with the removed token will be automatically dismounted.

More than one token may be used at the same time; again, only those volumes mounted with the removed token will be automatically dismounted.


Q: (Windows Vista only) Why do I get "unidentified program wants access to your computer" prompts when using FreeOTFE?

(This FAQ is only applicable when running under Windows Vista and later; it is not relevant for other operating systems)

A: Windows Vista incorporates a new security system called "User Account Control" (UAC), which is there to help prevent malicious software from doing things which could be harmful to your computer.

Whenever you attempt to use any part of FreeOTFE's functionality which Windows considers a malicious program could use to cause harm, Windows displays this dialog (called the "consent/credential" dialog), and asks you if you would give your permission for it to continue. You will be shown this dialog even if you are logged on as an Administrator.

The same type of dialog will appear when you attempt to (for example) go to the Windows Control Panel, select "Date and Time", and then attempt to change the computer's time or date.

Because the FreeOTFE executable does not have a digital signature that Windows recognises, this dialog claims that "An unidentified program wants access to your computer". This is perfectly normal, and part of Vista's system to help protect you. If you would like to check that your copy of FreeOTFE is an original, you may do so by checking the hashes/signatures available from the FreeOTFE WWW site.

These prompts form part of Windows Vista's "User Account Control" (UAC) system, which you can find out more about from the Microsoft WWW site.


Q: (Windows Vista only) Why does FreeOTFE prompt me to enter my Administrator's password?

(This FAQ is only applicable when running under Windows Vista and later; it is not relevant for other operating systems)

A: FreeOTFE doesn't ask you to enter an Administrator's password; it has no use or need for this information. Windows Vista, however, will prompt you to enter an Administrator's password whenever you are logged in as a "standard" (i.e. non-Administrator) user, and attempt to carry out any operation which it deems could be harmful to your computer.

If you are happy for FreeOTFE to carry out the operation you requested of it, you should select the relevant option from the consent/credential dialog, and enter the appropriate Administrator's password to allow FreeOTFE to proceed.

Those operations which require an Administrator's explicit approval before Windows Vista will permit you to carry them out are marked in FreeOTFE with a "shield" icon.

It should be emphasised that it is Windows Vista itself which is generating these prompts, and not FreeOTFE, which will have no access to the password you type in.

These prompts form part of Windows Vista's "User Account Control" (UAC) system, which you can find out more about from the Microsoft WWW site.


Q: (Windows Vista only) How do I stop the Windows Vista "consent/credential" (UAC) dialog from being displayed?

(This FAQ is only applicable when running under Windows Vista and later; it is not relevant for other operating systems)

A: To prevent the UAC dialogs from being shown when using FreeOTFE (and all other applications), you can disable UAC by carrying out the following steps:

  1. Click on the "Start" button, and then select "Control Panel"
  2. Double-click "User Accounts"
  3. Click on "Turn User Account Control on or off"
  4. Make sure that the "Use User Account Control (UAC)" checkbox is unchecked
  5. Click "OK"
  6. Restart your computer


Q: (Windows Vista only) I have problems starting any of the drivers under the 64 bit version of Windows Vista/Windows 7 - what's wrong?

(This FAQ is only applicable when running under Windows Vista and later; it is not relevant for other operating systems)

A: The 64 bit versions of MS Windows Vista and MS Windows 7 both require driver signing; please see the section on installing FreeOTFE on Windows Vista x64 and Windows 7 x64.


Q: (Windows Vista only) What are the little "shield" icons shown next to some menuitems?

(This FAQ is only applicable when running under Windows Vista and later; it is not relevant for other operating systems)

A: Functions marked with a "shield" icon require Administrator privileges in order to use them. This requirement is imposed by Windows for your security; more information can be found on the Microsoft WWW site.




FreeOTFE4PDA Specific (PDA)


Q: I created my volume file using the PDA version of FreeOTFE and can mount it on my PC - but why does it keep asking if I want to format it?

A: When you created your volume on your PDA, your PDA fully formatted the volume as though it was a new device - not just a partition on a device.

In order for a volume to be mounted and used correctly on both a PDA and PC, it should be created and formatted using a PC as a FAT volume, and subject to the maximum volume size your PDA can support (see FAQ on volume sizes). This will ensure it can be read on all systems.


Q: I created a volume on my PC, and can mount it successfully on my PDA - but can't see any of my files!

A: The chances are that you formatted your volume on your PC using NTFS, and your PDA doesn't support this filesystem.

Volumes which are to be used on a PDA should normally be formatted as FAT or FAT32; this should be carried out on a PC, not a PDA (see related FAQ).

Please note also that FAT32 can only support volumes up to 4GB less one byte.


Q: How can I speed FreeOTFE up when mounting my volumes?

A: For security reasons, FreeOTFE doesn't store any information relating to which hash/cypher combination was used to encrypt a FreeOTFE volume.

As a result, FreeOTFE is forced to cycle through all of its possible hash/cypher combinations in order to determine which one to use. Reducing the number of combinations it has to check can significantly reduce the time this takes.

To reduce the number of combinations, without making any difference to the level of security FreeOTFE offers, simply disable any redundant cypher/hash implementation drivers. For example, disable one of:

  • FreeOTFE4PDACypherAES_Gladman.dll
  • FreeOTFE4PDACypherAES_ltc.dll

and any two of:

  • FreeOTFE4PDACypherTwofish_Gladman.dll
  • FreeOTFE4PDACypherTwofish_HifnCS.dll
  • FreeOTFE4PDACypherTwofish_ltc.dll

Please see Advanced Topics, "Enabling/Disabling Hash/Cypher Algorithms" section, for instructions on how to enable/disable hash/cypher drivers.

(Please see the FAQ on duplicated drivers for an explanation as to why multiple implementations are included in the release)

The mount time can be reduced even more dramatically by disabling all of the hash/cypher drivers except for the ones which you have secured your data with. This however could decrease the level of security offered, as doing so would make it pretty clear to any attacker which combination you've used - though it's debatable whether this loss in security will actually be of any practical value to an attacker.

To speed things up even further, you could drop the number of key iterations your volume is secured with. This isn't particularly recommended, but might help some users...
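The mount-time search described above, modelled in Python as an added example (not FreeOTFE's own code): the toy container stores a salt and a verifier but, like a FreeOTFE CDB, no record of which hash/cypher was used, so mounting must try every enabled (hash driver, cypher driver) pair, and each trial costs one full PBKDF2 run with the volume's iteration count. The five cypher driver names are the ones listed above; the hash driver names and the PBKDF2/HMAC verifier scheme are assumptions of the model.

```python
import hashlib
import hmac
import itertools
import os

# Constructed driver table: driver file -> (kind, algorithm it implements).
# The five cypher driver names are the ones listed in the FAQ; the two hash
# driver names are hypothetical. Several drivers implement the same algorithm.
DRIVERS = {
    "FreeOTFE4PDACypherAES_Gladman.dll":     ("cypher", "aes"),
    "FreeOTFE4PDACypherAES_ltc.dll":         ("cypher", "aes"),
    "FreeOTFE4PDACypherTwofish_Gladman.dll": ("cypher", "twofish"),
    "FreeOTFE4PDACypherTwofish_HifnCS.dll":  ("cypher", "twofish"),
    "FreeOTFE4PDACypherTwofish_ltc.dll":     ("cypher", "twofish"),
    "HypotheticalHashSHA256.dll":            ("hash", "sha256"),
    "HypotheticalHashSHA1.dll":              ("hash", "sha1"),
}

def combinations(enabled):
    """Every (hash driver, cypher driver) pair a mount may have to try."""
    hashes = [d for d in enabled if DRIVERS[d][0] == "hash"]
    cyphers = [d for d in enabled if DRIVERS[d][0] == "cypher"]
    return list(itertools.product(hashes, cyphers))

def without_redundant(enabled):
    """Keep one driver per algorithm: the same algorithms stay available, so
    security is unchanged, but there are fewer combinations to try."""
    kept = {}
    for d in enabled:
        kept.setdefault(DRIVERS[d], d)   # first driver seen for each algorithm
    return sorted(kept.values())

def create_container(password, hash_alg, cypher_alg, iterations, salt=None):
    """Toy stand-in for a CDB: a salt plus a verifier, with NO record of which
    hash/cypher was used (as with a real FreeOTFE volume)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac(hash_alg, password, salt, iterations, 32)
    # Stands in for "decrypt the CDB with the cypher and check its checksum".
    verifier = hmac.new(key, cypher_alg.encode(), "sha256").digest()
    return {"salt": salt, "verifier": verifier}

def mount(container, password, enabled, iterations):
    """Try each enabled combination in turn. Returns the first matching
    (hash driver, cypher driver) pair (or None) and how many PBKDF2 runs
    were spent, which is the dominant cost on a low-powered PDA."""
    kdf_runs = 0
    for hash_drv, cypher_drv in combinations(enabled):
        hash_alg, cypher_alg = DRIVERS[hash_drv][1], DRIVERS[cypher_drv][1]
        key = hashlib.pbkdf2_hmac(hash_alg, password, container["salt"],
                                  iterations, 32)
        kdf_runs += 1
        check = hmac.new(key, cypher_alg.encode(), "sha256").digest()
        if hmac.compare_digest(check, container["verifier"]):
            return (hash_drv, cypher_drv), kdf_runs
    return None, kdf_runs

if __name__ == "__main__":
    everything = list(DRIVERS)
    trimmed = without_redundant(everything)
    vol = create_container(b"correct horse", "sha1", "twofish", 2048)
    print("all drivers:", len(combinations(everything)), "combinations,",
          mount(vol, b"correct horse", everything, 2048)[1], "KDF runs")
    print("deduplicated:", len(combinations(trimmed)), "combinations,",
          mount(vol, b"correct horse", trimmed, 2048)[1], "KDF runs")
```

Each KDF run costs the volume's full iteration count, which is why lowering the iteration count also speeds mounting, at the cost of making password guessing proportionally cheaper.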


Q: Does the PDA version support Linux volumes?

A: Yes!

FreeOTFE4PDA v4.0 and later support LUKS volumes.

A front-end interface to allow support for other Linux encrypted volumes is currently being implemented, and will appear in a later release.


Q: Why does FreeOTFE4PDA's version numbering skip from v0.55 to v2.00; what happened to v1.00?

A: FreeOTFE4PDA's version number was incremented to v2.00 in order to match the PC version of FreeOTFE, with which FreeOTFE4PDA shares a fair amount of common code.

A specific "v1.00" was never released, although there were a fair number of non-public versions released between v0.55 and v2.00 to various people to help with testing and confirm compatibility.


Q: Why does FreeOTFE4PDA's version numbering skip from v3.76 to v5.00; what happened to v4.00?

A: FreeOTFE4PDA's version number was incremented to v5.00 in order to better reflect that its level of functionality was on a par with the PC version with the same version number, after support for encrypted Linux volumes and language translations were added in v5.00.

A specific "v4.00" was never released, although there were a fair number of non-public versions released between v3.76 and v5.00 to various people to help with testing and confirm compatibility.


Q: When I use the "open" dialog to select my volume file/keyfile, it doesn't list the file I'm trying to specify - even when I select "All files" - where is it?

A: The standard Windows Mobile "open file" dialog is a little odd; this isn't just restricted to FreeOTFE!

Although FreeOTFE allows you the freedom to use any filename you wish, only files which have a filename extension (i.e. where the filename has a full stop followed by one or more letters) will be listed in the "open file" dialog, even if you select the "All files" display option.

Furthermore, this dialog will only display those files located in the following places:

  • Any subdirectory immediately beneath the root directory of a storage card
  • Files in the "My Documents" directory on your PDA
  • Files in any subdirectory immediately underneath your "My Documents" directory
The simplest solution is to rename your file, and move it into one of the directories indicated above.

Alternatively, you can still specify your file by simply typing its full path and filename into the relevant entry box, instead of clicking "..." and using the "open file" dialog to select it.

Note that you don't need a filename extension, and can store volume/key files anywhere on your PDA. Conforming to the above restrictions allows you to use the "open file" dialog to select your files, and does not affect FreeOTFE's operation in any way.


Q: How can I reduce the amount of storage space FreeOTFE4PDA takes up when installed?

A: The easiest way of reducing FreeOTFE4PDA's installed "footprint" is to delete its user documentation from your PDA (i.e. everything in the "docs" subdirectory).

You don't (or at least, shouldn't!) really need this documentation as FreeOTFE4PDA is a pretty straightforward application to use - and if you do find you want to refer to it occasionally, tapping on "Help | User guide" will take you to the online version if a local copy cannot be found.

It is recommended that you keep a copy somewhere though; on your desktop PC, if nowhere else.

You can further reduce the amount of storage taken up by deleting any unused cypher and hash drivers; this will also increase the speed at which FreeOTFE4PDA will mount volumes. (See FAQ: "How can I speed FreeOTFE up when mounting my volumes?" for further details on how to do this)

If you don't need any of the language translations (or only need one of them), deleting the translations you don't need from the "locale" subdirectory can free up a small amount more storage.


Q: Why do I get the message "Unable to locate local copy of user guide; would you like to see the latest version on the Internet?" when I try to view the user guide by selecting "Help | User guide"?

A: FreeOTFE4PDA attempts to locate a local copy of the user guide stored with the executable. If this is not found, it will fall back to offering to show you the latest version on the FreeOTFE WWW site.

To prevent this, please place a copy of the "docs" directory included with the release into the same directory as your "FreeOTFE4PDA.exe" executable (i.e. such that you have a "docs" subdirectory in the same directory as the "FreeOTFE4PDA.exe" executable on your PDA).


Q: When I try to mount a volume, I sometimes get the error: "Mount failed; the virtual storage device could not be activated at this time"

A: If you see this error message, you have correctly entered all the details needed for FreeOTFE4PDA to mount your encrypted volume, but Windows Mobile has failed to activate the FreeOTFE4PDA virtual storage device.

This error appears to be related to the wireless functions (mobile phone/wifi/bluetooth) of these particular devices; turning off wireless functionality (and possibly carrying out a soft-reset of the device) can resolve this issue.

This issue has been reported to affect the following devices:

  • T-Mobile Vario (WM v5.1.195 (Build 14847.2.0.0))
  • MDA Vario II/HTC TyTn (WM v5.1.195 (Build 14955.2.3.0))
  • O2 Exec/QTEK 9000 (WM v5.1.195 (Build 1487.2.0.0))
  • Fujitsu Siemens Loox T830 (WM v5.1.195)

A version of FreeOTFE4PDA which should resolve this issue is currently under development and will appear in a later release.


Q: Which PDAs will FreeOTFE4PDA work with?

A: FreeOTFE4PDA has been tested with various Windows Mobile 2003/2005 and Windows Mobile 6 devices, and should work with all Windows Mobile 2003 and later PDAs.

Smartphones which do not have a touchscreen may not display FreeOTFE4PDA's interface correctly though. Smartphones which do have a touchscreen can use FreeOTFE4PDA.


Q: What does the "Support WM 5.0 soft keys" option do?

A: Under Windows Mobile 5.0 and later, you have the option of displaying FreeOTFE's menus and Wizard navigation using the new style two-item "softkey" menus. This is the "Microsoft standard" for Windows Mobile 5 (and later) applications, and is designed to allow users with "softkeys" (i.e. smartphones with two buttons, left and right, below their display) to navigate more quickly and easily.

Alternatively, you can still opt to use the older "menu and toolbar" style used with Windows Mobile 2003 (second edition) and earlier.

Here is a sample of what the different menus look like:

[Screenshots: "Menu and toolbar style" menubar and menuitems; "WM 5.0 softkey" menubar and menuitems]

You can change this setting by going to "Tools | Options".

If you have a PDA which runs Windows Mobile 2003 (second edition) or earlier, your PDA does not support this new style menu.


Q: I don't like the new two-item menus at the bottom of my display - how do I change them back to the older toolbar style menu?

A: The "Microsoft standard" for Windows Mobile 5 (and later) applications is to employ a two-item menu at the bottom of the display, as opposed to using a similar style menu as is found on desktop PCs running MS Windows.

This is to allow users with "softkeys" (i.e. smartphones with two buttons, left and right, below their display) to navigate more quickly and easily.

Of course, as with all user interfaces, there's always someone who doesn't like it! FreeOTFE4PDA does give you the option to change back to the older style though; simply tap "Menu | View | Options" and uncheck the "Support WM 5.0 soft keys" option.

(See also FAQ: What does the "Support WM 5.0 soft keys" option do?)


Q: I don't like the multi-item menubar/toolbar at the bottom of FreeOTFE4PDA's display - how do I get it to use the newer two-item style (softkey) menus instead?

A: The two-item menu at the bottom of the display is the "Microsoft standard" for Windows Mobile 5 (and later) applications, and is designed to allow users with "softkeys" (i.e. smartphones with two buttons, left and right, below their display) to navigate more quickly and easily.

If you have a PDA which runs Windows Mobile 2003 (second edition) or earlier, your PDA does not support this new style menu.

However, if you are running Windows Mobile 2005 or later, you can enable the two-item style menu by simply tapping "Menu | View | Options" and making sure the "Support WM 5.0 soft keys" option is checked.

(See also FAQ: What does the "Support WM 5.0 soft keys" option do?)


Q: Can I use my PC volumes with the PDA version?

A: Yes!

See FAQ Can I use the same encrypted volumes on both my PC and PDA?


Q: I upgraded to the latest version of FreeOTFE4PDA; can I still mount my old volumes?

A: Yes, you can!

It should be noted that v3.75 and later only have the SHA hash and AES cypher drivers enabled by default. If your volume was secured using a different hash/cypher algorithm, please enable the required drivers by following the procedure described in Advanced Topics, under "Enabling/Disabling Hash/Cypher Algorithms".


Q: I would like to use hash/cypher XYZ, why doesn't it appear as an option?

A: The most likely reason is that XYZ has been disabled within FreeOTFE4PDA; please see Advanced Topics, "Enabling/Disabling Hash/Cypher Algorithms" section, for how to enable/disable hash/cypher algorithms, and show XYZ as an option.


Q: How do I enable hash/cypher XYZ?

A: See Advanced Topics, "Enabling/Disabling Hash/Cypher Algorithms" section.




FreeOTFE Explorer Specific


Q: Does FreeOTFE Explorer support drag and drop with MS Windows Explorer?

A: Yes - FreeOTFE Explorer supports dragging files and folders from MS Windows Explorer to FreeOTFE Explorer, but doesn't currently support dragging files from FreeOTFE Explorer to MS Windows Explorer.


Q: What filesystems does FreeOTFE Explorer support?

A: FreeOTFE Explorer supports volumes using the FAT12, FAT16 and FAT32 filesystems. Support for other filesystems is currently under development.


Q: Does FreeOTFE Explorer try to connect to the internet?

A: No - not unless you configure it to do so; see the FAQ "Does FreeOTFE try to connect to the internet?"


Q: How do I securely overwrite files stored on a flash drive?

A: FreeOTFE Explorer includes (optional) functionality to overwrite files as they are moved into an encrypted volume, or on demand, to destroy plaintext (non-secured) copies.

This works well for destroying files stored on a normal (magnetic) hard drive; however, many flash drives employ "wear levelling" to reduce wear and prolong their useful life. This can cause overwrite data to be written to locations on the device other than where the data to be overwritten is stored.

As a consequence, most (if not all) file overwrite tools are not able to overwrite files stored on such flash drives - even though they may report that they have operated successfully.

To securely overwrite files on flash drives, please delete them as normal - and then overwrite all remaining free space available on the device.

This will prevent any form of wear levelling from redirecting overwrite data to other parts of the disk, and guarantee a successful overwrite.


Q: How do I get FreeOTFE Explorer to display filename extensions for all files?

A: Like MS Windows Explorer, FreeOTFE Explorer defaults to hiding filename extensions for "known file types".

To configure FreeOTFE Explorer to display filename extensions for all files, please set your options as follows:

  • Select the "View | Options..." menuitem.
  • Select the "Advanced" tab
  • Unselect the "Hide extensions of known file types" option


Q: Can FreeOTFE Explorer run under Linux?

A: Yes - FreeOTFE Explorer can be used under Linux when run under Wine.