FreeOTFE logo FreeOTFE
Free disk encryption software for PCs and PDAs
(PDA version of WWW site)

Contents

FAQ

Contents

General

PC Version Specific

PDA Version Specific

General
Q: Is FreeOTFE based on CrossCrypt?

A: The answer to that is an emphatic NO! FreeOTFE and CrossCrypt are two completely separate projects, written by completely different people.

It's easy to see why users may get the idea that FreeOTFE is based on CrossCrypt; CrossCrypt was released first, and the CrossCrypt's GUI (CrossCryptGUI) looks practically identical to FreeOTFE's interface.

The reality is that CrossCrypt itself is a command line based OTFE system; it has no GUI. CrossCryptGUI was a project I created to provide a GUI to CrossCrypt to improve its ease of use.

In actual fact, far from FreeOTFE looking a lot like CrossCryptGUI, it's actually the other way around - CrossCryptGUI looks a lot like FreeOTFE! The Delphi GUI to FreeOTFE was already developed before CrossCrypt was released. For the sake of expediency, I dropped the CrossCrypt Delphi component I wrote into FreeOTFE's GUI, hijacking it to produce CrossCryptGUI; a cannibalized version of the FreeOTFE interface.

The cyphers supplied with the first public release of FreeOTFE (v00.00.01) were the same as those used by CrossCrypt. Originally I had planned to release the first beta of FreeOTFE for compatibility testing with only the NULL, XOR, DES and AES cyphers; these apparently being the most common cyphers used with Linux volumes. After CrossCrypt was released (which uses AES and Twofish) DES was the only cypher in the above list I had not implemented. I decided to switch from DES to Twofish in order that people without Linux could easily use CrossCrypt to verify that FreeOTFE was operating correctly with AES and Twofish volumes (and vice versa; benefiting both systems).

Since its initial release, FreeOTFE has seen significant developments, including support for many more hashes, cyphers, and other options.

Q: Is FreeOTFE based on Linux's "losetup"?

A: No, FreeOTFE is a completely separate project in its own right. It was only after I realised how "simple" Linux encrypted losetup volumes are (they are nothing more than an encrypted partition image), that I added support for them into FreeOTFE.

Having said that the format of losetup volumes are "simple" - have you any idea how many different options, combinations, etc it has?! Each option on its own may be relatively simple, but there are a fair number of them...! (See the relative complexity of the FreeOTFE's Linux mount dialog - you have to tell it everything!)

Q: Right now, FreeOTFE supports losetup volumes; do you have any plans to include support for DriveCrypt, BestCrypt, etc volumes?

A: This is unlikely to happen as there is no standard for OTFE volume files (each system uses its own layout). Since adding support for other OTFE systems is non-trivial, and few OTFE systems have released proper technical documentation into the public domain, it may be awhile before such support is added

Q: When I mount a FAT/FAT32 formatted Linux volume under FreeOTFE everything works perfectly. When I do the same with my ext2/ext3/RiserFS/etc volume, I can't see my files!

A: FreeOTFE does one thing: when a volume file is mounted, FreeOTFE presents a new storage device to the operating system.

Like all OTFE systems, it has no comprehension at all of what FAT/FAT32/NTFS, let alone ext2/ext3/etc - this understanding lies well outside the scope of an OTFE system, and is the responsibility of the filesystem drivers installed.

Although MS Windows does come with filesystem drivers for FAT/FAT32/NTFS, it does not (natively) support other filesystems such as ext2.

As a result, in order to read/write to your encrypted Linux volumes under MS Windows, you will need to either:
  1. Format the volume under Linux using one of the filesystems MS Windows understands (e.g. FAT), or
  2. Install 3rd party software on your MS Windows system, which provides the filesystem (e.g. ext2) that you wish to use
Q: Why do the Linux examples for LUKS/dm-crypt volumes show "losetup" being used twice?

A: This actually has nothing to do with FreeOTFE(!), but appears to be an oddity with "mkdosfs"/dm-crypt.

Although this section of the documentation shows: 
losetup /dev/loop1 /dev/mapper/myMapper
mkdosfs /dev/loop1
you should be able to simply use: 
mkdosfs /dev/mapper/myMapper
However, when this section of the documentation was written and tested (under Fedora Core 3, with a v2.6.11.7 kernel installed and using cryptsetup-luks v1.0), this shorter (and more sensible) version resulted in mkdosfs generating the following error: 
# mkdosfs /dev/mapper/myMapper
mkdosfs 2.8 (28 Feb 2001)
mkdosfs: unable to get drive geometry for '/dev/mapper/myMapper'
YMMV, though you may well find that formatting the volume with a different filesystem will remove the "double loop" issue. (Please note though, that if you are intending to encrypted volumes which don't use FAT/NTFS under MS Windows, you will need a suitable filesystem driver)

Q: FreeOTFE comes with a set of command line decryption utilities! Can't anyone just decrypt my data?

A: The decryption software included with FreeOTFE is completely useless without the password used to encrypt your data. And anyone with that information can decrypt your data anyway!

The command line decryption utilities are not some form of "password cracking" tool - far from it; they actually act to increase your security by allowing you to verify that encryption is actually taking place.

Q: When I mount a volume and then view its properties under FreeOTFE, it states that the hash algorithm used is "n/a" - but I used a hash algorithm!

A: The hash algorithm shown is the one used to generate sector IVs. If the sector IV generation method used does not require the use of a hash algorithm (see the "Sector IVs" item on this dialog), "n/a" will be displayed for the hash algorithm.

This is separate from any hash algorithm used to process your password, which in the case of FreeOTFE volumes can be seen in the output file of a CDB dump (select "Tools | Critical data block | Dump to human readable file..."), or in the case of Linux volumes, is specified at time of mounting.

Q: FreeOTFE is currently available for free - are you intending to "sell out" later, and start charging for it once enough users have been "hooked" on it?

A: NO! ABSOLUTELY NOT! FreeOTFE is free, and will always be free. As much as anything else, it would look a little silly if people had to pay for "FreeOTFE"! ;)

Seriously though, I have no intention in turning FreeOTFE into a commercial product.

The nearest that I may do is request donations. This would, of course, be fully voluntary.

Q: What about klonsoft's "LockDisk"? Isn't that a paid-for package which is based on FreeOTFE?

A: "LockDisk" is an unlicensed (and unlicensable) commercial rip-off of FreeOTFE. It's based on FreeOTFE's source code (and only a beta version at that!) and, because it's closed-source, is in direct violation of FreeOTFE's licence.

I have nothing to do with "LockDisk", nor any involvement in its creation.

Personally, I would strongly recommend against using "LockDisk":
  • It has less functionality than FreeOTFE
  • It's closed source; there's no way of knowing how secure it is, or what it does
  • The "free" version is severely crippled (only permitting 35MB volumes)
  • It is not possible to (legally) obtain a licence for it
  • It's based on a pretty old (v0.59 BETA) version of FreeOTFE
  • And for all this, you have to pay for it(?!!)
I could list another few dozen reasons for not using "LockDisk", but I think you get the picture - FreeOTFE is simply better!

Q: FreeOTFE may always be free, but will an "enhanced" version (which is charged for) with extra features be released (perhaps under a different name)?

A: Personally, this sounds a lot like the "selling out" idea above - if such a "paid for" version was to be released, FreeOTFE development may become at risk of stalling, ceasing completely, or omitting particularly useful features. This would have practically the same effect as making FreeOTFE a paid-for commercial system.

Q: How can I be sure that there are no backdoors in FreeOTFE?

A: Review the source code to your satisfaction, and build your own (see section Building FreeOTFE)

This is strongly recommended, and the best way of ensuring that the software is not compromised.

However, this is not always practical (many people are not familiar with how to read source code, or lack the required tools to build their own). In which case, if you trust the author, and the system on which the release was built on, then you may prefer to simply check the SHA-1 and PGP signatures associated with the binary release.

Q: By examining a FreeOTFE/encrypted Linux volume file, can anyone tell what it is?

A: Neither FreeOTFE nor encrypted Linux volumes have any kind of "signature" that would allow an attacker to identify them for what they are.

In particular, the "critical data block" in every FreeOTFE volumes is encrypted, and as such it is not possible to identify it for what it is

Q: What is "plausible deniability?"

A: See the documentation section on "Plausible Deniability" for details.

Q: Is FreeOTFE vulnerable to "watermarking" attacks?

A: No; as long as ESSIV mode is used (see the "Create new volume" wizard, encryption settings step), such attacks will not succeed.

Q: What to the numbers and letters after a hash name mean?

A: When required to choose which hash you wish to use, FreeOTFE will present you with a list of all hashes that are provided by the FreeOTFE drivers installed. These lists will display hash names in the format:
<hash name> (<hash length>/<block size>)
Note: The hash length and block sizes shown are in bits, not bytes.

For example:
SHA-512 (512/1024)
This indicates that the hash used is SHA-512, which generates 512 bit hash values, and processes data in 1024 bit blocks.

If the hash length shown is zero, then the hash generates no output.
If the hash length shown is "-1", then the length of the hash values returned can vary.

If the block size is "-1", then the hash processes data using a variable block size.

Typically, when presented with a selection of different hashes to choose from, you will see a "?" or "..." button next to the list; clicking this button will display full details on the driver.

Q: What to the numbers and letters after a cypher name mean?

A: When required to choose which cypher you wish to use, FreeOTFE will present you with a list of all cyphers that are provided by the FreeOTFE drivers installed. These lists will display cypher names in the format:
<cypher name> ([<mode>; ] <key size>/<block size>)
Note: The key and block sizes shown are in bits, not bytes.

For example:
AES (CBC; 256/128)
This indicates that the cypher is AES, operating in CBC mode with a key size of 256 bits and a block size of 128 bits.

If the key size shown is zero, then the cypher does need take a key (password) to carry out encryption (e.g. the "Null" test cypher).
If the key size shown is "-1", then the cypher can accept keys of arbitrary size.

If the block size is "-1", then the cypher encrypts/decrypts arbitrary block size.

Typically, when presented with a selection of different cyphers to choose from, you will see a "?" or "..." button next to the list; clicking this button will display full details on the driver.

Q: What is the largest volume that I can create?

A: On a PC, the largest volume supported is theoretically 2^64 bytes (16777216 TB; 17179869184 GB). For fairly obvious reasons, I have not had the opportunity to test a volume this size!

In practice however, limitations with the filesystem that the volume file is to be stored upon may prevent this limit from ever being reached.

On a PDA, the largest volume supported is 2^32 (4GB). This is due to your limitations with your PDA.

Q: Help! I forgot my password! I know it was something like...

A: Oops. That was silly of you, wasn't it?

If you've secured your volume with something like AES, then you can pretty much kiss goodbye to your data.

If you know what most of your password is though, then you could certainly write an application which would carry out a brute force attack on your volume, assuming those known characters. How long this would take to run would depend on the cypher used, the strength of your password, and how much you remember of it.

Note: This is not a security risk; that last comment equally applies to pretty much any OTFE system which has been implemented correctly.

Q: Which cypher modes does FreeOTFE support?

A: With the exception of the NULL and XOR cyphers, FreeOTFE uses CBC mode and has the flexibility for other modes to be easily added by simply changing drivers.

Q: How safe is FreeOTFE?

A: FreeOTFE is about as pretty much just as safe as writing directly data to your hard drive, without FreeOTFE encrypting it (see also the FAQ: "What happens if my volume file is corrupted or damaged in some way? Will I lose all my data?")

If you forget your password however, then by definition you will not be able to recover your data (see also the FAQ: "Help! I forgot my password! I know it was something like...")

Q: What happens if my volume file is corrupted or damaged in some way? Will I lose all my data?

A: As with pretty much all OTFE systems, if you were to corrupt a FreeOTFE volume is some way, the damage your data would receive would be about the same as if you had stored it directly on your hard drive, without FreeOTFE encrypting it.

For example: If you mount a FreeOTFE volume file and then write a byte of data, at random, to somewhere on that mounted drive, the effect would be exactly the same as if you had randomly written the same byte to a real hard drive.

On the other hand, if you were to write a byte to data to a random location within an umounted FreeOTFE volume, then the amount of damage caused would dependant on where that byte was written:
  1. If the volume file was created with a critical data block (CDB) at the start of it, and the byte was written to the first 512 bytes of the volume file (where the CDB is located), then the volume would be unmountable, unless you had made a backup of this area of your volume, or created a keyfile - in which case, you could restore from your backup/mount from your keyfile, and continue as if nothing had happened.
  2. If the volume file was created without a critical data block, or the byte was written to any other part of your volume file, then the sector that corresponded to the location that the byte was written to would be corrupted from approximately the point the byte was written, to the end of that sector; a maximum of 512 bytes.
To protect against (1), FreeOTFE included functionality to backup a volume's CDB (see "Tools | Critical data block... | Backup..."), and to create keyfiles (see "Tools | Create keyfile...")
Should case (2) occur, the damage to your volume would be minimal (up to a maximum of 512 bytes), and restricted to the sector that was corrupted.

Q: If someone steals my keyfile, will they be able to decrypt my data and read it?

A: No, not unless they have the keyfile's password as well.

Keyfiles are encrypted. Without the password used to encrypt it, a keyfile is pretty much just a useless block of random data.

Q: When selecting a cypher to use, why do the same cyphers appear multiple times?

A: This is because you have more than one version of a particular cypher driver installed. See also: Why are there duplicated cypher drivers?

Q: Why are there duplicated cypher drivers?

A: The "duplicated" drivers implement the same algorithms, but are built from different crypt libraries. For example, there are three Twofish drivers; one based on the Hi/fn and Counterpane Systems Twofish implementation, another which uses the libtomcrypt implementation, and a third which relies on the Gladman implementation.

They redundant drivers are primarily intended to allow verification of the implementations and increase confidence that they're actually doing what it's supposed to do.

These duplicated drivers do exactly the same thing. It is recommended that if you wish to use a cypher which has multiple supplied drivers, that you uninstall one of them. (See also: Which of the duplicated drivers should I use?)

Q: Which of the duplicated drivers should I use?

A: It doesn't particularly matter too much; they both do exactly the same thing, but are based on different implementations.

Simply choose one and uninstall the other.

Q: Can FreeOTFE generate keyfiles which only allow read only access?

A: Not at present, though if I receive enough requests for it, I may add this functionality.

Until then, it should be borne in mind that anyone with a "read only" keyfile has, pretty much by definition, a copy of your master key and so has the potential to modify their "read only" keyfile, turning it into a "read-write" keyfile.

i.e. It is debatable how much use this functionality has; certainly it should not be relied upon to prevent users from gaining write access to your volume files.

Q: Can I use the same encrypted volumes on both my PC and PDA?

A: Yes - you can!

However, please create your volume using the PC version of FreeOTFE; volumes created using the PDA version will include additional partition information which will not be understood by your PC.

Q: When creating a new volume, how do I enable the sector IV options?

A: Sector IVs are only used with cyphers using CBC mode; to enable the sector IV options, select an encryption algorithm which operates in CBC mode.

If you select a cypher which uses either LRW or XTS, the IV options are automatically disabled as these algorithms don't use them.

Q: Is FreeOTFE vulnerable to "Cold Boot Attacks on Encryption Keys" (aka "DRAM attacks")?

A: No, it isn't - assuming common sense is used.

Description

A "cold boot attack" involves rebooting a computer which has been handling sensitive information, and dumping contents of its memory out to a disk in order to try to examine information stored in memory immediately prior to rebooting. This form of attack is detailed at http://citp.princeton.edu/memory/

This attack is nothing new, and has been well known for a long time; despite the disproportionate amount of attention it's now getting.

Solution

If you mount an OTFE volume, and simply walk away from your computer, the encryption keys used to secure your volume will be held in your computer's physical memory (obviously). If someone reboots your computer at that point, there is a risk they could successfully recover your encryption key.

However, it is not generally recommended that you simply walk away from your computer while you have volumes mounted - if anyone can come along and attempt to launch the above attack, THEY CAN SIMPLY READ THE CONTENTS OF YOUR ENCRYPTED VOLUME DIRECTLY ANYWAY!

If you dismount your volumes after using them, the FreeOTFE driver overwrites all sensitive data (key information, etc) that it holds before releasing it - which should prevent the above attack.

If you suddenly press your computer's power off button or reset it (i.e. using the physical "power off" button on the front of its case) while a volume is mounted, then an attacker could theoretically dump out your encryption keys using this attack. Please note that:

  1. All encryption systems are susceptible to this attack, since they have to store encryption keys in memory in order to use them
  2. Regardless of whether you use any form of disk encryption or not, it is not recommended that you do power off/reset your computer without first shutting down cleanly via the "Start -> Turn off computer"!

To prevent this attack in the situation described above, ensure that the computer remains powered off for several minutes after it is turned off in order for the contents of RAM to effectively "bleed away"

Summary

In summary, to completely remove the threat of this attack against your encryption keys:

  1. Dismount volumes after you have used them
  2. If you must power off your computer while one or more volumes are mounted: prevent anyone from powering it back on and dumping it's memory out for at least the first few minutes after it was powered off (or the first 15-20 minutes if they open up the case and spray coolant on the memory chips)
In short - just use common sense.

Notes

It should be noted that this attack is not limited in any way to disk encryption systems. The focus on these systems by the authors of the above paper is a red herring. Essentially the attack consists of attempting to take a snapshot of the PC's memory at the time it was reset, which can then be picked over at leisure. Any encryption system can be attacked in this way.

Furthermore, because this attack may allow whatever was in the computer's memory at the point it was rebooted to be recovered, it should also be noted that any information that applications had in memory at the time the computer is reset (e.g. a document open in MS Word, or image being displayed on the screen) may potentially be recovered. Disk encryption systems encrypt data stored on disks - not in RAM.

Q: Does FreeOTFE have any form of password recovery?

A: Yes; FreeOTFE keyfiles can be used to provide a form of password recovery; see the Getting Started Guide

Q: Isn't FreeOTFE's "keyfile" functionality a security risk?

A: No. In order to create a keyfile, both the volume and the volume's password (or an existing keyfile, and that keyfiles password) are required.

If an attacker already has this information, your security has already been compromised anyway.


PC Version Specific
Q: When creating a FreeOTFE volume, the wizard shows me which stage of volume creation I am currently on - but it goes haywire, and the number of stages to complete keeps changing!

A: The number of different stages to creating a new FreeOTFE volume varies, depending on what options you choose - for example, if you elect to the mouse movement to generate random data, then you will have to complete an extra step to actually generate this random data; if you switch to using the Microsoft CryptoAPI for generating random data, you can skip that step, as it is done for you automatically.

Q: Is it possible to dismount my FreeOTFE volumes when I hit a certain "hotkey"?

A: Yes; see under "View | Options..."

Q: Why can't I dismount my volume(s)?

A: The most common reason for this is because FreeOTFE cannot gain an exclusive lock on the associated drive. This is normally caused by one or more files being open on the encrypted volume.

"Normal" (non administrator) users may also have problems dismounting drives (see the TODO list this documentation)

If a volume cannot be dismounted "normally", you will be prompted if you want to forcefully dismount it; it is only recommended that volumes are dismounted in this way if all open files and documents are closed.
Q: Why are the drivers written in C, but the PC versions GUI in Delphi?!

A: Good question. The drivers are written in C as the DDK pretty much requires it. The PC GUI is in Delphi as this was the easiest for me to implement.

The PDA version of the GUI was written in C; this may be ported to the PC platform at a later date

Q: Why aren't I prompted to enter a password when creating a Linux volume?

A: This is covered in the documentation; see section relating to creating Linux volumes.

In a nutshell, creating a Linux volume only requires a file to be created of the appropriate size. It is when the volume is subsequently mounted that a password is required; the same process as when creating an encrypted Linux volume under Linux.

Q: Can I burn my volumes on a CD (or CDRW, or DVD), and mount them from there?

A: Yes; at the end of the day, volume files are just plain straight (albeit very large) files. Just ensure that when you mount them, you mount them as read only volumes, (for obvious reasons - even with CDRWs).

It is recommended that volumes which are to be written to CD are formatted using either the FAT or FAT32 filesystem. NTFS volumes will work (under Windows XP), though AFAIR Windows 2000 is unable to mount NTFS volumes read only (meaning the volume must be copied back to your HDD, the file set to read/write, and then mounted).

Q: Can I use FreeOTFE over a network?

A: Yes. By installing FreeOTFE on the computers you wish to access your data from, you can mount a volume file located on a networked server.

When mounting over a network, simply specify the UNC path (e.g. \\servername\sharename\path\volumefilename) to the volume file begin mounted.

When a volume is mounted over a network in this way, all data read/written to that volume will be sent over the network in encrypted form.

If you wish to mount a networked volume file by more than one computer at the same time, you may do so provided that they all mount the volume read only. If any computer has a volume file mounted as read/write, you should dismount all other computers (even if they were accessing the volume as read only), and ensure no other computer mounts the volume until the computer mounted as read/write has dismounted.

Q: Why do I get "Unable to connect to the FreeOTFE driver" errors?

A: This message indicates that you have either not installed the main FreeOTFE driver ("FreeOTFE.sys"), or you have not started it yet.

It is normal to see this message in the following circumstances:
  1. The first time you run FreeOTFE, when no drivers have been installed
  2. When exiting the driver installation dialog, if the main FreeOTFE driver hasn't been both installed and started.
  3. When starting FreeOTFE after installing the main FreeOTFE driver, if the driver has not been started (e.g. you rebooted, and the driver was set for manual start, as opposed to at system startup)
  4. When stopping all portable mode drivers, where the main FreeOTFE driver was started in portable mode.
  5. When exiting FreeOTFE and stopping all portable mode drivers, where the main FreeOTFE driver was started in portable mode.
To eliminate this error message, ensure that that the main FreeOTFE driver is installed and started.

To prevent this error message from being displayed when FreeOTFE is run after rebooting, set the main FreeOTFE driver to start at system startup.

The status of all installed drivers can be checked by selecting "File | Drivers..."

Q: Why do I get prompted to select a driver whenever I attempt to mount some of my FreeOTFE volume?

A: If your volume looks as though it can be decrypted by using more than one cypher/hash driver combination, you will be prompted to select which combination you wish to use.

This happens, for example, if you used Twofish or AES to encrypt your data as FreeOTFE comes supplied with a choice of drivers for these cyphers (see also: Which of the duplicated drivers should I use?)

To prevent the prompt appearing, please uninstall one of the offending drivers.

Q: Do I need Administrator privileges to use FreeOTFE on my computer?

A: No - Although Administrator privileges are needed to install the FreeOTFE drivers, or start/stop portable mode.

To allow "standard" (non Administrator) users to use FreeOTFE, please install the FreeOTFE drivers by following the instructions in the Installation and Upgrading section. After which, any user will be free to use FreeOTFE (e.g. to create, mount, dismount and use encrypted volumes)

Q: Why do I need Administrator rights to install FreeOTFE?

A: This is probably the most common FAQ with respect to OTFE systems.

In order for most (if not all) OTFE systems to operate, they require the use of "kernel mode drivers" to carry out drive emulation.

A "kernel mode driver" is special piece of software which operates at a very low-level within your computer's operating system. As such, it can do pretty much anything to your system - including carrying out privileged actions that normal users are not allowed to do (e.g. formatting your HDD). Because of this, MS Windows only allows users with Administrator rights to install such drivers.

NOTE: Administrator rights are not required in order to use FreeOTFE once installed.

Q: Why do I need Administrator rights to start "portable mode"?

A: Administrator rights are required to start "portable mode" starting portable mode implicitly registers the FreeOTFE drivers on the computer it's running on. When portable mode is stopped, they are unregistered.

Administrator rights are required for this operation, for the same reasons as given for the answer to "Why do I need Administrator rights to install FreeOTFE?"

Q: Can FreeOTFE run under MS Windows 95/98/Me?

A: No - and there are currently no plans to port FreeOTFE to Windows 9x based systems due to the different driver model used.

Q: Can FreeOTFE run under Linux?

A: No - although FreeOTFE can read, write and create volumes which can be used under Linux.

Q: How can I get FreeOTFE to mount my volumes at startup/when I login?

A: By creating a shortcut with suitable command line parameters in your "Startup" directory (click the MS Windows "Start" button, then go to "Programs | Startup"), FreeOTFE can mount volume files after your system starts up/you login.

See the Command Line Interface section for full details of FreeOTFE's command line options.

Q: On the options dialog, what does the "Save above settings to" option do?

A: This allows you to change where your FreeOTFE settings are stored; in your user profile (only accessible to you), or with the FreeOTFE executable (which is useful if you want to take FreeOTFE with you; on a USB drive, for example).

You may also choose to not save your settings; in which case, the next time you start FreeOTFE, you will begin again with the default options.

Q: Can I save my settings in the same directory as my FreeOTFE executable?

A: Yes, you can - and this makes FreeOTFE more portable, and easier to use, if you want to take it with you on (for example) a USB drive.

There is only one exception though; if you are using Windows Vista, and have User Account Control (UAC) switched on, you will not be allowed to store your settings with the FreeOTFE executable if it is stored under your "Program Files" directory. This is due to one of the limitations imposed by Windows Vista's security system; though you are still free to store FreeOTFE's settings in your user profile.

Q: Where, and in what order does FreeOTFE search for my settings?

A: If you have chosen to save your settings, FreeOTFE will store them un a "FreeOTFE.ini" file stored on your computer at your chosen location

When it starts up, FreeOTFE will attempt to locate this file and read in your settings, by first checking for it in the same directory the executable (FreeOTFE.exe) was located in. If a settings file cannot be found in this location, it will try and look for the same file in your user's profile. If a settings file still cannot be found, FreeOTFE will fallback to using configured default values for all settings.

Q: Can I use FreeOTFE with my USB flash drive?

A: Yes! FreeOTFE has been designed to be portable; see the section on Portable Mode for details on which files to copy onto your USB drive.
You can then use FreeOTFE on any PC - even if it doesn't have FreeOTFE installed.

Q: After associating FreeOTFE with ".vol" files from the options dialog, I doubleclicked my ".vol" volume file, and nothing happened!

A: The FreeOTFE drivers must be running in order for you to mount a volume by doubleclicking on it. Please either install the FreeOTFE drivers (see the installation section), or start FreeOTFE's portable mode (see portable mode section).

Q: Why do volumes created with the FreeOTFE v2.00 have the extension ".vol"?

A: This is purely to maintain consistency with the PDA version (see other FAQ for an explanation as to why the PDA version uses filename extensions). FreeOTFE gives you complete freedom over what you name your volume files.

Q: (Windows Vista only) Why do I get "unidentified program wants access to your computer" prompts when using FreeOTFE?

(This FAQ is only applicable when running under Windows Vista and later; it is not relevant for other operating systems)

A: Windows Vista incorporates a new security system called "User Access Control" (UAC), which is there to help prevent malicious software from doing things which could be harmful to your computer.

Whenever you attempt to use any part of FreeOTFE's functionality which Windows considers a malicious program could use to cause harm, Windows displays this dialog (called the "consent/credential" dialog), and asks you if you would give your permission for it to continue. You will be shown this dialog even if you are logged on as an Administrator.

The same type of dialog will appear when you attempt to (for example) go to Window's Control Panel, selecting "Date and Time", and then attempting to change the computer's time or date.

Because the FreeOTFE executable does not have a digital signature that Windows recognises, this dialog claims that "An unidentified program wants access to your computer". This is perfectly normal, and part of Vista's system to help protect you. If you would like to check that your copy of FreeOTFE is an original, you may do so by checking the hashes/signatures available from the FreeOTFE WWW site.

These prompts form part of Windows Vista's "User Access Control" (UAC) system, which you can find out more about from the Microsoft WWW site.


Q: (Windows Vista only) Why does FreeOTFE prompt me to enter my Administrator's password?

(This FAQ is only applicable when running under Windows Vista and later; it is not relevant for other operating systems)

A: FreeOTFE doesn't ask you to enter an Administrator's password; it has no use or need for this information. Windows Vista, however, will prompt you to enter an Administrator's password whenever you are logged in as a "standard" (i.e. non-Administrator) user, and attempt to carry out any operation which it deems could be harmful to your computer.

If you are happy for FreeOTFE to carry out the operation you requested of it, you should select the relevant option from the consent/credential dialog, and enter the appropriate Administrator's password to allow FreeOTFE to proceed.

Those operations which require Administrator's explicit approval before Windows Vista will permit you to carry them out are marked in FreeOTFE with a "shield icon".

It should be emphasised that it is Windows Vista itself which is generating these prompts, and not FreeOTFE, which will have no access to the password you type in.

These prompts form part of Windows Vista's "User Access Control" (UAC) system, which you can find out more about from the Microsoft WWW site.


Q: (Windows Vista only) How do I stop the Windows Vista "consent/credential" (UAC) dialog from being displayed?

(This FAQ is only applicable when running under Windows Vista and later; it is not relevant for other operating systems)

A: To prevent the UAC dialogs from being shown when using FreeOTFE (and all other applications), you can disable it by carrying out the following steps:

  1. Click on the "Start" button, and then select "Control Panel"
  2. Doubleclick "User Accounts"
  3. Click on "Turn User Account Control on or off"
  4. Make sure that the "Use User Account Control (UAC)" checkbox is unchecked
  5. Click "OK"
  6. Restart your computer

Q: (Windows Vista only) What are the little "shield" icons shown next to some menuitems?

(This FAQ is only applicable when running under Windows Vista and later; it is not relevant for other operating systems)

A: Functions marked with a "shield" icon require Administrator privileges in order to use them, for security reasons. This is for your security, and more information can be found on the Microsoft WWW site.



PDA Version Specific
Q: I created my volume file using the PDA version of FreeOTFE and can mount it on my PC - but why does it keep asking if I want to format it?

A: When you created your volume on your PDA, your PDA fully formatted the volume as though it was a new device - not just a partition on a device.

In order for a volume to be mounted and used correctly on both a PDA and PC, it should be created and formatted using a PC as a FAT volume, and subject to the maximum volume size your PDA can support (see FAQ on volume sizes). This will ensure it can be read on all systems.

Q: How can I speed FreeOTFE up when mounting my volumes?

A: For security reasons, FreeOTFE doesn't store any information relating to which hash/cypher combination was used to encrypt a FreeOTFE volume.

As a result, FreeOTFE is forced to cycle through all of its possible hash/cypher combinations in order to determine which one to use. Reducing the number of combinations it has to check can significantly reduce the time this takes.

To reduce the number of combinations, without making any difference to the level of security FreeOTFE offers, simply remove the redundant cypher/hash implementations (.DLL files) that are in the FreeOTFE directory.

Specifically, delete either one of:
  • FreeOTFE4PDACypherAES_Gladman.dll
  • FreeOTFE4PDACypherAES_ltc.dll
and any two of:
  • FreeOTFE4PDACypherTwofish_Gladman.dll
  • FreeOTFE4PDACypherTwofish_HifnCS.dll
  • FreeOTFE4PDACypherTwofish_ltc.dll
(Please see the FAQ on duplicated drivers for an explanation as to why multiple implementations are included in the release)

The mount time can be reduced even more dramatically by removing all of the hash/cypher .DLL files except for the ones which you have encrypted your data with. This however could decrease the level of security offered as doing so would make it pretty clear to any attacker which combination you've used - though it's debatable whether this loss in security will actually be of any practical value to an attacker.

To speed things up even further, you could drop the number of key iterations your volume is secured with. This isn't particularly recommended, but might help some users...

Q: What happened to the NULL hash and NULL/XOR cypher drivers?

A: To improve performance, these drivers have been moved into a "weak drivers" directory in the PDA release. Really, you shouldn't be using these drivers at all; they are of little use from a security perspective, and are only really included to allow testing. They're still included with the release though, if you really need them...

Q: Does the PDA version support Linux volumes?

A: The PDA version does support Linux volumes, however at time of writing (17th March 2007), the GUI has no user interface to access this functionality.

A front-end interface to allow this is currently being implemented, and will appear in a later release.

Q: Why does FreeOTFE4PDA's version numbering skip from v0.55 to v2.00; what happened to v1.00?

A: FreeOTFE4PDA's version number was incremented to v2.00 in order to match the PC version of FreeOTFE, with which FreeOTFE4PDA shares a fair amount of common code.

A specific "v1.00" was never released, although there were a fair number of non-public versions released between v0.55 and v2.00 to various people to help with testing and confirm compatibility.

Q: When I try to mount my volume, I get the error: "Mount failed; the virtual storage device could not be activated at this time"

A: If you see this error message, you have correctly entered all details to allow FreeOTFE4PDA to mount your encrypted volume, however Windows Mobile has failed to activate the FreeOTFE4PDA virtual storage device.

This error appears to be related to the wireless functions (mobile phone/wifi/bluetooth) of these particular devices; turning off wireless functionality (and possibly carrying out a soft-reset of the device) can resolve this issue.

A version of FreeOTFE4PDA which should resolve this issue is currently under development and will appear in a later release

Q: Which PDAs will FreeOTFE4PDA work with?

A: FreeOTFE4PDA has been tested with various Windows Mobile 2003/2005 and Windows Mobile 6 devices, and should work with all Windows Mobile 2003 and later PDAs.

However, one issue has been reported which prevents FreeOTFE4PDA from mounting volume files when used with the following combined mobile phone/PDA devices:
  • T-Mobile Vario (WM v5.1.195 (Build 14847.2.0.0))
  • MDA Vario II/HTC TyTn (WM v5.1.195 (Build 14955.2.3.0)
  • O2 Exec/QTEK 9000 (WM v5.1.195 (Build 1487.2.0.0))
  • Fujitsu Siemens Loox T830 (WM v5.1.195)
This happens when (for some reason) Windows Mobile fails to activate the FreeOTFE4PDA virtual storage device, and appears to be related to the wireless functions (mobile phone/wifi/bluetooth) of these particular devices. Turning off wireless functionality (and possibly carrying out a soft-reset of the device) before using FreeOTFE4PDA can resolve this issue.

A version of FreeOTFE4PDA which should resolve this issue is currently under development and will appear in a later release

Q: When I use the "open" dialog to select my volume file/keyfile, it doesn't list the file I'm trying to specify - even when I select "All files" - where is it?

A: The standard Windows Mobile "open file" dialog is a little odd; this isn't just restricted to FreeOTFE!

Although FreeOTFE allows you the freedom to use any filename you wish, only files which have a filename extension (i.e. the volume's filename has a full stop followed by one or more letters) will be listed in the "open file" dialog; even if you selected the display "All files" option.

Furthermore, this dialog will only display those files located in the following places:
  • Any subdirectory on a storage card which is located from the root directory of that storage card.
  • Files in the "My Documents" directory on your PDA
  • Files in any subdirectory immediately underneath your "My Documents" directory
The simplest solution is to rename your file, and move it into one of the directories indicated above.

Alternatively, you can still specify your file by simply typing its full path and filename into the relevant entry box, instead of clicking "..." and using the "open file" dialog to select it.

Note that you don't need a filename extension, and can store volume/key files anywhere on your PDA. Conforming to the above restrictions allows you to use the "open file" dialog to select your files, and does not affect FreeOTFE's operation in any way.

Q: How can I reduce the amount of storage space FreeOTFE4PDA takes up when installed?

A: The easiest way of reducing FreeOTFE4PDA's installed "footprint" is to delete its user documentation from your PDA (i.e. everything in the "docs" subdirectory).

You don't (or at least, shouldn't!) really need this documentation as FreeOTFE4PDA is a pretty straightforward application to use - and if you do find you want to refer to it occasionally, tapping on "Help | User guide" will take you to the online version if a local copy cannot be found.

It is recommended that you keep a copy somewhere though; on your desktop PC, if nowhere else.

You can further reduce the amount of storage taken up by deleting any unused cypher and hash drivers; this will also increase the speed at which FreeOTFE4PDA will mount volumes. (See FAQ: "How can I speed FreeOTFE up when mounting my volumes?" for further details on how to do this)

Q: Why do I get the message "Unable to locate local copy of user guide; would you like to see the latest version on the Internet?" when I try to view the user guide by selecting "Help | User guide"?

A: FreeOTFE4PDA attempts to locate a local copy of the user guide stored with the executable. If this is not found, it will fallback to trying to show you the latest version found on the FreeOTFE WWW site.
To prevent this, please place a copy of the "docs" directory included with the release into the same directory as your "FreeOTFE4PDA.exe" executable. (i.e. Such that you have a "docs" subdirectory in the same directory as the "FreeOTFE4PDA.exe" executable on your PDA)

Q: What does the "Support WM 5.0 soft keys" option do?

A: Under Windows Mobile 5.0 and later, you have the option of displaying FreeOTFE's menus and Wizard navigation using the new style two-item "softkey" menus. This is the "Microsoft standard" for Windows Mobile 5 (and later) applications, and is designed to allow users with "softkeys" (i.e. smartphones with two buttons, left and right, below their display) to navigate more quickly and easily.

Alternatively, you can still opt to use the older "menu and toolbar" style used with Windows Mobile 2003 (second edition) and earlier.

Here is a sample of what the different menus look like:

Menu and toolbar style menus WM 5.0 soft key menus
Menu and toolbar style menubar Menu and toolbar style menuitems
WM 5.0 softkey menubar WM 5.0 softkey menuitems


You can change this setting by going to "Tools | Options".

If you have a PDA which runs Windows Mobile 2003 (second edition) or earlier, your PDA does not support this new style menu.

Q: I don't like the new two-item menus at the bottom of my display - how do I change them back to the older toolbar style menu?

A: The "Microsoft standard" for Windows Mobile 5 (and later) applications is to employ a two-item menu at the bottom of the display, as opposed to using a similar style menu as is found on desktop PCs running MS Windows.

This is to allow users with "softkeys" (i.e. smartphones with two buttons, left and right, below their display) to navigate more quickly and easily.

Of course, as with all user interfaces, there's always someone who doesn't like it! FreeOTFE4PDA does give you the option to change back the older style though; simply tap "Menu | View | Options" and uncheck the "Support WM 5.0 soft keys" option.

Q: I don't like the multi-item menubar/toolbar at the bottom of FreeOTFE4PDA's display - how do I get it to use the newer two-item style (softkey) menus instead?

A: The two-item menu at the bottom of the display is the "Microsoft standard" for Windows Mobile 5 (and later) applications, and is designed to allow users with "softkeys" (i.e. smartphones with two buttons, left and right, below their display) to navigate more quickly and easily.

If you have a PDA which runs Windows Mobile 2003 (second edition) or earlier, your PDA does not support this new style menu.

However, if you are running Windows Mobile 2005 or later, you can enable the two-item style menu by simply tapping "Menu | View | Options" and making sure the "Support WM 5.0 soft keys" option is checked.

Q: Do I have to partition my drive to use FreeOTFE?

A: No. FreeOTFE volumes may be stored in files stored on your normal file system.

Q: I want to create a FreeOTFE partition on my unallocated space, but can't see it in the partition display - where is it?

A: For obvious reasons, the FreeOTFE only shows partitions which are reported to it by the OS.

Disk space which does not form any part of a partition (i.e. is not referenced in any partition table on the disk (primary or extended); reported as "Unallocated" by the Windows Disk Management tool) cannot be "seen" by FreeOTFE.

To make use of such space, use the Windows Disk Management tool to create a new partition for it, and then use FreeOTFE to turn it into an encrypted partition.

Please note that FreeOTFE is not responsible for partitioning your hard drive - you should be using a partitioning tool for that!

Q: When I'm prompted to select a partition, some of the partitions on my USB drive are shown in red (or not at all) - why?

A: See: Why can't I use encrypted partitions on a USB drive, unless it's the first partition?

Q: Why can't I use encrypted partitions on a USB drive, unless it's the first partition?

A: MS Windows has a limitation which prevents it from correctly using partitions on USB drives that are beyond the first one. As a result, the current version of FreeOTFE cannot use these partitions, and this is indicated by displaying such partitions in red (or not at all) in the partition selection display.

If you wish to use an encrypted partition on a USB drive under both Windows and Linux, please ensure that the encrypted partition is the first partition on the USB drive.

It should be noted that this limitation only applies to USB drives, and not physical disks installed inside the PC

A solution which will allow FreeOTFE to use second (and other) partitions on USB drives is currently under development.

Other possible solutions/information may be found at:


Q: After creating an encrypted partition/disk, MS Windows reports that partition I used as being type "RAW" and prompts me to format it - why?

A: After creating an encrypted partition/disk, if you have a drive letter associated with the physical partition used, MS Windows will report that drive as being "RAW" since it cannot understand what is stored on it (for obvious reasons, it can't understand what the encrypted data means).

WARNING: Do not let MS Windows format this partition! Although formatting the "virtual drive" FreeOTFE creates after mounting your encrypted partition is certainly a requirement before it can be used, formatting the partition it resides on could destroy your encrypted data!

The safest course of action is to prevent MS Windows from allocating a drive letter to the encrypted partition. By doing so:
  • MS Windows will not prompt you every time this drive is accessed, since you will not be able to accidentally access it
  • You'll be less likely to hit "OK" and format the partition, overwriting your encrypted data!
To do this:
  1. Go to "Start -> Settings -> Control Panel -> Administrative tools -> Computer Management"
  2. Select "Disk Management"
  3. Rightclick on the partition you have setup an encrypted and select "Change Drive Letter and Paths"
  4. Remove any drive letters associated with the partition

Q: Can FreeOTFE be used with RAID arrays?

A: Yes! FreeOTFE has been tested with, and works with, RAID arrays

Q: Can I use FreeOTFE with "MojoPac"?

A: Yes!

There are two basic ways of encrypting you data using FreeOTFE while using MojoPac:

  1. By creating an encrypted volume and installing MojoPac onto it.
  2. By installing MojoPac as normal (e.g. onto a USB drive), and running FreeOTFE from within MojoPac

Method one: Installing onto a FreeOTFE volume

The first method is probably the more secure, as your entire MojoPac setup is encrypted. Simply create a new FreeOTFE volume on your USB drive, mount it, and then install MojoPac onto the mounted volume.

In this way everything relating to your MojoPac system will be secured. Because of FreeOTFE's portable mode, MojoPac can be used as a fully mobile, secured, system by placing a copy of FreeOTFE onto your USB drive along with the volume file.

Method two: Running within the MojoPac environment

FreeOTFE can also be launched and used from within the MojoPac environment to create and use encrypted volumes in much the same way as on a normal PC.

In order to use FreeOTFE in this way, you must first either

  • Start FreeOTFE's portable mode on the host PC, or
  • Install and start the FreeOTFE drivers on the host PC

(See the Portable mode and Installation sections for further information)

When running MojoPac, your MojoPac device (i.e. your USB drive, iPod, etc) will appear as both the removable drive it is normally mounted as on the host PC (e.g. D:, E:), and as your MojoPac's C: drive.

To mount a FreeOTFE volume which is stored on your MojoPac device, you should select the volume file on the removable drive (e.g. D:, E:) and not the mirror copy which appears on you MojoPac's C: drive. Mounting volumes stored elsewhere should be unaffected.

Note that when a volume is mounted from within the MojoPac environment, it may also be accessed by the host PC by using the drive letter it is mounted as under the MojoPac session. Applications on the host PC will see the mounted volume as normal, with the exception of Windows Explorer which will not show a new drive icon for it - though even then, it can still be accessed by Windows Explorer on the host PC, by simply typing the drive letter the encrypted volume is mounted as, followed by a colon, into Windows Explorer's "Address" bar and pressing <ENTER>.

In the same manner, volumes mounted on the host PC will be accessible from within the MojoPac environment.

Q: Why does the partition/disk selection display sometimes display less information?

A: Depending on the user's access rights, FreeOTFE may only be able to obtain limited information about the various disk partitions.

When this happens, FreeOTFE will fallback to displaying a more restricted set of information (e.g. no partition sizes)

Because more information can be displayed if the user is an administrator (or under Windows Vista, the FreeOTFE process has been started with escalated under UAC), it is highly recommended that any partition based volumes are created when logged in as an administrator. (Under Vista, FreeOTFE should be launched by rightclicking on the executable, "FreeOTFE.exe", and selecting "Run as administrator".)

By displaying additional information, there is less likelihood of creating a volume on the wrong partition.

Partition selection dialog; full information shown

Partition selection dialog; restricted information shown


Q: I've inserted my PKCS#11 (Cryptoki) token, but why is the "PKCS#11 token management..." menuitem disabled?

A: Please ensure that you have configured FreeOTFE to use your token via the "PKCS#11" tab on the Options dialog ("View | Options...")

See the section on Security Token/Smartcard Support for further details

Q: What is the difference between PKCS#11, Cryptoki, and "tokens"?

A: PKCS#11 and Cryptoki are the same thing; an API for accessing security tokens/smartcards.

"Token" is a generic term to refer to a security token or smartcard.

Q: How do I change the password on a volume/keyfile which is secured with a PKCS#11 secret key?

A: To change the password on a volume/keyfile which is secured with a PKCS#11 secret key:
  1. Decrypt the volume's CDB/keyfile using the token's secret key:
    1. Go to "Tools | PKCS#11 token management..."
    2. Select the "Secret keys" tab
    3. Select the appropriate secret key
    4. Click "Decrypt", and select your volume/keyfile
  2. Change the password on it
  3. Re-encrypt the keyfile/volume's CDB using the token's secret key, using the "encrypt" function on the PKCS#11 token management dialog