Topic: TrueCrypt alternative  (Read 46079 times)

Midnight Rambler

TrueCrypt alternative
« on: May 30, 2014, 07:01 PM »
Now that TrueCrypt is dead, I and likely many others are looking for alternative freeware disk encryption programs.  MS's own BitLocker is mentioned often but to my knowledge can only be used on certain versions of Vista, Win 7 and 8.  Also have heard of DiskCryptor but this program appears to be not the most user friendly.  Anybody?
Compaq Presario 5716 (98), Dell Dimension 4700 (XP), Lenovo ThinkPad T530 (Win 7 Pro > Win 10 Pro).

x16wda

Re: TrueCrypt alternative
« Reply #1 on: May 30, 2014, 08:51 PM »
To my mind the best alternative to Truecrypt is ... Truecrypt.

- Has Truecrypt ever failed the basic file system store/retrieve process for anyone here?
- Has anyone shown or explained an exploit based on algorithm or due to coding error (as opposed to brute force, or finding keys cached in memory, or "ghost-reading" frozen memory sticks)?
- Are there any valid reasons anyone could think of why a perfectly good encryption product, that has been in use for years, reliably, without known vulnerabilities or exposures, might be shut down without much notice (nobody say Lavabit)?

Just sayin'.

Edit: Of course the above could as well be in the other Truecrypt thread. I am always interested in other comparable encryption tools, and have looked around extensively but have not found its equal. That said, for individual file encryption (which Truecrypt doesn't do) I tend to use Axcrypt (or fSekrit for pure text files), sometimes that's more appropriate for my purposes.
vi vi vi - editor of the beast
« Last Edit: May 30, 2014, 09:23 PM by x16wda »

40hz

Re: TrueCrypt alternative
« Reply #2 on: May 30, 2014, 09:37 PM »
I think it will only be a matter of time before a functionally equivalent, fully audited, and genuinely open replacement appears. There's far too much interest and demand for it to remain unmet. And FOSS abhors such a vacuum. 8)

rgdot

Re: TrueCrypt alternative
« Reply #3 on: May 30, 2014, 10:04 PM »
Are personal users using Truecrypt containers in communication or in the cloud (email, Dropbox, etc.)? If not and using 7.1a on a local network - or in a more 'paranoid' case on an offline computer - then I agree with

> To my mind the best alternative to Truecrypt is ... Truecrypt.

If an equivalent arrives more power to those creating it and they will most likely have me as a user.

wraith808

Re: TrueCrypt alternative
« Reply #4 on: May 30, 2014, 10:45 PM »
+1  :Thmbsup:

bit

Re: TrueCrypt alternative
« Reply #5 on: May 31, 2014, 02:09 AM »
AFAIC TrueCrypt is not 'dead'; v.7.1a works fine, and so does AxCrypt (which BTW includes a nice file shredder feature).

There may be a Scramdisk for Linux, but the reports are several years old and I'm not sure if it's compatible with any current Linux OS, and I would appreciate anyone cluing me in on that question.
Or if you can dual-boot to an older OS like Win98, Scramdisk works within that OS.
Scramdisk is freeware and rather robust, with plausible deniability, but does have the above limitations.

Another interesting alternative is freeware DIIT.
This is its pretty and brainy creator, Dr. Kathryn Hempstalk of New Zealand:
[image: 20080724 Kathryn Hempstalk.jpg]

It includes plausible deniability, but is rather limited in file size capacity.
Also it is rather involved to work with because the GUI does not allow drag & drop.
But FWIW, it actually works.

"The Digital Invisible Ink Toolkit ((DIIT)) is a Java steganography tool that can hide any sort of file inside a digital image (regarding that the message will fit, and the image is 24 bit colour). It will work on Windows, Linux and Mac OS because it is written in Java and thus platform independent."
It also works fine with black & white pix.
« Last Edit: May 31, 2014, 02:36 AM by bit »

Tuxman

Re: TrueCrypt alternative
« Reply #6 on: May 31, 2014, 05:11 AM »
1. I'll stick with TrueCrypt for my container file until it's clear what happens with the audited planned fork.
2. Why use containers anyway? Use EncFS.

x16wda

Re: TrueCrypt alternative
« Reply #7 on: May 31, 2014, 07:53 AM »
> 2. Why use containers anyway? Use EncFS.
Portability.
vi vi vi - editor of the beast

wraith808

Re: TrueCrypt alternative
« Reply #8 on: May 31, 2014, 10:37 AM »
>> 2. Why use containers anyway? Use EncFS.
> Portability.

ding ding ding

Tuxman

Re: TrueCrypt alternative
« Reply #9 on: May 31, 2014, 11:15 AM »
EncFS isn't portable, because...?

40hz

Re: TrueCrypt alternative
« Reply #10 on: May 31, 2014, 12:40 PM »
>>> 2. Why use containers anyway? Use EncFS.
>> Portability.
>
> ding ding ding

Precisely. Easy to install and easy to use were TC's biggest selling points for the average user. People that preferred an encrypted file system instead of an encrypted container approach went with Bitlocker and similar tools.

 

Tuxman

Re: TrueCrypt alternative
« Reply #11 on: May 31, 2014, 12:42 PM »
How's EncFS not portable?

x16wda

Re: TrueCrypt alternative
« Reply #12 on: May 31, 2014, 12:50 PM »
I should have said easy portability, just one file for a TrueCrypt volume.

EncFS4win has more pieces & parts to the program, and individually encrypted files. Looks like you could use Boxcrypt (which appears to be a gui for EncFS4win) to make it easier, but then you are limited to 2gb of stuff unless you want to pay.  
vi vi vi - editor of the beast

Tuxman

Re: TrueCrypt alternative
« Reply #13 on: May 31, 2014, 12:51 PM »
One file for a volume - and TrueCrypt itself. Now what?

Midnight Rambler

Re: TrueCrypt alternative
« Reply #14 on: June 12, 2014, 10:51 AM »
Helpful and not too long article on this topic from a credible source: The life and untimely demise of TrueCrypt.

Excerpt: My recommendation to current TrueCrypt users? Don’t panic! But also don’t deploy any new versions of TrueCrypt; simply maintain what you have. Based on the OCAP audit, TrueCrypt does not have any back doors and still provides secure encryption that can’t be easily cracked.

Article also references BitLocker (again!) and 7-Zip.  Think I'll just stick with v7.1a for now.
Compaq Presario 5716 (98), Dell Dimension 4700 (XP), Lenovo ThinkPad T530 (Win 7 Pro > Win 10 Pro).

mwb1100

Re: TrueCrypt alternative
« Reply #15 on: June 12, 2014, 12:26 PM »
I disagree with the tone of the article about the trustworthiness of free software. At least a couple times, the article says things such as:

> I think we’ve all received a wakeup call. We might need to step back and question the source of our open-source software — and in the future, review its pedigree before installing it.

I don't think open source or free software should be called out for this, but not closed source software. This "wakeup call" applies to any software you depend on - whether it's free or paid, open or closed source. Paid-for, closed source software often gets abandoned or has support dropped suddenly - that's not a problem unique to free software.

At least with open source software, the possibility exists of someone/anyone forking the project and continuing to support it if there's a need or demand (keep in mind that as discussions have mentioned before, it's not entirely clear whether the TrueCrypt software is truly open source and possible to legally fork). That possibility doesn't exist for closed source software that gets abandoned.

wraith808

Re: TrueCrypt alternative
« Reply #16 on: June 12, 2014, 01:24 PM »
> I disagree with the tone of the article about the trustworthiness of free software. At least a couple times, the article says things such as:
>
>> I think we’ve all received a wakeup call. We might need to step back and question the source of our open-source software — and in the future, review its pedigree before installing it.
>
> I don't think open source or free software should be called out for this, but not closed source software. This "wakeup call" applies to any software you depend on - whether it's free or paid, open or closed source. Paid-for, closed source software often gets abandoned or has support dropped suddenly - that's not a problem unique to free software.
>
> At least with open source software, the possibility exists of someone/anyone forking the project and continuing to support it if there's a need or demand (keep in mind that as discussions have mentioned before, it's not entirely clear whether the TrueCrypt software is truly open source and possible to legally fork). That possibility doesn't exist for closed source software that gets abandoned.

I think what was meant is that if you buy software from X, then you know that you've bought in from X, and that X is supporting it.  On many open source projects, this isn't the case.  The authors don't have to be known, and there is zero in the way of accountability.  So it wasn't so much that we don't need to assess with closed source projects- people already do that.  It's just leaning towards people *don't* do that with OSS in a lot of cases... after all, we can see the source, so it's not important.

But it is.

mwb1100

Re: TrueCrypt alternative
« Reply #17 on: June 12, 2014, 01:58 PM »
I still don't think that purchasing software or having software provided by a well-known entity provides any better trustworthiness.

While not a paid product, Google Reader was offered by a well-known entity.  I know that many people were upset by it being shut down.

A much smaller, but personal, example: I used to use some software called SafeWallet by SBSH, and I had paid the couple dollars for it. The vendor was as well known or well established as many software vendors I've purchased from. Which is to say, I didn't know much of anything about them. They had a website, they offered software for purchase, and they accepted credit cards for payment.  Other than the huge software vendors like MS, Google, Adobe, Symantec, I think this is a similar level of knowledge that most people have about their software vendors.  The SafeWallet software is no longer supported, and the servers used to sync the data across devices stopped working.  Fortunately, I was able to move on by exporting my local data and getting it read into another password wallet program without too much trouble.

I think that Microsoft actually comes out looking pretty good in this area. While they do abandon software, it seems that generally they give a fair bit of notice. However, even if given a lot of notice many people can still be unhappy. Note that I still read about complaints regarding XP being unsupported.  There's even the occasional complaint I come across about VB6.

Again, I don't think open source vs. closed source plays into this very much, except that with open source you at least have the possibility of self-supporting (even if it would be a lot of effort) if the vendor goes away. With closed source, you don't even get the option.

wraith808

Re: TrueCrypt alternative
« Reply #18 on: June 12, 2014, 02:28 PM »
If you have the name of Microsoft, or Google, or whomever behind a project, then you at least have knowledge of the history of who is making it and some knowledge of what they have done/are doing- for good or ill.  On many OSS projects, there isn't this level of transparency.  It's not about abandoning or choosing to discontinue a project.  It's about knowing who is behind the project.  If you buy from someone, there is some level of transparency on this.  On quite a few OSS projects, there isn't.  It is the same concern to a smaller degree on smaller freeware projects... but those don't give the artificial level of reassurance that knowing a project is OSS tends to.

mwb1100

Re: TrueCrypt alternative
« Reply #19 on: June 12, 2014, 03:05 PM »
I guess I take issue that the article portrays this as an 'open source' problem. It's not. The problem of determining whether or not you can trust the team behind a software project/product is largely independent of whether the software is open source or not.

I think that implying that this is a problem particular to open source software or even just that it's more of a problem for open source software is wrong.

wraith808

Re: TrueCrypt alternative
« Reply #20 on: June 12, 2014, 03:42 PM »
> I guess I take issue that the article portrays this as an 'open source' problem. It's not. The problem of determining whether or not you can trust the team behind a software project/product is largely independent of whether the software is open source or not.
>
> I think that implying that this is a problem particular to open source software or even just that it's more of a problem for open source software is wrong.


The problem that is endemic to OSS in this regard (and I know I'm guilty of it) is the transparency of who is behind the project.  I didn't even know, nor take the time to find out who was behind TrueCrypt.  Nor many of the other OSS that I use.  And I'm pretty on top of things... but having the source available makes a lot of that... just seem not to matter.

But it does.

IainB

Re: TrueCrypt alternative
« Reply #21 on: June 12, 2014, 07:29 PM »
I would like to see a report on the still-ongoing project to audit TrueCrypt (which project website apparently also holds a full copy of all the software and code) before pronouncing it as "dead".
Presumably it was not for nothing that Amazon Web Services some time back mandated the use of only TrueCrypt for its encryption, if you wanted to use their secure storage services. That mandate would presumably have been made for solid business reasons, and they would not have entered into it lightly. That alone could spell more for TrueCrypt's longevity than any recent unexplained closure of the TrueCrypt website.
The best alternative to TrueCrypt could yet well be TrueCrypt.

Others more cynical than I might suggest that, if the TrueCrypt takedown was the result of being nobbled by the NSA (e.g., like the two encrypted email services over the last 12 months), then the TrueCrypt developers may have been left little option but to shut down, rather than be obliged to leave TrueCrypt fitted full of NSA backdoors like Symantec and Microsoft encryption have been rumoured to be.
It's all a matter of trust.

TaoPhoenix

Re: TrueCrypt alternative
« Reply #22 on: June 12, 2014, 09:41 PM »
> I would like to see a report on the still-ongoing project to audit TrueCrypt (which project website apparently also holds a full copy of all the software and code) before pronouncing it as "dead".
> Presumably it was not for nothing that Amazon Web Services some time back mandated the use of only TrueCrypt for its encryption, if you wanted to use their secure storage services. That mandate would presumably have been made for solid business reasons, and they would not have entered into it lightly. That alone could spell more for TrueCrypt's longevity than any recent unexplained closure of the TrueCrypt website.
> The best alternative to TrueCrypt could yet well be TrueCrypt.
>
> Others more cynical than I might suggest that, if the TrueCrypt takedown was the result of being nobbled by the NSA (e.g., like the two encrypted email services over the last 12 months), then the TrueCrypt developers may have been left little option but to shut down, rather than be obliged to leave TrueCrypt fitted full of NSA backdoors like Symantec and Microsoft encryption have been rumoured to be.
> It's all a matter of trust.

Another fascinating comment. I guess what's confusing me is to my knowledge encryption is "just an algorithm" so I'd think if you took "Iain B rulez!" it might spit out weflhjegehwgewig or whatever. But I'd think if you ran the same process twice in exactly the same way (maybe even including timestamps), you'd get the *same* gobbledygook, right?

So you'd think Amazon wouldn't mess around, and maybe at some conference they sent a rep to, he'd get to comparing notes and Google sez "Hey, your output in your test case is different from mine. What's up with that?"

So even if the NSA is putting back doors in there, aren't we back to that famous discussion of "security via obscurity"? That the NSA is gambling that the back doors it's putting in there can't be found by anyone else?

And I'm still not happy with "the devs got tired and bored so they dumped their product." How would you normally end-of-life a security encryption suite? I'd think Bruce Schneier's alarm bells and maybe connections must be as good as anyone else's, so I'm sure he's been reviewing TrueCrypt forever, so maybe prior versions *used* to be good and only a *new* NSA letter threatens future editions. And I'm also amazed how no one can "find" the developers to hear their side. With how tricky the non-reveal clauses are, if someone called the devs and gets hung up on, "no words are many words" just like they did to the website.

And then the community - let's say a backdoor is in there, I'd think they would be pissed that their entire collective study and review of the program would miss them.



« Last Edit: June 12, 2014, 09:52 PM by TaoPhoenix »

Stoic Joker

Re: TrueCrypt alternative
« Reply #23 on: June 12, 2014, 10:08 PM »
> So even if the NSA is putting back doors in there, aren't we back to that famous discussion of "security via obscurity"? That the NSA is gambling that the back doors it's putting in there can't be found by anyone else?

Yes.

IainB

Re: TrueCrypt alternative
« Reply #24 on: June 13, 2014, 05:41 AM »
It would generally be easier to set and conceal backdoors in proprietary encryption software, and for it to remain "undiscovered" because the software would not usually be open to scrutiny/audit by third parties who would thus effectively need to trust/use the software on blind faith.

Let's be speculative:
  • As above, maybe:
    ...the TrueCrypt takedown was the result of being nobbled by the NSA (e.g., like the two encrypted email services over the last 12 months), then the TrueCrypt developers may have been left little option but to shut down, rather than be obliged to leave TrueCrypt fitted full of NSA backdoors like Symantec and Microsoft encryption have been rumoured to be.
    _______________________

  • Or maybe that's not the case. Maybe the backdoors had already been established for some time in TrueCrypt, so the unknown developers pulled the plug realising that discovery could be imminent in the aforementioned TrueCrypt audit project.

  • Maybe the developers and/or the auditors are effectively the NSA. Who knows? After what we have been allowed to learn or led to believe from the public dripfeed out of the SnowdenGate theatre (bring your own popcorn), anything's possible, but skepticism would seem to be recommended. One thing that was learned/perfected in WWII was that good military intelligence and the skilful dissemination of misinformation were essential ingredients to a winning strategy in a war, with the Nazis arguably setting the initial standards to be met. Out of this sprung our modern-day advertising, marketing and PR - even the terminology used employs military terms. And be in no doubt that we are involved in some kind of a war - a war in which every citizen is apparently a potential enemy and thus not to be trusted, so surveillance and the manipulation of public perceptions by whatever means deemed necessary would be mandatory (QED). This was where Mao's Revolution was so successful. Maybe the book "1984" does form an authoritative set of rules and guiding principles for the kind of increasingly totalitarian states that we seem to be finding ourselves inhabiting.

I had always been a fan of PGP (Pretty Good Privacy) encryption methods, but lost interest when PGP was acquired by Norton/Symantec as I figured it was thereby probably irretrievably lost as a definitively secure/trustworthy encryption approach/software - I mean, how would one know?

However, in the interesting case of Ramona Fricosu (January 2012) in Peyton, Colo., USA, Fricosu had been charged with conducting a fraud (a mortgage scam) and it was deemed necessary to access her Toshiba laptop to discover details about the fraud and her associates - but the laptop was secured using PGP Desktop Professional | Symantec, which the FBI apparently claimed to be unable to unlock.
So a federal judge ruled that she had to:
...decrypt the hard drive of a Toshiba laptop computer no later than February 21--or face the consequences including contempt of court.
Refer: Judge: Americans can be forced to decrypt their laptops | Privacy Inc. - CNET News

(Out of this came the use of a legal defence concept of "Plausible deniability".)

This was a civilian matter, not a defence matter. Maybe the FBI did have the ability to crack the encryption key, but were not about to reveal that potentially strategically and militarily important fact if it did not have to be revealed, and so forced the issue (apparently successfully) through the judicial system.
Maybe this started people looking with increasing interest at the backdoored Symantec PGP product, or maybe it wasn't backdoored. Either way, it wouldn't matter, because the public perception set by this display was that Symantec PGP is unhackable, and maybe that was desirable/necessary/intentional.

So the alternatives to TrueCrypt could be:
  • TrueCrypt software - presumed to be unhackable.
  • Symantec PGP software - "proven" to be unhackable.
  • Microsoft BitLocker software + hardware - presumed to be unhackable.

So maybe the NSA or other SS (Secret Service) cannot hack these things. Then again, maybe they can, or have already done so some time ago.
And don't forget that it has apparently already been established that the NSA would seem to have already nobbled the so-called "random" keys used in PKE (Public Key Encryption).
« Last Edit: June 13, 2014, 06:20 AM by IainB, Reason: Minor corrections. »