DonationCoder.com Forum

Main Area and Open Discussion => General Software Discussion => Topic started by: Midnight Rambler on May 30, 2014, 07:01 PM

Title: TrueCrypt alternative
Post by: Midnight Rambler on May 30, 2014, 07:01 PM
Now that TrueCrypt is dead, I and likely many others are looking for alternative freeware disk encryption programs.  MS's own BitLocker is mentioned often but to my knowledge can only be used on certain versions of Vista, Win 7 and 8.  Also have heard of DiskCryptor (https://diskcryptor.net/wiki/Main_Page) but this program appears to be not the most user friendly.  Anybody?
Title: Re: TrueCrypt alternative
Post by: x16wda on May 30, 2014, 08:51 PM
To my mind the best alternative to Truecrypt is ... Truecrypt.

- Has Truecrypt ever failed the basic file system store/retrieve process for anyone here?
- Has anyone shown or explained an exploit based on algorithm or due to coding error (as opposed to brute force, or finding keys cached in memory, or "ghost-reading" frozen memory sticks)?
- Are there any valid reasons anyone could think of why a perfectly good encryption product, that has been in use for years, reliably, without known vulnerabilities or exposures, might be shut down without much notice (nobody say Lavabit)?

Just sayin'.

Edit: Of course the above could as well be in the other Truecrypt thread. I am always interested in other comparable encryption tools, and have looked around extensively but have not found its equal. That said, for individual file encryption (which Truecrypt doesn't do) I tend to use Axcrypt (or fSekrit for pure text files), sometimes that's more appropriate for my purposes.
Title: Re: TrueCrypt alternative
Post by: 40hz on May 30, 2014, 09:37 PM
I think it will only be a matter of time before a functionally equivalent, fully audited, and genuinely open replacement appears. There's far too much interest and demand for it to remain unmet. And FOSS abhors such a vacuum. 8)
Title: Re: TrueCrypt alternative
Post by: rgdot on May 30, 2014, 10:04 PM
Are personal users using Truecrypt containers in communication or in the cloud (email, Dropbox, etc.)? If not and using 7.1a on a local network - or in more 'paranoid' case on an offline computer - then I agree with

To my mind the best alternative to Truecrypt is ... Truecrypt.

If an equivalent arrives more power to those creating it and they will most likely have me as a user.
Title: Re: TrueCrypt alternative
Post by: wraith808 on May 30, 2014, 10:45 PM
+1  :Thmbsup:
Title: Re: TrueCrypt alternative
Post by: bit on May 31, 2014, 02:09 AM
AFAIC TrueCrypt is not 'dead'; v.7.1a works fine, and so does AxCrypt (which BTW includes a nice file shredder feature).

There may be a Scramdisk for Linux, but the reports are several years old and I'm not sure if it's compatible with any current Linux OS, and I would appreciate anyone cluing me in on that question.
Or if you can dual-boot to an older OS like Win98, Scramdisk works within that OS.
Scramdisk is freeware and rather robust, with plausible deniability, but does have the above limitations.

Another interesting alternative is freeware DIIT (http://diit.sourceforge.net/).
This is its pretty and brainy creator, Dr. Kathryn Hempstalk of New Zealand:

It includes plausible deniability, but is rather limited in file size capacity.
Also it is rather involved to work with because the GUI does not allow drag & drop.
But FWIW, it actually works.

"The Digital Invisible Ink Toolkit ((DIIT)) is a Java steganography tool that can hide any sort of file inside a digital image (regarding that the message will fit, and the image is 24 bit colour). It will work on Windows, Linux and Mac OS because it is written in Java and thus platform independent."
It also works fine with black & white pix.
Title: Re: TrueCrypt alternative
Post by: Tuxman on May 31, 2014, 05:11 AM
1. I'll stick with TrueCrypt for my container file until it's clear what happens with the audited planned fork.
2. Why use containers anyway? Use EncFS.
Title: Re: TrueCrypt alternative
Post by: x16wda on May 31, 2014, 07:53 AM
2. Why use containers anyway? Use EncFS.
Portability.
Title: Re: TrueCrypt alternative
Post by: wraith808 on May 31, 2014, 10:37 AM
2. Why use containers anyway? Use EncFS.
Portability.

ding ding ding
Title: Re: TrueCrypt alternative
Post by: Tuxman on May 31, 2014, 11:15 AM
EncFS isn't portable, because...?
Title: Re: TrueCrypt alternative
Post by: 40hz on May 31, 2014, 12:40 PM
2. Why use containers anyway? Use EncFS.
Portability.

ding ding ding

Precisely. Easy to install and easy to use were TC's biggest selling points for the average user. People that preferred an encrypted file system instead of an encrypted container approach went with Bitlocker and similar tools.

 
Title: Re: TrueCrypt alternative
Post by: Tuxman on May 31, 2014, 12:42 PM
How's EncFS not portable?
Title: Re: TrueCrypt alternative
Post by: x16wda on May 31, 2014, 12:50 PM
I should have said easy portability, just one file for a TrueCrypt volume.

EncFS4win has more pieces & parts to the program, and individually encrypted files. Looks like you could use Boxcrypt (which appears to be a gui for EncFS4win) to make it easier, but then you are limited to 2gb of stuff unless you want to pay.  
Title: Re: TrueCrypt alternative
Post by: Tuxman on May 31, 2014, 12:51 PM
One file for a volume - and TrueCrypt itself. Now what?
Title: Re: TrueCrypt alternative
Post by: Midnight Rambler on June 12, 2014, 10:51 AM
Helpful and not too long article on this topic from a credible source: The life and untimely demise of TrueCrypt (http://windowssecrets.com/top-story/the-life-and-untimely-demise-of-truecrypt/).

Excerpt: My recommendation to current TrueCrypt users? Don’t panic! But also don’t deploy any new versions of TrueCrypt; simply maintain what you have. Based on the OCAP audit, TrueCrypt does not have any back doors and still provides secure encryption that can’t be easily cracked.

Article also references BitLocker (again!) and 7-Zip.  Think I'll just stick with v7.1a for now.
Title: Re: TrueCrypt alternative
Post by: mwb1100 on June 12, 2014, 12:26 PM
I disagree with the tone of the article about the trustworthiness of free software. At least a couple times, the article says things such as:

I think we’ve all received a wakeup call. We might need to step back and question the source of our open-source software — and in the future, review its pedigree before installing it.

I don't think open source or free software should be called out for this, but not closed source software. This "wakeup call" applies to any software you depend on - whether it's free or paid, open or closed source. Paid-for, closed source software often gets abandoned or has support dropped suddenly - that's not a problem unique to free software.

At least with open source software, the possibility exists of someone/anyone forking the project and continuing to support it if there's a need or demand (keep in mind that as discussions have mentioned before, it's not entirely clear whether the TrueCrypt software is truly open source and possible to legally fork). That possibility doesn't exist for closed source software that gets abandoned.
Title: Re: TrueCrypt alternative
Post by: wraith808 on June 12, 2014, 01:24 PM
I disagree with the tone of the article about the trustworthiness of free software. At least a couple times, the article says things such as:

I think we’ve all received a wakeup call. We might need to step back and question the source of our open-source software — and in the future, review its pedigree before installing it.

I don't think open source or free software should be called out for this, but not closed source software. This "wakeup call" applies to any software you depend on - whether it's free or paid, open or closed source. Paid-for, closed source software often gets abandoned or has support dropped suddenly - that's not a problem unique to free software.

At least with open source software, the possibility exists of someone/anyone forking the project and continuing to support it if there's a need or demand (keep in mind that as discussions have mentioned before, it's not entirely clear whether the TrueCrypt software is truly open source and possible to legally fork). That possibility doesn't exist for closed source software that gets abandoned.

I think what was meant is that if you buy software from X, then you know that you've bought in from X, and that X is supporting it.  On many open source projects, this isn't the case.  The authors don't have to be known, and there is zero in the way of accountability.  So it wasn't so much that we don't need to assess with closed source projects- people already do that.  It's just leaning towards people *don't* do that with OSS in a lot of cases... after all, we can see the source, so it's not important.

But it is.
Title: Re: TrueCrypt alternative
Post by: mwb1100 on June 12, 2014, 01:58 PM
I still don't think that purchasing software or having software provided by a well-known entity provides any better trustworthiness.

While not a paid product, Google Reader was offered by a well-known entity.  I know that many people were upset by it being shut down.

A much smaller, but personal, example: I used to use some software called SafeWallet by SBSH, and I had paid the couple dollars for it. The vendor was as well known or well established as many software vendors I've purchased from. Which is to say, I didn't know much of anything about them. They had a website, they offered software for purchase, and they accepted credit cards for payment.  Other than the huge software vendors like MS, Google, Adobe, Symantec, I think this is a similar level of knowledge that most people have about their software vendors.  The SafeWallet software is no longer supported, and the servers used to sync the data across devices stopped working.  Fortunately, I was able to move on by exporting my local data and getting it read into another password wallet program without too much trouble.

I think that Microsoft actually comes out looking pretty good in this area. While they do abandon software, it seems that generally they give a fair bit of notice. However, even if given a lot of notice many people can still be unhappy. Note that I still read about complaints regarding XP being unsupported.  There's even the occasional complaint I come across about VB6.

Again, I don't think open source vs. closed source plays into this very much, except that with open source you at least have the possibility of self-supporting (even if it would be a lot of effort) if the vendor goes away. With closed source, you don't even get the option.
Title: Re: TrueCrypt alternative
Post by: wraith808 on June 12, 2014, 02:28 PM
If you have the name of Microsoft, or Google, or whomever behind a project, then you at least have knowledge of the history of who is making it and some knowledge of what they have done/are doing - for good or ill.  On many OSS projects, there isn't this level of transparency.  It's not about abandoning or choosing to discontinue a project.  It's about knowing who is behind the project.  If you buy from someone, there is some level of transparency on this.  On quite a few OSS projects, there isn't.  It is the same concern to a smaller degree on smaller freeware projects... but those don't give the artificial level of reassurance that knowing a project is OSS tends to.
Title: Re: TrueCrypt alternative
Post by: mwb1100 on June 12, 2014, 03:05 PM
I guess I take issue that the article portrays this as an 'open source' problem. It's not. The problem of determining whether or not you can trust the team behind a software project/product is largely independent of whether the software is open source or not.

I think that implying that this is a problem particular to open source software or even just that it's more of a problem for open source software is wrong.
Title: Re: TrueCrypt alternative
Post by: wraith808 on June 12, 2014, 03:42 PM
I guess I take issue that the article portrays this as an 'open source' problem. It's not. The problem of determining whether or not you can trust the team behind a software project/product is largely independent of whether the software is open source or not.

I think that implying that this is a problem particular to open source software or even just that it's more of a problem for open source software is wrong.


The problem that is endemic to OSS in this regard (and I know I'm guilty of it) is the transparency of who is behind the project.  I didn't even know, nor take the time to find out who was behind TrueCrypt.  Nor many of the other OSS that I use.  And I'm pretty on top of things... but having the source available makes a lot of that... just seem not to matter.

But it does.
Title: Re: TrueCrypt alternative
Post by: IainB on June 12, 2014, 07:29 PM
I would like to see a report on the still-ongoing project to audit TrueCrypt (which project website apparently also holds a full copy of all the software and code) before pronouncing it as "dead".
Presumably it was not for nothing that Amazon Web Services some time back mandated the use of only TrueCrypt for its encryption, if you wanted to use their secure storage services. That mandate would presumably have been made for solid business reasons, and they would not have entered into it lightly. That alone could spell more for TrueCrypt's longevity than any recent unexplained closure of the TrueCrypt website.
The best alternative to TrueCrypt could yet well be TrueCrypt.

Others more cynical than I might suggest that, if the TrueCrypt takedown was the result of being nobbled by the NSA (e.g., like the two encrypted email services over the last 12 months), then the TrueCrypt developers may have been left little option but to shut down, rather than be obliged to leave TrueCrypt fitted full of NSA backdoors like Symantec and Microsoft encryption have been rumoured to be.
It's all a matter of trust.
Title: Re: TrueCrypt alternative
Post by: TaoPhoenix on June 12, 2014, 09:41 PM
I would like to see a report on the still-ongoing project to audit TrueCrypt (which project website apparently also holds a full copy of all the software and code) before pronouncing it as "dead".
Presumably it was not for nothing that Amazon Web Services some time back mandated the use of only TrueCrypt for its encryption, if you wanted to use their secure storage services. That mandate would presumably have been made for solid business reasons, and they would not have entered into it lightly. That alone could spell more for TrueCrypt's longevity than any recent unexplained closure of the TrueCrypt website.
The best alternative to TrueCrypt could yet well be TrueCrypt.

Others more cynical than I might suggest that, if the TrueCrypt takedown was the result of being nobbled by the NSA (e.g., like the two encrypted email services over the last 12 months), then the TrueCrypt developers may have been left little option but to shut down, rather than be obliged to leave TrueCrypt fitted full of NSA backdoors like Symantec and Microsoft encryption have been rumoured to be.
It's all a matter of trust.

Another fascinating comment. I guess what's confusing me is to my knowledge encryption is "just an algorithm" so I'd think if you took "Iain B rulez!" it might spit out weflhjegehwgewig or whatever. But I'd think if you ran the same process twice in exactly the same way (maybe even including timestamps), you'd get the *same* gobbledygook, right?

So you'd think Amazon wouldn't mess around, and maybe at some conference they sent a rep to, he'd get to comparing notes and Google sez "Hey, your output in your test case is different from mine. What's up with that?"

So even if the NSA is putting back doors in there, aren't we back to that famous discussion of "security via obscurity"? That the NSA is gambling that the back doors it's putting in there can't be found by anyone else?

And I'm still not happy with "the devs got tired and bored so they dumped their product." How would you normally end-of-life a security encryption suite? I'd think Bruce Schneier's alarm bells and maybe connections must be as good as anyone else's, so I'm sure he's been reviewing TrueCrypt forever, so maybe prior versions *used* to be good and only a *new* NSA letter threatens future editions. And I'm also amazed how no one can "find" the developers to hear their side. With how tricky the non-reveal clauses are, if someone called the devs and gets hung up on, "no words are many words" just like they did to the website.

And then the community - let's say a backdoor is in there, I'd think they would be pissed that their entire collective study and review of the program would miss them.



Title: Re: TrueCrypt alternative
Post by: Stoic Joker on June 12, 2014, 10:08 PM
So even if the NSA is putting back doors in there, aren't we back to that famous discussion of "security via obscurity"? That the NSA is gambling that the back doors it's putting in there can't be found by anyone else?

Yes.
Title: Re: TrueCrypt alternative
Post by: IainB on June 13, 2014, 05:41 AM
It would generally be easier to set and conceal backdoors in proprietary encryption software, and for it to remain "undiscovered" because the software would not usually be open to scrutiny/audit by third parties who would thus effectively need to trust/use the software on blind faith.

Let's be speculative:

I had always been a fan of PGP (Pretty Good Privacy) encryption methods, but lost interest when PGP was acquired by Norton/Symantec as I figured it was thereby probably irretrievably lost as a definitively secure/trustworthy encryption approach/software - I mean, how would one know?

However, in the interesting case of Ramona Fricosu (January 2012) in Peyton, Colo., USA, Fricosu had been charged with conducting a fraud (a mortgage scam) and it was deemed necessary to access her Toshiba laptop to discover details about the fraud and her associates - but the laptop was secured using PGP Desktop Professional | Symantec (https://www.symantec.com/encryption-desktop-pro), which the FBI apparently claimed to be unable to unlock.
So a federal judge ruled that she had to:
...decrypt the hard drive of a Toshiba laptop computer no later than February 21--or face the consequences including contempt of court.
Refer: Judge: Americans can be forced to decrypt their laptops | Privacy Inc. - CNET News (http://file:///C:/Workdata.004/LIBRARY/Private/ScrapBook/data/20120128002645/index.html)

(Out of this came the use of a legal defence concept of "Plausible deniability".)

This was a civilian matter, not a defence matter. Maybe the FBI did have the ability to crack the encryption key, but were not about to reveal that potentially strategically and militarily important fact if it did not have to be revealed, and so forced the issue (apparently successfully) through the judicial system.
Maybe this started people looking with increasing interest at the backdoored Symantec PGP product, or maybe it wasn't backdoored. Either way, it wouldn't matter, because the public perception set by this display was that Symantec PGP is unhackable, and maybe that was desirable/necessary/intentional.

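So the alternatives to TrueCrypt could be:
TrueCrypt software - presumed to be unhackable.
Symantec PGP software - "proven" to be unhackable.
Microsoft BitLocker software + hardware - presumed to be unhackable.
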
So maybe the NSA or other SS (Secret Service) cannot hack these things. Then again, maybe they can, or have already done so some time ago.
And don't forget that it has apparently already been established that the NSA would seem to have already nobbled the so-called "random" keys used in PKE (Public Key Encryption).
Title: Re: TrueCrypt alternative
Post by: tomos on June 13, 2014, 06:07 AM
^good post

So the alternatives to TrueCrypt could be:
TrueCrypt software - presumed to be unhackable.
Symantec PGP software - "proven" to be unhackable.
Microsoft BitLocker software + hardware - presumed to be unhackable.

I trust him, I trust him not; I trust him...

Title: Re: TrueCrypt alternative
Post by: Midnight Rambler on June 19, 2014, 11:09 AM
Have been following Lincoln Spector's advice for years and he recently posted this: Data-encryption alternatives to TrueCrypt (http://windowssecrets.com/top-story/data-encryption-alternatives-to-truecrypt/).

Excerpt: Currently, I’m still using TrueCrypt. But I don’t know for how long. TrueCrypt, like many other public encryption applications, can be cracked with some effort and the right tools. With no updates, it might become more vulnerable over time. If a new version of TrueCrypt doesn’t rise from the ashes relatively soon, I’ll seriously consider moving over to Cryptainer LE or ME.

At this site (http://www.cypherix.com/index.htm), it's referred to as Cypherix rather than Cryptainer.
Title: Re: TrueCrypt alternative
Post by: mwb1100 on June 19, 2014, 12:48 PM
TrueCrypt, like many other public encryption applications, can be cracked with some effort and the right tools.
-Midnight Rambler (June 19, 2014, 11:09 AM)

What kind of effort and tools is he talking about?

TrueCrypt 7.1a is no less secure today than it was before this whole debacle started.  I've heard nothing that indicates that there's a vulnerability. In fact, the audit that so far hasn't found any evidence of a backdoor is far more evidence of no backdoor than any of the other suggested alternatives have (which haven't been looked at by an independent party at all).

I suppose it's possible that all the speculation that TrueCrypt has been weakened by the NSA  - either by planting a backdoor or by having discovered a vulnerability that hasn't been disclosed - is true, but it's all speculation as far as I know.

I doubt that any of the alternatives suggested are any more secure than TrueCrypt 7.1a, and quite possibly less secure. For example, while I don't know if BitLocker has been backdoored by the NSA, I think that a backdoor in BitLocker is at least as likely as a backdoor in TrueCrypt - and probably more likely.
Title: Re: TrueCrypt alternative
Post by: IainB on June 20, 2014, 02:32 AM
@Midnight Rambler: Thanks for that info.
Title: Re: TrueCrypt alternative
Post by: IainB on June 20, 2014, 04:23 AM
Useful ideas from windowssecrets.com newsletter:
(Copied below sans embedded hyperlinks/images.)
Data-encryption alternatives to TrueCrypt
By Lincoln Spector

It seems as if everyone who kept sensitive files secure did it with TrueCrypt. Edward Snowden depended on it. So did I.

But now that the popular disk-encryption app is effectively dead — at least for the foreseeable future — it's time to look for a replacement.

In last week's (June 12) Top Story, "The life and untimely demise of TrueCrypt," Susan Bradley reviewed the application's history and stated, "It's a mystery that we gave TrueCrypt such an extraordinary level of trust. It had dubious legal foundations, its developers were unknown, and its support was primarily relegated to forums that are now missing."

In this follow-up article, I'll discuss my own approach to protecting sensitive files, and I'll explain why I — unlike Susan — typically don't recommend Microsoft's BitLocker. I will recommend two file-encryption programs that might take TrueCrypt's place.

How safe is safe enough — and for what?
Let's use your home as an analogy. You probably keep your front door locked — at least at night and when you're away. You might have an alarm system or even bars on the windows. But your security system most likely doesn't match those used by New York's Metropolitan Museum of Art or the Getty Center in Los Angeles.

Why? Well, for one thing, you can't afford it. But mostly, it would be overkill. Few of us have anything in our homes that would attract the sort of professional thieves who might steal a Van Gogh.

To a large extent, the same rules apply to data. It takes a lot of time and skill to crack encryption, and most criminals are looking for an easy score. Even the NSA, which has the ability to crack all but the best encryption, probably won't bother. It might soak up everyone's cellphone metadata because that's relatively easy. But it reserves the hard work for the few people of interest.

That doesn't mean you shouldn't take precautions. Going back to that house analogy, encrypting sensitive files is like locking your front door — a reasonable and generally sufficient line of defense. (And you must ensure that unprotected bits of those files don't remain on your hard drive.) You also need to protect the encryption key with a long, complex password that's extremely difficult to crack — and be wary of phishing scams and other deceits that might trick you into handing over the key.

Which files should be encrypted and where?
You don't need to encrypt every file. We'll assume that neither the NSA nor criminals are really interested in your collection of cat photos or your daughter's term papers.

Obviously, you do need to protect files containing bank statements, credit-card information, and Social Security numbers — basic data about your personal identity. But you also might want to encrypt any information that you don't want others to see — and anyone else's personal information you might possess. The simple rule: If in doubt, encrypt it.

Your work might dictate different encryption procedures. For example, a small construction company might need to encrypt just a few financial and customer files, whereas nearly every file an accountant handles probably needs encryption.

The safest place for sensitive files is on an encrypted (and fully backed-up) partition or drive. File-by-file encryption can leave temporary, unencrypted copies on the hard drive. But if every sector on the drive is encrypted, these temporary copies will be unreadable as well.

I'm partial to using a virtual drive/partition — what TrueCrypt called a volume. This is typically a single, often quite large, encrypted file. When you open it with the correct password, Windows sees it as a standard drive from which you can launch files, manage them with Windows Explorer, and so on. When you're done, you close the volume and all files inside are once again inaccessible. Temporary and "deleted" files stay within the volume, so they, too, are encrypted.

You can, of course, encrypt real partitions. In fact, you can encrypt all partitions — including C:. Booting and signing in to Windows automatically opens these encrypted, physical partitions. But if someone boots the system from a flash drive or connects your hard drive to another computer, nothing will be accessible.

Arguably, this is the safest type of data protection. Because your entire hard drive is encrypted, even Windows' swap and hibernation files are locked. But full-drive encryption has its own problems. For example, you won't be able to pull files off an unbootable system by using other boot media.

Also, with full-drive encryption, all data files are accessible whenever you're signed in to the PC. They can be stolen by a remote cyber thief via malware or by a co-worker while you're on a coffee break. By contrast, you have to consciously open an encrypted volume, which can remain locked when you're in a not-so-safe environment — such as on a public Wi-Fi network.

Bottom line: Full-drive encryption makes the most sense if you work primarily and continuously with sensitive information — as in accounting. In most cases, an encrypted partition makes more sense; it's nearly as secure as full-drive encryption and offers more flexibility. File-by-file encryption is the least secure but is worth considering if you can't use drive/partition encryption, as discussed in the May 15 Top Story, "Better data and boot security for Windows PCs," and in a follow-up in this week's LangaList Plus.

BitLocker best for corporate environments
For many, Windows' own BitLocker encryption tool is the obvious TrueCrypt replacement. Susan Bradley put it at the top of her short list, and the infamous TrueCrypt warning on the SourceForge download page provides extensive directions for setting it up.

BitLocker comes with Windows 7 Ultimate and Enterprise plus Windows 8 Pro and Enterprise. It can encrypt real and virtual partitions or the entire drive. In my view, BitLocker has its place — primarily when managed by a PC expert in an office scenario. BitLocker is sort of set-and-forget; non-techie office workers can simply sign in and out of Windows in the normal way without even knowing (or caring) whether their files are encrypted.

But for personal use, BitLocker's password/key system can be overly complex or confusing. For example, when you set up BitLocker, you create an unlock password. (You can also have a BitLocker-encrypted drive unlock automatically when users sign in to Windows — or they can use a smartcard or PIN.) But you must also create a separate key-recovery password that's stored on the system if the PC has a Trusted Platform Module (TPM) chip, or on a flash drive if it doesn't. Setting up BitLocker on a system without a TPM chip can take some time and admin skills.

Basically, if you don't have a newer PC and an advanced version of Windows, BitLocker is simply not a viable option. For an individual maintaining his or her PC, it's just another layer of complication.

Here are two better data-encryption applications for personal PCs.

DiskCryptor: For drives and partitions
Like TrueCrypt, DiskCryptor is free. It's also open-source, though I'm not as confident as I once was that being open-source is an advantage. (As Susan pointed out last week, "There's even debate whether TrueCrypt qualifies as open-source.")

DiskCryptor is designed to encrypt partitions. According to the DiskCryptor site, Windows 8 isn't supported. But it seemed to work fine encrypting a separate, nonboot partition on a fully updated Win8.1 Update system.

DiskCryptor's user interface is somewhat unattractive, but it's relatively easy to figure out. The program offers industry-standard AES, Twofish, and Serpent encryptions (see Figure 1). If you're really paranoid, you can combine them, encrypting first one way and then another.

Figure 1. DiskCryptor lets you combine encryption technologies for extra security.

A simple wizard helps you quickly encrypt any partition — including C:. If you encrypt C:, you'll have to enter your DiskCryptor password before Windows will load. (If C: is your only partition, you've effectively encrypted the entire drive.) Note: As with all current, third-party encryption apps, you can't use DiskCryptor on a Win8 system's boot (C:) drive that has Secure Boot enabled. For more info, see "Reader disagrees with data-encryption advice" in this week's LangaList Plus (paid content).

Although DiskCryptor doesn't support TrueCrypt-like virtual partitions, you can use a real partition for a similar result. Use Windows' Disk Management program or a third-party partition tool to create a small, separate partition for your sensitive files. Then use DiskCryptor to encrypt that partition (see Figure 2). The result is much like a TrueCrypt volume, except that it's a real partition.

Figure 2. DiskCryptor's main menu for managing drive encryption

But using a real partition has some disadvantages. For example, the encrypted partition is clearly visible in Windows' Disk Management, though it's labeled as unformatted.

And backups can be tricky. The only way to back up the files when the partition is closed is with image-backup software. Using the default settings for EaseUS Todo Backup resulted in an error message, as shown in Figure 3. After selecting the sector-by-sector backup option, both the backup and the restore worked.

Figure 3. Backing up an encrypted partition with EaseUS default settings generated an error message.

You can also open the partition and use a conventional file-backup program. But make sure it's one that has its own built-in encryption to secure your files.

On the other hand, backup is very simple with a virtual partition, which to Windows is simply another (really big) file. Keep the file in a standard folder — such as Documents — and it'll get backed up automatically and regularly.

Cryptainer LE: The tool for virtual partitions
If, like me, you prefer a virtual partition, Cryptainer LE (also called Cypherix LE) is the better option. The free version doesn't let you create a volume greater than 100MB (see Figure 4), but if you're judicious about what you encrypt, it might be enough.

And if it isn't enough, you can shell out U.S. $30 and get Cryptainer ME, which comes with a 2.5GB-file limit. Shell out $70, and you can create terabyte-sized volumes. But if you're going that big, you may as well encrypt the whole drive.

Figure 4. The free Cryptainer LE lets you set up small encrypted volumes.

Cryptainer is easy to set up and use; the buttons are big and colorful, and — more importantly — they're easy to understand. Tabs help you use and control multiple volumes (see Figure 5).

Figure 5. Cryptainer LE has a simple menu system for creating and managing encrypted volumes.

When you set up a volume, the free version appears to offer AES 256-bit and Blowfish 488-bit encryption — but you actually get only 128-bit Blowfish. Again, for most people, that's sufficient. Blowfish 488-bit and AES 256-bit encryption are, obviously, enabled in the paid versions.

The choice: Stay with TrueCrypt or move on
If you don't already have TrueCrypt, either DiskCryptor or Cryptainer should do; it just depends on how you prefer to work with encrypted files. (Or, if your encryption needs are relatively simple, use file-by-file encryption as detailed in the May 15 Top Story.)

On the other hand, if you're already using TrueCrypt, you can probably stick with it — at least for a while. As Susan pointed out, a formal code review of TrueCrypt showed that it "does not have any back doors and still provides secure encryption that can't be easily cracked." (Note: There's still a downloadable version of TrueCrypt, but it's read-only — i.e., you can open encrypted volumes to remove files, but you can't create new ones.)

Currently, I'm still using TrueCrypt. But I don't know for how long. TrueCrypt, like many other public encryption applications, can be cracked with some effort and the right tools. With no updates, it might become more vulnerable over time. If a new version of TrueCrypt doesn't rise from the ashes relatively soon, I'll seriously consider moving over to Cryptainer LE or ME.
Title: Re: TrueCrypt alternative
Post by: 40hz on June 20, 2014, 09:31 AM
@IainB - thx for sharing that. For once I find myself almost entirely in agreement with WindowsSecrets about something important.

(Note: I do however have a problem with Cryptainer's tiered pricing scheme. In the past I've always had trouble recommending it (as in not) because of that. But that's likely more just me being me.  ;))
Title: Re: TrueCrypt alternative
Post by: wraith808 on June 20, 2014, 10:49 AM
@IainB - thx for sharing that. For once I find myself almost entirely in agreement with WindowsSecrets about something important.

(Note: I do however have a problem with Cryptainer's tiered pricing scheme. In the past I've always had trouble recommending it (as in not) because of that. But that's likely more just me being me.  ;))

Well, in the past, there were more alternatives :(  I wouldn't recommend diskcryptor just because they say that OSes are not supported.  Just because it seems to work when you encrypt it now, there's no guarantee that it won't stop working if they don't support the OS.  They presumably say that for some reason...
Title: Re: TrueCrypt alternative
Post by: IainB on June 21, 2014, 02:01 AM
...Just because it seems to work when you encrypt it now, there's no guarantee that it won't stop working if they don't support the OS.  They presumably say that for some reason...
I reckon that is a valid point, and if you follow it to a logical conclusion, then one conclusion you could end up with is Microsoft BitLocker being arguably the only safe/stable encryption tool for the Windows OSes. That might be OK if you could trust Microsoft, but Microsoft's own actions would seem to have demonstrated that there is no rational basis for such trust - quite the opposite, in fact.

For example - DRM:

For example - Stacker:
In the area of disk compression (and some encryption), MS arguably demonstrated its true colours in the '80s - refer:

Can MS be trusted not to behave like this in the future? Probably not.
The general rule would be that a good corporate psychopath - e.g., including such as Microsoft or Google - is a leopard that cannot change its spots, by law and as a legal person, and it would be irrational to expect it to do so, regardless of any corporate propaganda, hype or BS to the contrary (e.g., Google's reported "Do no evil").

There are some (a few) notable exceptions to that general rule that I am aware of, including:
- but this would be (or was) only true whilst they were still under the chairmanship of their philanthropic/Quaker founding presidents/families. However, CDC and Cadbury arguably would not have properly fitted the definition of being "a good corporate psychopath" in any event.
And then there was this curious statement from Apple's CEO (http://arstechnica.com/apple/2014/03/at-apple-shareholders-meeting-tim-cook-tells-off-climate-change-deniers/):
He didn't stop there, however, as he looked directly at the NCPPR representative and said, "If you want me to do things only for ROI reasons, you should get out of this stock."
So, we know that the motivation is probably not philanthropy (QED - by their own marketing behaviour and the apparently confirmed reports of Apple's use of slave/sweatshop labour in Asian countries), and now we know (or are being told, apparently) that it's not always ROI - so what is it? The inescapable conclusion would seem to be that it could well be (in this case, at least) for religio-political ideological reasons. But that would be incredible - because Apple is an incorporated, for-profit legal person and is obliged to act in that regard at all times.
Thus it is more likely to be driven by the usual cynical corporate psychopathy, which in this case would be to make itself appealing to the huge financial backing of a large green/environmental investment lobby, which has taken on the definite shape of an investment cartel. So Apple's CEO is more likely just a very smart businessman and was dissembling, and he will be acting to increase ROI, since you can't fault investment in green/environmental can you - especially if it is a policy that is backed by the US government?
(Whoops! Did somebody just say "Solyndra"?)
But any sensible investor (those who matter, at any rate) would have known this and would have seen the CEO's statement for what it was - a clever response to appeal to that large green/environmental investment lobby/cartel.

So who can one trust for honesty and ethical integrity in the development of encryption technology? At this point, I would have said "TrueCrypt". (Ostensibly public domain, open technology, not-for-profit.)
Hmm, tricky.
Title: Re: TrueCrypt alternative
Post by: wraith808 on June 21, 2014, 10:58 AM
I reckon that is a valid point, and if you follow it to a logical conclusion, then one conclusion you could end up with is Microsoft BitLocker being arguably the only safe/stable encryption tool for the Windows OSes. That might be OK if you could trust Microsoft, but Microsoft's own actions would seem to have demonstrated that there is no rational basis for such trust - quite the opposite, in fact.

Not exactly.  If you find an encryption tool that's valid for your current OS, then it should be valid up until the point that you change OS.  And you can take steps before you change to see (a) if that particular software supports your new OS before you install it, and (b) if not, find another and switch.
Title: Re: TrueCrypt alternative
Post by: 40hz on June 21, 2014, 11:21 AM
...because Apple is an incorporated, for-profit legal person and is obliged to act in that regard at all times.

Not really. There's no legal requirement they do so, contrary to the erroneous but widely held belief there is. That Apple (and other corporations) may, in practice, act as if there is such a requirement, is a separate issue.

An article over at the Washington Post by Neil Irwin has a good discussion about the myths and issues surrounding the notion of "maximizing shareholder value." Find it here (http://www.washingtonpost.com/blogs/wonkblog/wp/2013/09/09/how-the-cult-of-shareholder-value-wrecked-american-business/?wprss=rss_ezra-klein&clsrd=&utm_source=dlvr.it&utm_medium=twitter).

From the article:

...There are no statutes that put the shareholder at the top of the corporate priority list. In most states, corporations can be formed for any lawful purpose. Cornell University law professor Lynn Stout has been looking for years for a corporate charter that even mentions maximizing profits or share price. She hasn’t found one.

Nor does the law require, as many believe, that executives and directors owe a special fiduciary duty to shareholders. The fiduciary duty, in fact, is owed simply to the corporation, which is owned by no one, just as you and I are owned by no one — we are all “persons” in the eyes of the law. Shareholders, however, have a contractual claim to the “residual value” of the corporation once all its other obligations have been satisfied — and even then directors are given wide latitude to make whatever use of that residual value they choose, as long as they’re not stealing it for themselves.

It is true that only shareholders have the power to select a corporation’s directors. But it requires the peculiar imagination of a corporate lawyer to leap from that to a broad mandate that those directors have a duty to put the interests of shareholders above all others...


I think it's important to keep in mind that companies do what they do for their own reasons. There are no laws which compel them to behave in an immoral or abusive manner. That some in business attempt to claim there are such laws is simply a smokescreen put up in the attempt to avoid culpability for acts which often are illegal. So let's not get taken in by it.
 :)

Title: Re: TrueCrypt alternative
Post by: IainB on June 21, 2014, 02:09 PM
@40hz: Though I am a bit rusty now, I don't think it will have changed much in UK Company law since I studied it years ago, where I recall that the link to any implicit obligation for financial performance is from the shareholders via the Articles of Association which is the document created when a company is initially formed. In short, the Articles are the legal means by which the shareholders may exercise control over the day-to-day operation of the company by the Board of Directors. In a for-profit company, the shareholders will require annual profitability and growth, and can/will turf out Board members who do not demonstrate an ability to meet or successfully pull the company towards those objectives.
They can do this via the mechanism of special or annual general meetings, where they can also confirm/re-elect well-performing directors, to retain them for another year/term, and elect new/additional directors, and vote on various proposed resolutions on the published AGM agenda.

The ROI for the "A" ordinary shareholders (i.e., those with voting shares entitling them to vote in the AGM) would usually be a combination of actual dividend/interest paid on their stocks (or accrued/retained) and the growth in market value of the share price. The shares have a nominal value, which will tend to be exceeded by the market value if the company is profitable. Other stockholders - e.g., "B" ordinary shareholders (non-voting), and debenture holders and preference shareholders, may have slightly different objectives for ROI peculiar to their stakeholding, but they will all share the common objective of making a profit out of their stakeholdings.

I thus must admit to a certain confusion when considering the notion of (say) running a FP (for-profit) company as though it were NFP (not-for-profit), since the idea itself would be absurd, the company would soon be wound up or need to have its Articles and tax status changed appropriately - a NFP would generally have different purposes, Articles and governance structure to a FP company.

I certainly do not consider myself an authority, and what I say generally comes from narrow but mixed experience including having previously been a chief accountant for a UK company, involved as an accountant in setting-up several small FP companies in the UK, acting pro bono as an accounting systems advisor to a leprosy charity based in the UK, acting as a tax accountant to a UK property company, having reported to a director on the board of a syndicated multi-bank off-balance-sheet banking subsidiary in Australasia, and being a director of two companies at present in Australasia, and from having also been a director on the board of the UK charitable trust for an international educational organisation based in Europe.

So, with that narrow experience, I would not be able to state definitively what the law might be relating to Apple or any other US corporation. Where I mainly got my information from in that regard was from a study of the history of the '80s corporate collapse syndrome in US and Germany, and from doing some research in 2004 after watching the fascinating documentary "The Corporation". It was the latter that led me to understand that US (and I think it included Canadian) corporations were different to UK companies in that they had some kind of an explicit legal objective to operate to maximise legally-earned profits and which thus encouraged/compelled management behaviours that could effectively sometimes make them operate as "corporate psychopaths" (which concept has been discussed quite a bit, elsewhere in the DC Forum). I regret if I was mistaken or if I took what the documentary talked about at face value and did not think to verify what the relevant US/Canadian company law actually was. I shall have to do some more homework now.    :-[
Title: Re: TrueCrypt alternative
Post by: IainB on June 21, 2014, 02:21 PM

I reckon that is a valid point, and if you follow it to a logical conclusion, then one conclusion you could end up with is Microsoft BitLocker being arguably the only safe/stable encryption tool for the Windows OSes. That might be OK if you could trust Microsoft, but Microsoft's own actions would seem to have demonstrated that there is no rational basis for such trust - quite the opposite, in fact.
Not exactly.  If you find an encryption tool that's valid for your current OS, then it should be valid up until the point that you change OS.  And you can take steps before you change to see (a) if that particular software supports your new OS before you install it, and (b) if not, find another and switch.

Not sure I understand you there. Are you trying to say that the argument:
if you follow it to a logical conclusion, then one conclusion you could end up with is Microsoft BitLocker being arguably the only safe/stable encryption tool for the Windows OSes.
- is incorrect?
Title: Re: TrueCrypt alternative
Post by: wraith808 on June 21, 2014, 03:09 PM
I reckon that is a valid point, and if you follow it to a logical conclusion, then one conclusion you could end up with is Microsoft BitLocker being arguably the only safe/stable encryption tool for the Windows OSes. That might be OK if you could trust Microsoft, but Microsoft's own actions would seem to have demonstrated that there is no rational basis for such trust - quite the opposite, in fact.
Not exactly.  If you find an encryption tool that's valid for your current OS, then it should be valid up until the point that you change OS.  And you can take steps before you change to see (a) if that particular software supports your new OS before you install it, and (b) if not, find another and switch.

Not sure I understand you there. Are you trying to say that the argument:
if you follow it to a logical conclusion, then one conclusion you could end up with is Microsoft BitLocker being arguably the only safe/stable encryption tool for the Windows OSes.
- is incorrect?

Yes.  The only argument I was making was that if they say it's not compatible with the OS, they are probably saying it for a reason, and if they aren't supporting the OS, then just because it works now, doesn't mean it always will.  If they are *actively supporting the OS*, then I think if you trust it, the stability isn't really in question.  Changes within the cycle for an OS can affect any software, including Microsoft's.
Title: Re: TrueCrypt alternative
Post by: IainB on June 21, 2014, 11:34 PM
@wraith808: Ah, I think I see what you meant. I think you pretty much made that point earlier too.
What I was suggesting wasn't refuted by that though, since it could still be correct as far as it went as a general possibility.
What I was alluding to was the possibility that the narrowing of choice of encryption systems by the abrupt removal of TrueCrypt from the market scene (coincidentally preceded by unusual and well-publicised FUD with only vaguely apparent sources) might not have been an entirely coincidental set of events.
Wouldn't it be a pleasant surprise for Microsoft if BitLocker came out as being suddenly the market's apparently best-choice best-man-left-standing encryption system? Ah, serendipity.

Some people (not me, you understand) might say that the open technology of TrueCrypt could have been just too good by far and too difficult for "criminals" to hack, and so had to be summarily executed, and that the criminals may wish to encourage us to use a standard proprietary encryption system which they had the keys to - as and when they might need them. And it would be good if we could be encouraged to pay for this at the same time. However, I couldn't possibly comment.
Title: Re: TrueCrypt alternative
Post by: The_Doomer on June 22, 2014, 06:12 AM
Hi!

Maybe Veracrypt (https://veracrypt.codeplex.com/) could be an alternative for Truecrypt.
Title: Re: TrueCrypt alternative
Post by: IainB on June 22, 2014, 10:06 AM
@The_Doomer: Thanks. Looks rather very interesting.   :up:
I wonder if Amazon AWS is a potential candidate for using Veracrypt? Maybe not without some difficulty, as I see the latter, though based on TrueCrypt:
VeraCrypt storage format is INCOMPATIBLE with TrueCrypt storage format.

PS: Nice icon you have there...
Title: Re: TrueCrypt alternative
Post by: cyoung_mi on June 22, 2014, 10:52 AM
TrueCrypt is still alive and well!  

GRC.com TrueCrypt Archive.  https://www.grc.com/misc/truecrypt/truecrypt.htm (https://www.grc.com/misc/truecrypt/truecrypt.htm)
Title: Re: TrueCrypt alternative
Post by: Midnight Rambler on June 22, 2014, 12:10 PM
Interesting read, cyoung_mi.  So stick with v7.1a for now until late summer of 2014. 
Title: Re: TrueCrypt alternative
Post by: IainB on June 22, 2014, 07:09 PM
@cyoung_mi: Thanks for the link to the Gibson Research post. Very interesting.
Note that once TrueCrypt has been independently audited
it will be the only mass storage encryption solution to have
been audited. This will likely cement TrueCrypt's position
as the top, cross-platform, mass storage encryption tool.

This was why the developers' actions - attempting to pull the plug on TC - seem so strange, and premature. They would have known whether the audit was likely to find any major fault, and that their pulling the plug was unlikely to stop the audit completing in any event.
Title: Re: TrueCrypt alternative
Post by: 40hz on June 22, 2014, 10:17 PM
In the end I strongly suspect there'll be nothing at all mysterious or sinister behind any of this. I'm guessing they were simply hired by somebody, and were either required to ditch their old opus as a condition of employment/contract - or they did it on their own as a gesture of goodwill to whomever. Probably either Microsoft or Uncle Sam.
 :huh:

Title: Re: TrueCrypt alternative
Post by: paulobrabo on June 22, 2014, 11:47 PM
In the end I strongly suspect there'll be nothing at all mysterious or sinister behind any of this. I'm guessing they were simply hired by somebody, and were either required to ditch their old opus as a condition of employment/contract - or they did it on their own as a gesture of goodwill to whomever. Probably either Microsoft or Uncle Sam. :huh:

I can't think of anything more sinister than that!  ;D
Title: Re: TrueCrypt alternative
Post by: rnordstrom87 on June 25, 2014, 02:38 PM
I have been using skycrypt for a few months and it seems to work for me. I tried the free trial from skycrypt.com. Does anyone have experience with this?
Title: Re: TrueCrypt alternative
Post by: panzer on July 03, 2014, 03:22 AM
CipherShed is free encryption software for keeping your data secure and private. It started as a fork of the now-discontinued TrueCrypt Project (coming soon):
https://ciphershed.org/
Title: Re: TrueCrypt alternative
Post by: Midnight Rambler on July 03, 2014, 09:19 AM
CipherShed is free encryption software for keeping your data secure and private. It started as a fork of the now-discontinued TrueCrypt Project (coming soon):
https://ciphershed.org/

GUI appears like a TrueCrypt clone.  Looks promising.  Too bad it's still in development.  Thanks for the heads-up.
Title: Re: TrueCrypt alternative
Post by: Midnight Rambler on July 07, 2014, 06:18 PM
More alternatives: So long, TrueCrypt: 5 alternative encryption tools (http://www.pcworld.com/article/2304851/so-long-truecrypt-5-encryption-alternatives-that-can-lock-down-your-data.html).

Once again, TrueCrypt 7.1 and DiskCryptor are recommended.
Title: Re: TrueCrypt alternative
Post by: Tuxman on July 07, 2014, 09:07 PM
I've been spending the past few hours encrypting an OpenBSD machine with OpenBSD's own softraid(8) tools. At least full disk encryption works like a charm. Container files might work via vndconfig (which is deprecated). So, basically, OpenBSD seems to be a viable TrueCrypt alternative.
Title: Re: TrueCrypt alternative
Post by: Midnight Rambler on November 20, 2014, 10:07 AM
Maybe Veracrypt (https://veracrypt.codeplex.com/) could be an alternative for Truecrypt.

From this article, How to encrypt sensitive data? Put it in an encrypted container (http://www.pcworld.com/article/2835162/how-to-encrypt-sensitive-data-put-it-in-an-encrypted-container.html#tk.nl_pwr), VeraCrypt looks to be a TrueCrypt clone which implies a shorter learning curve.  Going to install this to, um - verify.
Title: Re: TrueCrypt alternative
Post by: mwb1100 on November 20, 2014, 05:11 PM
Like CipherShed (formerly truecrypt.ch or TCnext), VeraCrypt is a fork of TrueCrypt.  Apparently one difference in VeraCrypt is that the containers are not compatible with TC containers for some reason that I don't fully understand (something to do with the number of rounds of hashing that keys go through).

A blog posting on CipherShed indicates that there's some level of cooperation between CipherShed and VeraCrypt, but it's unclear to what degree:

  - https://truecrypt.ch/2014/06/veracrypt-truecrypt-ch-working-together-towards-common-goal/
Title: Re: TrueCrypt alternative
Post by: Midnight Rambler on November 20, 2014, 07:27 PM
Indeed.  VeraCrypt wouldn't open one of my TC files.  The program just hanged (hung?).  Maybe the next version will or one can create a new container with the same files and delete the TC container along with TC itself.

I'm glad at least there is a viable alternative available that's both free and open source.  It appears to be the most versatile currently available and I tend to trust Lincoln Spector's advice.
Title: Re: TrueCrypt alternative
Post by: Midnight Rambler on November 21, 2014, 12:57 PM
Emailed Spector regarding the article and his response:

VeraCrypt changed its file format to improve security. It should have offered TrueCrypt file support--at least in read-only--but it didn't.
You can still download TrueCrypt 7.2, which I believe is read-only. Use it to move your files to a new VeraCrypt container.


So one should create a new VeraCrypt container, transfer the TC files into it then delete the TC container along with TC itself.  Think though I'll wait to do this until a newer version of VeraCrypt is posted as I have a bias against v. 1.x programs.  Rather like never buying the first model year of a new car model, which brings to mind another advantage of TC in that it was a mature program.  Sure will miss it despite its funky container setup procedure.
Title: Re: TrueCrypt alternative
Post by: Midnight Rambler on April 03, 2015, 07:18 PM
TrueCrypt audit shows no sign of NSA backdoors, just some minor glitches (http://www.pcworld.com/article/2905995/truecrypt-audit-shows-no-sign-of-nsa-backdoors-just-some-minor-glitches.html#tk.nl_today).

V. 7.1a still good to go apparently.
Title: Re: TrueCrypt alternative
Post by: f0dder on April 04, 2015, 04:17 AM
I'm with TrueCrypt 7.1a for my offline storage until one of the TC forks mature, and dm-crypt on my file server.

The algorithms are industry-standard, there seems to be no planted backdoors, and so far the issues found by the audit have been minor - there's no viable cold-attacks, which is the only thing that really matters. Yeah, being able to tweak the PBKDF2 rounds would be good, but that is really just a password brute-force mitigation, not a super big issue.

As for why the TC authors decided to pull the plug, perhaps we'll never know. My guess, though, is that it's a combination of two simple factors:
1) Fatigue/Real-Life. The authors worked on the project for more than 10 years.
2) Technical issues supporting it on modern OSes.

Issue #2 deserves a more thorough explanation. Basically, the only way to use TrueCrypt entirely securely on Windows is using an encrypted system partition. If you only use it for data partitions, you risk your encryption keys leaking to your page or hibernation files. You can't entirely avoid these issues through code (disabling hibernation and paging should be OK, though, but most people don't/can't run like that).

Supporting encrypted system partition requires some pretty low-level code, and UEFI booting changes everything. Combine fatigue with the massive amount of work it would be supporting UEFI-booting and the fact that both OSX and Windows now have very good built-in encryption, and you have an Occam's Razor of the discontinuation. (I'm sure NSA don't mind that the project was stopped, but I don't really think they flexed their muscle).

As for MS BitLocker and Apple FileVault, I would be very, very, very surprised if they contained backdoors. Those are the encryption systems I'd use for company laptops, and certainly not slow junk like Symantec and others produce. I'm pretty confident there's no cold-attacks against BL or FV.

However, if I were up to mischief, I wouldn't use either of the two... but that's because I'd never do mischievous things on Windows or OSX... there are so many other ways for Apple, Microsoft and others to Get Root on those systems if you become targeted.
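
Added illustration, not part of the thread and not TrueCrypt or VeraCrypt code: a toy volume header showing the PBKDF2 round-count point made in the post above and in mwb1100's earlier post. A tool that derives the header key with a different number of rounds cannot open the container even with the right password, and more rounds only raise the cost of each password guess. The header layout, the `VHDR` marker, both round counts and the SHAKE-based stand-in cipher are assumptions made for the example.

```python
"""Toy volume header: the KDF round count decides which tool can open it."""
import hashlib
import hmac
import os
import time

MAGIC = b"VHDR"            # constructed marker, stands in for a real header magic
LEGACY_ROUNDS = 1_000      # illustrative round count for an "older" tool (assumption)
HARDENED_ROUNDS = 500_000  # illustrative round count for a "newer" tool (assumption)
SALT_LEN = 64


def derive_key(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Header key = PBKDF2-HMAC-SHA512(password, salt, rounds)."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, rounds, dklen=64)


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the real disk cipher: XOR with a SHAKE-256 keystream."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def create_header(password: bytes, rounds: int, master_key: bytes = None) -> bytes:
    """salt || Enc(header_key, MAGIC || master_key || checksum).

    Note that the round count is NOT stored anywhere in the header.
    """
    salt = os.urandom(SALT_LEN)
    master_key = master_key or os.urandom(32)
    body = MAGIC + master_key
    body += hashlib.sha256(body).digest()[:4]
    return salt + _keystream_xor(derive_key(password, salt, rounds), body)


def open_header(header: bytes, password: bytes, rounds_to_try):
    """Try each round count the tool knows; return (rounds, master_key) or None."""
    salt, blob = header[:SALT_LEN], header[SALT_LEN:]
    for rounds in rounds_to_try:
        body = _keystream_xor(derive_key(password, salt, rounds), blob)
        payload, check = body[:-4], body[-4:]
        expected = hashlib.sha256(payload).digest()[:4]
        if payload.startswith(MAGIC) and hmac.compare_digest(expected, check):
            return rounds, payload[len(MAGIC):]
    return None  # wrong password OR unknown round count: indistinguishable


def seconds_per_guess(rounds: int) -> float:
    """Wall-clock cost of testing one candidate password at this round count."""
    start = time.perf_counter()
    derive_key(b"candidate-password", b"\x00" * SALT_LEN, rounds)
    return time.perf_counter() - start


if __name__ == "__main__":
    password = b"correct horse battery staple"  # constructed sample input
    old_volume = create_header(password, LEGACY_ROUNDS)

    # A tool that only knows the hardened count fails with the right password.
    print("new-only tool :", open_header(old_volume, password, [HARDENED_ROUNDS]))
    # A tool that also tries the legacy count succeeds.
    result = open_header(old_volume, password, [HARDENED_ROUNDS, LEGACY_ROUNDS])
    print("compat tool   : opened with", result[0], "rounds")

    fast, slow = seconds_per_guess(LEGACY_ROUNDS), seconds_per_guess(HARDENED_ROUNDS)
    print(f"cost per guess: {fast:.5f}s vs {slow:.5f}s (~{slow / fast:.0f}x)")
```

The higher count multiplies an attacker's work per guess by the same factor it multiplies the legitimate user's mount time, so it slows guessing of weak passwords without changing the strength of the cipher itself.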
Title: Re: TrueCrypt alternative
Post by: Innuendo on April 04, 2015, 09:44 AM
I'm very pleased to hear that TrueCrypt has been audited and deemed secure. I mostly use it to keep out the casually curious than to keep anything 'super important' secure so I can accept the possibility that things might leak into the hibernation and paging files. The casually curious don't have the skills to capitalize on that. However, I'll be watching the forks with interest.

However, for those who do have 'super important' stuff to secure or those who are exceptionally paranoid or security-conscious, something Linux-based or OpenBSD-based is the only way to go. No. Really. It *is* the *only* way to go. Open source, the ability to compile everything yourself, security permissions down to the per-file level are just a few of the tools for the security-minded individual to protect what he feels is worth protecting.
Title: Re: TrueCrypt alternative
Post by: f0dder on April 04, 2015, 01:24 PM
I'm very pleased to hear that TrueCrypt has been audited and deemed secure.
Please note that it has only been partially audited (last time I checked, anyway, several months ago. Haven't heard any news about the audit, but haven't followed up, either. No wonder if all that has been stalled a bit with the project shutdown and forking...) - but the partial work has been reassuring. And yes, an audit is necessary for a project like TrueCrypt, since the "many eyes" argument of open source has failed again and again.

However, for those who do have 'super important' stuff to secure or those who are exceptionally paranoid or security-conscious, something Linux-based or OpenBSD-based is the only way to go. No. Really. It *is* the *only* way to go. Open source, the ability to compile everything yourself, security permissions down to the per-file level are just a few of the tools for the security-minded individual to protect what he feels is worth protecting.
Windows/NTFS has way more fine-grained access control than you find on your typical *u*x, but other than that, yeah. Kinda. Reflections on Trusting Trust (http://cm.bell-labs.com/who/ken/trust.html) and all that - but it certainly is easier to get a feeling of confidence with an open-source stack...
Title: Re: TrueCrypt alternative
Post by: Innuendo on April 04, 2015, 09:24 PM
Please note that it has only been partially audited (last time I checked, anyway, several months ago. Haven't heard any news about the audit, but haven't followed up, either.

I'm going by the linked article that Midnight Rambler posted above on April 3rd. The article, written by Jared Newman, states that the audit has come to a close. TrueCrypt has been deemed to be totally secure with the exception of some minor glitches. He covers those glitches in detail and outlines what the forks are doing to correct them.

Windows/NTFS has way more fine-grained access control than you find on your typical *u*x, but other than that, yeah. Kinda.

I decided not to go there with Windows/NTFS because those who want s00per-sekrit file encryption are the same people who do not trust Microsoft. So to echo your sentiment....yeah. Kinda. :)
Title: Re: TrueCrypt alternative
Post by: TaoPhoenix on April 04, 2015, 11:35 PM
...And yes, an audit is necessary for a project like TrueCrypt, since the "many eyes" argument of open source has failed again and again.

I think this is a different nuance of minor note along the way.

To me the "many eyes" of "regular" open source software is at the first level to hopefully catch nasty errors that just do "low to medium" level damage. Anything from irritants to data loss, to even at the mid level making sure there's no security hole.

But the software itself "is tame" - maybe server code, maybe some application, whatever. It "just does stuff that isn't quite exciting when it's behaving".

But software *designed to encrypt material against knowing target enemies using best-of-breed and even (govt/super-corps) "better than best of breed" attempts to break it - go beyond just needing "eyes" - you need "attestation services" which is what an audit is.

Ignoring for ex server code just for a moment, so long as an application doesn't destroy my data, I  "grudgingly don't care what it does after grumping about it" - varying levels of annoying from irritating to Enhanced Experiences, but in the end it's "just bad software". But if someone either cracks open TrueCrypt&cousins or someone put backdoors in it, "data traveling" can ruin ... lives!

 :o
Title: Re: TrueCrypt alternative
Post by: 4wd on April 14, 2015, 05:40 PM
FWIW, VeraCrypt (https://veracrypt.codeplex.com/) has been able to mount/convert TrueCrypt partitions (non-system) and containers since v1.0f (30-12-2014).

And can mount, but not convert, a TC system partition since v1.0f-2 (05-04-2014).

The above is WRT Windows OS.
Title: Re: TrueCrypt alternative
Post by: Midnight Rambler on June 04, 2015, 12:18 PM
Kryptel Standard Edition 7.1 is free via this link (http://www.windowsdeal.com/w/kryptel-standard-edition-discount-coupon-code/).  What's nice is there's a USB version.
Title: Re: TrueCrypt alternative
Post by: Lolipop Jones on June 04, 2015, 02:58 PM
Personally I am still using TC 7.1a.   

If the NSA or someone with similar skills and resources decides they want to see what's on my computer, I already have much bigger problems than a few torrented movies and stream recordings off of Spotify that may be sitting there.

My biggest concern would be anyone getting my logins and financial info.  This is protected within a KeePass file which has both a strong password and a keyfile (the latter hidden inside the windows\system folder) all of which is inside a TrueCrypt file which also has a strong password and a keyfile (the latter is stored on a USB stick I keep in my wallet, and a backup in my safe deposit box).

So far I haven't seen any signs of a TrueCrypt vulnerability that would enable J. Malicious Hacker to get to the valuable stuff, given the way I have it set up.
Title: Re: TrueCrypt alternative
Post by: IainB on June 04, 2015, 09:58 PM
@Lolipop Jones: Reading this reminds me that I should consider using TC 7.1a as the "alternative" to TrueCrypt.
Sounds like your data backup is certainly secure - exactly the way, for example, that Tresorit isn't.
Title: Re: TrueCrypt alternative
Post by: IainB on June 04, 2015, 10:18 PM
Coincidentally, I just read this in my feed-reader: Governments of the World Agree: Encryption Must Die! (http://lauren.vortex.com/archive/001104.html).
I think the writer makes a point - or two - but probably nothing that we collectively might not have already independently observed.
However, the article got me to thinking: Wouldn't it be a piece of bad luck if, for some merely technical reason, TC and other perfectly good encryption systems discussed in this thread were not supported by new operating systems or file systems ... for example, (say) in Win10 or later?    :tellme:
Title: Re: TrueCrypt alternative
Post by: TaoPhoenix on June 05, 2015, 01:28 AM
Coincidentally, I just read this in my feed-reader: Governments of the World Agree: Encryption Must Die! (http://lauren.vortex.com/archive/001104.html).
I think the writer makes a point - or two - but probably nothing that we collectively might not have already independently observed.
However, the article got me to thinking: Wouldn't it be a piece of bad luck if, for some merely technical reason, TC and other perfectly good encryption systems discussed in this thread were not supported by new operating systems or file systems ... for example, (say) in Win10 or later?    :tellme:

"Never assume malice before assuming incompetence". Except here they begin to twist together...

I'll bring up the harmless case ... Media Center. Of all the stuff that's falling off the page with the Win 10 upgrade, why is THAT suddenly getting nuked?

Linking about three things together, (from NeoWin's copy) "If you have Windows 7 Home Premium, Windows 7 Professional, Windows 7 Ultimate, Windows 8 Pro with Media Center, or Windows 8.1 Pro with Media Center and you install Windows 10, Windows Media Center will be removed." I haven't dug, but I didn't see any splashy reasons why - this from the company that prided itself on supporting stuff back to like DOS 3.x or something. So Media Center was important enough to be part of two full iterations of the OS, and now it is going to "be removed"?! What is THAT?!

The other ones are fiddling with versions of stuff, but this is a major application that is mysteriously "getting removed". It's not about the media ... it's about "____ getting removed when you upgrade". Now mash that up with their announced "rolling upgrades" and how we're all nervous at the lack of hardcoded ISOs or whatever for milestones. It's that whole "we are changing what you think your OS will do. Pray we don't change it further when we decide TrueCrypt will be removed when you upgrade."

Title: Re: TrueCrypt alternative
Post by: ewemoa on September 30, 2015, 07:24 AM
Fix two TrueCrypt vulnerabilities reported by James Forshaw (Google Project Zero)
  CVE-2015-7358 (critical): Local Elevation of Privilege on Windows by abusing drive letter handling.
  CVE-2015-7359: Local Elevation of Privilege on Windows caused by incorrect Impersonation Token Handling.

via https://veracrypt.codeplex.com/wikipage?title=Release%20Notes
Title: Re: TrueCrypt alternative
Post by: panzer on November 20, 2015, 12:51 PM
http://arstechnica.com/security/2015/11/truecrypt-is-safer-than-previously-reported-detailed-analysis-concludes/
Title: Re: TrueCrypt alternative
Post by: Midnight Rambler on October 18, 2016, 05:22 PM
Critical flaws found in open-source encryption software VeraCrypt (http://www.pcworld.com/article/3132368/security/critical-flaws-found-in-open-source-encryption-software-veracrypt.html).