TrueCrypt alternative

Midnight Rambler:
TrueCrypt audit shows no sign of NSA backdoors, just some minor glitches.

V. 7.1a still good to go apparently.

f0dder:
I'm with TrueCrypt 7.1a for my offline storage until one of the TC forks matures, and dm-crypt on my file server.

The algorithms are industry-standard, there seem to be no planted backdoors, and so far the issues found by the audit have been minor - there are no viable cold-attacks, which is the only thing that really matters. Yeah, being able to tweak the PBKDF2 rounds would be good, but that is really just a password brute-force mitigation, not a super big issue.

As for why the TC authors decided to pull the plug, perhaps we'll never know. My guess, though, is that it's a combination of two simple factors:
1) Fatigue/Real-Life. The authors worked on the project for more than 10 years.
2) Technical issues supporting it on modern OSes.

Issue #2 deserves a more thorough explanation. Basically, the only way to use TrueCrypt entirely securely on Windows is using an encrypted system partition. If you only use it for data partitions, you risk your encryption keys leaking to your page or hibernation files. You can't entirely avoid these issues through code (disabling hibernation and paging should be OK, though, but most people don't/can't run like that).

Supporting encrypted system partition requires some pretty low-level code, and UEFI booting changes everything. Combine fatigue with the massive amount of work it would be supporting UEFI-booting and the fact that both OSX and Windows now have very good built-in encryption, and you have an Occam's Razor of the discontinuation. (I'm sure NSA don't mind that the project was stopped, but I don't really think they flexed their muscle).

As for MS BitLocker and Apple FileVault, I would be very, very, very surprised if they contained backdoors. Those are the encryption systems I'd use for company laptops, and certainly not slow junk like Symantec and others produce. I'm pretty confident there's no cold-attacks against BL or FV.

However, if I were up to mischief, I wouldn't use either of the two... but that's because I'd never do mischievous things on Windows or OSX... there are so many other ways for Apple, Microsoft and others to Get Root on those systems if you become targeted.
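
Added example, not part of f0dder's post or of the thread: a PowerShell check for the two leak paths the post describes (hibernation file and page file) on a Windows machine where only data partitions are encrypted. The function name Get-KeyLeakSurface is hypothetical; the registry values and cmdlets are standard Windows ones, and the script assumes an elevated session.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Reports the settings that let Windows write RAM contents, which can include
# the keys of a mounted data volume, to the system disk.
function Get-KeyLeakSurface {
    $report = [ordered]@{}

    # hiberfil.sys holds an image of RAM while the machine is powered off.
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hib = (Get-ItemProperty -Path $powerKey -ErrorAction SilentlyContinue).HibernateEnabled
    if ($null -eq $hib) { $report.Hibernation = 'unknown (HibernateEnabled not set)' }
    elseif ($hib -ne 0) { $report.Hibernation = 'ENABLED' }
    else                { $report.Hibernation = 'disabled' }

    # Any active page file can receive pageable memory from any process.
    $pageFiles = @(Get-CimInstance -ClassName Win32_PageFileUsage)
    if ($pageFiles.Count -gt 0) { $report.PageFiles = $pageFiles.Name -join ', ' }
    else                        { $report.PageFiles = 'none' }

    # Wiping the page file at shutdown only helps after a clean shutdown,
    # not after power loss or seizure of a running machine.
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $clear = (Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    $report.ClearPageFileAtShutdown = [bool]$clear

    # If the system volume is itself encrypted, both files are encrypted at rest.
    # Get-BitLockerVolume only reports BitLocker; a system partition encrypted
    # with TrueCrypt or a fork has to be confirmed in that tool instead.
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $report.SystemVolumeBitLocker = "$($bl.VolumeStatus), protection $($bl.ProtectionStatus)"
    } catch {
        $report.SystemVolumeBitLocker = 'not available (no BitLocker module or not elevated)'
    }

    [pscustomobject]$report
}

Get-KeyLeakSurface | Format-List
```

A machine that reports hibernation ENABLED or a page file in use, with no encrypted system volume, is in the situation the post describes. Hibernation is switched off with `powercfg /hibernate off`.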

Innuendo:
I'm very pleased to hear that TrueCrypt has been audited and deemed secure. I use it more to keep out the casually curious than to keep anything 'super important' secure, so I can accept the possibility that things might leak into the hibernation and paging files. The casually curious don't have the skills to capitalize on that. However, I'll be watching the forks with interest.

However, for those who do have 'super important' stuff to secure or those who are exceptionally paranoid or security-conscious, something Linux-based or OpenBSD-based is the only way to go. No. Really. It *is* the *only* way to go. Open source, the ability to compile everything yourself, security permissions down to the per-file level are just a few of the tools for the security-minded individual to protect what he feels is worth protecting.

f0dder:
--- Quote from: Innuendo (April 04, 2015, 09:44 AM) ---
I'm very pleased to hear that TrueCrypt has been audited and deemed secure.
--- End quote ---
Please note that it has only been partially audited (last time I checked, anyway, several months ago. Haven't heard any news about the audit, but haven't followed up, either. No wonder if all that has been stalled a bit with the project shutdown and forking...) - but the partial work has been reassuring. And yes, an audit is necessary for a project like TrueCrypt, since the "many eyes" argument of open source has failed again and again.

--- Quote from: Innuendo (April 04, 2015, 09:44 AM) ---
However, for those who do have 'super important' stuff to secure or those who are exceptionally paranoid or security-conscious, something Linux-based or OpenBSD-based is the only way to go. No. Really. It *is* the *only* way to go. Open source, the ability to compile everything yourself, security permissions down to the per-file level are just a few of the tools for the security-minded individual to protect what he feels is worth protecting.
--- End quote ---
Windows/NTFS has way more fine-grained access control than you find on your typical *u*x, but other than that, yeah. Kinda. Reflections on Trusting Trust and all that - but it certainly is easier to get a feeling of confidence with an open-source stack...

Innuendo:
--- Quote from: f0dder (April 04, 2015, 01:24 PM) ---
Please note that it has only been partially audited (last time I checked, anyway, several months ago. Haven't heard any news about the audit, but haven't followed up, either.
--- End quote ---

I'm going by the linked article that Midnight Rambler posted above on April 3rd. The article, written by Jared Newman, states that the audit has come to a close. TrueCrypt has been deemed to be totally secure with the exception of some minor glitches. He covers those glitches in detail and outlines what the forks are doing to correct them.

--- Quote ---
Windows/NTFS has way more fine-grained access control than you find on your typical *u*x, but other than that, yeah. Kinda.
--- End quote ---

I decided not to go there with Windows/NTFS because those who want s00per-sekrit file encryption are the same people who do not trust Microsoft. So to echo your sentiment....yeah. Kinda. :)
