Encryption software, now that TrueCrypt has ceased operations?

[waterjug]

I remember a year or so ago that TrueCrypt stopped running their project, what are people using now to replace it?

 

[tnt118]

I'm still using TrueCrypt 7.1a and, at least in my circle, that remains the solution of choice.

 

[Mushkins]

From a professional and security standpoint, I would not recommend TrueCrypt as a solution due to the absolutely sketchy way it was abandoned and the things independent security audits have found after the fact.

That being said, nothing has really taken its place in the enthusiast space. So it's still better than the alternative of not encrypting at all. If you're talking enterprise, there's tons of encryption products available from reputable vendors whereas TrueCrypt was never really an enterprise-grade solution due to lack of any sort of centralized management.

 

[Captante]

If for example all your doing is protecting personal data on a laptop in case of theft or loss Truecrypt is most likely still fine.

Anything more serious then that I wouldn't rely on it, although as Mushkins said above there's really no slam-dunk alternative.

 

[waterjug]

Thanks! This is non-enterprise; I just want to protect from loss, etc.

 

[John Connor]

Truecrypt is perfectly fine. It went though an extensive audit and other than some sloppy code it will keep your data protected on a PC that is shut down.

I would NEVER trust propitiatory crap!

 

[srohanahmed]

Never heard about it tough :sneaky:

 

[PrincessFrosty]

I remember a year or so ago that TrueCrypt stopped running their project, what are people using now to replace it?

I'm still using TrueCrypt, the fact that it's not "supported" isn't really relevant to anything, it's one of the few encryption applications which is both open source and has been audited for security by a neutral 3rd party. It also works well enough up to Win10, I think the only issue it has right now is doing FDE with a boot partition on motherboards that only use UEFI as a replacement for BIOS.

You could use a fork of truecrypt of which there are now several, things like Veracrypt but at the end of the day that's just more risk that using the last audited version of TrueCrypt.

 

[Joepublic2]

On windows Bitlocker is fine as far as preventing data loss due to hardware loss/theft. They just upgraded it to support XTS cipher mode if you're using win10 >= version 1151. Older versions were "behind the curve" (hyuck) and limited to CBC mode. It can encrypt GPT formatted boot drives as well and can use a keyfile to boot OS partitions/drives unlike true/veracrypt. It doesn't support software raid volumes. It does work with fake raid, though. Diskcryptor is another one I've used. Very fast and highly optimized, moreso if you have a core isomething processor, but the latest version is over a year old and it doesn't support GPT booting, either. It does support keyfile for OS partitions/drives along with Bitlocker, and it does support encrypting software raid volumes unlike Bitlocker.

On linux you have much better options; dm-crypt with or without LUKS (no good reason not to use LUKS imo). It does keyfiles, GPT partitions, software raid volumes; pretty much whatever you can think of. I don't know anything about Mac encryption options/software.

Also remember that FDE is only useful if you actually turn off your computer when you're away from it/not using it.

 

[John Connor]

I think the only issue it has right now is doing FDE with a boot partition on motherboards that only use UEFI as a replacement for BIOS.

Yes, that is TC's limitaion. You can use Legacy mode if your MOBO supports it. I believe most do.

 

[Athlex]

Truecrypt is perfectly fine. It went though an extensive audit and other than some sloppy code it will keep your data protected on a PC that is shut down.

Not exactly. The crypto is sound, but the windows driver in Truecrypt is broken. It'd be best to switch to Veracrypt 1.15 or newer.

 

[John Connor]

An anonymous reader writes: Back in September, members of Google's Project Zero team found a pair of flaws in the TrueCrypt disk encryption software that could lead to a system compromise. Their discovery raised concerns that TrueCrypt was unsuitable for use in securing sensitive data. However, the Fraunhofer Institute went ahead with a full audit of TrueCrypt's code, and they found it to be more secure than most people think. They correctly point out that for an attacker to exploit the earlier vulnerabilities (and a couple more vulnerabilities they found themselves), the attacker would already need to have "far-reaching access to the system," with which they could do far worse things than exploit an obscure vulnerability.

The auditors say, "It does not seem apparent to many people that TrueCrypt is inherently not suitable to protect encrypted data against attackers who can repeatedly access the running system. This is because when a TrueCrypt volume is mounted its data is generally accessible through the file system, and with repeated access one can install key loggers etc. to get hold of the key material in many situations. Only when unmounted, and no key is kept in memory, can a TrueCrypt volume really be secure." For other uses, the software "does what it's designed for," despite its code flaws. Their detailed, 77-page report (PDF) goes into further detail.

http://it.slashdot.org/story/15/11/21/1320229/truecrypt-safer-than-previously-thought

Truecrypt is perfectly fine. It went though an extensive audit and other than some sloppy code it will keep your data protected on a PC that is shut down.

That's like totally the basis of all disk encryption yo!

 

[Athlex]

True, physical access to a system is game over.

 

[Ken g6]

A "cleanroom" implementation of TrueCrypt: https://github.com/bwalex/tc-play

 

[blackangst1]

I'm still using TrueCrypt 7.1a and, at least in my circle, that remains the solution of choice.

I'm still using TrueCrypt, the fact that it's not "supported" isn't really relevant to anything, it's one of the few encryption applications which is both open source and has been audited for security by a neutral 3rd party. It also works well enough up to Win10, I think the only issue it has right now is doing FDE with a boot partition on motherboards that only use UEFI as a replacement for BIOS.

You could use a fork of truecrypt of which there are now several, things like Veracrypt but at the end of the day that's just more risk that using the last audited version of TrueCrypt.

+1 to these. TC 7.1a is available on GRC's site HERE

 

[Chiefcrowe]

What exactly is the "cleanroom" version?

A "cleanroom" implementation of TrueCrypt: https://github.com/bwalex/tc-play

 

[John Connor]

YAET (Yet Another Encryption Tool) that hasn't been audited.

 

[Ken g6]

What exactly is the "cleanroom" version?

Means it implements the same functions, but it was written without any of the TrueCrypt source code.

https://en.wikipedia.org/wiki/Clean_room_design

 

[smakme7757]

Windows: Diskcryptor
Linux: Standard disk encryption with dm-crypt/LUKS

If you're not as paranoid just use Bitlocker on Windows, but edit group policy to make it use AES256 instead of 128.

 

[Zodiark1593]

Is Truecrypt still the gold standard of encryption?

Juat threw in a cpu in my laptop with AES-NI and now looking to encrypt that for traveling in the near future.

 

[John Connor]

Truecrypt would work. It's never been cracked by the FBI or French authorities. Just make sure you don't use UEFI. Just make sure you don't install anything with SafeCast. Of course your boot CD created from TC should help to recover.

Incompatibility with FlexNet Publisher and SafeCast

Main article: FlexNet Publisher § Issues with bootloaders
Installing third-party software which uses FlexNet Publisher or SafeCast (which are used for preventing software piracy on products by Adobe such as Adobe Photoshop) can damage the TrueCrypt bootloader on Windows partitions/drives encrypted by TrueCrypt and render the drive unbootable.[56] This is caused by the inappropriate design of FlexNet Publisher writing to the first drive track and overwriting whatever non-Windows bootloader exists there.[57]

https://en.wikipedia.org/wiki/TrueCrypt

Also, if I were going over seas I'd change the boot loader screen options in System/settings to say Missing operating system. This is so you have somewhat plausible deniability as customs or whatever may want to make sure your laptop does boot. Just say it's broken, but okay...

If I read the article right. I read that having a CPU with AES capability doesn't add to speed at all. That's a real bummer, but I have a laptop with TC installed with no speed degradation I can tell. I do use a SSD.

 

[TheRyuu]

If you're not as paranoid just use Bitlocker on Windows, but edit group policy to make it use AES256 instead of 128.

Also Windows 10 supports XTS mode in addition to the previously used CBC mode.

If I read the article right. I read that having a CPU with AES capability doesn't add to speed at all. That's a real bummer, but I have a laptop with TC installed with no speed degradation I can tell. I do use a SSD.

Truecrpyt supports the AES-NI instruction set if that's what you were referring to. I'm not entirely sure but I would imagine that Bitlocker does as well.

 

[BirdDad]

The AES-NI do not make it any faster for TC, I am on a 14core Xeon @2.5GHz and it takes me at least a minute to load windows from my m.2 SSD , however once Windows is loaded everything is fast again.