The TrueCrypt website says: The development of TrueCrypt was ended in 5/2014
It was working yesterday!
Anyone know of alternatives? I want to encrypt an entire USB drive.
These two articles seem to do a good job of analyzing &/or summarizing its status.
"Open Source Crypto TrueCrypt Disappears With Suspicious Cloud Of Mystery"
http://www.forbes.com/sites/jameslyne/2014/05/29/open-source-crypto-truecrypt-disappears-with-suspicious-cloud-of-mystery/
"True Goodbye: ‘Using TrueCrypt Is Not Secure’"
http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/
Anyone know of alternatives? I want to encrypt an entire USB drive.
The Truecrypt page recommends a move to BitLocker, & it is possible to use BitLocker on a USB stick/drive.
"Enable BitLocker on USB Flash Drives to Protect Data"
http://technet.microsoft.com/en-us/magazine/ff404223.aspx
Otherwise there are a Lot of encryption apps out there -- many will only protect a folder, but if everything on the drive is in that folder, everything's protected. For minor stuff I still use an old GOTD, "USB Stick Encryption" from GiliSoft, but I'm not sure how secure it is, using it for convenience more than anything, & it has problems with win8.1. I don't like their newer versions nearly as much from a low impact standpoint.
Truecrypt works by creating a VHD [Virtual Hard Drive] that could be encrypted. You can use BitLocker with a vhd as well...
http://wunger.wordpress.com/2009/08/09/creating-an-encrypted-file-container-using-vhd-files-and-bitlocker-to-go/
http://cyber-defense.sans.org/blog/2009/11/17/bitlocker-attached-vhd-drive
The 2 big problems with BitLocker IMHO are that you need certain versions of win7, & there's a good chance it's not bulletproof with NSA type backdoors inserted. I'm not convinced there's any encryption software that hasn't been touched by some gov, & I don't believe that any gov employs only honest people -- IOW if backdoors for a gov exist, someone in that gov has very likely sold the details.
You can Google on "encrypted virtual disk software" [without quotes] & get 2.5 mill hits, like http://sourceforge.net/projects/freeotfe.mirror/
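The two BitLocker routes mentioned above (a whole USB drive, or a VHD file used as an encrypted container), sketched as an added example that is not part of the original thread. It assumes an elevated PowerShell session on a Windows edition that ships the BitLocker cmdlets and, for the VHD part, the Hyper-V PowerShell module; the function names, path and label are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added illustration; Protect-DataVolume and New-EncryptedVhd are hypothetical names.

function Protect-DataVolume {
    param(
        [Parameter(Mandatory)] [char] $DriveLetter,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $mount = "${DriveLetter}:"
    # This helper is for data volumes (USB stick, mounted VHD), never the OS volume.
    if ($mount -eq $env:SystemDrive) { throw "Refusing to touch system drive $mount" }

    $before = Get-BitLockerVolume -MountPoint $mount
    if ($before.VolumeStatus -ne 'FullyDecrypted') {
        throw "$mount is already encrypted or converting ($($before.VolumeStatus))"
    }

    # Password protector unlocks the volume day to day.
    Enable-BitLocker -MountPoint $mount -EncryptionMethod Aes256 `
        -PasswordProtector -Password $Password | Out-Null
    # Recovery password is the fallback if the password is forgotten; store it offline.
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null

    $after = Get-BitLockerVolume -MountPoint $mount
    [pscustomobject]@{
        MountPoint       = $mount
        VolumeStatus     = $after.VolumeStatus
        RecoveryPassword = ($after.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
    }
}

function New-EncryptedVhd {
    param([string] $Path, [uint64] $SizeBytes, [securestring] $Password)
    # Create, attach, partition and format the container, then encrypt the new volume.
    $part = New-VHD -Path $Path -SizeBytes $SizeBytes -Dynamic |
        Mount-VHD -Passthru | Get-Disk |
        Initialize-Disk -PartitionStyle MBR -PassThru |
        New-Partition -UseMaximumSize -AssignDriveLetter
    Format-Volume -Partition $part -FileSystem NTFS -NewFileSystemLabel 'Private' | Out-Null
    Protect-DataVolume -DriveLetter $part.DriveLetter -Password $Password
}

# Usage (constructed values):
#   $pw = Read-Host -AsSecureString -Prompt 'Volume password'
#   Protect-DataVolume -DriveLetter E -Password $pw                    # whole USB drive
#   New-EncryptedVhd -Path 'C:\Containers\private.vhdx' -SizeBytes 2GB -Password $pw
```

Encryption continues in the background after the call returns, so check `Get-BitLockerVolume` for `FullyEncrypted` before removing the drive or detaching the VHD.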
If you read the Forbes article that Mikiem linked, you'll likely come to the conclusion that I've long held - no encryption software is secure and using it may, in fact, make your data less secure.
At any rate, you can find what you need on this page: Probably the Best Free Security List in the World (link takes you to the encrypting section)
https://www.grc.com/misc/truecrypt/truecrypt.htm
Worth a look.
Not sure anyone outside the devs & maybe a circle of their friends knows what's up with Truecrypt. The guy at GRC has one tentative explanation -- one guy in the comments on the GOTD download page talked about a message re: the NSA. IMHO the bit at GRC was a bit naive & overly optimistic, hinting that Truecrypt belonged to the public & users who had come to trust it -- not the way the world, software or otherwise works. Doesn't work that way for countries relying on outside support, with employees hoping for job security, with people who thought they owned a home, and never has worked that way with software that can leave the stage at any minute. The people that own whatever can & will do as they please, as they feel they must or want.
But enough editorializing -- down from the soapbox. :) If anyone wants to put total faith in Truecrypt, or whatever comes afterward, go right ahead. I've never gone around bashing Truecrypt, & don't think I will in the future, because lots of people love it, & anything contrary I said would be meaningless. Here's why I've never used Truecrypt, purely FWIW...
There is always an underlying tension with any gov, because a government's tasks & ideals run counter to their citizens' total freedom -- you don't want to be a victim of crime so you have law enforcement for example, handing over [hopefully a minimum] of your rights & freedoms to enable them to do their job.
[People sometimes talk about the NSA as if it was an evil empire -- in some cases that might be apt, but it most always ignores the fact that the US is hardly any world leader in intelligence gathering. If they were you would have never read of them on any front page. Their job is secrecy, not fame.]
The best security is analog, carried out through history by people hiding whatever without being seen & keeping their mouths shut about it. It's the way criminals & crime organizations & spies & moonshiners & smugglers etc. always worked, & it drove law enforcement crazy trying to bust them. Then digital came along & governments saw their opportunity. It was/is in their best interest, & in their view, in your best interest, for governments to make sure they helped build the framework for anything digital, so that they could watch everything going on -- no more relying on happenstance & informers to be in the right place at the right time for surveillance. Those outside any gov who were engaged in building that framework had little choice -- if your gov couldn't get in without your knowledge they'd do it anyway & demand your silence... Any gov has always had the ability to shut anyone down, &/or incarcerate them, whether we like to pretend otherwise or not.
Now, what gov could let something like Truecrypt exist without some sort of involvement on their part? In a digital world where you can find anybody, given enough resources, what are the odds of Truecrypt's devs maintaining their anonymity without a bit of help? In a time of gov budget cuts what better alternative is there than voluntary public funding [i.e. Kickstarter]? The guy running the whole audit thing had cash left over when Truecrypt closed the doors, & was publicly wondering what to do with what was left. Assuming he does like the guy at GRC proposes, the audit is finished, changes made in the forked version, & a new release born, could there be a better time for a gov to update any code & escape notice? Could there be a better way to increase Truecrypt's use than with a newer, better fork designed after a thorough audit?
I could very well be wrong -- I'm just hinting at what makes sense to me. I believe that if you think in terms of what governments want, not what much of the public feels is right, then governments would be inept not to take advantage of every such opportunity.
Personally I tend to distrust any gov because people are people. The world's governments are made up of the same people you see day in & day out. Most are nice enough, they help out their friends & family, & they do the same whether they work for a gov or not. Some people are lazy, others inclined to be a dufus, while some are thieves and scoundrels, whether they are employed by a gov or not. I personally don't like the potential for abuse when any of those last 4 are in a government position where they might have some power & authority. I'm not alone -- most democracies were set up by people having the same, pragmatic views. That's why most democracies can be slow & less efficient & well, messy at times.
I believe that if any gov has access to whatever tools &/or data, it has been & will be sold by less scrupulous people working in that gov -- why would a crook working for the gov stop being a crook? If politicians can be dishonest, & they serve at the public's whim, I can't see any reason why unelected people working in government have any reason to not be dishonest, other than their personal morals. The prospect of prison time doesn't deter criminals from doing what they do, or there wouldn't be any, and in government your odds of getting prison time are less -- it's government after all that does the policing. And then there's the basic nature of most bureaucracies.
Bureaucracies are like living organisms, always seeking to be healthy, grow, & reproduce. Health equals security that comes from bigger budgets. Bigger budgets, & the increased authority they confer on those running that bureaucracy, come from more employees. Embracing inefficiency is a common way to always need more people. Regardless of any union constraints, getting rid of dead weight runs counter to growth in employee numbers. That's not how private sector business is supposed to work, where if you don't do your job you can get fired. Consider Microsoft & Patch Tuesday... Microsoft has much higher hiring requirements than is legal for the US gov, & they do get rid of people that are incompetent [not all of them, but much more than a comparable gov agency]. If Microsoft leaves holes in Windows, and they have better employees than the gov, what are the odds of any government team writing code with fewer holes than Microsoft's stuff?
If the US [or any other] gov had anything to do with Truecrypt or similar, &/or have anything to do with Truecrypt's proposed successor, there will probably be security holes, perhaps a lot of rather large ones. Many of the security holes that are discovered in Windows & other software are not reported -- you never hear about them because hacking pros, either criminal or working for the equivalent of arms dealers, make money off their existence [Google Vupen]. The audit on Truecrypt may or may not have found whatever security weaknesses, but there is no doubt at all that if the US gov wanted something kept quiet, they could force any company to not release info, saying it was a threat to national security. Some of the biggest, wealthiest companies in the world, e.g. Microsoft, Google, Apple etc., complain about some of the [maybe more minor] stuff the gov won't let them talk about, after it was 1st revealed in the press -- how much else can't they tell you about at all?
So, at the end of the day [&/or any other cliche that may be appropriate], I never completely trusted Truecrypt so I never bothered to use it. I've used & use encryption software that I doubt was ever really that secure, but it's been very convenient & took zero learning or research [unlike Truecrypt]. I work with VHDs, but the major types you'd expect to find in Windows, & I keep them there [though that may be just a base copy] -- there's all sorts of stuff to tell if a VHD was used but not present, same as there's stuff to look for Truecrypt VHDs, so no reason to make anyone want to look further.