majoron Apprentice
Joined: 12 Oct 2005 Posts: 239 Location: Frankfurt
Posted: Tue Jun 03, 2014 8:11 am Post subject: alternatives to TrueCrypt
Hi,
Recently "something" happened to TrueCrypt. AFAIK there is no public statement apart from a red warning on its home site saying that TrueCrypt is not secure. I was interested in using it until I saw this message.
My question is: is there any tested alternative to TrueCrypt?
My needs are: I just need to encrypt an external disk which will be used only under Linux. It has to be free software.
Thanks in advance and best regards
_________________
Computers are like air conditioners, they stop working properly if you open Windows
zaphyr Guru
Joined: 07 Dec 2004 Posts: 312 Location: Copenhagen, Denmark
Posted: Tue Jun 03, 2014 10:50 am
It is my personal opinion that TrueCrypt 7.1a is still safe to use for now. At the very least for personal use.
My opinion may change depending on the results of the security audit.
As for alternatives... perhaps dm-crypt or tcplay
_________________
emerge IQ
xaviermiller Bodhisattva
Joined: 23 Jul 2004 Posts: 8711 Location: ~Brussels - Belgique
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Tue Jun 03, 2014 10:59 am Post subject: Re: alternatives to TrueCrypt
majoron wrote: | My question is: is there any tested alternative to TrueCrypt? My needs are: I just need to encrypt an external disk which will be used only under Linux. It has to be free software. |
majoron ... see app-crypt/tc-play, "a free, pretty much fully featured and stable TrueCrypt implementation". The current upstream is version 2.0, but only 1.2 is available via portage, there is a bug open, and bumping the 1.2 ebuild to 2.0 works (obviously you would need to use a local overlay).
best ... khay
krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Tue Jun 03, 2014 12:48 pm Post subject: Re: alternatives to TrueCrypt
majoron wrote: | AFAIK there is no public statement apart from a red warning on its home site saying that TrueCrypt is not secure. |
I don't use it myself, but I saw that story and it woke up my curiosity. From what I know, it is a sudden act.
What is strange is that the project is down; you don't take down a project with a security hole, you fix it.
Anyone have an answer to that?
mv Watchman
Joined: 20 Apr 2005 Posts: 6749
Posted: Tue Jun 03, 2014 1:54 pm Post subject: Re: alternatives to TrueCrypt
krinn wrote: | Anyone have answer to that? |
It seems that currently there is no public information which answers that. One can find many theories of various sorts, though...
majoron Apprentice
Joined: 12 Oct 2005 Posts: 239 Location: Frankfurt
Posted: Tue Jun 03, 2014 2:43 pm
Thank you.
Yes, precisely when I was browsing those pages the question came to my mind: what are people using, and what do you recommend?
BR
_________________
Computers are like air conditioners, they stop working properly if you open Windows
majoron Apprentice
Joined: 12 Oct 2005 Posts: 239 Location: Frankfurt
Posted: Tue Jun 03, 2014 2:46 pm Post subject: Re: alternatives to TrueCrypt
khayyam wrote: | majoron wrote: | My question is: is there any tested alternative to TrueCrypt? My needs are: I just need to encrypt an external disk which will be used only under Linux. It has to be free software. |
majoron ... see app-crypt/tc-play, "a free, pretty much fully featured and stable TrueCrypt implementation". The current upstream is version 2.0, but only 1.2 is available via portage, there is a bug open, and bumping the 1.2 ebuild to 2.0 works (obviously you would need to use a local overlay).
best ... khay |
Thank you. I also saw this package. And although I don't have really critical data to protect, my fear is that this tc-play software is implementing the same wrong thing as TrueCrypt does. However, if some expert(s) give(s) me arguments to make me believe that this is not the case, I could consider this possibility.
BR
_________________
Computers are like air conditioners, they stop working properly if you open Windows
Yamakuzure Advocate
Joined: 21 Jun 2006 Posts: 2285 Location: Adendorf, Germany
Posted: Wed Jun 04, 2014 11:32 am Post subject: Re: alternatives to TrueCrypt
majoron wrote: | Hi,
Recently "something" happened to TrueCrypt. AFAIK there is no public statement apart from a red warning on its home site saying that TrueCrypt is not secure. I was interested in using it until I saw this message. |
Maybe the truecrypt page was hacked:
https://www.mywot.com/en/scorecard/truecrypt.sourceforge.net?utm_source=addon&utm_content=warn-viewsc
Even the project page is strange:
https://sourceforge.net/projects/truecrypt wrote: | WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform. | Why would that be true and then release a new version on May 28th 2014?
This is complete nonsense, as BitLocker is fine for whole partitions/disks, but has (AFAIK) no container feature. And no hidden containers. And, AFAIR, you need Windows 7 professional and up to even get Bitlocker.
edit: Oh and to use BitLocker, your computer's TPM module must be activated. Another No-No for me.
_________________
Important German:
- "Aha" - German reaction to pretend that you are really interested while giving no f*ck.
- "Tja" - German reaction to the apocalypse, nuclear war, an alien invasion or no bread in the house.
Yamakuzure Advocate
Joined: 21 Jun 2006 Posts: 2285 Location: Adendorf, Germany
Posted: Wed Jun 04, 2014 11:37 am Post subject: Re: alternatives to TrueCrypt
Yamakuzure wrote: | Why would that be true and then release a new version on May 28th 2014? |
Because it is rumored to be compromised. The whole thing seems to be hacked: http://forums.theregister.co.uk/forum/1/2014/05/28/truecrypt_hack/
_________________
Important German:
- "Aha" - German reaction to pretend that you are really interested while giving no f*ck.
- "Tja" - German reaction to the apocalypse, nuclear war, an alien invasion or no bread in the house.
Yamakuzure Advocate
Joined: 21 Jun 2006 Posts: 2285 Location: Adendorf, Germany
Posted: Wed Jun 04, 2014 11:49 am
Okay, it is dead.
But now there is: http://www.truecrypt.ch/
_________________
Important German:
- "Aha" - German reaction to pretend that you are really interested while giving no f*ck.
- "Tja" - German reaction to the apocalypse, nuclear war, an alien invasion or no bread in the house.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Wed Jun 04, 2014 12:09 pm Post subject: Re: alternatives to TrueCrypt
majoron wrote: | khayyam wrote: | see app-crypt/tc-play, "a free, pretty much fully featured and stable TrueCrypt implementation". |
Thank you. I also saw this package. And although I don't have really critical data to protect, my fear is that this tc-play software is implementing the same wrong thing as TrueCrypt does. However, if some expert(s) give(s) me arguments to make me believe that this is not the case, I could consider this possibility. |
majoron ... you're welcome. I can't comment on the tc-play implementation of TrueCrypt but the README does provide some comments on TrueCrypt and some implementation notes. It also states that it's a "core part of the DragonFly BSD operating system" so I assume those involved with the project have some relation to DragonFly BSD, and assumedly *care* about how well it's implemented.
Also, I'm not using it myself (I use dm-crypt/LUKS), though I have it installed. The only reason I have it is that a group of us here provided a workshop on various privacy issues and we created some small test images using LUKS and tcplay.
best ... khay
Havin_it Veteran
Joined: 17 Jul 2005 Posts: 1247 Location: Edinburgh, UK
Posted: Fri Jun 06, 2014 3:34 pm
TrueCrypt will come through all this, I think, in some shape or form. I was a bit panicked like many people by the news, but if you look into it a bit, and take Occam's razor to it, I find there's little reason to think the worst.
The first thing that's notable about the updated web page is how rudimentary it is: it's pretty much the HTML equivalent of a scribbled note. If you discount the possibility of defacement (which doesn't make a lot of sense and is contraindicated by the new binary apparently signed with a legit key), then you must conclude that the devs who re-did the page either (A) were in a big hurry, or (B) couldn't be arsed putting much effort into it.
I believe (B) is more likely, and that opinion is lent weight by this snippet from one of the devs as relayed to the head of the audit project (reported by Steve Gibson here):
Quote: | We worked hard on this for 10 years, nothing lasts forever. |
Everyone loves a good conspiracy theory, but it looks to me like the reality is more prosaic: they've had enough of it, and they don't have a successor lined up to take over because nobody understands the codebase like they do. That's fair enough, and tc-play is evidence that the format can outlive the original product, whether that product reincarnates in a direct fork or not.
I'll certainly be interested to see how the audit turns out, but I feel no less confident using TrueCrypt now than I did before this development.
Pearlseattle Apprentice
Joined: 04 Oct 2007 Posts: 162 Location: Switzerland
Posted: Fri Jun 06, 2014 8:39 pm
My recommendation: encfs
I have been using it for years to encrypt my home directories and a portion of my RAID and it has never failed (e.g. when my raid5 lost 1 hdd on xfs the whole thing was ok, as you would expect when using any other filesystem; when I lost my main backup drives the restoration from the secondary backup gave me everything without problems, etc...).
Important:
encfs is not a filesystem - it's just an additional layer that you put on top of whatever you're using as filesystem.
You will therefore format your device(s) with whichever fs you want (e.g. ext3/ext4/xfs/jfs/btrfs/ufs/whatever...) and use whichever functionality you want on it (e.g. a jfs fs on top of a raid6 fs) and only at the end use "encfs" to mount a virtual unencrypted device which will write all data to the underlying layers (again, e.g. a SSD using nilfs2 with "trim" functionality switched on) in encrypted form.
It sounded at the time like a great idea to decouple the encryption process from the filesystem (you still have the same advantages whichever filesystem you use, plus encryption) and it still seems so to me.
Downsides:
1) I don't know if Truecrypt was better, but encfs always uses only 1 thread to encrypt a single stream of data that is being written => your max throughput will be limited to the efficiency of the encryption algorithm that you use vs. the CPU that you have.
2) (I think that) you cannot encrypt your whole rootfs - whatever is needed to boot and get into an operational state will have to be unencrypted (but I might be wrong).
3) If you're writing file "A" and the system goes down (e.g. no power) then the whole file won't be readable anymore as its encrypted form won't be complete. I personally prefer this black-and-white situation to half-ok files.
mv Watchman
Joined: 20 Apr 2005 Posts: 6749
Posted: Sat Jun 07, 2014 6:35 am
Pearlseattle wrote: | My recommendation: encfs |
This is fine for some directories, but probably not appropriate for large parts of the system: either you drop support for some random seeks or some lengths will have to be recalculated, meaning a real speed loss, especially for block-optimized databases (though I do not know whether such databases still exist nowadays).
Seriously, if you want encryption of a whole partition under linux, use dm-crypt: this is officially supported and likely continues to work as long as linux will exist, and has all the advantages of truecrypt except for windows compatibility.
Quote: | If you're writing file "A" and the system goes down (e.g. no power) then the whole file won't be readable anymore as its encrypted form won't be complete |
Have you tested this? I doubt it. A partially written encoded file should be partially decodable as well; in fact, encfs should not even be able to detect that the file is not completely written, since the length is not stored separately.
mhogomchungu n00b
Joined: 18 May 2013 Posts: 19
Posted: Wed Jun 11, 2014 5:11 pm Post subject: Re: alternatives to TrueCrypt
majoron wrote: |
Thank you. I also saw this package. And although I don't have really critical data to protect, my fear is that this tc-play software is implementing the same wrong thing as TrueCrypt does. However, if some expert(s) give(s) me arguments to make me believe that this is not the case, I could consider this possibility.
BR |
There is TrueCrypt, the binary program, and TrueCrypt, the on-disk format; these two are not the same thing.
cryptsetup can parse the TrueCrypt on-disk format, and this allows cryptsetup to unlock TrueCrypt volumes.
tc-play can create and parse the TrueCrypt on-disk format, and this allows tc-play to create and unlock TrueCrypt volumes.
The on-disk format is well documented and known, and it's good enough [1].
This may be the end of the line for TrueCrypt, the binary program, but I think its on-disk format should continue to live on as a "cross-platform encrypted volume format". This is because the format is currently the most widely used, if not the only, cross-platform encrypted volume format.
All that it will take for the format to continue to live on with its current status is for Windows and OS X block device encryption programs to support it.
[1] https://github.com/bwalex/tc-play/issues/57#issuecomment-44778858
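The distinction mhogomchungu draws between the TrueCrypt binary and the TrueCrypt on-disk format is easiest to see in the format itself. The block below is an added example, not code from this thread, from cryptsetup or from tc-play: it parses the decrypted 512-byte volume header as laid out in the TrueCrypt Volume Format Specification (64-byte salt, then the "TRUE" magic, version fields, sizes, flags, two CRC-32 checksums and the 256-byte master key area, all integers big-endian) and performs the two CRC checks a reader uses to decide that the passphrase, hash and cipher it tried were right. Passphrase key derivation and the XTS decryption of bytes 64 to 511 are out of scope here. The function names parse_header, build_header and verify_or_reason are my own, the flag bit values are taken from the TrueCrypt sources, and the sample header is constructed with build_header rather than read from a real volume.

```python
import struct
import zlib

HEADER_SIZE = 512          # one volume header: 64-byte salt + 448 XTS-encrypted bytes
SALT_SIZE = 64
MAGIC = b"TRUE"
MASTER_KEY_AREA = 256      # decrypted offsets 256..511
FLAG_SYSTEM_ENCRYPTION = 0x1   # flag bits as used by TrueCrypt's header code
FLAG_NONSYS_INPLACE_ENC = 0x2

# Fixed fields at decrypted offsets 64..131 (all integers big-endian):
# magic(4) header-version(2) min-program-version(2) crc32-of-keys(4)
# reserved(16) hidden-size(8) volume-size(8) key-scope-offset(8)
# key-scope-size(8) flags(4) sector-size(4)
_FIXED = struct.Struct(">4sHHI16sQQQQII")


def _crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_header(decrypted: bytes) -> dict:
    """Validate a decrypted 512-byte header and return its fields.

    Any ValueError raised here is the same signal a reader such as cryptsetup
    uses to conclude that the passphrase, hash or cipher it just tried was wrong.
    """
    if len(decrypted) != HEADER_SIZE:
        raise ValueError("header must be exactly %d bytes" % HEADER_SIZE)
    (magic, fmt_version, min_prog_version, crc_keys, reserved,
     hidden_size, volume_size, mk_scope_offset, mk_scope_size,
     flags, sector_size) = _FIXED.unpack(decrypted[64:132])
    if magic != MAGIC:
        raise ValueError("magic mismatch (wrong key/hash/cipher, or not a TrueCrypt header)")
    # CRC-32 stored at 252..255 protects decrypted bytes 64..251.
    if _crc32(decrypted[64:252]) != struct.unpack(">I", decrypted[252:256])[0]:
        raise ValueError("header CRC-32 mismatch")
    # CRC-32 stored at 72..75 protects the master key area 256..511.
    if _crc32(decrypted[256:512]) != crc_keys:
        raise ValueError("master key CRC-32 mismatch")
    if any(reserved) or any(decrypted[132:252]):
        raise ValueError("reserved bytes must be zero")
    if sector_size == 0 or sector_size % 512:
        raise ValueError("unsupported sector size %d" % sector_size)
    return {
        "format_version": fmt_version,
        "min_program_version": min_prog_version,
        "hidden_volume": hidden_size != 0,   # non-zero only in a hidden volume's header
        "volume_size": volume_size,
        "master_key_scope_offset": mk_scope_offset,
        "master_key_scope_size": mk_scope_size,
        "system_encryption": bool(flags & FLAG_SYSTEM_ENCRYPTION),
        "inplace_encrypted": bool(flags & FLAG_NONSYS_INPLACE_ENC),
        "sector_size": sector_size,
        # For a single AES-XTS cipher: bytes 0..31 are the data key, 32..63 the tweak key.
        "master_keys": decrypted[256:512],
    }


def build_header(salt, master_keys, volume_size, mk_scope_offset, mk_scope_size,
                 hidden_size=0, flags=0, sector_size=512,
                 fmt_version=5, min_prog_version=0x0700) -> bytes:
    """Assemble a decrypted header with correct CRCs: the writer side of the
    same layout, used here only to build a constructed fixture."""
    if len(salt) != SALT_SIZE or len(master_keys) != MASTER_KEY_AREA:
        raise ValueError("salt must be 64 bytes, master key area 256 bytes")
    fixed = _FIXED.pack(MAGIC, fmt_version, min_prog_version, _crc32(master_keys),
                        bytes(16), hidden_size, volume_size, mk_scope_offset,
                        mk_scope_size, flags, sector_size)
    body = fixed + bytes(120)                       # decrypted offsets 64..251
    return salt + body + struct.pack(">I", _crc32(body)) + master_keys


def verify_or_reason(decrypted: bytes) -> str:
    """Return 'ok' or the reason the header was rejected."""
    try:
        parse_header(decrypted)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed fixture, not a real volume: an 8 MiB volume whose data area
    # starts after the two 64 KiB header areas (offset 131072).
    hdr = build_header(b"\x11" * 64, bytes(range(256)),
                       8 * 1024 * 1024, 131072, 8 * 1024 * 1024)
    for key, value in parse_header(hdr).items():
        print(key, value[:8].hex() + "..." if key == "master_keys" else value)
    damaged = bytearray(hdr)
    damaged[300] ^= 0x01                            # flip one bit in the key area
    print("tampered header:", verify_or_reason(bytes(damaged)))
```

The two CRCs are what make a wrong passphrase detectable at all: with the salt unencrypted and the rest of the header looking like random bytes, a reader knows it has the right key only because the "TRUE" magic and both checksums line up after decryption, which is also why a single flipped bit in the header area makes the whole volume unopenable unless a backup header exists.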
Yamakuzure Advocate
Joined: 21 Jun 2006 Posts: 2285 Location: Adendorf, Germany
Posted: Thu Jun 12, 2014 1:14 pm
Just a side question:
Substituting TrueCrypt with BitLocker, LUKS or whatever for disks, partitions and directories is all fine, but what if you rely heavily on the cross-platform container capability of truecrypt? How to substitute that?
- We often build containers of different sizes on our Debian servers, put data into them, copy them on external NTFS hard drives, and our customers mount those under windows where they, surely enough, need to be able to open the containers. So Windows-only or Linux-only substitutes are a big no-no.
- My personal data resides in a subfolder in my home directory. This folder is a RAIDZ (zfs) drive put together out of 7 truecrypt containers that are individually backed up.
- My backup folders use the same technique apart from the fact that the 6 truecrypt containers are backed up using three different dropbox accounts.
How on earth is this to be substituted by anything else?
(My zpool configs:)
Code:
~ # zpool status bpool
  pool: bpool
 state: ONLINE
  scan: scrub repaired 0 in 0h0m with 0 errors on Thu Apr 17 12:29:34 2014
config:

        NAME             STATE     READ WRITE CKSUM
        bpool            ONLINE       0     0     0
          raidz1-0       ONLINE       0     0     0
            truecrypt21  ONLINE       0     0     0
            truecrypt22  ONLINE       0     0     0
            truecrypt24  ONLINE       0     0     0
            truecrypt25  ONLINE       0     0     0
            truecrypt26  ONLINE       0     0     0
        spares
          truecrypt23    AVAIL

errors: No known data errors
~ # zpool status ppool
  pool: ppool
 state: ONLINE
  scan: scrub repaired 0 in 0h9m with 0 errors on Thu Apr 17 12:42:02 2014
config:

        NAME             STATE     READ WRITE CKSUM
        ppool            ONLINE       0     0     0
          raidz2-0       ONLINE       0     0     0
            truecrypt11  ONLINE       0     0     0
            truecrypt12  ONLINE       0     0     0
            truecrypt13  ONLINE       0     0     0
            truecrypt14  ONLINE       0     0     0
            truecrypt15  ONLINE       0     0     0
            truecrypt16  ONLINE       0     0     0
            truecrypt17  ONLINE       0     0     0
        spares
          truecrypt18    AVAIL

errors: No known data errors
_________________
Important German:
- "Aha" - German reaction to pretend that you are really interested while giving no f*ck.
- "Tja" - German reaction to the apocalypse, nuclear war, an alien invasion or no bread in the house.
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Thu Jun 12, 2014 3:35 pm Post subject: Re: alternatives to TrueCrypt
mv wrote: | krinn wrote: | Anyone have answer to that? |
It seems that currently there is no public information which answers that. One can find many theories of various sorts, though... |
I read in one spot that a little bird (warrant canary) died.
_________________
.sigs waste space and bandwidth