TrueCrypt - volume encryption [discontinued]
- Posts: 116
- Joined: Wed May 10, 2006 5:08 pm
TrueCrypt - volume encryption [discontinued]
[Moderator note: this is the primary TrueCrypt program thread. View database entry]
---
truecrypt v4.2a has been released 3 July 06
- Andrew Lee
- Posts: 3083
- Joined: Sat Feb 04, 2006 9:19 am
Re: TrueCrypt
EDIT: after the demise of TrueCrypt, VeraCrypt is pretty much regarded nowadays as its successor: https://www.portablefreeware.com/?id=2703.
Old topic update: in view of current news coverage of a possible TrueCrypt hack, here are a few pointers for relevant reading -- for current info, browse links posted in the latest database entry's comments (see http://www.portablefreeware.com/index.p ... addcomment).
- Securely download [and verify] TrueCrypt v7.1a
http://www.akselvoll.net/2014/05/how-to ... t-71a.html
- [Related blog post by Steve Gibson of Gibson Research]
http://steve.grc.com/2014/05/28/whither-truecrypt/
- http://www.portablefreeware.com/forums/ ... hp?t=21224
http://www.portablefreeware.com/forums/ ... hp?t=11209
http://www.portablefreeware.com/forums/ ... php?t=7629
http://www.portablefreeware.com/forums/ ... php?t=6636
http://www.portablefreeware.com/forums/ ... php?t=6633
http://www.portablefreeware.com/forums/ ... php?t=5943
http://www.portablefreeware.com/forums/ ... php?t=5929
http://www.portablefreeware.com/forums/ ... php?t=3555
http://www.portablefreeware.com/forums/ ... php?t=2872
http://www.portablefreeware.com/forums/ ... php?t=1821
http://www.portablefreeware.com/forums/ ... php?t=1797
Last edited by Midas on Sun Feb 19, 2017 7:21 am, edited 1 time in total.
Re: TrueCrypt
I'm split on whether or not to put a disclaimer up on the entry since the security piece of this is really unclear. I mean, insecure to who? Huge organizations with loads of money? It probably wasn't secure against them before either. Maybe we recommend using the version before the current one?
Having seen very large, very well-funded organizations make very dumb security decisions, I'm wondering if not bad isn't more than enough. Schneier for example was still using it as of two weeks ago.
Also, someone in the comments of the link above noted the following:
> Those who fear that TrueCrypt is subverted might profit from spending a few minutes pondering that there are Computer Science departments all over the world with many hundreds of professors and thousands of graduate students, some of whom specialize in infosec/crypto.
> Because TrueCrypt is so widely used and relied upon, the first CompSci department to announce that they'd proved a backdoor in TrueCrypt would be world-famous, attract rivers of funding, and have the best imaginable prospects for their future careers.
It's certainly a better prospect to work with an open program that has seen this kind of scrutiny rather than closed systems like FileVault and BitLocker for whom serious analysis relies upon their company of origin (Apple and Microsoft).
Suggestions welcome.
Re: TrueCrypt
This doesn't make sense [not referring to the quote]. And for the time being I wouldn't migrate data just yet.
@Aaron you are aware of recent discoveries about NSA and commercial companies cooperation, aren't you? I can't imagine any sane person who has followed the news using closed source encryption tools made by a "Fortune 500 company" and expecting it's not backdoored. That's why a suggestion by TC developers to use one of such tools would be strange at least. It looks much more like a red herring or warrant canary.
Re: TrueCrypt
Open TrueCrypt alternatives
* FreeOTFE - definitely portable but not cross platform and doesn't seem to be under development any longer. Still, might be more secure than TrueCrypt.
* encfs4win (Encrypted File System for Windows) http://members.ferrara.linux.it/freddy77/encfs.html ... based on encfs for Linux, it's probably cross-platform. No clear idea of the program maturity.
* DiskCryptor https://diskcryptor.net/ The program has a much better license than TrueCrypt's (GPL) but not very portable. Quoting the FAQ:
> How can I create portable version of DiskCryptor and use it from USB flash drive?
> Portable mode will be realized together with container's support as they can be mounted without driver installation. Currently DiskCryptor supports volumes and driver installation is obligatory (administrator rights required) and the following restart (it is possible to load driver without rebooting, however in this case filter can be assigned with volume class only by hacks, which I do not want to use).
The FAQ goes on to say that the driver installation (and admin access requirement) isn't something they could remove without a substantial rewrite. I'm also going to go ahead and guess that this makes the program difficult to take beyond Windows.
Re: TrueCrypt
http://truecrypt.sourceforge.net/
> WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
I don't believe this shit! Why would a security software programmer say that his software "may" contain security issues? Does it or doesn't it? Is this sourceforge page hacked? TC wasn't updated for many months, so I think that 7.1a version is secure enough. I won't switch to any other software until I have real proof that TC is trash. I'll keep an eye on this: https://twitter.com/OpenCryptoAudit/sta ... 4977131520 More here: http://www.pcworld.com/article/2143841/ ... found.html
Re: TrueCrypt
Sorry for the double post, but this is important:
http://truecrypt.ch/
- Andrew Lee
- Posts: 3083
- Joined: Sat Feb 04, 2006 9:19 am
Re: TrueCrypt
I am using TrueCrypt myself and I will simply wait for the code audit to be out.
This whole affair is really fishy but since it is open-source, I think the source code can stand for itself.
- JohnTHaller
- Posts: 720
- Joined: Wed Feb 10, 2010 4:44 pm
- Location: New York, NY
Re: TrueCrypt
While the source code is available, it is worth pointing out that it is not 'open source' by the common definition (according to the FSF, OSI, Ubuntu, Debian, etc). It's more like 'freeware with source available' in many ways. TrueCrypt is under a one-off license called the TrueCrypt license designed to specifically discourage forks. It's incompatible with other open source licenses (limiting code re-use), doesn't permit use of the TrueCrypt name, requires an advertising clause (like the old, frowned-upon, 4-clause BSD license), and specifically allows the original authors to sue you. All of this seems put in place to allow the original authors to shut down the project if they see fit. And to disallow anyone to continue development of 'TrueCrypt' as is without changing the name even if the authors have no interest in continuing.
Realistically, someone could probably continue it as TrueCrypt, but they'd always have the possibility of a lawsuit hanging over their head. And anyone wishing to utilize the code or binaries in other projects will have a similar worry. We still don't know why it was shut down, though several folks in the community are theorizing that they received a National Security Letter and this was their way of letting the world know without stating that they did and being thrown in jail.
PortableApps.com - The open standard for portable software | Support Net Neutrality
Re: TrueCrypt
JohnTHaller wrote: We still don't know why it was shut down, though several folks in the community are theorizing that they received a National Security Letter and this was their way of letting the world know without stating that they did and being thrown in jail.
- In support of that theory one of the best explanations I came across is at http://en.wikipedia.org/wiki/Warrant_Canary...
And before anyone shouts "conspiracy theory alert", reputable sources confirm that this is not entirely unheard of: some US public libraries set up similar strategies to defend patron privacy in case of user record subpoenas under provisions from the so-called "Patriot Act"...
Re: TrueCrypt
Haller wrote: TrueCrypt is under a one-off license called the TrueCrypt license designed to specifically discourage forks.
I always assumed that the TrueCrypt license was there so that they could eventually start a company surrounding that program. This frankly would have protected them better than staying anonymous. After all, Microsoft just successfully defended themselves against an NSL.
Regardless, I much prefer standard, tested licensing.
Hopefully someone will run a kickstarter or something similar and stand the server up in Germany, Switzerland, or whatever country that would be friendly to an effort like this. I don't expect it would ever offer iron clad security, but access to open, reasonably strong security measures shouldn't be revolutionary or strange.
Someone suggested over on Schneier's site that LUKS would be a much better base to start with than forking TrueCrypt. FreeOTFE lists support for them, though I don't know what version since it's evidently no longer under development.
Re: TrueCrypt
webfork wrote: I'm split on whether or not to put a disclaimer up
Given that the website now offers a crippled version of TrueCrypt, I went ahead and added a something.
Re: TrueCrypt
webfork wrote: Open TrueCrypt alternatives
[...]
* DiskCryptor https://diskcryptor.net/ The program has a much better license than TrueCrypt's (GPL) but not very portable.
- In the wake of the TrueCrypt debacle, here's a recent article reporting on DiskCryptor use:
- Five Tips for the disk encryption software DiskCryptor
http://www.ghacks.net/2014/06/06/five-t ... skcryptor/
- Could VeraCrypt become the next TrueCrypt?
http://www.ghacks.net/2014/06/08/veracr ... truecrypt/
Re: TrueCrypt
For whom it may concern, the Open Crypto Audit Project has this posted at their site:
- http://opencryptoaudit.org/ author wrote: Update June 25, 2014: A verified TrueCrypt v7.1 source and binary mirror is online at GitHub. File hash lists are available as well.