Sunday, January 25, 2015

Truecrypt Forks

January 25, 2015:

As everyone knows, the anonymous creators of Truecrypt have declared it unsupported and hinted that it might be defective. While no one believes that Truecrypt has a security hole (see Gibson for example), and an initial audit did not find one, everyone wants to find a supported substitute.

I use Truecrypt encrypted container files to encrypt sensitive data on my Windows systems.  A container is a file which can be mounted as if it were a separate unencrypted volume.   Truecrypt can also encrypt entire disk volumes, though I do not use that mode, because of the complication and because containers are so easily backed up with full encryption to multiple destinations including the Cloud, Blu-Ray discs, hard discs, and thumb drives.

Requirements:
  • To reduce the likelihood of a hole or a back door, the software must be open source.  This rules out all commercial encryption software.
  • It must support some kind of portable encrypted containers.
  • It should have a credible support team.
BitLocker is not a candidate because it is not open source and does not conveniently produce encrypted containers.

In my search for a Truecrypt substitute, here is what I found today. Things are moving fast, so this may not hold true for long:

Site                              Location                  Status
https://ciphershed.org/           US, UK, Germany, Asia     Available as pre-alpha release
https://truecrypt.ch/             Switzerland               Downloads Truecrypt 7.1a
https://veracrypt.codeplex.com/   France                    Rev 1.0f-1 downloaded and working

CipherShed is currently in a pre-alpha release only, apparently using some Truecrypt code and some new code. They caution against using it in production. Purportedly it will eventually all be new code, and with a team to support it. Currently I'll stick with Truecrypt 7.1a until (1) a problem is discovered in it, or (2) CipherShed or some other supported program is available.

Truecrypt.ch (also called TCnext) seems to be two Swiss guys who want to fork Truecrypt but, for now, are simply offering Truecrypt 7.1a, the final good release, on a download site. I suspect they are watching CipherShed and may eventually support that.

Veracrypt is the only fork currently available as an official release, and is a modest modification of the original Truecrypt open-source code. Apparently it is mostly written and supported by one Frenchman, Idrassi, and long-term support may be dependent on him, though there is a lively discussion board.

I have installed it, to discover that opening a container takes a long time, but he defends that as necessary to defeat a brute force attack.  In that respect, he believes that Veracrypt is quite superior to Truecrypt.  That judgment is above my pay grade.  Otherwise it walks and talks just like Truecrypt.  I have not tried any command-line arguments yet - I use those a lot in Truecrypt.

The delay on opening is dependent on a particular iteration count, and there is discussion about allowing the user to trade off password length versus iteration count, so that a longer password could result in a shorter opening time.
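The trade-off described above can be made concrete with a small benchmark. This is an added example, not code from the blog or from VeraCrypt: it uses PBKDF2-HMAC-SHA512 from the Python standard library as a stand-in for the header key derivation, and the iteration counts, password lengths and salt are constructed for illustration rather than taken from either product. The point it shows is that the user pays the iteration cost once per mount while an attacker pays it once per guess, so doubling the iteration count buys the same protection as adding one bit of password entropy, and a longer password can therefore justify a lower count and a faster open.

```python
import hashlib
import math
import time

# Constructed salt for the demonstration; a real container uses a random per-volume salt.
DEMO_SALT = b"constructed-demo-salt-16"


def derive_key(password: str, salt: bytes, iterations: int, dklen: int = 64) -> bytes:
    """Stand-in for a container's header key derivation (PBKDF2-HMAC-SHA512)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen)


def time_derivation(password: str, salt: bytes, iterations: int, rounds: int = 3) -> float:
    """Median wall-clock seconds for one derivation; this is the delay the user sees on open."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        derive_key(password, salt, iterations)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(entropy_bits: float, seconds_per_guess: float) -> float:
    """Worst-case time to try the whole keyspace at one guess per derivation.

    The expected time is half of this; the attacker pays the iteration cost on every guess.
    """
    return (2.0 ** entropy_bits) * seconds_per_guess


def equivalent_iterations(iterations: int, entropy_bits: float, new_entropy_bits: float) -> float:
    """Iteration count that keeps the attacker's total cost constant after an entropy change.

    Each extra bit of password entropy halves the iterations needed, and vice versa.
    """
    return iterations * (2.0 ** (entropy_bits - new_entropy_bits))


def main() -> None:
    password = "correct horse"  # constructed sample password
    # Constructed iteration counts: a low count and a high count for comparison only.
    for iterations in (1_000, 500_000):
        per_open = time_derivation(password, DEMO_SALT, iterations)
        # Assume a 12-character password over a 62-symbol alphabet (about 71 bits).
        bits = password_bits(12, 62)
        attacker = brute_force_seconds(bits, per_open)
        print(f"iterations={iterations:>8}  open={per_open:.4f}s  "
              f"worst-case brute force={attacker:.3e}s ({attacker / 3.15e7:.3e} years)")

    # Same attacker cost with a 16-character password instead of 12: far fewer iterations.
    reduced = equivalent_iterations(500_000, password_bits(12, 62), password_bits(16, 62))
    print(f"with 16 characters, {reduced:.0f} iterations give the same brute-force cost")


if __name__ == "__main__":
    main()
```

Run it as a script to see the measured open time on your own machine; the absolute numbers vary with hardware, but the ratio between the two iteration counts, and the shrinking count needed as the password grows, is what matters for the trade-off the post discusses.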

Veracrypt containers are not compatible with Truecrypt containers, but Veracrypt does have a Truecrypt mode.  I tried that and it did successfully open a Truecrypt container. I didn't try modifying the files in that container.

I recommend tuning in to those sites from time to time, to keep abreast of their progress.  I may or may not blog about it again.
