It works! I recently switched to VeraCrypt from TrueCrypt, because TrueCrypt is now unsupported and rumor has it that technology was making TrueCrypt less and less secure. I do not use Partition/Device encryption or System encryption, only Volume Encryption, meaning that specially-created "container" files in the normal unencrypted Windows environment are mounted as encrypted volumes exactly as if they were separate, encrypted disk drives. I keep my personal and business files there, and I do it this way because it is simple, because backup of those container files is trivially easy, and because there is zero risk of a complete failure.
If you want to know more about Partition/Device encryption or System encryption, the information in this post may not help you.
A year ago I wrote about TrueCrypt Forks. I didn't like VeraCrypt then because it took a very long time, a minute or more, to open a container after entering the correct password. This was by design - the VeraCrypt developer, Idrassi, by default uses hundreds of thousands of iterations in the key derivation function, contending that it helps protect against brute-force attacks, where a computer is automatically trying billions of password guesses. He is right - this method of attack is becoming faster and more effective as computer power increases and multiple processors can be brought to bear. However, I open and close encrypted volumes frequently and the defaults pushed my patience too far.
Happily, the current version of VeraCrypt, Release 1.17, offers a compromise: If the password is 20 characters or more, VeraCrypt allows the user to bypass the defaults and choose a lower number of iterations by specifying a Personal Iteration Multiplier (PIM). The minimum multiplier of 1 will still result in an iteration count 8 to 16 times greater than that used in TrueCrypt, with a very short delay, whereas multipliers in the range of 10 to 100 will increase security but will cause somewhat greater delays. Those delays might still be acceptable, depending on the speed of the processor. I experimented with several different PIM values.
The PIM is a secret value, chosen when the container file is created, and it must be entered correctly as a separate parameter when the password is entered to mount an encrypted volume. Therefore, though the PIM may be used to reduce the iteration count and make a brute force attack easier, it also effectively increases the password strength, making the attack more difficult again.
I use passwords of 20 characters or more anyway, so the PIM is a perfect compromise. During the process of creating new volumes I did have to wait through some long delays, but now that the volumes are created and in place, the delays are quite acceptable. PIM works.
Also interesting, VeraCrypt can actively coexist with TrueCrypt on the same system, running at the same time. I created new VeraCrypt containers and copied the encrypted contents of the old mounted TrueCrypt volumes directly into the mounted VeraCrypt volumes with no problems. During that process, none of the encrypted files were ever decrypted on disk. That's cool - no disk wiping required. Actually, VeraCrypt can mount most TrueCrypt volumes (though not my oldest ones), so the applications might not have to coexist, but it was slick.
I rarely use the TrueCrypt or VeraCrypt console, instead using command-line scripts (cmd.exe processor) to automatically mount and dismount volumes, create backups of volumes, copy volumes to the cloud and to other computers, and more. Every script that worked with TrueCrypt still works with VeraCrypt, after just changing the run path. It just works, no errors, no problems.
For a thorough, functional test I uploaded a 3 GB encrypted container full of files to the cloud, using both iDrive and CloudBerry, then downloaded that same file back to the desktop. Using Microsoft's comp program, the files compared exactly with the original in each case. Also, in each case, the downloaded encrypted container opened without issue, the true proof that the file was not corrupted.
I use VeraCrypt on two computers, a desktop and a laptop, The desktop runs a clean install of Windows 10 (it once ran Vista), and the laptop runs Windows 10 upgraded from Windows 7. Both have plenty of RAM and disk, with dual processors in the 2 - 3 GHz range.
My congratulations to Mounir Idrassi, the force behind VeraCrypt. I'll be making a PayPal donation to the cause.
By the way: I also downloaded CipherShed, intending to compare it with VeraCrypt. However, the CipherShed installer informed me that I would have to uninstall TrueCrypt first. Since I want to keep TrueCrypt around, I did not install CipherShed.
Showing posts with label TrueCrypt. Show all posts
Showing posts with label TrueCrypt. Show all posts
Saturday, March 5, 2016
Sunday, January 25, 2015
Truecrypt Forks
January 25, 2015:
As everyone knows, the anonymous creators of Truecrypt have declared it unsupported and hinted that it might be defective. While no one believes that Truecrypt has a security hole (see Gibson for example), and an initial audit did not find one, everyone wants to find a supported substitute.
I use Truecrypt encrypted container files to encrypt sensitive data on my Windows systems. A container is a file which can be mounted as if it were a separate unencrypted volume. Truecrypt can also encrypt entire disk volumes, though I do not use that mode, because of the complication and because containers are so easily backed up with full encryption to multiple destinations including the Cloud, Blu-Ray discs, hard discs, and thumb drives.
Requirements:
In my search for a Truecrypt substitute, here is what I found today. Things are moving fast, so this may not hold true for long:
CipherShed is currently in a pre-alpha release only, apparently using some Truecrypt code and some new code. They caution against using it in production. Purportedly it will eventually all be new code, and with a team to support it. Currently I'll stick with Truecrypt 7.1a until (1) a problem is discovered in it, or (2) CipherShed or some other supported program is available.
Truecrypt.ch (also called TCnext) seems to be two Swiss guys who want to fork Truecrypt but, for now, are simply offering Truecrypt 7.1a, the final good release, on a download site. I suspect they are watching CipherShed and may eventually support that.
Veracrypt is the only fork currently available as an official release, and is a modest modification of the original Truecrypt open-source code. Apparently it is mostly written and supported by one Frenchman, Idrassi, and long-term support may be dependent on him, though there is a lively discussion board.
I have installed it, to discover that opening a container takes a long time, but he defends that as necessary to defeat a brute force attack. In that respect, he believes that Veracrypt is quite superior to Truecrypt. That judgment is above my pay grade. Otherwise it walks and talks just like Truecrypt. I have not tried any command-line arguments yet - I use those a lot in Truecrypt.
The delay on opening is dependent on a particular iteration count, and there is discussion about allowing the user to trade off password length versus iteration count, so that a longer password could result in a shorter opening time.
Veracrypt containers are not compatible with Truecrypt containers, but Veracrypt does have a Truecrypt mode. I tried that and it did successfully open a Truecrypt container. I didn't try modifying the files in that container.
I recommend tuning in to those sites from time to time, to keep abreast of their progress. I may or may not blog about it again.
As everyone knows, the anonymous creators of Truecrypt have declared it unsupported and hinted that it might be defective. While no one believes that Truecrypt has a security hole (see Gibson for example), and an initial audit did not find one, everyone wants to find a supported substitute.
I use Truecrypt encrypted container files to encrypt sensitive data on my Windows systems. A container is a file which can be mounted as if it were a separate unencrypted volume. Truecrypt can also encrypt entire disk volumes, though I do not use that mode, because of the complication and because containers are so easily backed up with full encryption to multiple destinations including the Cloud, Blu-Ray discs, hard discs, and thumb drives.
Requirements:
- To reduce the likelihood of a hole or a back door, the software must be open source. This rules out all commercial encryption software.
- It must support some kind of portable encrypted containers.
- It should have a credible support team.
In my search for a Truecrypt substitute, here is what I found today. Things are moving fast, so this may not hold true for long:
| https://ciphershed.org/ | US, UK, Germany, Asia | Available as pre-alpha release |
| https://truecrypt.ch/ | Switzerland | Downloads Truecrypt 7.1a |
| https://veracrypt.codeplex.com/ | France | Rev 1.0f-1 downloaded and working |
CipherShed is currently in a pre-alpha release only, apparently using some Truecrypt code and some new code. They caution against using it in production. Purportedly it will eventually all be new code, and with a team to support it. Currently I'll stick with Truecrypt 7.1a until (1) a problem is discovered in it, or (2) CipherShed or some other supported program is available.
Truecrypt.ch (also called TCnext) seems to be two Swiss guys who want to fork Truecrypt but, for now, are simply offering Truecrypt 7.1a, the final good release, on a download site. I suspect they are watching CipherShed and may eventually support that.
Veracrypt is the only fork currently available as an official release, and is a modest modification of the original Truecrypt open-source code. Apparently it is mostly written and supported by one Frenchman, Idrassi, and long-term support may be dependent on him, though there is a lively discussion board.
I have installed it, to discover that opening a container takes a long time, but he defends that as necessary to defeat a brute force attack. In that respect, he believes that Veracrypt is quite superior to Truecrypt. That judgment is above my pay grade. Otherwise it walks and talks just like Truecrypt. I have not tried any command-line arguments yet - I use those a lot in Truecrypt.
The delay on opening is dependent on a particular iteration count, and there is discussion about allowing the user to trade off password length versus iteration count, so that a longer password could result in a shorter opening time.
Veracrypt containers are not compatible with Truecrypt containers, but Veracrypt does have a Truecrypt mode. I tried that and it did successfully open a Truecrypt container. I didn't try modifying the files in that container.
I recommend tuning in to those sites from time to time, to keep abreast of their progress. I may or may not blog about it again.
Tuesday, December 11, 2007
TrueCrypt Is Cool
My business requires me to safeguard the security of certain files. For years I have used Encrypted Magic Folders (EMF) from PC-Magic to encrypt those files, and to hide them from the view of an interloper. I loved it, because files were always encrypted on disk and yet were fully accessible to applications. However, when I upgraded to Vista 64, the new EMF crashed my system so completely that it was unbootable even in safe mode. I tried it twice, recovered twice with some difficulty, and gave up on EMF.
In the meantime I had heard about TrueCrypt, an open-source disk encryption package for Windows and Linux. It's free! I must admit that after I downloaded it, I needed some time to get my mind around it.
Here are the basics:
That's the simple view of TrueCrypt. There is lots more. For example:
In the meantime I had heard about TrueCrypt, an open-source disk encryption package for Windows and Linux. It's free! I must admit that after I downloaded it, I needed some time to get my mind around it.
Here are the basics:
- Using the TrueCrypt application you create a large "container" file on your system, larger than you will need to hold your encrypted files. It can be on any read/write disk, even a memory stick, and is initially filled with random data.
- The container file can be copied, moved, deleted, or renamed just like any other file. It's not fragile. It can have any name and any file extension. You can have more than one.
- With the TrueCrypt application, you mount that container file as a disk volume with its own drive letter. You choose the letter.
- The TrueCrypt application runs in the background and manages TrueCrypt volumes.
- Within the TrueCrypt volume you create folders, or copy them in, and create or copy in any files that ought to be encrypted. A TrueCrypt volume behaves exactly like any other disk, even though it's really just a file on your hard drive or mem stick. Every file within it is totally encrypted, including file names and even its file system.
- Unused space in the TrueCrypt container file is filled with random data which cannot be distinguished from actual encrypted files.
- When you open an encrypted file in an application, such as a wordprocessor or graphic editor, the file is decrypted on the fly so that the application sees it decrypted.
- The file is never decrypted on disk, however, unless the application keeps temporary backup copies, and of course you should tell your applications to keep those in an encrypted volume too.
- Backup of encrypted data is easy: Just dismount the encrypted volume and copy its container file, still encrypted, to the backup medium.
- If the backup medium is another disk, mem stick, DVD, or CD-ROM, you can actually mount that backup container file whenever you want without ever copying it back to the original hard disk.
That's the simple view of TrueCrypt. There is lots more. For example:
- Anyone examining your system or your disk can tell that you use TrueCrypt, and can probably even identify the container files.
- However, you can host a TrueCrypt volume within another truecrypt volume in a manner that makes the internal volume both hidden and undectable even if the outer volume is mounted and visible. Really cool. The TrueCrypt people call this "plausible deniability," and consider it quite important.
- Example: An adversary points a gun at you and demands to see your encrypted files. You can give them the password to the outer encrypted volume without ever revealing that an inner, hidden volume even exists. It's invisible. I don't actually see the need for a hidden volume in my business, but evidently some folks do.
- You can host a truecrypt volume on a public computer, or another person's computer, without installing any software on that computer, so your encrypted files are portable.
- You can tell TrueCrypt to mount certain TrueCrypt volumes automatically at bootup, though you will be required to enter a password to complete the mounting process.
- TrueCrypt allows you to use any of eight different encryption algorithms and three different hash algorithms, making decryption by an adversary even more difficult.
Subscribe to:
Posts (Atom)
