Showing posts with label data encryption.

Sunday, January 25, 2015

Truecrypt Forks

January 25, 2015:

As everyone knows, the anonymous creators of Truecrypt have declared it unsupported and hinted that it might be defective. While no one believes that Truecrypt has a security hole (see Gibson for example), and an initial audit did not find one, everyone wants to find a supported substitute.

I use Truecrypt encrypted container files to encrypt sensitive data on my Windows systems.  A container is a file which can be mounted as if it were a separate unencrypted volume.   Truecrypt can also encrypt entire disk volumes, though I do not use that mode, because of the complication and because containers are so easily backed up with full encryption to multiple destinations including the Cloud, Blu-Ray discs, hard discs, and thumb drives.

Requirements:
  • To reduce the likelihood of a hole or a back door, the software must be open source.  This rules out all commercial encryption software.
  • It must support some kind of portable encrypted containers.
  • It should have a credible support team.
BitLocker is not a candidate because it is not open source and does not conveniently produce encrypted containers.

In my search for a Truecrypt substitute, here is what I found today. Things are moving fast, so this may not hold true for long:

  • https://ciphershed.org/ - US, UK, Germany, Asia - Available as pre-alpha release
  • https://truecrypt.ch/ - Switzerland - Downloads Truecrypt 7.1a
  • https://veracrypt.codeplex.com/ - France - Rev 1.0f-1 downloaded and working

CipherShed is currently in a pre-alpha release only, apparently using some Truecrypt code and some new code. They caution against using it in production. Purportedly it will eventually all be new code, and with a team to support it. Currently I'll stick with Truecrypt 7.1a until (1) a problem is discovered in it, or (2) CipherShed or some other supported program is available.

Truecrypt.ch (also called TCnext) seems to be two Swiss guys who want to fork Truecrypt but, for now, are simply offering Truecrypt 7.1a, the final good release, on a download site. I suspect they are watching CipherShed and may eventually support that.

Veracrypt is the only fork currently available as an official release, and is a modest modification of the original Truecrypt open-source code. Apparently it is mostly written and supported by one Frenchman, Idrassi, and long-term support may be dependent on him, though there is a lively discussion board.

I have installed it, to discover that opening a container takes a long time, but he defends that as necessary to defeat a brute force attack.  In that respect, he believes that Veracrypt is quite superior to Truecrypt.  That judgment is above my pay grade.  Otherwise it walks and talks just like Truecrypt.  I have not tried any command-line arguments yet - I use those a lot in Truecrypt.

The delay on opening is dependent on a particular iteration count, and there is discussion about allowing the user to trade off password length versus iteration count, so that a longer password could result in a shorter opening time.
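The tradeoff described above can be made concrete. What follows is an added example (my own code, not VeraCrypt's key-derivation routine): PBKDF2-HMAC-SHA512 from Python's hashlib shows why the unlock delay is linear in the iteration count, and equivalent_iterations works out how many iterations a longer password could give back while leaving an exhaustive guesser exactly as much work. The salt, the 62-character alphabet and the 500,000-iteration figure are constructed for illustration and are not VeraCrypt's parameters.

```python
import hashlib
import time

# Constructed demo salt; real VeraCrypt/TrueCrypt volume headers carry their own random salt.
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff") * 4   # 64 bytes


def derive_key(password: str, salt: bytes, iterations: int, dklen: int = 64) -> bytes:
    """PBKDF2-HMAC-SHA512 key derivation; its cost grows linearly with `iterations`."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen)


def time_unlock(password: str, iterations: int, salt: bytes = DEMO_SALT) -> float:
    """Seconds one derivation takes on this machine: the 'delay on opening' the post describes."""
    start = time.perf_counter()
    derive_key(password, salt, iterations)
    return time.perf_counter() - start


def attacker_work(charset_size: int, password_length: int, iterations: int) -> int:
    """Worst-case number of PBKDF2 iterations an exhaustive guesser must run."""
    return (charset_size ** password_length) * iterations


def equivalent_iterations(charset_size: int, base_length: int, base_iterations: int, new_length: int) -> int:
    """Iteration count that leaves attacker_work unchanged when the password length changes.

    Each extra character multiplies the guess space by charset_size, so the iteration
    count can be divided by the same factor (and must be multiplied for a shorter password).
    """
    delta = new_length - base_length
    if delta >= 0:
        return max(1, base_iterations // (charset_size ** delta))
    return base_iterations * (charset_size ** (-delta))


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed demo password
    for n in (1_000, 100_000):
        print(f"{n:>7} iterations: {time_unlock(pw, n):.3f} s to derive the key")
    base = attacker_work(62, 8, 500_000)
    fewer = equivalent_iterations(62, 8, 500_000, 9)
    print(f"8-char alphanumeric password at 500000 iterations: {base:.3e} total iterations")
    print(f"9-char password needs only {fewer} iterations for the same attacker work")
```

The user and the guesser pay the same per-derivation price, which is why the opening delay and the brute-force cost are the same knob. The exchange only holds when the password really is drawn at random from the assumed alphabet; a 9-character dictionary phrase does not buy the 62-fold reduction the arithmetic suggests.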

Veracrypt containers are not compatible with Truecrypt containers, but Veracrypt does have a Truecrypt mode.  I tried that and it did successfully open a Truecrypt container. I didn't try modifying the files in that container.

I recommend tuning in to those sites from time to time, to keep abreast of their progress.  I may or may not blog about it again.


Tuesday, January 8, 2008

Google Desktop vs. Copernic

The basic idea: What if I could search my own computer as easily as I can search the web? Then I could find an email or a Word document, even a PDF document, or a previously-viewed web page, or all of those on my own computer in an instant, just by entering a few words of text that I think might be in the document or in its name.

Enter Google Desktop (GD). I discovered this a year or two ago, when I was running Windows XP, and thought it was slicker than sliced bread. Well, almost, and certainly better than anything that Microsoft offered. It didn't work exactly right - sometimes I would click on a result and nothing would come up - but at least it did seem to find everything.

Except WordPerfect documents. I use WordPerfect and certainly prefer it to Microsoft Word, but the documents apparently have a unique format and are not correctly indexed by GD or by Microsoft's Vista indexing software. No surprise that Microsoft would deliberately omit WordPerfect, because they have been trying to bury it with Word for years (with obvious success), but we expect better from Google. There is a contributed Google Desktop plugin called Larry's WordPerfect Indexer, and it seemed to work when installed, but Google Desktop kept uninstalling it for some reason; I never solved that problem.

Enter Windows Vista; I have the 64-bit version. It supposedly has its own indexing, but I find that awkward and obtuse; I still haven't entirely figured what IS and what IS NOT indexed. Google Desktop was better.

However, if you Google "google desktop" and "vista" you will find complaints about Google Desktop slowing down Vista, and you will find that Google and Microsoft are having a legal hassle. Nevertheless a few days ago I downloaded GD and installed it. To my surprise, GD did not offer ANY indexing commands. I could not make it re-index, and there was no pause-indexing command. When I did a GD search it DID come up with results though, without ever doing an indexing search. From this I assume that it uses Vista's built-in index, and no longer builds its own index. I "installed" Larry's WordPerfect Indexer, but of course a search still did not bring up any WordPerfect documents. Conclusion: At least for now, Google Desktop is broken - no better than Vista's search, which itself is very clumsy and which will apparently never be able to search WordPerfect documents.

Enter Copernic. I downloaded this desktop searcher and couldn't be more pleased. It runs exactly the same on both XP (my laptop) and Vista 64 (my new desktop computer). In both cases it built its index in almost no time at all. Here are some of the features:
  • It automatically indexes WordPerfect documents - important to me if not to you;
  • You can select the types of files it will index, including PDF documents and ZIP folders, by type extension;
  • You choose whether the indexing function pauses while you use the computer, and if so, for how long;
  • You choose which folders you index and which you do not. For example, I have files that are encrypted and certainly don't want them in the index!;
  • Regardless how the index is built, you can limit a search to any particular file type, to avoid getting too many results;
  • For any specific class of files you can limit the search by date, partial file name, folder, and other attributes;
  • There is a quick and easy way to check for updates to Copernic;
  • I haven't even discovered all of the features yet.
Copernic does NOT seem to offer complex (advanced) searches. It seems to require that ALL of the words in the search box must appear in the document, with no "ANY" option or "DOES NOT HAVE" option. But I can live with that. Many of the features in the list above are also available in Google Desktop and Vista Search, but not all of them are.

I've only had Copernic for a couple of days now, but it sure seems far more robust than the competition, and yet easier to use. Unlike those, it's a completed, working product. If I continue to like it, I may just turn off Vista indexing altogether.

Please let me know if you agree, or disagree, or want more information.

Tuesday, December 11, 2007

TrueCrypt Is Cool

My business requires me to safeguard the security of certain files. For years I have used Encrypted Magic Folders (EMF) from PC-Magic to encrypt those files, and to hide them from the view of an interloper. I loved it, because files were always encrypted on disk and yet were fully accessible to applications. However, when I upgraded to Vista 64, the new EMF crashed my system so completely that it was unbootable even in safe mode. I tried it twice, recovered twice with some difficulty, and gave up on EMF.

In the meantime I had heard about TrueCrypt, an open-source disk encryption package for Windows and Linux. It's free! I must admit that after I downloaded it, I needed some time to get my mind around it.

Here are the basics:
  • Using the TrueCrypt application you create a large "container" file on your system, larger than you will need to hold your encrypted files. It can be on any read/write disk, even a memory stick, and is initially filled with random data.
  • The container file can be copied, moved, deleted, or renamed just like any other file. It's not fragile. It can have any name and any file extension. You can have more than one.
  • With the TrueCrypt application, you mount that container file as a disk volume with its own drive letter. You choose the letter.
  • The TrueCrypt application runs in the background and manages TrueCrypt volumes.
  • Within the TrueCrypt volume you create folders, or copy them in, and create or copy in any files that ought to be encrypted. A TrueCrypt volume behaves exactly like any other disk, even though it's really just a file on your hard drive or mem stick. Every file within it is totally encrypted, including file names and even its file system.
  • Unused space in the TrueCrypt container file is filled with random data which cannot be distinguished from actual encrypted files.
  • When you open an encrypted file in an application, such as a word processor or graphic editor, the file is decrypted on the fly so that the application sees it decrypted.
  • The file is never decrypted on disk, however, unless the application keeps temporary backup copies, and of course you should tell your applications to keep those in an encrypted volume too.
  • Backup of encrypted data is easy: Just dismount the encrypted volume and copy its container file, still encrypted, to the backup medium.
  • If the backup medium is another disk, mem stick, DVD, or CD-ROM, you can actually mount that backup container file whenever you want without ever copying it back to the original hard disk.
[Image: TrueCrypt application window]
That's the simple view of TrueCrypt. There is lots more. For example:
  • Anyone examining your system or your disk can tell that you use TrueCrypt, and can probably even identify the container files.
  • However, you can host a TrueCrypt volume within another TrueCrypt volume in a manner that makes the internal volume both hidden and undetectable even if the outer volume is mounted and visible. Really cool. The TrueCrypt people call this "plausible deniability," and consider it quite important.
  • Example: An adversary points a gun at you and demands to see your encrypted files. You can give them the password to the outer encrypted volume without ever revealing that an inner, hidden volume even exists. It's invisible. I don't actually see the need for a hidden volume in my business, but evidently some folks do.
  • You can host a TrueCrypt volume on a public computer, or another person's computer, without installing any software on that computer, so your encrypted files are portable.
  • You can tell TrueCrypt to mount certain TrueCrypt volumes automatically at bootup, though you will be required to enter a password to complete the mounting process.
  • TrueCrypt allows you to use any of eight different encryption algorithms and three different hash algorithms, making decryption by an adversary even more difficult.
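
Two points from the lists above sit well together: unused container space is random fill that cannot be told from encrypted data, yet an examiner can probably still identify the container files. The following is an added example (my code, not the post's and not TrueCrypt's) of the three heuristics a forensic examiner or a DLP scanner uses to flag a candidate encrypted volume: no recognisable file signature, byte entropy close to 8 bits, and a size that is a whole number of 512-byte sectors. The sample files are constructed in a temporary directory; none is a real container.

```python
import math
import os
import tempfile
from collections import Counter

SECTOR = 512
# A few well-known file signatures; a file that starts with one is not an opaque random blob.
KNOWN_MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniformly random data scores close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str, sample_size: int = 65536) -> dict:
    """Apply the three heuristics an examiner would use on a candidate container file."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    size = os.path.getsize(path)
    magic = next((name for sig, name in KNOWN_MAGIC.items() if head.startswith(sig)), None)
    entropy = shannon_entropy(head)
    return {
        "size": size,
        "entropy": round(entropy, 3),
        "magic": magic,
        "sector_multiple": size % SECTOR == 0,
        # No recognisable header, near-maximal entropy, whole sectors: looks like an encrypted volume.
        "opaque_random": magic is None and entropy > 7.9 and size % SECTOR == 0,
    }


def make_samples(directory: str) -> dict:
    """Constructed sample files for the demo (none is a real TrueCrypt container)."""
    samples = {
        "container.dat": os.urandom(1 << 20),              # random fill, as an encrypted container looks
        "notes.txt": b"Meeting notes: the quarterly numbers look fine.\n" * 2000,
        "archive.zip": b"PK\x03\x04" + os.urandom(65532),  # random body, but carries a ZIP signature
    }
    paths = {}
    for name, data in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(data)
        paths[name] = path
    return paths


def demo() -> dict:
    """Write the constructed samples to a temporary directory and classify each."""
    with tempfile.TemporaryDirectory() as d:
        return {name: classify_file(p) for name, p in make_samples(d).items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<14} {result}")
```

The third sample shows why the signature check matters: an encrypted ZIP body is every bit as random as a container, but its header announces what it is. The heuristic produces candidates, not proof, since compressed media and other ciphertext score just as high; and the same random-fill property that makes a container recognisable as "something encrypted" is what keeps an inner hidden volume indistinguishable from the outer volume's free space.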
I love it, and in fact am using it for my encrypted files on my new computer. It works very well indeed, even on Vista 64. It is certainly no more trouble than EMF was, and backup is much simpler. It is far better than Windows Encrypted File System (EFS) because: (1) EFS files are always available when you log on, whereas TrueCrypt files require you to enter another password; and (2) EFS files cannot easily be backed up in their encrypted form. TrueCrypt is also much simpler than Windows BitLocker encryption, which requires you to partition your drive and poses some risk of losing the entire drive if something goes wrong.