Saturday, May 31, 2014

TrueCrypt: A Perspective

OK. By now everyone who cares should already be familiar with the world getting turned upside down this past week regarding TrueCrypt.

Just in case, here is a collection of the best news I can find about the situation. Read up if this is news to you, listed in semi-breaking order.

Conspiracy theories aside, it appears (most likely) that the project developers decided to throw in the towel on the project.

This is the best full-summary page I can find on the whole thing; and archive downloads of the working version.

Last good “working” (meaning encrypting supporting) version? TrueCrypt 7.1a.

That’s actually the same version I have been running on my Win 7 laptop for some time now with no issues.

My use of TrueCrypt at home isn’t to keep my system locked down from any three-letter government agencies. If some theories are true and it was compromised/backdoored, then we all have bigger issues to worry about--well we have those already. What I mean to say is my use of full-disk-encryption is to protect the system if our home is broken into and it is lost due to common theft/burglary. TrueCrypt should be able to keep our data safe and minimize the impact of the system’s loss.

As such, I’ve seen nothing to believe that I should discontinue use of TrueCrypt at home in this protection and security scenario. I will continue to do so until new data comes to light that suggests a common, non-technical thief could easily bypass TrueCrypt.

However.

If I did want/need to go to a different whole-disk encryption solution here are the options I personally would be considering.

Microsoft Bitlocker?

This is what the TrueCrypt developers tossed their fans towards, cryptically.

Only I have Windows 7 Premium that doesn’t come with our support Bitlocker. Bummer for us sheeple.

I suppose I could just go ahead and do a Windows Anytime Upgrade to Ultimate or Enterprise, right? Would cost me some money but hey…not too shabby?

Umm, it looks like now that Win 8/8.1 is out, no more Anytime Upgrades to higher Win 7 editions. That sucks.

So, I could just pony up the money for a full Win 7 update OS upgrade.

But at those price-points, I probably would be considering just purchasing a commercial ($-$$) whole disk encryption solution for less.

BIOS based or Self Encrypting Drive locking?

So, rather than using an OS-based software solution, one could switch over to using the BIOS to lock down the hard-drive access. Some BIOS systems allow setting of a hard drive access password. This is similar to, but not always the same as, a Self Encrypting Drive (SED) solution.

These might be a pretty good solution on modern hardware; but may not work if the system is kept in a hibernate/sleep mode. It’s also hard to find a lot of hardware options to retrofit a SED drive. Price and formats are very limited in my searches for one.

That said, if your system does support it, you may already be able to go to an alternative whole disk encryption/access protection without any additional expense.

Freeware Whole Disk Encryption Alternatives

CE-Infosys : FREE CompuSec PC Security Suite - This is a German freeware product. I used it along time ago in testing against Kon Boot bypass technique. It worked great, was well documented, and remains free for personal usage.  My biggest concern is that it does not seem to support use with WinPE so that if some kind of failure occurred, I could not off-line authenticate to the encrypted contents. I must do a full disk-decryption.

TrueCrypt protected drives can be off-line accessed from a WinPE environment as long as you have the TrueCrypt drivers/application available.

DiskCryptor - This application seems to have continued to mature in the shadow of TrueCrypt. It is frequently updated and does support off-line access of a encrypted volume from a WinPE environment. LiveCD - DiskCryptor wiki. Bart and Winbuilder guides are available to assist with the process.  I suspect this project will get renewed support as TrueCrypt fans shift there attention here.

FreeOTFE - I’m not familiar with this product but it did get a bit of mention in some comment sections after TrueCrypt’s stage exit.

For the Truly Paranoid

Tails - Privacy for anyone anywhere

I guess the theory would go, run Tails from a boot media (CD/DVD/USB) on your system.  Keep the HDD itself zero’ed out, or use an encrypted volume on it, and then use an encrypted USB tool as well for file-storage…or keep your required files in a cloud store…that supports encryption as well.

That’s a bit extreme to me with the other solutions…but some people in some countries may very well need that level of protection.

I’m sure we will see some alternative free/Open Source solutions for whole disk encryption come in to fill the void left by TrueCrypt…if things bear out on the current trajectory.  In the meantime, alternatives do exist…including continued use of TrueCrypt 7.1a.

Cheers.

--Claus Valca

1 comment:

Anonymous said...

Hi Claus, how are you? Long time no comment :-)

AFAIK some of the methods suggested are not equivalent. In particular HDD passwords (again, AFAIK) don't encrypt the content of the disk, but rather store the password in a separate area (HPA - Host Protected Area) and require you to validate it. You can bypass it by moving the platters into an other HDD (which didn't have a password set). While not trivial, it is much easier than breaking a proper full-disk encryption.