I’ve been using TrueCrypt drive encryption for some time for my external hard drives. Some days ago, I moved to BitLocker and I am quite happy with it. In this post I explain why. Please note that this comparison is about device-hosted encryption and not about system drive encryption.
No system image backups
The one thing I disliked most about TrueCrypt is that I couldn’t use my external drive for system image backups because the Windows 7 Backup and Restore applet no longer recognized this drive. You might say that this is not TrueCrypt’s fault. However, for me, it didn’t matter whose fault it was, as I was simply robbed of an important function of my external hard drive.
No TPM support
One of the advantages of BitLocker is that it supports the Trusted Platform Module (TPM) chip. This not only improves security significantly, but it also makes the use of encryption technology more convenient. Of course, you then need a computer with a TPM, but BitLocker also works without one. You might have read the news that the TPM was cracked recently. However, the procedure is extremely time consuming and can only be done by experts. When it comes to security, the mere existence of a vulnerability is unimportant. What counts is who possesses the capabilities to crack a system and how much effort is necessary. The TPM significantly raises the bar for cracking an encrypted system, and TrueCrypt doesn’t reach this level of security.
Password hassle
Thanks to the TPM, you don’t have to type a password every time you connect the drive. Passwords are the weak point of any security mechanism. I don’t just have key loggers in mind. There are myriad ways to steal a password. This is what they teach hackers in elementary school. Password plus hardware token is the most secure way to protect your encrypted data. BitLocker also allows you to work without a password. This is still secure as long as you are the only one who can log on to your computer. This way encryption becomes convenient, which ensures that people actually use it.
Manual auto-mount
I like this “Auto-mount device” button in TrueCrypt. I always thought “auto” means that I don’t have to do it manually. Well, yes, only two clicks are required to “auto-mount” a TrueCrypt device. If these were the only clicks, I might just ignore this little hassle. Of course, BitLocker can “automatically auto-mount” encrypted volumes.
“You need to format the disk”
This is just a minor glitch; however, after a while it got on my nerves. Every time I plugged in the drive, Windows would welcome this new device with “You need to format the disk in drive F: before you can use it.” Perhaps there is a switch somewhere deep down in the Windows engine room that would allow me to turn off this unnerving popup message. But why didn’t the TrueCrypt developers do that for me?
Additional drive letter
Another minor glitch. Windows Explorer always uses two drive letters for one disk: one for the mounted TrueCrypt volume and one for the raw device that Windows is so eager to format. Since I often have quite a few drives connected (external, network, etc.) this can be disturbing because it is one more thing that can mess up your drive letter order. This is particularly true if you work with multiple TrueCrypt encrypted drives, because it doubles the number of drive letters in use.
Decrypting TrueCrypt
This is not a minor glitch. At first, I didn’t believe it when I wasn’t able to find a decryption function in the TrueCrypt user interface. So I went to the TrueCrypt site to confirm that I was just too blind to see how to get rid of the encryption. I was happy when I finally found the How to Remove Encryption page. Happiness turned into anger when my blind eyes were shocked to read the instructions:
Right-click the area representing the storage space of the encrypted device and select ‘New Partition’ or ‘New Simple Volume’.
So I decrypt a TrueCrypt volume by formatting it? Thank you very much for this brilliant tip. The suggestion to copy the data to a different place before I format the disk is also exceptional. Unfortunately, the instructions had no tip on where I could just cache my 1.5TB of data. I wonder why TrueCrypt offers decryption for system drives but not for simple data volumes.
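To make the two BitLocker behaviours contrasted in the sections above concrete (unlocking a data drive without typing a password on every connect, and decrypting a drive in place), here is the command-line workflow using the manage-bde tool that ships with Windows 7. This is an added example, not code from the original post. It assumes F: is the external data drive, that C: is an OS drive already protected by BitLocker (auto-unlock requires this), and that the protector ID in step 5 is replaced with the real one printed in step 4.

```powershell
# Added example (not from the original post): BitLocker data-drive workflow with the
# built-in manage-bde tool, run from an elevated prompt.
# Assumptions: F: is the external data drive; the OS drive is BitLocker-protected;
# {PLACEHOLDER-PROTECTOR-ID} stands for the recovery password ID printed by step 4.

# 1. Encrypt the external drive. A data volume needs a protector, so -Password prompts for
#    one; -RecoveryPassword adds a 48-digit recovery password in case the password is lost.
manage-bde -on F: -Password -RecoveryPassword

# 2. Watch progress; "Percentage Encrypted" climbs until conversion is complete.
manage-bde -status F:

# 3. Unlock the drive automatically whenever you log on to this computer. This is the
#    "no password every time" behaviour described above: the unlock key is kept on the
#    BitLocker-protected OS drive, so only someone who can log on here can use it.
manage-bde -autounlock -enable F:

# 4. List the key protectors now on the drive (password, recovery password, external key).
manage-bde -protectors -get F:

# 5. Optional: back up the recovery password to Active Directory if the domain allows it.
manage-bde -protectors -adbackup F: -id "{PLACEHOLDER-PROTECTOR-ID}"

# 6. Decrypt in place when the drive no longer needs protection. Data stays intact;
#    this is the step the post could not find in TrueCrypt's drive-encryption UI.
manage-bde -off F:
manage-bde -status F:
```

Keep the recovery password somewhere other than the encrypted drive itself; without it, a lost password or a reinstalled OS (which drops the auto-unlock key) leaves the drive unreadable.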
I am still using TrueCrypt for file-hosted encryption. It is the best tool around for this purpose. I also prefer the tool for thumb drive encryption because BitLocker To Go doesn’t support write access on Windows XP. But when it comes to device-hosted encryption TrueCrypt is no match for BitLocker. This also applies to system drive encryption, which was significantly improved in Windows 7 especially because you can now start the encryption process without hassle after the system is installed. Together with TPM support and Active Directory integration BitLocker is the more secure and the more powerful solution.
Just one final note for those of you who think that it is unfair to bash “free” software. No software is really free because it costs time and therefore money to manage it. And the fact that TrueCrypt doesn’t support decryption cost me a lot of time. So, I thought, I should just warn others not to make the same mistake and use TrueCrypt for drive encryption.
Not to mention TrueCrypt encryption became recently decryptable by Passware (www.prnewswire.com/news-releases/passware-kit-forensic-decrypts-truecrypt-hard-disks-in-minutes-89502507.html).
Yes, I also linked to it in my news section. But as far as I understand this attack, the corresponding vulnerability doesn’t really affect security as long as you also encrypt the system drive or ensure that the attacker has no access to the PC while it is running. Besides, BitLocker can also be cracked by the same tool under these conditions.
You should mention that Bitlocker is only available in Windows 7 Ultimate and Enterprise. If your company decides to go with Windows 7 Professional (as many do), you might have to stick with Truecrypt or another 3rd party tool.
You are right. I will mention it tomorrow where I will outline why BitLocker alone is worth deploying Windows 7 Enterprise instead of Windows 7 Professional.
Re: “You need to format the disk”
It takes less time to Google the answer than it does to complain about it
http://superuser.com/questions/49382/how-do-i-disable-you-need-to-format-this-disk-message-in-windows-vista-7
Indeed. But complaining is much more fun.
To the anonymous poster. If you did some research you would see that the exploit can only be exploited if a) Truecrypt is being used at the time and b) if the computer is still on or whilst details remain in ram (30 seconds ?) c) someone physically has access to your computer / laptop.
Seriously the folks who write Truecrypt have known about this for some time and even posted about it.
Michael as you say Bitlocker should be used in organisations as more and more people become mobile. Laptops, USB storage etc etc.
I think your review is a little out of date now…
The “Do you want to format this disk?” is a Windows Annoyance
– not really a feature of the True Crypt encrypted disk.
– The fact it doesn’t do it for Bit Locker encrypted devices is a hack on MS part.
This can be disabled by running diskmgmt.msc and Change/Remove Drive Letter Assignment
True Crypt does have a two-factor authentication (where passwords aren’t enough)
- It’s called Key File(s).
- I keep mine on a USB stick on my car keys, so even if my password is compromised (and even my computer stolen) my data still can’t be decrypted.
- You could even create a TrueCrypt Boot CD / USB stick – better than TPM for the really paranoid!
True Crypt can support all sorts of combinations of automatically mounting encrypted media
(with / without cached password, key files etc)
- Although the options are hidden in the menus!
True Crypt’s ability to have data volumes encrypted with different passwords / key files for partitioning sensitive data is very useful.
True Crypt really is a swiss-army-knife for Drive/Volume/File encryption
- But I think it would be great if they released a “simple” version for casual (non-techie) users.
Combine with JungleDisk (Portable)
- Supports end-to-end encryption of single/multi-user remote drive/sync/backup of files across the internet.
- You can even run JungleDisk Portable from inside a True Crypt encrypted volume – to support partitioning of remote sensitive data.
Jay, thanks for sharing your view in detail. When I wrote this post I was quite aware of the fact that some of the problems are solvable. I also mentioned this. The point is that TrueCrypt drive encryption gives an immature impression. As an IT pro I don’t have the time to google all these teething troubles. With BitLocker I just say “encrypt now” and I am done. IT is too fascinating to spend time with such stupid annoyances. Besides, a USB stick can’t replace a TPM chip. It is less secure and inconvenient. Also, you didn’t provide a solution for my system backup problem. And I think the fact alone that TrueCrypt volumes can’t be decrypted is reason enough not to use this software. Thus I think my review is quite up-to-date.
I’m more fond of Truecrypt as it’s standalone in the corporate environment. Truecrypt the volume (no need to format or anything), give the user a password to enter at boot and there you are.
Bitlocker stores the keys in AD which is bad when it comes to PCI-DSS, key management is very strict.
Also definitely about Bitlocker and possibly Truecrypt is the Firewire attack.
http://siblog.mcafee.com/data-protection/bitlockertruecrypt-decryption-tool/
So, if you have a laptop with Firewire then Bitlocker is pretty damn useless in some cases.
The inevitable truth is that BitLocker will be the defacto encryption system for corporate Wintel Networks – because of its ease of use and tight integration with Windows Network Administration Tasks.
It’s perfect for the CEO that leaves his laptop in the airport terminal, or the drive that needs to be disposed of, or the meeting of corporate policies.
That being said, I have no reason to believe that Microsoft would not keep a way of accessing BitLocker encrypted data should a Country, State Department, Political Power, or the man with the Thick-Thick Glasses request it.
Does that mean I know this to be the case? Of course not. But it should be a genuine concern of anyone interested in the mechanisms and motivations of information security. If I were a foreign country, or political dissident, I would stick to the third party tools.
And please, let’s not forget the obvious: Key-Based Encryption does NO GOOD against a dedicated attacker if the password/key can be brute forced, guessed, or pulled off your network in some other fashion. …. and frankly … that’s a much more likely attack vector for someone that’s really after your data.
Elvar, I think you only have to disable Firewire and/or disable booting from USB in the BIOS to make this attack impossible. Of course, you also have to secure the BIOS with a password. As for storing the BitLocker keys in Active Directory, this is only an option but not a requirement for BitLocker. However, in many environments AD support is a must-have feature.
Ethan, don’t you think that it is even easier for governments to convince small third party companies or a poor Open Source hacker to add their code? Besides, if you don’t happen to be a terrorist, it is not very likely that the NSA is interested in the contents of your hard disk.
Yes, as a die-hard TC user I have no plans to switch to BitLocker, especially given that:
1.It’s an M$ product
2.There’s a big question mark over M$’s involvement with government and law-enforcement re OS backdoors. Yes, nothing’s been proven, but at least TC is open-source !
TC isn’t perfect but then what is?
Michael,
As long as the computer is on, in sleep mode or just powered on the hack can be done. They showed on a video that by taking the memory out of the laptop while it’s running, putting it into another laptop and booting it up they could read the key which was in memory. By cooling the memory chip with a can of compressed air they had about 10 minutes to get the key.
Elvar, every security mechanism can be broken, just like every locked door can be opened. As I’ve said before, it always depends on the costs and who can do this. Just because some NSA agents can open your entrance with three expensive locks within a few seconds doesn’t mean that locking your door is useless. Do you know anybody who can remove memory from a running laptop and extract its contents? I don’t. But if you are really afraid of the NSA, just turn off your laptop.
I agree with Scott McLagan,
Being an MS application can be the only reason for me to avoid Bitlocker,
(Offroad: I think anyone with some brain will avoid using MS if they want to keep their system ultrasecure.
Do I need to mention that last week Google told its employees to avoid MS & use Linux or Mac instead?)
What do you recommend for Windows XP. Most of my company is still using it.
Alan, I wouldn’t deploy a third party encryption solution. This would be more hassle than upgrading to Windows 7. XP is history, try to get rid of it as soon as possible. If security matters in your organization, then this should be your priority now.
Tk, are you serious? Don’t you know that this was just a cheap marketing trick of Google? IBM did something similar a few years ago when the Linux hype reached its maximum. Nothing really happened. Visit Google in a year or so and you will see that the majority of their desktops will still run Windows. Of course, there will be no press release then.
Upgrading from XP isn’t an option at this time. Encryption is a requirement so I’ll probably go with TrueCrypt.
Has anyone here used McAfee disk encryption? It sounds good on paper.
Alan, just to make my point clear. What you are planning is to board up all your windows and leave your main entrance wide open. XP is now hopelessly outdated and therefore an inherently insecure operating system. I agree with you, an upgrade to Windows 7 is not an option. It is a must!
Mike,
I have 500GB external hard drive in enclosure which I store all my data, and connected to my laptop through USB port.
I experimented with TrueCrypt and chose “Encrypt a Non-System Partition/Drive” (instead of “Create an encrypted file container”); it takes 6 hrs. My questions:
(1) Is there any way, when using TrueCrypt, to format faster?
(2) Based on your experience with BitLocker, is its procedure faster and simpler than TrueCrypt’s?
Thanks in advance to anybody who answers my questions.
Well done on this beautiful article! These are the kind of issues I ran into when I recently used Truecrypt. I don’t think Truecrypt is ready for an average user as yet!
I tried to post the link to your article in Truecrypt forums describing some of the design deficiencies in Truecrypt. I thought I was helping Truecrypt by engaging in civil discussion. Guess what….Truecrypt forum immediately removed my post stating I violated the rule “Discussion of any third-party encryption software or hardware.”
So much in the name of open source software and open discussion! I guess not only Truecrypt software but the Truecrypt forum and their admins NEED help too!
Andrew, there is no way to format faster. It appears BitLocker is faster than TrueCrypt after the encryption process.
Rothan, that is interesting. I realized that some supporters of the Open Source encryption tool get very emotional if you dare to question TrueCrypt. The “justification” sounds like “You shall have no other Gods but me.” Imagine what would happen if an admin removed a TrueCrypt post with such an explanation from a Microsoft forum.
Michael, what do you expect with such inflammatory headings like:
“Don’t use TrueCrypt drive encryption – BitLocker is better”
It’s easy to come up with counter arguments against this statement (such as mounting the same Truecrypt volume under both Linux and Windows), but maybe your servitude is why Microsoft is happy to renew your MVP?
(see, isn’t it easy to be inflammatory;-)
Rohtan, if you really wanted to contribute then follow the forum rules and just post a summary of Truecrypt’s deficiencies. It’s not the fault of the Truecrypt forum admins if you can’t be bothered to read or follow their rules.
si, the heading just expresses my opinion. I am sorry if it stirs up emotions. However, using a milder title would be a lie as far as my opinion is concerned. So you see my inner conflict.
It is not that easy to evoke my own emotions, though. Your “inflammatory” argument only made me smile. I have no problem criticizing BitLocker as well. I don’t think that expressing my opinion has an influence on my MVP renewal.
I think it is indeed the fault of the TrueCrypt admins because they have the wrong forum rules. Why not allow people compare TrueCrypt with competitors?
No problems Michael, and I’m glad you took my comment in the right (attempt to be humorous) context.
There are plenty of other forums, blogs, etc. to discuss encryption software, and the Truecrypt rules are crystal clear:
http://forums.truecrypt.org/viewtopic.php?t=1651
Anyway, I’m glad this thread got updated, TrueCrypt 7 just got released, time to upgrade
si, yes, the TrueCrypt forums are crystal clear. It is also crystal clear that this is another good reason not to use TrueCrypt. I am tempted to add this to the list above. I could understand if a software vendor has such a forum rule, but an Open Source community? Imagine if in a Debian forum posts were censored whenever someone dares to mention Ubuntu, with the excuse that there are Linux forums.
The point is that this article is only about TrueCrypt and not really about BitLocker. It just mentions BitLocker as an example that doesn’t have these TrueCrypt deficiencies. Obviously, the TrueCrypt community is afraid of competition and not open to critic. Censoring critics is the worst an Open Source community can do. This significantly reduces my trust in this community, and trust is everything when it comes to encryption. I don’t think that I will have a look at TrueCrypt’s hard drive encryption again anytime soon.
“Obviously, the TrueCrypt community is afraid of competition and not open to critic.”
Seriously? I’m amazed you have such insight as to their thinking, all I can infer is that they consider discussion of third party software and hardware to be off-topic.
Perhaps the forum admin didn’t read this blog entry thoroughly enough, because I agree with you that it’s mostly about Truecrypt, but with nearly 70,000 forum posts I can certainly understand why they would prefer to spend their time answering questions about TrueCrypt and keep signal-to-noise as good as possible.
I guess we shall agree to disagree
si, I absolutely agree (that we disagree)
I’ve found a solution for Windows backup to a truecrypt volume. There is an option to back up to network shared folders, so you have to share your truecrypt volume and access it over the network with the address \\localhost.
Concerning the waste of drive letters, in WinXP you can mount a formatted drive into a folder using Computer Management > Disk Management > … > Change Drive Letter and Paths. I presume there is a way to do this in Windows 7.
I wonder if this can be applied to fully encrypted (i.e., unformatted) drives as well.
A very good tool to get rid of all USB/SD/FW/eSATA/… drive letter issues with Win-OS including useless truecrypt drive letters and automounting of truecrypt files and drives is the software USBDLM.
http://uwe-sieber.de/usbdlm_e.html
Regards from Rudy
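The two workarounds discussed in the comments above (dropping the extra drive letter Windows assigns to the raw device, and sharing the mounted TrueCrypt volume so Windows Backup can reach it as \\localhost\share) can both be done with built-in Windows commands. The following is an added example, not code from the original post, the commenters, or TrueCrypt. It assumes F: is the letter Windows gives the raw (still encrypted) device, T: is the letter TrueCrypt assigns to the mounted volume, and TCBackup is a share name chosen for this example.

```powershell
# Added example (not from the original post or comments, and not TrueCrypt's own tooling):
# drive-letter and backup-share workarounds with built-in Windows commands, run from an
# elevated prompt. Assumptions: F: = raw device letter, T: = mounted TrueCrypt volume,
# TCBackup = placeholder share name.

# 1. Identify the Mount Manager volume name behind the unwanted F: letter.
mountvol F: /L

# 2. Remove that letter. Mount Manager normally keeps this choice for the same volume on
#    later reconnects, which also silences the "You need to format the disk" prompt that
#    was tied to it; re-plug the drive and repeat step 4 to verify.
mountvol F: /D

# 3. Share the mounted TrueCrypt volume so Windows Backup can be pointed at
#    \\localhost\TCBackup. Grant access to the logged-on account only.
net share TCBackup=T:\ "/GRANT:$env:USERNAME,FULL"

# 4. Confirm: F: no longer appears in the volume list and the share exists.
mountvol
net share TCBackup

# 5. Remove the share again when the backup target is no longer needed.
net share TCBackup /DELETE
```

The share only exists while the TrueCrypt volume is mounted, so a scheduled backup still needs the volume unlocked first; and anything that can reach the share as your account can read the backup, which is the same trust boundary as the mounted volume itself.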
“Not to mention TrueCrypt encryption becane recently decryptable by Passware”
Same is true for BitLocker^
Passware Kit Forensic, has become the first commercially available software to break TrueCrypt hard drive encryption without applying a time-consuming brute-force attack. It was also the first product to decrypt BitLocker drives.
http://www.prnewswire.com/news-releases/passware-kit-forensic-decrypts-truecrypt-hard-disks-in-minutes-89502507.html
You say you like bitlocker for the ease of use with your computer or the CEO leaving his laptop at the airport and it will be safe? If I found that laptop I would run ophcrack on it, retrieve the login password, plug in the thumb drive and have at it. Ease of use to me means less secure. And the fact windows pops up saying it wants to format with a TrueCrypt drive I like, cause that means a normal user would think the drive is trashed.
LOL @ argument: Don’t use BMW – Mercedes is better
OK.
I read some weird articles ( http://www.google.se/search?q=bitlocker+cracked ) stating that BitLocker is not really that safe. Some even indicate that it’s already cracked. I’ve been using TrueCrypt for several years. Now, since I migrated into the new world of M$ operating systems, I’m curious about BitLocker.
hmmm. No offence but Truecrypt’s non-use of TPM can actually be an advantage rather than a disadvantage:
(i) Recovering one’s HDD data on new hardware (with a new TPM BUT without any of its old security data) could be a nightmare or even impossible depending upon how Bitlocker was set up.
(ii) This TPM as another point of failure or access could be also construed as yet another possible back door (Note that it is also somewhat proprietary also).
Truecrypt is cross platform (also meaning you can more easily access or rescue your data, e.g. from a linux boot cd and off of a failing HDD).
It also doesn’t cost $200+ to upgrade to get it and you would be better off spending that money on an SSD or faster HDD to reduce the performance difference! Which is exactly what I think I will do: 5400RPM to 7200RPM and I don’t much notice the performance hit of Truecrypt!
What I would really like is an FDE SSD but too expensive for now so i will go with the above as my interim solution.
one last point: switching to a 64-bit windows should give a slight performance gain over the same encryption on a 32-bit operating system: the wider register size should ease the number crunching just a little bit, though the newer multithreaded (i5) is better than my old dual core; at least I won’t be running on a netbook anyway…
later gen i5s etc. have the AES instructions and that and cheaper SSDs (inc FDE hopefully) might be worth waiting for, so I am just gonna have to suck up some clock cycles and take the hit!
Regards
mjs, do you have any evidence that the TPM can be used as a back door? It is well-known that the number one back door of all security systems is passwords entered by human beings. Cracking weak passwords, attacking a system with key loggers or through social engineering are the most popular hacking methods. I think this is one of the main reasons why TrueCrypt is a relatively insecure way to encrypt confidential data.
“TrueCrypt…relatively …insecure” ? Surely not?
TrueCrypt volumes can have two (or more) factor authentication, can chain algorithms and supports plausible deniability (via hidden volume) – most security experts would agree it is exceptionally secure.
*Anyone* using a weak password however, or the target of key loggers or social engineering would *not* be in a better position using BitLocker over TrueCrypt: both solutions could be compromised with similar ease.
I use Bitlocker and TrueCrypt on many (modern) laptops – even with slow hard disks (5400rpm), and can not tell the difference in performance between the two systems.
If you use a ‘sensible’ password or pass phrase, either of these solutions will work fine, but if you write your password on a post-it note and stick it to your monitor – you’ve had it!
I’m afraid the weak link is neither TrueCrypt or BitLocker – it’s the end user!
The guy in South America got away because his drive was encrypted. That’s enough for me.
The arguments you present seem to be rather “bitchy” than actual flaws in TC. No software is perfect! TC is also FREE my friend! Windows is NOT!
May I suggest you find real reason to complain about something? I can imagine you as the type of person that complains about everything just because.
What about DriveCrypt, which is similar to TrueCrypt?
Michael, it’s that sort of attitude that makes me hope you’re not hired for NASA or some agency that needs highly sensitive data secured. If you’re not willing to go the extra mile spending more time securing and unlocking data then I don’t see how you can call yourself being into IT.
There have been incidents where government HDDs have been thrown out unsecured and a NASA laptop stolen or missing with the ISS access codes. I mean what’s going on here? Where is the responsibility? What I’m hearing is excuses and an admiration for the easy way out!