System drive encryption: TrueCrypt 5 vs. Bitlocker

By Michael Pietroforte (MVP) - Thu, February 14, 2008 - 21 comments

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

TrueCrypt 5 has been available for a few days now. Today, I found time to have a look at the new version of my favorite free encryption tool. The most noteworthy new feature certainly is its ability to encrypt system drives/partitions. Until now TrueCrypt was only an alternative to the Encrypting File System (EFS) under Windows. Now, TrueCrypt 5 also competes with Vista’s Bitlocker. In this post, I explore the pros and cons of both crypto tools.

If you don’t know TrueCrypt yet, I recommend reading my review of TrueCrypt 4 first so you will get a general idea about the tool. As far as I can see, everything I said there is still valid for TrueCrypt 5.0. Today, I will only focus on the system partition encryption feature.

[Image: TrueCrypt 5]

Encrypting the hard disk makes sense on any computer that is prone to getting into the wrong hands. This applies especially to laptops and computers in public places. Vista’s Bitlocker is a solution to this problem, provided you have Vista Enterprise or Ultimate. TrueCrypt 5 is another option, and it not only works on every Vista edition but also supports Windows XP/2000/2003.

Encrypting a system partition with TrueCrypt 5 is super simple. A wizard guides you through the process, offering detailed information for every step. When I tested this feature, I didn’t need any documentation. This is not the case with Bitlocker. It is highly recommended to read the Bitlocker documentation first in order to understand all its options. The installation process is certainly more complex. The fact that Bitlocker requires two partitions illustrates this. If you installed Vista without configuring it for Bitlocker first, you already have a problem. TrueCrypt, on the other hand, allows you to encrypt your system drive without hassle after you have installed the OS. Actually, there is no other way to do it with TrueCrypt, anyway.

[Image: TrueCrypt pre-boot]

After TrueCrypt has encrypted your system drive, you won’t notice any difference at first. That is, encryption and decryption work in the background, and you shouldn’t notice any performance loss. However, when you boot up the next time, you will see the difference. Before the OS is loaded, you have to enter your TrueCrypt password. Bitlocker works similarly, but has more options to offer here. Instead of entering the so-called pre-boot PIN, you can also insert a USB device that contains the start-up key. And if your computer has a TPM chip (Trusted Platform Module), you can log on to Vista as usual, i.e. you don’t need a pre-boot PIN or a USB device with the start-up key. TrueCrypt doesn’t support TPM.

[Image: TrueCrypt repair]

Bitlocker has other features that TrueCrypt lacks. If you lose your TrueCrypt password, you’ll be lost, too. TrueCrypt creates an ISO file for a Rescue Disk during the configuration process, but this CD will only be of help if the TrueCrypt boot loader was damaged or if you want to decrypt your system drive. However, without the correct password, you won’t get very far. (Please also read the comments below about this topic.) Bitlocker allows you to store the recovery password on one or more USB devices, and it is even possible to store recovery information in Active Directory. Of course, you can save the password manually in a safe place with TrueCrypt, too. As long as you have to do this for one or two computers only, it is not a big deal. But big enterprises will probably go for Bitlocker.

So Bitlocker’s biggest advantages are its TPM support and its sophisticated recovery options. TrueCrypt is much easier to handle and practically needs no preparation. Hence, if you don’t have much time to read the Bitlocker documentation and just have a couple of users who want to be sure that nobody gets access to the data on a lost laptop, TrueCrypt is the better choice.


21 Comments

  1. Tademos says:

    Hi

    What if I make an image of a harddisk and restore it on another hardware, is it possible to use it with the same TC-password?

    Or is it only possible to restore it on the same hardware?

    Thanks for answer!

    Tademos

  2. Michael Pietroforte says:

    I didn’t try it, but I guess it is possible since TrueCrypt doesn’t create a hardware hash.

  3. trasshbox says:

    Hi and thankx for the review,

    I used TC4 before and was pleased about the new version and features. I checked and tested TrueCrypt 5 (for company purposes) and had some troubles with it (system drive encryption).

    Then I tried some other system drive encryption tools and the free version of CompuSec (www.ce-infosys.com), and it did very well. It’s easy to use, has some nice additional features and you can use it in company environments for free, but you can only encrypt your drives with AES (128, 256). The possibility to manage client versions (with GlobalAdmin – not free) finally convinced me to go with Free CompuSec.

    Best,
    Mike

  4. abbe22 says:

    Michael,

    you wrote:

    “If you lose your TrueCrypt password, you’ll be lost, too. TrueCrypt creates an ISO file for a Rescue disc during the configuration process, but this CD will only be of help if the TrueCrypt boot loader was damaged or if you want to decrypt your system drive.”

    Below is fragment of official TrueCrypt FAQ.

    “Similarly, you can reset a password used for pre-boot authentication (‘System’ > ‘Create Rescue Disk’; in the TrueCrypt Rescue Disk screen, select ‘Repair Options’ > ‘Restore key data’).”

    So, it seems that forgetting the password should not be a problem _if_ you have the rescue disk. And BitLocker is no better, I think…

  5. Michael Pietroforte says:

    trasshbox, what kind of troubles did you have with TrueCrypt?

    abbe22, thanks a lot for the hint! Seems TrueCrypt is better than I thought.

  6. Rab says:

    Hi Michael,

    Interesting summary – I look forward to trying out Truecrypt 5 for the last XP laptops we have at work, based on your article here.

    I take it from your review that you didn’t have access to Vista Ultimate for your bitlocker test, though? One of the ‘Ultimate Extras’ it comes with is a wizard that makes bitlocker installation very easy indeed – even if you already have a mature Vista installation up and running. It automatically shrinks (non-destructively) the running partition, installs a small boot partition for the unencrypted boot files and holds your hand through the only couple of stages of the process that require your intervention.

    Without the wizard I agree it’s an unpleasant process. If you’ve got access to the wizard it’s easy – but of course, in a very dumb, unhelpful, shoot-the-marketing-dept-at-MS move, it’s only there in the ultimate edition. What were they thinking!?

    Keep up the good work!

  7. Rab says:

    Update:

    After a little investigation, it turns out the wizard I was talking about (the BitLocker Drive Preparation Tool) *is* available on Enterprise – you just have to request it from support and they’ll email it over:

    http://support.microsoft.com/kb/930063

    Though personally I’d much rather see it in the DVD image, one of the installation tool kits, or as a free KB. It’s not even on Technet Plus in the Tools section, as far as I can see… Inconvenient, to say the least.

  8. [...] complicated. I don’t know if it allows for hibernation or not. There’s an excellent overview of the two together at 4sysops, a blog I highly recommend overall. [...]

  9. Michael Pietroforte says:

    Rab, I have read about this Preparation Tool, but I never tried it. Thanks for the link. I believe that following this wizard as you describe it is not a big deal. However, when I skimmed over the KB article, my respect for Bitlocker grew again. All those requirements, example scenarios and common problems make it seem to be a not-so-simple tool. I am sure if you have the time to learn all the details about Bitlocker, you will have a great encryption tool. But without it, encryption is a risky business. I have already read horror stories of people who lost their data because of one of those “common problems”.

  10. Tomas M. says:

    Perhaps trasshbox had problems with error: “Insufficient memory for encryption”, but it was fixed in the 5.0a maintenance release:
    http://www.truecrypt.org/docs/?s=version-history

  11. ovancantfort says:

    @Abbe22

    Sorry, but you are wrong about the TrueCrypt Rescue Disk. You have to understand how TrueCrypt works. It uses block encryption with a master key that is stored in the header of the volume or partition. This master key is encrypted with your password. During the rescue disk creation, it will back up the header containing the master key, but this key is in its encrypted form! So you still need the password. For recovery, you have to back up the header AND note the corresponding password (not in the same place if you are paranoid).
    Remember that serious encryption software like this is designed with as few holes as possible, and a rescue disk that would open all doors would be a big one!

  12. Michael Pietroforte says:

    ovancantfort, did you read the part in the FAQ that starts with “We use TrueCrypt in a corporate environment”? It seems that an admin is able to reset the volume to the original admin pw. I guess he needs this original pw for this. I didn’t try this yet, though.

  13. cpfoutz says:

    To expand on ovancantfort’s answer: the header file is unlocked by a password… so when you originally install TrueCrypt, you save off the header file, which is locked by the first password. Give it to your employee, and they change the password, quit, then give you back the computer. You’d use the rescue disk to recover the data, decrypting the header file with the original password you assigned. Each time you save off a rescue disk, the header file is encrypted with the current password, thus allowing you to decrypt your volume with any of the past passwords you’ve assigned.
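The header mechanism described in the two comments above (a random master key that encrypts the data, wrapped in the header under a key derived from the password; a rescue disk that backs up the header in its wrapped form; a password change that re-wraps the same master key), as an added example that is not part of the post and not TrueCrypt’s own code or header format. It assumes PBKDF2-HMAC-SHA256 for key derivation and an HMAC-SHA256 keystream XOR as a stand-in for the real block cipher, so that it runs with the Python standard library only:

```python
import hashlib
import hmac
import os

# Toy model of a password-protected volume header (illustration only, not
# TrueCrypt's real header layout or algorithms). The data is encrypted with a
# random master key; the header stores that master key wrapped under a key
# derived from the user's password, plus a MAC so a wrong password is detected.
SALT_LEN = 16
KEY_LEN = 32
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this illustration


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for a cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _derive_key(password: str, salt: bytes) -> bytes:
    """Password -> key-encryption key (KEK) via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, KEY_LEN)


def wrap_master_key(master_key: bytes, password: str) -> bytes:
    """Build a header: salt || master key wrapped under the KEK || MAC."""
    salt = os.urandom(SALT_LEN)
    kek = _derive_key(password, salt)
    wrapped = _keystream_xor(kek, b"header", master_key)
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag


def unwrap_master_key(header: bytes, password: str):
    """Return the master key if the password matches this header, else None."""
    salt = header[:SALT_LEN]
    wrapped = header[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = header[SALT_LEN + KEY_LEN:]
    kek = _derive_key(password, salt)
    expected = hmac.new(kek, wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password: the wrapped key stays opaque
    return _keystream_xor(kek, b"header", wrapped)


def create_volume(password: str) -> tuple:
    """Generate a fresh master key and the header that protects it."""
    master_key = os.urandom(KEY_LEN)
    return wrap_master_key(master_key, password), master_key


def change_password(header: bytes, old_password: str, new_password: str) -> bytes:
    """Re-wrap the SAME master key under a new password (data is untouched)."""
    master_key = unwrap_master_key(header, old_password)
    if master_key is None:
        raise ValueError("old password does not match the header")
    return wrap_master_key(master_key, new_password)


def crypt_data(master_key: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt volume data under the master key (XOR stream, symmetric)."""
    return _keystream_xor(master_key, b"data", data)


def recovery_scenario() -> dict:
    """Walk through the scenario from the comments and report which attempts succeed."""
    header_v1, master_key = create_volume("admin-initial")
    rescue_disk_header = bytes(header_v1)  # backed up when the rescue disk is made
    ciphertext = crypt_data(master_key, b"constructed sample volume contents")

    # The employee changes the password; the live header is re-wrapped.
    header_v2 = change_password(header_v1, "admin-initial", "employee-secret")

    results = {
        "current_header_old_password": unwrap_master_key(header_v2, "admin-initial") is not None,
        "current_header_new_password": unwrap_master_key(header_v2, "employee-secret") is not None,
        "rescue_header_old_password": unwrap_master_key(rescue_disk_header, "admin-initial") is not None,
        "rescue_header_no_password": unwrap_master_key(rescue_disk_header, "") is not None,
    }
    # Restoring the backed-up header AND supplying the password it was made with
    # yields the original master key, which still decrypts the data.
    recovered = unwrap_master_key(rescue_disk_header, "admin-initial")
    results["data_recovered"] = (
        recovered is not None
        and crypt_data(recovered, ciphertext) == b"constructed sample volume contents"
    )
    return results


if __name__ == "__main__":
    for check, ok in recovery_scenario().items():
        print(f"{check}: {'opens' if ok else 'refused'}")
```

The point the two comments make falls out of the model directly: the rescue disk’s copy of the header is only useful together with the password that was current when it was written, and it never lets anyone open the volume without a password, because the master key inside it is still wrapped.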

  14. phic says:

    Another big feature of TrueCrypt is that there also is a Linux version (from v5 also the GUI). It’s the main reason for me! It’s so flexible and adapts to every situation. Ok, for the moment I’m only using it for private reasons and for the laptop I use for business.
    Using TC you can also create single encrypted files, or single partitions (with the option of hiding other partitions in it, for ultra high security). You can even choose many algorithms (or combinations of them). In the best (worst case?) you can use AES, Twofish AND Serpent together… as a result you have a 256*3=768bit encryption. Should be enough eheheh.

    Tried with BitLocker and had the first error message saying that the drive is not ready for it. Ok, I know I should create two partitions…. Then I get the second error: No TPM found or no compatible BIOS, even though I have a TPM 1.2 chip. That was enough for me to trash the idea of using BitLocker.

    But… thanks really for the review, it’s short but it compares exactly what I wanted to know. Now that you told me of the BitLocker Active Directory integration and the password recovery features, I’ll check it again when I deploy it on more machines of my company.

    Just one question, is there some min requirement for the active directory integration? Server 2007 perhaps?

    Thanks again for the review.

  15. hs says:

    Nice comparison.
    I made a performance comparison (under VMware) TrueCrypt vs CompuSec:
    http://sites.google.com/site/hstecproj/pub/crypt-test

  16. Andy says:

    – This is exactly how I would have put it if I had known all that before I read it!!! – I recently got TrueCrypt (I’m on Vista Business) – and it’s got a proper, respectable office-blue interface and a beginner’s tutorial on its site.
    – I’ve encrypted DVD-RWs. No problems at all.
    – The simple truth is that big companies will insist on a paid version – especially to acquire more responsibility towards themselves.

  17. Christoph says:

    Never, ever use a closed source encryption utility. Period.

  18. Christoph, old argument, never ever convincing. Exclamation mark. ;-)

  19. DooDee says:

    Hello.
    As an average computer-literate person, I had a surprisingly pleasant experience with TrueCrypt 5: solid software, easy to use and versatile.

    The TrueCrypt loader CD does not back up your password, which, if you lose or forget it, won’t let you access your encrypted volume or partition (which makes this encryption impenetrable).

    A real SERIOUS, SOLID encryption software, easy to use and free!

  20. Nikhil Tom says:

    I’ve been using TrueCrypt for 2 years and I’m really happy with it.
    I use it to encrypt my system hard disk, external hard disk, pen drives, CDs & DVDs.
    I never had a single problem.
    Well, somebody may think that I’m just bluffing about TC, or that I’m against the evil empire (ms) ;), I’m not.

    Instead, what I said is from my own experience.

  21. LAR says:

    Truecrypt is great and stable.

    TrueCrypt is driven by features and marketing strategies.
    People and IT pros like it.
    They just don’t care if it is 100% safe.

    But any security product which is not 100% open sourced is very dangerous for keeping very sensitive data on your expensive laptop or your super tiny usb flash disk.

    We can’t prove that it is really safe if we do not have the complete source code and a certification.

    Imagine have sex with someone you don’t really know.
    Then 1 week later you are positive.

    The forum is also not open to anyone.

    I believe any free/open source security product should be certified (not just recognized) as 100% safe (certified not by anyone, but by a legit institution like NIST).

    If I am working for the government,
    should I tell anyone that the conspired product gave us a backdoor on it?
    If I am one of the developers,
    should I tell anyone that I created a personal backdoor on it?

    LAR
