Comments on: System drive encryption: TrueCrypt 5 vs. Bitlocker

By: Andy

Andy — Thu, 28 May 2009 20:57:07 +0000

- This is exactly how I would have put if I knew all that before I read it !!! – I recently got TrueCrypt (I’m on Vista Bus) – and it’s got a proper – respectable office blue interface and a beginners tutorial on off site.
– I’ve encrypted DVD – RW’s. No problems at all.
– The simple truth is that big companies will insist on paid version – especially to acquire more responsibility towards themselves.

By: hs

hs — Fri, 23 Jan 2009 16:24:42 +0000

Nice comparison.
I made performance comparison (under VMware) truecrypt vs compusec:
http://sites.google.com/site/hstecproj/pub/crypt-test

By: phic

phic — Tue, 24 Jun 2008 07:08:41 +0000

Another big feature of TrueCrypt is that there also is a linux version (from v5 also the GUI). It’s the main reason for me! it! It’s so flexible and adapts to every situation. Ok for the moment I’m only using it for private reasons and for the laptop I use for business.
Using TC you can also create single encrypted files, or single partitions (with the option of hidden other partitions in it, for ultra high security). You can even choose many algortims (or combination of them). It the best (worse case?) you can use AES, Twofish AND serpent together… as result you have a 256*3=768bit encryption. Should be enough eheheh.

Tried with BitLocker and had the first error message saying that the drive is not ready for it. Ok I know I should create two partitions…. Then I’ll get the second error: No TPM found or no compatible BIOS, even when I have a TPM 1.2 chip. That was enough for me to trash the idea of using BitLocker.

But… thanks really for the review, it’s short but it exactly compares what I wanted to know. Now that you told me of the BitLocker Active Directory integration and the password recovery features, I’ll check it again when I’ll deploy it on more machines of my company.

Just one question, is there some min requirement for the active directory integration? Server 2007 perhaps?

Thank again for the review.

By: cpfoutz

cpfoutz — Sat, 31 May 2008 13:41:59 +0000

tp expand on ovancantfort’s answer the header file is unlocked by a password…so when you originally install truecrypt, you save off the header file, which is locked by the first password. Give it to your employee and they change the password, quit then give you back the computer. You’d use the rescue disk to cover the data, decrypting the header file witht he original password you assigned. Each time you save off a rescue disk, the header file is encrypted with the current password, thus allowing you to decrypt your volume with any of the past passwords you’ve assigned.

By: Michael

Michael — Thu, 21 Feb 2008 07:32:52 +0000

ovancantfort, did you read the part in the FAQ that starts with "We use TrueCrypt in a corporate environment"? It seems that an admin is able to reset the volume to the original admin pw. I guess he needs this original pw for this. I didn't try this yet, though.

By: ovancantfort

ovancantfort — Thu, 21 Feb 2008 05:17:59 +0000

@Abbe22

Sorry, but you are wrong about TrueCrypt Rescue Disk. You have to understand how TrueCrypt works. It is using block encryption using a Master key that is stored in the header of the volume or partition. This Master key is encrypted with your password. During the rescue disk creation, it will backup the header containing the Master key, but this key is in its encrypted form! So you still need the password. For recovery, you have to backup the header AND note the corresponding password (not at the same place if you are paranoïd).
Remember that these serious encryption software are designed with as few holes as possible, and a rescue disk that would open all doors would be a big one!

By: Tomas M.

Tomas M. — Tue, 19 Feb 2008 23:04:16 +0000

Perhaps trasshbox had problems with error: “Insufficient memory for encryption”, but it was fixed in the 5.0a maintenance release:
http://www.truecrypt.org/docs/?s=version-history

By: Michael

Michael — Tue, 19 Feb 2008 20:13:40 +0000

Rab, I have read about this Preparation tool, but I never tried. Thanks for the link. I believe that following this wizard as you describe it, is not a big deal. However when I skimmed over the KB article my respect for Bitlocker grew again. All those requirements, example scenarios and common problems make it seem to be a not-so-simple tool. I am sure if you have the time to learn all the details about Bitlocker, you will have a great encryption tool. But without it, encryption is a risky business. I have already read horror stories of people who lost their data because of one of those “common problems”.

By: TrueCrypt Whole-Disk Encryption: Why I Turned It Off

TrueCrypt Whole-Disk Encryption: Why I Turned It Off — Mon, 18 Feb 2008 17:30:07 +0000

[...] complicated. I don’t know if it allows for hibernation or not. There’s an excellent overview of the two together at 4sysops, a blog I highly recommend overall. Print This [...]

By: Rab

Rab — Sun, 17 Feb 2008 03:26:32 +0000

Update:

After a little investigation, it turns out the wizard I was talking about (the BitLocker Drive Preparation Tool) *is* available on Enterprise – you just have to request it from support and they’ll email it over:

http://support.microsoft.com/kb/930063

Though personally I’d much rather see it in the DVD image, one of the installation tool kits, or as a free KB. It’s not even on Technet Plus in the Tools section, as far as I can see… Inconvenient, to say the least.

By: Rab

Rab — Sun, 17 Feb 2008 03:04:27 +0000

Hi Michael,

Interesting summary – I look forward to trying out Truecrypt 5 for the last XP laptops we have at work, based on your article here.

I take it from your review that you didn’t have access to Vista Ultimate for your bitlocker test, though? One of the ‘Ultimate Extras’ it comes with is a wizard that makes bitlocker installation very easy indeed – even if you already have a mature Vista installation up and running. It automatically shrinks (non-destructively) the running partition, installs a small boot partition for the unencrypted boot files and holds your hand through the only couple of stages of the process that require your intervention.

Without the wizard I agree it’s an unpleasant process. If you’ve got access to the wizard it’s easy – but of course, in a very dumb, unhelpful, shoot-the-marketing-dept-at-MS move, it’s only there in the ultimate edition. What were they thinking!?

Keep up the good work!

By: Michael

Michael — Fri, 15 Feb 2008 19:29:59 +0000

trashbox, what kind of troubles did you have with TrueCrypt?

abbe22, thanks a lot for the hint! Seems TrueCrypt is better than I thought.

By: abbe22

abbe22 — Fri, 15 Feb 2008 18:50:04 +0000

Michael,

you wrote:

“If you lose your TrueCrypt password, you’ll be lost, too. TrueCrypt creates an ISO file for a Rescue disc during the configuration process, but this CD will only be of help if the TrueCrypt boot loader was damaged or if you want to decrypt your system drive.”

Below is fragment of official TrueCrypt FAQ.

“Similarly, you can reset a password used for pre-boot authentication (’System’ > ‘Create Rescue Disk’; in the TrueCrypt Rescue Disk screen, select ‘Repair Options’ > ‘Restore key data’).”

So, it seems, that forgetting password should be not a problem _if_ you have rescue disk. And BitLocker is no better I think…

By: trasshbox

trasshbox — Fri, 15 Feb 2008 02:05:55 +0000

Hi and thankx for the review,

I used TC4 before and was pleased about the new version and features. I checked and tested TrueCrypt 5 (for company purpose) and had some troubles with it (system drive encryption).

Then I tried some other system drive encyption tools and the Free version of CompuSec (www.ce-infosys.com) and it did very well. It’s easy to use, has some nice additional features and you can use it in company environments for free, but you can only encrypt your drives with AES (128, 256). The possbility to manage client versions (with GlobalAdmin – not free) finally satisfied me to take Free CompuSec.

Best,
Mike

By: Michael

Michael — Thu, 14 Feb 2008 21:25:32 +0000

I didn’t try it, but I guess it is possible since TrueCrypt doesn’t create a hardware hash.

By: Tademos

Tademos — Thu, 14 Feb 2008 20:39:29 +0000

What if I make an image of a harddisk and restore it on another hardware, is it possible to use it with the same TC-password?

Or is it only possible to restore it on the same hardware?

Thanks for answer!

Tademos