I've been using TrueCrypt drive encryption for some time for my external hard drives. Some days ago, I moved to BitLocker and I am quite happy with it. In this post I explain why. Please note that this comparison is about device-hosted encryption and not about system drive encryption.
- Author and member of the year 2019 – Why DevOps still doesn't rule the IT world - Wed, Jan 1 2020
- Results of the 4sysops member and author competition in 2018 - Tue, Jan 8 2019
- Why Microsoft is using Windows customers as guinea pigs - Reply to Tim Warner - Tue, Dec 18 2018
No system image backups ^
The one thing I disliked most about TrueCrypt is that I couldn’t use my external drive for system image backups because the Windows 7 Backup and Restore applet no longer recognized this drive. You might say that this is not TrueCrypt's fault. However, for me, it didn't matter whose fault it was as I was just robbed from an important function of my external hard drive.
No TPM support ^
One of the advantages of BitLocker is that it supports the Trusted Platform Module (TPM) chip. This not only improves security, significantly, but it also makes the use of encryption technology more convenient. Of course, you then need a computer with TPM, but BitLocker also works without TPM. You might have read the news that TPM was cracked, recently. However, the procedure is extremely time consuming and can only be done by experts. When it comes to security, vulnerabilities are absolutely unimportant. What counts is who possesses the capabilities to crack a system and how much effort is necessary. The TPM significantly raises the bar to crack an encrypted system, and TrueCrypt doesn't reach this level of security.
Password hassle ^
Thanks to the TPM, you don't have to type a password every time you connect the drive. Passwords are the weak point of any security mechanism. I don't just have key loggers in mind. There are a myriad of ways to steal a password. This is what they teach hackers in elementary school. Password plus hardware token is the most secure way to protect your encrypted data. BitLocker also allows you to work without a password. This is still secure as long as you are the only one who can log on to your computer. This way encryption becomes convenient and ensures that people use it.
Manual auto-mount ^
I like this "Auto-mount device" button in TrueCrypt. I always thought "auto" means that I don't have to do it manually. Well, yes, only two clicks are required to "auto-mount" a TrueCrypt device. If these were the only clicks, I might just ignore this little hassle. Of course, BitLocker can "automatically auto-mount" encrypted volumes.
"You need to format the disk" ^
This is just a minor glitch; however, after a while it got on my nerves. Every time I plugged in the drive, Windows would welcome this new device with "You need to format the disk in drive F: before you can use it." Perhaps, there is a switch somewhere deep down in the Windows engine room that would allow me to turn off this unnerving popup message. But why didn’t the TrueCrypt developers do that for me?
Additional drive letter ^
Another minor glitch. Windows Explorer always uses two drive letters for one disk: one for the TrueCrypt drive and the one that Windows is so eager to format. Since I often have quite a few drives connected (external, network, etc.) this can be disturbing because it is one more thing that can mess up your drive letter order. This is particularly true if you work with multiple TrueCrypt encrypted drives because it multiplies the number of used drive letters by two.
Decrypting TrueCrypt ^
This is not a minor glitch. At first, I didn't believe it when I wasn't able to find a decryption function in the TrueCrypt user interface. So I went to the TrueCrypt site to confirm that I was just too blind to see how to get rid of the encryption. I was happy when I finally found the How to Remove Encryption page. Happiness turned into anger when my blind eyes were shocked to read the instructions:
Right-click the area representing the storage space of the encrypted device and select 'New Partition' or 'New Simple Volume'.
So I decrypt a TrueCrypt volume by formatting it? Thank you very much for this brilliant tip. The suggestion to copy the data to a different place before I format the disk is also exceptional. Unfortunately, the instructions had no tip where I could just cache my 1.5TB of data. I wonder, why TrueCrypt offers decryption for system drives but not for simple data volumes?
I am still using TrueCrypt for file-hosted encryption. It is the best tool around for this purpose. I also prefer the tool for thumb drive encryption because BitLocker To Go doesn't support write access on Windows XP. But when it comes to device-hosted encryption TrueCrypt is no match for BitLocker. This also applies to system drive encryption, which was significantly improved in Windows 7 especially because you can now start the encryption process without hassle after the system is installed. Together with TPM support and Active Directory integration BitLocker is the more secure and the more powerful solution.
Just one final note for those of you who think that it is unfair to bash "free" software. No software is really free because it costs time and therefore money to manage it. And the fact that TrueCrypt doesn't support decryption cost me a lot of time. So, I thought, I should just warn others not to make the same mistake and use TrueCrypt for drive encryption.