Latest posts by Michael Pietroforte (see all)
- Results of the 4sysops member and author competition in 2018 - Tue, Jan 8 2019
- Why Microsoft is using Windows customers as guinea pigs - Reply to Tim Warner - Tue, Dec 18 2018
- PowerShell remoting with SSH public key authentication - Thu, May 3 2018
If you open the TrueCrypt homepage, this is the first thing you read:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
Improved security ^
The people who doubted that TrueCrypt is trustworthy were not so far off the mark. Let’s leave it open regarding how these “unfixed security issues” entered the code in the first place, considering that we don’t know who wrote the code. What is most interesting is that, even though TrueCrypt is open source and was once very popular, these security issues remained undetected by the “community” for quite a while. Or perhaps they were actually detected, but those hackers found a better a way to use their knowledge than to receive friendly pats by the community. So much for the claim that open source is more secure than closed source.
Since the anonymous TrueCrypt developers lost interest in the project in May 2014, no fixes for these security holes are available. The likely official successor is CipherShed, but the first version of CipherShed is still in development.
VeraCrypt was forked from TrueCrypt in June 2013, I think shortly before the doubts about TrueCrypt emerged. VeraCrypt’s UI is identical to TrueCrypt, and the tool solves many vulnerabilities and security issues found in TrueCrypt. It can’t presently be seen as a successor to TrueCrypt because these encryption tools are incompatible with each other. However, Mounir Idrassi, the main developer behind VeraCrypt, seems to have promised to offer a conversion tool.
VeraCrypt has the same UI as TrueCrypt.
According to Idrassi, the number of iterations that TrueCrypt uses to encrypt containers is not sufficient to prevent brute force attacks, which is the reason you can’t mount TrueCrypt volumes in VeraCrypt. A downside of the larger number of iterations is that VeraCrypt is quite slow in mounting containers. When I mounted a 1GB container on a computer with a core i7 CPU and SSD, VeraCrypt took several seconds to make the volume available, whereas TrueCrypt manages this task in a blink of an eye.
Despite the technical differences that improved VeraCrypt’s security, what makes the tool more trustworthy, in my view, is mostly the fact that it’s clear who is behind the project. Some people will probably like that the project is located in France, which makes it perhaps less vulnerable to social engineering by some well-known secret services. Whether you see this as an advantage certainly depends on whether you consider these agencies as a threat to your data. By the way, the developers behind CipherShed are also known. Most of them are from the US, one is from the UK, and one is German living in Taiwan. I leave it up to you to decide whether this makes the project more vulnerable to social attacks or not.
Drive encryption not recommended ^
I wouldn’t use VeraCrypt for encrypting system or data drives. The main reason that speaks against encrypting data volumes with VeraCrypt is that you can’t decrypt those volumes. As with TrueCrypt, the only way to get rid of an encrypted VeraCrypt volume is to format the partition. This is, of course, ridiculous.
You can decrypt system volumes with the help of the rescue disk. However, the main problem with VeraCrypt's system drive encryption is that the tool doesn’t support a TPM chip. This means that you always have to enter a password before Windows boots up. In my view, this is not only inconvenient but also makes VeraCrypt more vulnerable than BitLocker.
No TPM support ^
Idrassi claims that the use of a TPM chip doesn’t improve security because, if an attacker has physical access to the machine, the attacker can always access the master keys whether the encryption solution uses a TPM or not.
It is true that BitLocker, in combination with TPM, is also vulnerable to such attacks, just like any other drive encryption solution. Once an attacker has physical access to the machine, he can manipulate the hardware in order to intercept the password or encryption keys when the victim uses the computer after the attack. Thus, the attacker needs either access to a running machine or access to the machine a second time after the victim has started the computer when the hardware manipulations are in place.
However, the point of using a TPM is not to prevent such physical attacks. Microsoft only speaks of external software attacks and physical theft. For simple physical theft, a BitLocker-encrypted machine is secure.
Idrassi makes the same mistake that many security experts make. He imagines attacks that are possible in theory, and he doesn’t really consider the likelihood of such a scenario. The main purpose of drive encryption solutions is to ensure that sensitive data on a stolen laptop doesn’t get into the wrong hands. Its purpose is not to prevent James Bond and company, who have the support of super hackers with very sophisticated hardware skills to steal data from the evil enemy.
Having said that, TPM support in a drive encryption tool provides a huge advantage because users don’t have to enter a password before the machine boots up. It is well known that passwords in user hands are the weakest part of any security solution. The habit of pinning the password right on the computer is still quite popular. The more passwords a user needs, the more likely this practice will continue and the higher the security risk is.
Once passwords are involved, you need a policy and procedure in place that ensures that passwords are changed regularly. This drives costs and increases the likelihood that data becomes inaccessible because of forgotten passwords. Thus, at least in a professional environment, disk encryption without TPM is absolutely not recommended. In addition, BitLocker’s good integration into Active Directory makes it a far superior drive encryption solution anyway.
Nevertheless, VeraCrypt’s file container encryption is useful and has many advantages compared to Microsoft’s Encrypting File System (EFS). For instance, you can use the tool to store encrypted containers in your cloud drive and sync them with your Android phone because EDS now also supports VeraCrypt containers.
I think I will give VeraCrypt a chance. I’ve been using TrueCrypt for a long time, and VeraCrypt’s UI appears to be more or less identical, which means that the transition will be fairly smooth even though I have to move my data from TrueCrypt to VeraCrypt. However, I am unsure if this slow mounting won’t get on my nerves in the long run. We will see.
Unfortunately, VeraCrypt only runs on Windows. Linux and Macs are not supported. If you want secure TrueCrypt encryption on one of those operating systems, you’ll have to wait until the CipherShed project offers the first version of their TrueCrypt successor. (See comment below.)