jana asked:

Recommend a disk encryption software that we use as a replacement of TrueCrypt

In a recent question, an EE advised to move our TrueCrypt to Veracrypt or Bitlocker, since truecrypt is not considered safe anymore (unfixed security issues with its driver), etc.

That said, we started to search for an encryption app that would replace TC.  We are looking for an application that can open our TC volumes and also upgrade them to its format, if applicable.  We do create volumes in our hard drives and also in our USB devices.  So far, we have found AES, Crypt, AxCrypt, DiskCryptor, EncFS, dm-Crypt/LUKS Secrecy (and obviously Veracrypt).

Please advise on which to turn to.
Dirk Kotte

We use Sophos SafeGuard encryption (formerly Utimaco).
Good enterprise software, but I don't know if TC volumes are usable.
https://www.sophos.com/en-us/products/safeguard-encryption.aspx
You can use Geli or Bitlocker
To give sound advice, you should describe what you expect of that software.
Don't make it so complicated for him.
This is the start of a change management process. He used TC and was happy - but we do not even know how you used it, ramante... you need to describe the goals and procedures.
Now I told him that TC leaves a vulnerability on his machines and he jumps to action. I already tried to appeal for reviewing of needs, but that was unheard. If you were to change your encryption solution, there are so many things to consider, there's no use in discussing solutions/products, yet.

Ramante, we need to know essential things like
- how do you use it? Multiple users per machine? GPT in use?
- what should it protect against?
- would bitlocker be possible (is your edition capable?)
- are you looking for freeware or what's your yearly budget for it?
- what manageability options are you looking for
- do you prefer open source software?
And many more. So it's definitely your turn, now :)
Veracrypt does need auditing, but I suspect that should wait until they finish fixing up any or all issues; the base code is identical to the audited tc code, so it might come in a bit cheaper (after all, they only really need to audit the changes, not start over from scratch).

In the meantime, I can't see it being any worse than tc, and there is a clean upgrade path (while if they go bitlocker or some commercial solution, they will have to migrate the data)
In fact, do we really need to change and shift away from TC : )  there must be some internal debate to derive the shift away..maybe by being status quo, that is the least complicated and simpler means to solve the issue. None is the wiser. We just trust what the findings are but not willing to take the risk. But we are willing to shift into another new software not knowing that they are clear as well... Pardon me for the sidetracking
jana (ASKER)

Thanx for the info.  Ok, chronologically per entry:

We need to be compatible with TC; don't know if Sophos, Geli, Bitlocker, Endpoint can open and manage TC volumes.

We expect from the software similar attributes as of TrueCrypt as in creating volume, manage them, etc., but also if the apps can open present TC volumes and also permit to give maintenance.

That is what we hope for.

Thanx for the VeraCrypt link, we'll check it.

Our version is TC 7.1a.  We also viewed some pages regarding that audit and even more, some recommended to stay in that version until the audit is finished in order to determine which direction to go.
Saw a recommendation for CipherShed; is it totally compatible with TC?

To answer your questions:
how do you use it? – MAINLY FOR BACKUP PURPOSES AND DATA TRANSFER FROM ONE PC TO ANOTHER VIA USB
Multiple users per machine? - NO
GPT in use? – DON'T KNOW WHAT GPT IS, WHAT IS IT?
what should it protect against? – AGAINST ALL THAT IS POSSIBLE (SIMILAR TO TC PROTECTION)
would bitlocker be possible (is your edition capable?) – SINCE WINDOWS WE HAVE BAD TASTE FOR THAT OPTION BUT IF WE CAN USE TC WITH IT, MAYBE
are you looking for freeware or what's your yearly budget for it? – COST FREE
what manageability options are you looking for – CREATE/MODIFY/DELETE/FIX VOLUMES
do you prefer open source software? – DOESN'T MATTER

Yes seems VC may be the choice, but with u guys help we can determine the road to go.
Yeah. gpt support is on the wishlist so I hope they get to that soon. the whole "we can mount it offline" thing is less of an issue, as that is true anyhow; if you have the appropriate credentials and the right software, you can unlock *any* encrypted disk solution. FBI are currently working on getting Apple to let them have some software to do just that for iPhones :D
"if you have the appropriate credentials and the right software, you can unlock *any* encrypted disk solution" - ok, tell me the steps to unlock a bitlocked OS drive offline if you just have the PIN. What are they?
TC volume should be loaded via Ciphershed. But as all shared go for VC. The other product still need to open the volume and do that manual data transfer. Create your backup.
McKnife: most pro grade forensic packages such as EnCase (EnCase v7 just prompts for the pin or recovery string when needed; I have used this with Bitlocker on Win7 Enterprise reliably)
jana (ASKER)

So definitely VeraCrypt is the way to go for our use of only for backup and transferring data via USB.

But reading everything else, that weakness described for full disk encryption, is only for full disk encryption not present in just backup & usb?
@Dave
Sorry, are you aware of the fundamental difference between PIN and recovery key?
See the audit findings. I see it more of poor insecure coding besides the crypto aspects.  I will not say it is only Disk Encryption though TC is only supporting that aspect or volume (for that matter)
 - https://wiki.ciphershed.org/Audit
McKnife: yes, I am, and that's what EnCase prompts for - pin *or* recovery key. It will take either.
Dave, I'd bet a good amount of money that it won't work with the PIN. Password: yes, Recovery key: yes. PIN: no. Or else the whole TPM concept is flawed.
jana (ASKER)

Hi guys, great info, but just FYI in my entry ID: 41488528:

"So definitely VeraCrypt is the way to go for our use of only for backup and transferring data via USB.

But reading everything else, that weakness described for full disk encryption, is only for full disk encryption not present in just backup & usb?"
If you read closely, that has been answered. Yes, for usb data transfer/backup, veracrypt is as good as others.
It is good for VC. Backup if crypto keys as like what TC is already doing as well. Normally it has the header containing the encrypted volume key backup. You use your recovery password in event of forgotten passwords.
jana (ASKER)

Yes, that part we got, "VeraCrypt is as good as the others", but our question is:

We are looking for an application that can open our current TC volumes, also, if desired, upgrade TC to its format and finally, able to manage TC volumes without converting.

Based on our input, which apps EE recommends as the closest to TC that we should consider as a replacement?

(as the question stated, we found many options and the decision is a bit confusing, AES, Crypt, AxCrypt, DiskCryptor, EncFS, dm-Crypt/LUKS Secrecy, VeraCrypt and the ones added by you guys in the thread Sophos SafeGuard encryption, Geli, Bitlocker, Symantec Endpoint, Ciphershed, TCnext)

Thank you guys for your patience, really (users not too knowledgeable like us must be frustrating sometimes)
If you do decide to migrate all your data to a new encryption system, consider BESTCRYPT.
I consider it to be the best commercial solution available. The source code is available online.
It's not expensive and support is great.
TrueCrypt was based on/inspired by BestCrypt.

Listen to this if you are worried about 'backdoors'
http://www.jetico.com/about-jetico/newsroom/690-jetico-ceo-michael-waksman-talks-about-backdoors-truecrypt-and-bruce-schneier-on-computer-america
It starts at 65 minutes in
There is chit-chat for 5 minutes and it discusses BCwipe
The interesting encryption stuff starts about 80 minutes in


Data encrypted with 1993 DOS version is still accessible with the current version
so you will never run into version compatibility problems.
jana (ASKER)

Ok Guys!!! Thanx!! We have homework to do in this decision!
(will proceed close question)
McKnife - it does seem to work with the pin, however that doesn't mean the TPM is flawed. If it could access the Bitlocker volume *without* the pin, that would be a significant flaw, but compare this to the HSM at the heart of the current Apple Vs FBI fight - that (given a pin) will quite happily supply the key to decrypt the media, but without the pin, your only hope is to brute-force the correct pin by exhaustive search. I can't imagine the TPM is much different?