Recommend a disk encryption software that we use as a replacement of TrueCrypt

In a recent question, an EE advised us to move from TrueCrypt to VeraCrypt or BitLocker, since TrueCrypt is not considered safe anymore (unfixed security issues with its driver), etc.

That said, we started to search for encryption apps that would replace TC.  We are looking for an application that can open our TC volumes and also upgrade them to its format, if applicable.  We create volumes on our hard drives and also on our USB devices.  So far, we have found AES, Crypt, AxCrypt, DiskCryptor, EncFS, dm-Crypt/LUKS Secrecy (and obviously VeraCrypt).

Please advise on which to turn to.
janaAsked:

Dirk KotteSECommented:
We use Sophos SafeGuard encryption (formerly Utimaco).
Good, enterprise software, but I don't know if TC volumes are usable.
https://www.sophos.com/en-us/products/safeguard-encryption.aspx
Natty GregIn Theory (IT)Commented:
You can use Geli or Bitlocker
McKnifeCommented:
To give sound advice, you should describe what you expect of that software.
madunixChief Information Officer Commented:
btanExec ConsultantCommented:
You probably need some conversion done to your existing TC volume. In VeraCrypt this is handled, see
https://veracrypt.codeplex.com/wikipage?title=Converting%20TrueCrypt%20volumes%20and%20partitions
Also the faq
Can I use my TrueCrypt volumes in VeraCrypt?

Yes. Starting from version 1.0f, VeraCrypt supports mounting TrueCrypt volumes.

Can I convert my TrueCrypt volumes to VeraCrypt format?

Yes. Starting from version 1.0f, VeraCrypt offers the possibility to convert TrueCrypt containers and non-system partitions to VeraCrypt format. This can be achieved using the "Change Volume Password" or "Set Header Key Derivation Algorithm" actions. Just check the "TrueCrypt Mode", enter your TrueCrypt password and perform the operation. After that, your volume will have the VeraCrypt format.
Before doing the conversion, it is advised to back up the volume header using TrueCrypt. You can delete this backup safely once the conversion is done and after checking that the converted volume is mounted properly by VeraCrypt.
https://veracrypt.codeplex.com/wikipage?title=FAQ

Dave HoweSoftware and Hardware EngineerCommented:
As btan says, VeraCrypt is a successor (technically a fork) of the TC project. You can mount existing TC volumes unchanged, but one of the items that came out of the NCC audit was that the mechanism that TC uses to get from password to key is rather dated; VeraCrypt offers a much more modern (slower :D) mechanism, so upgrading this (which doesn't change the encrypted data in any way) is advisable after all nodes that need to access the TC volume are on VeraCrypt.

Any other migration would require creating a new volume of the new type, and migrating data to it.
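Dave Howe's point about the password-to-key step is the one concrete security gain of the header upgrade, so here is an added illustration of it; this is example code written for this page, not code from the thread or from the TrueCrypt/VeraCrypt projects. Both tools derive the header key with PBKDF2-HMAC over a 64-byte salt stored in the volume header; the iteration counts used below are the published defaults for the SHA-512 hash (1,000 for TrueCrypt, 500,000 for VeraCrypt non-system volumes, which VeraCrypt exposes as a "PIM" of 485 via iterations = 15000 + PIM × 1000). The password, the salt and the timing loop are constructed for the demonstration; a real header additionally uses the derived key to decrypt and verify the header, which is left out here.

```python
import hashlib
import time

# Published PBKDF2 iteration counts for the SHA-512 hash (non-system volumes).
TRUECRYPT_SHA512_ITERATIONS = 1_000
VERACRYPT_SHA512_ITERATIONS = 500_000
VERACRYPT_DEFAULT_PIM_SHA512 = 485  # 15000 + 485 * 1000 == 500000

# Constructed sample inputs; a real salt is 64 random bytes read from the header.
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes(range(64))


def veracrypt_iterations(pim=None):
    """Iteration count VeraCrypt uses for a SHA-512 non-system volume.

    With no PIM the default applies; with a PIM the documented formula
    15000 + PIM * 1000 is used, so a larger PIM costs every guess more.
    """
    if pim is None:
        return VERACRYPT_SHA512_ITERATIONS
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    return 15_000 + pim * 1_000


def derive_header_key(password, salt, iterations, key_len=64):
    """PBKDF2-HMAC-SHA512 as used for the header key (64 bytes covers AES-XTS)."""
    if len(salt) != 64:
        raise ValueError("volume header salt is 64 bytes")
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=key_len)


def guess_cost_ratio(old_iterations, new_iterations):
    """How many times more work one password guess costs after the upgrade."""
    return new_iterations / old_iterations


def time_derivation(iterations, rounds=3):
    """Average wall-clock seconds for one derivation at this iteration count."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive_header_key(SAMPLE_PASSWORD, SAMPLE_SALT, iterations)
    return (time.perf_counter() - start) / rounds


def main():
    tc = time_derivation(TRUECRYPT_SHA512_ITERATIONS)
    vc = time_derivation(veracrypt_iterations(), rounds=1)
    ratio = guess_cost_ratio(TRUECRYPT_SHA512_ITERATIONS, veracrypt_iterations())
    print(f"TrueCrypt  header KDF: {TRUECRYPT_SHA512_ITERATIONS:>7} iterations, {tc*1000:.1f} ms per guess")
    print(f"VeraCrypt  header KDF: {veracrypt_iterations():>7} iterations, {vc*1000:.1f} ms per guess")
    print(f"Each offline password guess costs {ratio:.0f}x more after converting the header.")
    print("The data keys and ciphertext are untouched: only the header is re-derived.")


if __name__ == "__main__":
    main()
```

The ratio is the whole story: converting the header does not change the volume's master key or the encrypted data, it only makes every offline password guess roughly 500 times more expensive, which is why the upgrade is worth doing once every machine that must open the volume runs VeraCrypt.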
btanExec ConsultantCommented:
To add, while the TrueCrypt 7.1a code has been independently audited, VeraCrypt's code has not. I believe the other candidates also did not go through such a tight review regime. We will not know what we do not know, but at best use it with a measured risk and the necessary actions like data backup taken up.

Besides this, I know in the past there were forks of TC, open source for anyone to review, like CipherShed and TCnext. The latter is the actual TC, which I will not touch on further, and probably you are looking at the same code either way... However, CipherShed is one that you may want to take a look at, though it is still in the works. It does share the audit view of TC as its parent and it is working with the OpenCryptoAuditProject, which is the same group that reviewed TC. I still see it as not ready.

https://www.ciphershed.org/
https://truecrypt.ch/

Overall, I do not see that there is an exact replacement, as we are moving onto newer ground as always. Sheer diligence is the best effort to ensure the s/w is alright to use. Maybe that is why most may consider a more conservative (or convenient?) stand and shift to a commercial product like those from Symantec, Sophos and McAfee Endpoint Security, besides the native BitLocker.
McKnifeCommented:
Don't make it so complicated for him.
This is the start of a change management process. He used TC and was happy, but we do not even know how you used it, ramante... you need to describe the goals and procedures.
Now I told him that TC leaves a vulnerability on his machines and he jumps to action. I already tried to appeal for a review of needs, but that went unheard. If you were to change your encryption solution, there are so many things to consider; there's no use in discussing solutions/products yet.

Ramante, we need to know essential things like
-how do you use it? Multiple users per machine? GPT in use?
-what should it protect against?
-would bitlocker be possible (is your edition capable?)
-are you looking for freeware or what's your yearly budget for it?
-what manageability options are you looking for
-do you prefer open source software?
And many more. So it's definitely your turn, now :)
Dave HoweSoftware and Hardware EngineerCommented:
VeraCrypt does need auditing, but I suspect that should wait until they finish fixing up any or all issues; the base code is identical to the audited TC code, so it might come in a bit cheaper (after all, they only really need to audit the changes, not start over from scratch).

In the meantime, I can't see it being any worse than TC, and there is a clean upgrade path (while if they go BitLocker or some commercial solution, they will have to migrate the data).
btanExec ConsultantCommented:
In fact, do we really need to change and shift away from TC? : ) There must be some internal debate to drive the shift away... maybe staying with the status quo is the least complicated and simplest means to solve the issue. None is the wiser. We just trust what the findings are but are not willing to take the risk. But we are willing to shift to other new software not knowing whether it is clear as well... Pardon me for the sidetracking.
janaAuthor Commented:
Thanx for the info.  Ok, chronologically per entry:

We need to be compatible with TC; don't know if Sophos, Geli, BitLocker or Endpoint can open and manage TC volumes.

We expect from the software similar attributes to TrueCrypt, such as creating volumes, managing them, etc., but also whether the app can open existing TC volumes and also permit maintenance of them.

That is what we hope for.

Thanx for the VeraCrypt link, we'll check it.

Our version is TC 7.1a.  We also viewed some pages regarding that audit and, even more, some recommended staying on that version until the audit is finished in order to determine which direction to go.
Saw a recommendation for CipherShed; is it totally compatible with TC?

To answer your questions:
how do you use it? – MAINLY FOR BACKUP PURPOSES AND DATA TRANSFER FROM ONE PC TO ANOTHER VIA USB
Multiple users per machine? - NO
GPT in use? – DON'T KNOW WHAT GPT IS, WHAT IS IT?
what should it protect against? – AGAINST ALL THAT IS POSSIBLE (SIMILAR TO TC PROTECTION)
would bitlocker be possible (is your edition capable?) – SINCE WINDOWS WE HAVE A BAD TASTE FOR THAT OPTION, BUT IF WE CAN USE TC WITH IT, MAYBE
are you looking for freeware or what's your yearly budget for it? – COST FREE
what manageability options are you looking for – CREATE/MODIFY/DELETE/FIX VOLUMES
do you prefer open source software? – DOESN'T MATTER

Yes, it seems VC may be the choice, but with you guys' help we can determine the road to go.
McKnifeCommented:
You use it "MAINLY FOR BACKUP PURPOSES AND DATA TRANSFER FROM ONE PC TO ANOTHER VIA USB" - so not for securing your OS, just for encrypting data drives? Then use VeraCrypt, no ifs or buts.
If however you'd like to use it for full disk encryption on bootable (OS-) disks, I'll give you 2 reasons against VeraCrypt:
1. It knows no hierarchy, so whoever got the password can do anything with the drive, including offline manipulation. That is unwanted for OS disks in tightly secured environments, so a no-go for VeraCrypt there if we assume that users should definitely be kept from promoting themselves to administrators.
2. It does not support GPT based installations (GPT is a partitioning scheme).
GPT is used by default for Win8.x/Win10 and enables us to use Secure Boot (another security feature) and use boot partitions bigger than 2 GB. Both are not possible with VeraCrypt (nor with TrueCrypt).
Dave HoweSoftware and Hardware EngineerCommented:
Yeah. GPT support is on the wishlist, so I hope they get to that soon. The whole "we can mount it offline" thing is less of an issue, as that is true anyhow; if you have the appropriate credentials and the right software, you can unlock *any* encrypted disk solution. The FBI are currently working on getting Apple to let them have some software to do just that for iPhones :D
McKnifeCommented:
"if you have the appropriate credentials and the right software, you can unlock *any* encrypted disk solution" - ok, tell me the steps to unlock a bitlocked OS drive offline if you just have the PIN. What are they?
btanExec ConsultantCommented:
TC volumes should be loadable via CipherShed. But as all have shared, go for VC. The other products still need to open the volume and do that manual data transfer. Create your backup.
Dave HoweSoftware and Hardware EngineerCommented:
McKnife: most pro-grade forensic packages such as EnCase (EnCase v7 just prompts for the PIN or recovery string when needed; I have used this with BitLocker on Win7 Enterprise reliably).
janaAuthor Commented:
So definitely VeraCrypt is the way to go for our use of only for backup and transferring data via USB.

But reading everything else, the weakness described for full disk encryption is only for full disk encryption and not present in just backup & USB use?
McKnifeCommented:
@Dave
Sorry, are you aware of the fundamental difference between PIN and recovery key?
btanExec ConsultantCommented:
See the audit findings. I see it more as poor, insecure coding besides the crypto aspects.  I will not say it is only disk encryption, though TC is only supporting that aspect, or volumes (for that matter).
 - https://wiki.ciphershed.org/Audit
Dave HoweSoftware and Hardware EngineerCommented:
McKnife: yes, I am, and that's what EnCase prompts for - pin *or* recovery key. It will take either.
McKnifeCommented:
Dave, I'd bet a good amount of money that it won't work with the PIN. Password: yes, Recovery key: yes. PIN: no. Or else the whole TPM concept is flawed.
janaAuthor Commented:
Hi guys, great info, but just FYI in my entry ID: 41488528:

"So definitely VeraCrypt is the way to go for our use of only for backup and transferring data via USB.

But reading everything else, that weakness described for full disk encryption, is only for full disk encryption not present in just backup & usb?"
Good Comment?
McKnifeCommented:
If you read closely, that has been answered. Yes, for USB data transfer/backup, VeraCrypt is as good as the others.
btanExec ConsultantCommented:
It is good for VC. Back up the crypto keys, like what TC is already doing as well. Normally it has the header containing the encrypted volume key backup. You use your recovery password in the event of a forgotten password.
janaAuthor Commented:
Yes, that part we got, "VeraCrypt is as good as the others", but our question is:

We are looking for an application that can open our current TC volumes, also, if desired, upgrade TC to its format and, finally, is able to manage TC volumes without converting.

Based on our input, which apps EE recommends as the closest to TC that we should consider as a replacement?

(as the question stated, we found many options and the decision is a bit confusing: AES, Crypt, AxCrypt, DiskCryptor, EncFS, dm-Crypt/LUKS Secrecy, VeraCrypt and the ones added by you guys in the thread: Sophos SafeGuard encryption, Geli, BitLocker, Symantec Endpoint, CipherShed, TCnext)

Thank you guys for your patience, really (users not too knowledgeable like us must be frustrating sometimes)
EirmanChief Operations ManagerCommented:
If you do decide to migrate all your data to a new encryption system, consider BESTCRYPT.
I consider it to be the best commercial solution available. The source code is available online.
It's not expensive and support is great.
TrueCrypt was based on/inspired by BestCrypt.

Listen to this if you are worried about 'backdoors':
http://www.jetico.com/about-jetico/newsroom/690-jetico-ceo-michael-waksman-talks-about-backdoors-truecrypt-and-bruce-schneier-on-computer-america
It starts at 65 minutes in.
There is chit-chat for 5 minutes and it discusses BCWipe.
The interesting encryption stuff starts about 80 minutes in.

Data encrypted with the 1993 DOS version is still accessible with the current version,
so you will never run into version compatibility problems.
McKnifeCommented:
Everyone agreed: take VeraCrypt. It can mount the TC volumes, so no big effort migrating.
The TC vulnerability is gone, the problems I mentioned before are not seen with your USB encryption, all is fine.
EirmanChief Operations ManagerCommented:
btanExec ConsultantCommented:
The closest are TCnext and CipherShed if you want a direct mount without migration. The codebase is likely the same, though CS is still undergoing audit and will be more welcome in future. Otherwise, VC is the next choice, as all others need to migrate, as shared.
janaAuthor Commented:
Ok Guys!!! Thanx!! We have homework to do in this decision!
(will proceed close question)
Dave HoweSoftware and Hardware EngineerCommented:
McKnife - it does seem to work with the PIN; however, that doesn't mean the TPM is flawed. If it could access the BitLocker volume *without* the PIN, that would be a significant flaw, but compare this to the HSM at the heart of the current Apple vs FBI fight - that (given a PIN) will quite happily supply the key to decrypt the media, but without the PIN, your only hope is to brute-force the correct PIN by exhaustive search. I can't imagine the TPM is much different?