
I have a question regarding the security of TrueCrypt-encrypted file containers. I know that there are security leaks in the software that allow access to an encrypted drive, but can this technique be used to open an encrypted file container? I am using regular (non-hidden) containers because I like how easily they can be transported. Thank you in advance.

Seeker

  • Possible duplicate of [Is TrueCrypt safe enough to store clear-text-passwords?](https://security.stackexchange.com/questions/19666/is-truecrypt-safe-enough-to-store-clear-text-passwords). See also: https://security.stackexchange.com/questions/58940/is-truecrypt-not-secure-now-and-should-i-stop-using-it and https://security.stackexchange.com/questions/29375/is-7-zips-aes-encryption-just-as-secure-as-truecrypts-version and https://security.stackexchange.com/questions/85149/truecrypt-vs-bitlocker and many other questions with the truecrypt tag. – Polynomial Mar 25 '19 at 12:33
  • No, it cannot. TC was never directly compromised. – Overmind Apr 23 '19 at 12:58

3 Answers


I spent some time seriously digging into the Truecrypt/Veracrypt source code and studying the issued audit, and I would bet one of my testicles that the container format is secure.

A simple TC reimplementation exists at https://github.com/bwalex/tc-play. It uses the standard Linux kernel device mapper for mounting the TC volume. It reads the volume header, derives the encryption key from your password/keyfiles and the seed stored in the volume header, and uses the key and Linux dev-mapper to mount the volume container. It uses standard symmetric key encryption implemented in the Linux kernel. It's pretty much the same code as is used by LUKS - Linux crypto. So, if LUKS is safe then TrueCrypt is safe as well.

The only difference (as mentioned) is key derivation. However, it uses just standard crypto-primitives.

The only question is, whether the particular True/Vera-crypt implementation is safe. I would bet my second testicle that the tc-play is safe. It's short, and I was able to read it and understand it completely.

You can find yet another reimplementation in Linux cryptsetup. Many people have been thinking about TC security, which could be another proof.

However...

If you look at the VeraCrypt sources, you realize it contains thousands of lines of code and 99% of the code is GUI. The possible backdoor could be hidden anywhere, and it would be complicated to find it.

If you compare the VeraCrypt code and the TrueCrypt code, you realize that the VeraCrypt maintainer hasn't added anything interesting. He hasn't even fixed the known bugs discovered by the tc-play developer and noted in its README. For instance:

"The keyfile pool is not XOR'ed with the passphrase but modulo-256 summed."

This is a documentation bug, which hasn't been fixed in the VeraCrypt docs yet.

https://www.veracrypt.fr/en/Keyfiles.html (8.)

To implement a new crypto-algorithm (which Vera does) is a simple task. Knowing how, you can add any new algorithm within 1 hour of coding.

smrt28
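The answer above quotes the one concrete format detail on this page: the keyfile pool is modulo-256 *added* to the passphrase, while the documentation says it is XOR'ed. The following Python is an added illustration written for this page; it is not code from TrueCrypt, VeraCrypt or tc-play. It builds the pool and applies it both ways so a reader can see why a tool written from the documentation alone would derive different key material. The pool construction itself (a 64-byte pool, an un-finalised CRC-32 register split into four bytes and added at a cursor that advances four bytes per keyfile byte and wraps at 64) is my reading of the TrueCrypt keyfile description and is an assumption of this example; the page only states the add-versus-XOR difference.

```python
"""
Keyfile-pool mixing for TrueCrypt-style volumes (added example).

Assumptions, not stated on the page: 64-byte pool, CRC-32 register
split into four bytes per keyfile byte, cursor wrapping at 64.
What the page does state: the pool is modulo-256 added to the
password, even though the docs describe an XOR.
"""
from typing import Iterable, List

POOL_SIZE = 64  # assumed keyfile pool size in bytes


def _crc32_table() -> List[int]:
    """Reflected CRC-32 table (polynomial 0xEDB88320)."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (0xEDB88320 ^ (c >> 1)) if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc32_table()


def crc32_final(data: bytes) -> int:
    """Standard finalised CRC-32 (same value as zlib.crc32); used to sanity-check the table."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def build_keyfile_pool(keyfiles: Iterable[bytes]) -> bytearray:
    """Fold every keyfile into a 64-byte pool (assumed construction, see module docstring)."""
    pool = bytearray(POOL_SIZE)
    for kf in keyfiles:
        cursor = 0            # each keyfile restarts at the pool start
        crc = 0xFFFFFFFF      # running, un-finalised CRC-32 register
        for b in kf:
            crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
            for shift in (24, 16, 8, 0):
                pool[cursor] = (pool[cursor] + ((crc >> shift) & 0xFF)) & 0xFF
                cursor = (cursor + 1) % POOL_SIZE
    return pool


def apply_pool(password: bytes, pool: bytes, mode: str = "add") -> bytes:
    """Combine the zero-padded password with the pool.

    mode="add" is the modulo-256 sum the page says the code performs;
    mode="xor" is what the documentation describes.
    """
    if len(password) > POOL_SIZE:
        raise ValueError("password longer than the pool is out of scope here")
    padded = bytearray(password.ljust(POOL_SIZE, b"\x00"))
    for i in range(POOL_SIZE):
        if mode == "add":
            padded[i] = (padded[i] + pool[i]) & 0xFF
        elif mode == "xor":
            padded[i] ^= pool[i]
        else:
            raise ValueError("mode must be 'add' or 'xor'")
    return bytes(padded)


def effective_password(password: bytes, keyfiles: Iterable[bytes], mode: str = "add") -> bytes:
    """The 64-byte value that would feed the header key derivation."""
    return apply_pool(password, build_keyfile_pool(keyfiles), mode)


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration, not real secrets.
    pw = b"correct horse battery"
    kf = b"constructed keyfile contents for the example\n"
    summed = effective_password(pw, [kf], "add")
    xored = effective_password(pw, [kf], "xor")
    print("add :", summed.hex())
    print("xor :", xored.hex())
    print("same key material from both readings?", summed == xored)
```

With no keyfiles the pool is all zeros and both modes reduce to the zero-padded password, which is why a password-only volume cannot reveal the discrepancy; only a keyfile-protected header derived by a tool that followed the XOR description would fail to open.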

No such thing as "leaks in the software". The related vulnerabilities are not those of TrueCrypt. TrueCrypt itself is as safe as anything can get.

You can transport them and mount them anywhere, as you would an .iso file.

From a security perspective, at this time, the TrueCrypt containers are 100% safe.

Overmind

  • Do you have any sources for the claim that "TrueCrypt containers are 100% safe"? – Mar 25 '19 at 12:22
  • Do you have any proof of the contrary? You can always check any CVE database or other vulnerability reports at any time. – Overmind Mar 25 '19 at 12:29
  • "100% safe" is disingenuous at best. The deniability aspect isn't safe against differencing attacks. There's no explicit malleability detection; it just returns garbled adjacent blocks when you modify the ciphertext. It's safe enough in most cases but nothing is 100% secure. – Polynomial Mar 25 '19 at 12:32
  • By that logic nothing is ever safe. With current processing power you cannot brute force a properly set up TC container. Which is infinitely better than the improper implementation of things like BitLocker, which has been proven to fail. – Overmind Mar 25 '19 at 12:42
  • @Overmind can you point to a source on any such fail of BitLocker? – TermoTux Jun 24 '20 at 22:24
  • Like this, passing the problem instead of solving it: https://www.howtogeek.com/fyi/you-cant-trust-bitlocker-to-encrypt-your-ssd-on-windows-10/ – Overmind Jun 25 '20 at 07:47

Given that TrueCrypt has been mysteriously discontinued by its developers for security concerns and has not been maintained, it is likely to have some issues. While I'm not sure if file containers themselves are affected, it would be a much better option to use VeraCrypt. VeraCrypt is the successor of TrueCrypt once it was condemned and has passed security audits. Here is an excerpt from the TrueCrypt download page:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

SuperAdmin

  • Since the same TrueCrypt containers are still valid containers in VeraCrypt, I don't believe this is true. Any issues with TrueCrypt were likely related to run-time vulnerabilities or key exposures. – John Deters Mar 25 '19 at 12:31
  • @JohnDeters "While I'm not sure if file containers themselves are affected" I did not say that the container is insecure, I merely advised that TrueCrypt is not used which you seem to agree with. – SuperAdmin Mar 25 '19 at 12:33
  • The original question was specifically about the security of the containers, not the app itself. Yes, I agree, use VeraCrypt instead of TrueCrypt. But you can still use VeraCrypt with TrueCrypt containers, which is why I answered that the advice to change them wasn’t valid. – John Deters Mar 25 '19 at 12:38
  • @JohnDeters But doesn't using the container with TrueCrypt inherently make it insecure? That is why I recommended VeraCrypt. – SuperAdmin Mar 25 '19 at 13:28