66

I am looking to encrypt a few drives of mine, and my ONLY interest is security. It is OK if my VeraCrypt volumes are not compatible with TrueCrypt, and vice versa.

There is a lot of talk about "TrueCrypt is dead" and it seems there are two forks out there now gaining momentum. The one more interesting to me is VeraCrypt, and from the research I have done, this looks like the "more secure" option. But is that so?

That is why I am asking you all here. I know what VeraCrypt claims, I know they say they do more hash iterations of the password to derive the encryption keys. That sounds nice and all, but...

Does anyone have real-world experience using VeraCrypt, and is it as good as advertised? How does it compare to TrueCrypt?

Does anyone have a security reason why they would choose TrueCrypt over VeraCrypt? Any reasons at all why TrueCrypt is preferable to you?

I'm not on the "TrueCrypt is dead" bandwagon, I am just trying to be progressive, so I would choose a newer "better" option if it is available. But with that being said, I would also choose to go with the older option if it is actually better than the newer options. Your thoughts?

techraf
Radmilla Mustafa
  • 3
    I think this is a good question that has not been answered quite yet. It would be nice to have an update to [this question](http://security.stackexchange.com/questions/58994/are-there-any-reasonable-truecrypt-forks) with regards to TrueCrypt. – RoraΖ Nov 03 '14 at 19:54
  • What are the rest of your requisites? Maybe you could manually use a one-time pad? :) For which platforms do you need it to work? Would a single-platform solution be enough for you? – Ángel Nov 03 '14 at 21:23
  • I use Linux platforms. It doesn't need to be compatible with Windows or Mac, just as long as it works on a generic Linux distro. My only requirements are stability and security. I want it to take years to brute force the encrypted volume, but at the same time, in years from now I don't want any surprise corruption that renders hundreds of gigs of irreplaceable data useless. If I lose the password/keyfile, that is one thing, I just don't want the drive to be bricked one day without a sound reason. – Radmilla Mustafa Nov 03 '14 at 22:05
  • In years from now, the basic integrity of the hard drive is likely to be suspect anyway, it does depend on drive type and model, but they all break down with time. – ewanm89 Nov 04 '14 at 00:49
  • Sounds like you're looking for a one-time pad, as per @Ángel's comment. Assuming you implement it correctly, you are guaranteed perfect security. – KnightOfNi Nov 04 '14 at 04:13
  • If you're using Linux only, why not [LUKS](http://en.wikipedia.org/wiki/Linux_Unified_Key_Setup)? – CodesInChaos Nov 04 '14 at 10:10
  • 12
    @KnightOfNi WTF? Why would you even think about a one time pad for disk encryption? That makes so little sense, I don't even... – CodesInChaos Nov 04 '14 at 10:16
  • 5
    I'm with @CodesInChaos on this one. I may be ill, and it may be a coffee-less Tuesday morning, but I cannot fathom why anyone would think OTP would be even vaguely useful in FDE. – Polynomial Nov 04 '14 at 11:03
  • I'm assuming the suggestion of a one-time pad assumes that my data is text based? My data is strictly binary, so I don't think a one-time pad would be practical here. And on top of that, the volume will be written to periodically -- this is not a one time archival dump. I am aware of hardware degradation of the HDDs, but my main concern is the software algorithm. I'm guessing TrueCrypt doesn't have file corruption problems because of the widespread acclaim it receives, but can the same be said about VeraCrypt and others? Is this concern too paranoid on my part? – Radmilla Mustafa Nov 04 '14 at 15:25
  • Heh, I wasn't seriously proposing a OTP, just asking for more info. Being Linux-only, I also recommend LUKS. You could even use the (discontinued) [FreeOTFE](http://sourceforge.net/projects/freeotfe.mirror/) for mounting them from Windows. – Ángel Nov 04 '14 at 23:00
  • @CodesInChaos Oops, didn't read the question fully :). I somehow got it into my head that the data was text. – KnightOfNi Nov 05 '14 at 00:39
  • By the way, the new VeraCrypt version allows TrueCrypt containers or volumes to be converted to VC format. – Mobius Pizza Jan 18 '15 at 22:15
  • About drive integrity over time, also have a look at this question: https://security.stackexchange.com/questions/128197/how-robust-is-a-veracrypt-container-against-disk-errors – Marcel Aug 31 '16 at 05:39

4 Answers

42

I would still choose TrueCrypt for a matter of trust and the "many eyes" theory:

  • After the "TrueCrypt scandal" everyone started looking at the source for backdoors.

  • The TrueCrypt audit finished on April 2, 2015. They found low-risk vulnerabilities, including some that affect the bootloader full-disk-encryption feature, though there is no evidence of backdoors.

  • If VeraCrypt starts changing TrueCrypt fast, they may introduce a few vulnerabilities. Since VeraCrypt is currently less popular than TrueCrypt, there are 'fewer eyes' watching the VeraCrypt source code changes.

  • I consider that TrueCrypt 7.1a has all the features I need. An audited TrueCrypt with the vulnerabilities fixed would be the perfect choice. Unless I personally watch VeraCrypt source code diffs, it would require an audit on the changes, or a high increase in popularity, or many years of maintenance and active community to make me trust them more than the good old TrueCrypt.

  • The increase in iterations to mitigate brute force attacks only affects performance. If you chose a 64-char random password, 1 million years of brute forcing or 10 million years is the same from a security standpoint.

(I downloaded the public key of TrueCrypt admin years before the scandal. So I can download a copy of TrueCrypt 7.1a from any source and verify its authenticity)

This answer may change after they publish new results from the audit. Also, if you are the VeraCrypt dev, the trust argument doesn't apply (because you trust yourself).

taddy hoops
b2419326
  • This is the type of answer I was looking for. I don't know the VeraCrypt dev, what if he is on the fed payroll? There are other forks of TrueCrypt, would you say any of those deal with the trust issue better than VeraCrypt? – Radmilla Mustafa Nov 11 '14 at 17:55
  • I haven't checked them out yet. Some might deal slightly better if they are more popular but the same argument applies. The only way one fork can gain my trust fast is if they only fix the few vulnerabilities present in 7.1a and change nothing else. Then I can read the diffs from the 7.1a and see it is basically plain old TrueCrypt + few fixes. If the fork devs find out new vulns before the part 2 of the audit is over, that's also a good sign. The moment they start adding tons of lines of code for "new features", then I don't have the time to watch and understand the diffs and I'll stick with 7.1a. – b2419326 Nov 13 '14 at 05:35
  • follow-up question: What is the safest way to acquire the TrueCrypt source code / binaries? How can I verify the md5/sha sum of the 7.1a archive? If the new website can not be trusted, then where and how will I verify the source code? – Radmilla Mustafa Nov 19 '14 at 23:06
  • 2
    The source or binaries from everywhere. It doesn't matter as long as they are signed. The public key is another story. I have it since 2010 so I know the fingerprint is C5F4BAC4A7B22DB8B8F85538E3BA73CAF0D6B1E0. But you should get the public key from websites or people you trust, or sites that date before May 28, 2014. I personally trust archive.org but they didn't archive truecrypt website (because of robots.txt). I also trust marc.info (a mailing list archive) so [here](http://marc.info/?l=gnupg-users&m=132990608708642&w=4) I get the last bytes of the fingerprint: "F0D6B1E0". Who do you trust? – b2419326 Nov 22 '14 at 20:30
  • 7
    TrueCrypt is no longer trustworthy for use on Windows. It is unmaintained and now can be used to attack your Windows system through recently discovered vulnerabilities. Upgrade to a maintained fork like VeraCrypt or change to alternate encryption technology. – Fiasco Labs Sep 30 '15 at 03:41
  • 6
    `Also, if you are the VeraCrypt dev, the trust argument doesn't apply (because you trust yourself).` Perhaps, but whether you *should* trust yourself is another story. Just because you think you fixed a bug, doesn't mean you didn't introduce a gaping security flaw that's over your head. I know nothing about the intelligence of VeraCrypt's development team, but encryption is inherently difficult and TrueCrypt's developers were clearly pretty damn smart. – Dan Jan 20 '16 at 15:15
  • 3
    TrueCrypt should no longer be used; there are [escalation of privilege vulnerabilities](https://threatpost.com/veracrypt-patched-against-two-critical-truecrypt-flaws/114833/) that were patched in VeraCrypt. – Anti-weakpasswords Mar 08 '16 at 05:35
  • @Radmilla Mustafa: Steve Gibbs of GRC.com has decided to host a copy of TrueCrypt on his website. You should be able to grab a safe copy there if you are still looking. – YetAnotherRandomUser Apr 11 '16 at 02:25
  • 1
    I wasn't able to find the article but from a recent lawsuit in The Netherlands it was stated that TrueCrypt was used by the perpetrator and the government was helped by the NSA to DECRYPT his files... It has been a while back but I know that was the case. Also it succeeded. – Adam Sitemap Aug 30 '16 at 21:39
  • 1
    @b2419326 do you mind addressing the points raised by `Unglued` in his answer (vulnerabilities `CVE-2015-7358` and `CVE-2015-7359`) ? – Adrien Be Oct 11 '17 at 13:40
  • TrueCrypt is currently discontinued. I consider this a disadvantage worth mentioning. – chefarov Feb 12 '18 at 17:24
  • @YetAnotherRandomUser The fact that a crackpot like Gibson hosts a copy is not very convincing. If he didn't host the signatures as well, I'd say to stay well away. – forest Feb 21 '18 at 08:02
  • @forest How is he a crackpot? – YetAnotherRandomUser Feb 21 '18 at 13:04
  • @YetAnotherRandomUser I really hope I don't have to explain that. He's the laughing stock in professional information security. There are many resources to explain it, e.g. http://attrition.org/errata/charlatan/steve_gibson/ – forest Feb 22 '18 at 01:30
  • @forest I have had more fruitful searches for porn in the early 2000s than tracking down any real data on why a few people on the net hate Steve Gibson. Circular link referrals to articles no longer online, nor on archive.org, started this search, and tons of links that lead to a site but no article and no proof. Just lots of butthurt and unsubstantiated opinion. You can have your opinion, but don't present it as fact unless it is. – YetAnotherRandomUser Feb 22 '18 at 03:10
  • @YetAnotherRandomUser Read some of the links, perhaps. It is far more than "few people". I have seen many comments even on this site where people hate him. I have walked into conversations at work where people were laughing at something he had said. His understanding of many things is fundamentally incorrect (e.g. his silly raw socket claims). As someone who has worked in this field for years and knows hundreds of other people in the field, I have not _once_ seen anyone in the professional field who does not consider Gibson to be a quack. Ask anyone at Shmoocon, DEF CON, BSides, BlackHat etc. – forest Feb 22 '18 at 03:25
  • A further example from this site showing multiple users' disdain for Gibson, as well as showing how his "genius security scheme" is fundamentally flawed: https://security.stackexchange.com/a/43375/165253. It includes even high-rep moderators poking fun at the man for his poor understanding of security. – forest Feb 22 '18 at 03:31
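
The check discussed in the comments above (any download source is acceptable as long as the signature comes from a key whose fingerprint you obtained independently), as an added example that is not part of the original thread. It parses the machine-readable output of `gpg --status-fd 1 --verify`; the status lines are constructed samples, and `OTHER_FPR` and the function names are hypothetical.

```python
import re

# Fingerprint quoted in the comment thread above. Pin all 40 hex digits.
PINNED_FPR = "C5F4BAC4A7B22DB8B8F85538E3BA73CAF0D6B1E0"
OTHER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed, not a real key


def sample_status(fpr: str, good: bool = True) -> str:
    """Build constructed status output; timestamps and algorithm ids are made up."""
    lines = ["[GNUPG:] NEWSIG"]
    if good:
        lines.append(f"[GNUPG:] GOODSIG {fpr[-16:]} constructed-signer")
        lines.append(f"[GNUPG:] VALIDSIG {fpr} 2012-02-07 1328572800 0 4 0 17 2 00 {fpr}")
    else:
        lines.append(f"[GNUPG:] BADSIG {fpr[-16:]} constructed-signer")
    return "\n".join(lines)


def valid_signers(status_output: str) -> list:
    """Primary-key fingerprints from VALIDSIG lines (emitted only for good signatures)."""
    found = []
    for line in status_output.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) > 2:
            # The last field is the primary key; parts[2] may be a signing subkey.
            found.append(parts[-1].upper())
    return found


def signed_by_pinned_key(status_output: str, pinned: str = PINNED_FPR) -> bool:
    pinned = re.sub(r"\s+", "", pinned).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", pinned):
        raise ValueError("pin the full 40-hex-digit fingerprint, not a short key ID")
    signers = valid_signers(status_output)
    # Fail closed: exactly one valid signature, and it must come from the pinned key.
    return len(signers) == 1 and signers[0] == pinned


def corroborates(pinned: str, partial: str) -> bool:
    """Does a partial fingerprint from a second, independent source match the pin's tail?"""
    return pinned.upper().endswith(partial.replace(" ", "").upper())


if __name__ == "__main__":
    print(signed_by_pinned_key(sample_status(PINNED_FPR)))         # signed by pinned key
    print(signed_by_pinned_key(sample_status(OTHER_FPR)))          # good signature, wrong key
    print(signed_by_pinned_key(sample_status(PINNED_FPR, False)))  # bad signature
    print(corroborates(PINNED_FPR, "F0D6B1E0"))
```

A "good signature" from a key other than the pinned one is rejected, which a check based only on the exit status of `gpg --verify` would miss.
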
38

Yes. Use VeraCrypt.

As of September 26th 2015, Google's security researchers found a couple of vulnerabilities that affect TrueCrypt 7.1a and VeraCrypt 1.14.

They are CVE-2015-7358 and CVE-2015-7359.

On September 26th, 2015 VeraCrypt released 1.15 which fixes those vulnerabilities.

On October 17th, 2016, VeraCrypt's audit by QuarksLab was completed and, as a result, VeraCrypt version 1.19 was released to address the vulnerabilities found.

Sources:

Edit: added the October 17th, 2016 QuarksLab audit info

Unglued
  • What about https://www.grc.com/misc/truecrypt/truecrypt.htm ? – D. Kovács Jul 06 '17 at 09:53
  • 2
    GRC just has copies of the regular old TrueCrypt. It hasn't been changed at all. Also please know that GRC is a snake oil vendor of the worst kind. Pretty much everything they say on their website is misleading or downright incorrect. – forest Dec 15 '17 at 09:15
  • I encourage everyone to actually read what these vulnerabilities are about. In short: because of how I am using TrueCrypt, I am Not switching to VeraCrypt. – Tony Sepia Jul 26 '19 at 15:53
6

If you do a diff on TrueCrypt and VeraCrypt and remove all of the name change and version code, you are left with a reasonably sized patch to look at. VeraCrypt uses SHA256, which is better than SHA512 because of the key schedule. Besides the aforementioned iteration count, the other notable changes are NTFS support, upgraded wxWidgets support, volume format change, and inclusion of RSA's PKCS11 headers. Minor changes are things like changing .tc files to .hc, better packaging options for distribution, etc.

After applying the reduced patch set, I added Keccak to the mix for encryption and hashing. The stream cipher is nice to use in the middle of a cascade such as Serpent, Keccak (SHA3), then AES.

I was going to add support for TrueCrypt containers, but decided against it since I personally think the format change is an advantage.

Summing up, it's not that hard to audit using the above mentioned patch set.

Best practice dictates you use the verifiable TrueCrypt 7.1a distro, and download your own PKCS11 headers from RSA. If building for a Mac, use your own copy of nasm instead of the one included or download it yourself from its web page.

That's what I use and will continue to use until I have to change encryption algos when time dictates to do so.

Joe Blow
  • SHA256? Key schedule? Better than SHA512? Please elaborate on this. I don't believe it is true (perhaps you are thinking of the key schedule of AES128 vs AES256 in relation to related key attacks). – forest Feb 21 '18 at 08:01
4

I have been using TrueCrypt for years on Linux and Windows systems and was quite happy with it. Recently, I upgraded my Linux PCs to Ubuntu 16.04 and thought it would be the right moment to switch from TrueCrypt to VeraCrypt. I went ahead and converted TrueCrypt containers into VeraCrypt containers by simply changing the password as indicated in the documentation. I did it especially for an internal 1Tb hard disk drive formatted in two 500 Mb partitions. It appeared that whereas TrueCrypt decrypting of my partitions was previously performed within seconds, VeraCrypt decrypting now requires 4 minutes for each partition. This is unacceptable for me because I have to wait 8-9 minutes for my PC to be up and running in the morning. I am therefore considering switching back to TrueCrypt, which --all things considered-- looks like a good trade-off between improved security and convenience.

  • If you are encrypting your main Linux partition, you don't even need TrueCrypt; you can just use the built-in Linux drive encryption – Arijoon May 17 '17 at 10:49
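
An added example, not from the thread, for the iteration-count trade-off raised in the first answer and the unlock delay reported in the last one: it expresses key stretching as extra bits of brute-force work and times PBKDF2 at both settings. The iteration counts (1,000 for TrueCrypt 7.1a and 500,000 for VeraCrypt with SHA-512 on non-system volumes) and the 256-bit cap are assumptions not stated on this page, and the function names are hypothetical.

```python
import hashlib
import math
import time

# Assumed iteration counts for PBKDF2-HMAC-SHA512 on non-system volumes
# (not stated on the page): TrueCrypt 7.1a = 1000, VeraCrypt default = 500000.
TRUECRYPT_ITERS = 1_000
VERACRYPT_ITERS = 500_000


def derive_header_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512, one of the header key derivation options in both tools."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)


def seconds_per_guess(iterations: int, probe: int = 20_000) -> float:
    """Time a short PBKDF2 run and scale linearly; cost is proportional to iterations."""
    start = time.perf_counter()
    derive_header_key(b"probe-password", b"\x00" * 64, probe)
    return (time.perf_counter() - start) * iterations / probe


def stretch_bits(iterations: int) -> float:
    """Extra brute-force work, in bits, that key stretching adds to the password."""
    return math.log2(iterations)


def effective_bits(password_bits: float, iterations: int, key_bits: int = 256) -> float:
    """Approximate attack cost: password guessing, capped by attacking the key itself."""
    return min(password_bits + stretch_bits(iterations), key_bits)


def compare(password_bits: float) -> dict:
    tc = effective_bits(password_bits, TRUECRYPT_ITERS)
    vc = effective_bits(password_bits, VERACRYPT_ITERS)
    return {"truecrypt": tc, "veracrypt": vc, "gain": vc - tc}


if __name__ == "__main__":
    # Constructed inputs: an 8-char lowercase password vs. 64 random alphanumerics.
    for label, bits in [("8 lowercase", 8 * math.log2(26)), ("64 alnum", 64 * math.log2(62))]:
        print(label, {k: round(v, 1) for k, v in compare(bits).items()})
    print("unlock cost per attempt (s):",
          round(seconds_per_guess(TRUECRYPT_ITERS), 4), round(seconds_per_guess(VERACRYPT_ITERS), 2))
```

Under these assumptions the higher count adds about 9 bits of work for a weak password and nothing for a password that already exceeds the cipher's strength, while every legitimate unlock attempt pays the same 500-fold cost.
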