Which TrueCrypt Algorithm is the safest?



If performance is of no concern, which TrueCrypt algorithm is the safest to use?

  • AES
  • Serpent
  • Triple DES
  • Twofish
  • AES-Twofish
  • AES-Twofish-Serpent
  • Serpent-AES
  • Serpent-Twofish-AES
  • Twofish-Serpent

Amir Rezaei

Posted 2010-11-06T11:41:12.430

Reputation: 1 443

13 They're all safe, otherwise they wouldn't be in the product. But use AES, since it's the standard. – Ian Boyd – 2010-11-06T16:13:13.073

13 I'd say unless there is a government agency after you, the quality of your password is more likely to be an issue than the encryption algorithm. – Col – 2011-08-17T13:43:39.843

3 That’s so weird; I could have sworn the title was asking which is the fastest. ಠ_ఠ – Synetech – 2013-10-06T13:38:15.093



these are the results of the voting in the final round of the AES-contest:

Rijndael 86-10 = 76
Serpent 59-7   = 52
Twofish 31-21 = 10
RC6 23-37 = -14
MARS 13-83 = -70 

(http://csrc.nist.gov/archive/aes/round2/comments/20000523-msmid-2.pdf, linked via truecrypt serpent, read that one as well).

so, for a variety of reasons Rijndael became AES, which is the successor of DES (and 3DES).

and, just because it popped up today on news.ycombinator.com, the story of AES:



Posted 2010-11-06T11:41:12.430

Reputation: 52 754


Using TrueCrypt 7.0a, the most secure method of encryption is: Use the AES-Twofish-Serpent cascading encryption with the XTS method. Use the Whirlpool hash algorithm. (SHA-512 is a very close 2nd place here... it's debatable... I'm leaning towards Whirlpool because SHA-512 is already having a successor developed because of fears that it is based on an older SHA-1 that has been compromised.) MOST IMPORTANT is to use a VERY strong password. 20 to 30+ characters, uppercase, lowercase, numbers, symbols. Use Microsoft's online password checker for a strength test. You can also use Keyfiles to further secure your password.

I recommend the AES-Twofish-Serpent over the Serpent-Twofish-AES because you want the outermost encryption (AES will be the first layer they need to break) to be the most standard in the industry. That one is the most tried and true and the most tested of all of them. Plus, if someone assumes a file is encrypted with AES, there's no way of seeing that it is then encrypted with Twofish... so they do all this work to break the AES, only to find that Twofish stands in their way now. And then again after Twofish they run into Serpent, which is the biggest beast of them all (even though it is less used / tested than AES, it still has a much higher security margin than AES).

If you do use Keyfiles, I'd recommend having TrueCrypt create 3 keyfiles for you. Create one keyfile for each hash algorithm they provide. You might also add some .jpg's and some .mp3 files as well. I would make sure to make each keyfile read-only however.

This is probably overkill though.

Charles Hepburn II

Posted 2010-11-06T11:41:12.430

Reputation: 621

2 You say use 20-30 chars, but isn't that overkill? Even 10 lowercase chars would be 26^10 = 141,167,095,653,376 combinations (4 million years at one check per second). More than good enough surely? – Dan W – 2012-11-02T19:54:19.777

12 @Dan W: At one check per second, surely. However, though hashing methods vary a lot in performance, consumer grade hardware comes a lot closer to testing billions of passwords per second. Your ten character lowercase password would be cracked in a matter of hours. – Marcks Thomas – 2012-12-06T19:15:59.527

7 Your rationale for the cascade order doesn't make any sense. An attacker will have to break through each layer (each one using an independent key), regardless of whether AES is first or last. – jjlin – 2013-09-21T17:18:03.200


The cascaded ciphers (AES-Twofish-Serpent, etc.) should be the most secure. Your data is encrypted with one algorithm, then the output from that is encrypted with the second algorithm, whose output is encrypted with the third algorithm. According to the TrueCrypt documentation, each algorithm uses a different key, each derived from your passphrase.

If a vulnerability is found in one (or two) of these ciphers, your data should still be secure, as an attacker would still not be able to break the remaining ciphers.

Chris Acheson

Posted 2010-11-06T11:41:12.430

Reputation: 1 089

8 I would like to add that if only one cipher is to be chosen, Serpent is likely to be the most secure, but is significantly slower than AES (note that the government's selection of the Advanced Encryption Standard involved performance, not just security). – bwDraco – 2011-07-13T22:22:17.603
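The layering this answer describes, as an added example that is not part of the original post and is not TrueCrypt's code: three independent keys are split out of one PBKDF2 output and a block is passed through three layers in turn. The layers are HMAC-based Feistel stand-ins for AES, Twofish and Serpent, and the passphrase, salt and iteration count are constructed values.

```python
import hashlib
import hmac

# Stand-in layers (assumption): HMAC-based Feistel ciphers, not AES/Twofish/Serpent.
LAYERS = ("sha256", "sha512", "sha3_256")

def derive_keys(passphrase, salt, iterations=1000):
    """One PBKDF2 call; the 96-byte output is split into three 32-byte keys."""
    km = hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations, dklen=96)
    return [km[i:i + 32] for i in (0, 32, 64)]

def _f(alg, key, rnd, half):
    """Feistel round function: truncated HMAC over round number and half-block."""
    return hmac.new(key, bytes([rnd]) + half, alg).digest()[:16]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def layer_encrypt(alg, key, block):
    left, right = block[:16], block[16:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(alg, key, rnd, right))
    return left + right

def layer_decrypt(alg, key, block):
    left, right = block[:16], block[16:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(alg, key, rnd, left)), left
    return left + right

def cascade_encrypt(keys, block):
    for alg, key in zip(LAYERS, keys):          # output of one layer feeds the next
        block = layer_encrypt(alg, key, block)
    return block

def cascade_decrypt(keys, block):
    for alg, key in reversed(list(zip(LAYERS, keys))):
        block = layer_decrypt(alg, key, block)
    return block

def demo():
    keys = derive_keys(b"constructed passphrase", b"constructed-salt")
    plain = b"constructed 32-byte sample block"
    cipher = cascade_encrypt(keys, plain)
    # Two layers "broken" (keys known), third key unknown: still no plaintext.
    partial = cascade_decrypt([keys[0], keys[1], bytes(32)], cipher)
    return keys, plain, cipher, cascade_decrypt(keys, cipher), partial

if __name__ == "__main__":
    keys, plain, cipher, full, partial = demo()
    print(full == plain, partial == plain)
```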


Rijndael won the AES competition primarily because it's the fastest and easiest to implement in hardware, not because it's the most "secure." Twofish and Serpent are usually considered more secure, but since they are all extremely rock-solid, that's a very subjective claim. And of course, encrypting with multiple algorithms will be even more "secure," but will reduce the speed even further.

Again, they're all rock-solid, so my advice would be to just go with whichever is fastest on your machine (usually AES).

BlueRaja - Danny Pflughoeft

Posted 2010-11-06T11:41:12.430

Reputation: 7 183


Either AES-Twofish-Serpent or Serpent-Twofish-AES. But regular AES is sufficient.


Posted 2010-11-06T11:41:12.430

Reputation: 151


I've read that chaining algorithms together may result in weaker security due to the algorithm used to follow one with the other.

Further, the efficiency and speed will take a large hit if you used one of the combined ciphers.

I would recommend either Rijndael (AES) or Serpent and if you want it to be secure: the most crucial element is the key so make a very long key with at least one of each set of upper and lower case, number and symbol characters.


Posted 2010-11-06T11:41:12.430

Reputation: 111


Although there are some dangers in cascading multiple ciphers together, TrueCrypt appears to deal with them as best it can. It doesn't add any known plaintexts to the output of the first cipher and it uses independent keys for each, so by chaining the different algorithms together it should increase the security.

I would steer clear of 3DES though. Having read the TrueCrypt page listing the choices of algorithm, it doesn't even list triple DES, so they may have recently removed it.


Posted 2010-11-06T11:41:12.430

Reputation: 1 217

A major liability of 3DES would be that it is painfully slow compared to more modern ciphers, while at best offering similar security. (3DES can get you to 112 bits of security due to meet in the middle attacks, whereas AES-128 currently gets you pretty close to 128 bits of security at much better throughput.) Plus, DES' use of 64-bit blocks is a liability due to the limited diffusion possible with smaller blocks. – a CVn – 2016-03-31T09:59:11.460


For those interested in a more in-depth discussion of the "dangers" in cascading multiple ciphers, check this topic: http://crypto.stackexchange.com/questions/6486/is-truecrypts-multiple-cascading-encryption-safe

– Tiago – 2013-10-10T04:01:24.613


In 2001 the National Institute of Standards and Technology (NIST) launched the Advanced Encryption Standard (AES) and shortlisted five candidates (through multiple candidate conferences) with opposing algorithms to represent the standard. The Serpent cipher was one of them, garnering high security kudos, but eventually becoming a runner-up to the Rijndael cipher. While this took place a few years ago, it provides a fascinating glimpse into electronic data encryption and the trade-offs between performance and security. Interestingly, performance won!

In comparison with the other five candidates, Serpent cipher had the highest safety factor 3.56, which was quite good considering the fact that the next best one was Twofish cipher with a safety factor of 2.67. Rijndael-256 had a safety factor of 1.56.




Posted 2010-11-06T11:41:12.430

Reputation: 302


You can conceivably use a shorter password if you are using keyfiles, and if you are not worried about performance hits, using AES Twofish and Serpent will cause much headache to those trying to get into the encrypted material. But also don't overlook that you can also take one encrypted file and place it on the inside of a larger encrypted file. In this way, you can "allow" your attackers to look at the outside container and let them think they have the entire container. When in fact, they don't have anything at all. Feel free to put something slightly shady in the outside file, but nothing that would actually cause you problems. I think a slew of pornographic photos would fit this bill nicely, here is something that someone would want to hide, and as such, you have a nice reason. The outside container does not reveal that the inside container even exists. Place your actual material inside the inner container. Even better is to make the outside container "weak" with an insufficient password, and no keyfile. Let your attackers think they broke your encryption, and shrug your shoulders and say, "Damn, you are good, you have me dead to rights."

Gene Abshire

Posted 2010-11-06T11:41:12.430

Reputation: 1


Best public cryptanalysis for each, assuming 256 bit variants (higher time complexity is better, but all kinds of caveats):

  • Rijndael: 2^254.4 time complexity (ignoring related key attacks that wouldn't be at issue here)
  • Serpent: 12 rounds of 32, 2^228.8 time complexity (but requires 2^118 known plaintexts)
  • Twofish: 6 rounds of 16 (but requires 2^51 chosen plaintexts)
  • 3DES: 2^118 (with 2^32 known plaintexts; note, 3DES uses 168 bit, so brute force is 2^168 instead of 2^256)

Undoubtedly, 3DES is the least secure, but that doesn't necessarily make it insecure (barring the usual unpublished backdoor concern). However I would avoid it. All of the other algorithms are generally considered secure. Determining the presence of an intentionally placed backdoor in any of them likely requires Snowden to release more documents. And honestly, if any of the top 3 did have a backdoor, that would be an absolute bombshell revelation. Given his track record, I'm personally happy to assume that they're still secure.

Bob Aman

Posted 2010-11-06T11:41:12.430

Reputation: 152

3DES with three independent keys (168 bits of key material) is vulnerable to a meet-in-the-middle attack which means that the effective security is that of a 112-bit key. https://en.wikipedia.org/wiki/Triple_DES#Security

– a CVn – 2016-03-31T10:00:22.803
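Why three-key 3DES is rated at 112 bits rather than 168, as an added example that is not part of the original thread: a meet-in-the-middle search against double encryption with a constructed toy cipher (16-bit block, 12-bit keys). Meeting in the middle costs about 2 × 2^12 cipher calls instead of 2^24; with three keys, one side of the meet must still sweep two keys, which for DES's 56-bit keys gives 2^112.

```python
import hashlib
from functools import lru_cache

KEY_BITS = 12          # toy key size so every sweep finishes instantly
MASK = 0xFFFF          # toy 16-bit block

@lru_cache(maxsize=None)
def round_keys(key):
    """Constructed key schedule: four 16-bit round keys from SHA-256(key)."""
    d = hashlib.sha256(key.to_bytes(2, "big")).digest()
    return tuple(int.from_bytes(d[2 * i:2 * i + 2], "big") for i in range(4))

def enc(key, block):
    for rk in round_keys(key):
        block = (block + rk) & MASK
        block = ((block << 5) | (block >> 11)) & MASK   # rotate left by 5
        block ^= rk
    return block

def dec(key, block):
    for rk in reversed(round_keys(key)):
        block ^= rk
        block = ((block >> 5) | (block << 11)) & MASK   # rotate right by 5
        block = (block - rk) & MASK
    return block

def double_enc(k1, k2, block):
    return enc(k2, enc(k1, block))

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, cipher calls) from known (plain, cipher) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    ops, table, found = 0, {}, []
    for k1 in range(1 << KEY_BITS):          # forward half: E_k1(P)
        table.setdefault(enc(k1, p0), []).append(k1)
        ops += 1
    for k2 in range(1 << KEY_BITS):          # backward half: D_k2(C)
        ops += 1
        for k1 in table.get(dec(k2, c0), ()):
            ok = True
            for p, c in rest:                # extra pairs discard chance matches
                ops += 2
                if double_enc(k1, k2, p) != c:
                    ok = False
                    break
            if ok:
                found.append((k1, k2))
    return found, ops

def demo():
    k1, k2 = 0x5A3, 0xC17                    # constructed sample keys
    pairs = [(p, double_enc(k1, k2, p)) for p in (0x0001, 0x1234, 0xBEEF)]
    found, ops = meet_in_the_middle(pairs)
    return (k1, k2), found, ops

if __name__ == "__main__":
    print(demo())
```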


Since there are no known attacks against AES that make brute-forcing feasible (ref: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Known_attacks), unless you expect 3-letter agencies to devote their entire computing power for the next millennium to cracking your drive, AES is the way to go. The last version of TrueCrypt as well as its forks support AES-NI, which on my Core i7 3770 provides a throughput of over 2.5 GB/sec.

Your connection to the IP address advertised by this domain uses AES encryption on most browsers (although CloudFlare holds the key seen by your browser, and decrypts and re-encrypts your data before sending it to the StackExchange servers, so don't use your TrueCrypt/VeraCrypt/CipherShed password for your StackExchange password because if said 3 letter agencies were to crack your drive, they'd intercept your password at the CloudFlare proxy and try that first long before attempting the never-going-to-work brute force).


Posted 2010-11-06T11:41:12.430

Reputation: 37



Rijndael (Currently THE AES) is the best algorithm.

From https://crypto.stackexchange.com/questions/24307/why-is-aes-unbreakable:

First, it's not said that AES is unbreakable, merely that none of the currently known attacks reduce the computational cost to a point where it's feasible. The current best attack on AES-128 takes 2^126.1 operations, if we had a computer (or cluster) several million times more efficient than any current computer and could operate at the thermodynamic Landauer limit, it would take 234 petajoules just to increment a counter through every key value. That's about half of the annual electricity consumption of Norway. Actually computing an AES round takes several times that much energy.


From Wikipedia:

Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but it was not selected for standardization. Twofish is related to the earlier block cipher Blowfish.

Twofish's distinctive features are the use of pre-computed key-dependent S-boxes, and a relatively complex key schedule. One half of an n-bit key is used as the actual encryption key and the other half of the n-bit key is used to modify the encryption algorithm (key-dependent S-boxes). Twofish borrows some elements from other designs; for example, the pseudo-Hadamard transform (PHT) from the SAFER family of ciphers. Twofish has a Feistel structure like DES. Twofish also employs a Maximum Distance Separable matrix.

On most software platforms Twofish was slightly slower than Rijndael (the chosen algorithm for Advanced Encryption Standard) for 128-bit keys, but it is somewhat faster for 256-bit keys.


From Wikipedia:

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen.

Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192 or 256 bits.[2] The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel, using 32 bit slices. This maximizes parallelism, but also allows use of the extensive cryptanalysis work performed on DES.

Serpent took a conservative approach to security, opting for a large security margin: the designers deemed 16 rounds to be sufficient against known types of attack, but specified 32 rounds as insurance against future discoveries in cryptanalysis. The official NIST report on AES competition classified Serpent as having a high security margin along with MARS and Twofish, in contrast to the adequate security margin of RC6 and Rijndael (currently AES). In final voting, Serpent had the least number of negative votes among the finalists, but scored second place overall because Rijndael had substantially more positive votes, the deciding factor being that Rijndael allowed for a far more efficient software implementation.

SHA is a lot better than MDA, Whirlpool, etc. But they found a way to break SHA. Then came SHA-2 (HMAC). Again they found a way to break it. Then came SHA-3 (Kakee or something like this). But SHA-3 does not exist in TrueCrypt, VeraCrypt, CipherShed or TrueCryptNext.

Source: Any place in my memory ;-)



Posted 2010-11-06T11:41:12.430

Reputation: 1


I recommend that you use the Whirlpool hash with these algorithms as it is the strongest.

For encryption algorithms, you should use a cascade. I recommend AES, Twofish, Serpent. AES is quite weak (compared to other algorithms but is the fastest) and is the industry standard therefore will be effective as an outer layer. Twofish is even stronger and after decrypting the AES layer, there will be another layer (Twofish) which is even stronger. Serpent is the strongest and this cascade proves effective.

Some extra info: For passwords, the NSA has a quantum computer that can decrypt very quickly. I would not trust the NSA (they designed AES). I would recommend a minimum of 40 letters, lowercase and uppercase, numbers, symbols and no dictionary words or personal information (birth dates etc.) and you could use keyfiles. If you are at risk from an adversary, use the plausible deniability features built into TrueCrypt.


Posted 2010-11-06T11:41:12.430

Reputation: 7

NSA did not design AES. AES was designed by a pair of Belgian cryptographers under the name Rijndael, reviewed (and heavily pounded on) by cryptographers worldwide during the NIST AES competition, and standardized by NIST as AES after it won the competition based on a set of very publicly known criteria. If you are going to engage in tin-foil hattery, please at least get your facts right. Additionally, AES has nothing whatsoever to do with passwords. – a CVn – 2016-03-31T11:18:50.117

As for plausible deniability, there is a compelling argument why that won't work in practice in the Linux cryptsetup FAQ, section 5.18 "What about Plausible Deniability?" which also touches on it in section 5.2 "Is LUKS insecure? Everybody can see I have encrypted data!". In a sense, it's a variation of https://xkcd.com/538/ (yay, a legitimate use for a xkcd link).

– a CVn – 2016-03-31T11:24:13.540

There are no known Quantum Computing attacks on AES. Quantum Computers are not faster than our binary computers. They are only different. – Mark Lopez – 2014-03-04T22:13:06.487


After a quick search I'd say AES 256 bits.

I would avoid Triple AES and Triple blowfish. Running the same algorithm multiple times may result in less security than using the original algorithm one time.



Posted 2010-11-06T11:41:12.430

Reputation: 596

1 Seems believable as speculation, but Triple DES is certainly enhanced by the multiple passes. (Unless the designer of the underlying implementation makes a blunder and does "EK2(DK1(EK1(plaintext)))" as Simon Singh did in his cypher challenge :P) – RJFalconer – 2010-11-06T18:19:38.557


1) Your source is a joke. A random forum post. 2) There is no reason to believe that triple encryption with different keys will weaken the encryption. – CodesInChaos – 2011-07-23T13:13:58.137