Author Topic: Now that TrueCrypt went all scorched-earth on us...

Offline MP-Ryan

  • Makes General Discussion Make Sense.
  • Global Moderator
  • 210
  • Keyboard > Pen > Sword
Now that TrueCrypt went all scorched-earth on us...
...has anyone else found an encryption solution capable of doing file containers like TC for the Windows environment?  My security solution is built around that functionality, and if I can't find an alternative I'm going to have to re-jig things on a per-file/directory basis.

I'll likely keep using 7.1a for now, but it's a little upsetting that a project many people have relied on for a bloody decade just went *pooof*
"In the beginning, the Universe was created.  This made a lot of people very angry and has widely been regarded as a bad move."  [Douglas Adams]

Offline Bobboau

  • Just a MODern kinda guy
    Just MODerately cool
    And MODest too
  • 213
Re: Now that TrueCrypt went all scorched-earth on us...
Did something happen since their shutdown, or is that what you are referring to as "scorched-earth"?
Bobboau, bringing you products that work... in theory
learn to use PCS
creator of the ProXimus Procedural Texture and Effect Generator
My latest build of PCS2, get it while it's hot!
PCS 2.0.3


DEUTERONOMY 22:11
Thou shalt not wear a garment of diverse sorts, [as] of woollen and linen together

Offline Ghostavo

  • 210
  • Let it be glue!
Re: Now that TrueCrypt went all scorched-earth on us...
http://truecrypt.sourceforge.net/

According to them, BitLocker seems to be your best bet.
"Closing the Box" - a campaign in the making :nervous:

Shrike is a dirty dirty admin, he's the destroyer of souls... oh god, let it be glue...

Offline Kopachris

  • 28
  • send penguins
Re: Now that TrueCrypt went all scorched-earth on us...
Might not be necessary.  Best bet is probably to stick with 7.1 until the audit is complete and keep strict limits on who has access to your encrypted data.  As the source code for that version is still available, and will always be for the foreseeable future, TC 7.1 can continue to be used if the audit determines it's safe.  As audit results (including a legal analysis of the license) come in, the TCnext project will attempt to coordinate continued support and development for projects forked from TC 7.1, or if necessary due to license terms, a complete rewrite.  As TCnext is based in Switzerland, it should remain safe from interference by the US Government, which many suspect to be the cause of TrueCrypt's sudden death.
----
My Bandcamp | Discord: Kopachris | My GitHub

Offline MP-Ryan

Re: Now that TrueCrypt went all scorched-earth on us...
http://truecrypt.sourceforge.net/

According to them, BitLocker seems to be your best bet.

Ahahaha.  Yeah, read more about that.  It's among the fishier things about the shutdown.

Might not be necessary.  Best bet is probably to stick with 7.1 until the audit is complete and keep strict limits on who has access to your encrypted data.  As the source code for that version is still available, and will always be for the foreseeable future, TC 7.1 can continue to be used if the audit determines it's safe.  As audit results (including a legal analysis of the license) come in, the TCnext project will attempt to coordinate continued support and development for projects forked from TC 7.1, or if necessary due to license terms, a complete rewrite.  As TCnext is based in Switzerland, it should remain safe from interference by the US Government, which many suspect to be the cause of TrueCrypt's sudden death.

I've been following the developments too and this was my plan for now, just wondering if anyone has found another encryption solution that does more or less the same thing.

Offline Ghostavo

Re: Now that TrueCrypt went all scorched-earth on us...
http://truecrypt.sourceforge.net/

According to them, BitLocker seems to be your best bet.

Ahahaha.  Yeah, read more about that.  It's among the fishier things about the shutdown.

Could you elaborate?

Offline MP-Ryan

Re: Now that TrueCrypt went all scorched-earth on us...
http://truecrypt.sourceforge.net/

According to them, BitLocker seems to be your best bet.

Ahahaha.  Yeah, read more about that.  It's among the fishier things about the shutdown.

Could you elaborate?

BitLocker is produced by Microsoft (and as such probably contains intel/LE backdoors), and TrueCrypt's devs recommending a switch to BitLocker is something like Honda recommending you buy a Ford Pinto to replace your discontinued Honda Civic.

Offline Ghostavo

Re: Now that TrueCrypt went all scorched-earth on us...
http://truecrypt.sourceforge.net/

According to them, BitLocker seems to be your best bet.

Ahahaha.  Yeah, read more about that.  It's among the fishier things about the shutdown.

Could you elaborate?

BitLocker is produced by Microsoft (and as such probably contains intel/LE backdoors), and TrueCrypt's devs recommending a switch to BitLocker is something like Honda recommending you buy a Ford Pinto to replace your discontinued Honda Civic.

Let me get this straight, you are saying that Microsoft's (i.e. the same company that produces the OS you use) solution for encryption, which has no documented backdoor and the only actual concerns regarding it also exist in every single other encryption solution (e.g. cold boot attacks), is somehow less viable than TrueCrypt, whose own programmers seem to be saying it isn't safe...

If you are already using Windows, it seems pointless to distrust Microsoft on encryption solutions for their own operating system.

If they really wanted, they could easily make any encryption solution for their OS insecure without people easily realizing it.

Offline MP-Ryan

Re: Now that TrueCrypt went all scorched-earth on us...
Like I said, do some more reading about it in the crypto community.  Googling "what happened to TrueCrypt" will get you started.

Offline 666maslo666

  • 28
  • Artificial Neural Network
Re: Now that TrueCrypt went all scorched-earth on us...
The problem is that BitLocker is not open source, not that it is produced by MS.
"For once you have tasted flight you will walk the earth with your eyes turned skywards, for there you have been and there you will long to return." - Leonardo da Vinci

Arguing on the internet is like running in the Special Olympics. Even if you win you are still retarded.

Offline MP-Ryan

Re: Now that TrueCrypt went all scorched-earth on us...
The problem is that BitLocker is closed source, proprietary, produced by the same company that produces the OS, integrated into the OS, included in base Windows installs but only activated by certain license keys authorized for certain features, and that Microsoft is based in the United States and is completely opaque about its relationship with the US intelligence and LE communities.

Now... I don't particularly give a **** if law enforcement and Western intelligence agencies can peer into my encrypted files.  I DO have a problem with the inherent business practices surrounding BitLocker which make it knowingly unreliable due to the information gaps on its production and implementation.  IF it contains backdoors - which, given the history of MS, its integration with Windows itself, and the fact that we can't actually see the source, is reasonably likely - my concern is not the people who wanted them using them, it's anyone else who discovers and exploits that.  If there's anything that the recent NSA revelations show for the non-conspiracy crowd, it's that intel/LE is very good at getting undetectable backdoors in place, but they have no way of knowing who else has access to them.

The fishy part about all of this is that the developer of TrueCrypt, who's been doing this for a decade and taking in-depth precautions to ensure their anonymity, suddenly crippled and closed their project, and recommended the one commercial encryption package that is the complete opposite of TrueCrypt's principles as an alternative.  The entire crypto community looked at that announcement and collectively said "What the ****?!" because it makes *zero* sense.... and for other OSes they simply said "Google it"?!  Yeah, that's a credible approach to IT security.  The TC dev had his/their fingers into the crypto community - these recommendations don't reflect that.

Offline headdie

  • i don't use punctuation lol
  • 212
  • Lawful Neutral with a Chaotic outook
Re: Now that TrueCrypt went all scorched-earth on us...
Care to elaborate on these flaws? I am sure the corporate account I work on, whose client has US government contracts, would be very keen to be aware of them.

Also, why would MS work on security-fixing its OS and then not keep its drive encryption up to the same standard?

Seriously, I am getting a strong whiff of conspiracy theory here; while the lack of information does promote this, the creator has hindered this by remaining anon.
Minister of Interstellar Affairs Sol Union - Retired
quote General Battuta - "FRED is canon!"
Contact me at [email protected]
My Release Thread, Old Release Thread, Celestial Objects Thread, My rubbish attempts at art

Offline MP-Ryan

Re: Now that TrueCrypt went all scorched-earth on us...
Care to elaborate on these flaws? I am sure the corporate account I work on, whose client has US government contracts, would be very keen to be aware of them.

Also, why would MS work on security-fixing its OS and then not keep its drive encryption up to the same standard?

 :wtf: I...just...did?

Let's go over this.  Bitlocker:
1.  Is closed source and proprietary, not subject to any kind of independent verification of its security.
2.  Is produced by the same company that produces the OS and is integrated into it... meaning that its reliability is only as good as the OS it's running on, which also hampers independent testing of the encryption scheme itself.
3.  As a business matter, is included (e.g. the functionality is there) in all versions of Windows, yet it is only activated in the Enterprise and Ultimate editions (of 7, not sure about 8).  One would think a more secure encryption implementation that installs with an OS would be built into it and active in all versions, seeing as BitLocker has explicit Windows dependencies...
4.   and Microsoft are subject to US law.  Now, I'm not entirely sure how closely you fellows have been following the Snowden releases, but they have demonstrated quite admirably that US LE and intel institutions have strong-armed their way into most of the major US tech companies (if not all) located there to intentionally subvert their built-in security measures for intel/LE purposes.  Once again, I don't particularly care if the international intel / LE communities want to read my tax returns.  I care, however, if my encryption software contains unadvertised ways into it.  This is not tinfoil-hat conspiracy stuff here - the number of exploits the NSA alone had access to and used revealed by Snowden is staggering.  Is BitLocker itself compromised? Unknown at present. Maybe not.  Is there an intel/LE backdoor into systems running Windows, even with BitLocker active? Chances are very good.

All of this is not to say BitLocker is an objectively bad encryption package (nor is that what I've been saying; no tinfoil hats here).  All of this IS to say that TrueCrypt was everything BitLocker was not as far as anyone can tell.  Ergo, it's bloody fishy that a TrueCrypt dev would shut down the project and refer people to, of all things, BitLocker.  There are a number of other commercial and open-source alternatives that resemble TrueCrypt's philosophy much more than BitLocker's, so... what happened?  That's the issue at hand, not whether BitLocker is good, bad, ugly, whatever... just that it doesn't follow any of the same principles so why is it being recommended by a person who dedicated a decade to TC?
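Point 3 above turns on the difference between BitLocker being *present* in a Windows install and being *active* on a given machine. As an added example (not code from this thread, from Microsoft, or from the TrueCrypt project), here is a PowerShell check an administrator can run to see which edition a host reports and whether BitLocker is actually protecting each volume, so the "included vs. activated" question can be answered per machine rather than assumed. It assumes Windows 8 / Server 2012 or later, where the BitLocker PowerShell module and its `Get-BitLockerVolume` cmdlet exist, and an elevated prompt; on Windows 7 the equivalent information comes from `manage-bde -status`. The function name `Get-BitLockerInventory` is my own.

```powershell
# Added example: inventory the Windows edition and the BitLocker state of
# every volume the BitLocker module can see, then warn on unprotected ones.
# Assumes Windows 8 / Server 2012+ (BitLocker PowerShell module) and an
# elevated session; Get-BitLockerInventory is a hypothetical helper name.

function Get-BitLockerInventory {
    [CmdletBinding()]
    param()

    # Edition and build come from the OS class; this is what decides whether
    # BitLocker management is shipped on this install at all.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    Write-Verbose ("Edition: {0} (build {1})" -f $os.Caption, $os.BuildNumber)

    # If the cmdlet is absent, this edition/version does not expose BitLocker
    # management, which is the "included but not activated" case in the thread.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        Write-Warning ("BitLocker cmdlets are not available on {0}" -f $os.Caption)
        return
    }

    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType          # OperatingSystem / Data
            VolumeStatus     = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            ProtectionStatus = $_.ProtectionStatus    # On / Off
            EncryptionMethod = $_.EncryptionMethod    # e.g. Aes256, XtsAes128, None
            KeyProtectors    = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

$inventory = Get-BitLockerInventory -Verbose
$inventory | Format-Table -AutoSize

# A volume can be fully encrypted yet have protection suspended (ProtectionStatus
# Off), so check the protection state rather than only the encryption state.
$inventory | Where-Object { $_.ProtectionStatus -ne 'On' } | ForEach-Object {
    Write-Warning ("Volume {0} ({1}) is not currently protected by BitLocker" -f $_.MountPoint, $_.VolumeStatus)
}
```

The `KeyProtectors` column is worth reading alongside `ProtectionStatus`: an OS volume protected only by a TPM protector, with no PIN or startup key, unlocks automatically at boot, which is the configuration the cold-boot concern raised earlier in the thread applies to most directly.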

Offline headdie

Re: Now that TrueCrypt went all scorched-earth on us...
Care to elaborate on these flaws? I am sure the corporate account I work on, whose client has US government contracts, would be very keen to be aware of them.

Also, why would MS work on security-fixing its OS and then not keep its drive encryption up to the same standard?

 :wtf: I...just...did?

Let's go over this.  Bitlocker:
1.  Is closed source and proprietary, not subject to any kind of independent verification of its security.
Fair point, but what use is that if it isn't tested anyway? And while I know TrueCrypt is undergoing such testing, the fact is that it is still WIP, so it hasn't really done anyone much good, as now any detected flaws won't be fixed.

Quote
2.  Is produced by the same company that produces the OS and is integrated into it... meaning that its reliability is only as good as the OS its running on and which also hampers independent testing of the encryption scheme itself.
I fail to see how integration with the OS impedes security or the testing of the system, especially when the input interface precedes loading the bulk, if not all, of the OS.

Quote
3.  As a business matter, is included (e.g. the functionality is there) in all versions of Windows, yet it is only activated in the Enterprise and Ultimate editions (of 7, not sure about 8).  One would think a more secure encryption implementation that installs with an OS would be built into it and active in all versions, seeing as BitLocker has explicit Windows dependencies...
Fair play; screwy business practices strike again at those who can't or won't fork out for the mid- or top-tier product.

Quote
4.   and Microsoft are subject to US law.  Now, I'm not entirely sure how closely you fellows have been following the Snowden releases, but they have demonstrated quite admirably that US LE and intel institutions have strong-armed their way into most of the major US tech companies (if not all) located there to intentionally subvert their built-in security measures for intel/LE purposes.  Once again, I don't particularly care if the international intel / LE communities want to read my tax returns.  I care, however, if my encryption software contains unadvertised ways into it.  This is not tinfoil-hat conspiracy stuff here - the number of exploits the NSA alone had access to and used revealed by Snowden is staggering.  Is BitLocker itself compromised? Unknown at present. Maybe not.  Is there an intel/LE backdoor into systems running Windows, even with BitLocker active? Chances are very good.

Fair enough, and a valid concern. 

/Idle Speculation on

It would be interesting to see if the agencies use BitLocker, a "debugged" version, or a wholly proprietary system, and at what levels.

/Idle Speculation off

Quote
All of this is not to say BitLocker is an objectively bad encryption package (nor is that what I've been saying; no tinfoil hats here).  All of this IS to say that TrueCrypt was everything BitLocker was not as far as anyone can tell.  Ergo, it's bloody fishy that a TrueCrypt dev would shut down the project and refer people to, of all things, BitLocker.  There are a number of other commercial and open-source alternatives that resemble TrueCrypt's philosophy much more than BitLocker's, so... what happened?  That's the issue at hand, not whether BitLocker is good, bad, ugly, whatever... just that it doesn't follow any of the same principles so why is it being recommended by a person who dedicated a decade to TC?
It's also fishy to me that the dev(s) would remain anonymous, thus leaving themselves beyond reproach should anything go bad.

/anti-conspiracy hat on

As for recommending BitLocker as the go-to alternative... well, it's already there on many Windows PCs, and for those who don't have it available, a licence upgrade, while less than ideal financially, would also be the least-hassle way to protect yourself for the majority.  As for those who don't want to / can't pay, well, I'm guessing they're usually the ones smart enough to figure out an alternative by themselves.

/anti-conspiracy hat off
« Last Edit: June 19, 2014, 06:26:30 pm by headdie »

Offline MP-Ryan

Re: Now that TrueCrypt went all scorched-earth on us...
Well, for one TC has always been open-source... so while it is just being audited now, the source has always been available to be checked, which does add weight to the notion that it's been kept honest.  Compare to commercial encryption, where there is really nothing keeping them honest except their reputation.  In the case of some companies who sell encryption as a primary product that might mean something; for a corporation as large and diverse as Microsoft, a hole-riddled encryption package doesn't matter much.

As for the other, points 2 and 3 are related.  If *all* Windows variants had BitLocker encryption enabled, then I'd agree that it's actually pretty secure as a core feature, even if it has some holes cloaked by its closed-source proprietary nature.  BUT... Windows 7 and 8 have BitLocker built in as an optional module that can only be activated with a certain level of license key.  That doesn't sound like a terribly integrated form of encryption; it's dependent on the OS, yet the OS is not at all dependent on it, and it can be turned on (and the worrisome part is if it can be turned off) with nothing more than a license key upgrade.  That doesn't strike you as odd?  Other encryption schemes that run on Windows don't integrate with the OS itself, running either before it starts or as independent services.  BitLocker is a completely optional module with Windows OS dependencies.  Again, not that it's completely insecure, just that it's sufficiently different from TC that it's odd the dev would recommend it, as it is more vulnerable to tampering.

Quote
As for recommending BitLocker as the go-to alternative... well, it's already there on many Windows PCs, and for those who don't have it available, a licence upgrade, while less than ideal financially, would also be the least-hassle way to protect yourself for the majority.  As for those who don't want to / can't pay, well, I'm guessing they're usually the ones smart enough to figure out an alternative by themselves.

And that may be it... but it's still strange to crash-and-burn (or try to, anyway) your existing TC project which as far as anyone can tell is secure, and recommend a swap to another enc package instead, particularly one with the issues identified for BitLocker.