Truecrypt alternatives?

User discussion and information resource forum for Image products.
tbifan39
Posts: 45
Joined: Fri Sep 16, 2011 5:08 pm

Truecrypt alternatives?

Post by tbifan39 »

I don't know if this has already been discussed. I use Truecrypt to encrypt my Windows 8.1 system partition (my BIOS does not support UEFI). I have been using IFL to back up & restore my drive. It works perfectly. I love that it includes TC so that I can mount the partition and backup/restore only used space.

Now that TC is no longer being developed, I have found there are several alternatives... VeraCrypt and DiskCryptor. There are also plans for a program called CipherShed. Has anyone tried these programs? If so, are they reliable and secure? What about using imaging software?

Are there any plans to add these alternatives to IFW/IFL/IFD like Truecrypt?
crawfish
Posts: 52
Joined: Mon Jun 24, 2013 9:49 pm

Re: Truecrypt alternatives?

Post by crawfish »

I moved to BitLocker and never looked back. It is superior to TrueCrypt in several important ways WRT usage in Windows. While you will give up IFL and will have to do live imaging of system partitions with IFW, it does work fine using VSS. That's the short version. I have a couple of tl;dr summaries I wrote a few weeks after moving from TrueCrypt to BitLocker shortly after the discontinuation notice was published. The first is specific to imaging; the second contains more general observations. Apparently formatting is disabled, so I will post them as separate replies.
crawfish
Posts: 52
Joined: Mon Jun 24, 2013 9:49 pm

Re: Truecrypt alternatives?

Post by crawfish »

BitLocker and Imaging with Terabyte Products

As a former TrueCrypt user, here's what I've found over the last few weeks concerning BitLocker and Image for Windows for a Windows 8.1 x64 system without a TPM, using a UEFI BIOS configured for the legacy mode.

1. System images made while Windows is running are saved unencrypted. There is no way to encrypt on the fly while restoring, so the image is restored unencrypted. The restored system boots and re-encrypts fine, but auto-unlock is turned off for internal data drives previously configured for that. While they unlock just fine, attempting to turn auto-unlock back on returns an error. Do not despair, because nothing is wrong with the data drives, and the problem can easily be fixed, and auto-unlock restored, by following the simple procedure presented here:

http://www.mcbsys.com/techblog/2010/08/ ... e-restore/

If rebooting doesn't work, power down the machine. I've verified this works with several image and restore operations on a couple of machines, all non-UEFI and lacking a TPM.

2. Non-system volumes can be imaged unencrypted and encrypted on the fly when restored, so you won't need to re-encrypt after the restore as you do with system images. So far, this is much like TrueCrypt, except for the stupid auto-unlock issue.

3. The manage-bde program is available in the tbwinre environment and can be used to unlock encrypted volumes. However, I was unable to use manage-bde in tbwinre to unlock the system drive and image it unencrypted, the idea being to image it unencrypted outside a live Windows system like I had been doing with Image for Linux and TrueCrypt. IFW in WinRE apparently does not see the system partition as unencrypted, even though I can list its files from the command line. This means doing system images inside a running Windows system to take advantage of compression and pagefile/hibernation file omission, but VSS has been working all right for me, and I'm mostly over my fear of it.

4. The drive letters are kind of wacky in WinRE. For example, the "System Reserved" is C:, and my real system partition is H:, while in the booted system, "System Reserved" has no drive letter, and the system partition is C:. This has no effect on restoring system images, and it's got nothing to do with BitLocker, but I found it notable.

So, imaging is still very much viable when using BitLocker, though I have no idea if UEFI and a TPM have any effect on what I've described. BitLocker has a number of advantages over TrueCrypt, including (1) VSS and TRIM working on all volumes, not just those in the scope of system encryption, i.e. those that are on the same drive as the system partition, (2) not having to hide drive letters for RAW volumes to avoid "Do you want to format" and thus losing drive letters and labels in the "Safely Remove" menu, which is nice when you have a dual dock with independent power buttons, and (3) being able to encrypt just the used area of a system drive and not having to create a Recovery CD.
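A small audit of the state item 1 above describes after restoring a system image (system volume not yet re-encrypted, auto-unlock off on data drives), added here as an example and not part of crawfish's post or any Terabyte tool. It parses text laid out like `manage-bde -status` output; the sample and its field labels are constructed assumptions, so check them against the output on your own machine.

```python
import re

# Constructed sample; field labels assumed from English `manage-bde -status`.
SAMPLE = """\
Volume C: [System]
[OS Volume]

    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 41.3%
    Protection Status:    Protection Off

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Automatic Unlock:     Disabled
"""

def parse_status(text):
    """Return {drive: {field: value}} from manage-bde -status style text."""
    volumes, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Volume ([A-Z]:)", line)
        if head:
            current = volumes.setdefault(head.group(1), {"Type": ""})
        elif current is not None and re.match(r"\[.+ Volume\]", line):
            current["Type"] = line.strip("[] ")
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return volumes

def post_restore_findings(volumes):
    """List the conditions the post describes after restoring a system image."""
    findings = []
    for drive, v in sorted(volumes.items()):
        if v.get("Conversion Status") != "Fully Encrypted":
            findings.append((drive, "not fully encrypted: " + v.get("Percentage Encrypted", "?")))
        if v.get("Protection Status") != "Protection On":
            findings.append((drive, "protection is off"))
        if v["Type"] == "Data Volume" and v.get("Automatic Unlock") == "Disabled":
            findings.append((drive, "auto-unlock disabled"))
    return findings

if __name__ == "__main__":
    for drive, msg in post_restore_findings(parse_status(SAMPLE)):
        print(drive, msg)
```

An empty findings list means every listed volume is fully encrypted with protection on and no data volume has auto-unlock disabled.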
crawfish
Posts: 52
Joined: Mon Jun 24, 2013 9:49 pm

Re: Truecrypt alternatives?

Post by crawfish »

Moving from TrueCrypt to BitLocker

This message is a summary of what I had found out six weeks or so after transitioning from TrueCrypt to BitLocker, which I did back in June shortly after the publication of the discontinuation notice. I just reviewed it and have nothing to change here in November.

I've been using TrueCrypt pervasively on all three systems I have and almost a couple dozen system, data, external backup, and thumb drives, so moving to BitLocker was not something I took lightly. While I was not overly concerned that TrueCrypt had suddenly turned into a pumpkin and become unsafe to use, its detrimental effects on VSS, TRIM, drive letters, and so forth had been bugging me for a long time, and the discontinuation notice was the final motivation I needed to look at an alternative. I have both Windows 7 Ultimate and Windows 8 Pro licenses, so I was good to go for BitLocker, which I had never used before now.

Here are the advantages I've found to using BitLocker:

1. VSS and TRIM work on all drives, not just the ones in the scope of system encryption, and I don't need to mount fixed data drives as removable devices to avoid errors when using vssadmin.

2. I don't have to fool around with hiding drive letters for the RAW volumes to avoid getting the "Do you want to format" prompts when I plug in external drives. It is hiding the drive letters that has the side effect of removing the drive letters and labels from "Safely Remove", which I describe more in (3).

3. Removable drives are displayed with their drive letters and volume names in the "Safely Remove" menu, and I can just eject them, instead of having to dismount them first in TrueCrypt. Showing the letters/labels is a nice feature when using multiple drives, as I do with a dual dock having independent power buttons, and it's something I've been wanting for a long time, because with TrueCrypt, I would get two indistinguishable AS2105 items in that menu with two drives in my dual dock, which made ejecting just one of the drives a useless 50/50 proposition.

4. I don't have to create a TrueCrypt Recovery CD every time I encrypt a system volume, and in Windows 8, I can encrypt just the used space. (I know there is an obscure way around creating the Recovery CD, but it should have been straightforward when using the main UI for the program.)

5. For SSDs, BitLocker appears to issue TRIM commands when encrypting entire system drives, whereas with TC, I would have to do a manual TRIM after encrypting a system drive to observe zeroed sectors when viewing outside of Windows. For Crucial SSDs, I would have to run "sdelete -z" as Crucial doesn't provide an "optimizer" utility like Intel and Samsung do. For SSD data drives, of course, there is no remedy as TrueCrypt doesn't support TRIM on data drives, or more generally, volumes outside the scope of system encryption. (NB: Even System Favorites mounted at boot-time that are not on the system drive are outside the scope, so all "data drives" are outside the scope.)

6. SSDs (didn't test HDs) benchmark better, way better for certain operations like 4K random reads. I can't say I've noticed any difference in performance though.

Of course, TrueCrypt offers features BitLocker lacks, such as portability, read-only mounting, and plausible deniability, and if these things are important to you, they would be reason to continue using TrueCrypt.

After using TrueCrypt pervasively for several years on system, data, and removable drives, I find BitLocker to be more than a worthy replacement. In Windows 8, BitLocker supports passworded system drives, so you don't need to use a USB key to boot the system, which was my main gripe with Windows 7. I think TrueCrypt is almost certainly safe to continue using, but I would definitely recommend BitLocker over it unless you require features unique to TrueCrypt. BitLocker is just as seamless and can auto-unlock fixed and removable drives just as well as TrueCrypt could with its "System" and normal "Favorites". The manage-bde program is available in Windows 8 WinRE environments, so one can unlock encrypted drives in, say, a WinRE environment. OTOH, Linux CDs like PartEd Magic are left out in the cold. BTW, it's easy to add all kinds of stuff to Terabyte's Image for Windows tbwinre environment, things like WinHex, XYplorer, diagnostic tools, etc, and after doing this, I don't really miss PartEd Magic.

If you still have a Windows 7 system you must continue using, you can encrypt data drives in Windows 8 and save a lot of time for large drives by using its "used space only" option; drives encrypted by Windows 8 work fine in a Windows 7 system. You will give up the Elephant diffuser, as Microsoft removed it from Windows 8 without explanation. My understanding is that the diffuser only protects AES-CBC against targeted attacks, where someone would have to modify your system and get you to log onto it afterwards, as with Evil Maid, in which case, I don't care. I'm just worried about simple theft of my stuff. Also, the default for Windows 7 and 8 is 128-bit AES, but you can change a system policy to get 256 bit. Last I read, Schneier recommends sticking with the default, as 256 (and 192) bit are subject to an attack that doesn't apply to 128 bit.

https://www.schneier.com/blog/archives/ ... n_a_1.html

In that post, he reiterated his advice from 2009 despite a new attack that makes all AES bit lengths very slightly easier to break.
tbifan39
Posts: 45
Joined: Fri Sep 16, 2011 5:08 pm

Re: Truecrypt alternatives?

Post by tbifan39 »

Thanks for the info. I am really only encrypting my system partition, since it is a laptop. I have TC Containers on an external drive. I figure I can always use TC for those containers, even if I decide to switch to something else for my system partition. I am not planning on doing anything yet, since TC works just fine on my system and it continues to be part of IFL... please DON'T remove it, TBU.

I will revisit when I get a new system or I upgrade to Windows 10, if TC does not work. Hopefully, one of the other projects will take off and TBU could include it in IFL in the future. I also could just go without encryption altogether, but I do need to continue using containers. I could also just do a RAW backup of all sectors, but what a pain that will be.