Moving from TrueCrypt to BitLocker
This message is a summary of what I had found out six weeks or so after transitioning from TrueCrypt to BitLocker, which I did back in June shortly after the publication of the discontinuation notice. I just reviewed it and have nothing to change here in November.
I've been using TrueCrypt pervasively on all three systems I have and almost a couple dozen system, data, external backup, and thumb drives, so moving to BitLocker was not something I took lightly. While I was not overly concerned that TrueCrypt had suddenly turned into a pumpkin and become unsafe to use, its detrimental effects on VSS, TRIM, drive letters, and so forth had been bugging me for a long time, and the discontinuation notice was the final motivation I needed to look at an alternative. I have both Windows 7 Ultimate and Windows 8 Pro licenses, so I was good to go for BitLocker, which I had never used before now.
Here are the advantages I've found to using BitLocker:
1. VSS and TRIM work on all drives, not just the ones in the scope of system encryption, and I don't need to mount fixed data drives as removable devices to avoid errors when using vssadmin.
2. I don't have to fool around with hiding drive letters for the RAW volumes to avoid getting the "Do you want to format" prompts when I plug in external drives. It is hiding the drive letters that has the side effect of removing the drive letters and labels from "Safely Remove", which I describe more in (3).
3. Removable drives are displayed with their drive letters and volume names in the "Safely Remove" menu, and I can just eject them, instead of having to dismount them first in TrueCrypt. Showing the letters/labels is a nice feature when using multiple drives, as I do with a dual dock having independent power buttons, and it's something I've been wanting for a long time, because with TrueCrypt, I would get two indistinguishable AS2105 items in that menu with two drives in my dual dock, which made ejecting just one of the drives a useless 50/50 proposition.
4. I don't have to create a TrueCrypt Recovery CD every time I encrypt a system volume, and in Windows 8, I can encrypt just the used space. (I know there is an obscure way around creating the Recovery CD, but it should have been straightforward when using the main UI for the program.)
5. For SSDs, BitLocker appears to issue TRIM commands when encrypting entire system drives, whereas with TC, I would have to do a manual TRIM after encrypting a system drive to observe zeroed sectors when viewing outside of Windows. For Crucial SSDs, I would have to run "sdelete -z" as Crucial doesn't provide an "optimizer" utility like Intel and Samsung do. For SSD data drives, of course, there is no remedy as TrueCrypt doesn't support TRIM on data drives, or more generally, volumes outside the scope of system encryption. (NB: Even System Favorites mounted at boot-time that are not on the system drive are outside the scope, so all "data drives" are outside the scope.)
6. SSDs (didn't test HDs) benchmark better, way better for certain operations like 4K random reads. I can't say I've noticed any difference in performance though.
Of course, TrueCrypt offers features BitLocker lacks, such as portability, read-only mounting, and plausible deniability, and if these things are important to you, they would be a reason to continue using TrueCrypt.
After using TrueCrypt pervasively for several years on system, data, and removable drives, I find BitLocker to be more than a worthy replacement. In Windows 8, BitLocker supports passworded system drives, so you don't need to use a USB key to boot the system, which was my main gripe with Windows 7. I think TrueCrypt is almost certainly safe to continue using, but I would definitely recommend BitLocker over it unless you require features unique to TrueCrypt. BitLocker is just as seamless and can auto-unlock fixed and removable drives just as well as TrueCrypt could with its "System" and normal "Favorites". The manage-bde program is available in Windows 8 WinRE environments, so one can unlock encrypted drives in, say, a WinRE environment. OTOH, Linux CDs like Parted Magic are left out in the cold. BTW, it's easy to add all kinds of stuff to Terabyte's Image for Windows tbwinre environment, things like WinHex, XYplorer, diagnostic tools, etc., and after doing this, I don't really miss Parted Magic.
If you still have a Windows 7 system you must continue using, you can encrypt data drives in Windows 8 and save a lot of time for large drives by using its "used space only" option; drives encrypted by Windows 8 work fine in a Windows 7 system. You will give up the Elephant diffuser, as Microsoft removed it from Windows 8 without explanation. My understanding is that the diffuser only protects AES-CBC against targeted attacks, where someone would have to modify your system and get you to log onto it afterwards, as with Evil Maid, in which case I don't care. I'm just worried about simple theft of my stuff. Also, the default for Windows 7 and 8 is 128-bit AES, but you can change a system policy to get 256-bit. Last I read, Schneier recommends sticking with the default, as 256-bit (and 192-bit) keys are subject to an attack that doesn't apply to 128-bit.
https://www.schneier.com/blog/archives/ ... n_a_1.html
In that post, he reiterated his advice from 2009 despite a new attack that makes all AES bit lengths very slightly easier to break.
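As an added check (not from the original post), the script below reports the cipher strength each BitLocker volume actually uses and compares it with the "Choose drive encryption method and cipher strength" policy mentioned above. It assumes the BitLocker PowerShell module (Windows 8 or later), an elevated session, and the FVE policy registry key and value names as published in the BitLocker ADMX templates; the value-to-cipher mapping is reproduced from that documentation.

```powershell
# Added example: audit BitLocker cipher strength against the FVE policy.
# Not part of the original post. Requires the BitLocker module and admin rights.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# DWORD meanings from the BitLocker ADMX templates:
#   EncryptionMethod (Windows 7 policy):           1-4 as below
#   EncryptionMethodNoDiffuser (Windows 8 policy): 3 = AES 128, 4 = AES 256
$methodNames = @{
    1 = 'AES 128 with Diffuser'
    2 = 'AES 256 with Diffuser'
    3 = 'AES 128'
    4 = 'AES 256'
}

function Get-BitLockerPolicyMethod {
    # Returns the configured cipher for new volumes, or the 128-bit default.
    foreach ($name in 'EncryptionMethodNoDiffuser', 'EncryptionMethod') {
        $v = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $v) {
            $label = if ($methodNames.ContainsKey([int]$v)) { $methodNames[[int]$v] } else { "unknown ($v)" }
            return "$label (policy value $name)"
        }
    }
    return 'not configured (128-bit AES default applies)'
}

function Get-BitLockerCipherReport {
    # One row per volume: where it is mounted, its state, and the cipher in use.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            EncryptionMethod = $_.EncryptionMethod
            Is256Bit         = ([string]$_.EncryptionMethod) -match '256'
        }
    }
}

Write-Host "Policy cipher for newly encrypted volumes: $(Get-BitLockerPolicyMethod)"
Get-BitLockerCipherReport | Format-Table -AutoSize
```

The policy only governs volumes encrypted after it is set; a volume already encrypted with 128-bit AES keeps that cipher until it is decrypted and re-encrypted, which is why the report shows the per-volume value separately.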