Open-Source or FIPS-Validated Disk Encryption?
j_crane asks: "Our company is looking for disk encryption software that runs on Windows XP/2003 and Linux. There are hundreds of commercial disk encryption programs (most are Windows-only though). Some of them are FIPS-validated by the US NIST, but none of these are open-source. On the other hand, there is an excellent open-source on-the-fly disk encryption software, called TrueCrypt, for Windows and Linux (the program even provides plausible deniability), but it does not have a FIPS-validation. Which would you prefer -- open source or FIPS-validated -- and why?"
So I think that answers your question. But why? Because it's open source. I don't trust anything that isn't, and not everything that is... But it's highly used, which suggests that it's highly scrutinized.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
> What are you? A spy or something?
Naw, he's probably just a British subject or an American citizen.
Put a Truecrypt volume inside of a FIPS one.
- mboverload
OpenSSL is FIPS 140-2 validated:
http://csrc.nist.gov/cryptval/140-1/1401val2006.htm
Look for # 642
This was (is) the first case of open source software being validated, as opposed to a specific product.
It is important to note that FIPS 140-2 validation simply proves that the cryptographic algorithms (the math) have been implemented correctly; it does not necessarily mean that the system actually works as advertised.
Also, if you are a government type or contractor, make sure the vendor supplied product actually uses the version that received accreditation. Many times, that was an older version, but the marketing types keep (falsely) stating that the product is FIPS certified!!!
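To make the point in the previous comment concrete, here is an added example (mine, not code from any commenter, from OpenSSL, or from TrueCrypt). It runs the kind of known-answer self-test that a validation exercises, using published SHA-256 and HMAC-SHA256 test vectors, and then shows that a product can pass every such test and still derive volume keys badly: the primitive is correct, the system is not. The `derive_key_weak` and `derive_key` functions are hypothetical illustrations, not any real product's key schedule.

```python
import hashlib
import hmac
import os

# Known-answer vectors. These are the standard published values: the FIPS 180-2
# "abc" and empty-message SHA-256 vectors, and RFC 4231 test case 1 for HMAC-SHA256.
SHA256_KATS = [
    (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]
HMAC_SHA256_KATS = [
    (b"\x0b" * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def run_kats():
    """Compare the library's output against each known answer.

    Returns a list of (name, expected, got) tuples for every mismatch; an empty
    list means the algorithm implementations agree with the published vectors.
    """
    failures = []
    for msg, expected in SHA256_KATS:
        got = hashlib.sha256(msg).hexdigest()
        if got != expected:
            failures.append(("sha256", expected, got))
    for key, msg, expected in HMAC_SHA256_KATS:
        got = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if got != expected:
            failures.append(("hmac-sha256", expected, got))
    return failures


def self_test_passes():
    """The yes/no answer a module reports at power-up: did every KAT match?"""
    return run_kats() == []


# Hypothetical volume key derivations built on the same, correctly implemented hash.
# Both would sail through the KATs above; only one is fit for purpose.

def derive_key_weak(passphrase):
    """Unsalted single hash: every volume with this passphrase gets the same key,
    and an attacker can precompute keys for common passphrases once."""
    return hashlib.sha256(passphrase).digest()


def derive_key(passphrase, salt, iterations=100_000):
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256 from the standard library):
    per-volume keys differ and each guess costs the attacker `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)


def same_key_for_two_volumes(derive, passphrase):
    """Derive keys for two different volumes that share a passphrase and report
    whether they collide. Salts are constructed per volume with os.urandom."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    if derive is derive_key_weak:
        return derive(passphrase) == derive(passphrase)
    return derive(passphrase, salt_a) == derive(passphrase, salt_b)


if __name__ == "__main__":
    print("KAT self-test passes:", self_test_passes())
    print("weak scheme, two volumes share a key:",
          same_key_for_two_volumes(derive_key_weak, b"correct horse"))
    print("salted scheme, two volumes share a key:",
          same_key_for_two_volumes(derive_key, b"correct horse"))
```

The check a buyer actually wants is therefore two separate questions: does the shipped build use the validated module (the vendor's version string and the entry on the NIST list should agree), and does the product around that module use it sensibly. A passing self-test answers neither on its own.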