Slashdot Mirror


Despite Project's Demise, Amazon Web Services Continues To Use TrueCrypt

An anonymous reader writes with an article at InfoWorld that points out that TrueCrypt may have melted down as a project, but hasn't disappeared altogether: Importing and exporting data from Amazon Simple Storage Service still requires TrueCrypt, two weeks after the encryption software was discontinued ... Amazon.com did not immediately respond to an inquiry seeking information on whether it plans to support other data encryption technologies for the AWS import/export feature aside from TrueCrypt in the future. Infrastructure can be complex to upgrade; how long is reasonable?

5 of 75 comments

  1. If it ain't broke? by Anonymous Coward · Score: 5, Insightful

    Why not use it until you HAVE to find an alternative? I mean, the audit of 7.1a is not even done yet.

    software != fruit

  2. AWS Email by darkain · Score: 5, Informative

    13 hours ago, Amazon / AWS sent out the following email:

    Dear Amazon S3 Customer,

    Amazon S3 now supports server side encryption with customer-provided keys (SSE-C), a new encryption option for Amazon S3. When using SSE-C, Amazon S3 encrypts your objects with the custom encryption keys that you provide. Since Amazon S3 performs the encryption for you, you get the benefits of using your encryption keys without the cost of writing or executing your own encryption code.

    Until now, in order to use your own encryption keys, you needed to encrypt your data client-side prior to uploading them to Amazon S3. With SSE-C, you now have the option to securely store your data using keys that you manage, without having to build client-side encryption infrastructure.

    To use SSE-C, simply include your custom encryption key in your upload request, and Amazon S3 encrypts the object using that key and securely stores the encrypted data at rest. Similarly, to retrieve an encrypted object, provide your custom encryption key, and Amazon S3 decrypts the object as part of the retrieval. Amazon S3 doesn't store your encryption key anywhere; the key is immediately discarded after S3 completes your requests.

    You can learn how to use SSE-C today by visiting "Using SSE with Customer-provided Keys" in the Amazon S3 Developer Guide.

    Sincerely,
    The Amazon S3 Team

    1. Re:AWS Email by Em+Adespoton · Score: 5, Interesting

      With truecrypt images, you give them your public key and have authorized their private key to decrypt. With this situation, you send them cleartext data and a private key; they encrypt your private key against theirs, and then encrypt your data against your private key.

      So with the first setup, you've got a chain of reputation, segmentation of authority, and only encrypted data going over the wire. In the second setup, you've got no chain of reputation, only a partial segmentation of authority, credentials in memory on the public system, and cleartext on the wire.

      So this isn't about the data being decrypted as much as it is about the security of the data in transit, and the security of the credentials used to secure the data.

      Think of it this way: in both cases, in order to publish data the publisher needs access to the private key. In one case, that private key is held in private by the author. In the other case, it is held on a public system, and is accessible by anyone able to scrape memory or by anyone with access to the AWS corporate key.
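The SSE-C mechanism described in the AWS email above (the customer sends the key in the request, S3 encrypts or decrypts with it and then discards it) is driven entirely by three request headers. The following is an added example, not code from the AWS announcement or from any commenter: it builds those headers for a PUT or GET from a raw 256-bit key, and reproduces the checks S3 performs on them (algorithm name, key length, and the MD5 integrity value that lets S3 reject a key corrupted in transit). The header names are the documented S3 ones; the key is generated locally and the functions `sse_c_headers` and `check_sse_c_headers` are names chosen for this illustration.

```python
import base64
import hashlib
import os

# Documented S3 header names for server-side encryption with customer keys.
ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"
KEY_HEADER = "x-amz-server-side-encryption-customer-key"
KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"


def sse_c_headers(key: bytes) -> dict:
    """Build the SSE-C headers to send on a PUT (encrypt) or GET (decrypt).

    S3 requires a 256-bit AES key. The MD5 header is not a secret; it is an
    integrity check so S3 can detect a key that was mangled in transit and
    refuse to encrypt with it. The same three headers, with the identical
    key, must accompany the later GET or S3 cannot decrypt the object.
    These headers carry key material, so they must only ever be sent over
    HTTPS (S3 rejects SSE-C requests made over plain HTTP).
    """
    if len(key) != 32:
        raise ValueError("SSE-C requires a 32-byte (256-bit) key")
    return {
        ALGO_HEADER: "AES256",
        KEY_HEADER: base64.b64encode(key).decode("ascii"),
        KEY_MD5_HEADER: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def check_sse_c_headers(headers: dict) -> bytes:
    """Reproduce the server-side sanity checks and return the raw key.

    Raises ValueError for a missing header, an unsupported algorithm, a key
    of the wrong length, or an MD5 value that does not match the key.
    """
    for name in (ALGO_HEADER, KEY_HEADER, KEY_MD5_HEADER):
        if name not in headers:
            raise ValueError(f"missing header {name}")
    if headers[ALGO_HEADER] != "AES256":
        raise ValueError("unsupported SSE-C algorithm")
    key = base64.b64decode(headers[KEY_HEADER], validate=True)
    if len(key) != 32:
        raise ValueError("decoded key must be 32 bytes")
    presented_md5 = base64.b64decode(headers[KEY_MD5_HEADER], validate=True)
    if presented_md5 != hashlib.md5(key).digest():
        raise ValueError("key MD5 does not match the key")
    return key


def same_key_for_get(put_headers: dict, get_headers: dict) -> bool:
    """True only if the GET presents exactly the key used at PUT time.

    S3 keeps no copy of the key, so a GET with any other key (even one
    byte different) fails; this models that contract locally.
    """
    return check_sse_c_headers(put_headers) == check_sse_c_headers(get_headers)


if __name__ == "__main__":
    # Constructed sample: a fresh random key, as a client would generate and
    # keep in its own key store.
    key = os.urandom(32)
    headers = sse_c_headers(key)
    assert check_sse_c_headers(headers) == key
    other = sse_c_headers(os.urandom(32))
    assert not same_key_for_get(headers, other)
    print({k: v[:12] + "..." for k, v in headers.items()})
```

The practical consequence is the one the thread is circling: with SSE-C the key crosses the wire on every request and is held in S3's memory for the duration of that request, whereas with a client-side container (TrueCrypt or otherwise) S3 only ever sees ciphertext. Which trade-off is acceptable depends on whether the threat model includes the storage provider itself.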

  3. More NSA sponsored anti-Truecrypt FUD by Anonymous Coward · Score: 5, Interesting

    Truecrypt has been the No. 1 target for the NSA and GCHQ for the longest time now. Truecrypt implements encryption in the ONLY way that makes sense: known state-of-the-art mathematical algorithms used against the simplest file system driver emulation, allowing encrypted data to simply exist in monolithic data blocks. No different from RAM disk and zip-folder technologies, with an encryption front-end. A NIGHTMARE for the full surveillance programs of the NSA/GCHQ.

    Remember, Truecrypt is of no consequence for TARGETED victims of the security apparatus. If you are a true, named, subject of State surveillance, covert cameras, keyloggers, and other simple, cheap hardware solutions will be used to disable your attempts at encryption in the first place. The 'problem' with Truecrypt is that as its use spreads, large amounts of online data go 'DARK' for the security apparatus. The use of Truecrypt is like refusing to connect the NSA designed Kinect2 spy platform to your Xbox One console.

    But, you argue, even so the numbers of Truecrypt users were never going to be THAT significant? Well, while this is kind of true, the reaction to Snowden's revelations was an ever-growing general concern about the visibility of private data. Sheeple were rightly learning to absolutely distrust all solutions from corporations, and pressure was growing to create more publicly friendly equivalents to systems like Truecrypt. To consider a parallel, take Ad-Block. Large numbers of people ONLY began using Ad-Block because the online ad business, even on the largest web sites, adopted the most abusive, anti-user practices imaginable. Of late, the most mainstream sites have all been responsible for using browser exploits to deliver illegal trojan code packages to unsuspecting users. And when people complain, these disgusting companies all say "don't blame us, blame the ad-serving services we use".

    The consequence of the 'Wild West' of online ads is more people want to block the whole damned industry (and rightfully so). And the same now applies to encryption. More and more people want to fight back against the obscenity of the FULL SURVEILLANCE society. And the NSA wants these people to fight with 'weapons' the NSA has already ensured are useless.

    It does NOT matter that Truecrypt 'could' have minor, unusual 'vulnerabilities'. All software falls into that category. What matters is that Truecrypt protected files are the greatest pain-in-the-ass for the NSA. Do not let Slashdot's NSA sponsored content tell you otherwise.

  4. Re:And the problem is? by BitZtream · Score: 4, Interesting

    If you're using AWS, your data is unencrypted on their end ANYWAY. Or at least, they have to hold the decryption keys in a way that lets them decrypt it, so it's irrelevant to encrypt it unless you just enjoy wasting CPU cycles.

    The truecrypt container is only useful when transferring data between your end and the Amazon servers if you're not using an encrypted channel to start with for the transfer.

    Considering the situation with truecrypt, ... well, there's nothing really useful to discuss since the only thing known is they stopped maintaining it in an OMGDRAMA sort of way.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager