Slashdot Mirror


TrueCrypt Alternatives Step Up Post-Cryptanalysis

msm1267 writes: What's next for TrueCrypt now that a two-phase audit of the code and its cryptography uncovered a few critical vulnerabilities, but no backdoors? Two alternative open source encryption projects forked TrueCrypt once its developers decided to abandon the project in early 2014, giving rise to VeraCrypt and CipherShed — and both are ready to accelerate growth, compatibility and functionality now that the TrueCrypt code has been given a relatively clean bill of health.

6 of 83 comments

  1. good job by slashmydots · · Score: 5, Insightful

    So the NSA or whatever succeeded in turning one software program into two. Good job, guys. They're probably foreign-managed too so the US gov can't touch them.

  2. So what are people using anyway? by Resol · · Score: 3, Insightful

    I've been using TrueCrypt for a long while (in fact still do), but I'm interested in what others use and their justification for its use? (e.g. why?) I'm certainly not expert enough to audit any code myself, so I eventually have to just trust something.

    1. Re:So what are people using anyway? by mlts · · Score: 3, Insightful

      I like having all of the above:

      All disks encrypted, which is mainly so the meth-head who breaks in and grabs the hardware doesn't have access to the data. Hardware can be claimed on insurance. Data opens up blackmail, extortion, and many other avenues.

      Encrypted VMs as a way to isolate programs from each other, where I can keep my Quicken/QuickBooks in a VM, move it between computers when needed. Backup? Burn the .vmdk or the .vhdx to a BD-R disk.

      File based encrypted volumes as a way of stashing client projects, as well as stashing document backups by date before burning to CD.

      Of course, it would be nice to have encrypted archives as well, when one doesn't need to hide the length of the files. PGP Zip covers this, but it would be nice to have a higher level of compression like xz, bzip2, or LZMA, as well as the ability to add an ECC record (similar to WinRAR), so if an archive is damaged, it has a chance of being able to be completely repaired.

  3. Re:Better question than "what's next" by gurps_npc · · Score: 3, Insightful

    Because they did NOT get to the original devs - they tried and FAILED. The devs refused to bow down to their orders and shut down the project.

    Getting to the auditors is harder than getting to the devs, because anyone can be the auditor.

    The thing about a free society is the fact that we find out about the tyranny. That makes paranoid fools think there is more tyranny going on. But the truth is that real tyranny hides.

    In North Korea, they would not have shut down the devs, the devs would have put the back door in and kept their mouth shut.

    Here in the free world, the devs say no and shut it down, because we have more freedom than they do.

    --
    excitingthingstodo.blogspot.com

  4. Re:They can hire a lawyer ... by youngatheart · · Score: 5, Insightful

    Yeah, they could if they wanted to, and if they had the money to get the ball rolling, but.... I'm not convinced they want to keep it from being forked. I got the feeling that TrueCrypt was basically a labor of love where the creators wanted to keep control of it and avoid exposing themselves to getting strong-armed into building in back doors.

    If you could ask them and get an honest answer, I suspect they'd tell you that government agencies figured out who they were. I think those agencies came to them and told them that they had no choice but to compromise the security "for the sake of the children." I think that's when they decided it was best to just exit rather than fight. I think that if they were given a choice between compromising their work intentionally and seeing other people take over, they'd support other people taking over even if they couldn't publicly endorse the efforts.

    That's all conjecture of course, but as a long time fan of their work and someone who listened to many analyses of their exit from the stage, I'm moderately confident in my guesses.

  5. Re:Licensing? by WuphonsReach · · Score: 3, Insightful

    Just because you can get away with something doesn't make it moral and/or legal and/or a good business decision.

    --
    Wolde you bothe eate your cake, and have your cake?