Found an open source encryption software package. I’m usually quite leery of “freeware”, but everything I’m reading so far seems to feel pretty good. This is the particular package: TrueCrypt.
Questions:
Are these types of software as bulletproof as they appear?
Are there pitfalls to using them? It seems that RAM is involved in opening/closing files on the fly. My laptop is maxed at 2 Gigs RAM. Is this software going to grind me to a halt? ( My main intention here is to isolate a few key files, such as personal finance data, passwords, etc. Not video photos or audio files. )
Am I correct in being leery of “freeware” or are these types of packages solid in reputation?
What should I look out for in terms of ease of use?
Can these packages fail, locking me out for good?
Many thanks for the input in advance. On the surface, this appears to be a superb solution to my concerns and it’s mighty timely. Less than 8 hours ago, I went paperless on all statements and bills in my life. Easy to do really, and while I look forward to NO file folders and no shredding, I did have real concerns regarding the storage of my monthly bills and statements. Isolating those folders within one area using software like this seems on the surface to be a great solution.
I can, of course, back up those files onto a USB thumb drive and encrypt them as well.
What am I missing here?
Just to be very clear here, I’ve no dog in this race as far as promoting the software linked above. Of the ones I’ve seen today, it seems to have the most in-depth tutorials and such. It feels the most professional.
I am an IT professional although not a security expert. TrueCrypt is for real from everything I have read although I haven’t found the need to use it personally. The general answer to your question is that you should really focus on the term Open Source and not freeware. It is both but they don’t mean the same thing. A teenager could write a freeware security package and give it out on the web but that doesn’t mean much. Open Source means peer reviewed and lots of people collaborate and work on the project. Linux, the very powerful operating system. is open source for example and used by large companies but it isn’t always true freeware.
What that means in terms of a security project is that white-hat hackers (the good guys) try to find flaws in the code and then fix them so that it is as secure as possible against people with equivalent skills that want to do harm. Over time, that works tends to work out well if the project is well organized. Good open source projects operate the same way that corporations do but they use talented people that want to devote their skills as a hobby.
That said, something like TrueCrypt wouldn’t be the only option. They try to protect against the highest levels of threats like government intrusion and there are other options out there. I would use it if I thought that I needed it but it seems like overkill for what I need now. The most important thing for me would be ease of use and the user interface. You have to judge that for yourself. There are less secure but sufficient ways to secure data depending on your needs.
Never trust any security software that isn’t open source. You shouldn’t necessarily trust all open source software, either, but if an open source program has been around for a while and has a good reputation (like TrueCrypt does), that’s about the best you can do.
I’m not a security expert, but I have a particular interest in security issues, and from what I can tell, from reading things from security folk, TrueCrypt is considered pretty much the gold standard. It’s “freeware”, yes, but more importantly, it’s open source. And I’m an open source skeptic – open source software usually just fucking sucks, because it’s being created by people who have no idea about how to create good, usable software – and it’s up to you to decide if TrueCrypt falls in that category. But it’s also been scrutinized by people much smarter than either of us, and they have decided that it passes muster as far as security is concerned. Which satisfies me.
TrueCrypt uses widely known, widely understood encryption methods, and any security software that doesn’t do that is worthless, because any encryption algorithm that hasn’t been tested in the real world is almost certainly worthless. The encryption algorithms included in TrueCrypt have actually been studied and tested by security experts. And it’s popular enough, and widely used enough, that it would be publicly known if it were implementing those algorithms in an inappropriate, insecure way. As far as is known, it’s not. You should feel safe using it. The weak point in your data security will be you, not your software. Which is what you should look for.
As for your specific questions:
The cryptographic security is well studied. They’re using encryption systems that are well-understood and really are, short of major new mathematical discoveries, secure. TrueCrypt is widely used, so specific vulnerabilities in the TrueCrypt software would likely have been discovered if there were important ones.
In my experience, I haven’t noticed a slowdown when I have mounted a TrueCrypt encrypted volume as a separate disk drive. I have the same amount of RAM as you, although I’m not using Windows. It’s pretty fast. It won’t ever be as fast as just getting files off your hard drive, but if you’re using it for ordinary purposes, I’m guessing you’ll find it meets your needs. Test it, before deleting your original files, to decide. It’ll probably be good enough.
I’m leery of freeware because generally software given away for free fucking sucks. I use Linux, not by choice, but by necessity, and I can tell you, for hours, how fucking much it sucks to use software that was not created with the profit motive in mind.
Nevertheless, it really does make sense to use free software/open source software for your security needs. A lot of people have looked at TrueCrypt. It’s really popular, on multiple platforms, and a lot of people use it. All those extra expert eyeballs are good for people like you and me who can’t really evaluate it on our own. The fact that it’s open source – that is, that anyone can check it out for security – is a point in its favor.
There are a lot of ways to use it, but the way I’ve used it is to mount a special encrypted file as a separate drive. Once you do that, you’ll be able to treat it just like it was your E: or F: or G: drive or whatever; you can open files off of it, save files onto it, and then when you’re done, close TrueCrypt and that drive just goes back to being what appears to be a pile of complete gibberish on your hard drive.
Yes, yes they can. That’s absolutely vital to it being an adequate security system. There is absolutely no way, as far as current mathematics has found, to discover the decryption key to any file encrypted with any current, relevant encryption key. If you lose your passphrase, you are fucked. Which, if you want real security, is exactly what you’re looking for.
If you’re worried about forgetting your passphrase, write it down and stick it in your wallet. As security expert Bruce Schneider has pointed out, everyone is used to guarding the security of paper in our wallets. Try to pick a passphrase you’ll remember. If there were a way to recover a forgotten passphrase, it would be available to malicious parties, governmental agencies, etc. – and encryption systems are designed not to be accessible to people like that.
So don’t forget your passphrase. Don’t feel bad about keeping a copy in your wallet, either. As long as it’s not protecting data that could incriminate you. Current court precedent in the United States, incidentally, holds that being forced to divulge one’s password to encrypted files constitutes self-incrimination. So if there’s anything criminal, don’t store your passphrase anywhere, and just remember it. They can’t make you share it. But if it’s just your credit card history, you might as well keep your passphrase on a sticky note in your wallet. It’s a big step up in security, and it helps guarantee that if someone steals your computer, they won’t get your most important info.
By the way, if you had asked this question at Mellophant, I would have given you this same thorough and thoughtful answer.
Chronos is dead on (I’m an IT security specialist). A good example would be AES (Advanced Encryption Standard, supported by TrueCrypt) - heavily peer-reviewed prior to adoption by NISThttp://www.nist.gov/index.html as a standard for US classified materials, and currently being used by the gents at WikiLeaks.org to cause a bit of fuss. Granted, it’s been alleged that the intel community dropped some backdoors in to make it more computationally feasible to decrypt but, unless you’re dealing with Dr. Evil, good luck.
TrueCrypt is simply an application that makes it quick and easy for a layman to implement various crypto algorithms. And it kicks ass.
The software is good, but most users are bad. For instance, these popular easy to use schemes default to keeping your private key on the same disk your encrypted files are. Your private key is encrypted with conventional encryption and thats only as strong as your passphrase. So if I acquire your laptop and your private key is sitting there encrypted with a weak password. Guess what? I crack it in hours, if it isn’t unusually strong, and then get into your encrypted stuff with its super-strong large-key with ease.
In other words - protect your private key! Use a crazy long password!
Secondly, a lot of these apps will do whole disk and map drives and have the option to save your password. Most people save it because its a pain to keep typing it in. Even if you don’t the laptop will remember it until the computer is shut down, so standby mode or hibernation doesn’t unmount the encrypted share. So if I aquire your laptop, all I need to do is press the on button and take your laptop out of hibernation/standby and get to your files. Windows password? No biggie, I can reset it by changing the registry if you even bothered to put one in.
I think to use this stuff you really need to sit down with 2 or 3 books on how encryption works and how to use it and think deeply about your possible attack scenarios before you can consider yourself protected.
That’s not the holding I remember in In re: Grand Jury Subpoena to Sebastien Boucher 2009 WL 424718 (D. Vt., Feb. 19, 2009), the federal court ruling concerning the man who crossed the border from Canada into the US with a laptop with an encrypted hard drive:
Cartooniverse, why do you need to encrypt your old credit card bills? Why do you even need to store them yourself instead of letting the bank do it? It could turn out to be a big headache if you ever forget your password, and if your storage hardware fails, you’ll likely lose EVERYTHING and data recovery would be all but impossible.
Nitpick: Open-sourced could mean peer-reviewed, but doesn’t have to. There are plenty of open-source projects with only one or two hobbyist maintainers. Only the big, popular projects could be considered peer-reviewed, but even peer-reviewed doesn’t necessarily mean safe… just potentially safer.
From what I’ve heard Truecrypt is a great tool, but is it the right tool for your job? Like Reply asks - why even keep the data on your machine at all? I’ve been 90% paperless for a few years now and never found a need to store statements or bills locally.
You mention you’re using a laptop for this. Do you do bill payments and banking while traveling or only at home? If you do it while traveling and you really need the documents stored locally then Truecrypt is the way to go. If you only do your sensitive work from home then store the documents on a USB drive and leave it at home when you travel. Encrypt it if you like, or even lock it in a safe.
I’m not Cartooniverse (obviously) but I know that my credit card-issuing bank only lets me access the bills only about three years back. So I download all of the credit card bills (along with bank statements and utility bills) to my computer.
They don’t take up much room (each bill is under fifty kilobytes) and I like to know that I have detailed records going back as far as possible. Actually, I used to keep paper bills for years and years.
I suppose if you get audited, you might want to be able to review records of expenses. Also, I remember a murder trial in Westchester County, New York, where the defendant presented a phone bill as evidence, but there was suspicion that the bill was forged. Because one of the prosecutors saved all of his phone bills, they were able to present his bill to show that hers didn’t match.
In going paperless, my statements are coming via email or attached PDF’s Similarly, receipts for payment are email based. All of that data- current, not old- is what I wish to protect.
Any problem running this on a Mac and using Time Machine to back up the entire HD? The goal is to have a small area with folders that are encrypted. The rest? Meh. You wanna see pictures of my kids? Of my honeymoon? Have at it. My concern is theft of passwords and financial data.
I recall some articles about this a few years ago:
Truecrypt itself is not crackable (yet) and no obvious liklihood that it will be, barring sudden mathematical breakthroughs in long primes.
As mentioned, the password conversion is also stored on the volume, so crappy passwords (“password”) will fall quickly. The article suggested schemes like a popular phrase you like (“I’llBeBack” or “YouTalkin’ToMe123”) that stick in your mind and make the password immune to simpler cracking processes like dictionary attacks.
Truecrypt itself did not leave evidence as temp files on disk, but whatever programs you do use on its contents - like Word or Excel - may do so.
As of the article, there was no signature to a Trucrypt file - it could be named anything, and the only proof it was Truecrypt was (a) you have the program installed and (b) it doesn’t seem to be properly organized as anything else (i.e. photo jpg or a dll).
There was a technology mentioned where a Truecrypt volume could be “double entry” - one password gave you acess to one set of files, another gave you access to a different set. Thus you could, if tortured, give up the password to the second volume with just credit card info on it instead of your plans to subvert world dictatorship.
All this was designed so people in 3rd-world dictatorships could use these tools to protect data from the prying eyes of the secret police… Of course, if the secret police install a key-logger, which they likely would, you’re toast anyway.
