How can I protect my passwords and personal data without TrueCrypt?

http://www.theguardian.com/technology/askjack/2015/apr/09/protect-passwords-personal-data-without-truecrypt


What can you recommend instead of TrueCrypt, which I use for encrypting passwords and personal data? I use the File Container approach, which is all I need and is easy to use. I haven’t encrypted a complete hard drive.

Microsoft offers BitLocker but that’s only available with the Enterprise and Ultimate versions of Windows 7, and it looks as though I need a Trusted Platform Module (TPM) chip, which my old motherboards don’t have. Chris

TrueCrypt was the most popular encryption program for Windows PCs but, as you know, it closed down last year under very odd circumstances. The unknown developers decided to quit, and changed their home page to say: “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.” The page then explained how to switch to Microsoft’s BitLocker.

This came just after Edward Snowden’s revelations, so there was a lot of speculation about backdoors, US government pressure, and so on. Even today, nobody outside TrueCrypt knows what happened.

However, the TrueCrypt code has now been audited by the independent NCC Group, using crowdsourced funds. On 2 April, Matthew Green, research professor at Johns Hopkins University, reported that “based on this audit, TrueCrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.”

The audit identified some glitches, but the Windows code is sound. There doesn’t appear to be an urgent need for anyone to stop using TrueCrypt. If you were starting from scratch, I wouldn’t recommend it, but I think you can continue to use it until you find a good replacement.

Some other developers are continuing TrueCrypt’s development under different names. VeraCrypt is one example. I’m not sure this is allowed by TrueCrypt’s license, but the original programmers would probably have to reveal their identities to bring a lawsuit.

At the moment, VeraCrypt has some momentum, but we don’t know which of the forks will find widespread support. When one does, be ready to switch.

On the other hand, you don’t seem to be using any of the functions that made TrueCrypt popular, so you could easily switch now.

Why TrueCrypt?

TrueCrypt’s main appeal was that its encrypted “virtual drives” (container files) were cross-platform, and could be used with Microsoft Windows, Mac OS X and Linux. This made it handy for dispersed groups of developers with different hardware.

TrueCrypt also let you create a container file on a USB thumbdrive and plug it into a Windows PC, Mac or Linux box. Off-hand, I can’t think of another free way of doing this, though for Windows 7/8 users, Rohos Mini Drive will create a hidden encrypted partition on a thumbdrive.

Another important feature was TrueCrypt’s ability to create “hidden volumes”. For example, you could have some fairly valuable data in a container while hiding much more valuable data. If government agents forced you to hand over your password, they would get the fairly valuable data but not all of it. (For this idea to work, you have to give up something worth encrypting, not cat videos.)

TrueCrypt could also encrypt whole hard drives. This feature can be replaced by Microsoft’s BitLocker in Windows and Apple’s FileVault in Mac OS X, plus Cryptsetup in Linux, perhaps. (Cryptsetup sets up a LUKS, or Linux Unified Key Setup, partition.)

However, Windows 8 and Windows 10 preview users should not use TrueCrypt, VeraCrypt and similar products to encrypt their whole hard drive. It could interfere with the UEFI Secure Boot system, leaving these PCs unable to start.

If you were using all TrueCrypt’s features, then replacing it might be a challenge. But you’re only using it to protect a few files in Windows. There are dozens of ways to do this, including AxCrypt, CipherShed, PGP (Pretty Good Privacy) via GNU Privacy Guard (GnuPG has a more accessible graphical interface), and your old archiving program.

Archive files

Back in the 1980s, most people started to use file compression programs like PKZIP, which made files smaller and thus saved disk space. They also allowed several different files to be combined into a single download. The zipped files were, in effect, encrypted, and if you added a password, then it would be hard for someone else to read them.

Zip files were relatively easy to crack, but eventually, some archiving programs introduced strong encryption systems. For example, WinRAR added 128-bit AES encryption while the open source 7-Zip used 256-bit AES encryption. Both are theoretically impervious to brute-force attacks, and reasonably secure from targeted attacks. (There’s an academic paper, On the security of the WinRAR encryption feature, but unfortunately it’s at Springer and I don’t fancy paying £29.95 to read it.)

Archive programs such as WinZip, 7-Zip and WinRAR are not as secure as dedicated encryption programs, but many more people use them to protect files. First, almost everybody already uses at least one archive program to unzip file downloads. Second, they’re much easier to use than dedicated encryption programs. Third, if you choose a strong password, they are good enough for most purposes.
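To check which of those two levels of zip protection an archiver actually produced, here is an added Python example (not code from the column or from 7-Zip, WinRAR or WinZip) that classifies each entry of a .zip file as unencrypted, legacy ZipCrypto or AES-128/192/256 from its central-directory metadata; the sample archive it builds is constructed test data with placeholder payloads rather than real ciphertext.

```python
import io
import struct
import zipfile

# An entry's protection is recorded in the central directory: general-purpose flag
# bit 0 marks it encrypted; compression method 99 plus a 0x9901 (WinZip "AE-x")
# extra field marks AES, strength byte 1/2/3 = AES-128/192/256; otherwise ZipCrypto.
AES_EXTRA_ID = 0x9901
AES_METHOD = 99
AES_BITS = {1: 128, 2: 192, 3: 256}


def describe_entry(info: zipfile.ZipInfo) -> str:
    """Return 'none', 'zipcrypto' (weak, legacy) or 'aes-<bits>' for one entry."""
    if not info.flag_bits & 0x1:
        return "none"
    extra = info.extra
    while len(extra) >= 4:                       # walk the extra-field list
        field_id, size = struct.unpack("<HH", extra[:4])
        if field_id == AES_EXTRA_ID and size >= 7 and info.compress_type == AES_METHOD:
            strength = extra[8]                  # after vendor version (2) and vendor id "AE" (2)
            return f"aes-{AES_BITS.get(strength, 'unknown')}"
        extra = extra[4 + size:]
    return "zipcrypto"


def classify_zip_entries(archive) -> dict:
    """Map each file name in a .zip (path, bytes or file-like object) to its protection."""
    if isinstance(archive, bytes):
        archive = io.BytesIO(archive)
    with zipfile.ZipFile(archive) as zf:
        return {i.filename: describe_entry(i) for i in zf.infolist()}


def build_sample_zip() -> bytes:
    """Hand-assemble a three-entry archive as constructed test data: the headers are
    real ZIP structures, but the payloads are placeholder bytes, not ciphertext."""
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)   # AE-2, AES-256, deflate
    entries = [("readme.txt", 0x0, 0, b"", b"nothing secret here"),
               ("passwords-legacy.txt", 0x1, 8, b"", bytes(24)),          # ZipCrypto: bit 0 only
               ("passwords-aes.txt", 0x1, AES_METHOD, aes_extra, bytes(40))]
    body = central = b""
    for name, flags, method, extra, data in entries:
        nb, offset = name.encode(), len(body)
        fixed = struct.pack("<HHHHHIII", 20, flags, method, 0, 0, 0, len(data), len(data))
        body += b"PK\x03\x04" + fixed + struct.pack("<HH", len(nb), len(extra)) + nb + extra + data
        central += (b"PK\x01\x02" + struct.pack("<H", 20) + fixed
                    + struct.pack("<HHHHHII", len(nb), len(extra), 0, 0, 0, 0, offset) + nb + extra)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 3, 3, len(central), len(body), 0)
    return body + central + eocd
```

Run `classify_zip_entries("archive.zip")` on an archive your own program produced: entries reported as `zipcrypto` are the weak legacy scheme, and only `aes-256` matches what 7-Zip advertises.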

But protecting files is harder than it sounds, for reasons that few users will think about. For example, Windows may keep earlier copies of files in its Volume Shadow Copy Service. These will be hidden but can be restored. Word processors can save documents in the background to prevent you from losing your work, but these “scratch files” are not always deleted. Windows also saves things in its own giant scratchpads, pagefile.sys and hiberfil.sys, from which experts can retrieve data.

Even if you encrypt a document and delete it, some or all of the information can often be recovered using an “undelete” utility. Real security requires that the “empty” space is overwritten several times.

Password managers

So, rather than encrypting files of passwords and personal data, it may be better to use a password manager such as KeePass, Password Safe, RoboForm or LastPass.

RoboForm may be the best option as it stores your data online, and fills in forms as well as remembering passwords. It works on all the major browsers on PCs and on mobile devices (including Windows Phone, BlackBerry, Palm and Symbian). It can also encrypt and store short notes for PINs, credit card numbers etc. You just have to remember one master password. The main drawback is that the free version probably won’t handle all your passwords, but it’s reasonably priced at $19.95 a year ($9.95 for the first year).

LastPass is the closest free alternative to RoboForm, and is also very good. Otherwise, KeePass and Password Safe are the best options if you want something that works as a standalone program, rather than as a web service.

Have you got a question? Email it to Ask.Jack@theguardian.com