Hacker News
by markant 37 days ago
"Security professionals generally recommend avoiding reliance on any single encryption system and instead evaluating well-reviewed full-disk encryption alternatives such as VeraCrypt".

If they put a backdoor into FDE it would make more sense to advise people to stop using Windows at all and use Linux instead. If they put a backdoor in FDE you can be sure there is not just one backdoor in the operating system itself. You shouldn't trust proprietary software at all. You shouldn't even trust open source if it isn't properly audited.


I don't use Microsoft products generally, but not even with your computer would I run VeraCrypt.
Curious to see this take from you! I followed TrueCrypt for years, but always thought it was very strange that they were anonymous, and then the mysterious shutdown happened, and I have no idea what to make of VeraCrypt. It's been in my "possibly good, but too many weird flags around the whole project" bucket.

Anything in particular that makes you wary? I'm aware of the 2016 and 2020 audits (https://ostif.org/the-veracrypt-audit-results/ is the 2016 one, I believe), but those seemed to suggest things were getting better over time. Curious what other signals to look for.

This crypto solution got its driver licence pulled, AFAIK; they can't update their program anymore / get new drivers loaded properly.
> not even with your computer would I run VeraCrypt

This has got to be the most surprising encryption-related comment I've ever read from you. Please tell us what you're thinking about VeraCrypt. What would you say about TrueCrypt v7.1a, the last known good release?

I would also love to hear specific opinions about VeraCrypt because I need to get some Windows users to encrypt some of their seldom-used sensitive files, like HR for example.

They can't use age or any other "right answer" tools. I'm talking about people who don't know their own username, people who don't know that their Windows password is the one they use to log into Windows. "Is that for my email?" Just getting them to use a password manager is like arm wrestling an alligator. If VeraCrypt isn't the best option for them, then what is?

What’s the use case for encrypting the files?

Generally I’d say this is what Sharepoint or Box or a more workflow-specific platform is for. You generally don’t want sensitive data living on individual people’s workstations in an enterprise context, you want it somewhere that you can enforce security settings.

Ever since the TrueCrypt fiasco years ago, I have no trust in that brand.
Fiasco? You mean where they voluntarily shut down rather than compromise themselves? Or are you referring to another matter?
Presumably when the authors of TrueCrypt declared “Using TrueCrypt is not secure”.

If I trust them to provide my FDE software, I certainly trust them when they say I shouldn’t use it.

My interpretation was that the authors received a National Security Letter and chose to shut down development rather than let their software get backdoored. IIRC the shutdown announcement cited the discontinuation of Windows XP as why the software got discontinued (when it was cross-platform and supported newer versions of Windows) and included a step-by-step guide for how to migrate to BitLocker (a red flag for anyone remotely cynical).

An independent audit of the last version of TrueCrypt was published about a year after the discontinuation. It did not find any significant security issues or backdoors.

This. I have no trust in TrueCrypt or its derivatives. If TrueCrypt was compromised then it stands that VeraCrypt is as well.
How so? VeraCrypt was independently audited, even by the German BSI [1], and no serious problems were found. [1] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publicat...
One of the greatest cyber security mysteries of our time. Regardless of what actually happened, I hope the author is okay. (The story implied to me that the author was forced to post that, or was disappeared and the website was changed by someone else)
Is there a brand you do have trust in? I’ve kind of thrown my hands up, considered that my attack surface is a dude stealing my laptop and not the State Department wanting my 4chan history, and just use the encryption tools provided by Apple and Microsoft.
[citation needed]
Ok. You got me. I would run VeraCrypt on your computer. The one exception.
How would one cite a personal belief?
For example pointing to the research confirming that Veracrypt is not secure somehow (if such belief has any justification in facts).
Then say that.

Sorry, I just hate how overused that meme is as it's rarely helpful and doesn't add to the conversation.

I would say being skeptical and calling out FUD is more helpful than being silent and letting people believe them.
Presumably by explaining what led to said belief.

I wouldn't have used the citation needed meme here personally, but I think it's clear the poster is just asking why it should not be trusted.

What? Why?
They don't know why because there isn't a good reason to distrust them.
Nothing against VeraCrypt, but isn't it also a single encryption system?
Or use something like VeraCrypt, which is open source.
Don't be so sure. VeraCrypt is a fork of TrueCrypt, which was famously shuttered after security rumours started spreading - all the way to NSA interventions aimed at the developers. One rumour even said they intentionally shut it down to prevent a possible backdoor compromise. Popular encryption tools for public use will always be priority targets for three-letter agencies. And there's more than enough legal leeway here to compromise anyone and anything. If it is popular enough for you to see it mentioned outside of dedicated nerd forums, you can bet these agencies already target it.
In my humble opinion US TLAs don't need to touch VeraCrypt at all. They are already in Windows, so key material exfiltration is probably child's play for them.
Veracrypt is in part so popular because it has excellent multi-platform support.