[y-satellite]

A lot of discussions of TrueCrypt replacements I've read today miss a major point, which is that users of the Windows version are now left with no reliable, up-to-date software with an equivalent feature set and security guarantees. I know we tend to be *nix-heavy here, but some of us used TrueCrypt because it was the best solution for Windows, not because it was cross-platform.

[dublinben]

TrueCrypt version 7.1a didn't suddenly stop working yesterday. It is still just as secure and easy to use as it ever was. Relying on TC into the future might not be wise, but there's no reason for users to immediately dump it.

[CWuestefeld]

This isn't necessarily true. If we take the TC message at face value, it seems like we should all move away from it ASAP.

[x1798DE]

If you take the TC message at face value, you should "just search for encrypt and use whatever pops up" on Linux, and use these settings for encryption on OS X: http://truecrypt.sourceforge.net/OSXNewImage.png

Needless to say, I think you can take their cryptic recommendations with a huge grain of salt.

[higherpurpose]

Don't forget to set encryption to "none" on Mac OS:

https://twitter.com/matthew_d_green/status/47199831543788339...

[Spooky23]

If you need full disk encryption, how is appropriately configured BitLocker any less reliable, or offering fewer "security guarantees" than TrueCrypt?

The knee jerk reaction here is "omg, prism, Microsoft!". But the reality is that you have no idea who the TrueCrypt people are and their level of trustworthiness --- for all you know they work for NSA or FSB!

If you are a windows user, use the manual and use BitLocker for FDE and EFS for folder and files.

[y-satellite]

The most obvious difference is that the TrueCrypt code has had at least the first stage of a formal security audit done, which uncovered no evidence of backdoors. With BitLocker being closed source and no public audits being done, you don't have the same guarantees. BitLocker may be perfectly secure, but I feel I'm justified in saying that its status is much more uncertain.

[acqq]

The most aspects of TC were never publicly audited. People were using it on blind faith only: betting that if somebody had cared to audit he'd publish his findings too.

You can have the same assumption for BitLocker.

[mapt]

Except Microsoft, for all their protest about backdoors from this project, have actually changed fundamental design aspects of their products, like Skype, Hotmail, Outlook.com, and SkyDrive, in order to enable wholesale spying while advertising 'encryption'.

You wouldn't trust the drunk driver who's crashed his last few vehicles to borrow your car. The intelligence agencies own Microsoft, as far as users are concerned, and when cryptosystems have to be crippled for their priorities, we can't expect them to hold up to other attacks.

[brute]

For TC we have this story: http://wroot.org/posts/daniel-dantas-hard-drive-encryption-w...

And for MS there is this story: http://www.geekwire.com/2013/report-microsoft-nsa/

This is of course no evidence for the (in)security of TC/Bitlocker, but I would call it indirect evidence, and certainly more than 'blind faith'.

[kaoD]

You can't audit BitLocker, its source is not available. That's a huge difference.

[acqq]

Microsoft has special licensing models where the sources for OS are available. Somebody looks at that, at least comparable to that how somebody was expected to detect the bug in OpenSSL, or to review TrueCrypt and nobody did until recently, because, well let somebody else care.

So as far as I understand, it is possible to audit Microsoft's crypto code too. I can imagine the audit of crypto code wouldn't find anything. The real problem is:

http://regmedia.co.uk/2014/05/16/0955_peter_gutmann.pdf

"Crypto won't save you either"

"Crypto Summary:

Number of attacks that broke the crypto: 0

Number of attacks that bypassed the crypto: All the rest

- No matter how strong the crypto was, or how large the keys were, the attackers walked around it"

[BuildTheRobots]

The fact that Bitlocker really wants a TPM to work properly rather than being entirely in software is a pain.

The fact the German and recently Chinese governments have specifically banned their users from trusting windows 8 + TPM doesn't thrill me with confidence.

The fact that bitlocker kindly sends a copy of your HDD recovery key to Microsoft if you have windows 8 linked to your live account doesn't strike me as brilliant, either.

Oh, and the fact I need to upgrade to the Ultimate or Enterprise editions of Windows means it doesn't help a large majority of users.

Even if truecrypt were written as part of an NSA/FBI joint project it's still works across the three main OS's and it has the source code available for scrutiny (deterministic build issues aside).

[unsignedint]

It looks like TrueCrypt and BitLocker has been trying to solve a different type of problem.

BitLocker is somewhat more business oriented -- thus they feature things like key recovery, more protection (or might be taken as limitation to some) when the hard drive is removed from one computer and ported to another machine, etc.

TrueCrypt seemed to be aimed more toward security than manageability, lacked those features above, which might have aligned with user demographies that these "business" requirements either they didn't want to have or not relevant.

[rinon]

If BitLocker was open source and verifiable, I'd have a lot more respect and trust for it.

[x1798DE]

We can always use TrueCrypt, which everyone was fine with and most people were recommending 2 days ago, even though it hadn't been updated it 2 years.

[y-satellite]

We can, as long as you believe these new warnings shouldn't be taken at face value. It adds a layer of doubt to the situation that wasn't there before.

[jmnicolas]

Yes but 2 days ago Truecrypt looked like it was backed by some serious devs (albeit anonymous).

[x1798DE]

Who hadn't updated their code in 2 years. It's stable software that's likely more secure than most things you'd switch to, whether or not it has active development. I'm not saying you don't want to keep an eye out for a new alternative, but you may want to wait for the dust to settle, since in response to this, it seems likely that we'll see a TC fork.

[cjg]

Unfortunately it doesn't support Windows 8 because of the UEFI problem.

[LaSombra]

One of the greatest TrueCrypt features, to me, was that it was multiplatform, much like GPG. Now I have no idea what to do...