by Spooky23 4406 days ago
If you need full disk encryption, how is appropriately configured BitLocker any less reliable, or offering fewer "security guarantees" than TrueCrypt?

The knee-jerk reaction here is "omg, prism, Microsoft!". But the reality is that you have no idea who the TrueCrypt people are and their level of trustworthiness --- for all you know they work for NSA or FSB!

If you are a Windows user, use the manual and use BitLocker for FDE and EFS for folders and files.

4 comments

The most obvious difference is that the TrueCrypt code has had at least the first stage of a formal security audit done, which uncovered no evidence of backdoors. With BitLocker being closed source and no public audits being done, you don't have the same guarantees. BitLocker may be perfectly secure, but I feel I'm justified in saying that its status is much more uncertain.

Most aspects of TC were never publicly audited. People were using it on blind faith only: betting that if somebody had cared to audit he'd publish his findings too.

You can have the same assumption for BitLocker.

Except Microsoft, for all their protest about backdoors from this project, have actually changed fundamental design aspects of their products, like Skype, Hotmail, Outlook.com, and SkyDrive, in order to enable wholesale spying while advertising 'encryption'.

You wouldn't trust the drunk driver who's crashed his last few vehicles to borrow your car. The intelligence agencies own Microsoft, as far as users are concerned, and when cryptosystems have to be crippled for their priorities, we can't expect them to hold up to other attacks.

For TC we have this story: http://wroot.org/posts/daniel-dantas-hard-drive-encryption-w...

And for MS there is this story: http://www.geekwire.com/2013/report-microsoft-nsa/

This is of course no evidence for the (in)security of TC/BitLocker, but I would call it indirect evidence, and certainly more than 'blind faith'.

You can't audit BitLocker, its source is not available. That's a huge difference.

Microsoft has special licensing models where the sources for the OS are available. Somebody looks at that, at least comparably to how somebody was expected to detect the bug in OpenSSL, or to review TrueCrypt, and nobody did until recently because, well, let somebody else care.

So as far as I understand, it is possible to audit Microsoft's crypto code too. I can imagine the audit of crypto code wouldn't find anything. The real problem is:

http://regmedia.co.uk/2014/05/16/0955_peter_gutmann.pdf

"Crypto won't save you either"

"Crypto Summary:

Number of attacks that broke the crypto: 0

Number of attacks that bypassed the crypto: All the rest

- No matter how strong the crypto was, or how large the keys were, the attackers walked around it"

The fact that BitLocker really wants a TPM to work properly rather than being entirely in software is a pain.

The fact the German and recently Chinese governments have specifically banned their users from trusting Windows 8 + TPM doesn't thrill me with confidence.

The fact that BitLocker kindly sends a copy of your HDD recovery key to Microsoft if you have Windows 8 linked to your Live account doesn't strike me as brilliant, either.

Oh, and the fact I need to upgrade to the Ultimate or Enterprise editions of Windows means it doesn't help a large majority of users.

Even if TrueCrypt were written as part of an NSA/FBI joint project, it still works across the three main OSes and it has the source code available for scrutiny (deterministic build issues aside).

It looks like TrueCrypt and BitLocker have been trying to solve a different type of problem.

BitLocker is somewhat more business oriented -- thus they feature things like key recovery, more protection (or might be taken as limitation to some) when the hard drive is removed from one computer and ported to another machine, etc.

TrueCrypt seemed to be aimed more toward security than manageability and lacked the features above, which might have aligned with user demographics for whom these "business" requirements were either unwanted or not relevant.

If BitLocker was open source and verifiable, I'd have a lot more respect and trust for it.