[tokenizerrr]

Do you have any specific examples of implementations on what you mean? I'd love to store word documents, pdfs, etc. gpg encrypted on an USB stick, without having the decrypted bytes be written to the device (Which I've previously done with TrueCrypt volumes). The concern being that I've decrypted a file, am working on it and someone pulls out the USB and leaves with it.

[tptacek]

If you're serious about protecting PDFs and stuff, encrypt them with PGP. It's much more annoying than using FDE systems like Truecrypt, but much more secure.

If you're not so serious that you're willing to manually encrypt and decrypt files (or ZIP archives of files), just use your OS's full disk encryption scheme. On a Mac, for instance, you can create virtual disks with AES-XTS and keys derived from passwords; that's built into the OS.

What people really want is some kind of transparent encrypted filesystem. That's a reasonable thing to want, and it would be more secure than Truecrypt. I don't know of a good one.

[chiph]

Exactly. While I could use PGP to encrypt individual files, that's really inconvenient for more than a handful. Putting them into ZIP-style archives introduces potential problems with data being written to temp files, etc. A container-based file system solution would be preferred.

It'd also be nice if it were cross-platform, since lots of people do use different operating systems during their day. I know I do. :)

Over the weekend I was looking at some of the commercial products that are positioning themselves as TC replacements. And most of them are a little too close to the military/govt for my comfort. I'd rather have something open source just for the ability to inspect the code, if nothing else.

[snowwrestler]

> What people really want is some kind of transparent encrypted filesystem.

Isn't that the promise of FileVault on a Mac? Is that not under discussion here because it's not good, or because it's not cross-platform? (In other words, should I not trust FileVault?)

[tP5n]

Asking if you should trust software X is like asking the internet if it'd be healthy for you to start running a marathon.

For starters, how would we know? The software in question is closed-source and has spotty docs as best - and more importantly: your trust in a software is something that only you can establish for yourself, irregardless if whatever number of people on the internet claim the product trustworthy.

Appelbaum on FileVault(1) in 2006: http://events.ccc.de/congress/2006/Fahrplan/attachments/1244...

[snowwrestler]

These are all very good points, but I guess I was think purely in architecture terms, like "does this software have a known-bad crypto design?" Tptacek answered that, but you make a good point that ultimately no one but Apple knows whether FileVault is doing exactly (and only) what Apple says it does.

[tokenizerrr]

To be fair they asked if they should not trust it. Which I think is a fair question. It could be answered with "I don't have a reason not to", or "Yes, because ...". Neither answer implies that it should be trusted.

[tptacek]

Filevault is AES-XTS sector-level crypto. It's what I use, and I like it fine, but I encrypt important stuff with PGP.

[tokenizerrr]

Truecrypt also offers a container filesystem, which is what I used to use. It's cross platform and it always served me well. It would create a virtual disk drive with the contents being stored in the encrypted container file.