It seems as if everyone who kept sensitive files secure did it with TrueCrypt. Edward Snowden depended on it. So did I.
But now that the popular disk-encryption app is effectively dead — at least for the foreseeable future — it’s time to look for a replacement.
In last week’s (June 12) Top Story, “The life and untimely demise of TrueCrypt,” Susan Bradley reviewed the application’s history and stated, “It’s a mystery that we gave TrueCrypt such an extraordinary level of trust. It had dubious legal foundations, its developers were unknown, and its support was primarily relegated to forums that are now missing.”
In this follow-up article, I’ll discuss my own approach to protecting sensitive files, and I’ll explain why I — unlike Susan — typically don’t recommend Microsoft’s BitLocker. I will recommend two file-encryption programs that might take TrueCrypt’s place.
How safe is safe enough — and for what?
Let’s use your home as an analogy. You probably keep your front door locked — at least at night and when you’re away. You might have an alarm system or even bars on the windows. But your security system most likely doesn’t match those used by New York’s Metropolitan Museum of Art or the Getty Center in Los Angeles.
Why? Well, for one thing, you can’t afford it. But mostly, it would be overkill. Few of us have anything in our homes that would attract the sort of professional thieves who might steal a Van Gogh.
To a large extent, the same rules apply to data. It takes a lot of time and skill to crack encryption, and most criminals are looking for an easy score. Even the NSA, which has the ability to crack all but the best encryption, probably won’t bother. It might soak up everyone’s cellphone metadata because that’s relatively easy. But it reserves the hard work for the few people of interest.
That doesn’t mean you shouldn’t take precautions. Going back to that house analogy, encrypting sensitive files is like locking your front door — a reasonable and generally sufficient line of defense. (And you must ensure that unprotected bits of those files don’t remain on your hard drive.) You also need to protect the encryption key with a long, complex password that’s extremely difficult to crack — and be wary of phishing scams and other deceits that might trick you into handing over the key.
Which files should be encrypted and where?
You don’t need to encrypt every file. We’ll assume that neither the NSA nor criminals are really interested in your collection of cat photos or your daughter’s term papers.
Obviously, you do need to protect files containing bank statements, credit-card information, and Social Security numbers — basic data about your personal identity. But you also might want to encrypt any information that you don’t want others to see — and anyone else’s personal information you might possess. The simple rule: If in doubt, encrypt it.
Your work might dictate different encryption procedures. For example, a small construction company might need to encrypt just a few financial and customer files, whereas nearly every file an accountant handles probably needs encryption.
The safest place for sensitive files is on an encrypted (and fully backed-up) partition or drive. File-by-file encryption can leave temporary, unencrypted copies on the hard drive. But if every sector on the drive is encrypted, these temporary copies will be unreadable as well.
I’m partial to using a virtual drive/partition — what TrueCrypt called a volume. This is typically a single, often quite large, encrypted file. When you open it with the correct password, Windows sees it as a standard drive from which you can launch files, manage them with Windows Explorer, and so on. When you’re done, you close the volume and all files inside are once again inaccessible. Temporary and “deleted” files stay within the volume, so they, too, are encrypted.
You can, of course, encrypt real partitions. In fact, you can encrypt all partitions — including C:. Booting and signing in to Windows automatically opens these encrypted, physical partitions. But if someone boots the system from a flash drive or connects your hard drive to another computer, nothing will be accessible.
Arguably, this is the safest type of data protection. Because your entire hard drive is encrypted, even Windows’ swap and hibernation files are locked. But full-drive encryption has its own problems. For example, you won’t be able to pull files off an unbootable system by using other boot media.
Also, with full-drive encryption, all data files are accessible whenever you’re signed in to the PC. They can be stolen by a remote cyber thief via malware or by a co-worker while you’re on a coffee break. By contrast, you have to consciously open an encrypted volume, which can remain locked when you’re in a not-so-safe environment — such as on a public Wi-Fi network.
Bottom line: Full-drive encryption makes the most sense if you work primarily and continuously with sensitive information — as in accounting. In most cases, an encrypted partition makes more sense; it’s nearly as secure as full-drive encryption and offers more flexibility. File-by-file encryption is the least secure but is worth considering if you can’t use drive/partition encryption, as discussed in the May 15 Top Story, “Better data and boot security for Windows PCs,” and in a follow-up in this week’s LangaList Plus.
BitLocker best for corporate environments
For many, Windows’ own BitLocker encryption tool is the obvious TrueCrypt replacement. Susan Bradley put it at the top of her short list, and the infamous TrueCrypt warning on the SourceForge download page provides extensive directions for setting it up.
BitLocker comes with Windows 7 Ultimate and Enterprise plus Windows 8 Pro and Enterprise. It can encrypt real and virtual partitions or the entire drive. In my view, BitLocker has its place — primarily when managed by a PC expert in an office scenario. BitLocker is sort of set-and-forget; non-techie office workers can simply sign in and out of Windows in the normal way without even knowing (or caring) whether their files are encrypted.
But for personal use, BitLocker’s password/key system can be overly complex or confusing. For example, when you set up BitLocker, you create an unlock password. (You can also have a BitLocker-encrypted drive unlock automatically when users sign in to Windows — or they can use a smartcard or PIN.) But you must also create a separate key-recovery password that’s stored on the system if the PC has a Trusted Platform Module (TPM) chip, or on a flash drive if it doesn’t. Setting up BitLocker on a system without a TPM chip can take some time and admin skills.
Basically, if you don’t have a newer PC and an advanced version of Windows, BitLocker is simply not a viable option. For an individual maintaining his or her PC, it’s just another layer of complication.
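To make the pieces described above concrete, here is an added example (it is not from this article, and not Microsoft’s own documentation) that uses Windows’ built-in tools to build a TrueCrypt-style virtual volume as a VHD file and protect it with BitLocker, using both an unlock password and the separate recovery password the article mentions. It assumes Windows 8 Pro or Enterprise (or later), an elevated PowerShell session, and the BitLocker and TrustedPlatformModule modules; the file path, drive letter, and size are placeholder values.

```powershell
# Added example, not the article's own instructions. Assumes Windows 8 Pro/Enterprise
# or later, an elevated PowerShell session, and the BitLocker/TrustedPlatformModule
# modules. $VaultPath, $Letter and $SizeMB are hypothetical values; adjust them.
$VaultPath = 'C:\Users\Public\vault.vhd'
$Letter    = 'V'
$SizeMB    = 1024
$Mount     = "${Letter}:"

# 1. Report whether a TPM is present. A data volume like this one can use a
#    password protector alone; the TPM matters mainly for the boot (C:) drive.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent), ready: $($tpm.TpmReady)"

# 2. Create and attach the container file with diskpart (no Hyper-V module needed),
#    then lay down a single NTFS partition inside it. diskpart reads its commands
#    from a script file passed with /s.
$script = Join-Path $env:TEMP 'make-vault.txt'
@"
create vdisk file="$VaultPath" maximum=$SizeMB type=expandable
attach vdisk
create partition primary
format fs=ntfs quick label=Vault
assign letter=$Letter
"@ | Set-Content -Path $script -Encoding ASCII
diskpart /s $script | Out-Null

# 3. Encrypt the new volume. The unlock password is what you type each time you
#    open the vault; the recovery password is the separate key the article says
#    BitLocker also requires. Aes256 is accepted by Windows 8-era BitLocker.
$pw = Read-Host -Prompt 'Vault unlock password' -AsSecureString
Enable-BitLocker -MountPoint $Mount -PasswordProtector -Password $pw `
    -EncryptionMethod Aes256 -UsedSpaceOnly | Out-Null
Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null

# Wait for the (short, because the volume is empty) encryption pass to finish.
while ((Get-BitLockerVolume -MountPoint $Mount).VolumeStatus -eq 'EncryptionInProgress') {
    Start-Sleep -Seconds 2
}

# 4. Show the 48-digit recovery password once so it can be written down and kept
#    away from this PC. Do not save it to a file on the same drive it protects.
$vol = Get-BitLockerVolume -MountPoint $Mount
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { "Recovery password (store offline): $($_.RecoveryPassword)" }

# 5. Close the vault by detaching the VHD; the file is now just an opaque blob
#    that can be backed up like any other document.
@"
select vdisk file="$VaultPath"
detach vdisk
"@ | Set-Content -Path $script -Encoding ASCII
diskpart /s $script | Out-Null
Remove-Item $script
```

To open the vault later, attach the VHD again with diskpart (`select vdisk file=...` then `attach vdisk`) and run `Unlock-BitLocker -MountPoint V: -Password $pw`; `Lock-BitLocker -MountPoint V:` closes it without detaching. Like a TrueCrypt volume, the container file is what gets backed up, so keeping it in a folder your backup program already covers gives you encrypted backups for free.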
Here are two better data-encryption applications for personal PCs.
DiskCryptor: For drives and partitions
Like TrueCrypt, DiskCryptor is free. It’s also open-source, though I’m not as confident as I once was that being open-source is an advantage. (As Susan pointed out last week, “There’s even debate whether TrueCrypt qualifies as open-source.”)
DiskCryptor is designed to encrypt partitions. According to the DiskCryptor site, Windows 8 isn’t supported. But it seemed to work fine encrypting a separate, nonboot partition on a fully updated Win8.1 Update system.
DiskCryptor’s user interface is somewhat unattractive, but it’s relatively easy to figure out. The program offers industry-standard AES, Twofish, and Serpent encryptions (see Figure 1). If you’re really paranoid, you can combine them, encrypting first one way and then another.
A simple wizard helps you quickly encrypt any partition — including C:. If you encrypt C:, you’ll have to enter your DiskCryptor password before Windows will load. (If C: is your only partition, you’ve effectively encrypted the entire drive. Note: As with all current, third-party encryption apps, you can’t use DiskCryptor on a Win8 system’s boot [C:] drive that has Secure Boot enabled. For more info, see “Reader disagrees with data-encryption advice” in this week’s LangaList Plus [paid content].)
Although DiskCryptor doesn’t support TrueCrypt-like virtual partitions, you can use a real partition for a similar result. Use Windows’ Disk Management program or a third-party partition tool to create a small, separate partition for your sensitive files. Then use DiskCryptor to encrypt that partition (see Figure 2). The result is much like a TrueCrypt volume, except that it’s a real partition.
But using a real partition has some disadvantages. For example, the encrypted partition is clearly visible in Windows’ Disk Management, though it’s labeled as unformatted.
And backups can be tricky. The only way to back up the files when the partition is closed is with image-backup software. Using the default settings for EaseUS Todo Backup resulted in an error message, as shown in Figure 3. After selecting the sector-by-sector backup option, both the backup and the restore worked.
You can also open the partition and use a conventional file-backup program. But make sure it’s one that has its own built-in encryption to secure your files.
On the other hand, backup is very simple with a virtual partition, which to Windows is simply another (really big) file. Keep the file in a standard folder — such as Documents — and it’ll get backed up automatically and regularly.
Cryptainer LE: The tool for virtual partitions
If, like me, you prefer a virtual partition, Cryptainer LE (also called Cypherix LE) is the better option. The free version doesn’t let you create a volume greater than 100MB (see Figure 4), but if you’re judicious about what you encrypt, it might be enough.
And if it isn’t enough, you can shell out U.S. $30 and get Cryptainer ME, which comes with a 2.5GB-file limit. Shell out $70, and you can create terabyte-sized volumes. But if you’re going that big, you may as well encrypt the whole drive.
Cryptainer is easy to set up and use; the buttons are big and colorful, and — more importantly — they’re easy to understand. Tabs help you use and control multiple volumes (see Figure 5).
When you set up a volume, the free version appears to offer AES 256-bit and Blowfish 488-bit encryption — but you actually get only 128-bit Blowfish. Again, for most people, that’s sufficient. Blowfish 488-bit and AES 256-bit encryption are, obviously, enabled in the paid versions.
The choice: Stay with TrueCrypt or move on
If you don’t already have TrueCrypt, either DiskCryptor or Cryptainer should do; it just depends on how you prefer to work with encrypted files. (Or, if your encryption needs are relatively simple, use file-by-file encryption as detailed in the May 15 Top Story.)
On the other hand, if you’re already using TrueCrypt, you can probably stick with it — at least for a while. As Susan pointed out, a formal code review of TrueCrypt showed that it “does not have any back doors and still provides secure encryption that can’t be easily cracked.” (Note: There’s still a downloadable version of TrueCrypt, but it’s read-only — i.e., you can open encrypted volumes to remove files, but you can’t create new ones.)
Currently, I’m still using TrueCrypt. But I don’t know for how long. TrueCrypt, like many other public encryption applications, can be cracked with some effort and the right tools. With no updates, it might become more vulnerable over time. If a new version of TrueCrypt doesn’t rise from the ashes relatively soon, I’ll seriously consider moving over to Cryptainer LE or ME.