Bitlocker vs truecrypt1/1/2024 ![]() ![]() Today I’m going to dive deep into the concerns about BitLocker and into Microsoft’s new responses. I’m also going to explain why more open alternatives like TrueCrypt don’t resolve these concerns, and take a brief look at proprietary products like BestCrypt, which Schneier recommends. As prominent cryptographer Bruce Schneier has written, “In the cryptography world, we consider open source necessary for good security we have for decades.” Despite all of this, BitLocker still might be the best option for Windows users who want to encrypt their disks. Significant questions remain about BitLocker, to be sure, and because the source code for it is not available, those questions will likely remain unanswered. The company told me which random number generator BitLocker uses to generate encryption keys, alleviating concerns about a government backdoor in that subsystem it explained why it removed the Elephant diffuser, citing worries over performance and compatibility that will appease some, but certainly not all, concerned parties and it said that the government-compromised algorithm it bundles with Windows to generate encryption keys is, by default, not used at all. And Microsoft has reportedly worked hand-in-glove with the government to provide early access to bugs in Windows and to customer data in its Skype and products.Įven having known about these issues, I still believed BitLocker was the best of several bad options for Windows users I’ll explain my reasoning on this later.īut in the meantime, something interesting has happened: Microsoft, after considerable prodding, provided me with answers to some longstanding questions about BitLocker’s security. BitLocker also lost a key component for hardening its encryption, known as the “Elephant diffuser,” in the latest major version of Windows. In addition, BitLocker’s host operating system, Microsoft Windows, provides an algorithm for generating random numbers, including encryption keys, that is known to have been backdoored by government spies, and which the company’s own engineers flagged as potentially compromised nearly eight years ago. For example, BitLocker’s source code is not available for inspection, which makes it particularly vulnerable to “backdoors,” security holes intentionally placed to provide access to the government or others. This advice generated an immediate backlash in the comments section underneath the post, where readers correctly pointed out that BitLocker has been criticized by security experts for a number of real and potential shortcomings. For the benefit of Windows users, I gave instructions for turning on BitLocker, Microsoft’s disk encryption technology. IMHO, anything less than that is criminal negligence on a system with important data.Recently, I wrote a guide explaining how to encrypt your laptop’s hard drive and why you should do so. ![]() I use full-disk LUKS (including root partition) on my laptop, and it's gone through many fscks without problems.Īt any rate, you are going to perform at least nightly full backups, aren't you? So a crash should not wipe out a lot of work. Encryption is always per sector, and disks are written per sector, so usually you'll lose any sectors that weren't written properly, with or without encryption. So I would recommend LUKS (though Truecrypt is a viable option as well).ĭoes TrueCrypt of LUKS offer the best stability / recovery in an event of a crash? At any rate, most Linux FS have no Windows driver anyway. But that is really only relevant for portable drives/media. The only advantage I can see for Truecrypt is that its Windows support is better, so it's easier to mount a Truecrypt partition under Windows. I'm not even sure if TrueCrypt can encrypt the root partition at all. Setting this up by hand can be a bit tricky (though doable), so distro integration helps a lot.Īt least Debian and Ubuntu offer encrypted root via LUKS in the standard installer, so that's a point for LUKS. For security reasons, you almost certainly want to encrypt all partitions (including /), which is called "encrypted root". ![]() Well, as other have pointed out, LUKS is generally better integrated into current distributions. ![]()
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |