TrueCrypt alternatives for Windows, Encrypted Container Systems
A colleague recently asked me “what encryption solution should I now use instead of TrueCrypt?”. After a couple of questions back-and-forth we defined the request to :
have a simple to use, reliable encryption system for individual containers on Windows platforms in a corporate environment
Easy sharing
The containers have to be easy shareable with multiple users, preferably via a cloud storage provider.
Typically users share encrypted containers by emailing them or copying them to removable media. With the popularity of free cloud storage providers users started to share these containers via the cloud. There’s a problem with that. Most of the cloud storage providers have some sort of utility that syncs a users’ folder with the cloud storage. This works fine for individual files inside a folder.
A change in a file causes that single file to be synced to the cloud storage. With encryption however the sync utility can not differentiate between the different files, it can not look “inside” the container and considers the container as one solid file. So the slightest change to any file in the container causes a full sync of that container. This becomes problematic once you start using larger containers.
Ideally the solution has to have support for cloud storage but this feature-request is not considered as a show stopper though.
No Java
The request was extended with not allowing Java based solutions. There are a number of java based encryption solutions that provide the requested features.
However, using Java in a corporate environment (especially for a ‘security solution’) is a very bad idea. Java has a catastrophic security track record and should be avoided in corporate environments.
Test method, crypto strength and reliability
The timeframe of the request was to short to do a profound check of the implemented cryptographic systems. I also did not verify if the application logic or implementation had vulnerabilities.
The comparison focused on “ease of use for end-users”.
The applications were installed on an up to date Windows 7 and 8, various crypto containers were created and small and large files were copied to and removed from the containers.
Solutions
There are a number of different solutions on the market that position themselves as the perfect replacement for TrueCrypt. Besides the solutions already provided in Microsoft Windows you also have a number of free and non-free solutions.
BitLocker
http://windows.microsoft.com/en-US/windows7/products/features/bitlocker
BitLocker is a Windows integrated drive encryption solution but does not provide container support.
EFS
http://windows.microsoft.com/en-us/windows/what-is-encrypting-file-system
Encrypting File System (EFS) is a feature of Windows that you can use to store information on your hard disk in an encrypted format.
EFS uses the Windows logon credentials to encrypt and decrypt. This means that once you are logged in, whether or not you want access to the encrypted locations, they get decrypted.
The protection of the encrypted files depends on the strength of your password, if you use weak passwords then it’s easy to bypass the protection layer.
There is also no easy way for sharing the encrypted files with other users.
AES Crypt
“AES Crypt is a file encryption software available on several operating systems that uses the industry standard Advanced Encryption Standard (AES) to easily and securely encrypt files.”
AES Crypt is free and is multi platform but it only allows for single file encryption. The filename of the encrypted file is still visible. This might be considered as an information leak.
AES Crypt supports AES-256.
It is intuitive (right-click and encrypt) to use but the limit to single file encryption only and no filename encryption makes it not suitable for the requested purposes.
Boxcryptor
“Boxcryptor is an easy-to-use encryption software optimized for the cloud.”
Boxcryptor is a cross platform solution that is free for personal use (but with limited features). It can use a local account where you do not have shared permission management and you have to manage the security and integrity of the keys yourself. With a “Boxcryptor account” you can grant other users access and the keys are stored remotely.
Boxcryptor support AES-256, AES-192, AES-128 and RSA for keys. The non-free version supports filename encryption.
Although it’s meant to be used on a top of a cloud storage provider, you can also use it to encrypt local containers. On Windows the containers can be assigned a separate drive letter.
The Boxcryptor interface integrates smoothly into windows (tray and explorer). It does not require you to set the size of the container prior to creating the encrypted volume.
Boxcryptor has a company package with LDAP integration, policies and tracking user activities. Especially the later can be important in company environments.
BestCrypt
“Use BestCrypt Container Encryption to securely store selected files or folders on an active computer, shared workstation or network storage.”
BestCrypt is a cross platform solution that is available for trial for a limited numbers of days. It supports both containers and volumes and also supports integrated swap file encryption. BestCrypt also supports hidden containers. On Windows the containers can be assigned a separate drive letter.
BestCrypt supports 3-DES, CAST, IDEA, RC6, AES, Serpent and others. The key management can be password based and public key based.
The interface is straightforward and quite similar to TrueCrypt. The interface has a couple of interesting extras like a text encoder utility (so you can quickly encode / decode texts, this might be useful if you can not use f.e. GPG to transmit messages), an “anti-keylogger feature” (to verify that your password to unlock the volumes is not captured by malware) and an algorithm benchmark test.
BestCrypt requires you to define the size of the container prior to the creation.
VeraCrypt
https://veracrypt.codeplex.com/
“VeraCrypt is a free disk encryption software brought to you by IDRIX (https://www.idrix.fr) and that is based on TrueCrypt.”
VeraCrypt supports encryption for containers and full system drive encryption and it has all the features you can find in the old TrueCrypt.
VeraCrypt supports AES, Twofish and Serpent and different hashing algorithms.
VeraCrypt requires you to define the size of the container prior to the creation.
The interface of VeraCrypt is almost identical to the interface of the old TrueCrypt.
Source code reviews and crypto strength
There has been a lot of discussion whether TrueCrypt was “truly” open source. You could review the code but there were doubts if the binary was indeed compiled from that same source code. This compilation process has been examined at https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/.
If free available source code is important for you then VeraCrypt (full open source) and BestCrypt (with the development kit) are the best choices.
Having the source code available does not mean that the code has been audited though neither does it mean that people who looked at the code fully understood how the different features worked.
Boxcrypto has not open sourced its code but provides an extensive technical overview at
https://www.boxcryptor.com/en/technical-overview
There’s not a lot of difference in cryptographic strength between the three solutions in their default setup. BestCrypt and VeraCrypt provide more tunable options but the settings of Boxcrypto are acceptable.
Conclusion
The two build-in solutions for Windows, EFS and BitLocker are not a good choice. They either do not cover the needs (BitLocker) are have a questionable security setup (EFS).
AES Crypt is a very simple solution for ad-hoc encryption of individual files but it is to limited for the intended use.
This leaves three possible candidates : Boxcryptor, BestCrypt and VeraCrypt. The latter two mimic the behavior and interface of TrueCrypt. Boxcryptor and Veracrypt have the capability to hide the original filename (I could not find a similar setting in BestCrypt). As far as I could check, only Boxcryptor allows you to have dynamically sized containers. The other two solutions require you to set the size before creating the container.
| Boxcryptor | BestCrypt | VeraCrypt | |
|---|---|---|---|
| Container encryption | |||
| Volume encryption | |||
| Mobile / Traveller kit | |||
| TrueCrypt mimic | |||
| Filename encryption | |||
| Cloud support | |||
| Dynamic container length | |||
| Open Source | |||
| Free license |
Do you want to store the encrypted volumes on a cloud storage provider?
Use Boxcrypto. It provides integrated syncing with Dropbox, Google Drive and WebDAV enabled storage. Boxcrypto is not limited to cloud storage solutions only, you can also use it with local containers.
In need of a free solution that mimics TrueCrypt?
Use VeraCrypt. Although BestCrypt provides a set of extra features, there’s no real compatibility with TrueCrypt. The migration path from TrueCrypt to BestCrypt involves opening the old container, copying the files to a new container and closing the container. That can hardly be called “compatibility”.
Boxcrypto
The Boxcrypto solution seems the most flexible solution for having encrypted, shareable containers on Windows. The choice for the Company Package with policies, centralised management, Active Directory support and support for a master key is advised in a corporate environment.
Espionage for OSX
Although the scope of the request was limited to tools that are available on Windows (all proposed solutions are cross platform though) I’d like to draw the attention to a Mac OSX tool called “Espionage“.
Espionage is an encryption tool that also provides plausible deniability for your data. If you run OSX it’s worth checking out.
TrueCrypt alternatives for Windows
PPD NETWORK http://dolcefiles.org/
As for cloud support, the question is, is it the encryption or the cloud that should get smart ? Changing a few bytes in a large file, weather that’s an encrypted container or something else, a good cloud would do a differential sync and only upload / download the parts that changed.