TrueCrypt vs BitLocker

  • I would like to ask which one of these, TrueCrypt or BitLocker, is safer to implement and encrypt the data in a small business environment (Windows 7, 8.1 and Windows Server 2012r)?

    I read about BitLocker and I am confused. Many IT professionals recommend using BitLocker; however, I have also read that BitLocker has an industry (Microsoft) backdoor implemented.

    Not sure about TrueCrypt. Is there a backdoor, or is TrueCrypt vulnerable, and is it safe to use for business purposes?

    I am more concerned about cyber criminals rather than law enforcement.

    A report just came out today confirming that TrueCrypt does not have backdoors.

    If there *is* a back door in BitLocker, sooner or later, word will leak out to the cybercriminals.

    Yes, Bob, and this is the reason why I am worried.

    If you want to use TrueCrypt you need to disable certain modern technologies it's not compatible with. For example, MBR vs. GPT or EFI vs. BIOS.

    VeraCrypt (a.k.a. the next TrueCrypt project) does support GPT/EFI.

  • Bob Brown (correct answer), 6 years ago

    Edit: October 3, 2015 An article in IT World for September 29, 2015 reveals the existence of, but doesn't describe fully, two serious flaws in the Windows driver that TrueCrypt installed. It isn't clear from the article whether those flaws compromise the crypto or the underlying Windows OS, or both. It also isn't clear whether that driver is installed only for full-disk encryption or at any time a TrueCrypt volume is in use.

    Original answer below:

    It is unknown (except probably to Microsoft and the NSA) whether BitLocker has a back door. You cannot examine the source code to find out, either. (And even if you could, a purposeful weakness might be very difficult to spot, even for an experienced cryptographer.)

    TrueCrypt's source code is available and has (as of today) been audited. No back doors or purposeful weaknesses were found. So, speaking only in terms of back doors, TrueCrypt (the version before last) is "safer" because it can be and has been examined by experts.

    Test it on Windows 10 before you commit because TrueCrypt is no longer supported by the original authors.

    Enhancing your answer with the 2-week-old official audit report showing no backdoors found in TrueCrypt: https://opencryptoaudit.org/reports/TrueCrypt_Phase_II_NCC_OCAP_final.pdf

    It wouldn't be the first time that Microsoft hides a government-requested backdoor in its encryption software...

    Your claim that it is unknown whether BitLocker has a backdoor seems to contradict the one below, which claims the source code has been reviewed by large companies. (That is, unless you're claiming it is plausible that the large companies have missed the backdoors, which seems on par with missing backdoors in TrueCrypt.)

    Presumably the back door only matters if the PC is powered off? If the PC is powered on and the password entered, then all files are readable to the operating system anyway (or to whatever process is running with sufficient permissions), regardless of the disk encryption method used. So surely the back door only matters if the NSA has stolen your hard drive?!

    @SharpC Or you wish to return to the United States without having Customs agents prowl through your hard drive. O'course, they might seize your laptop and detain you *because* it was encrypted.

    @Mehrdad: Unless it can be shown that the "large companies" had a team of two or more very experienced cryptographers review the code, I stand by "unknown."

    @BobBrown: I would assume if this is important enough for them to do a code review, they are not stupid enough to have an incompetent person do it.

    @BobBrown Ah yes, I forgot about such scenarios entering "the land of the free". ;-)

    @Mehrdad: TrueCrypt was audited by career cryptographers, who did not find those flaws in the drivers. Cryptography is a subtle art and software is complicated. I *still* stand by "unknown" with respect to BitLocker. The flaws only now discovered in TrueCrypt clearly demonstrate that this stuff is hard.

    My vote goes hands down to TrueCrypt.

License under CC-BY-SA with attribution