Non-Linux FOSS: TrueCrypt

TrueCrypt is a fully open-source tool for encrypting data. That data can be on a completely encrypted hard drive, or just an encrypted image file. Thankfully, the encryption works the same regardless of your platform, so Windows and OS X users can share encrypted files between computers.

We really like to use TrueCrypt in combination with Dropbox, another cross-platform tool, to protect our data in the cloud. Pictured here is the OS X version of TrueCrypt, mounting an encrypted image as a local hard drive. Whether you are storing sensitive data or Grandma's secret recipe, TrueCrypt can keep your data private, even if it's stored on someone else's server.

For more information and downloadable binaries for Windows and OS X, visit http://www.truecrypt.org.

______________________

Shawn Powers is an Associate Editor for Linux Journal. You might find him chatting on the IRC channel or on Twitter.

Comments

license "woes" like with original cdrtools?

Posted by XMPP beats sms

What non-masochistic-to-install Linux GUI tool functions like TrueCrypt and can also be used on OS X and 64-bit Windows Pro 7+ as R/W?

Uploading TC volumes to the cloud is silly. Use cloud processing to generate cloud-sized keyspaces, or the cloud will rape your workstation keyspace! (duh?)

Mount a cloud-encrypted place and upload into it. If you don't have at least a 40 megabit/s upload rate at home, you are a cheap wretch... and possibly lazy, too.

But back to non-Beowulf workstation land. How many white-crow Linux articles will appear here on the many other tools that are not for Linux?

:roll:

I don't quite understand what

Posted by Anonymous

I don't quite understand what is meant by **Non-Linux FOSS**, especially the **Non-Linux** part of the phrase.

The reason for non-Linux FOSS.

Posted by Brent Emery Pieczynski

Microsoft is terrible, so methods for working around system design flaws are needed. People shoving Microsoft onto other people in order to improve their social status at other people's expense are Dogs. Dogs are part of the people promoting Microsoft through their personal self-promotion campaigns. I've done my part in dealing with those Dogs.

Did I miss something?

Posted by Anonymous

TrueCrypt is FOSS: you can download it for free, and you can download the source code. And you can download it for Linux, so it's not "Non-Linux FOSS" (although you can't do full disk encryption with it on Linux).

More people who don't understand encryption...

Posted by Anonymous

Suppose that you encrypt something with either TrueCrypt or GnuPG or any other way. Suppose that you upload it to Dropbox or Wuala or Ubuntu One or whatever else there is. You uploaded the encrypted file, which we will represent as C (ciphertext). Now C is the output of Encrypt(Key, Message), or simply E(k,m)=c.

So, for the original message that you upload, this equation is E(k,m1)=c1. If you change the unencrypted file and re-upload the encrypted file, then we have E(k,m2)=c2. The key (which is either a password or a passphrase) is the same.

Do this a few times (actually a lot of times) and you are giving clues to what the key/message might be. How? By observing the changes in the ciphertexts. For each different encryption type (block or stream) and algorithm, a 'man in the middle' can find out a lot of info on the key/message. After a number of bytes are decrypted, the rest can be either guessed or brute-forced (or maybe the attacker is really smart and has some cool heuristic).

So, how to solve this problem? Don't reuse the same key after a number of uploads, and don't reuse the same key with different files. The attacker never knows if and when you change your keys, so even if you cycle between 2 or 3 keys you are a lot safer than with a super-duper hard-to-guess key.

I am not gonna comment on TrueCrypt being FOSS, but I am gonna comment on the OS X screenshots. This is Linux Journal, at least post screenshots from Linux!

What is with the incorrect title?

Posted by Anonymous

TrueCrypt isn't FOSS! It is not open source and it's not even free software. Seriously, Mr. Powers?

http://en.wikipedia.org/wiki/Free_and_open_source_software

TrueCrypt is indeed not FOSS

Posted by Anonymous

However, encfs *is* FOSS: http://www.arg0.net/encfs
There is even a Windows port: http://members.ferrara.linux.it/freddy77/encfs.html

I use both the Linux and the Windows versions, with Dropbox and Ubuntu One, and it works great.

Encfs has another advantage over TrueCrypt: rather than encrypting the entire volume, encryption is done on a per-file basis. So only the changed file has to be re-uploaded rather than the *whole volume* each time you change something.

Actually, how safe it is?

Posted by Janis

For some time I have been seeking an answer to the question: how safe indeed are the OS encryption tools/methods currently widely available?
If (the NSA? NIST?) says an xxx-bit-long key is safe for non-military encryption of government data, does it mean that such an authority feels free to deal with such keys in case of necessity? Does it mean that public initiatives like "break the RC5" are just smoke on the water?
The same relates to TLS/SSL communications and ssh.

true crypt

Posted by Anonymous

encryption

TrueCrypt = FOSS?

Posted by Jim G

Neither Arch, Debian, Ubuntu, Gentoo, nor openSUSE seems overly pleased with TrueCrypt's license, either.

Last I knew, none of these distributions include TrueCrypt because of the licensing issues.

This does not necessarily stop me from using it, but I like to go in with my eyes open.

SpiderOak

Posted by Robert B

I use SpiderOak, which is a combination of both. It has an encrypted communication protocol between your machine and the cloud. Data are stored encrypted in the cloud. It is also a multiplatform application with many more possibilities than Dropbox.

I like it.

SpiderOak looks like it is for cloud storage.

Posted by Anonymous

TrueCrypt is for hard drives.

FOSS Licensing in General

Posted by MikeH

This blind belief in license assurances reminds me a bit of the controversy which arose over Moonlight and the MONO project. Moonlight was the "open source" answer to Microsoft's Silverlight (which has been abandoned). Microsoft's response was basically: we're giving this to the world for free. Trust us! The amazing folks at Groklaw published an article about it, which is here:

http://www.groklaw.net/article.php?story=20080528133529454

My favorite line: "Rather than guess, I wrote to the Software Freedom Law Center, asking if they could answer some questions about it, and Dan Ravicher eventually answered my questions. The bottom line? I'd say this stuff is radioactive. But you can judge for yourself."

If it isn't the GPL, you need to view any license with a degree of suspicion. The problem is that NO ONE reads these things; people in the Windows and Apple worlds just blindly click "I agree" - little do they know they could have just given away their firstborn.

Has something changed

Posted by MikeH

Has something changed recently? If not, I'm shocked that the Linux Journal has posted an article claiming that TrueCrypt is FOSS. According to the Fedora Community, which only includes FOSS items in its distribution, TrueCrypt is on the Forbidden Items list.

Just because a company claims that its software is FOSS doesn't make it so. Fedora has been attempting for years to work with TrueCrypt, but so far they have refused to make the necessary license changes.

According to Fedora: "The TrueCrypt software is under a poor license, which is not only non-free, but has the potential to be actively dangerous to end users or distributors who agree to it, opening them to possible legal action even if they abide by all of the licensing terms, depending on the intent of the upstream copyright holder. Fedora continues to make efforts to try to work with the TrueCrypt upstream to fix all of the issues in their license so that it can be considered Free, but have not yet been successful."

If you choose to use non-free software, that is your choice, but don't claim it is FOSS when it most certainly isn't.

Looks like FOSS to me

Posted by jdea

I'm no lawyer, nor have I yet looked at anything from the Fedora Community regarding TrueCrypt, but having just read through the TrueCrypt license, it looks like FOSS to me.

The Free Software Foundation's Four Freedoms:
0. "The freedom to run the program, for any purpose." - The TrueCrypt license expressly allows you to use unmodified copies {"...You may use This Product freely... on any number of computers/systems for non-commercial and/or commercial purposes."} and modified copies {"...You may use (for non-commercial and/or commercial purposes)... Your Product."}

1. "The freedom to study how the program works, and change it so it does your computing as you wish. Access to the source code is a precondition for this." - TrueCrypt provides its source code, and allows derivative works {"You may modify This Product (thus forming Your Product), derive new works from This Product or portions thereof (thus forming Your Product), include This Product or portions thereof in another product (thus forming Your Product, unless defined otherwise in Chapter I)..."}

2. "The freedom to redistribute copies so you can help your neighbor." - TrueCrypt allows distribution of unmodified copies {"You may make copies of This Product (unmodified) and distribute copies of This Product (unmodified)..."} and modified copies {"You may modify This Product... and You may... copy, and/or distribute Your Product."}

3. "The freedom to distribute copies of your modified versions to others. By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this." - TrueCrypt allows this, see number 2.

I think this can even be described as a copyleft OSS license, since it requires that you release the source code for any modified version you make {"The complete source code of Your Product must be freely and publicly available...You must include the following items with every copy of Your Product...: a clear and conspicuous notice stating that Your Product or portion(s) thereof is/are governed by this version of the TrueCrypt License, a verbatim copy of this version of the TrueCrypt License (as contained herein), a clear and conspicuous notice containing information about where the included copy of the License can be found, and an appropriate copyright notice"}

What I'm wondering is, why is this called 'Non-Linux FOSS'? I'm using it on Linux right now.

Here is more information from

Posted by MikeH

Here is more information from the Fedora community.

http://fedoraproject.org/wiki/Talk:Forbidden_items

The reason I know about this is that I looked into using TrueCrypt a few years ago, couldn't find it in the Fedora repository and became curious why. Once I did my research, I decided I could live without TrueCrypt. Every once in a while I see a story like this one and think "oh, TrueCrypt has changed their license." They haven't.

The bottom line is that the Fedora Project has deemed this forbidden. Fedora has lawyers and an obvious association with Red Hat. The Fedora Project has been trying for years to get this resolved. It's not like they are purposely excluding the package. The fact that the Fedora Community has taken the time to post this information and mark TrueCrypt as a Forbidden item should not be taken lightly.

Not to sound harsh, but you've admitted you aren't a lawyer and you haven't researched the issues the Fedora Project has with TrueCrypt. Then you post something about TrueCrypt which uses some pretty words and then say you think it can be described as a Copyleft license. I have no idea what you posted, but it ain't the license. This is the license:

http://www.truecrypt.org/legal/license

The problem I have with this article is that it is definitely misleading and inaccurate. I expect more from the Linux Journal than spreading misinformation.

I would consider brushing off

Posted by Brian Vaughan

I would consider brushing off the criticisms of the license, at least for individual use, if that were the only issue with TrueCrypt. What I find more worrisome is that the TrueCrypt team has failed to discuss the issue, with the Fedora team or anyone else, for several years, and for some reason the TrueCrypt team insists on anonymity, so there's no real accountability. Bruce Schneier and other security experts have gone over the code, so it's not that the software is, in itself, a Trojan horse of some kind. But without an accountable team behind the software, you can't count on code maintenance and development to keep pace with other developments in software and hardware. So it seems short-sighted to depend upon TrueCrypt.

I second these comments

Posted by Anonymous

I second these comments 100%.

I had a look at this the other day and ran a mile when I found the license document: http://www.truecrypt.org/legal/license

This is far, far away from being FOSS as we know it.

How does that work?

Posted by corfy

"We really like to use TrueCrypt in combination with Dropbox, another cross-platform tool, to protect our data in the cloud."

How does that work, exactly? Are you able to mount the TrueCrypt volume locally while it is on Dropbox? Or are you changing the TrueCrypt volume locally and then up/downloading it to/from Dropbox? I haven't figured out how to do the former, and the latter seems extremely inconvenient.

I should add that I've used TrueCrypt for quite a while and I love it. But I haven't been able to figure out how to fully incorporate it with "The Cloud".

EDIT: I should add I'm not currently a Dropbox user, but I use a few other Cloud storage services, so if this is a Dropbox-specific feature, please let me know.

----
Laugh at life or life will laugh at you.

For dropbox I use gpg to

Posted by Anonymous

For Dropbox I use gpg to encrypt files individually. I have a cleartext directory on my desktop that I stick my files in. In the background I have some Python scripts I wrote running that will place an encrypted copy of any new/altered file in my actual Dropbox folder, and if there is a new/altered file in my Dropbox directory it gets copied and decrypted to my cleartext directory. Each file is individually encrypted, so I don't get killed uploading/downloading to Dropbox, and Dropbox only ever sees the encrypted files. I have this running on an Ubuntu computer and a Mac.
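The per-file mirroring this commenter describes (and the encfs point above that only a changed file, not the whole volume, has to be re-uploaded) can be shown in working code. The following is an added Python example written for this page; it is not the commenter's script and not TrueCrypt, encfs or Dropbox code. gpg is replaced by a labelled stand-in built from the standard library (HMAC-SHA256 as a CTR-style keystream, plus an HMAC tag over nonce and ciphertext, i.e. encrypt-then-MAC) so that the example runs offline; the directory names, the `.sync-manifest.json` file and the function names are assumptions of the example.

```python
"""Constructed example: one-way mirror of a cleartext directory into a Dropbox-style
folder, encrypting each new or altered file on its own (not the commenter's script).
The cipher is a stand-in for gpg so the example runs offline: HMAC-SHA256 as a
CTR-style keystream, plus an HMAC tag over nonce||ciphertext (encrypt-then-MAC)."""
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path

NONCE_LEN = 16   # fresh random nonce per encryption, so keystreams never repeat
TAG_LEN = 32     # HMAC-SHA256 tag length


def _subkeys(key: bytes):
    # derive separate encryption and MAC keys from the master key
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file_bytes(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_file_bytes(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; refuse to decrypt anything altered on the provider's side."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def sync_cleartext_to_dropbox(key: bytes, clear_dir: Path, drop_dir: Path,
                              manifest_path: Path) -> list:
    """Encrypt every new or altered file in clear_dir into drop_dir.

    Change detection uses a SHA-256 of each cleartext file, recorded in a manifest
    that stays on the local machine (never under drop_dir: a cleartext hash would let
    the provider confirm guesses about file contents). Returns the relative paths that
    were (re)encrypted, i.e. exactly what the sync client has to upload."""
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    uploaded = []
    for path in sorted(p for p in clear_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(clear_dir).as_posix()
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        if manifest.get(rel) == digest:
            continue  # unchanged: nothing new reaches the cloud
        target = drop_dir / (rel + ".enc")
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(encrypt_file_bytes(key, data))
        manifest[rel] = digest
        uploaded.append(rel)
    manifest_path.write_text(json.dumps(manifest))
    return uploaded


def demo() -> dict:
    """Run the scenario from the comment in a temporary directory and report results."""
    key = secrets.token_bytes(32)  # in practice: a gpg key or a passphrase-derived key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clear, drop = root / "cleartext", root / "Dropbox"
        manifest = root / ".sync-manifest.json"  # local only, outside the Dropbox folder
        clear.mkdir()
        drop.mkdir()
        (clear / "notes.txt").write_bytes(b"grandma's secret recipe")
        (clear / "todo.txt").write_bytes(b"buy flour")
        first = sync_cleartext_to_dropbox(key, clear, drop, manifest)   # both files
        second = sync_cleartext_to_dropbox(key, clear, drop, manifest)  # nothing
        (clear / "todo.txt").write_bytes(b"buy flour and eggs")
        third = sync_cleartext_to_dropbox(key, clear, drop, manifest)   # only todo.txt
        roundtrip = decrypt_file_bytes(key, (drop / "todo.txt.enc").read_bytes())
        # flip one ciphertext bit: the tag check must reject it
        tampered = bytearray((drop / "notes.txt.enc").read_bytes())
        tampered[NONCE_LEN] ^= 0x01
        try:
            decrypt_file_bytes(key, bytes(tampered))
            rejected = False
        except ValueError:
            rejected = True
        return {"first": first, "second": second, "third": third,
                "roundtrip": roundtrip, "tampered_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The reverse direction the comment mentions (decrypting new `.enc` files back into the cleartext directory) is the mirror image of `sync_cleartext_to_dropbox` and is left out here. Two points carry over to a real deployment with gpg: keep the change-tracking manifest outside the synced folder, and always verify integrity before decrypting, since the provider can alter what it stores.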

You should be able to mount a

Posted by Anonymous

You should be able to mount a Dropbox account into GnomeVFS. A loopback or TrueCrypt equivalent should work fine, if a bit slowly.

You could then use a unioning filesystem like UnionFS or aufs.

Write changes into a new volume and upload that. On the other side, download the new volume, have the unioning filesystem read the changes, and write its own changes to yet another new volume... and so on...

Once every so often consolidate the filesystem and begin again.
