Non-Linux FOSS: TrueCrypt
TrueCrypt is a fully open-source tool for encrypting data. That data can be on a completely encrypted hard drive, or just an encrypted image file. Thankfully, the encryption works the same regardless of your platform, so Windows and OS X users can share encrypted files between computers.
We really like to use TrueCrypt in combination with Dropbox, another cross-platform tool, to protect our data in the cloud. Pictured here is the OS X version of TrueCrypt, mounting an encrypted image as a local hard drive. Whether you are storing sensitive data or Grandma's secret recipe, TrueCrypt can keep your data private, even if it's stored on someone else's server.
For more information and downloadable binaries for Windows and OS X, visit http://www.truecrypt.org.
Shawn Powers is an Associate Editor for Linux Journal. You might find him chatting on the IRC channel, or Twitter
Comments
license "woes" like with original cdrtools?
What non-masochism install linux GUI tool functions like TrueCrypt that can also be used on OSX and 64bit Windows pro+ 7+ as R/W?
uploading TC volumes to the cloud is silly. Use cloud processing to generate cloud sized keyspaces or the cloud will rape your workstation keyspace! (duh?)
Mount cloud crypted place, upload into it. If you don't have at least 40 megabit/s upload rate at home you are a cheap wretch.. and possibly lazy, too.
But back to non-beowulf workstation land. How many white-crow linux articles will appear here on the many other tools that are not for linux?
:roll:
I don't quite understand what
I don't quite understand what does it mean by **Non-Linux FOSS**, especially **Non-Linux** in the phrase.
The reason for non-Linux FOSS.
That Microsoft is terrible so methods for working around System Design Flaws are needed. People shoving Microsoft onto other people in order to improve their social status at other people's expense are Dogs. Dogs are part of the people promoting Microsoft through their personal self-promotion campaigns. I've done my part in dealing with those Dogs.
Did I miss something?
Truecrypt is FOSS, you can download it for free, and you can download the source code. And you can download it for linux, so it's not "Non-Linux FOSS" (although you can't do a full disk encryption with it on linux)
More people who don't understand encryption...
Suppose that you encrypt something with either truecrypt or gnupg or any other way. Suppose that you upload it to dropbox or wuala or ubuntu one or whatever else there is. You uploaded the encrypted file which we will represent as C (ciphered text). Now C is the output of Encrypt(Key, Message) or simply E(k,m)=c.
So, for the original message that you upload this equation is E(k,m1)=c1. If you change the unencrypted file and re-upload the encrypted file then we have E(k,m2)=c2. The key (which is either a password or a passphrase) is the same.
Do this a few times (actually a lot of times) and you are giving clues to what the key/message might be. How? By observing the changes in the ciphered texts. For each different encryption type (block or stream) and algorithm, a 'man in the middle' can find out a lot of info on the key/message. After a number of bytes are decrypted then the rest can be either guessed or brute forced (or maybe the attacker is really smart and has some cool heuristic).
So, how to solve this problem? Don't reuse the same key after a number of uploads and don't reuse the same key with different files. The attacker never knows if and when you change your keys, so even if you cycle between 2 or 3 keys you are a lot safer than with a super duper hard-to-guess key.
I am not gonna comment on truecrypt being FOSS, but I am gonna comment on the OSX screenshots. This is linux journal, at least post screenshots from linux!
What is with the incorrect title?
Truecrypt isn't FOSS! It is not open source and it's not even free software. Seriously Mr. Powers?
http://en.wikipedia.org/wiki/Free_and_open_source_software
TrueCrypt is indeed not FOSS
However, encfs *is* FOSS http://www.arg0.net/encfs
There is even a Windows port http://members.ferrara.linux.it/freddy77/encfs.html
I use both the Linux and the Windows versions, with DropBox and Ubuntu One and it works great.
Encfs has another advantage over TrueCrypt: rather than encrypting the entire volume, encryption is done on a per-file basis. So only the changed file has to be re-uploaded rather than the *whole volume* each time you change something.
Actually, how safe it is?
For some time I am seeking an answer on the question: how safe indeed are OS encryption tools/methods currently widely available?
If (NSA?, NIST?) says xxx bit long key is safe for nonmilitary encryption of govt. data - does it mean that such authority feels free to deal with such keys in case of necessity? Does it mean that such public initiatives like "break the RC5" are just smoke on the water?
The same relates to TLS/SSL communications and ssh.
true crypt
encryption
read about free products , especially readers comments
http://www.linuxjournal.com/content/non-linux-foss-truecrypt
TrueCrypt = FOSS?
Arch, Debian, Ubuntu, Gentoo, nor openSUSE seem overly pleased with TrueCrypt's Lic. either.
Last I knew, none of these distributions include TrueCrypt because of the licensing issues.
This does not necessarily stop me from using it, but I like to go in with my eyes open.
SpiderOak
I use SpiderOak which is a combination of both. It has an encrypted communication protocol between your machine and the cloud. Data are stored encrypted in the cloud. It is also a multiplatform application and has many more possibilities than dropbox.
I like it.
SpiderOak looks like it is for cloud storage.
TrueCrypt is for hard drives.
FOSS Licensing in General
This blind belief in license assurances reminds me a bit about the controversy which arose over Moonlight and the MONO project. Moonlight was the "open source" answer to Microsoft's Silverlight (which has been abandoned). Microsoft's response was basically, we're giving this to the world for free. Trust us! The amazing folks at Groklaw published an article about it, which is here:
http://www.groklaw.net/article.php?story=20080528133529454
My favorite line: "Rather than guess, I wrote to the Software Freedom Law Center, asking if they could answer some questions about it, and Dan Ravicher eventually answered my questions. The bottom line? I'd say this stuff is radioactive. But you can judge for yourself."
If it isn't the GPL you need to view any license with a degree of suspicion. The problem is that NO ONE reads these things, people in the Windows and Apple worlds just blindly click "I agree" - little do they know they could have just given away their first born.
Has something changed
Has something changed recently? If not I'm shocked that the Linux Journal has posted an article claiming that TrueCrypt is FOSS. According to the Fedora Community, which only includes FOSS items in its distribution, Truecrypt is on the Forbidden Items list.
Just because a company claims that its software is FOSS, doesn't make it so. Fedora has been attempting for years to work with TrueCrypt but so far they have refused to make the necessary license changes.
According to Fedora: "The TrueCrypt software is under a poor license, which is not only non-free, but has the potential to be actively dangerous to end users or distributors who agree to it, opening them to possible legal action even if they abide by all of the licensing terms, depending on the intent of the upstream copyright holder. Fedora continues to make efforts to try to work with the TrueCrypt upstream to fix all of the issues in their license so that it can be considered Free, but have not yet been successful."
If you choose to use non-free software, that is your choice, but don't claim it is FOSS when it most certainly isn't.
Looks like FOSS to me
I'm no lawyer, nor have I yet looked at anything from the Fedora Community regarding TrueCrypt, but having just read through the TrueCrypt license, it looks like FOSS to me.
The Free Software Foundation's Four Freedoms:
0. "The freedom to run the program, for any purpose." - The TrueCrypt license expressly allows you to use unmodified copies {"...You may use This Product freely... on any number of computers/systems for non-commercial and/or commercial purposes."} and modified copies {"...You may use (for non-commercial and/or commercial purposes)... Your Product."}
1. "The freedom to study how the program works, and change it so it does your computing as you wish. Access to the source code is a precondition for this." - TrueCrypt provides its source code, and allows derivative works {"You may modify This Product (thus forming Your Product), derive new works from This Product or portions thereof (thus forming Your Product), include This Product or portions thereof in another product (thus forming Your Product, unless defined otherwise in Chapter I)..."}
2. "The freedom to redistribute copies so you can help your neighbor." - TrueCrypt allows distribution of unmodified copies {"You may make copies of This Product (unmodified) and distribute copies of This Product (unmodified)..."} and modified copies {"You may modify This Product... and You may... copy, and/or distribute Your Product."}
3. "The freedom to distribute copies of your modified versions to others. By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this." - TrueCrypt allows this, see number 2.
I think this can even be described as a copyleft OSS license, since it requires that you release the source code for any modified version you make {"The complete source code of Your Product must be freely and publicly available...You must include the following items with every copy of Your Product...: a clear and conspicuous notice stating that Your Product or portion(s) thereof is/are governed by this version of the TrueCrypt License, a verbatim copy of this version of the TrueCrypt License (as contained herein), a clear and conspicuous notice containing information about where the included copy of the License can be found, and an appropriate copyright notice"}
What I'm wondering is, why is this called 'Non-Linux FOSS'? I'm using it on Linux right now.
Here is more information from
Here is more information from the Fedora community.
http://fedoraproject.org/wiki/Talk:Forbidden_items
The reason I know about this is I looked into using TrueCrypt a few years ago, couldn't find it in the Fedora repository and became curious why. Once I did my research I decided I could live without TrueCrypt. Every once in a while I see a story like this one and think oh, TrueCrypt has changed their license. They haven't.
The bottom line is that the Fedora Project has deemed this forbidden. Fedora has lawyers and an obvious association with Redhat. The Fedora Project has been trying for years to get this resolved. It's not like they are purposely excluding the package. The fact that the Fedora Community has taken the time to post this information and mark TrueCrypt as a Forbidden item should not be taken lightly.
Not to sound harsh, but you've admitted you aren't a lawyer and you haven't researched the issues the Fedora Project has with TrueCrypt. Then you post something about TrueCrypt which uses some pretty words and then say you think it can be described as a Copyleft license. I have no idea what you posted, but it ain't the license. This is the license:
http://www.truecrypt.org/legal/license
The problem I have with this article is that it is definitely misleading and inaccurate. I expect more from the Linux Journal than spreading misinformation.
I would consider brushing off
I would consider brushing off the criticisms of the license, at least for individual use, if that were the only issue with Truecrypt. What I find more worrisome is that the Truecrypt team has failed to discuss the issue, with the Fedora team or anyone else, for several years, and for some reason the Truecrypt team insists on anonymity, so there's no real accountability. Bruce Schneier and other security experts have gone over the code, so it's not that the software is, in itself, a Trojan horse of some kind. But without an accountable team behind the software, you can't count on code maintenance and development to keep pace with other developments in software and hardware. So it seems short-sighted to depend upon Truecrypt.
I second these comments
I second these comments 100%.
I had a look at this the other day and ran a mile when I found the license document ... http://www.truecrypt.org/legal/license
This is far, far away from being FOSS as we know it.
How does that work?
"We really like to use TrueCrypt in combination with Dropbox, another cross-platform tool, to protect our data in the cloud."
How does that work, exactly? Are you able to mount the TrueCrypt volume locally while it is on Dropbox? Or are you changing the TrueCrypt volume locally and then up/downloading it to/from Dropbox? I haven't figured out how to do the former, and the latter seems extremely inconvenient.
I should add that I've used TrueCrypt for quite a while and I love it. But I haven't been able to figure out how to fully incorporate it with "The Cloud".
EDIT: I should add I'm not currently a Dropbox user, but I use a few other Cloud storage services, so if this is a Dropbox-specific feature, please let me know.
----
Laugh at life or life will laugh at you.
For dropbox I use gpg to
For dropbox I use gpg to encrypt files individually. I have a cleartext directory on my desktop that I stick my files in. In the background I have some python scripts I wrote running that will place an encrypted copy of any new/altered file to my actual dropbox folder, and if there is a new/altered file in my dropbox directory it gets copied and decrypted to my cleartext directory. Each file is individually encrypted, so I don't get killed uploading/downloading to dropbox, and dropbox only ever sees the encrypted files. I have this running on an ubuntu computer and a mac.
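The per-file workflow described in the comment above (and the per-file advantage raised in the encfs comment earlier), as an added example that is not the commenter's own scripts: it finds cleartext files whose encrypted copy is missing or older and re-encrypts only those with `gpg`. The directory names, the recipient key ID and the function names are assumptions, and only the cleartext-to-Dropbox direction is shown.

```python
import os
import subprocess
import sys
from pathlib import Path


def stale_files(clear_dir, cipher_dir):
    """Relative paths of cleartext files whose .gpg copy is missing or older."""
    clear_dir, cipher_dir = Path(clear_dir), Path(cipher_dir)
    stale = []
    for src in sorted(clear_dir.rglob("*")):
        # Skip symlinks so a link pointing outside the cleartext tree is
        # never encrypted and uploaded by accident.
        if src.is_symlink() or not src.is_file():
            continue
        rel = src.relative_to(clear_dir)
        dst = cipher_dir / (str(rel) + ".gpg")
        if not dst.exists() or dst.stat().st_mtime_ns < src.stat().st_mtime_ns:
            stale.append(rel)
    return stale


def gpg_command(src, dst, recipient):
    """Public-key encryption of one file; --batch/--yes keep gpg non-interactive."""
    return ["gpg", "--batch", "--yes", "--recipient", recipient,
            "--output", str(dst), "--encrypt", str(src)]


def sync(clear_dir, cipher_dir, recipient, run=subprocess.run):
    """Encrypt every stale file into cipher_dir and return what was updated.

    `run` is injectable so the logic can be exercised without gpg installed.
    """
    updated = []
    for rel in stale_files(clear_dir, cipher_dir):
        src = Path(clear_dir) / rel
        dst = Path(cipher_dir) / (str(rel) + ".gpg")
        dst.parent.mkdir(parents=True, exist_ok=True)
        # Write to a temporary name, then rename atomically, so the sync
        # client never picks up a half-written ciphertext under the real name.
        tmp = dst.with_name(dst.name + ".tmp")
        run(gpg_command(src, tmp, recipient), check=True)
        os.replace(tmp, dst)
        updated.append(rel)
    return updated


if __name__ == "__main__":
    # Assumed usage: sync.py <cleartext dir> <dropbox dir> <recipient key id>
    for path in sync(sys.argv[1], sys.argv[2], sys.argv[3]):
        print("encrypted", path)
```

With this layout the storage provider still sees file names, directory structure and approximate sizes; only the contents are encrypted.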
You should be able to mount a
You should be able to mount a dropbox account into the gnomevfs. A loopback or truecrypt equivalent should work fine if not a bit slowly.
You could then use a unioning filesystem like unionFS or auFS.
Write changes into a new volume and upload that. On the other side download the new volume, have the unioning filesystem read the changes, and write its own changes to yet another new volume... and so on...
Once every so often consolidate the filesystem and begin again.