Good external drive for backups, but rarely used.

[Benm]

That would become quite problematic indeed.

Truecrypt is a very strange story, and the reasons support and development stopped are still unclear. It did pass some security audits though, and law enforcement reported difficulty decrypting these volumes without extracting they key for the suspect (which can be quite hard if the suspect is say, dead as a doornail).

7 zip has had some recent issues too, though they have apparently been patched (no proper proof of that).

But an important thing to notice with vulnerabilities is how bad they are, or are not. No vulnerabilities have been reported in either truecrypt or 7zip that would allow you to access a volume or file quickly as long as the passphrase is decent.

Even if there was a severe vulnerability that reduced cracking effort by 2^20 (a million times), something that would normally talk a million years to decrypt on a desktop computer would still be safe from oppurtunistic hackers (that will not spend a full year hacking into something they don't know contains something very valuable). Sure the NSA coud crack it quickly with some effort, but that's not the enemy most people have.

And in case you worry about that million years extra: make your passphrase 4 characters longer, that'd easily overcome any brute force attempt even if the encryption is compromised by 2^20.

 

[Bionic-Badger]

Yeah, the TrueCrypt story is indeed strange, with theories about him leaving encoded messages saying that it's been compromised and stuff. My personal thoughts are that he was threatened because it was too hard to crack, had measures that provided reasonable doubt (hidden volumes, etc.), and could be used for free virtually anywhere. It made it just too easy for anyone to hide their stuff.

At least with Microsoft's BitLocker, which was suggested by the TC website after the software was taken down, they might have some sort of backdoor or something, and no such thing as hidden volumes, etc. Hell, Microsoft allows the NSA to wiretap Skype and probably bought Skype at their behest.

I thought it was pretty suspicious how the TC software was just outright taken down, not even just archived and not supported anymore. They suggested using Bitlocker instead, claiming that the only reason TC was created was to provide desktop encryption, which seems like a huge stretch.

I'd probably use Truecrypt and break it down across smaller parts. Then create some PAR2 recovery volumes should parts of the set become corrupted.

 

[Benm]

I have similar thoughts on that. Law enforcement surely had a very hard time with truecrypt, both in decrypting known volumes as in discovering hidden ones as long as they were properly created.

If it was retracted because of a vulnerability we would have seen some evidence of that, like a truecrypt partition or container being decoded without access to the key with any serious length of that key. None was presented to this day.

But even if it had some vulnerability that could have been patched instead of ditching the whole product one day to the other.

I'm not too big on conspiracies, but i can't really shake the feeling that it might be at play here. Truecrypt had the hidden volumes that provided plausible deniability, something not found in bitlocker and such.

This would be hugely problematic for law enforcement since any suspect could deny the volume being there, and there would be no method to prove it actually was where to force the suspect to give up the key even in countries where law requires that.

So yeah, i'll continue using it for sensitive data until there is any prove it is not secure and other systems are better.

With that i'm not saying that bitlocker or similar systems have some kind of backdoor at all, but they do lack the plausible deniability of a hidden volume.

 

[Bionic-Badger]

Yes, "Plausible deniability" -- that was the term I was looking for!