
  • Continue to use TrueCrypt, because even a serious analysis did not reveal any security problems. This is a good course of action, because TrueCrypt has proven itself to be an excellent and reliable program in every sense. Plus, it's free. Possibly, when moving to more recent operating systems, there may be compatibility issues with TrueCrypt in the future.
  • Use one of the TrueCrypt forks. This is as good as the first option, while there is hope for updates to the program and the addition of new functions and algorithms. The main advantage is that they retain all the functionality of TrueCrypt.
  • Select a third-party product. There are many such products; we will consider some of them.
Programs instead of TrueCrypt

VeraCrypt

VeraCrypt is a free encryption program from IDRIX (the project link is hidden from guests on the original page); the program is based on TrueCrypt.

It increases the security of the algorithms used to encrypt the system and partitions, making them resistant to new developments in brute-force attacks. For example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations, while VeraCrypt uses 327661! And for standard containers and other partitions, TrueCrypt uses no more than 2000 iterations, while VeraCrypt uses 655331 for RIPEMD160 and 500000 iterations for SHA-2 and Whirlpool.

These security enhancements only add some latency to opening partitions, with no loss of performance during the use phase. This is acceptable to the true owners, but it makes it very difficult for attackers to gain access to encrypted data.

DiskCryptor

This program can encrypt both the system partition and non-system partitions, supports all the latest versions of Windows, third-party bootloaders and much more. DiskCryptor supports multiple encryption algorithms and their combinations, AES hardware acceleration if the system supports it, and full support for external drives. In terms of functionality, this program is the closest to TrueCrypt.

[product name hidden from guests on the original page]

(commercial)

Allows you to create encrypted containers. The vendor officially declares that the program contains no backdoors or hidden implants ("bookmarks"), because it is located in a country whose legislation cannot force it to add them. Among the interesting features is a file manager (Disk Firewall) that protects data from illegal copying and viruses: it allows only authorized programs to make changes to the data on the encrypted drive.

[product name hidden from guests on the original page]

This program cannot encrypt partitions, only individual files. Although not a complete alternative to TrueCrypt, it can be used to encrypt important files on the system. The program uses the AES algorithm with a 128-bit key and also supports key files.

[product name hidden from guests on the original page]

Available for Windows, Mac, Linux and mobile operating systems. It only supports file encryption, which simply means that you can right-click a file and encrypt or decrypt it.

BitLocker

BitLocker is part of Windows only in the Enterprise and Ultimate editions, and in the Pro edition on Windows 8. Claims that BitLocker has a built-in backdoor for law enforcement and other services have never been proven, but it does have key recovery functionality that can be used to decrypt disks protected by this program, and the recovery key may be stored on Microsoft servers rather than locally.

Cloudfogger

(as well as Boxcryptor, CryptSync and Viivo from PKWare)

Specifically designed to protect the data you sync with cloud services such as Google Drive, OneDrive or Dropbox. It uses 256-bit encryption and detects supported providers automatically upon installation. Not available for Linux.

The service has stopped working (Sophie Hunt, thanks for the info). The website carries the following notice:

The Cloudfogger project has been stopped, Cloudfogger is not available anymore.
Current Cloudfogger users should re-encrypt their files with a new solution as we will also turn off our keyservers in the following weeks.
Looking for an alternative? How about [link hidden from guests on the original page]

It might be worth taking a look at [product name hidden from guests on the original page] as an alternative to Cloudfogger.

[product name hidden from guests on the original page]

Can be used to synchronize encrypted copies of files to a cloud service.

[product name hidden from guests on the original page]

Another program if you want to encrypt data in the cloud.

[product name hidden from guests on the original page]

(free for personal use)

This program can be used to encrypt individual files, directories or drives on Windows. The project website lacks information about the ciphers and encryption algorithms used.

[product name hidden from guests on the original page]

Available for Linux only. Supports TrueCrypt drives and others. Source code is available.

Programs for data encryption

Of course, it is not possible to cover all programs in one note. But if you want to continue research in this direction, here is another list of data protection programs for you. Try them and post your results in the comments.

  • Encrypt4all
  • Exlade Cryptic Disk
  • Folder Encryption Dog
  • GiliSoft Private Disk
  • G-Soft Easy Crypter
  • HiTek Software AutoCrypt
  • idoo Full Disk Encryption
  • Jetico BCArchive
  • Jetico BestCrypt
  • KakaSoft KaKa Private Disk
  • Kruptos 2
  • NCH MEO Encryption Software
  • Odin HDD Encryption
  • Odin U Disk Encrypt Creator
  • PC-Safety Advanced File Vault
  • Rohos Disk Encryption
  • SafeEnterprise Protect Drive
  • SafeHouse Professional
  • SecurStar DriveCrypt
  • Steganos Safe Professional
  • Symantec Encryption Desktop Professional
  • Utimaco SafeGuard Easy
  • Utimaco Safeware AG PrivateDisk
  • ZardsSoftware SafeKeeping
  • AbelsSoft CryptBox Pro
  • Comodo Disk Encryption
And now over to you: are there other alternatives not mentioned here? Share them with everyone in the comments. Tell us which program you prefer and why.


This is the first of five articles in our blog dedicated to VeraCrypt. It discusses the differences between VeraCrypt and its ancestor TrueCrypt, where to download VeraCrypt, portable installation and the Russian localization.

If you are looking for encryption instructions, read:

Since the closure of the TrueCrypt project in 2014, VeraCrypt has remained its most popular fork, which not only repeats the capabilities of the original, but also fixes a number of TrueCrypt vulnerabilities, and also brings additional functionality that was missing before.

Features of VeraCrypt and differences from TrueCrypt

  1. TrueCrypt used an insufficient number of iterations for PBKDF2 (the standard for deriving encryption keys from passwords); in VeraCrypt the number of iterations for the system partition was increased from 1000 to 327661, and for other partitions and file containers from 2000 to 655331, which significantly increases the cryptographic strength of the derived keys.
  2. VeraCrypt fixes bugs in and optimizes the bootloader code, which made it possible to use SHA-256 as the hash function when encrypting the system partition of a hard drive, whereas TrueCrypt used the less secure RIPEMD-160 algorithm.
  3. VeraCrypt drivers carry a Microsoft digital signature, which is required for correct installation on Windows 10.
  4. Versions 1.18 and later allow encrypting Windows computers that boot via EFI instead of BIOS; they also fixed a vulnerability that allowed hidden partitions to be detected.
  5. Starting with version 1.0f, VeraCrypt supports mounting partitions and containers encrypted with TrueCrypt, and the ability to convert TrueCrypt-encrypted containers and non-system hard disk partitions to the VeraCrypt format has also been added.
  6. Many software bugs were fixed: memory leaks, buffer overflows and DLL loading vulnerabilities.
  7. A complete analysis and refactoring of the code was carried out.
  8. Versions are available for macOS and Linux.
VeraCrypt is evolving: new versions, fixes and improvements keep coming out. Three years after TrueCrypt was shut down, the time has finally come to abandon it and start using a more modern and secure tool.

Where to download VeraCrypt

Official download page on the VeraCrypt website, versions available for Windows, Linux, MacOSX, as well as PGP signed installer and user manual in English.

VeraCrypt Portable version or traditional installation

If you are going to encrypt the system partition of a disk with Windows, then you need to install VeraCrypt; to do this, select Install during the installation process. For all other cases, simply extracting the program files to the specified folder is enough: select Extract (this is the portable version).

Russian localization of VeraCrypt

The Russian language, among others, is available from the program's main menu. Select Settings -> Languages, find Russian in the window that opens and click OK. All instructions and recommendations in the following articles will be given for both the English and the Russian versions of the interface.

P.S

We hope our article turned out to be useful, and you encrypted your data securely, but do not forget to take care of communication security - try our


The idea for this article was born when EFSOL specialists were tasked with analyzing information security risks in the restaurant business and developing measures to counter them. One of the significant risks was the possibility of seizing management information, and one of the countermeasures was the encryption of accounting databases.

I will say at once that considering all possible crypto products, or solutions built around specific accounting systems, is outside the scope of this article. We are only interested in a comparative analysis of personal encryption tools, for which we have chosen the most popular free and open-source solution and a couple of the most heavily promoted commercial analogues. Inexperienced users should not be afraid of the phrase "open source": it only means that a group of enthusiasts is engaged in the development and is ready to accept anyone who wants to help.

So why did we take this approach? The motivation is extremely simple.

  1. Different companies use their own accounting systems, so we choose encryption tools that are not tied to a specific platform, that is, universal ones.
  2. It is more reasonable to use personal cryptographic protection in small enterprises where 1-5 users work with the accounting program. For large companies, the theft of management information entails larger financial losses, and therefore protection solutions will cost much more.
  3. Analyzing many commercial encryption products makes no sense: it is enough to evaluate a few of them to form an understanding of price and functionality.

Let's move on to comparing the products, which is convenient to do with a pivot table. I have deliberately left out many technical details (such as support for hardware acceleration or multithreading, multiple logical or physical processors) that give the average user a headache. Let us dwell only on the functionality from which we can really highlight benefits.

Pivot table

| Feature | TrueCrypt | Secret Disk | Zecurion Zdisk |
| Latest version at the time of review | 7.1a | 4 | No data |
| Price | Free | From 4 240 rub. per computer | From 5250 rub. per computer |
| Operating systems | Windows 7, Windows Vista, Windows XP, Windows Server 2003, Windows Server 2008 (32-bit and 64-bit); Windows Server 2008 R2; Windows 2000 SP4; Mac OS X 10.7 Lion (32-bit and 64-bit); Mac OS X 10.6 Snow Leopard; Mac OS X 10.5 Leopard; Mac OS X 10.4 Tiger; Linux (32-bit and 64-bit, kernel 2.6 or compatible) | Windows 7, Windows Vista, Windows XP (32-bit and 64-bit) | Windows 98; Windows Me; Windows NT Workstation; Windows 2000 Professional; Windows XP; Windows Vista |
| Built-in encryption algorithms | AES; Serpent; Twofish | No | No |
| Use of cryptographic providers (CSPs) | No | Microsoft Enhanced CSP: Triple DES and RC2; Secret Disk NG Crypto Pack: AES and Twofish; CryptoPro CSP, Signal-COM CSP or ViPNet CSP: GOST 28147-89 | RC5, AES; KRYPTON CSP: GOST 28147-89 |
| XTS encryption mode | Yes | No | No |
| Cascading encryption | AES-Twofish-Serpent; Serpent-AES; Serpent-Twofish-AES; Twofish-Serpent | No | No |
| Transparent encryption | Yes | Yes | Yes |
| System partition encryption | Yes | Yes | No |
| Authentication before OS boot | Password | PIN + token | No |
| Disk partition encryption | Yes | Yes | No |
| Creating container files | Yes | Yes | Yes |
| Creating hidden partitions | Yes | No | No |
| Creating a hidden OS | Yes | No | No |
| Portable drive encryption | Yes | Yes | Yes |
| Working with portable drives | Yes | No | No |
| Network operation | Yes | No | Yes |
| Multi-user mode | By means of NTFS | Yes | Yes |
| Password-only authentication | Yes | No | No |
| Authentication by key file | Yes | No | No |
| Support for tokens and smart cards | Tokens supporting PKCS #11 2.0 or higher | eToken PRO/32K USB key (64K); eToken PRO/72K USB key (Java); eToken PRO/32K smart card (64K); eToken PRO/72K smart card (Java); eToken NG-FLASH combined key; eToken NG-OTP combined key; eToken PRO Anywhere | Rainbow iKey 10xx/20xx/30xx; ruToken; eToken R2/Pro |
| Emergency disabling of encrypted drives | Hotkeys | Hotkeys | Hotkeys |
| Duress password | No | Yes | Yes |
| Plausible deniability | Yes | No | No |
| Contents of delivery | No boxed version; the distribution is downloaded from the developer's site | eToken PRO Anywhere USB key with a product license; printed quick guide; CD-ROM (distribution kit, detailed documentation, MBR boot part); DVD box packaging | License; USB key and USB extension cable; distribution disk; printed documentation; ACS-30S smart card reader/writer |

Following the laws of the genre, it remains only to comment on individual points and highlight the advantages of each solution. Everything is clear with product prices, as well as with supported operating systems. I will only note that the versions of TrueCrypt for macOS and Linux have their own nuances of use, and that installing it on Microsoft server platforms, although it gives certain advantages, is entirely unable to replace the extensive functionality of commercial data protection systems in a corporate network. Let me remind you that we are still considering personal cryptographic protection.

Built-in algorithms, crypto providers, XTS and cascading encryption

Crypto providers, unlike built-in encryption algorithms, are separately plug-in modules that determine the encoding (decoding) method used by the program. Why do commercial solutions use packages of crypto providers? The answers are simple, but financially justified.

  1. There is no need to make changes to the program to add certain algorithms (to pay for the work of programmers) - just create a new module or connect third-party solutions.
  2. All over the world, international standards are being developed, tested and implemented, but for Russian government agencies it is necessary to comply with the requirements of the FSTEC and the FSB. These requirements imply licensing the creation and distribution of information security tools.
  3. Crypto providers are the means of data encryption, and the programs themselves do not require development and distribution certification.

Cascading encryption is the ability to encode information with one algorithm when it has already been encoded with another. This approach, although it slows down the work, allows you to increase the resistance of protected data against hacking - the more the “opponent” knows about encryption methods (for example, the algorithm used or the key character set), the easier it is for him to disclose information.

XTS (XEX-based tweaked-codebook mode with ciphertext stealing) is a logical development of the earlier XEX and LRW block encryption modes, in which vulnerabilities were found. Since read/write operations on storage media are performed sector by sector in blocks, stream encryption methods are unsuitable. Thus, on December 19, 2007, the XTS-AES method for the AES algorithm was described and recommended by the international standard for protecting stored information, IEEE P1619.

This mode uses two keys: the first is used to generate the initialization vector (the tweak), and the second to encrypt the data. The method works according to the following algorithm:

  1. generates the vector by encrypting the sector number with the first key;
  2. XORs (adds modulo 2) the vector with the original data;
  3. encrypts the result with the second key;
  4. XORs the vector with the encryption result;
  5. multiplies the vector in the finite field defined by the generating polynomial, to obtain the vector for the next block.

The National Institute of Standards and Technology recommends XTS for encrypting data on devices with a block-structured internal layout because it:

  • is described by an international standard;
  • has high performance thanks to precomputation and parallelization;
  • allows any sector block to be processed independently by computing its initialization vector.

I also note that IEEE P1619 recommends using the XTS method with the AES encryption algorithm; however, the mode's architecture allows it to be used with any other block cipher. Thus, if a device that implements transparent encryption needs to be certified under the requirements of Russian legislation, XTS can be combined with GOST 28147-89.
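A minimal XTS-AES implementation of the five steps above, added here as an example (it is not code from the article or from any of the compared products). It assumes whole 16-byte blocks, so the ciphertext-stealing path for partial sectors is left out, and the step-5 multiplication is by the field element α modulo x^128 + x^7 + x^2 + x + 1, as IEEE 1619 specifies; the first sector number is encoded little-endian:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// XTS holds the two independent keys of the mode: dataCipher encrypts the
// blocks, tweakCipher produces the per-sector initialization vector
// (the article calls these the "second" and "first" key respectively).
type XTS struct {
	dataCipher  cipher.Block
	tweakCipher cipher.Block
}

// NewXTS splits a 32-byte (AES-128) or 64-byte (AES-256) key in half;
// IEEE 1619 requires the two halves to be distinct keys.
func NewXTS(key []byte) (*XTS, error) {
	if len(key) != 32 && len(key) != 64 {
		return nil, errors.New("xts: key must be 32 or 64 bytes (two AES keys)")
	}
	half := len(key) / 2
	k1, err := aes.NewCipher(key[:half])
	if err != nil {
		return nil, err
	}
	k2, err := aes.NewCipher(key[half:])
	if err != nil {
		return nil, err
	}
	return &XTS{dataCipher: k1, tweakCipher: k2}, nil
}

// mulAlpha multiplies the tweak by alpha (the element x) in GF(2^128)
// modulo x^128 + x^7 + x^2 + x + 1, in the little-endian bit order of
// IEEE 1619: shift left across the 16 bytes and fold the carried-out
// bit back in as 0x87.
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// process runs the data-unit transform from the article: T = E_k2(sector),
// then for every block C = E_k1(P xor T) xor T and T = T * alpha.
// Decryption only swaps E for D on the data key; the tweak is unchanged.
func (x *XTS) process(sector uint64, in []byte, decrypt bool) ([]byte, error) {
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("xts: data unit must be a non-zero multiple of 16 bytes")
	}
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], sector) // step 1: sector number as the tweak input
	x.tweakCipher.Encrypt(t[:], t[:])
	out := make([]byte, len(in))
	var blk [16]byte
	for off := 0; off < len(in); off += aes.BlockSize {
		for j := range blk { // step 2: XOR the vector into the block
			blk[j] = in[off+j] ^ t[j]
		}
		if decrypt { // step 3: block cipher under the data key
			x.dataCipher.Decrypt(blk[:], blk[:])
		} else {
			x.dataCipher.Encrypt(blk[:], blk[:])
		}
		for j := range blk { // step 4: XOR the vector into the result
			out[off+j] = blk[j] ^ t[j]
		}
		mulAlpha(&t) // step 5: next block of the sector gets T * alpha
	}
	return out, nil
}

func (x *XTS) EncryptSector(sector uint64, plaintext []byte) ([]byte, error) {
	return x.process(sector, plaintext, false)
}

func (x *XTS) DecryptSector(sector uint64, ciphertext []byte) ([]byte, error) {
	return x.process(sector, ciphertext, true)
}

func main() {
	key := make([]byte, 32) // constructed: two all-zero AES-128 keys (IEEE 1619 test vector 1)
	x, _ := NewXTS(key)
	zeros := make([]byte, 32) // constructed: a 32-byte all-zero data unit
	c0, _ := x.EncryptSector(0, zeros)
	c1, _ := x.EncryptSector(1, zeros)
	// Same plaintext, different sector: the tweak changes the whole ciphertext.
	fmt.Println("sector 0:", hex.EncodeToString(c0))
	fmt.Println("sector 1:", hex.EncodeToString(c1))
}
```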

Emergency shutdown of drives, entering a password "under duress", plausible deniability

Emergency disabling of encrypted disks is an undeniably necessary feature in situations that require an instant response to protect information. But what happens next? The "opponent" sees a system on which cryptographic protection is installed and a disk that the system's own tools cannot read. The conclusion that information is being concealed is obvious.

Then comes the stage of "coercion": the "opponent" will use physical or legal measures to force the owner to disclose the information. The well-established domestic solution, "entering a password under duress", from the category of "I will die, but I will not betray", becomes irrelevant. It is impossible to delete information that the "opponent" has previously copied, and he will do so, have no doubt. Destroying the encryption key only confirms that the information is really important and that a spare key is certainly hidden somewhere. And even without a key, the information is still available for cryptanalysis and attack. I will not expand on how these actions bring the information owner closer to a legal fiasco, but I will talk about the logical method of plausible deniability.

The use of hidden partitions and a hidden OS will not allow the "opponent" to prove the existence of protected information. In this light, disclosure demands become absurd. The TrueCrypt developers recommend obscuring the traces further: in addition to hidden partitions or operating systems, create visible encrypted ones that contain decoy (fictitious) data. The "opponent", having discovered the visible encrypted partitions, will insist on disclosing them. By disclosing such information under duress, the owner risks nothing and relieves himself of suspicion, because the real secrets remain invisible on the hidden encrypted partitions.

Summarizing

There are a great many nuances in protecting information, but those covered here should be enough to sum up interim results; everyone will make the final decision for himself. The advantages of the free program TrueCrypt are its functionality, the opportunity for everyone to participate in testing and improvement, and the abundance of open information about the application. This solution was created by people who know a lot about secure information storage and are constantly improving their product, for people who need a really high level of reliability. The disadvantages include the lack of support, high complexity for the average user, the lack of two-factor authentication before starting the OS, and the inability to connect modules from third-party crypto providers.

Commercial products are full of care for the user: technical support, excellent equipment, low cost, availability of certified versions, the ability to use the GOST 28147-89 algorithm, and a multi-user mode with separated two-factor authentication. Only the limited functionality and naivety in keeping the storage of encrypted data secret are disappointing.

Updated: June 2015.

Although TrueCrypt 7.1a was released on February 7, 2011, it remains the last fully functional version of the product.

The mysterious story of the termination of TrueCrypt development is curious. On May 28, 2014, all previous versions of the product were withdrawn and version 7.2 was released. This version can only decrypt previously encrypted disks and containers; the encryption option has been removed. From that moment on, the site and the program have been calling for the use of BitLocker, and the use of TrueCrypt is called insecure.

This caused a wave of gossip on the Internet: the authors of the program were suspected of planting a "bookmark" (backdoor) in the code. Fueled by information from former NSA employee Snowden that intelligence agencies deliberately weaken cryptographic tools, users began raising funds to audit the TrueCrypt code. Over $60,000 was raised to test the program.

The audit was fully completed by April 2015. The code analysis did not reveal any backdoors, critical architectural flaws or vulnerabilities. TrueCrypt proved to be a well-designed cryptographic tool, although not a perfect one.

Now the developers' advice to switch to BitLocker is seen by many as a "warrant canary". The TrueCrypt authors had always ridiculed BitLocker, and its security in particular. Using BitLocker is also unreasonable because of the closed nature of its code and its unavailability in the "younger" editions of Windows. Because of all of the above, the Internet community tends to believe that the developers are being influenced by intelligence agencies and are hinting at something important by their silence, insincerely recommending BitLocker.

Let's recap

TrueCrypt continues to be the most powerful, reliable and functional cryptography tool. Both the audit and the pressure of the special services only confirm this.

Zdisk and Secret Disk have versions FSTEC certified. Therefore, it makes sense to use these products to comply with the requirements of the legislation of the Russian Federation in the field of information protection, for example, the protection of personal data, as required by Federal Law 152-FZ and its subordinate regulations.



For those who are seriously concerned about information security, there is the comprehensive "Server in Israel" solution, which takes a comprehensive approach to protecting enterprise data.

System integration. Consulting

There are many reasons to encrypt the data on your hard drive, but the cost of data security is slower system performance. The purpose of this article is to compare performance when working with a disk encrypted by different means.

To make the difference more pronounced, we chose not an ultra-modern but an average machine: an ordinary 500 GB mechanical hard drive, a dual-core AMD at 2.2 GHz, 4 GB of RAM, and 64-bit Windows 7 SP1. No antivirus or other programs will be running during the test, so that nothing can affect the results.

To evaluate performance, I chose CrystalDiskMark. As for the tested encryption tools, I settled on the following list: BitLocker, TrueCrypt, VeraCrypt, CipherShed, Symantec Endpoint Encryption and CyberSafe Top Secret.

BitLocker

This is the standard disk encryption tool built into Microsoft Windows. Many simply use it without installing third-party programs. Indeed, why would you, if everything is already in the system? On the one hand, that is right. On the other hand, the code is closed, and there is no certainty that no backdoors were left in it for the FBI and other interested parties.

The disk is encrypted using the AES algorithm with a key length of 128 or 256 bits. The key can be stored in the Trusted Platform Module, on the computer itself or on a flash drive.

If TPM is used, then when the computer boots up, the key can be obtained immediately from it or after authentication. You can log in using a key on a USB flash drive or by entering a PIN code from the keyboard. Combinations of these methods give many options for restricting access: just TPM, TPM and USB, TPM and PIN, or all three at once.

BitLocker has two undeniable advantages: first, it can be controlled through group policies; second, it encrypts volumes, not physical drives. This allows you to encrypt an array of multiple drives, which some other encryption tools cannot do. BitLocker also supports the GUID Partition Table (GPT), which even the most advanced TrueCrypt fork, VeraCrypt, cannot boast of. To encrypt a system GPT disk with it, you will first have to convert it to MBR format. In the case of BitLocker, this is not required.

In general, there is only one drawback - closed source. If you're keeping secrets from the household, BitLocker is great. If your disk is full of documents of national importance, it is better to find something else.

Is it possible to decrypt BitLocker and TrueCrypt

If you ask Google, it will find an interesting program, Elcomsoft Forensic Disk Decryptor, suitable for decrypting BitLocker, TrueCrypt and PGP drives. Within this article I will not test it, but I will share my impressions of another Elcomsoft utility, Advanced EFS Data Recovery. It was excellent at decrypting EFS folders, but only on the condition that no user password was set. If you set a password of even 1234, the program turned out to be powerless. In any case, I failed to decrypt an EFS-encrypted folder belonging to a user with the password 111. I think the situation will be the same with the Forensic Disk Decryptor product.

TrueCrypt

This is a legendary disk encryption program that was discontinued in 2012. The story that happened to TrueCrypt is still shrouded in darkness, and no one really knows why the developer decided to stop supporting his brainchild.

There are only bits of information that do not allow you to put the puzzle together. So, in 2013, fundraising began for an independent audit of TrueCrypt. The reason was information received from Edward Snowden about the intentional weakening of TrueCrypt encryption tools. More than 60 thousand dollars were collected for the audit. At the beginning of April 2015, the work was completed, but no serious errors, vulnerabilities or other significant flaws in the application architecture were identified.

As soon as the audit ended, TrueCrypt was again at the center of a scandal. ESET specialists published a report that the Russian-language version of TrueCrypt 7.1a, downloaded from truecrypt.ru, contained malware. Moreover, the truecrypt.ru site itself was used as a command center: commands were sent from it to infected computers. In short, be vigilant and do not download programs from just anywhere.

The advantages of TrueCrypt include open source, whose reliability is now backed up by an independent audit, and support for Windows dynamic volumes. Disadvantages: the program is no longer developed, and the developers did not have time to implement UEFI / GPT support. But if the goal is to encrypt a single non-system drive, this does not matter.

Unlike BitLocker, which supports only AES, TrueCrypt also offers Serpent and Twofish. To derive the header key from the password and salt, the program lets you select one of three hash functions: HMAC-RIPEMD-160, HMAC-Whirlpool or HMAC-SHA-512. However, a lot has already been written about TrueCrypt, so we will not repeat it here.

VeraCrypt

The most advanced TrueCrypt clone. It has its own volume format, although it can also work in TrueCrypt mode, which supports encrypted partitions and virtual disks in TrueCrypt format. Unlike CipherShed, VeraCrypt can be installed on the same computer alongside TrueCrypt.

INFO

Having retired, TrueCrypt left a rich legacy: it has many forks, including VeraCrypt, CipherShed and DiskCryptor.

TrueCrypt uses 1000 iterations to derive the key that encrypts the system partition, while VeraCrypt uses 327,661 iterations. For standard (non-system) partitions, VeraCrypt uses 655,331 iterations for the RIPEMD-160 hash function and 500,000 iterations for SHA-2 and Whirlpool. This makes encrypted partitions much more resistant to brute-force attacks, but it also noticeably reduces the performance of working with such a partition. By how much, we will soon find out.
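To make the iteration-count difference concrete, here is an added Python example (not code from TrueCrypt, VeraCrypt or this article) that derives a header key with PBKDF2 at the counts quoted above and measures how many password candidates per second a single CPU core can test, which is the number that decides how long an exhaustive search takes. The 64-byte salt and 64-byte header key are assumptions taken from the TrueCrypt header layout, and the `ripemd160` digest name is only usable if the local OpenSSL build provides it.

```python
"""PBKDF2 work-factor comparison: TrueCrypt vs VeraCrypt header-key derivation."""
import hashlib
import time

# Iteration counts as quoted in the article.
ITERATIONS = {
    "truecrypt_system": 1000,        # system partition, PBKDF2-HMAC-RIPEMD-160
    "truecrypt_standard": 2000,      # non-system containers
    "veracrypt_system": 327661,
    "veracrypt_ripemd160": 655331,   # non-system, RIPEMD-160
    "veracrypt_sha512": 500000,      # non-system, SHA-2 / Whirlpool
}
SALT_LEN = 64        # assumption: volume header starts with a 64-byte random salt
HEADER_KEY_LEN = 64  # assumption: two 256-bit keys for AES in XTS mode


def derive_header_key(password: bytes, salt: bytes, hash_name: str,
                      iterations: int) -> bytes:
    """PBKDF2-HMAC-<hash>, the construction TrueCrypt-family volumes use."""
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    # hashlib raises ValueError if OpenSSL lacks the digest (e.g. ripemd160).
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations,
                               HEADER_KEY_LEN)


def guesses_per_second(hash_name: str, iterations: int, samples: int = 3) -> float:
    """Measure how many password candidates per second this core can derive."""
    salt = b"\x00" * SALT_LEN  # constructed; real volumes use a random salt
    start = time.perf_counter()
    for i in range(samples):
        derive_header_key(b"guess%d" % i, salt, hash_name, iterations)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of `length` symbols at `rate`/s."""
    return alphabet_size ** length / rate


if __name__ == "__main__":
    for name in ("truecrypt_system", "veracrypt_system"):
        iters = ITERATIONS[name]
        try:
            digest, rate = "ripemd160", guesses_per_second("ripemd160", iters)
        except ValueError:  # digest missing from this OpenSSL build: use SHA-512
            digest, rate = "sha512", guesses_per_second("sha512", iters)
        years = seconds_to_exhaust(36, 8, rate) / 31_557_600
        print(f"{name} ({digest}, {iters} iters): {rate:,.1f} guesses/s, "
              f"8-char [a-z0-9] exhausted in {years:,.0f} years on one core")
```

The absolute rates depend on the machine, but the ratio between the two runs tracks the iteration ratio, which is exactly the slowdown an attacker faces and, as the article notes, the extra delay the owner pays once per mount.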

Among the advantages of VeraCrypt are open source code and its own, more secure format for encrypted partitions and virtual disks compared to TrueCrypt. The disadvantage is the same as for its progenitor: no support for UEFI / GPT. It is still impossible to encrypt a system GPT disk, although the developers say they are working on this and that such encryption will soon be available. But they have been working on it for two years now (since 2014), and when a release with GPT support will appear, or whether it will appear at all, is not yet known.

CipherShed

Another clone of TrueCrypt. Unlike VeraCrypt, it uses the original TrueCrypt format, so its performance can be expected to be close to that of TrueCrypt.

The advantages and disadvantages are the same, although the inability to install TrueCrypt and CipherShed on the same computer can be added to the disadvantages. Moreover, if you try to install CipherShed on a machine with TrueCrypt already installed, the installer offers to remove the previous program but fails to do so.

Symantec Endpoint Encryption

In 2010, Symantec bought the rights to the PGPdisk program. The result was products such as PGP Desktop and, subsequently, Endpoint Encryption, which is what we will consider here. The program is, of course, proprietary, the source code is closed, and one license costs 64 euros. GPT is supported, but only starting with Windows 8.

In other words, if GPT support is needed and you want to encrypt the system partition, you will have to choose between two proprietary solutions: BitLocker and Endpoint Encryption. It is unlikely, of course, that a home user will install Endpoint Encryption. The problem is that it requires Symantec Drive Encryption, which in turn requires an agent and a Symantec Endpoint Encryption (SEE) management server, and the server wants IIS 6.0 installed as well. Isn't that rather a lot for one disk encryption program? We went through all of it just to measure performance.

Moment of truth

So, we proceed to the most interesting part, namely testing. The first step is to measure the performance of the disk without encryption. Our "victim" will be a 28 GB hard disk partition (a regular disk, not an SSD), formatted as NTFS.

Open CrystalDiskMark, select the number of passes, the size of the temporary file (in all tests we will use 1 GB) and the disk itself. It is worth noting that the number of passes has practically no effect on the results. The first screenshot shows the results of measuring the performance of the disk without encryption with 5 passes, the second with 3 passes. As you can see, the results are almost identical, so we will stick with three passes.

CrystalDiskMark results should be interpreted as follows:

  • Seq Q32T1 - sequential write / sequential read test, queue depth 32, 1 thread;
  • 4K Q32T1 - random write / random read test (block size 4 KB, queue depth 32, 1 thread);
  • Seq - sequential write / sequential read test;
  • 4K - random write / random read test (block size 4 KB).

Let's start with BitLocker. It took 19 minutes to encrypt a 28 GB partition.

Continued available to members only
