Newbie question: How secure is TrueCrypt 6.3a?

It obviously protects against neighborhood break-ins, but is it really
secure against all others that may want access to financial records
and writings and the like?  Are there any "back-doors?"


Re: Newbie question: How secure is TrueCrypt 6.3a?

The short answer is: Yes, Truecrypt is secure (but see my
paranoid PS)

Truecrypt uses secure algorithms and methods and its source
code is available for inspection (although it isn't quite open

You must understand that there are some things that software
encryption, no matter how good, cannot, by its very nature,
protect against, such as hardware keyloggers, video/acoustic
surveillance, evil maid attacks, firewire attacks, etc.  And
the internet!
(Truecrypt only protects data "at rest" - if you're running
and online, you're as vulnerable as anyone else to Trojans,
viruses, etc.)

A few good practices:

1)  BACK UP everything before encrypting.  If you make a
beginner's mistake you don't want to find yourself locked out
of your own data.  With encryption, backups are even more
important than for ordinary computing. CONFIRM you can restore
the backup (You'd be amazed how many backups turn out to be
worthless because they won't restore!)  Later on when you're
experienced you will make frequent encrypted backups but at
the outset use plain unencrypted ones and keep them for a few
weeks/months at least.

2)  Pick a strong password (or passphrase - diceware is also
good).  And backup the Truecrypt header (i.e., make a rescue

3)  Whole disk encryption is superior to container encryption
but there are more possibilities to shoot yourself in the foot
until you become experienced.  Did I mention you should make a

4)  Oh, and in case I forgot to tell you: Make a backup!


PS  I (as a certified paranoid :-) have many misgivings about
how trustworthy Truecrypt is and whether it contains
backdoors, etc.  The authors are far too secretive for my
taste and I REALLY don't like the way they manage their
forums, purge code from the internet, etc.

But, at least on the face of it, Truecrypt is well done.

You only need to begin worrying about how trustworthy
Truecrypt is re backdoors, etc. if your activities are so
high-profile that you could be a target of major intelligence
agencies (NSA, etc.).  Below that, you're bombproof.

Re: Newbie question: How secure is TrueCrypt 6.3a?

Good information, thanks.

From what you say, I don't attract any attention that is skilled
enough to crack my PC's encryption.  All my drives, including my boot
drive, are 100% encrypted.  

Re: Newbie question: How secure is TrueCrypt 6.3a?

Pick a good password/passphrase.  For Truecrypt (and any other
well-implemented AES encryption program) the only ways to
defeat it are 1) assorted trickery (evil maid, firewire,
trojan, video, etc.) and 2) cracking the password (NOT the
encryption algorithm).

Cracking most folks' passwords is **well within the range of
possibility** for a motivated adversary using only moderate

Full 256-bit equivalence (i.e., as strong as the underlying
AES-256 encryption) requires a password of about 45 RANDOMLY-
chosen characters (upper & lower case) - impossible for most
mortals to remember.
But don't go lower than, say, 11 random characters. (64-bit
equivalence or so).  I assume (using Moore's 24-month law)
that decrypting power will increase by one bit each 2 years so
this has some small "futurity" reserve (perhaps a few decades)
against up to ordinary-power adversaries (say, local LEAs). A
64-bit password ISN'T enough against serious adversaries (the
kind who have supercomputers :-)

Or go the diceware route for a good tradeoff between security
and memorability.
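As an added illustration (not written by any of the posters), here is the entropy arithmetic behind the 45-character and 11-character figures above, the Diceware tradeoff, and the "one bit every two years" margin estimate. The adversary capability figure in the demo at the bottom is a constructed assumption, not a value from the thread.

```python
import math

# Alphabet sizes used in the post's reasoning
MIXED_CASE_LETTERS = 52   # upper & lower case letters only, no digits/symbols
DICEWARE_WORDS = 7776     # standard Diceware list: 6**5 words, one per 5 dice rolls


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` independent, uniformly random symbols.

    Only holds for RANDOMLY chosen symbols; a human-chosen password of the
    same length has far less entropy, which is why the post stresses 'random'.
    """
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of random symbols whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def years_of_margin(password_bits: float, adversary_bits_today: float,
                    bits_per_year: float = 0.5) -> float:
    """Years until brute force becomes feasible for the adversary.

    Models the post's assumption that cracking power grows one bit every
    two years (0.5 bits/year). Returns 0 if the password is already in reach.
    """
    if password_bits <= adversary_bits_today:
        return 0.0
    return (password_bits - adversary_bits_today) / bits_per_year


if __name__ == "__main__":
    # The two figures quoted in the post
    print("chars for AES-256 equivalence:", length_for_bits(256, MIXED_CASE_LETTERS))
    print("bits in 11 random mixed-case chars: %.1f" % entropy_bits(11, MIXED_CASE_LETTERS))
    # Diceware: fewer, memorable symbols but ~12.9 bits each
    print("Diceware words for 256 bits:", length_for_bits(256, DICEWARE_WORDS))
    print("bits in a 5-word Diceware passphrase: %.1f" % entropy_bits(5, DICEWARE_WORDS))
    # Constructed assumption for illustration only: an 'ordinary' adversary
    # able to exhaust about 2**50 guesses today.
    ASSUMED_ADVERSARY_BITS = 50
    print("years of margin for a 64-bit password: %.0f"
          % years_of_margin(64, ASSUMED_ADVERSARY_BITS))
```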


Re: Newbie question: How secure is TrueCrypt 6.3a?

As a benchmark - the FBI will at least CLAIM they're unable to crack
Truecrypt if you're a Brazilian criminal billionaire ;-)

Juergen Nieveler

