Tuesday, March 10, 2009

TrueCrypt

As much as I despise the topic of computer security (and computer security people in general for that matter), I truly love TrueCrypt. Some open source software seems unfinished, beta or kludgey. Rarely do you get a gem like TrueCrypt that seems as good as or better than commercial software.


TrueCrypt is an encryption software package that encrypts data at rest (i.e. data on hard drives, thumb drives, etc.). You can encrypt files, folders or even an entire hard drive. It supports numerous software encryption algorithms (AES, Blowfish, Serpent, etc.), hashing algorithms (Whirlpool, SHA-512, etc.), operating systems (OS X, Windoze, Linux, etc.) and authentication mechanisms (smart cards, tokens, certificates, etc.). I’m so impressed with its capabilities that I’ll be presenting a seminar on TrueCrypt at this year’s ILTA conference.
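The list of hashing algorithms above is not decoration: a volume tool needs a hash to stretch the user’s passphrase into the key that unlocks the volume header, and TrueCrypt does this with PBKDF2 using an HMAC built on the hash you pick. The following is an added illustration of that step, not TrueCrypt’s own code; the salt, the iteration count, the key length and the passphrases are constructed assumptions for the demo, not values taken from any real volume.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Illustrative parameters (assumptions for this example, not read from a TrueCrypt volume).
HASH_NAME = "sha512"   # the user-selected hash; the PRF becomes HMAC-SHA-512
ITERATIONS = 1000      # constructed count; a higher count slows down password guessing
KEY_LENGTH = 64        # bytes of key material; enough for two 256-bit keys


def derive_header_key(password: bytes, salt: bytes, hash_name: str = HASH_NAME,
                      iterations: int = ITERATIONS, length: int = KEY_LENGTH) -> bytes:
    """Stretch a passphrase into key material with PBKDF2-HMAC over the chosen hash."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen=length)


def split_keys(key_material: bytes) -> Tuple[bytes, bytes]:
    """Split 64 bytes of key material into a primary and a secondary 32-byte key."""
    return key_material[:32], key_material[32:]


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison so a check does not leak how many bytes agreed."""
    return hmac.compare_digest(a, b)


def demo() -> Dict[str, object]:
    """Show the properties a defender relies on: same inputs give the same key,
    a one-character password change or a different salt gives unrelated key material."""
    salt = os.urandom(64)  # constructed per-volume salt; a real volume keeps it in the header
    good = derive_header_key(b"correct horse battery staple", salt)
    again = derive_header_key(b"correct horse battery staple", salt)
    wrong = derive_header_key(b"correct horse battery stapl", salt)
    other_salt = derive_header_key(b"correct horse battery staple", os.urandom(64))
    return {
        "deterministic": keys_match(good, again),
        "wrong_password_differs": not keys_match(good, wrong),
        "salt_matters": not keys_match(good, other_salt),
        "key_bytes": len(good),
    }


if __name__ == "__main__":
    print(demo())
```

The practical takeaway for a laptop rollout is that the hash choice and iteration count set the cost of every password guess an attacker who copies the disk has to pay, so a long passphrase matters more than which of the listed hashes you pick.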

This year we have decided to encrypt all our laptops with TrueCrypt. After looking at multiple programs, both open source and commercial, I feel that TrueCrypt best meets our needs. Making any decision requires trade-offs. In our case, I first looked at hardware encryption vs. software encryption. Here are a few of the subtle differences:

Hardware:

  • Generally faster than software solutions and can usually run at the native speed of the drive
  • Requires little effort on the part of the user
  • Can sometimes be tied in to other hardware security mechanisms like biometric fingerprint readers, USB keys and RFID keys (The BUSLink devices are really cool by the way. More on them later.)
  • Generally uses proprietary algorithms (so you’re not quite sure exactly what’s happening), and you generally don’t have a wide selection of algorithms to choose from.
  • Some enterprise tools are available for system deployment and management
  • Not available on workhorse models of Lenovo laptops

Software:

  • Numerous encryption/hashing algorithms to choose from
  • Little to no monetary investment
  • Slower to encrypt (and sometimes decrypt) data
  • More granular control of what is and what isn’t encrypted
  • Possible plausible deniability to the existence of data (Hidden volumes and hidden operating systems)
  • Ability to encrypt external hard drives and flash drives
  • Generally requires additional software plug-ins to tie into hardware security mechanisms

I don’t really have the space to go into depth about why I liked TrueCrypt over other commercial and non-commercial packages, but suffice it to say the decision was based on simplicity for the user, cost to the organization, level of security provided by the software and ease of deployment. After I give the presentation I’ll see if I can drop a link to it here for all to see.
