[Noisebridge-discuss] Which can I trust more: TrueCrypt or OSX FileVault?

Micah Lee twopointfour at riseup.net
Sun Feb 13 01:11:42 UTC 2011


I trust TrueCrypt more because it's open source and you have control
over everything, like which cipher to use and the key length. But on the
other hand, I don't believe it's possible to use TrueCrypt to encrypt
your whole home folder or your whole hard drive on a Mac.

The reason FileVault isn't enough for the sufficiently paranoid is
because there are serious attacks that are easy to pull off if you only
encrypt your home folder. For example, let's say at a border crossing
they take your computer into another room for half an hour and then
return it. They might not have access to /Users/youraccount, but they
have access to everything else. They could have added a rootkit that
runs on startup, or a keylogger. They could have replaced /usr/bin/ssh with a
trojan version that still works, but records and sends home all the ssh
credentials you type in. All it takes to decrypt your home folder in the
future is your user's password, so the attacker could have made a copy
of your encrypted home folder and added a malicious version of sudo that
steals your password, or any number of other things.

And I believe there are other math-based attacks against FileVault. And
FileVault has other issues too. I've heard it doesn't play nice with
Time Machine backups, and I once had a problem with it not storing my
default web browser and email client settings for some reason.

It all depends on your paranoia level, but the only way to have real
full-disk encryption on a Mac (that I know of) is PGP Whole Disk
Encryption, but it's proprietary and expensive:
http://www.symantec.com/business/whole-disk-encryption

For Windows, TrueCrypt is your best bet since it has great support for
whole disk encryption. For Linux I would suggest the built-in encryption
that comes with Debian/Ubuntu/Fedora and most other distros, luks/dm-crypt.

Micah

On 02/11/2011 11:44 PM, Sai wrote:
> Assume whatever attack profile you want. Are they equal or is one better?
> 
> - Sai
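
Added example, not part of the original message: one way to detect the kind of tampering described above (a swapped /usr/bin/ssh or sudo on the unencrypted system volume) is to compare binaries against an HMAC-protected baseline. It assumes the key and manifest are kept off the laptop and the check is run from trusted boot media; the temp-directory files and the key below are constructed stand-ins.

```python
import hashlib, hmac, json, os, tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths, key):
    """Record digest and mode for each path; return (manifest, HMAC tag)."""
    manifest = {}
    for p in sorted(paths):
        manifest[p] = {"sha256": file_digest(p), "mode": os.stat(p).st_mode}
    blob = json.dumps(manifest, sort_keys=True).encode()
    return manifest, hmac.new(key, blob, hashlib.sha256).hexdigest()

def verify(manifest, tag, key):
    """Return (path, reason) for changed files; raise if the manifest was altered."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest does not match its HMAC tag")
    changed = []
    for p, rec in manifest.items():
        if not os.path.exists(p):
            changed.append((p, "missing"))
        elif file_digest(p) != rec["sha256"]:
            changed.append((p, "content"))
        elif os.stat(p).st_mode != rec["mode"]:
            changed.append((p, "mode"))
    return changed

def demo():
    """Constructed stand-ins for ssh and sudo in a temp directory."""
    d = tempfile.mkdtemp()
    ssh, sudo = os.path.join(d, "ssh"), os.path.join(d, "sudo")
    for p in (ssh, sudo):
        with open(p, "wb") as f:
            f.write(b"original binary: " + os.path.basename(p).encode())
    key = b"constructed-key-kept-off-the-laptop"
    manifest, tag = build_manifest([ssh, sudo], key)
    with open(ssh, "wb") as f:  # simulate the binary having been swapped
        f.write(b"different bytes")
    return [(os.path.basename(p), why) for p, why in verify(manifest, tag, key)]

if __name__ == "__main__":
    print(demo())
```

A check like this run from the installed system itself can be subverted by the same rootkit it is looking for, which is why the baseline, key and verifier need to live outside the machine.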
