Armouring up online: Duncan Campbell's chief techie talks crypto with El Reg

Truecrypt, PGP, GPG - but NEVER Skype

71 Reg comments Got Tips?

Beware the old "C:\Windows\Temp" catch

Truecrypt is the simplest to understand out of all these tools. Your data is protected by the password you enter when you set it up. If you use a good long password, the data it has protected for you is pretty much perfectly secure. It won’t stop you if you insist on using a short, easily attacked password – and if you forget your really awesome password then there is no magic "recovery" route available.


Truecrypt - version 7.1 considered safe, although caution is advised

Of course, Truecrypt can't help you if the files you have stored inside its robust cryptographic storage are also present in C:\Windows\Temp, or available for forensic recovery after you move them into your Truecrypt container. If you are worried about that, you can get TC to encrypt your boot partition so you have to enter your password to even get Windows to begin booting. Of course, that's still vulnerable if someone snatches your booted-and-unlocked laptop from your grasp.

Despite the recent scares, many people are still comfortable with using the previous (7.1a) release of the massively popular encrypted storage application. Now that the dust has settled a little, I am too.

I share Steve Gibson's opinion that the dire "it's insecure, stop using it" message put out by its developers should more accurately be interpreted as "we quit, there will be no support from us going forward, so please use something else".

At this point, although version 7.1a of Truecrypt is considered safe, it is appropriate to urge a little bit of caution about where you download. This would be a great opportunity for ne'er-do-wells to put up fake mirrors serving compromised, weakened or malware-addled versions of the software. I would recommend either Steve Gibson's mirror on his GRC page, or the new site hosted in Switzerland, as being appropriate and trustworthy.

Now we've got all that out of the way, here's a link to a decent tutorial to walk you through the basic setup (creating a container-file based volume).

For greater depths of background reading, Andrew Y has reconstructed the original Truecrypt website for reference purposes, including the Documentation section.

Securing email with PGP/GPG

While you certainly can use Truecrypt to send files to someone else, that would require you to either pre-arrange a shared password in advance, or have some other already-secure channel to transmit it to them. That's not hugely useful in many situations, such as a whistleblower wanting to communicate securely with a journalist they’ve never met.

That's where the clever maths of Public Key Cryptography comes in. Rather than the "symmetric" model used by Truecrypt (encrypt with a password, decrypt with the same password), Public Key tools work with a mathematically-related pair of really massive numbers. One of those can be shared freely with the entire world and is used to encrypt data (the Public Key), but that ciphertext can then only be decrypted by the other half of the pair, which you keep secret (the Private Key).

The de facto standard for this is OpenPGP, descended from the original Pretty Good Privacy created by Phil Zimmermann. The Free Software toolset GPG (GNU Privacy Guard) is the most commonly used implementation.

There are a number of possible configurations available for GPG, depending on if you would rather use it as a plugin to a local email client or use it entirely as a stand-alone app. My personal preference is to use the Enigmail plugin for the Mozilla Thunderbird mail client, whereas a more-manual approach which requires less changes to your general way of working (not needing you to use a different email client) would be to use the Gnu Privacy Assistant (GPA) standalone app from the GPG4Win bundle.

There are also Chrome extensions which implement OpenPGP in client-side Javascript inside your browser, to aid using it with webmail services. I haven't used any of these and I'm not sure if they would provide seriously top-tier protection – there are hazards like Gmail's autosaving of unsent emails that could cause your message to be sent to Google "in the clear".

This would be another "security versus convenience" trade-off. For best security, don't compose your sensitive emails in a webmail page – write them locally in Notepad, run them through GPG by hand, then copy+paste the encrypted version in to Gmail to send it.


Biting the hand that feeds IT © 1998–2020