In this post-Edward Snowden world, people are much more conscious about the security and privacy of their data than ever before. TrueCrypt, being free and open source*, is arguably the most secure solution available for encrypting your files locally.
One of the more useful features of TrueCrypt is the ability to create TrueCrypt containers: encrypted files that can be disguised as ordinary files and then mounted and used just like a real disk. It is even possible to create hidden volumes within such containers, which are mounted with a different password and whose existence cannot otherwise be proven. These hidden volumes provide plausible deniability: a target may be coerced into revealing the password of the outer volume, but if the correct precautions are taken (for instance, the outer volume's free space must not be overwritten by later writes, and the host system must not leak traces of the hidden volume's contents) an adversary cannot know that a hidden volume also exists.
Note that TrueCrypt can be used to encrypt an entire partition or storage device, or even to hide an entire operating system on that partition, but that is beyond the scope of this article.
How TrueCrypt Works
TrueCrypt containers can be uploaded to a cloud storage service, and in the author's experience of using them with Dropbox it works well, although the experiment linked from this article suggests that syncing large TrueCrypt containers may be problematic with some services. The reason is that a container is a single opaque file: a service without block-level (delta) sync has to re-upload the whole container after any change inside it.
If you want to keep your files secure but also want to access them from a mobile device, you can use a security-conscious cloud service such as SpiderOak or Wuala. These have many advantages over simply encrypting your files with TrueCrypt and uploading them to the cloud, including easy syncing across a wide range of devices, file versioning, and the ability to encrypt and decrypt single files rather than entire containers.
However, the fact that neither service is open source means their security cannot be independently verified the way TrueCrypt's can, and some additional minor security compromises are made to allow remote syncing (see our article for a more in-depth discussion of these issues).
So this brings us back to TrueCrypt offering the best file security available. When David Miranda, the Brazilian partner of Glenn Greenwald, the Guardian journalist who worked with Edward Snowden, was detained under Schedule 7 of the UK's Terrorism Act 2000 and had his hard drive confiscated, Detective Superintendent Caroline Goode stated:
“TrueCrypt renders the material extremely difficult to access.”
To open TrueCrypt containers on the go using an Android device, a couple of options are available. Cryptonite is in some ways the more elegant solution, as it allows direct manipulation of containers stored in Dropbox, but unfortunately it requires the device to be rooted in order to handle TrueCrypt files (it can handle EncFS files unrooted, however).
For those who don't want to root their devices (quite understandable), there is EDS (Encrypted Data Store). Unfortunately there are no iOS apps capable of handling TrueCrypt containers that we are aware of, although BoxCryptor works with EncFS containers.
Encrypted Data Store (EDS) Lite for Android
EDS Lite is a free and open source app that requires files to be stored locally; either transferred using USB, or downloaded from a cloud service to an Android device. Of course, once modified locally they can be uploaded to the cloud again for cross device and platform syncing. This is known as ‘normal’ mode of operation, and is the only mode supported by the free version of EDS.
The full version costs $7.30, and has a ‘mounted’ mode which supports ‘on the fly’ encryption and decryption, along with a number of other features (listed later). However, because mounted mode requires a rooted device, and because the paid-for version is not open source, we will confine ourselves to reviewing EDS Lite.
We started by creating a test 50 MB TrueCrypt container in Windows, which we then added to our Dropbox folder. For TrueCrypt containers to be compatible with EDS, they must:
- Be encrypted using the AES, Serpent, or Twofish encryption algorithm
- Use the SHA-512, RIPEMD-160, or Whirlpool hash algorithm
- Use the FAT file system
All three are chosen when the container is created and cannot be changed afterwards, so an existing container that uses other settings has to be recreated (and its contents copied across) before EDS can open it.
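The cipher and hash a container uses are not stored anywhere in the clear: TrueCrypt derives a header key from the password with PBKDF2 and tries every supported cipher/hash combination until the decrypted header checks out, which is also why an adversary without the password learns nothing from the container bytes. The script below is an added example (not code from the article, EDS or the TrueCrypt project) that performs that probe for the AES combinations EDS Lite accepts and reports whether the header passes. It assumes the pip package `cryptography` for AES-XTS, the TrueCrypt 7.x header layout (512-byte header: a 64-byte salt followed by 448 bytes encrypted as XTS data unit 0, with the magic "TRUE", a CRC-32 over the decrypted fields and a CRC-32 over the master-key area), and TrueCrypt's PBKDF2 iteration counts. Serpent and Twofish are not tried, so a failed probe can mean a non-AES container as well as a wrong password; `build_header` is only there to construct a fixture for the demonstration.

```python
"""Probe a TrueCrypt 7.x volume header offline and check it against EDS Lite's rules.

Added example; assumes the `cryptography` package and the header layout noted above.
"""
import hashlib
import struct
import zlib
from typing import Optional

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SALT_LEN = 64
HEADER_LEN = 512
ENC_LEN = HEADER_LEN - SALT_LEN      # 448 encrypted bytes follow the salt
KEYS_OFF = 256 - SALT_LEN            # master-key area = header bytes 256..511
CRC_OFF = 252 - SALT_LEN             # CRC-32 of decrypted header bytes 64..251

# PBKDF2-HMAC hash -> iteration count TrueCrypt 7.x uses for non-system volumes
TC_HASHES = {"sha512": 1000, "ripemd160": 2000, "whirlpool": 1000}
EDS_LITE_HASHES = {"sha512", "ripemd160", "whirlpool"}
EDS_LITE_CIPHERS = {"AES", "Serpent", "Twofish"}


def derive_header_key(password: bytes, salt: bytes, hash_name: str) -> bytes:
    """64-byte XTS key pair: bytes 0..31 encrypt data, bytes 32..63 encrypt the tweak."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, TC_HASHES[hash_name], dklen=64)


def _xts(key64: bytes) -> Cipher:
    # The header body is XTS data unit 0, so the 128-bit tweak is all zeros.
    return Cipher(algorithms.AES(key64), modes.XTS(tweak=bytes(16)))


def build_header(password: bytes, hash_name: str, volume_size: int,
                 master_keys: bytes, salt: bytes) -> bytes:
    """Assemble and encrypt a version-5 AES header (a constructed fixture, not a real volume)."""
    assert len(master_keys) == 256 and len(salt) == SALT_LEN
    body = bytearray(ENC_LEN)
    body[0:4] = b"TRUE"                                        # magic
    struct.pack_into(">HH", body, 4, 5, 0x0700)                # header v5, min program 7.0
    struct.pack_into(">I", body, 8, zlib.crc32(master_keys))   # CRC of master-key area
    # hidden-volume size (0 = none), volume size, data-area offset (assumed), data-area length
    struct.pack_into(">QQQQ", body, 28, 0, volume_size, 2 * 65536, volume_size)
    struct.pack_into(">II", body, 60, 0, 512)                  # flags, sector size
    struct.pack_into(">I", body, CRC_OFF, zlib.crc32(bytes(body[:CRC_OFF])))
    body[KEYS_OFF:] = master_keys
    enc = _xts(derive_header_key(password, salt, hash_name)).encryptor()
    return salt + enc.update(bytes(body)) + enc.finalize()


def probe_header(header: bytes, password: bytes) -> Optional[dict]:
    """Try each EDS Lite hash with AES; return the parsed header fields, or None.

    None means: wrong password, a Serpent/Twofish/cascade volume, a hash this
    OpenSSL build lacks, or a corrupted header. Nothing distinguishes these cases.
    """
    if len(header) < HEADER_LEN:
        return None
    salt, ct = header[:SALT_LEN], header[SALT_LEN:HEADER_LEN]
    for hash_name in TC_HASHES:
        try:
            key = derive_header_key(password, salt, hash_name)
        except ValueError:            # hash unavailable in this OpenSSL build; skip it
            continue
        dec = _xts(key).decryptor()
        body = dec.update(ct) + dec.finalize()
        if body[0:4] != b"TRUE":
            continue
        if struct.unpack_from(">I", body, CRC_OFF)[0] != zlib.crc32(body[:CRC_OFF]):
            continue
        if struct.unpack_from(">I", body, 8)[0] != zlib.crc32(body[KEYS_OFF:]):
            continue
        version, min_prog = struct.unpack_from(">HH", body, 4)
        hidden_size, vol_size = struct.unpack_from(">QQ", body, 28)
        sector = struct.unpack_from(">I", body, 64)[0]
        return {
            "cipher": "AES",
            "hash": hash_name,
            "header_version": version,
            "min_program_version": min_prog,
            "volume_size": vol_size,
            "hidden_volume_size": hidden_size,
            "sector_size": sector,
            # The file system lives inside the encrypted data area, so the FAT
            # requirement cannot be confirmed from the header alone.
            "eds_lite_compatible": "AES" in EDS_LITE_CIPHERS and hash_name in EDS_LITE_HASHES,
        }
    return None


if __name__ == "__main__":
    # Constructed fixture: a 50 MB AES/SHA-512 container header.
    fixture = build_header(b"correct horse", "sha512", 50 * 1024 * 1024,
                           bytes((i * 7) & 0xFF for i in range(256)), bytes(range(64)))
    print(probe_header(fixture, b"correct horse"))
    print(probe_header(fixture, b"wrong password"))   # None: indistinguishable from random
```

To check a real container, read its first 512 bytes (`open(path, "rb").read(512)`) and pass them to `probe_header`; a hidden volume's header sits at offset 65536 and is probed the same way with the hidden volume's password, which is exactly why the outer password alone reveals nothing about it.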
We downloaded the container (disguised as a simple text file) locally to an Android device using the excellent ES File Explorer. We then mounted the container by tapping the 'pin' icon, navigating to its location, and entering its password. It should be noted that EDS Lite does not recognize hidden volumes, but the paid-for version does.
You can then use EDS Lite as a file explorer, treating the mounted volume as a regular folder. EDS Lite also works well as a general file explorer app, although we noticed that it didn’t recognize an external SD card. Image files can be previewed in Lite, while the full version should preview most file types.
Unfortunately for this review (but a good thing for security in general), EDS blocks screen capture while it is running, the same Android mechanism DRM-protected apps use, so it is impossible to capture screenshots of the file explorer functions in action. Files are opened using your default Android preferences.
EDS Lite also lets you easily create TrueCrypt containers. The paid-for version of EDS, although not open source, does include some nifty extra features, including:
- Support for hidden containers
- Allows containers to be opened from a network share (e.g. directly from Dropbox)
- Alternatively, network share folders can be mounted on the Android device
- Files can be previewed directly
- Dropbox containers can be synchronized
- ‘Mounted’ mode supports on-the-fly encryption and decryption (requires root)
EDS Lite is a simple, secure, and robust way to decrypt and encrypt TrueCrypt containers on the go. The free version of the app does lack some of the funky bells and whistles found in the full version, which provides many of the advantages offered by much more expensive cloud-based solutions such as SpiderOak or Wuala, but at the cost of the open source nature of its free sibling.
For heavy users of TrueCrypt the extra features of the paid version are likely worth the small trade-off in security, but for the seriously paranoid, or just those whose TrueCrypt needs are more modest, EDS Lite does its job well and without fuss.
* Some elements of TrueCrypt are, strictly speaking, source available rather than truly FOSS (Free and Open Source Software). It is currently being audited by a crowdfunded project to check for backdoors and other nasty surprises.