TrueCrypt is pretty dead. We need some options here, and as far as I can see, there are only two three: * CipherShed. Currently a vanilla fork of TrueCrypt. * VeraCrypt. A fork of TrueCrypt with some fixes and improvements. * Keep using TrueCrypt. Neither of the two alternatives has had an official source code audit or anything. They are both open source. I will give a quick summary of the facts on both forks, concluding that I have no clue and will probably flip a coin roll a D3. Whether these facts are pro or con is up to your discretion.

CipherShed Facts

  • They are on github.
  • They seem dedicated. Meaning, the information on their homepage sounds like they thought this through.
  • Not much has happened yet, they only forked TrueCrypt.
  • There is only a pre-alpha version available, which I won't touch.
  • They do not have any licensing information at all.
  • Longterm Plans are a bit fuzzy, according to their wiki they want to
    • Secure the code through audits, simplification, and a secure architecture.
    • Migrate towards a OSI-approved licensed codebase
    • Work closely with existing efforts such as OpenCryptoAuditProject, LUKS, GELI, and tc-play.

VeraCrypt Facts

  • According to the author in this thread, VeraCrypt was first published on June 22nd 2013, so it has already aged a bit.
  • In fixing some of the security flaws in TC, they break backwards-compatibility. There is a conversion tool available.
  • They are on CodePlex and the software is under Microsoft Public License.
  • Binaries are available for download, cross-platform.
  • Most relevant longterm plan is the ability to encrypt Windows system partitions/drives on UEFI-based computers (GPT).

So. If you have additional information, let me know in comments or by eMail. I am rattled beyond my usual level of confusion as to what I should do. Currently, I will probably give the VeraCrypt binaries a test ride on some machine.



When you have a Laptop with Windows 8.1 preinstalled, then you will find yourself having a hard time installing a clean copy of Windows 8 on said Laptop. That, however, might be desirable for various reasons and so I am telling you how it's done. In my case, I am doing it with the firm intention to encrypt the system partition with TrueCrypt Setup 7.1a, which requires me to have an MBR rather than a GPT. There are probably ways to change this in-place, but there's really no point because I want a clean install of Windows anyway. (more…)


I'm using TrueCrypt system encryption for my Windows Partition and use its chain loader to boot Linux via GRUB, which is installed on my /boot partition. However, at some point I also had GRUB installed on my root partition. Because of that the TrueCrypt boot loader — after pressing ESC when I didn't want to boot Windows — showed a list of partitions to boot from instead of directly starting the only other boot loader. That's less convenient and a little bit annoying, so I wanted to get rid of the entry. As the TrueCrypt boot loader seems to detect boot loaders on partitions automatically, I wanted to try deleting the redundant one. However, I didn't find anything on how to delete a boot loader from a partition; that's probably because it usually isn't necessary. A quick search on Wikipedia revealed that the boot loader on a partition is stored in the volume boot record (VBR) of the partition, which is just the first sector, similar to the MBR. So I first made a backup in case I got anything wrong ((make sure to backup to a different partition than the one you're going to write on :) )):
$ dd if=/dev/sda5 of=sda5.vbr bs=512 count=1
and then wrote zeros to the VBR:
$ dd if=/dev/zero of=/dev/sda5 bs=512 count=1
which did exactly what I wanted. Be aware, however, that when you want to delete the boot loader from an extended partition, this would overwrite the partition table in the extended boot record (EBR), so you may only overwrite the first 446 bytes of the sector instead of all 512. One last thing that cannot be stressed enough: Have a current and complete backup handy, and be prepared you might have to use it. I'm no expert on the subject. If the VBR is used for more purposes than just containing a boot loader as I expect, zeroing the whole sector may really go wrong.