Problem solve Get help with specific problems with your technologies, process and projects.

TrueCrypt disk encryption: A cheap alternative to BitLocker?

The latest version of TrueCrypt comes with enhanced encryption features for organizations not running Windows 7, Vista or Server 2008 R2.

Long before Microsoft introduced BitLocker for Windows, there was TrueCrypt -- an open source disk encryption system. TrueCrypt has been updated regularly with features that make it a good choice for those who can’t afford the Enterprise or Ultimate SKUs of Windows 7 and Vista or Windows Server 2008 R2 (and thus, BitLocker).

Users of TrueCrypt can create virtual encrypted volumes, encrypt entire existing disks and even encrypt an existing Windows boot volume. The boot drive encryption system is written well enough that you can even suspend and resume encrypting the boot drive -- a time-consuming process --across multiple sessions.

The newest version, TrueCrypt 7.0, adds a slew of new features and improvements to existing versions that make it all the more worthy of checking out. They include:

  • Hardware-accelerated AES -- Some new processors have built-in support for Advanced Encryption Standard (AES), which can provide a boost in encryption speed of four-to-eight times over software-only processing. TrueCrypt automatically detects whether or not the CPU on the current system supports hardware acceleration and will attempt to make use of it if it does

    Note, however, that not all of the hardware-native features provided are used. For instance, TrueCrypt doesn’t use hardware-accelerated key generation, presumably because the programmers want to use the keys generated by the program itself and not by a potentially unverifiable third party. TrueCrypt also lacks support for GPU-based acceleration, for example via NVIDIA’s CUDA extensions. This is strictly for processors that support the Intel AES-NI instruction set.

  • Windows API-based encryption of hibernation and crash dump files -- One security hole that existed if you used TrueCrypt’s system disk encryption with Windows XP or Server 2003 (and with earlier versions of TrueCrypt) was that crash dump and hibernation files could not be reliably encrypted without modifying system files. Microsoft provided an API for encrypting those files in Windows Vista, and TrueCrypt has started using that API in version 7.0 for system disk encryption.

  • Automatic volume mounting based on host device ID -- When a TrueCrypt volume is made available to the system, TrueCrypt can automatically attempt to mount it (provided the user supplies the right password and keyfile, if needed). You can also set default options for commonly used volumes, or favorites. This includes mounting them as read-only or as removable media, assigning a special label to the volume (useful if you want to address said volume from a program by label rather than drive letter), and so on.

  • Thread-based parallelization -- While this feature is not new to TrueCrypt 7.0, it’s worth a mention since it doesn’t get much attention. When thread-based parallelization is enabled, TrueCrypt will attempt to run encryption and decryption operations in parallel across each CPU core available in your system. Key generation is also sped up in this fashion. You can disable this feature as well, and set TrueCrypt to only use, say, two of four cores for this kind of parallelization.

Figure 1: TrueCrypt 7.0 (click to enlarge)
Truecrypt 7 now supports hardware-accelerated encryption/decryption when supported by the system.

Serdar Yegulalp has been writing about computers and information technology for more than 15 years for a variety of publications, including InformationWeek and Windows Magazine.

Dig Deeper on Windows administration tools

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.