
Encryption toolkit for media makers: A VeraCrypt guide - gasull
https://freedom.press/training/encryption-toolkit-media-makers-veracrypt-guide/
======
I don't trust VeraCrypt very much. Mounir Idrassi's company _IDRIX_ was
founded in 2006 in Paris and it is one of the classical shady government-near
companies that could have close ties to intelligence agencies. Note that I say
_could_ not _has_.

You cannot find any extensive CV of Idrassi online and he played no noteworthy
role in international cryptography, neither as a professional nor as an
enthusiast, before he forked TrueCrypt into VeraCrypt. Moreover, France has a
long anti-cryptography tradition and a fairly extensive and powerful
intelligence apparatus.

My apologies to Idrassi for casting doubt on him, but that's how trust works.
It's a personal evaluation. From the publicly available information there are
enough reasons for me to consider the sudden cessation of TrueCrypt
development and the fast takeover by VeraCrypt suspicious.

Sure, you can compile it on your own but if you don't do that, do you also
audit and reverse-engineer the binaries?

~~~
Andre607
The article proposes a concrete solution to a problem for media makers: if you
need to protect your files, here is a tool you can use, and here is how to use
it.

Your response is 'I don't trust this tool'.

The next question from the target audience would then be: 'OK, so what are we
supposed to use?'

What would be your response?

Keep in mind, these are users most likely running Mac or Windows to do various
media production tasks. Telling them to fire up your pet distro of choice and
set up LUKS is not a pragmatic solution.

~~~
stinkytaco
I don't think saying "be aware of the trust issues" is necessarily dismissing
VeraCrypt. OP's point is that you need to keep that in mind when making a
decision. The idea that keeping yourself secure is as simple as using a tool
is a massive mistake; it's a process. With physical security, we've largely
internalized this process, but digital security is something lots of people
still don't understand.

But to answer your question, I think that the most reliable form of file
encryption remains, probably uninterestingly, GPG. It's not easy and it's not
perfect, lacking several advantages of block-based tools like VeraCrypt, but
it's well tested and publicly vetted. If you are working alone, BitLocker and
FileVault are both good options for solo use.

~~~
Andre607
I think there is some muddling of the issues at hand here.

Yes, security is a process and involves situation-specific threat modeling,
risk assessment, and behavioral conditioning. It is not just a 'here use %foo'
band-aid. I don't think anyone here is disputing this.

But that is not the issue here. The issue is that once you've developed your
personalised threat model, the issue of which specific tools to use is a very
real one. OP has cast ad hominem FUD on VC, and provided no reasonable
alternative, leaving someone to ask 'OK, if VC is not trustworthy, what is?'
Security is a holistic process, yes, but that by definition includes tools
alongside a valid threat model.

So back to the matter at hand: GPG does not provide the functionality that VC
does (no FDE, no deniability), and BitLocker and FileVault are closed-source
toolkits; are you really proposing them as viable trustworthy alternatives to
VC? Which brings us back full circle to the original issue: if VC is deemed
not trustworthy by OP, what is a user to use instead?

~~~
stinkytaco
Is the article proposing that you need an open source FDE solution with
deniability? Considering it refers to using Disk Utility as an option if
everyone is on macOS, then I don't think that's what it is going for. It also
assumes that these users are using Windows/macOS, so the need for open source
tools doesn't seem to be a primary concern for this organization. I don't
personally have a lot of problems with VeraCrypt, but I think most people this
article is aimed at would be well served by FileVault and BitLocker since we
have no reasons not to trust those organizations and some reasons to believe
they have put their money where their mouth is when it comes to file
encryption.

But yes, if what you want is open source FDE with deniability, and cross
platform support (not sure why you need cross platform support for FDE) then
VeraCrypt is your tool.

------
a-ve
If you're not afraid of using the command line, dm-crypt is a much better
alternative:
[https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system)

(Needless to say, the Arch wiki is an excellent resource for those getting
started with Linux.)

~~~
golem14
Does LUKS provide plausible deniability via hidden volumes like VeraCrypt
does? I imagine that this is important for the use case.

~~~
golem14
To answer my question, a web search delivers:

[https://blog.linuxbrujo.net/posts/plausible-deniability-with-luks/](https://blog.linuxbrujo.net/posts/plausible-deniability-with-luks/)

I have not tried this.

