You cannot find any extensive CV of Idrassi online and he played no noteworthy role in international cryptography, neither as a professional nor as an enthusiast, before he forked TrueCrypt into VeraCrypt. Moreover, France has a long anti-cryptography tradition and a fairly extensive and powerful intelligence apparatus.
My apologies to Idrassi for casting doubt on him, but that's how trust works. It's a personal evaluation. From the publicly available information there are enough reasons for me to consider the sudden cessation of TrueCrypt development and the fast takeover by VeraCrypt suspicious.
Sure, you can compile it on your own but if you don't do that, do you also audit and reverse-engineer the binaries?
Your response is 'I don't trust this tool'.
The next question from the target audience would then be: 'OK, so what are we supposed to use?'
What would be your response?
Keep in mind, these are users most likely running Mac or Windows to do various media production tasks. Telling them to fire up your pet distro of choice and set up LUKS is not a pragmatic solution.
But to answer your question, I think that the most reliable form of file encryption remains, probably uninterestingly, GPG. It's not easy and it's not perfect, lacking several advantages of block based tools like VeraCrypt, but it's well tested and publicly vetted. If you are working alone BitLocker and File Vault are both good options for solo use.
Yes, security is a process and involves situation-specific threat modeling, risk assessment, and behavioral conditioning. It is not just a 'here use %foo' band-aid. I don't think anyone here is disputing this.
But that is not the issue here. The issue is that once you've developed your personalised threat model, the issue of which specific tools to use is a very real one. OP has cast ad hominem FUD on VC, and provided no reasonable alternative, leaving someone to ask 'OK, if VC is not trustworthy, what is?' Security is a holistic process, yes, but that by definition includes tools alongside a valid threat model.
So back to the matter at hand: GPG does not provide the functionality that VC does (no FDE, no deniability), and BitLocker and File Vault are closed-source toolkits, are you really proposing them as viable trustworthy alternatives to VC? Which brings us back full circle to the original issue: if VC is deemed not trustworthy by OP, what is a user to use instead?
But yes, if what you want is open source FDE with deniability, and cross platform support (not sure why you need cross platform support for FDE) then VeraCrypt is your tool.
In crypto we trust.
Veracrypt is open source and has been audited by OSTIF. It would be best to review code before accusing someone of such a heinious act. :/
When someone attacks the messenger or developer instead of the facts or the code, there could be some kind of agenda. Hope that’s not what it is.
1.) No, cryptography does not replace the trust in people. Your dead wrong if you think so. You need to trust the maker of the cryptographic software, whether it's open source or not, and even if the software has been audited. The only exception would be that you have team of experts who continuously audit the source code and compile every executable themselves. Then, of course, you can also just fork it and develop it yourself. Other than that, you better trust the source.
2.) I was explicitly talking about the binaries. The vast majority of all users will download the binaries and never check the source code. Moreover, if you check the source code, then this gives you no reason to trust the binaries.
Here's how I would do it, if I was working for an intelligence agency supplying bogus open source software: I'd put audited and correct sources on the web, but would make them hard to compile (e.g. complicated dependencies, tool chain setup). Then I would put binaries on the web page, too. And then I would check who downloads the software and based on some heuristics either deliver a perfectly fine web page+binary or a compromised web page+binary to the recipient, depending on whether I want to collect intelligence from that person or not.
Another, simpler method is to ensure that there is always some exploitable bug in the software. If that is found by external auditors, just introduce a new bug. The underhanded C contest shows you how it's done.
In any case, before you start talking about encryption again, we're talking about side channel attacks, of course.
(Needless to say, the Arch wiki is an excellent resource for those getting started with Linux.)
I have not tried this.