Can Linux do BitLocker better than Windows 7?
By Angela Gunn | Published July 3, 2009, 5:43 PM
(continued from previous page)
Installation
BitLocker drive preparation has been a notorious pain under Vista: the necessary BitLocker Drive Preparation Tool is available only through Ultimate Extras and for Vista Enterprise and Windows Server 2008. (Windows 7 builds BitLocker into its Ultimate and Enterprise editions and expects a TPM by default, though Group Policy can allow a USB startup key on machines without one.) Under Vista, installation is notoriously cranky, and woe betide the user who doesn't partition the drive correctly before installing the OS -- two partitions are required, a small unencrypted one that the boot loader can run from and the encrypted system volume itself.
On Linux, Debian has for years offered a fully encrypted system right from the installer (dm-crypt underneath), if that is how you prefer to go about it. TrueCrypt, on the other hand, has a wizard for creating an encrypted file container, encrypting a non-system partition or drive, or (on Windows only) encrypting an entire system partition or drive. A non-system volume must be empty of files before it's encrypted, since TrueCrypt formats it; system encryption works in place, so one needn't flush the entire OS.
I asked Jeremy Garcia if he would characterize ease of installation as a major concern for the community. "While I've never used BitLocker, it looks quite a bit more difficult to set up than TrueCrypt," he responded. "As you note though, most distributions now offer the ability to set up an encrypted partition right from inside the installer. Ubuntu uses dm-crypt behind the scenes. I actually wrote an article about TrueCrypt for Linux Magazine a while back, and the feedback I got did not indicate many people had install issues."
Extra protection
FDE protects data at rest, and only at rest. Once the disk has been unlocked by a legitimate user, it offers no protection at all against someone with access to the running machine: if your laptop is swiped while it's up and running, or a file is copied off it while it's unlocked, you're out of luck, and only the operating system's own access controls stand in the way. TrueCrypt does add one trick. It can create a "hidden" volume inside the free space of a larger encrypted volume; free space in a TrueCrypt volume is always filled with random data, so even someone who obtains the outer volume's password cannot tell whether a hidden volume exists there at all. Smaller secrets can also be kept in an encrypted file container rather than encrypting a whole drive.
BitLocker also allows encryption of secondary volumes, though before Vista SP1 it's a command-line setup process (manage-bde.wsf) that even Microsoft's documentation says is for advanced users only. And the volumes aren't hidden. BitLocker cannot be used to encrypt individual files; on Windows that job belongs to NTFS's Encrypting File System (EFS), which is a separate feature.
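How a hidden volume stays deniable is easier to see in code. The following is an added example, not TrueCrypt's own code: it keeps the TrueCrypt 6 container layout (a salted, encrypted 512-byte header at offset 0, a second header slot at offset 65536 for a hidden volume, data from offset 131072 with the hidden volume placed at the end of the outer one) but stands in an HMAC-SHA256 counter-mode keystream for AES-XTS so it runs on Python's standard library alone; the header fields, the function names, the fixed iteration count and the "protect" argument are this example's own simplifications. Which volume opens is decided by which password is entered; nothing in the bytes on disk says whether the hidden slot holds a header or random fill. It also shows the hazard that comes with the trick: writes to the outer volume don't know the hidden volume is there and will overwrite it unless the volume is mounted with both passwords (TrueCrypt's "protect hidden volume" option).

```python
import hashlib
import hmac
import os
import struct

SECTOR = 512
SALT_LEN = 64
HIDDEN_HEADER_OFFSET = 65536     # TrueCrypt 6 layout: outer header at 0, hidden header slot here
DATA_OFFSET = 131072             # data area starts here; a hidden volume sits at its end
MAGIC = b"TRUE"


def _kdf(password, salt):
    """Password -> header key. TrueCrypt also uses PBKDF2 (other hashes and iteration counts)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 2000, dklen=32)


def _keystream_xor(key, nonce, data):
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for AES-XTS. Demo only."""
    blocks = (len(data) + 31) // 32
    ks = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))


def _make_header(password, master_key, start, length):
    """salt || Enc_password(MAGIC || master key || start || length || zero padding)."""
    salt = os.urandom(SALT_LEN)
    body = MAGIC + master_key + struct.pack(">QQ", start, length)
    body += b"\0" * (SECTOR - SALT_LEN - len(body))
    return salt + _keystream_xor(_kdf(password, salt), b"header", body)


def _open_header(password, header):
    """Decrypt a 512-byte header; None unless the password reproduces the magic."""
    salt, enc = header[:SALT_LEN], header[SALT_LEN:]
    body = _keystream_xor(_kdf(password, salt), b"header", enc)
    if body[:4] != MAGIC:
        return None
    start, length = struct.unpack(">QQ", body[36:52])
    return {"key": body[4:36], "start": start, "len": length}


def create_container(size, outer_password, hidden_password=None, hidden_size=0):
    """Fill with random bytes first: an empty hidden-header slot and unused free
    space are then indistinguishable from a real hidden header and hidden data."""
    buf = bytearray(os.urandom(size))
    buf[0:SECTOR] = _make_header(outer_password, os.urandom(32), DATA_OFFSET, size - DATA_OFFSET)
    if hidden_password is not None:
        buf[HIDDEN_HEADER_OFFSET:HIDDEN_HEADER_OFFSET + SECTOR] = _make_header(
            hidden_password, os.urandom(32), size - hidden_size, hidden_size)
    return buf


def open_volume(container, password):
    """Try the outer header, then the hidden slot, with the one password given;
    the password alone decides which volume (if any) opens, as in TrueCrypt."""
    for kind, off in (("outer", 0), ("hidden", HIDDEN_HEADER_OFFSET)):
        vol = _open_header(password, bytes(container[off:off + SECTOR]))
        if vol is not None:
            vol["kind"] = kind
            return vol
    return None


def write_sector(container, vol, index, data, protect=None):
    """Encrypt one sector into the volume. `protect` is an opened hidden volume: when
    given, outer-volume writes that would land on it are refused, which is what
    TrueCrypt's 'protect hidden volume' mount option (needing both passwords) does."""
    if len(data) != SECTOR:
        raise ValueError("sector-sized writes only")
    off = vol["start"] + index * SECTOR
    if off + SECTOR > vol["start"] + vol["len"]:
        raise ValueError("write past end of volume")
    if protect is not None and off + SECTOR > protect["start"]:
        raise ValueError("write would destroy the hidden volume")
    container[off:off + SECTOR] = _keystream_xor(vol["key"], struct.pack(">Q", index), data)


def read_sector(container, vol, index):
    off = vol["start"] + index * SECTOR
    return _keystream_xor(vol["key"], struct.pack(">Q", index), bytes(container[off:off + SECTOR]))


if __name__ == "__main__":
    c = create_container(1 << 20, b"outer-pw", b"hidden-pw", hidden_size=256 * 1024)
    outer, hidden = open_volume(c, b"outer-pw"), open_volume(c, b"hidden-pw")
    write_sector(c, hidden, 0, b"secret".ljust(SECTOR, b"\0"))
    print("wrong password opens:", open_volume(c, b"guess"))
    print("outer password opens:", outer["kind"], "/ hidden password opens:", hidden["kind"])
    clobber = (hidden["start"] - outer["start"]) // SECTOR   # first outer sector inside the hidden volume
    try:
        write_sector(c, outer, clobber, b"\0" * SECTOR, protect=hidden)
    except ValueError as e:
        print("protected mount refused:", e)
    write_sector(c, outer, clobber, b"\0" * SECTOR)          # unprotected: silently wrecks hidden data
    print("hidden sector 0 after unprotected outer write:", read_sector(c, hidden, 0)[:6])
```

The same property that makes the hidden volume deniable (random fill everywhere, no marker saying "hidden data here") is what makes it fragile: the outer volume's free-space accounting has no idea the hidden region is occupied, so the practical rule is to mount the outer volume with hidden-volume protection whenever you intend to write to it.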
Thumb-drive protection
Both BitLocker and TrueCrypt can encrypt an entire removable storage device, such as a USB flash drive. BitLocker treats such drives much as any other drive: they unlock seamlessly on the machine on which they were originally configured, but to use them on any other BitLocker-enabled machine you'll need to choose "Unlock Volume" and supply the recovery key. (If the machine doesn't have BitLocker, you're out of luck.) TrueCrypt can encrypt an entire thumb drive too, but then there is nowhere on it to run TrueCrypt from. Instead, you create a file container on the USB drive and put a copy of TrueCrypt alongside it (TrueCrypt's "Traveler Disk Setup" automates this), after which it works on any machine -- with the caveat that mounting a volume loads TrueCrypt's driver, which needs administrator rights on the host unless TrueCrypt is already installed there.
"You can't run BitLocker from that drive either, can you?" asked LinuxQuestions.org's Garcia. "It's really just a matter of having TrueCrypt on each machine you use, and as you mention, you can easily store a copy on an unencrypted partition on the drive."
Protection during hibernation
Sleep and hibernation are both risky on a machine running FDE. In sleep (suspend to RAM) the key stays in memory, which is exactly what the "cold boot" attack (see below) goes after. Hibernation (suspend to disk) writes the contents of RAM, key included, into the hibernation file, so that file must itself be encrypted or the key ends up on disk in the clear. BitLocker does make a point of encrypting the hibernation file when the system volume is encrypted. TrueCrypt on Linux does not, since it cannot encrypt a system partition there at all; the dm-crypt route handles it by putting swap, where the hibernation image lands, on an encrypted device.
Key recovery
When things go wrong, BitLocker's safety net is the 48-digit recovery password (or recovery key) that the setup wizard insists you save to a USB drive, a file or a printout, and which enterprise administrators can escrow in Active Directory. Managing the keys of a running system needs the local administrator account: with it, the recovery password can be displayed on demand (manage-bde's "-protectors -get" does this), since the key protectors are stored in the volume's own metadata. (This can lead to problems if the would-be intruder knows the admin password and gets at the machine while it's unlocked, obviously.) It's trickier with TrueCrypt: if the password or keyfile is truly gone, your data's locked on the disk forever. On the other hand, you've gained a lovely paperweight about which you can tell pitiful stories for years to come.
The TrueCrypt FAQ notes there is no "back door" provided for administrative users who need to find a way into users' encrypted drives when they've lost the password. What it does offer is a procedure: the administrator creates the volume with a password of their choosing, backs up the volume header (Tools > Backup Volume Header), which holds the master key encrypted under that password, and keeps the backup somewhere safe before handing the volume over; the user then changes the password. If the user later forgets it, restoring the backed-up header resets the volume password and/or pre-boot authentication password to the administrator's. For system encryption the TrueCrypt Rescue Disk, which carries a copy of the original header, plays the same role.
Support
On one hand, Microsoft. On the other hand, the TrueCrypt user forums. Choose your poison.
What about that freaky hard-drive attack with the canned air?
As we learned last year, the "cold boot attack" (Halderman et al., "Lest We Remember: Cold Boot Attacks on Encryption Keys", 2008) can affect any FDE scheme whose key is sitting in RAM when the attacker gets hold of the machine: running, asleep, or only just switched off. Contrary to the conventional wisdom, DRAM doesn't forget instantly. The researchers rebooted a machine into a small memory-dumping program (or moved the memory modules into another machine) quickly enough to read the residual charges, then found the key by scanning the dump for the distinctive structure of an expanded AES key schedule and correcting the bits that had decayed in the meantime. The window of a few seconds at room temperature stretches to minutes if you simply chill the chips to sub-zero temperatures with an inverted can of compressed air. Almost no one was spared: BitLocker (in its default TPM-only mode, which hands the key to any machine that boots from the disk), FileVault, dm-crypt and TrueCrypt were all vulnerable. The defences are to shut down rather than sleep, to require a PIN or USB key before the TPM will release the key, and to have the driver wipe keys from memory on shutdown.
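Why the key can be pulled out of a decaying memory image is worth seeing in code. The script below is an added example, not code from the article or from the researchers' tools: an FDE driver keeps the expanded AES key schedule (176 bytes for AES-128) in RAM, and every round key is a fixed function of the one before it, so a dump can be scanned for 176-byte windows that satisfy those relations far better than random bytes do, even after a few percent of the bits have decayed. The memory image, the key, its offset and the decay model (each set bit dropping to 0 with 5 percent probability, the direction most of the modules in the paper favoured) are all constructed in the script and are assumptions of the example. The scanner only locates the schedule and reports how damaged it is; the paper's tools go on to repair the decayed key bits using the same redundancy, which this example leaves out.

```python
import random

SCHEDULE_LEN = 176           # AES-128: 11 round keys of 16 bytes
SCHEDULE_BITS = 160 * 8      # bits covered by the round-key relations (rounds 1..10)


def _xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial."""
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """Generate the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    p = q = 1                                   # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF                                               # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                              # 0 has no inverse
    return sbox


SBOX = _build_sbox()


def _round_word(prev, rcon):
    """SubWord(RotWord(prev)) ^ Rcon: the only non-linear step of the schedule."""
    return [SBOX[prev[1]] ^ rcon, SBOX[prev[2]], SBOX[prev[3]], SBOX[prev[0]]]


def expand_key(key):
    """AES-128 key expansion (FIPS-197 section 5.2): 16-byte key -> 176-byte schedule."""
    w = list(key)
    rcon = 1
    for i in range(16, SCHEDULE_LEN, 4):
        t = w[i - 4:i]
        if i % 16 == 0:                         # first word of every round key
            t = _round_word(t, rcon)
            rcon = _xtime(rcon)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return bytes(w)


def schedule_mismatch(buf, off, limit=SCHEDULE_BITS):
    """Bits at which buf[off:off+176] violates the schedule relations: 0 for a real
    schedule, about SCHEDULE_BITS/2 for random bytes, low but non-zero after decay.
    Stops early once the count exceeds `limit`, which keeps the scan fast."""
    s = buf[off:off + SCHEDULE_LEN]
    rcon, bad = 1, 0
    for i in range(16, SCHEDULE_LEN, 4):
        t = s[i - 4:i]
        if i % 16 == 0:
            t = _round_word(t, rcon)
            rcon = _xtime(rcon)
        for j in range(4):
            bad += bin(s[i + j] ^ s[i - 16 + j] ^ t[j]).count("1")
        if bad > limit:
            break
    return bad


def find_schedules(image, max_bad=SCHEDULE_BITS // 4):
    """[(offset, violated_bits)] for each AES-128 schedule in image. Windows shifted
    by whole round keys (16 bytes) also score low, since the relations hold between
    any two consecutive rounds, so nearby hits are merged and the best one kept."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        bad = schedule_mismatch(image, off, max_bad)
        if bad > max_bad:
            continue
        if hits and off - hits[-1][0] < SCHEDULE_LEN:
            if bad < hits[-1][1]:
                hits[-1] = (off, bad)
        else:
            hits.append((off, bad))
    return hits


def decay(data, fraction, rng):
    """Model DRAM remanence: each set bit falls to 0 with probability `fraction`
    (0 is the ground state of most modules the paper measured). Constructed model."""
    out = bytearray(data)
    for i, b in enumerate(out):
        for bit in range(8):
            if b >> bit & 1 and rng.random() < fraction:
                b &= ~(1 << bit)
        out[i] = b
    return bytes(out)


def build_image(seed=1, size=16384, key_offset=0x1A30, decay_fraction=0.05):
    """Constructed image: random filler with one decayed key schedule planted in it."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    image = bytearray(rng.randrange(256) for _ in range(size))
    image[key_offset:key_offset + SCHEDULE_LEN] = decay(expand_key(key), decay_fraction, rng)
    return bytes(image), key, key_offset


if __name__ == "__main__":
    image, key, key_offset = build_image()
    print("planted schedule at 0x%x for key %s" % (key_offset, key.hex()))
    for off, bad in find_schedules(image):
        print("schedule at 0x%x: %d of %d relation bits violated; decayed key bytes %s"
              % (off, bad, SCHEDULE_BITS, image[off:off + 16].hex()))
```

Run as a script it reports the planted offset and nothing else; scanning the 16 KiB image takes a second or two because each window is abandoned as soon as it accumulates more violated bits than the threshold. The same check works on a real dump, or on a swap or hibernation file that was written unencrypted, which is the practical reason the hibernation section above matters.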
Any interesting outliers in the FDE space?
If you're seriously comparing Windows to Linux, it's a fair bet you're not too worried about whether a particular piece of software is free as stipulated by the GNU General Public License. But if you are looking for a GPL-licensed Windows package on the level of a TrueCrypt or a BitLocker, there is, of course, TrueCrypt for Windows itself -- though note that TrueCrypt ships under its own licence, which Debian and the Free Software Foundation do not regard as a free-software licence. Also check out DiskCryptor, which bills itself as "the only truly free solution." DiskCryptor criticizes TrueCrypt for placing limits on what developers may do with that program's source code, and derides other packages as "fully proprietary ones, which makes them unacceptable to use for protection of a confidential data." And if, at the other philosophical extreme, your organization prefers to tie the disk key to TPM hardware, Linux options that support the chip include Check Point's full disk encryption product and eCryptfs (the latter encrypts at the file level rather than the whole disk, so it is only a partial counterpart to BitLocker).
All that having been said, what's the verdict?
With respect to being able to use full disk encryption in Linux the way Microsoft intends its customers to use it in Windows, the answer to this Can Linux Do This question... is yes.
So what if Linux created something and Microsoft utilized the same concept but different technology to implement it, "and" vice versa?
Though it is true that credit is due to those who deserve it, technology is fluid and fleeting.
Because when it all comes down to the finish line, the question is "who or what" made "it" better, stronger or easier to use.
As in the article's conclusion, and because of my first-hand experience, I am not impressed with Microsoft's BitLocker as well.
Rhetorically, we might ask what is the "real" reason for Microsoft to include BitLocker in their recent OSes?
What we can be assured of is that if drive encryption was a serious issue for Microsoft, they would provide the download for "all" of their Windows customers.
Drive encryption does have its strong benefits, as it has the propensity to protect personal and financial information from thieves and spies.
For now, Microsoft is only providing the service to their highest-paying customers.
Score: 0
|Mac OS X's FileVault works quite well, as long as you don't shut down the system. There's a silly bug where it doesn't load your customised file launch actions for different file types (i.e. if you want to use VLC to play AVI files instead of QuickTime). No word on when this will be fixed; there are workarounds, but still it is very annoying!
But the only good news is that because it only encrypts your home folder, the rest of the system runs very fast. So on a notebook you don't have to waste battery life decrypting static system files for the sake of security.
Score: 0
|Volume and Disk level encryption have been around for a long long time.
It is available in almost all OSes either with inherent support, 3rd party $$, or OSS...
Why is this an issue again?
BitLocker is NOT designed for the average user market, nor is it designed to compete with specific types of encryption technologies. It is designed to be easy, hand off administrator control, and be implemented in large corporate environments with lots of computers and laptops in the field. The only thing necessarily 'better' about BitLocker is the ease of implementation from an IT administrator standpoint, as you can literally flip a few policies and have it be seamless for new computer installations brought into the environment.
If you are looking for good volume level encryption, there are tons of solutions out there, this is not the point.
Linux 'being able to do' something is also not the point.
If you want to look at something Linux can't do in comparison to Windows, pick a real subject like GPU scheduling, or other WDDM features.
Heck, you could even do several articles on the object model of the NT kernel in comparison to Linux -- especially Linux's UNIX generic textual I/O model compared to the Object Oriented I/O model.
Next even look at API abstraction, and the 'subsystem' technology of the NT kernel that makes it a client/server kernel. This is how you can run Win32 or Win64 side by side with a full implementation of BSD all on the NT kernel and sharing the IPC and NT Object Manager. This is something Linux cannot do as well.
In terms of architecture Windows often gets a bad reputation from the pseudo-geeks, but when OS engineers and theorists look at the NT kernel and what it is doing and can do, there are many levels of technology that it is doing and can do that Linux, OpenBSD, and Darwin/OS X do not have the architectural plumbing to pull off.
Take the NVidia hybrid GPU technologies... Vista is the only consumer OS that can flip the GPU and GPU drivers on the fly without a hiccup or even the user noticing, where on Linux, X Windows has to be restarted, and on OS X the user has to log off to restart the Mac GUI as well.
There are 100s of things like this that, as technology demands, show some of the real strengths of the NT kernel design that you could do a debate on between Linux and Windows, rather than something as obscure as BitLocker.
(Heck even an article on Superfetch technologies and using idle RAM for intelligent user based data prefetching.)
So why BitLocker?
Unless you are the FBI or corporate America's top 500 Inc. that are using this feature that has need for it, why do you care?
Most people need and use file level encryption, and that is inherent in NTFS and has been for years.
If you are a home user, and you NEED to use BitLocker, then you probably are storing data you shouldn't be on your home computer. Or you don't realize you can already use NTFS encryption on a file/folder level and not have to encrypt the entire volume and pretend your entire HD has nuclear secrets on it.
Score: 1
|I think that regular users can benefit from the encryption service.
It has the propensity to protect private and financial information from people in the event the computer is accessed without the knowledge or consent of the owner "and" from thieves who may take the machine away from you.
I think we can all agree that user-level passwords only keep the honest people out of systems.
Score: 0
|Just to be clear..
NTFS Encryption is enough; volume-level BitLocker encryption is just over the top for average users 99.9% of the time.
If anyone has stuff they want to protect, encrypt it or put it in a folder that is encrypted. You don't need to encrypt the entire hard drive and it isn't worth the overhead.
(* Yes there are legit reasons to use a Bitlocker type technology, but for most average consumers, no...)
Score: 1
|You can safely hibernate Linux systems with full disk encryption - complete with properly encrypted hibernation and swap partitions - as long as it's all correctly set up. Not sure which Linux installers actually get this right, though. Debian appears to be able to, Ubuntu doesn't, and I have no idea what TrueCrypt supports. (TrueCrypt is mainly aimed at Windows users; the Linux support is very much second-class. Linux FDE is usually done with LUKS, which works better.)
Score: 0
|First of all, I agree with bousozoku; who would even question this? Linux has had integrated encryption for as long as I can remember; even if it meant enabling a non-default package, it was always just a click away. Second, I know it is not encryption in itself, but SELinux, endorsed by the NSA, the code people. I personally use Fedora 11 set up with FDE; all you have to do is check a box during install. There is also a built-in encryption key manager which can find people's public PGP keys from MIT's database; once you have the key it just takes a simple right click --> encrypt. Of course all of this is integrated with the default mail client, so it will automatically (after authentication) decrypt any messages sent to your public key. [I know this is different than file encryption for storage, just demonstrating the encryption integration and attention to security found in Linux]
Score: 0
|Linux? Windows? Mac?... I use all of them... TrueCrypt is the best option.
Score: 0
|a bit more info on this topic http://theinvisiblething...icrosoft-bitlocker.html
Score: 0
|now that's a stupid question...
take a look at fedora's install setup
disk encryption is optional
Score: -1
|Was there any doubt that it could be done in a Linux distribution? I'd also think that OpenBSD, the security conscious version of *BSD would do this by default. Mac OS X on the other hand, only has inbuilt encryption for the user area and after all the various but early problems, I'd be afraid to use it.
Score: 1
|How about more basic protection such as user surfing the internet and the computer IS NOT infected?
Score: -1
|Angela, the other picture of you with the pink sweater favors you much more.
Score: -1
|I don't recall a pink sweater (I'm not a sweater see-er) (or artistic), but the pic is showing the JPEG artifacts of too much compression.
And I haven't read the article yet -- I crashed into Medical Examiner (M.E.) and, uhm, like.
Happy Holidays and pretty explosions to those who like them, and really good earplugs to those who don't.
Score: -1
|If I ever start even remotely resembling the photo above, my next of kin have been instructed to remove the feeding tube. Seriously, that photo looks almost nothing like me; it's a still image from a project I did a while back, and if it had a thought bubble above it it would say "$*()@!#@ this %(@)!_! outfit and double-%()@)! the %)(@)($_@ electrician's tape holding down the collar in back." But go ahead, ask any columnist if they even notice their photo after the first week or two...
(The pink-sweater photo is a lot closer to recognizable, except for the hair -- can't figure why it looks so short!)
Score: 0
|"Drives are encrypted in BitLocker must as any other drive would be"
I'm thinking that should be "much"
Aside from that, an interesting read.
Score: 0