Jump to content

Encryption options? TrueCrypt has been discontinued


Recommended Posts

  • Level 5*
Posted

Well, if you have been using TrueCrypt to encrypt your Evernote database folder, you need to find another way. If you google the news on this, there are some decent tech sites that think the US Govt got to them and demanded the encryption keys. Of course, that is speculation, but the reason given, that XP was dead, is a lame excuse, especially since the site used to have info on further Win8 enhancements.

 

I suppose you can continue to use it as long as you aren't thinking your data is safe from the NSA, but in software like this, I'd be scared something would change to the OS that might affect how TC operates and it could wind up trashing your data, a likely scenario as time moves on.

  • Level 5*
Posted

Well, if you have been using TrueCrypt to encrypt your Evernote database folder, you need to find another way. If you google the news on this, there are some decent tech sites that think the US Govt got to them and demanded the encryption keys. Of course, that is speculation, but the reason given, that XP was dead, is a lame excuse, especially since the site used to have info on further Win8 enhancements.

I suppose you can continue to use it as long as you aren't thinking your data is safe from the NSA, but in software like this, I'd be scared something would change to the OS that might affect how TC operates and it could wind up trashing your data, a likely scenario as time moves on.

I am a little confused, probably because I am not an encryption expert, but even if TrueCrypt was the most powerful and unbreakable encryption option in the world it wouldn't have any impact on your online security, right?

When the data leaves your computer to sync with any online service, including the Evernote servers, it is sent using regular ssl protocols and stored in plain text, right? TrueCrypt only protects your data from physical attacks while it is on your drive, so we our only talking about theft, loss, or confiscation. I think it is pretty unlikely the NSA will show up at your door asking to borrow your computer when they (or other state-sponsored hackers) can just get the data from Evernote or capture it in transit without lifting a finger. Nothing has changed (for most of us) if the NSA got the keys.

Not that I am trying to diminish the significance of the story, which was a worrying development, but I don't think this changes much for Evernote users, I'm afraid. TrueCrypt still remains a useful tool (assuming you aren't battling the NSA) and I expect we'll see a fix and/or an alternative soon. Mac users still have FileVault (as far as I know, it is considered reliably secure), so changing operating systems is also an option.

In regards to your warning about file corruption, I strongly recommend everyone regularly backup their data (I recommend a system with versions). It's easy to do, inexpensive, and good insurance against just these kinds of things.

Posted

Encrypting a folder is not just against physical attacks on your hard drive. The idea of encryption is also that, when you store the data in the cloud, it is inaccessible for others. Thus when the Evernote database folder is stored on Evernote's server the data is inaccessible. If a hacker broke into the server, or the NSA demanded Evernote to hand over those files, they would be inaccessible & thus useless to the "recipient".

But I don't see any point in storing an encrypted folder on EN's server, you might as well store it in the cloud with a 3rd party to give you some extra privacy in addition to the encryption.

Posted

But if you encrypt your database, why not make all the notes in there "local" & then store encrypted with a 3rd Party?

  • Level 5*
Posted

Sure, if you encrypt something and put that in a note, then it is encrypted on Evernote's servers. But, I think the OP was talking about the entire drive or the partition where EN resides. In that case, encrypted with TrueCrypt or not, it is essentially irrelevant unless you expect to have your laptop lost, stolen, or confiscated.

As for local notebooks, you could put them in Spideroak or some other more secure cloud service, but it doesn't seem very practical in terms of daily use. Of course, the problem here (from my perspective) is that private and public is all mixed up in my notes and there is actually relatively little these days that I can sync to Evernote's servers. Hopefully, Evernote will begin encrypting its databases (at least in the cloud, but perhaps even on our devices).

  • Level 5*
Posted

Sure, if you encrypt something and put that in a note, then it is encrypted on Evernote's servers. But, I think the OP was talking about the entire drive or the partition where EN resides. In that case, encrypted with TrueCrypt or not, it is essentially irrelevant unless you expect to have your laptop lost, stolen, or confiscated.

 

That is the point. All communication between your client and the servers are over SSL, so that is secure. EN has whatever security it has on its servers (info at its site), and you can also encrypt specific text in a notes.

 

However, your .exb file on your machine is open. It isn't password protected, and is not much better than clear text. So it isn't if, but when, someone's laptop or PC is stolen, and a simple removal of the HD will allow someone to read tons and tons of data in your EN account by simply installing EN and opening up your .exb file.

 

Now with Truecrypt off the table, something that has been advocated for years by various sites, your data just became a bit less secure. You can use bitlocker for your whole HD if you have Windows and you have the right version. I think Win8 can do it no matter the version, but with Win7 or Vista, you have to have Ultimate or Enterprise, and XP cannot do it at all, though all three can encrypt folders. Regardless of Windows based encryption versions, TrueCrypt was the only solution I am aware of that people could use to keep Evernote on their PC at work but keep the data private and out of reach from anyone in the IT department. I think a lot of people used it for that purpose.

  • Level 5*
Posted

 

Sure, if you encrypt something and put that in a note, then it is encrypted on Evernote's servers. But, I think the OP was talking about the entire drive or the partition where EN resides. In that case, encrypted with TrueCrypt or not, it is essentially irrelevant unless you expect to have your laptop lost, stolen, or confiscated.

 

That is the point. All communication between your client and the servers are over SSL, so that is secure. EN has whatever security it has on its servers (info at its site), and you can also encrypt specific text in a notes.

 

However, your .exb file on your machine is open. It isn't password protected, and is not much better than clear text. So it isn't if, but when, someone's laptop or PC is stolen, and a simple removal of the HD will allow someone to read tons and tons of data in your EN account by simply installing EN and opening up your .exb file.

 

Now with Truecrypt off the table, something that has been advocated for years by various sites, your data just became a bit less secure. You can use bitlocker for your whole HD if you have Windows and you have the right version. I think Win8 can do it no matter the version, but with Win7 or Vista, you have to have Ultimate or Enterprise, and XP cannot do it at all, though all three can encrypt folders. Regardless of Windows based encryption versions, TrueCrypt was the only solution I am aware of that people could use to keep Evernote on their PC at work but keep the data private and out of reach from anyone in the IT department. I think a lot of people used it for that purpose.

 

 

SSL is (sometimes) secure (assuming a lot of things like the security of the wifi service you are using), but the NSA (or other hackers) can apparently circumvent SSL (perhaps they are obtaining the keys -- I don't think anyone really knows yet), surreptitiously hack the data on the Evernote servers (they apparently have a database of people linked to their known passwords), or (with the proper paperwork) access the data. That level of hacking would seem to me a pretty unlikely for most of us (do they really want to know what I am up to with sixteenth-century Japan?), but in terms of the "likelihood" of a TrueCrypt user's data getting accessed without their permission, this is much more likely.

 

After all, unless I am misunderstanding the news about TrueCrypt, no one has broken into anyone's data, so it is a theoretical exploit that only someone like the NSA seems capable of doing. Unless your average computer thief is also on the NSA payroll or the NSA is chasing you, your data is probably fine for the moment. I certainly doubt any IT department that I have ever seen could hack your data. That capability is probably some time (many years) in the future. In the meantime, I imagine another alternative solution will be coming for Windows users. 

  • Level 5*
Posted

I'm not worried about the NSA or hackers. I am worried that now that the app has been discontinued, and as Windows continues to change through security patches, service packs, etc. that TC will at some point break. It will absolutely break - I just don't know when. Probably not this week. Very likely within a few years. How likely in the next 12 months? I don't know. And having an app like this that gets so into the details of how the system works, when it breaks, it will likely take all of the data in the TC volume with it. 

  • Level 5*
Posted

I'm not worried about the NSA or hackers. I am worried that now that the app has been discontinued, and as Windows continues to change through security patches, service packs, etc. that TC will at some point break. It will absolutely break - I just don't know when. Probably not this week. Very likely within a few years. How likely in the next 12 months? I don't know. And having an app like this that gets so into the details of how the system works, when it breaks, it will likely take all of the data in the TC volume with it. 

 

Indeed. I'd consider an u-encrypted backup copy somewhere safe, because it would be awful to have it go bad. Fortunately, there'd be a lot of people interested in making sure stuff was recoverable, so I wouldn't sweat it for now. A Mac with FileVault can run both Windows and OSX. Just sayin :)

  • 5 months later...
Posted

I had Notes on my Droid and one day it "upgraded" to Evernote. Now all of my original notes won't pull up. It says they are "broken." I had a lot of notes on there that I don't want to lose. I am not highly tech saavy and really would like to get them back. Any help out there? Thanks!

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...