TrueCrypt 5.0 Brings Plausible Deniability To OS X Users

While I’m not trying to only focus on security topics, they just seem to pop up more often than not, including today’s serendipitous discovery that TrueCrypt is available for OS X. Security isn’t just about maintaining system integrity (loosely defined as keeping malicious code from getting onto/running on your system). A critical component is ensuring that your valuable data is protected according to your risk appetite (loosely defined as confidentiality). Macs already have FileVault and secure disk images to handle basic encryption needs, so you may be asking why we need yet another utility for protecting information on our systems (a fair question).

If you need/desire cross-platform compatibility, then TrueCrypt is a perfect choice. You can encrypt a virtual disk image onto a USB drive and take it from Windows to Linux to OS X and gain access to all your secret data, something that is not possible with OS X secure disk images.

The other big “selling point” (difficult to use that term with a free & open source product) is the concept of plausible deniability. Until you go through the process of decrypting/mounting a volume, TrueCrypt file or disk volumes appear to consist of nothing more than random data (i.e. there is no “signature”). It is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted. This is an important point since we’re going down a very slippery slope (at least in the United States) where folks are now being forced to give up their secrets with full legal backing. You can rename a TrueCrypt file to “Family” and be able to claim that it’s just a corrupted transfer from your video camera with no way for the authorities to prove otherwise. Similarly, non-boot volumes (which is not an option for OS X yet) have no identifiable tags, making it look like an unformatted partition with random data.
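As an added illustration (not code from the original post or from TrueCrypt), the Python sketch below shows what "no signature" means for someone triaging files: the most a scanner can do is flag headerless, high-entropy blobs, and a stand-in for an encrypted container gets the same label as plain noise. The magic-byte table, the 7.9-bit threshold, the 512-byte size check and the sample data are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Constructed, deliberately short table of file signatures (magic bytes).
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip",
         b"\x89PNG": "png"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def known_format(data: bytes):
    """Return the format name if the data starts with a known signature."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def classify(data: bytes, sector: int = 512, threshold: float = 7.9) -> str:
    """Label a blob the way a triage script would (heuristic, assumed values)."""
    fmt = known_format(data)
    if fmt:
        return f"known:{fmt}"
    if shannon_entropy(data) >= threshold and len(data) % sector == 0:
        return "headerless-high-entropy"
    return "other"

def pseudo_random(seed: bytes, size: int) -> bytes:
    """Deterministic stand-in for random-looking bytes (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:size])

# Constructed samples: neither is a real TrueCrypt volume.
container_like = pseudo_random(b"stand-in for an encrypted container", 64 * 1024)
noise = pseudo_random(b"stand-in for a corrupted transfer", 64 * 1024)
text = b"quarterly report draft\n" * 2048

if __name__ == "__main__":
    for name, blob in [("container_like", container_like),
                       ("noise", noise), ("text", text)]:
        print(name, round(shannon_entropy(blob), 3), classify(blob))
```

The label is only a candidate flag: the heuristic cannot tell the two random-looking samples apart, which is the property the paragraph above describes.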

Sadly, one of the coolest features – creating a hidden volume within an encrypted volume – is also not available on OS X yet. This option would allow you to give up your keys/passphrase to an outer-encrypted volume, but have another hidden, encrypted volume within it that uses a separate set of keys/passphrase. This lets you give up some of your secrets but not all of them.

My attempts at downloading and installing TrueCrypt were woefully unsuccessful with Safari under Leopard (the download file was corrupted). It worked fine in Firefox and is available for 10.4 and 10.5, Intel or PPC. I’ll be putting the software through some tests over the next few days, so drop a note in the comments or forums if you have any questions or want to share your experiences with the product.

3 Responses to “TrueCrypt 5.0 Brings Plausible Deniability To OS X Users”

  1. Hello Folks:

    About downloading TrueCrypt and verifying the authenticity of the downloaded file – on Mac OSX, the TrueCrypt official website does not provide clear information on how to verify the downloaded file and how to use the provided PGP digital signature to verify the DMG file. Even though they do provide the fingerprint too, they don’t provide the checksum, which is more commonly used.

    The checksum is supposed to be: 0dfb1e09b337d92dd7a90095bc29d909

    I did use the MD5 App to get the above checksum, and then I googled it to see if I would find it somewhere, and I found it in The Chip Magazine download section, so it looks reliable enough for me to consider the TrueCrypt file that I downloaded directly from the TrueCrypt website.

    Anyway, the point of all this is that TrueCrypt should also include the Checksum on their own site.

    Now, about TrueCrypt for Mac: I would prefer not to see a port, but an actual Mac App that does not use or depend on MacFuse, simply because everything that Google makes these days is not security and privacy conscious. For example: Google Earth and Picasa Software heavily use Google Analytics and phone home when installing and on every update, see article below:

    So, why would someone like to use a fine security tool like TrueCrypt alongside a utility developed by privacy – blood sucker – Google?

    Sorry, I just don’t trust MacFuse, it could and may be used to mount remotely anything you have on your Mac.

    So, in the meantime, Encrypted Disk Images (DMG) created with Disk Utility on a Mac seem to be a little more secure than using TrueCrypt on a Mac. Too bad that Apple does not allow you to copy and paste long and strong passwords from password managers to open an Encrypted Disk Image, so remembering and using a 40-digit alphanumeric password, with signs and dashes, to open an encrypted container is just impractical.


  2. I love TrueCrypt, I use it on both my Windows and Linux OSes and I’m glad to hear that it’s available for Macs! Also, I have encrypted my flash drive, with Portable Thunderbird (with all clients set up with IMAP) for a true portable office!