Can Linux do BitLocker better than Windows 7?
Installation BitLocker drive preparation has been a notorious pain under Vista, with the necessary BitLocker Drive Preparation Tool available through Ultimate Extras and for Vista Enterprise and Windows Server 2008. (BitLocker has been incorporated into Windows 7 for machines with TPM.) Installation is notoriously cranky, and woe betide the user who doesn't partition the drive correctly -- two partitions are required -- before installing the OS.
On Linux, Debian has for years included the ability to set up a fully encrypted system right from the installer, if that how you prefer to go about it. TrueCrypt, on the other hand, has a wizard allowing you to create an encrypted file container, encrypt a non-system partition or drive, or encrypt an entire system partition or drive. The volume or drive must be empty of files before installation, but one needn't flush the entire OS.
I asked Jeremy Garcia if he would characterize ease of installation as a major concern for the community. "While I've never used BitLocker, it looks quite a bit more difficult to setup than TrueCrypt," he responded. "As you note though, most distributions now offer the ability to set up an encrypted partition right from inside the installer. Ubuntu uses dm-crypt behind the scenes. I actually wrote an article about TrueCrypt for Linux Magazine a while back, and the feedback I got did not indicate many people had install issues."
Extra protection The problem with FDE is that once the disk is legitimately accessed, it isn't protected at all from attacks by someone who has access to the unlocked machine. If your laptop is swiped while it's up and running, or if a file is plucked from the machine while it's unlocked, you're out of luck. However, TrueCrypt allows one to set up a "hidden" volume within the larger encrypted volume; in case access is gained to the drive, the volume appears to be simply a collection of random data. Individual files can also be encrypted.
BitLocker also allows encryption of secondary volumes, though if you're not yet running Vista SP1 it's a command-line setup process that even Microsoft's documentation says is for advanced users only. And the volumes aren't hidden. BitLocker cannot be used to encrypt individual files.
Thumb-drive protection Both BitLocker and TrueCrypt allow you to encrypt an entire storage device, such as a USB flash drive. Drives are encrypted in BitLocker must as any other drive would be; they'll work seamlessly with the machine on which they were originally configured, but to use them on any other BitLocker-enabled machine, you'll need to "Unlock Volume" and use the recovery key to gain access again. (If the machine doesn't have BitLocker, you're out of luck.) TrueCrypt allows you to encrypt an entire thumb drive, but you won't be able to actually run TrueCrypt from that drive. Instead, you'd create a file container on the USB drive, then store TrueCrypt alongside that container, after which you should be able to operate on any machine.
"You can't run BitLocker from that drive either, can you?" asked LinuxQuestions.org's Garcia. "It's really just a matter of having TrueCrypt on each machine you use, and as you mention, you can easily store a copy on an unencrypted partition on the drive."
Protection during hibernation Hibernation is not a great idea for machines running FDE for various reasons, including the threat of "cold-boot attacks" (see below). However, BitLocker does make a point of encrypting a hibernation file if one is present. TrueCrypt does not.
Key recovery When things go wrong, unless the administration has set up the system to store the private key on a removable drive, BitLocker users will need access to the local administrator account. With the individual user's account password, the key can be recovered -- it's stored on the local system. (This can lead to problems if the would-be intruder knows the admin password, obviously.) It's trickier with TrueCrypt -- under Linux, if the password or keyfile is truly gone, your data's locked on the disk forever. On the other hand, you've gained a lovely paperweight about which you can tell pitiful stories for years to come.
The TrueCrypt FAQ notes there is no "back door" provided for administrative users who need to find a way into users' encrypted drives when they've lost the password. However, there is a way for admins to enable themselves to reset the volume password and/or pre-boot authentication password.
Support On one hand, Microsoft. On the other hand, the TrueCrypt user forums. Choose your poison.
What about that freaky hard-drive attack with the canned air? As we learned last year, the "cold boot attack" can affect any FDE scheme that doesn't authentication before booting, whether it's coming back from a power-off or from mere hibernation. Researchers were able to reconstruct the all-important encryption key by switching on a shut-down machine fast enough to grab the residual electrical changes in RAM -- a time window which as it turned out lasts rather longer if you simply chill the chps to subzero temperatures. Almost no one was spared -- BitLocker, FileVault, dmcrypt, and TrueCrypt were all vulnerable.
Any interesting outliers in the FDE space? If you're seriously comparing Windows to Linux, it's a fair bet you're not too worried about whether a particular piece of software is free as stipulated by the GNU General Public License. But if you are looking for a GNU-compliant Windows package on the level of a TrueCrypt or a BitLocker, there is, of course, TrueCrypt for Windows itself. Also check out DiskCryptor, which bills itself as "the only truly free solution." DiskCryptor criticizes TrueCrypt for placing limits on what developers may do with that program's source code, and derides other packages as "fully proprietary ones, which makes them unacceptable to use for protection of a confidential data." And if, at the other philosophical extreme, your organization prefers to utilize TPM technology, Linux FDE options supporting the chip include CheckPoint and eCryptfs.
All that having been said, what's the verdict? With respect to being able to use full disk encryption functionality in Linux the way Microsoft intends for its customers to use it in Windows, the answer to this Can Linux Do This question...is yes.