How to share encrypted storage between Windows, Mac OS X and Linux in a secure way
I got a 2 TB drive that I have to use with both Windows 8.1 / Windows 10 and OS X Yosemite / OS X El Capitan, and maybe even on Linux.
I need to encrypt the volume. Or rather, I want to create two partitions: a 1.7 TB encrypted one, with the remaining space unencrypted.
Right now I use Windows BitLocker (512 bit). On Mac and Linux, nothing, obviously.
What do you recommend?
I have looked at TrueCrypt (and I read about all the confusion created after May 2014), VeraCrypt, GnuPG, and Dislocker to read BitLocker on Unix.
But I feel lost and without a good idea.
And if I use TrueCrypt 7.1a while waiting for new solutions, what precautions should I take to prevent memory dumps and other potential cracks?
And then, how should I use TrueCrypt to format the drive? GPT? MBR? Journaled? FAT?
If the drive is a self-encrypting drive (SED) (mostly available on SSDs, although some business-oriented regular drives have the feature as well), then by setting a User+Master ATA password (in the BIOS/UEFI, or via the hdparm tool on Linux) you can set up the encryption keys and either unlock the drive during boot, if the BIOS/UEFI prompts you to unlock it, or at least on Linux unlock it manually via hdparm. This way the encryption is done by the drive's hardware and managed by ATA commands, independently of the operating system. The OS will see such a drive as an unencrypted one.
The problem is that some drives (such as Crucial MX100/MX100 SSDs and others) had critical flaws in their SED implementation, and earlier firmware allowed the keys to leak.
Another problem is that many BIOS/UEFI implementations were/are bad and do not implement the ATA password feature properly, therefore either keeping a backdoor by not allowing you to enter the Master password (and setting some publicly known secret there), or not allowing the full range of characters or the full password length, or even worse, not writing the password directly but applying some intermediate step, making such a password-encrypted drive incompatible with any other brand of laptop/BIOS (such a drive cannot be unlocked at all on hardware implementing this feature differently). Lenovo ThinkPads, Fujitsu LifeBooks, and some HP ProBooks/EliteBooks and Dell Latitudes/Precisions behave more or less correctly (and business-oriented desktops in general as well). Cheaper machines for home use or entertainment had very poor BIOS/UEFI implementations (older generations of InsydeH2O UEFI etc.), rendering the use of an ATA password a really bad idea (if not outright impossible).
NTFS & BitLocker can actually be accessed from Linux via Dislocker (and it allows you to save data from partitions corrupted in such a way that they reliably induce a BSOD on any Windows machine trying to open them), but I would not recommend running Dislocker and mounting NTFS on Linux regularly to actually use a disk for reading and writing data.
A VeraCrypt-encrypted container is one of the reasonable ways to access data from multiple OSes. An encrypted virtual disk via VirtualBox, if it can be mounted from both OSes, may be another option. Basically, any way to transparently decrypt a block device and mount it on both systems should work. Encrypted VirtualBox virtual drives and VeraCrypt containers/partitions are perhaps quite well-tested, standard and reliable ways of achieving this.
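Before relying on the ATA-password route the answer describes, a practitioner wants to know what state the drive's ATA security is actually in (supported, enabled, locked, frozen by the BIOS/UEFI, factory master password still in place). The following is an added example, not code from the answer or from the hdparm project: a POSIX shell script that parses the "Security:" block of `hdparm -I` output and summarises it. The `hdparm -I` text embedded below is constructed to mimic hdparm's layout (real output separates "not" from the keyword with a tab; the patterns accept either), the device name and model are placeholders, and on a real machine you would pipe `hdparm -I /dev/sdX` (run as root) into `sed_status` instead of the sample.

```shell
#!/bin/sh
# Added example: report the ATA security state of a self-encrypting drive
# from `hdparm -I` output. CONSTRUCTED sample below; device and model are
# placeholders. Real use: hdparm -I /dev/sdX | sed_status
SAMPLE_HDPARM_I='/dev/sdX:

ATA device, with non-removable media
        Model Number:       EXAMPLE-SSD-MODEL
Commands/features:
        Enabled Supported:
           *    SMART feature set
           *    Security Mode feature set
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# Read hdparm -I text on stdin; print one line of key=value fields.
# Only lines inside the indented "Security:" block are considered; the next
# unindented heading (e.g. "Checksum:") ends the block.
sed_status() {
    awk '
    function v(x) { return (x == "" ? "unknown" : x) }
    /^Security:/           { insec = 1; next }
    insec && /^[^ \t]/     { insec = 0 }
    !insec                 { next }
    /Master password revision code/ { sub(/.*=[ \t]*/, ""); rev = $0; next }
    /^[ \t]*supported:[ \t]*enhanced erase/ { enh = "yes"; next }
    /^[ \t]*not[ \t]+supported[ \t]*$/      { sup = "no";  next }
    /^[ \t]*supported[ \t]*$/               { sup = "yes"; next }
    /^[ \t]*not[ \t]+enabled/               { en  = "no";  next }
    /^[ \t]*enabled/                        { en  = "yes"; next }
    /^[ \t]*not[ \t]+locked/                { lk  = "no";  next }
    /^[ \t]*locked/                         { lk  = "yes"; next }
    /^[ \t]*not[ \t]+frozen/                { fr  = "no";  next }
    /^[ \t]*frozen/                         { fr  = "yes"; next }
    END {
        printf "supported=%s enabled=%s locked=%s frozen=%s enhanced_erase=%s master_rev=%s\n",
               v(sup), v(en), v(lk), v(fr), v(enh), (rev == "" ? "unknown" : rev)
    }'
}

# Turn a status line from sed_status into a one-word assessment.
# "frozen": the BIOS/UEFI froze security at boot, so hdparm cannot set or
#           change an ATA password in this session.
# "enabled-default-master": a user password is set but revision code 65534
#           means the manufacturer's default master password is still in place,
#           which is exactly the "public secret" backdoor the answer warns about.
sed_assess() {
    case "$1" in
        *supported=no*)                   echo "no-ata-security" ;;
        *frozen=yes*)                     echo "frozen" ;;
        *locked=yes*)                     echo "locked" ;;
        *enabled=yes*master_rev=65534*)   echo "enabled-default-master" ;;
        *enabled=yes*)                    echo "enabled" ;;
        *)                                echo "disabled" ;;
    esac
}

# Demo on the constructed sample.
status=$(printf '%s\n' "$SAMPLE_HDPARM_I" | sed_status)
echo "$status"
echo "assessment: $(sed_assess "$status")"
```

On the sample this prints `supported=yes enabled=no locked=no frozen=yes enhanced_erase=yes master_rev=65534` and the assessment `frozen`, i.e. the firmware has frozen the security state and the OS-side hdparm route is closed for this boot; the script deliberately only reports state and never issues security commands, which is the check to run before deciding whether the ATA-password approach is even available on a given machine.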