#6566

7-Zip is riddled with various vulnerabilities because the only developer is a sole Russian guy with no viable funding model and not enough time on his hands. It’s very sad because the compression of 7-Zip is fantastic but nobody wants to fund his hard efforts.

Cisco found multiple severe vulnerabilities which, amongst other things, undermined the security of 7-Zip. These flaws were fixed (in 16.04 and 17.00 beta) but many other security problems remain and not all have been disclosed.

There is an abundance of commercial cracking software available for Zip/7-Zip files because the original format [ZipCrypto] was not designed with security in mind. Subsequent implementations have improved but recovery can still be effectuated by those in the know.

AxCrypt 1 and 2 were designed with the same use-cases: file level encryption. The fact AxCrypt 2 remembers your password is irrelevant and Brian has explained some of these.

If you’re going to keep an archive then either use PGP or use a BitLocker Virtual Hard Drive. The problem you’ll have is synchronising to the cloud because of data de-duplication and a very large file (not individual files) which needs to be uploaded on the fly. You said you don’t utilise cloud services so a Virtual Hard Drive will serve you better than 7-Zip. Individual files can be encrypted with AxCrypt.

You need to configure virtual hard drives correctly using the new block cipher mode with a non-escrowed external recovery key and augmented key length if you want top security. Properly configured it surpasses what is currently offered by VeraCrypt and is more stable in the Windows environment.

You spoke about being an “advanced user” but from your posts you come across as a novice user who knows how to use basic out-of-the-box encryption. It’s good that you’re interested but with computer security you’ve got to realise that unless you really understand the subject (and all its pitfalls) you’re likely to fail when presented with too many options. This is not the same as calling you stupid (or the “lowest common denominator” as you suggested AxCrypt’s user-base must be); it’s recognising that you don’t have the cryptographic, mathematic and engineering skills to make an informed choice.

About GPG4Win, you can symmetrically encrypt from the GUI by using the GPGee extension. I’ve put a picture below. GPG is extremely secure software but the defaults aren’t good because they’re designed to be backwards compatible with older versions and to conform to the PGP standard. Therefore you’ve got to know what you’re doing to use it safely. There is lots of good technical information out there.
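The BitLocker virtual hard drive configuration the post recommends (XTS-AES block cipher mode, 256-bit key, recovery key written to an external location and never escrowed), as an added worked example. This script is not from the post, from Microsoft or from any linked project; it uses only documented cmdlets from the Hyper-V (`New-VHD`, `Mount-VHD`, `Dismount-VHD`), Storage and BitLocker modules and must run in an elevated PowerShell on a Windows edition that ships BitLocker. The paths, container size and volume label are assumptions to replace.

```powershell
# Added example, not code from the original post or from Microsoft.
# Creates a BitLocker-protected VHDX: XTS-AES-256, a password protector, and a
# recovery key (.BEK) saved only to an external path. Nothing here escrows the key.
# Assumes: elevated PowerShell, Hyper-V PowerShell module for New-VHD/Mount-VHD,
# a Windows edition with the BitLocker module. Paths below are placeholders.
#Requires -RunAsAdministrator

$VhdPath        = 'D:\Vaults\archive.vhdx'   # assumed location of the container file
$RecoveryKeyDir = 'E:\RecoveryKeys'          # assumed removable drive, stored offline
$SizeBytes      = 20GB

# 1. Create a dynamically expanding VHDX and attach it as a disk.
New-VHD -Path $VhdPath -SizeBytes $SizeBytes -Dynamic | Out-Null
$disk = Mount-VHD -Path $VhdPath -PassThru | Get-Disk

# 2. Partition and format it as an ordinary NTFS data volume.
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
$part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
Format-Volume -DriveLetter $part.DriveLetter -FileSystem NTFS `
    -NewFileSystemLabel 'Vault' -Confirm:$false | Out-Null
$mount = "$($part.DriveLetter):"

# 3. Turn on BitLocker with XTS-AES-256 and a password protector.
#    -EncryptionMethod selects the cipher and key length explicitly instead of
#    relying on the machine default (Group Policy "Choose drive encryption method
#    and cipher strength" can enforce the same setting for every drive).
#    Read-Host -AsSecureString keeps the passphrase out of the command line and history.
#    -UsedSpaceOnly is acceptable here only because the volume is brand new and has
#    never held data; on a reused volume encrypt the whole thing.
$pw = Read-Host -Prompt 'Vault passphrase' -AsSecureString
Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $pw -UsedSpaceOnly | Out-Null

# 4. Add an external recovery key protector and write the .BEK file to the
#    external drive only. Neither Backup-BitLockerKeyProtector nor
#    BackupToAAD-BitLockerKeyProtector is called, so no copy is escrowed to AD or a
#    Microsoft account.
New-Item -ItemType Directory -Path $RecoveryKeyDir -Force | Out-Null
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryKeyProtector `
    -RecoveryKeyPath $RecoveryKeyDir | Out-Null

# 5. Verify the cipher that actually landed on the volume, then wait for encryption
#    to finish before detaching the container.
$vol = Get-BitLockerVolume -MountPoint $mount
if ("$($vol.EncryptionMethod)" -ne 'XtsAes256') {
    throw "Unexpected cipher: $($vol.EncryptionMethod)"
}
while ((Get-BitLockerVolume -MountPoint $mount).VolumeStatus -ne 'FullyEncrypted') {
    Start-Sleep -Seconds 5
}
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, EncryptionMethod, VolumeStatus, ProtectionStatus, KeyProtector
Dismount-VHD -Path $VhdPath

# To reopen later: Mount-VHD -Path $VhdPath, then
# Unlock-BitLocker -MountPoint X: -Password (Read-Host -AsSecureString)
```

The `KeyProtector` column in the final listing should show exactly two entries, `Password` and `ExternalKey`; if a `RecoveryPassword` or any Azure AD or AD DS backup appears that you did not add, a policy on the machine is escrowing keys behind your back and the "non-escrowed" property the post asks for does not hold.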
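The command-line counterpart of the GPGee symmetric encryption the post mentions, as an added example that is not from the post, from GnuPG or from Gpg4win. Because the post's point is that GnuPG's defaults are chosen for compatibility rather than strength, every security-relevant parameter is passed explicitly so the result does not depend on which version's defaults are in effect. It assumes Gpg4win's `gpg.exe` (GnuPG 2.2.7 or later, needed for `--no-symkey-cache`) is on `PATH`; the file names are placeholders.

```powershell
# Added example, not code from the original post, GnuPG or Gpg4win.
# Symmetric (passphrase-only) encryption with explicit algorithm choices, followed by
# a check that the file header really records them. Assumes gpg.exe >= 2.2.7 on PATH.
$Plain  = 'C:\Users\me\archive.tar'   # assumed input file
$Cipher = "$Plain.gpg"

# Prompt without echo; convert to plain text only at the moment gpg needs it.
$securePw = Read-Host -Prompt 'Passphrase' -AsSecureString
$plainPw  = [System.Net.NetworkCredential]::new('', $securePw).Password

$gpgArgs = @(
    '--batch', '--yes',
    '--pinentry-mode', 'loopback',   # no pinentry dialog; take the passphrase from...
    '--passphrase-fd', '0',          # ...stdin, so it never appears on the command line
    '--symmetric',
    '--cipher-algo', 'AES256',       # 256-bit AES (OpenPGP algorithm id 9)
    '--s2k-mode', '3',               # iterated and salted string-to-key
    '--s2k-digest-algo', 'SHA512',   # hash used for passphrase stretching (id 10)
    '--s2k-count', '65011712',       # the largest iteration count gpg accepts
    '--no-symkey-cache',             # 2.2.7+: do not cache the passphrase in gpg-agent
    '--output', $Cipher,
    $Plain
)

# PowerShell pipes the string (plus a newline) to gpg's stdin, which --passphrase-fd 0 reads.
$plainPw | & gpg @gpgArgs
if ($LASTEXITCODE -ne 0) { throw "gpg failed with exit code $LASTEXITCODE" }

# Check: gpg needs the passphrase to read past the session-key packet, so feed it again.
# The first line should read
#   :symkey enc packet: version 4, cipher 9, s2k 3, hash 10
# i.e. AES256, iterated+salted S2K, SHA512. Anything else means a default won.
$plainPw | & gpg --batch --pinentry-mode loopback --passphrase-fd 0 --list-packets $Cipher

$plainPw = $null   # .NET strings are immutable; this only drops our reference
```

Decryption needs none of these options (`gpg --output archive.tar --decrypt archive.tar.gpg`), because the chosen cipher and S2K parameters are stored in the header the `--list-packets` call displays; that is also why checking that header is the right way to confirm the settings took effect rather than trusting the command line.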