Open-Source or FIPS-Validated Disk Encryption? 74

j_crane asks: "Our company is looking for disk encryption software that runs on Windows XP/2003 and Linux. There are hundreds of commercial disk encryption programs (most are Windows-only though). Some of them are FIPS-validated by the US NIST, but none of these are open-source. On the other hand, there is an excellent open-source on-the-fly disk encryption software, called TrueCrypt, for Windows and Linux (the program even provides plausible deniability), but it does not have a FIPS-validation. Which would you prefer -- open source or FIPS-validated -- and why?"

  • by steveparkinson ( 945551 ) on Tuesday April 18, 2006 @09:02PM (#15154102)
    NSS (the crypto library used in Firefox, and some Red Hat and Sun products) is open-source, and FIPS-140 level 2 certified: http://www.mozilla.org/projects/security/pki/nss/fips/ [mozilla.org] If you implement an application such as disk encryption using NSS for crypto, you'd be able to claim that it was FIPS 140 compliant. But, as far as I know, no such application currently exists. FIPS 140 is a US government standard for cryptographic implementations. Federal agencies/departments purchasing software with cryptography are required to buy FIPS-140 validated solutions if they exist. But, it's not only federal government. It's really the only such standard in the US, and so anyone looking for some product which has gone through some type of validation (such as financial industry) will probably require FIPS-140 validation.
  • by ocelotbob ( 173602 ) <ocelot@nosPAm.ocelotbob.org> on Tuesday April 18, 2006 @10:45PM (#15154571) Homepage
    In addition to the aforementioned NSS libraries, OpenSSL also has FIPS-certified builds. While in the past OSS crypto was traditionally not usually certified, that's changed in the past year or two.