Why TrueCrypt Is No Longer A Choice

There is really no getting around the fact that staying secure on the Internet is hard, if not impossible, to achieve. Yes, users can do more to keep themselves safe by adopting good security practices. They can choose strong passwords that they don't reuse across different sites. They can avoid disclosing personal details online and, if they are particularly security conscious, can encrypt the contents of their hard disks. Ultimately, however, users have to rely on the software they are using to be secure, especially security software. If that software isn't secure, then no end of good habits will prevent others from secretly siphoning off information they can later exploit.


The problem here is that the past year has shown that it is simply not possible to trust the major software companies, who have been forced into providing US security services with access to their customers' information. After the revelations about the NSA, people started looking for what they believed to be reliable approaches to keeping their data secure. This has never been a particularly easy task, because security is hard to do properly and especially hard to do in a way that is also easy to use.

One such product that seemed to fit the bill however, was open source software called TrueCrypt.

TrueCrypt allows a user to create encrypted volumes that can hold the files they want to protect. It was especially good for protecting information stored on cloud storage services like Dropbox or Google Drive. It even had high-profile advocates like Edward Snowden, who had recommended its use. Security analyst Bruce Schneier also recommended it, even though he had some concerns about particular aspects of the product. To him, any lingering doubts about TrueCrypt paled into insignificance compared to the risk of trusting "large US corporations".

To further bolster people's faith in TrueCrypt, two researchers, Matthew Green and Kenneth White, raised money through an IndieGoGo campaign to conduct a security audit of TrueCrypt and try to resolve whether there were any hidden issues. That audit had recently completed its first phase and had not uncovered any problems in the software code.

But it seems that faith in even this product was misplaced. In an announcement that has greatly surprised the security world, the developers behind TrueCrypt declared that the product could no longer be trusted.

The unknown developers of TrueCrypt have recommended that people not continue to use the product and to rely on the encryption functionality built into Windows and Mac OS instead.

Nobody is quite sure why the developers have decided to shut the project down. It is possible that they knew it was compromised and understood that this would eventually be revealed through the audit. Or it could be that they were simply not interested in maintaining the product any further and called it a day. There are large numbers of open source projects that are essentially abandoned, so this latter explanation wouldn't be unreasonable. The problem, however, is that the way the project was shut down suggests a very hasty decision rather than something that was planned.

For those who were using TrueCrypt, the only real alternative is to now switch to using the encryption abilities of their computer operating system software as detailed on the TrueCrypt site. This incident serves as a further reminder that there is no perfect solution to computer security and what approach you take to security involves deciding who you are trying to protect your information from.

If, as is most commonly the case, the concern is with cyber-criminals, then using Microsoft's or Apple's built-in encryption is probably a good idea. If you are trying to protect yourself from spying by your own or other government agencies, then the truth is that using these products may not help very much in the end.

David Glance is Director of Innovation, Faculty of Arts, Director of Centre for Software Practice at University of Western Australia. He does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.

This article was originally published on The Conversation.


    There is a third, very likely possibility - TrueCrypt may have been issued a National Security Letter and ordered to divulge any potential weaknesses in TrueCrypt's algorithm. Courts in the USA have indicated that service providers do have the option to shut down their services rather than comply (see Lavabit).

    The fact that TrueCrypt was Edward Snowden's encryption platform of choice makes this a likely possibility. His insurance policy, and with it a million-plus top secret documents, are likely secured in a TrueCrypt volume. Gaining any insights into how to decrypt that insurance policy is likely relevant to NSA's interests.

    If TrueCrypt or its authors were issued an NSL, it was a dumb move. It's unlikely TrueCrypt's authors could help there. And, now, the open source community will spawn fully-peer-reviewed TrueCrypt alternatives that will be equally functional.

    It will become a war cry of the OSS community to replace TrueCrypt with a cross-platform, equally-functional, and peer-reviewed alternative.

      My thoughts exactly. Sounds like the NSA with a fake moustache "Oh no, please don't use truecrypt, it's insecure..."

    Crap, secret service is after your naked ladies collection.

      Yeah, cos that is what Edward Snowden is famous for. What's that? No he isn't a full forward for Collingwood you dropkick.

    I've used truecrypt since 2005 on several Windows machines and one still uses v6.x. Never once has any version crashed or failed. No versions have been cracked, as publicly acknowledged. In 9 years, while rare Windows updates and Firefox updates cause a major problem fixable by a system roll back, truecrypt has not once experienced the same, and this on the Win platform at that, from XP to 7. While I am not a security expert, I spent 1 month reading the 2005 source code and was convinced of its integrity to give it a try; that is its real claim to stability, not their announcement, because skilled folks can check claims against their source code. Since then, professional security folks have released partial studies confirming the integrity of its code. However, like XP, once a platform is not supported, it's prudent to announce it's not secure because a future bug will not be fixed and that can theoretically come immediately. In past versions, the Truecrypt team examined flaws in the OS they supported and quickly provided updated software to counter these holes. However, since v6.x there have been no holes I can recall that caused concern, so that by 2011 most updates were mostly enhancements rather than security issues.

    I agree that the NSA option, as suggested by Christopher Price in his comment above, is the most likely, or something along those lines. Why else would the Truecrypt authors actually say their product was not secure if a weakness or back-door hadn't been identified?

    It looks like it is a thinly veiled warning telling users that the NSA (or other government spies) know how to crack Truecrypt.

    Finding another encryption solution or using the built-in Windows "BitLocker" are not the only options. Until someone comes forward with an explanation for what the problem is, and you're not paranoid, TrueCrypt versions 7.1 and below still work perfectly well. It was never a program that was dependent upon an internet connection or cloud storage. I'm waiting to find out what's what before changing everything.

    There's NO NEED to panic!

    TrueCrypt works just as well today as it did before the sudden announcement. Just because they stopped development, it does not mean you must now quickly migrate to another encryption method. The last update was released back in February 2012 after all.

    The website may be down, but you can download it from repositories like http://www.techarp.com/showarticle.aspx?artno=818

    Even if you trust Bitlocker and FileVault, TrueCrypt offers cross-platform access, which neither Bitlocker nor FileVault supports.

    Why not just use EncFS? EncFS can also work with cloud storage like Dropbox. http://ninjatips.com/encrypt-dropbox-using-encfs/

    For people who are using Win 7 Ultimate or Enterprise or Win 8 OS, one of the solutions is to use BitLocker to encrypt drives, and for people who are on other Windows OSes, they can use other file encryption software such as Kakasoft Folder Protector to protect files.

    Encryption: Because you're paranoid, but are you paranoid enough?
