On 28 May 2014, the developers of the reasonably infamous encryption software Truecrypt apparently announced that the program was over and that the risk of security weaknesses meant people should stop using it.

Since this announcement, the Truecrypt website at http://truecrypt.org now redirects to the SourceForge page (http://truecrypt.sourceforge.net/), which reports that development ended in “5/2014” following Microsoft moving Windows XP out of support.

It also contains an ominous warning:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

(screenshot of the page below)

Truecrypt notifies the world it is over

Taken at face value, this is certainly a shame for millions of users across the world. Truecrypt, although never a profitable bit of software, has been used by countless reporters, dissidents and others wishing to protect their sensitive & private data. We frequently recommend Truecrypt to personal users and the only thing preventing it being an enterprise class tool was the lack of centralised management.

Most famously, Truecrypt was used by Edward Snowden and the journalist Glenn Greenwald to protect the NSA documents Snowden was trying to make public. Snowden’s continued use of Truecrypt has been taken by many to imply that the NSA had not been able to compromise its encryption technology.

Unusually, as part of its closure notice, Truecrypt is encouraging users to migrate to Bitlocker (on Windows platforms), a whole disk encryption tool. Bitlocker is only available to Ultimate, Pro and Enterprise licence holders, which rules it out as an option for most home and small-business users.

Additionally, while it provides whole disk encryption, Bitlocker is not an exact alternative for Truecrypt as it lacks the following:

  • Cross platform encryption.
  • The ability to provide encrypted containers on removable media.
  • Hidden partitions allowing for deniable containers and mitigating the risks of “rubber hose cryptanalysis”.

For some people, the ultimate issue is that Bitlocker is provided by Microsoft, and there have long been accusations that backdoors or other covert access have been established to give the US Government and law enforcement the ability to decrypt data. This has never been proven and is frequently denied by Microsoft. Bitlocker does have an option to place the encryption key in escrow, which may have led to these worries, but this is not mandatory.

As a result of the Snowden / NSA leaks casting doubt about a lot of security products, a crowdfunded audit of Truecrypt was set up. This produced its first set of reports on 14 April which found a total of 11 vulnerabilities, of which four were medium, four were low and three were informational-only (full copy of the report is available online).

If you have ever had any software, especially a complex one, audited and tested, you will agree this is a very positive set of findings, and the report concludes that the bugs appear to be the result of code errors rather than intentional backdoors or malicious activity.

While a follow-up report is due in the second half of 2014, overall this audit appears to be saying that Truecrypt version 7.1a is an acceptable product.

Truecrypt site – dire warnings and a new version

The audit findings and the warning notice on the Truecrypt page are actually pretty compatible. The notice says it may contain unfixed security issues and, assuming the developers never intend to change another line of code, this is true.

Bugs in software sometimes only come to light years after they were coded (Heartbleed is a good example of this), and if the developers are retiring from this project, then any future bugs will not only remain unfixed but may be backwards compatible enough to compromise data containers people create today.

However, the unusual thing here is that the site also provides a “new” version of Truecrypt (version 7.2) to enable users to decrypt their containers and migrate to Bitlocker (or their chosen encryption tool). This makes sense in the context that someone might find an encrypted container in the future and have no other way of accessing the data.

So, what happened to Truecrypt, and what is the future?

Without Truecrypt, selecting encryption software is a lot harder.

At the moment, the short answer is “Nobody except the developers really knows.”

The way the development ended has, unsurprisingly, stirred up huge numbers of theories, ranging from a sulky pout when the developers realised that they were getting very little in the way of donations while the audit project exceeded its crowdfunding goals, to the conspiracy theory that this is a “canary” warning Truecrypt users that the developers have been subjected to something similar to a National Security Letter by the US Government, forcing them to hand over secrets which compromise the software.

With this notification, the development team has pulled the binaries and source code bundles for all the older versions of Truecrypt, meaning the hobbled version 7.2 is the only one you can get now. This version will not allow you to create new encrypted containers and is simply there to help you migrate to a different platform.

Unfortunately there doesn’t seem to be a single product that currently matches the feature set of Truecrypt, so for most people this will mean moving to a variety of tools.

As a brief checklist for home users and small businesses, you might want to consider the following:

  • Something which provides you with whole disk encryption. This is essential for portable devices (laptops) and prevents people accessing your data if they steal your device.
  • Something which allows you to encrypt files or folders and move them on portable devices. This means you can create an encrypted object and move it from one place to another on portable devices such as USB sticks.
  • Something which works the same on all the platforms you use. This is essential if you have more than one operating system – such as Windows and Apple devices.
  • Something which allows plausible deniability. This means if you are ever threatened with violence or punishment, you can surrender one key and still protect the important data.

Unfortunately this can be a very complicated topic and we aren’t in a position to make blanket recommendations in a blog post. The choice of encryption tools will depend very heavily on your personal circumstances and reasons for protecting the data.

You can get a comparison of different encryption software packages online, and if you want to discuss this further, or engage our security specialists for an in-depth review of your needs, then get in touch.