Good news – there’s probably no need to stop using TrueCrypt. Not only should it keep its status as the top encryption software for the general user, if not for business purposes, but in spite of the fact that the developers have apparently shut down the project, it continues – same code, different name.
There has been much wild speculation recently about the sudden and apparently suspicious demise of TrueCrypt, including some interesting conspiracy theories. The closure of the project was all the more unexpected because an initial audit of the code has recently been completed (“iSEC Completes TrueCrypt Audit“) culminating in a report (iSec TrueCrypt Audit Report) which gave it a clean bill of health in most of the major areas in which it was examined – no backdoors, no dodgy code, just a few minor weaknesses and a certain untidiness about the code organisation, readability, and version control. This is no more than is to be expected from non-commercial volunteer developers. The audit has been funded by Indiegogo and FundFill campaigns which in the case of Indiegogo has raised over double the target amount, $46,420 of the $25,000 goal, showing the keen interest in the user and business community in establishing TrueCrypt’s status.
The Open Crypto Audit Project has stated: “We are continuing forward with formal cryptanalysis of TrueCrypt 7.1 as committed, and hope to deliver a final audit report in a few months”. If all goes well the report will reassure the software community that the application can be trusted. That outcome would mean that the last-released full version, 7.1a, could be regarded as safe and fit for purpose. The most recent version, 7.2, currently available at the TrueCrypt site, will only decrypt volumes, pending their transference to another product or system – for full-disk encryption, the developers are recommending BitLocker, unfortunately only available on high-end versions of Windows (Windows 7 Ultimate and Enterprise, Windows 8.1 Pro and Enterprise).
At the moment, the TrueCrypt site redirects to its SourceForge project page, with the heading: “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”.
Intriguingly, the TrueCrypt project appears to have been forked in June 2013 by a French developer, Mounir Idrassi, who has obtained the full TrueCrypt source code, going by his changelog. It has now become VeraCrypt, available here on SourceForge, and also as a free download from Idrix, which is presumably Idrassi’s company. VeraCrypt is claimed to be an enhanced version of TrueCrypt, with further development planned. There is a slight disadvantage in that VeraCrypt volumes are not compatible with TrueCrypt volumes, because of the changes in the encryption implementation, but presumably the implementation will now remain fixed for the foreseeable future. The VeraCrypt interface is essentially the same as TrueCrypt’s, and the application even retains the TrueCrypt licence in the source code listings at SourceForge and at installation. Forking the project has been seen as a problem by many because of the implications of its non-standard licence.
In spite of the licensing issues, there is yet another team, in Switzerland, determined to keep TrueCrypt going: TrueCrypt Must Not Die! The site is hosting downloads of TrueCrypt 7.1a for Windows, Linux and Mac, so get yours now while you still can!
Security professionals seem now to be coming to a consensus that there is nothing wrong with TrueCrypt; it appears never to have been broken, and is well on the way to becoming thoroughly evaluated. It has even effectively been endorsed by Edward Snowden, who seems confident about its use by himself, Glenn Greenwald, Laura Poitras, and others. The problem for users is really what it always has been; can you depend on it in a business context, or is it suitable only for personal and private use?
The answer to this comes down to assurance of the product. For software to be accredited for business and government use, it has to go through a formal assurance procedure to show that it meets the criteria specified for those uses. To illustrate this, consider its complementary partner, insurance. Insurance is making sure that if your hotel accidentally burns down, you can obtain financial compensation to support building a new one. Assurance is convincing the insurance company, before it will underwrite your policy, that you have done what it specifies as necessary to prevent a fire, or combat it if one does break out. This would include independent certification that you have installed fire extinguishers, that you have proper fire exits in the right places, that you have used non-flammable furnishings, and so on. Software assurance provides validation that the product meets certain criteria and standards. In the case of TrueCrypt, it is believed to have been taken informally through FIPS and equivalent compliance procedures, but it has no formal certification.
The current audit of TrueCrypt (see IsTrueCryptAuditedYet?) will provide some degree of assurance about its performance, but whether that will be sufficient to underpin its implementation in a commercial or professional context is another matter. Windows, for instance, has to undergo a formal evaluation and assurance process before corporate users will deploy it. However, one’s perception of the value of this may be coloured by the knowledge that, for Windows at least, the NSA has a hand in that process. With that in mind, one’s view of BitLocker may take on a different aspect.
What of the conspiracy theories? The nervousness of security experts over TrueCrypt’s withdrawal (see e.g. Graham Cluley, The Register, The Register, Bruce Schneier), leading to advice to discontinue its use, promptly led to speculation that the NSA is involved in some way. Perhaps they have become concerned about its increasing use and their inability to crack it, and have therefore discouraged the developers, or threatened them with sanctions, so that they have felt obliged to desist. Or maybe the team has been approached by the NSA to engineer a back door into it and have terminated the project rather than agree. There is even a superb theory based on the first letters of the termination notice above:
Taking the first letter of each word results in: UTINSAIMCUSI, or uti NSA im cu si. It looks a little like Latin, so using Google Translate for Latin to English, you get: “If I wish to use the NSA”. Could this be an intimation that the NSA has subverted TrueCrypt? Er – probably not. Coincidences like this pop up all the time (see “No Coincidence – Statistics and the Outrageously Unlikely“, New Scientist). Still, for all you enigma lovers out there, this is quite a good one.
Others, like security consultant Philip Le Riche, take the more sensible view that the secretive team has probably simply become tired of the work and responsibility involved, including the audit, after years spent on it for little reward, and just want to move on to other projects (see Leo Notenboom, and Steve Gibson [here, and here]). Faced with providing full support for Windows 8, and developing the ability to encrypt Windows system partitions/drives on UEFI-based computers, they may have balked at the prospect of the work involved. Le Riche, Notenboom, Gibson, and others tend towards the view that TrueCrypt itself is probably uncompromised.
As far as I can make out, there is no evidence to suggest that version 7.1a of TrueCrypt is unsafe to use in its basic form, save that whole-drive encryption may not be fully secure because of potential weaknesses during the boot process. As I said above, quite the opposite is true; what we know suggests that it has never been broken.
I make no secret of the fact that I consider TrueCrypt to be a brilliant piece of work which is as secure as anything available, and likely to be unbreakable. If you were a security agency with a long reach, what would you do to try to reduce the general use of a security encryption tool that resisted all your efforts to compromise it? Precisely; you would endeavour to discredit it publicly, so that people believe it is unsafe and stop using it; and encourage the use of products which you could subvert more easily.
I have examined the TrueCrypt manual and various referenced papers, all of which strongly suggest that great care has been put into both making sure the program is as secure as possible, and warning of the circumstances in which it may be weak. I admit that I am not a cryptography expert, but I have never seen any evidence to suggest that TrueCrypt volumes have been decrypted without the key. If there were, it would certainly have leaked by now.
In my opinion, the bottom line is that if you use TrueCrypt, you can continue to do so with confidence. The most recent version (7.1a, released in 2012) is fine for now. It works well on Windows 8.1, where I have used it to encrypt my data partition. No immediate development work seems to be needed – if it ain’t broke, don’t fix it. However, you may eventually wish to consider changing over to VeraCrypt, and going through the one-time conversion process. I will continue to use and recommend TrueCrypt, subject to the assurance of the ongoing audit.
Weaknesses during the boot process can be avoided by simply not encrypting the system partition, but instead encrypting another partition or volume on which you keep all your data (say DATA (D:)). The standard system folders, i.e. Documents, Music, Pictures, Videos, can all readily be redirected to new folders on the separate partition, which can be mounted after system start by TrueCrypt, when given the correct passphrase. This also provides a measure of “plausible deniability”, in that you can boot the system for border control or law enforcement so that it will come up apparently normally, and superficial examination will not reveal the presence of the DATA partition, which does not appear in the File Manager when dismounted. E-mail folders and Office files can also be redirected to the data partition without much difficulty.
This configuration of separate system and data partitions has several other advantages, including ease of backup of both the data and the system, and easy re-installation of Windows if necessary without having to move data files. I will cover all this in a later series of articles.
In the end, it comes down to how much you trust the mysterious authors of the software (who seem originally to be Czech, with USA connections). In this case, rightly or wrongly, my gut feeling is that I can trust them, and I will continue to use the program with enthusiasm.
I strongly believe that TrueCrypt will eventually be found to be sound, but I admit no responsibility if it does turn out to be fatally flawed and the NSA reads all your secrets! As always, the final decision is yours. And always remember – just because you’re not paranoid, it doesn’t mean they’re not out to get you!