Important Information If You Use TrueCrypt

TrueCrypt has been the freeware encryption software of choice for millions of users for more than a decade. However, sometime yesterday, the TrueCrypt web site which hosts the download was replaced with a page warning that TrueCrypt is no longer secure, that development has ceased, and that you should stop using it.

A new version of the software was also released, which no longer supports encryption. It simply allows you to read (decrypt) your existing encrypted volumes so that you can migrate your data to alternative software.

At present, the reasons for the abrupt ending of TrueCrypt development are not known. Various rumours persist, including NSA involvement, the web site having been hacked, a dispute among the developers, and more besides.

If you are currently using TrueCrypt, here's what you need to do:

1.  Continue using your existing installation as normal for the time being.
2.  Do NOT download the newly-released version. It can't be trusted for now.
3.  Don't consider switching to alternative encryption software for the moment. Your existing TrueCrypt installation will suffice until the facts are known.


Comments

This whole story is highly suspicious.

1. I don't recall it was ever mentioned before that the life of TC depends on whether WinXP is still supported by MS or not. Besides, the end of support does not mean that all the users of XP will migrate to something else overnight.

2. Security problems (sometimes gaping holes) in OSes and in all kinds of software are discovered daily.
If we stopped using every piece of them that MAY contain security issues, we would not be sitting here (reading or writing stuff) because Windows, Linux, iOS, Android, etc. all very likely contain unfixed security bugs.
If the history of Microsoft's OSes is any indication, Bitlocker itself is very likely to contain unfixed and also undiscovered security problems as well.
So this is surely not the cause here.

3. Developers of software, which is one of the best and/or most popular in its class, VERY RARELY shut down their website and development literally overnight, just because there are alternatives to their product.

You do the math.

(I think it is now official: TrueCrypt has proven to be unbreakable... for certain authorities at least, therefore it had to disappear.)

I read all the comments but all this makes me uneasy. I have been using TrueCrypt for several years now and I think it's great. The only caveat is when backing up my data my software doesn't recognize the volume because of the volume date. I knew that going in though. You stated that nothing should be done at this time until we know all the facts. I am running V7.1a since 2012. Should I be concerned? Any suggestions for other "virtual drive" software that can be used? I like the virtual drive software because no one can see any file name within the drive. Tks

Actually, there's an option in TrueCrypt to update the date on the container file! Have a look through, and you'll find it.

The audit process continues and is due for completion in about 3 months, so it's certainly worth waiting until then.

Others have pointed to the strange wording of the warning and wonder if it might be a canary message.

"Using TrueCrypt is 'N'ot 'S'ecure 'A's . . ."

This initially worried me about what I would use as an alternative for Truecrypt virtual drives, given that my applications use them. However, VirtualBox creates virtual drives from the source drive (or folder) outside the virtual machine, and defines them within the VM as virtual drives.

The answer, then, could be to create ordinary virtual drives, and encrypt them. Within VB it is possible to give the virtual drives the required drive letter by creating empty drives (within the VM).

My theory, and that is all it is with no testing or backup whatsoever, is that Truecrypt was TOO good, NSA wants it off the scene, and the replacement will have an NSA backdoor in it.

^^pure speculation

That's a nuisance. I've stored all of my data in numerous Truecrypt volumes for years (before that PGPDisk). In view of these developments I can't help wondering if the developers have been reading it all along. I suppose we should be wary of software provided free by people who remain anonymous. Thank you for the information. What would we do without TechSupportAlert?

Thanks again for the information Rob - you are so invaluable with your up to date information. Would never have known about this news otherwise !

I have used TrueCrypt without a problem for over 7 years, and continue to use version 4.3a, which is from 2007.
I didn't upgrade TrueCrypt to a more recent version, as I read that later versions won't read older created volumes.
It will be interesting to know exactly what the breach is, and if the older versions are more secure.
Regardless, I will continue to use an older version of TrueCrypt until further information becomes available.

So far as all my firewalls have informed me over the years, my version of TrueCrypt has never tried to "phone home". I don't know about more recent versions, and I certainly will never trust the current version!

I have downloaded all previous versions from the reliable filehippo.com site just to ensure I always have alternative versions for personal use.

As an aside, I wonder if the commencement of audits of TrueCrypt's code has anything to do with the TrueCrypt statement?

"Matthew Green, a cryptographer and research professor at the Johns Hopkins University Information Security Institute and a longtime skeptic of TrueCrypt, last year helped spearhead dual crowdfunding efforts to raise money for a full-scale, professional security audit of the software. That effort ended up pulling in more than $70,000 (after counting the numerous Bitcoin donations) - I'm a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits"

This thread already contains a few alternatives - http://softwarerecs.stackexchange.com/questions/4539/alternatives-to-tru...

Personally, I would be unwilling to use a closed source solution, so that rules out BitLocker for Windows.

If I were paranoid, I might also wonder if the NSA could put pressure on whoever is providing my encryption.

YMMV

Appreciate the heads up and look forward to any updates regarding the situation. Once again I'm shown as logged in on some tabs of the Gizmo page but not on others... any explanation for that?

In this case you might need to refresh the pages on those tabs, crosseyedlemon.