The status of TrueCrypt

  2014-05-30

The status of TrueCrypt

  07:40, by Hagai Bar-El   , 564 words
Categories: IT Security, Products

I wish I knew where TrueCrypt stands now, but I don't. I follow TrueCrypt and regularly endorse it  ever since I discovered it and wrote this post nine years ago. TrueCrypt was, and may still be, the most sensible and presumably-secure volume and full-disk encryption software for Windows; also supporting Linux and Mac. A few days ago the project discontinued, and users were directed to alternative, non-open-source solutions.

The claim on the new TrueCrypt page stating that TrueCrypt is not secure is probably unsubstantiated. TrueCrypt has undergone an independent source-level security review just a short while ago, and this review turned up with no back-doors or glaring holes. The review is not complete yet (when writing these lines), but the results are so far optimistic, in terms of the code. One should also notice that the new TrueCrypt page states "insecurity" due to the absence of future "security fixes" resulting from the end of the development; it does not hint at a major flaw that is known to exist today.

The option that the page was simply hijacked by a hacker is less likely, since the new TrueCrypt that was released only for the purpose of decrypting old drives and migrating their content, is signed by the same key used to sign all previous releases. Unless the developers were hacked real bad, the new page and release seem authentic. The option of being hacked by bad guys is valid, but unlikely. If I were a bad guy with a TrueCrypt developers' key, I would have installed a back-door, redistributed the binary, and waited for my loot, rather than just shut the project down. Shutting the project down for the bad guys is counter-productive.

There are many speculations on what might have happened, and nothing is known for sure. One option is that the NSA took them down, resembling the Lavabit case. By this scenario the developers may have faced a request to implement a back-door, and preferred to shut the business down rather than comply. Personally, while the story is plausible, I doubt the NSA would have tried such a trick at this day. If I were them, I would have waited a year or two. Still, this is probably the most likely scenario for now.

Another option still is that the developers just got tired of maintaining TrueCrypt, not being able to secure enough donations, in spite of trying hard to do so. What still seems awkward is that it is not "natural" for an open source security developer to point users to commercial alternatives such as BitLocker, that the security community largely treats with many grains of salt. The page, in my opinion, also seemed too pragmatic and unemotional to be written by an open source developer who discontinues his masterpiece development after more than a decade and presumably after saving many lives.

I can only hope that time tells us more. In the meantime, I still use the 7.1a version of TrueCrypt. There is no reason to suggest its insecurity, and that is the most trustworthy solution for Windows today. If indeed the way of TrueCrypt comes to an end, I would certainly hope for a new team of savvy security addicts to come up, take over the source code, and revive this essential project.

On July 24th, 2014, I published an update discussing the current status and advice on alternatives: Truecrypt alternatives?

1 comment

Comment from: ronys [Visitor]

Hi Hagai,

“The page, […] seemed too pragmatic and unemotional to be written by an open source developer who discontinues his masterpiece development after more than a decade […]”

You’re assuming that the developer who took down the project is the same one that accompanied the project from the start. Ain’t necessarily so.
This thread’s the most reasonable I’ve read so far:
http://it.slashdot.org/comments.pl?sid=5212985&cid=47115785

A Lavabit scenario seems to me less likely than programmer fatigue, especially since we’ve no idea if the developers are in the US or not.

Could be that we’ll never know, though.

2014-05-30 @ 16:39