The status of Truecrypt (2nd edition)


The status of Truecrypt (2nd edition)

  18:22, by Hagai Bar-El   , 419 words
Categories: IT Security

It has been a while since Truecrypt was discontinued. While it still works on most platforms, including new Windows machines (except for the full-disk-encryption on some of them), and while there still is no evidence to indicate that it is insecure, users of Truecrypt find the situation bothersome; and for a good reason. By now it seems obvious than an alternative has to be found.

Ever since my first post on the topic, not much has changed. Truecrypt did not return, and it is not likely to ever. The real reason for its abandonment is still not known for fact, but there are a few clever plausible ideas. Nonetheless, this reason does not really matter all that much. There is no firm reason to believe Truecrypt is insecure, there are a few reasons to believe it is secure, such as the review it has undergone, but basing your security strategy on a discontinued product does not make sense.

TCnext, the team that appointed itself to look after Truecrypt, does not seem to have made any progress on maintaining the tool in the past 1.5 years (approximately) of its existence.

Truecrypt does have alternatives, however. Most alternatives suffer from shortcomings such as: not supporting Windows, and/or not supporting file-based volumes (only encrypted partitions), and/or not supporting full-disk-encryption, etc. Some of those alternatives are discussed in this post of mine, that was written more than a year ago.

As of now, the most viable alternative seems to be VeraCrypt. VeraCrypt is essentially a Truecrypt fork and so it retains its entire feature set. The code was only lightly modified to improve some security properties of the original Truecrypt, such as the number of iterations used to derive keys from pass-phrases. It does not formally enjoy the perceived assurance provided by the security review that Truecrypt has undergone, but it is reasonable to believe that its security level is comparable. The most important feature of VeraCrypt that makes it a worthy replacement is the fact that it seems to be maintained. I do not see a stream of new features coming in, but timely releases do address issues that come up, indicating that development is not dormant. The lack of new features by many security engineers will be considered as a plus rather than a minus, anyway.

 I am currently unaware of any substantiated reasons to distrust VeraCrypt. Until such reasons surface, I tend to see it as the most adequate Truecrypt replacement for people who need the exact same feature-set of Truecrypt.

No feedback yet

Form is loading...