TrueCrypt alternatives?

  2014-07-24

TrueCrypt alternatives?

  22:23, by Hagai Bar-El   , 660 words
Categories: IT Security, Products

It has been a while since the announcement of the demise of TrueCrypt (which I reported), and an equivalent replacement for all those people who rely on it is not yet evident. TrueCrypt did not revive yet, but the situation is not time-wise critical as it may have seemed. There are a few options, for the time being.

Keep on using TrueCrypt

First, let us note that there is no reason to assume that TrueCrypt is insecure. It has gone through some security evaluation with its last fully functional release and no major findings were brought up to discredit its security. It is true that software that is not maintained might be less secure because it is not patched. This is what the statement at the top of truecrypt.org suggests. However, I suggests we remember that software that is maintained also gets its share of security bugs added in the process. A security program that is assumed clean of bugs at point T0, and for as long as no security bugs are found, can only become less secure at point T1, if it is maintained. As long as TrueCrypt has no known security flaws, there is no reason to be bothered by its lack of updates; on the contrary.

Truth be told, I do not like using abandoned software (also called "abandonware"). I like features that are added over time to make the program more useful. However, in the case of security software that serves a very specific purpose, there is just not as much expectation for a steady flow of additions to its functionality. After all, TrueCrypt did not change substantially for years before its discontinuation, and it seemed to have bothered no one.

The one and only reason to be alarmed by the lack of maintenance of TrueCrypt is support for upgraded operating systems. This is mostly critical for Windows, since TrueCrypt, to the best of my knowledge, is the only open source FDE solution for this platform.

As far as I can tell, TrueCrypt works with most of its features also on Windows 8.1. The only case where TrueCrypt fails in Windows 8 is when using FDE, if the system supports UEFI. If one cannot use TrueCrypt FDE with his Windows 8 machine, he can always use a combination of Microsoft BitLocker and TrueCrypt volume encryption. I do not encourage to use BitLocker as the only line of defense. But protecting the system using BitLocker and the data using protected volumes, along with the usual precautions pertaining to temporary and swap files, should bring an imperfect-yet-adequate bottom line for the average user.

Alternatives

Some alternatives are available, such as BestCrypt volume encryption, by Jetico. It is not open source, and comes at a significant price tag if you have multiple computers, but it probably works. Source is closed, so the paranoids of us might not agree to trust it, but the company is Finnish, which may make some people feel relatively comfortable.

Open source alternatives also exist, such as VeraCrypt and  GostCrypt, but these seem to be TrueCrypt forks that merely change some cryptographic aspects of the algorithms used by TrueCrypt. Not knowing the maintainers at all, I tend to doubt that these software packages will be maintained to run on platforms where TrueCrypt does not.

Lastly, there is the promised TCnext, which promises to keep TrueCrypt alive. It has not made any progress other than making the TrueCrypt source and binaries available, but it did promise that "serious development to start soon", and that was just a month ago. We need to wait and see how this turns out.

Bottom line

There is no reason to stop using TrueCrypt while the OS supports it. If your Windows 8 installation uses UEFI, and you do not wish to convert to non-UEFI, you may use a combination of BitLocker and TrueCrypt; not optimal but tolerable.

In parallel, be on the watch for development of any of the open source alternatives mentioned above.

 Permalink

No feedback yet


Form is loading...