Establishing Digital Trust: Don't Sacrifice Security for Convenience
The anonymous developers of the free and hugely popular TrueCrypt disk encryption program dropped a bombshell at the end of May when they abruptly abandoned the project.
The top of TrueCrypt's website was emblazoned with the following message in red: "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues." It also said development of TrueCrypt had ended after Microsoft terminated support for Windows XP and recommended that users of Windows 8, 7 and Vista migrate to Microsoft's BitLocker disk encryption utility.
The site provides instructions for migrating to BitLocker. The only version of TrueCrypt that is available for download on the site, version 7.2, is only good for decrypting existing data to carry out the migration process.
Why Was TrueCrypt Abandoned?
The unanswered question is why TrueCrypt was abandoned. The reason given - that Microsoft has terminated support for Windows XP - appears to be a non sequitur unless you conclude that TrueCrypt was only intended to provide full disk encryption for operating systems that do not have it built in; since Windows, OS X and versions of Linux (such as Ubuntu) do, the end of support for XP means that TrueCrypt is no longer needed.
Many other possibilities have been suggested including:
- The developers simply no longer wanted to continue the project
- The developers were approached by the NSA or some other government agency to introduce a backdoor into the software, and decided to stop the project instead without breaching any gagging orders. (Something similar happened to secure email provider Lavabit, resulting in that company abruptly shutting down.)
- A code audit that is being carried out, using $60,000 that was raised on Indiegogo and Fundfill, revealed one or more serious security flaws that have not yet been disclosed. (An initial report into just the bootloader and Windows kernel driver of the program identified 11 vulnerabilities, said the quality of the source code was bad, and concluded that "overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code.")
So what should current or potential TrueCrypt users do now?
Let It Ride?
One possibility, as advocated by security expert Steve Gibson, is simply to carry on using it. That may sound reckless given that the project has been abandoned by its original authors, but Gibson calls the belief that stopping support for a product renders it immediately untrustworthy "perverse and wrongheaded."
He points out that version 7.1a of TrueCrypt, the version that was offered before the project was canceled and which was replaced by the crippled version 7.2, had been successfully used by millions of people since its release in February 2012. "Suddenly, for no disclosed reason, we should no longer trust it?" he asks.
For those who want to follow Gibson's advice, version 7.1a of TrueCrypt is still available from a new site, truecrypt.ch, which is based in Switzerland to guarantee no interruption due to legal threats from the United States. The site styles itself as a gathering place for up-to-date information on TrueCrypt and for people who want to fork the code and continue its development.
In the meantime, the security audit of the original code is continuing, so there is a good chance it will discover any fatal weaknesses.
If you decide to take the developers' advice and avoid using TrueCrypt, then you are faced with the choice of moving to an open source or a proprietary alternative encryption program.
One of the key attractions of TrueCrypt to many was that it was open source. So in theory any inadvertent weaknesses or deliberate backdoors that may have been placed in it could be detected by inspection of the source code.
But if there is one thing that the Heartbleed SSL fiasco has taught us, it's that there is no guarantee that a sufficient number of skilled people are inspecting code of open source applications for weaknesses.
That being the case, it would appear there is little security benefit from choosing an open source project rather than a proprietary application (or indeed the reverse). The only way to be reasonably certain that code is secure is to audit it in a systematic fashion in the way that the TrueCrypt code is being audited.
Here are some of the best known alternatives to TrueCrypt that are worth considering:
- BitLocker: Most businesses use Microsoft's Windows operating systems, and the good news is that many versions of Windows - both for servers and end-user machines - include Microsoft's BitLocker encryption software.
- FileVault 2: OS X Lion and later versions include FileVault 2 disk encryption as part of the operating system.
- Symantec Drive Encryption: This uses encryption technology that Symantec acquired through its purchase of PGP. The product provides full disk encryption for Windows, OS X and Linux machines.
- McAfee Complete Data Protection: Full disk encryption is included as part of a security suite that also provides file and removable media encryption for PCs running Windows 2000 or later.
- BestCrypt: BestCrypt offers container encryption, storing selected files and folders in encrypted containers that can be moved between Windows, OS X and Linux. It also offers full disk encryption, for Windows only.
- AxCrypt: AxCrypt is an open source file encryption program that integrates with Windows to encrypt individual files (not an entire disk). The software can create self-decrypting files that can be sent to others and decrypted with a password, without the recipient needing to install AxCrypt.
The irony of all of this is that once the independent security audit of TrueCrypt is complete, it will likely be the only mass storage encryption solution to have been audited in its current version. As Gibson pointed out, "This will likely cement TrueCrypt's position as the top, cross-platform, mass storage encryption tool."
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.