Is TrueCrypt dead?

That was the question circulating on internet support and security forums after the TrueCrypt site was unexpectedly replaced with a message that presented several potentially dire, and yet very vague, warnings.

Like many, I’ve recommended using TrueCrypt for years, and in fact I’m a very heavy user of it myself.

Is it dead? I honestly don’t know yet. I hope not.

I’ll review what we do know, what I’m doing, and what I recommend most people do. I’ll also try to answer common questions, and keep this article updated as new information comes in.


But first, the bottom line

My original bottom line, written in May 2014, was that TrueCrypt, specifically TrueCrypt 7.1a, remained secure, and that you did not need to stop using it.

IMPORTANT On September 30, 2015, it was reported that a serious security vulnerability had been discovered in TrueCrypt. Not a weakness in its encryption, but a more traditional bug in TrueCrypt's Windows driver: malicious software already running on your machine could use it to gain administrative privileges.

Since TrueCrypt development has halted and no fix is forthcoming, I can no longer recommend its use.

VeraCrypt is a free, compatible, and actively maintained alternative, based on a fork of the original TrueCrypt source code, and its maintainers fixed these driver flaws shortly after they were reported.

As we'll see shortly, what little evidence there is points to the developers (who remain unknown, or at least unconfirmed) simply having grown tired of maintaining it, with no interest in adapting it to new operating system versions and new disk formats.

I believe the claim that TrueCrypt is "not secure" is in all likelihood simply the developers' attempt to distance themselves from any potential responsibility so that they can move on with their lives.

What happened

On May 28, 2014 the TrueCrypt website was altered to present the following message:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms […]. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

The page then goes on to give detailed instructions on how to migrate data from TrueCrypt encryption to Microsoft's BitLocker.

At the bottom of the page, in big red letters, it also says "WARNING: Using TrueCrypt is not secure", and presents a link to version 7.2 of TrueCrypt, a build that can only decrypt existing volumes and cannot create or encrypt new ones.
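Since the official site now offers only the decrypt-only 7.2 build, anyone who wants the full 7.1a version has to obtain it from a mirror (such as the GRC repository listed in the footnotes) and should verify it before running it. The following PowerShell is an added example, not code from the article or from the TrueCrypt project. The installer path and the expected SHA-256 value are placeholders to be filled in from a listing you trust; the script checks the content hash and the Authenticode signature together, since a tampered binary can fail either one.

```powershell
# Added example (not from the original article). Verify a TrueCrypt installer
# obtained from a mirror before running it.
# Assumptions: $Path and $ExpectedSha256 are placeholders you fill in from a
# trusted source; nothing here is specific to one mirror.

function Test-InstallerIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # 1. Content hash: catches a modified, truncated or swapped download.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = $actual -ieq $ExpectedSha256

    # 2. Authenticode: the installer should carry a valid signature from the
    #    same publisher as earlier releases (compare Signer against a copy you
    #    already trust). A missing or broken signature means the binary was
    #    rebuilt or altered after signing. Note that an old certificate without
    #    a timestamp countersignature can report a non-Valid status even when
    #    the file is untouched, so inspect Signer rather than relying on Status
    #    alone in that case.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $sigOk  = $sig.Status -eq 'Valid'
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    [pscustomobject]@{
        Path        = $Path
        Sha256      = $actual
        Sha256Match = $hashOk
        SigStatus   = $sig.Status
        Signer      = $signer
        Trusted     = ($hashOk -and $sigOk)
    }
}

# Usage: fill in both values, then refuse to run the installer unless Trusted is True.
$result = Test-InstallerIntegrity -Path 'C:\Downloads\TrueCrypt Setup 7.1a.exe' `
                                  -ExpectedSha256 '<sha256 from a trusted listing>'
$result | Format-List
if (-not $result.Trusted) { Write-Warning 'Integrity check failed; do not run this installer.' }
```

The hash comparison protects against a mirror serving a different file; the signature check protects against a file that was re-signed by someone other than the original publisher. Only accept the installer when both checks pass.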

The speculation

All of the above happened without warning and without explanation. No one has come forward to take responsibility or explain exactly why TrueCrypt appears to be shutting down.

The internet being what it is, this has led to rampant speculation, much of it completely unfounded. Theories include:

  • The developers simply deciding to quit. As odd as this sounds, this appears to be the most likely scenario.
  • The developers quitting in the face of some government threat. There is zero data to support this.
  • The product having failed some crucial part of a security audit. This is unlikely: the first phase of the audit had already been completed and found no evidence of backdoors or serious design flaws. The second phase had not yet begun.
  • The account used by the TrueCrypt developers was hacked and this was not their work. Several pieces of information, such as the domain registration and the fact that the new 7.2 release was code-signed with the developers' key, indicate that this is highly unlikely.
  • Some kind of "dead man switch": an automated process that kicks in if the developers fail to perform certain activities for a period of time, a sort of "safety net" for the world should the developers ever simply disappear.

Other speculation includes a spat between developers, the developers feeling under-appreciated, or other outside influences.

This page – What happened to Truecrypt – May 2014 – contains a relatively good list of all current speculation with references.

The likely scenario

As I mentioned above, the likely scenario is that the developers were simply tired of working on TrueCrypt and decided to call it quits.

Steve Gibson captures this scenario well in his article: An Imagined Letter from the TrueCrypt Developer(s). Yes, it's speculative fiction, but based on what little we do know, it feels very, very plausible.

Perhaps most telling is a Twitter report of a conversation between one of the audit team members and a TrueCrypt developer. One key takeaway from that conversation is that protecting Windows systems was the original goal of TrueCrypt, and that the developer considers BitLocker to be "good enough" (a point with which I, and many others, disagree).

Most telling of all was this quote: "I were [sic] happy with the audit, it didn't spark anything. We worked hard on this for 10 years, nothing lasts forever."

The future of TrueCrypt

The developer also expressed concern that forking the open-source code (copying it and continuing development under a new name) would be a bad idea. My expectation, however, is that this is exactly what will happen.

It remains to be seen who will do this (sadly, I predict several will try), what they may call it, and ultimately how successful they might be.

Fortunately we will have time to see what happens.

Should you stop using TrueCrypt?

No. In my opinion the average user should not stop using TrueCrypt if it's working well for them now.

At this time there is no evidence whatsoever of any kind of security issue with TrueCrypt 7.1a. Yes, the developers left a snarky "TrueCrypt is not secure" comment, but I and many others believe that simply refers to the fact that they will no longer be supporting it or adapting it to new environments.

I will continue to use TrueCrypt, as I have for years, until a concrete reason not to appears.

On the other hand, if you are in a particularly sensitive environment (i.e. if you are the NSA 🙂 ), or you’re simply completely distressed by this turn of events or just plain paranoid, then perhaps it is time for you to look for an alternative.

What alternatives to TrueCrypt are there?

That's the million dollar question. TrueCrypt has been unique in terms of its security, functionality, and, most importantly for many, its cross-platform support. That's a hard mix to replace, and at this time I'm not aware of a single tool that will do everything TrueCrypt does.

Depending on your needs you may not need all that TrueCrypt does, and other tools may be sufficient.

Platform-specific tools like BitLocker might be appropriate, if used properly, though not all editions of Windows include it. (One safety note if you go the BitLocker route: save the 48-digit recovery key somewhere other than the drive it protects. It is what BitLocker falls back on when the normal unlock fails, and may be the only way to recover your data should something go wrong. And back up your data somehow, ideally secured via a different method.)

More focused tools like AxCrypt or 7-Zip may meet your needs.
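For readers taking the BitLocker route, the following PowerShell is an added example (not code from the article or from Microsoft's documentation) of turning BitLocker on for a data drive and saving the recovery key off-drive in the same step, so the safety note above is not forgotten. The drive letter and backup folder are placeholders; it assumes a Windows edition that ships BitLocker, an elevated session, and a backup location that is not the drive being encrypted.

```powershell
# Added example (not from the original article). Enable BitLocker on a data
# drive and immediately save the 48-digit recovery password somewhere else.
# Assumptions: $Drive and $BackupFolder are placeholders; run elevated on a
# Windows edition that includes BitLocker. For the OS drive you would normally
# use -TpmProtector instead of a password protector.

$Drive        = 'D:'                      # drive to protect
$BackupFolder = 'E:\bitlocker-recovery'   # removable media, NOT $Drive itself

# 1. Turn BitLocker on with a password protector for day-to-day unlocking.
$pw = Read-Host -AsSecureString -Prompt "Unlock password for $Drive"
Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 `
                 -PasswordProtector -Password $pw

# 2. Add a recovery password protector: this is the fallback if the password
#    is lost or the drive is moved to another machine.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null

# 3. Read the recovery password back from the volume's key protectors.
$vol = Get-BitLockerVolume -MountPoint $Drive
$rp  = $vol.KeyProtector |
       Where-Object KeyProtectorType -eq 'RecoveryPassword' |
       Select-Object -First 1

# 4. Save it off-drive. Losing both the password and this key means losing the data.
New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
$out = Join-Path $BackupFolder ("recovery-{0}-{1}.txt" -f $env:COMPUTERNAME, $Drive.TrimEnd(':'))
@(
    "Computer:      $env:COMPUTERNAME"
    "Drive:         $Drive"
    "Protector ID:  $($rp.KeyProtectorId)"
    "Recovery key:  $($rp.RecoveryPassword)"
) | Set-Content -LiteralPath $out
Write-Host "Recovery key saved to $out. Move this file to a safe place."

# Optional, for a domain-joined machine: escrow the same protector in Active Directory.
# Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId

# 5. Confirm protection is on and watch encryption progress.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

ProtectionStatus reports On only once the protectors are active; EncryptionPercentage climbs to 100 in the background. Keep the saved recovery file on offline media (or print it), not in a folder on the encrypted drive, and test the recovery path once before you rely on it.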

If I were forced to make a change today without any additional research, my current alternative might be BoxCryptor. While it is targeted at transparently encrypting the files you place in cloud services like Dropbox (which is what I use it for), it can also be used in ways that mimic some of TrueCrypt's functionality.

The near future

As I said, this all happened unexpectedly and with a serious lack of clarity. It’s unfortunate, and I think everyone wishes it had been handled more clearly and openly, but it is what it is.

What that means is that everything is subject to change as more information comes out.

But I suspect we have 90% of the answer.

And to me that means:

  1. It’s safe to keep using TrueCrypt.
  2. The existing developers are quitting.
  3. Someone else may pick it up, but it’ll probably take a while.

Bottom line: for most people no action is required at all.

Footnotes & references

grc.com – TrueCrypt Final Release Repository – More than a repository, this includes more information from Steve Gibson on what happened, potential reasons why it happened, and whether or not we need to panic (spoiler: no).

36 comments on “Is TrueCrypt dead?”

  1. “Yes, the developers left a snarky “TrueCrypt is not secure” ” This doesn’t sound much different than the language Microsoft is using when talking about XP. There is a slight parallel as TrueCrypt is no longer being patched. The main difference is that the code for TrueCrypt is exponentially smaller, so the odds of vulnerabilities would be exponentially smaller. One potential risk would be if a vulnerability is found in the encryption algorithms used. (After all, mathematicians are working feverishly to crack these.) This may or may not ever happen, but I imagine the developers don’t want to risk being responsible for any problems like that. And since they don’t plan to deal with TrueCrypt anymore, that message is expected to be up for years to come and may eventually become insecure.

  2. Yikes. My fear with all types of backup/encryption/DRM formats is that someday they will be unsupported, and then you may lose access to all the data.

    • TrueCrypt has never been hacked AFAWK. For most security conscious users that is good enough to keep using. If the NSA targets you, you are F’d no matter your framework.

  3. Someone pointed out that if your take the first letters of the message on the Truecrypt site “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues” which are “uti nsa im cu si” (minus the ‘w’ in warning) and put them into google translate from Latin to English you get “If I wish to use the NSA”. Interesting.

    • You have far too much time on your hands….

      Take any sentence, play around with the characters in a variety of languages, and you’ll find something that interests a conspiracy nut.

  4. That some of the best security developers on the planet would recommend using questionable security alternatives must mean that they cannot talk for certain reasons. Why are no foreign developers talking of taking over the OSS code? Warning not to do this is another hint that something serious happened to the current developers.

  5. I think users storing their encrypted files in the cloud is the NSA’s wet dream: plenty of real files to try to crack.

    • I’m not so sure about that. It might be their worst nightmare. Before encryption became so popular, spies could assume that everything encrypted was of interest to them. Now a haystack of encrypted files has grown up around those needles and the NSA might end up spending several hours of computer time to crack an old lady’s shopping list.

    • My concern is that we’ll see a LOT of clones of TrueCrypt, building on the TrueCrypt source code, created by a wide variety of people ranging from the qualified to the not qualified to government and other entities masquerading as legit. It’s going to be a mess for a while, and I see no reason at this time to switch away from TrueCrypt at all.

    • I would find a few reasons to stay away from something like this –
      1. It hasn't been as peer reviewed as TrueCrypt, so there's no way of knowing about back doors or accidentally added vulnerabilities.
      2. If it really is based on TrueCrypt, any vulnerabilities found in TrueCrypt would also show up in this one, as it's based on TrueCrypt.
      3. If it's only based on TrueCrypt functionality, there's no way of knowing how well the encryption is done.

  6. I tried TrueCrypt many years ago and it failed miserably at whole disk encryption. I switched to BitLocker and have had no issues over the last 5+ years. I use BitLocker To Go on my external disks that need to be encrypted. It’s worth the few extra bucks to upgrade your OS.

    • GnuPG is great for encrypting files, especially if you are sending those files to another GPG user, as you can encrypt it with a key they send you, which encrypts it in a way only they (and other specified recipients) can decrypt. It's not designed to work with encrypted folders and volumes. PGP from Symantec is a good replacement for TrueCrypt, but it is not free. PGP also lets you exchange encryption keys like GPG. GPG copied the functionality of PGP.

  7. How about SkyCrypt? I started using it 3-4 months ago and it works fine for me.... does anyone have experience with this??

  8. I took my TrueCrypt files with me when I moved from Windows XP to Ubuntu 12.02 in March and it ran perfectly. Last month I updated to Ubuntu 14.04 and last week found I couldn't encrypt anymore with my TrueCrypt version. That means that somewhere between 12.04 and 14.04 Ubuntu has added a kill switch to specifically target TrueCrypt. My bottom line: TrueCrypt just ran too damn good for the NSA to tolerate.

    • I know this post is five months old, but:

      Perhaps the version of the software in your new Ubuntu is 7.2, which the article mentions is only capable of decryption?

  9. I have used TrueCrypt 7.1, very nice application! Hope it is possible to change the encryption algorithm to be safe. Now it is possible to find some free applications with the same functions: DiskCryptor, Rohos Mini, etc. I think Rohos Mini is a good alternative. It can create encrypted volumes on USB and hard drives. It pastes the portable application along with the container on the USB drive, so it is possible to use it on another computer without administrative rights.

  10. I doubt the developers quit. Otherwise, why not just say “we are tired now, so we are quitting”? There is nothing wrong with saying that and ending it. What really happened? The truecrypt people found out that the NSA had identified them and were spying on them. The NSA does shit like this. They track people, use gangstalking techniques to harass and intimidate targets. They use microwave technology to eavesdrop on targets without the need for bugs. They use Van Eck Phreaking to spy on peoples computers that are not connected to the internet. They have listening devices that allow them to listen in on a person’s subvocalizations. I caught a neighbor doing ALL of these things to me back in 2008. The NSA goons probably {Removed}ed up and got caught with their pants down, the same way that I caught my neighbor spying on me. It took me years of research to realize this is real. I am still being targeted and tracked. If a nobody like me is targeted (so far in the 5th year) what makes you think that the NSA would not go to extremes to target the truecrypt developers? The quote: “I were [sic] happy with the audit, it didn’t spark anything. We worked hard on this for 10 years, nothing lasts forever.” only tells us that the developers were not American, which we probably already knew.

  11. 1. Is BoxCryptor or VeraCrypt better?

    2. Which software is more similar to TrueCrypt? I do not want to learn new software all over again.

    3. Is there some way to convert the TrueCrypt container to become a BoxCryptor/VeraCrypt container? Is the only way to move by manually cutting the files inside the TrueCrypt container and pasting them into the BoxCryptor/VeraCrypt container?

    Thanks

    • 1. Both operate differently. VeraCrypt encrypts all the files into one large container, whose size you must determine when setting it up. It is one file which holds all of the encrypted files. BoxCryptor encrypts all of the files individually and keeps them in one folder. There is no predetermined size. I personally prefer BoxCryptor, because it only has to update the changed files when synchronizing with the cloud (Dropbox, OneDrive etc.), whereas with VeraCrypt, the whole container is uploaded and downloaded each time a file is changed. Also the size of the BoxCryptor folder is dynamic. Its size is the combined size of each of the files. VeraCrypt's container is the size you set at creation time. If you need more space, you need to create a new container large enough to hold the new data.
      2. VeraCrypt is a continuation of TrueCrypt. It is a project which is based on the original Truecrypt source code.
      3. To migrate from TrueCrypt to BoxCryptor, it requires copying the unencrypted files to the BoxCryptor folder. VeraCrypt, on the other hand, supports conversion.
      https://veracrypt.codeplex.com/wikipage?title=Converting%20TrueCrypt%20volumes%20and%20partitions

    • 1. Depends on your needs. Sorry. They’re both good.

      2. VeraCrypt. It’s based on TrueCrypt source code and looks VERY familiar.

      3. You shouldn’t need to. VeraCrypt will operate on TrueCrypt volumes. (But only way to convert is to create a new volume and manually copy the contents, yes.)

      • QA. “VeraCrypt will operate on TrueCrypt volumes” > Does it mean that I can use VeraCrypt and mount a TrueCrypt file to open the TrueCrypt container and add/delete files inside the container?

        QB. Is it okay if I do not do anything to the old TrueCrypt files I have created? I mean I will use VeraCrypt software and mount a TrueCrypt file to use the TrueCrypt container. I did not create a new VeraCrypt file (container), and I did not manually copy the contents from TrueCrypt file to a VeraCrypt file.

        QC. Your article says “On September 30, 2015, it was reported that a security vulnerability had been discovered in TrueCrypt.”. If I use VeraCrypt software to mount a TrueCrypt file, would it still have a security vulnerability?
        Thanks

        • A: yes
          B: it's OK, but as I understand it some issues have been resolved with VeraCrypt that may make a VeraCrypt-created container slightly more secure. No idea how big an issue it might be. If it were me, I'd create the new container and copy over.
          C: No one knows what that security vulnerability is – some believe it's a red herring to scare people away from the original TrueCrypt. Regardless, its successors – like VeraCrypt – are the only place that any fixes will appear.

  12. I just discovered the issue with TrueCrypt. (Because I’m just finally moving off XP to WIN 10.)

    I’ve used TrueCrypt for years and have been VERY happy with it. In my opinion, BitLocker is not even similar. With TrueCrypt I keep files on my PCs encrypted. If someone steals my dev system(s), they get nothing useful. Also with TrueCrypt, my backups are encrypted. I can lose my backup DVDs or have them get stolen with little concern that anyone will get anything useful from them.

    I want encrypted folders on my hard drives and encrypted backups.

    I think a professional, skilled, group should take a known clean copy of TrueCrypt and carefully manage it going forward; releasing expertly crafted, peer reviewed, patches as necessary. VeraCrypt seems to be overly patched and tinkered with so it scares me.

    I think the BitLocker concept is flimsy. My backup media must be encrypted as well as selected hard drive folders. Also consider that MS apps are no more robust than anything else you find on the street. (See what happens to your Outlook data if you use MS export / import tools to migrate – you lose data and all they do is give you a message to the effect that not everything could be transferred. What if encryption is similarly imperfect? So disappointed that MS was never very good – just wildly popular and embraced by a not-so-discerning user audience.)

    I would appreciate your best suggestions about what to do as I move to WIN 10 to encrypt folders on my drives AND my backup media.
