That was the question circulating on internet support and security forums and discussions after the TrueCrypt site was unexpectedly replaced with a message that presented several potentially dire, and yet very vague warnings.
Like many, I’ve recommended using TrueCrypt for years, and in fact I’m a very heavy user of it myself.
Is it dead? I honestly don’t know yet. I hope not.
I’ll review what we do know, what I’m doing, and what I recommend most people do. I’ll also try to answer common questions, and keep this article updated as new information comes in.
But first, the bottom line
I believe TrueCrypt, specifically TrueCrypt 7.1a, remains secure. In my opinion you do not need to stop using TrueCrypt.
Since TrueCrypt development has halted and no fix is likely forthcoming, I can no longer recommend its use.
My tentative understanding is that VeraCrypt is a free, compatible, and supported alternative, based on a fork of the original TrueCrypt code. And yes, these most recent vulnerabilities are supposedly fixed therein.
As we’ll see shortly, what little evidence there is points to the developers (who remain unknown, or at least unconfirmed) simply having grown tired of maintaining it, and having no interest in moving it forward to new operating system versions and new disk formats.
I believe that the claim that TrueCrypt is “not secure” is in all likelihood simply the developers’ attempt to distance themselves from any potential responsibility so that they can move on with their lives.
On May 28, 2014 the TrueCrypt website was altered to present the following message:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
This page exists only to help migrate existing data encrypted by TrueCrypt.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms […]. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
The page then goes on to give detailed instructions on how to migrate data from TrueCrypt encryption to Microsoft’s BitLocker.
At the bottom of the page, in big red letters, the page also says “WARNING: Using TrueCrypt is not secure”, and presents a link to the 7.2 version of TrueCrypt, which can only decrypt.
All of the above happened without warning and without explanation. No one has come forward to take responsibility or explain exactly why TrueCrypt appears to be shutting down.
The internet being what it is, this has led to rampant speculation, much of it completely unfounded. Theories include:
- The developers simply deciding to quit. As odd as this sounds, this appears to be the most likely scenario.
- The developers quitting in the face of some government threat. There is zero data to support this.
- The product having failed some crucial part of a security audit. This is unlikely, as the first phase of the audit has been completed and it passed with flying colors. The second phase has not yet begun.
- The account used by the TrueCrypt developers was hacked and this was not their work. Several pieces of information such as domain registration and code signing of the new 7.2 release would indicate that this is highly unlikely.
- Some kind of “dead man’s switch” – an automated process that kicks in if the developers fail to perform certain activities for a period of time; a sort of “safety net” for the world should the developers ever simply disappear.
Other speculation includes a spat between developers, the developers feeling under-appreciated, or other outside influences.
This page – What happened to Truecrypt – May 2014 – contains a relatively good list of all current speculation with references.
The likely scenario
As I mentioned above, the likely scenario is that the developers were simply tired of working on TrueCrypt and decided to call it quits.
Steve Gibson quantifies this scenario excellently in his article: An Imagined Letter from the TrueCrypt Developer(s). Yes, it’s speculative fiction, but based on what little we do know, it feels very, very plausible.
Perhaps most telling is a Twitter report of a conversation between one of the audit team members and a TrueCrypt developer. One key takeaway from that conversation is that protecting Windows systems was the original goal of TrueCrypt, and that the developer also considers BitLocker to be “good enough” (a point with which I, and many others, disagree).
Perhaps more telling still was this quote: “I were [sic] happy with the audit, it didn’t spark anything. We worked hard on this for 10 years, nothing lasts forever.”
The future of TrueCrypt
The developer also expressed concern that forking (making a copy of) the open-source source code and having others continue development is a bad idea. My expectation, however, is that this is exactly what will happen.
It remains to be seen who will do this (sadly, I predict several will try), what they may call it, and ultimately how successful they might be.
Fortunately we will have time to see what happens.
Should you stop using TrueCrypt?
In my opinion the average user should not stop using TrueCrypt if it’s working well for them now.
At this time there is no evidence whatsoever that there is any kind of a security issue with TrueCrypt. Yes, the developers left a snarky “TrueCrypt is not secure” comment, but I and many others believe that simply refers to the fact that they will no longer be supporting it or adapting it to new environments.
I will continue to use TrueCrypt, as I have for years, until a concrete reason not to appears.
On the other hand, if you are in a particularly sensitive environment (e.g. if you are the NSA 🙂 ), or you’re simply completely distressed by this turn of events or just plain paranoid, then perhaps it is time for you to look for an alternative.
What alternatives to TrueCrypt are there?
That’s the million dollar question. TrueCrypt has been unique in terms of its security, functionality, and, most importantly for many, its cross-platform capabilities. That’s a hard mix to replace, and at this time I’m not aware of a single tool that will do everything that TrueCrypt does.
Depending on your needs you may not need all that TrueCrypt does, and other tools may be sufficient.
Platform-specific tools like BitLocker might be appropriate, if used properly, though not all versions of Windows include it. (One safety note if you go the BitLocker route: export and save the encryption certificate – it may be the only way to recover your data should something go wrong. And back up your data somehow, ideally secured via a different method.)
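One way to act on that safety note from the command line, as an added example that is not from this article or from Microsoft: the script below lists every BitLocker-protected volume, makes sure each one has a numerical recovery-password protector, and writes that 48-digit recovery password to a file on a separate drive. It assumes Windows 8 or later (where the BitLocker PowerShell module and its Get-BitLockerVolume / Add-BitLockerKeyProtector cmdlets exist), an elevated PowerShell session, and that the $BackupRoot path (a hypothetical removable drive letter) is something you change to suit your own setup.

```powershell
# Added example (not from the article): enumerate BitLocker volumes and save
# each volume's numerical recovery password to a file on removable media.
# Assumes Windows 8 / Server 2012 or later (BitLocker module) and an elevated
# PowerShell session. $BackupRoot is an assumed path: point it at a removable
# drive, never at the encrypted volume itself.

#Requires -RunAsAdministrator
param(
    [string]$BackupRoot = 'E:\BitLockerRecovery'   # assumed removable-drive path
)

Import-Module BitLocker

if (-not (Test-Path $BackupRoot)) {
    New-Item -ItemType Directory -Path $BackupRoot | Out-Null
}

foreach ($vol in Get-BitLockerVolume) {
    # Only volumes BitLocker has actually encrypted have anything to recover.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host "$($vol.MountPoint) is not encrypted; skipping."
        continue
    }

    $recovery = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recovery) {
        # A volume protected only by a TPM or a password has no fallback if that
        # protector fails, so add a recovery-password protector before saving.
        Write-Warning "$($vol.MountPoint) has no recovery-password protector; adding one."
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($kp in $recovery) {
        # Name the file after the protector ID: the BitLocker recovery screen
        # shows that ID, so the right file can be matched to the right prompt.
        $name = ($kp.KeyProtectorId -replace '[{}]', '') + '.txt'
        $path = Join-Path $BackupRoot $name
        @(
            "BitLocker recovery password for volume $($vol.MountPoint)",
            "Key protector ID: $($kp.KeyProtectorId)",
            "Recovery password: $($kp.RecoveryPassword)"
        ) | Out-File -FilePath $path -Encoding ASCII
        Write-Host "Saved recovery password for $($vol.MountPoint) to $path"
    }
}
```

Run it from an elevated PowerShell prompt with the removable drive plugged in, then store that drive somewhere other than with the computer: the recovery password unlocks the volume on its own, so a copy left on the same machine defeats the point of the backup.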
More focussed tools like AxCrypt or 7-zip may meet your needs.
If I were forced to make a change today without any additional research, my current alternative might be BoxCryptor. While targeted at transparently encrypting the files you place in cloud services like Dropbox – which is what I use it for – it can also be used in ways that mimic some of TrueCrypt’s functionality.
The near future
As I said, this all happened unexpectedly and with a serious lack of clarity. It’s unfortunate, and I think everyone wishes it had been handled more clearly and openly, but it is what it is.
What that means is that everything is subject to change as more information comes out.
But I suspect we have 90% of the answer.
And to me that means:
- It’s safe to keep using TrueCrypt.
- The existing developers are quitting.
- Someone else may pick it up, but it’ll probably take a while.
Bottom line: for most people no action is required at all.