In May of 2014, the TrueCrypt project unexpectedly shut down. There’s been no official word on exactly why, but the fact is, it’s dead.
Like many, I’d recommended using TrueCrypt for years, and had at times used it extensively. I’ll review a little of what happened and look at available alternatives.
- TrueCrypt is dead.
- Years later, TrueCrypt’s death is still shrouded in mystery.
- VeraCrypt is a more or less direct replacement for TrueCrypt.
- Other alternatives exist as well.
- It’s time to stop using TrueCrypt.
But first, the bottom line
If you’re still using TrueCrypt (and it remains available via an archive hosted by grc.com: TrueCrypt Final Release Repository), it’s time to stop and switch to one of the alternatives I’ll discuss below.
TrueCrypt may be safe. Some claim there was never a problem. But the fact is, we don’t really know, and the code is no longer being maintained.
It’s time to move to a successor or alternative.
On May 28, 2014, the TrueCrypt website was altered to present the following message:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
This page exists only to help migrate existing data encrypted by TrueCrypt.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms […]. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
The page goes on to give detailed instructions on how to migrate data from TrueCrypt encryption to Microsoft’s BitLocker.
At the bottom of the page, in big red letters, the page also says “WARNING: Using TrueCrypt is not secure”, and presents a link to the 7.2 version of TrueCrypt, which can only decrypt.
The likely scenario is that the developers were simply tired of working on TrueCrypt and decided to call it quits.
Perhaps most telling is this quote from the developer’s Twitter account: “I were [sic] happy with the audit, it didn’t spark anything. We worked hard on this for 10 years, nothing lasts forever.”
TrueCrypt alternative #1: VeraCrypt
VeraCrypt is a fork (copy) of the TrueCrypt source code that’s been taken over and continues to be maintained. As a result, it’s functionally extremely similar to TrueCrypt — so much so that it’s easy to mistake it for TrueCrypt itself.
It can read and write TrueCrypt containers, and can also convert them to its own format. VeraCrypt has also made some improvements to the encryption algorithms used.
If all you are looking for is a plug-and-play replacement, VeraCrypt is my recommendation.
TrueCrypt alternative #2: BitLocker
This is the alternative recommended by the original TrueCrypt developers on their way out. At the time, BitLocker had enough issues that I essentially dismissed it.
That’s no longer true. Particularly for whole-disk encryption, using BitLocker (if it’s available in your edition of Windows) is a fine solution. The conversion is some work, of course.
BitLocker is included in all but the Home edition of Windows 10. If you have the Home edition, you’ll need to upgrade or choose an alternative.
TrueCrypt alternative #3: BoxCryptor
These days, my encryption tool of choice is BoxCryptor. While targeted at transparently encrypting the files you place in cloud services like Dropbox (which is what I use it for), there’s nothing that says it must be used with cloud services.
Even as a stand-alone encryption tool, it can be used in ways that mimic some of TrueCrypt’s functionality.
TrueCrypt alternative #4: manual encryption
It’s certainly possible that you don’t need the seamless approach offered by most of the alternatives listed above. If that’s the case, stand-alone tools like 7-Zip or WinZip can be used.
Care must be taken to create zip archives using a password to enable encryption. Care must also be taken to clean up any decrypted files, and possibly wipe free space as files are manually decrypted, altered, and re-encrypted.
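One way to confirm that the password step actually took effect on a .zip archive is to read each entry's encryption flag from the archive's directory. This Python check is an added example, not part of the original article. It goes slightly beyond the text by also distinguishing the legacy zip cipher from AES. The function names and sample file name are assumptions, and it covers the .zip format only, not .7z.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x1   # general-purpose bit 0: entry is encrypted
WINZIP_AES = 99        # compression method id used by WinZip AES (AE-x) entries


def audit_zip(source):
    """Return {entry name: 'plaintext' | 'zipcrypto' | 'aes'} for a .zip archive.

    Only the central directory is read, so no password is needed.
    """
    report = {}
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # directory entries carry no data to protect
            if not info.flag_bits & ENCRYPTED_FLAG:
                report[info.filename] = "plaintext"
            elif info.compress_type == WINZIP_AES:
                report[info.filename] = "aes"
            else:
                report[info.filename] = "zipcrypto"  # legacy cipher, weak
    return report


def constructed_sample(flags=0, method=None):
    """Build a one-entry zip in memory, then patch its central-directory
    header to carry the given flag bits / method. Constructed test input:
    the data is not really encrypted, only labelled the way a tool would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("taxes-2014.txt", "constructed sample data")
    raw = bytearray(buf.getvalue())
    cd = raw.rfind(b"PK\x01\x02")          # central directory file header
    old_flags, old_method = struct.unpack_from("<HH", raw, cd + 8)
    struct.pack_into("<HH", raw, cd + 8, old_flags | flags,
                     old_method if method is None else method)
    return io.BytesIO(bytes(raw))


if __name__ == "__main__":
    for label, sample in [("no password", constructed_sample()),
                          ("legacy", constructed_sample(ENCRYPTED_FLAG)),
                          ("AES", constructed_sample(ENCRYPTED_FLAG, WINZIP_AES))]:
        print(label, audit_zip(sample))
```

Any entry reported as "plaintext" was stored without a password. File names in a .zip remain readable even when the contents are encrypted, which is why this check needs no password.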
The bottom line, again
In the original version of this article, I stated:
- It’s safe to keep using TrueCrypt.
- The existing developers are quitting.
- Someone else may pick it up, but it’ll probably take a while.
Number 1 may be true, but there’s no hard data that supports the assertion. It’s safer to move on and stop using TrueCrypt.
Number 2 is absolutely true.
Number 3 came to pass. VeraCrypt exists and continues to be supported. If you need a direct TrueCrypt replacement, it’s my recommendation.