In May of 2014, the TrueCrypt project unexpectedly shut down. There’s been no official word on exactly why, but the fact is, it’s dead.
Like many, I’d recommended using TrueCrypt for years, and had at times used it extensively. I’ll review a little of what happened and look at available alternatives.
- TrueCrypt is dead.
- Years later, TrueCrypt’s death is still shrouded in mystery.
- VeraCrypt is a more or less direct replacement for TrueCrypt.
- Other alternatives exist as well.
- It’s time to stop using TrueCrypt.
But first, the bottom line
If you’re still using TrueCrypt (and it remains available via an archive hosted by grc.com: TrueCrypt Final Release Repository), it’s time to stop and switch to one of the alternatives I’ll discuss below.
TrueCrypt may be safe. Some claim there was never a problem. But the fact is, we don’t really know, and the code is no longer being maintained.
It’s time to move to a successor or alternative.
What happened
On May 28, 2014, the TrueCrypt website was altered to present the following message:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
This page exists only to help migrate existing data encrypted by TrueCrypt.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms […]. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
The page goes on to give detailed instructions on how to migrate data from TrueCrypt encryption to Microsoft’s BitLocker.
At the bottom of the page, in big red letters, the page also says “WARNING: Using TrueCrypt is not secure”, and presents a link to the 7.2 version of TrueCrypt, which can only decrypt.
The likely scenario is that the developers were simply tired of working on TrueCrypt and decided to call it quits.
Perhaps most telling is this quote from the developer’s Twitter account: “I were [sic] happy with the audit, it didn’t spark anything. We worked hard on this for 10 years, nothing lasts forever.”
TrueCrypt alternative #1: VeraCrypt
VeraCrypt is a fork (copy) of the TrueCrypt source code that’s been taken over and continues to be maintained. As a result, it’s functionally extremely similar to TrueCrypt — so much so that it’s easy to mistake it for TrueCrypt itself.
It can read and write TrueCrypt containers, and can also convert them to its own format. VeraCrypt has also made some improvements to the encryption algorithms used.
If all you are looking for is a plug-and-play replacement, VeraCrypt is my recommendation.
TrueCrypt alternative #2: BitLocker
This is the alternative recommended by the original TrueCrypt developers on their way out. At the time, BitLocker had enough issues that I essentially dismissed it.
That’s no longer true. Particularly for whole-disk encryption, using BitLocker (if it’s available in your edition of Windows) is a fine solution. The conversion is some work, of course.
BitLocker is included in all but the Home edition of Windows 10; if you have the Home edition, you’ll need to upgrade or choose an alternative.
TrueCrypt alternative #3: BoxCryptor
These days, my encryption tool of choice is BoxCryptor. While it’s targeted at transparently encrypting the files you place in cloud services like Dropbox (which is what I use it for), there’s nothing that says it must be used with cloud services.
Even as a stand-alone encryption tool, it can be used in ways that mimic some of TrueCrypt’s functionality.
TrueCrypt alternative #4: manual encryption
It’s certainly possible that you don’t need the seamless approach offered by most of the alternatives listed above. If that’s the case, stand-alone tools like 7-Zip or WinZip can be used.
Care must be taken to create the archives with a password, since that is what enables encryption. Care must also be taken to clean up any decrypted files, and possibly to wipe free space, as files are manually decrypted, altered, and re-encrypted.
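The manual encrypt-and-clean-up cycle described above, written out as a PowerShell script. This is an added example, not code from the article or from the 7-Zip project; it assumes 7-Zip is installed at its default path, and the source folder and archive name are placeholders you replace with your own.

```powershell
# Added example (not from the article): encrypt a folder with 7-Zip, verify the
# archive, then remove the plaintext and wipe free space on that volume.
# Assumptions: 7z.exe at the default install path; $Source and $Archive are
# placeholder paths.
param(
    [string]$Source   = "C:\Users\me\Documents\Private",    # placeholder
    [string]$Archive  = "C:\Users\me\Documents\Private.7z", # placeholder
    [string]$SevenZip = "C:\Program Files\7-Zip\7z.exe"
)

# Read the passphrase without echoing it, then unwrap it for 7z's command line.
$secure = Read-Host -Prompt "Archive passphrase" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$pass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# a = add to archive, -t7z = 7z format (AES-256), -p = passphrase.
# -mhe=on also encrypts the archive headers, so the file names inside the
# archive are not visible without the passphrase. A plain .zip created with -p
# encrypts file contents but cannot hide the names.
& $SevenZip a -t7z -mhe=on "-p$pass" $Archive "$Source\*" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }

# Test that the archive opens with this passphrase BEFORE touching the
# plaintext; a typo here would otherwise destroy the only readable copy.
& $SevenZip t "-p$pass" $Archive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Archive verification failed; plaintext left in place" }
$pass = $null

# Remove the plaintext, then overwrite the volume's free space so the deleted
# files cannot be brought back with an undelete tool. cipher /w is the
# built-in Windows tool for this and works on NTFS volumes.
Remove-Item -Recurse -Force $Source
$volume = Split-Path -Qualifier $Source   # e.g. "C:"
& cipher.exe /w:"$volume\"
Write-Host "Encrypted archive at $Archive; plaintext removed and free space wiped."
```

To edit the contents later, extract with `7z x -p<passphrase>` into a working folder, make the changes, re-run the script against that folder, and let it delete the extracted copy and wipe free space again. One caveat: 7-Zip takes the passphrase as a command-line argument, so it is briefly visible to anyone who can list processes on the machine; run this only on a machine you control.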
The bottom line, again
In the original version of this article, I stated:
- It’s safe to keep using TrueCrypt.
- The existing developers are quitting.
- Someone else may pick it up, but it’ll probably take a while.
Number 1 may be true, but there’s no hard data that supports the assertion. It’s safer to move on and stop using TrueCrypt.
Number 2 is absolutely true.
Number 3 came to pass. VeraCrypt exists and continues to be supported. If you need a direct TrueCrypt replacement, it’s my recommendation.
“Yes, the developers left a snarky ‘TrueCrypt is not secure’” This doesn’t sound much different than the language Microsoft is using when talking about XP. There is a slight parallel as TrueCrypt is no longer being patched. The main difference is that the code for TrueCrypt is exponentially smaller, so the odds of vulnerabilities would be exponentially smaller. One potential risk would be if a vulnerability is found in the encryption algorithms used. (After all, mathematicians are working feverishly to crack these.) This may or may not ever happen, but I imagine the developers don’t want to risk being responsible for any problems like that. And since they don’t plan to deal with TrueCrypt anymore, that message is expected to be up for years to come and may eventually become insecure.
Yikes. My fear with all types of backup/encryption/DRM formats is that someday they will be unsupported, and then you may lose access to all the data.
Unsupported simply means no more changes or fixes. It does NOT mean that somehow decryption stops working.
TrueCrypt has never been hacked AFAWK. For most security conscious users that is good enough to keep using. If the NSA targets you, you are F’d no matter your framework.
Someone pointed out that if you take the first letters of the message on the TrueCrypt site “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”, which are “uti nsa im cu si” (minus the ‘w’ in warning), and put them into Google Translate from Latin to English, you get “If I wish to use the NSA”. Interesting.
You have far too much time on your hands….
Take any sentence, play around with the characters in a variety of languages, and you’ll find something that interests a conspiracy nut.
Ha ha. You are so right and you don’t have to be a conspiracy theorist nut either.
What about FreeOTFE? Could this be considered a TrueCrypt alternative?
No as it is not cross-platform. I use TrueCrypt on Mac, Linux, Win32/64.
That some of the best security developers on the planet would recommend using questionable security alternatives must mean that they cannot talk for certain reasons. Why are no foreign developers talking of taking over the OSS code? Warning not to do this is another hint that something serious happened to the current developers.
I think users storing their encrypted files in the cloud is the NSA’s wet dream: plenty of real files to try to crack.
I’m not so sure about that. It might be their worst nightmare. Before encryption became so popular, spies could assume that everything encrypted was of interest to them. Now a haystack of encrypted files has grown up around those needles and the NSA might end up spending several hours of computer time to crack an old lady’s shopping list.
All things TrueCrypt from now on: http://truecrypt.ch/
Too bad not https force.
My concern is that we’ll see a LOT of clones of TrueCrypt, building on the TrueCrypt source code, created by a wide variety of people ranging from the qualified to the not qualified to government and other entities masquerading as legit. It’s going to be a mess for a while, and I see no reason at this time to switch away from TrueCrypt at all.
VeraCrypt is TrueCrypt-based but enhances its functionality up a few notches!
It can be found here: http://sourceforge.net/projects/veracrypt/
I would find a few reasons to stay away from something like this:
1. It hasn’t been as peer reviewed as TrueCrypt, so there’s no way of knowing about back doors or accidentally added vulnerabilities.
2. If it really is based on TrueCrypt, then if any vulnerabilities are found in TrueCrypt, they would also show up in this one.
3. If it’s only based on TrueCrypt functionality, there’s no way of knowing how well the encryption is done.
I tried TrueCrypt many years ago and it failed miserably at whole disk encryption. I switched to BitLocker and have had no issues over the last 5+ years. I use BitLocker To Go on my external disks that need to be encrypted. It’s worth the few extra bucks to upgrade your OS.
Bitlocker is supplied by MS. That alone is enough for me to avoid it.
Hello,
I’ve been trying to find an alternative, as I had not used TrueCrypt before its demise, and you are correct… there’s nothing out there like it and very few that meet my needs.
Anyway, found a couple that may work & if anyone has any experience with either, would love to hear about it.
http://www.kruptos2.com/index.html
https://www.gnupg.org/
Thanks!
GnuPG is great for encrypting files, especially if you are sending those files to another GPG user, as you can encrypt them with a key they send you, which encrypts them in a way only they (and other specified recipients) can decrypt. It’s not designed to work with encrypted folders and volumes. PGP from Symantec is a good replacement for TrueCrypt, but it is not free. PGP also lets you exchange encryption keys like GPG. GPG copied the functionality of PGP.
How about SkyCrypt? I started using it 3–4 months ago and it works fine for me… Does anyone have experience with this?
I took my TrueCrypt files with me when I moved from Windows XP to Ubuntu 12.02 in March and it ran perfectly. Last month I updated to Ubuntu 14.04 and last week found I couldn’t encrypt anymore with my TrueCrypt version. That means that somewhere between 12.04 and 14.04 Ubuntu has added a kill switch to specifically target TrueCrypt. My bottom line: TrueCrypt just ran too damn good for the NSA to tolerate.
I know this post is five months old, but:
Perhaps the version of the software in your new Ubuntu is 7.2, which the article mentions is only capable of decryption?
I have used TrueCrypt 7.1, a very nice application! I hope it is possible to change the encryption algorithm to be safe. Now it is possible to find some free applications with the same functions: DiskCryptor, Rohos Mini, etc. I think Rohos Mini is a good alternative. It can create encrypted volumes on USB and hard drives. It places the portable application along with the container on the USB drive, so it is possible to use it on another computer without administrative rights.
On a new computer running Windows 8, would you see any conflict with installing TrueCrypt?
There shouldn’t be any problem with that. I have it installed on my Windows 8 computer and it’s fine. I’ll keep using it until I read of any discovered vulnerabilities.
Nope. I run it on Win 8 myself.
I doubt the developers quit. Otherwise, why not just say “we are tired now, so we are quitting”? There is nothing wrong with saying that and ending it. What really happened? The TrueCrypt people found out that the NSA had identified them and were spying on them. The NSA does shit like this. They track people, use gangstalking techniques to harass and intimidate targets. They use microwave technology to eavesdrop on targets without the need for bugs. They use Van Eck phreaking to spy on people’s computers that are not connected to the internet. They have listening devices that allow them to listen in on a person’s subvocalizations. I caught a neighbor doing ALL of these things to me back in 2008. The NSA goons probably {Removed}ed up and got caught with their pants down, the same way that I caught my neighbor spying on me. It took me years of research to realize this is real. I am still being targeted and tracked. If a nobody like me is targeted (so far in the 5th year) what makes you think that the NSA would not go to extremes to target the TrueCrypt developers? The quote: “I were [sic] happy with the audit, it didn’t spark anything. We worked hard on this for 10 years, nothing lasts forever.” only tells us that the developers were not American, which we probably already knew.
1. Is BoxCryptor or VeraCrypt better?
2. Which software is more similar in style to TrueCrypt? I do not like to learn new software all over again.
3. Is there some way to convert the TrueCrypt container to become a BoxCryptor/VeraCrypt container? Is the only way to move it to manually cut the files inside the TrueCrypt container and paste them into a BoxCryptor/VeraCrypt container?
Thanks
1. Both operate differently. VeraCrypt encrypts all the files into one large container, whose size you must determine when setting it up. It is one file which holds all of the encrypted files. BoxCryptor encrypts all of the files individually and keeps them in one folder. There is no predetermined size. I personally prefer BoxCryptor, because it only has to update the changed files when synchronizing with the cloud (Dropbox, OneDrive etc.), whereas with VeraCrypt, the whole container is uploaded and downloaded each time a file is changed. Also the size of the BoxCryptor folder is dynamic. Its size is the combined size of each of the files. VeraCrypt’s container is the size you set at creation time. If you need more space, you need to create a new container large enough to hold the new data.
2. VeraCrypt is a continuation of TrueCrypt. It is a project which is based on the original TrueCrypt source code.
3. Migrating from TrueCrypt to BoxCryptor requires copying the unencrypted files to the BoxCryptor folder. VeraCrypt, on the other hand, supports conversion.
https://veracrypt.codeplex.com/wikipage?title=Converting%20TrueCrypt%20volumes%20and%20partitions
1. Depends on your needs. Sorry. They’re both good.
2. VeraCrypt. It’s based on TrueCrypt source code and looks VERY familiar.
3. You shouldn’t need to. VeraCrypt will operate on TrueCrypt volumes. (But only way to convert is to create a new volume and manually copy the contents, yes.)
QA. “VeraCrypt will operate on TrueCrypt volumes” > Does it mean that I can use VeraCrypt and mount a TrueCrypt file to open the TrueCrypt container and add/delete files inside the container?
QB. Is it okay if I do not do anything to the old TrueCrypt files I have created? I mean I will use VeraCrypt software and mount a TrueCrypt file to use the TrueCrypt container. I did not create a new VeraCrypt file (container), and I did not manually copy the contents from TrueCrypt file to a VeraCrypt file.
QC. Your article says “On September 30, 2015, it was reported that a security vulnerability had been discovered in TrueCrypt.”. If I use VeraCrypt software to mount a TrueCrypt file, would it still have a security vulnerability?
Thanks
A: yes
B: it’s OK, but as I understand it some issues have been resolved with VeraCrypt that may make a VeraCrypt created container slightly more secure. No idea how big an issue it might be. If it were me, I’d create the new container and copy over.
C: No one knows what that security vulnerability is – some believe it’s a red herring to scare people away from the original TrueCrypt. Regardless, its successors – like VeraCrypt – are the only place that any fixes will appear.
I just discovered the issue with TrueCrypt. (Because I’m just finally moving off XP to WIN 10.)
I’ve used TrueCrypt for years and have been VERY happy with it. In my opinion, BitLocker is not even similar. With TrueCrypt I keep files on my PCs encrypted. If someone steals my dev system(s), they get nothing useful. Also with TrueCrypt, my backups are encrypted. I can lose my backup DVDs or have them get stolen with little concern that anyone will get anything useful from them.
I want encrypted folders on my hard drives and encrypted backups.
I think a professional, skilled, group should take a known clean copy of TrueCrypt and carefully manage it going forward; releasing expertly crafted, peer reviewed, patches as necessary. VeraCrypt seems to be overly patched and tinkered with so it scares me.
I think the BitLocker concept is flimsy. My backup media must be encrypted as well as selected hard drive folders. Also consider that MS apps are no more robust than anything else you find on the street. (See what happens to your Outlook data if you use MS export / import tools to migrate – you lose data and all they do is give you a message to the effect that not everything could be transferred. What if encryption is similarly imperfect? So disappointed that MS was never very good – just wildly popular and embraced by a not-so-discerning user audience.)
I would appreciate your best suggestions about what to do as I move to WIN 10 to encrypt folders on my drives AND my backup media.
VeraCrypt is the continuation of the TrueCrypt project. It is recommended by Leo. Here is a recent article on disk encryption from Ask Leo!:
https://askleo.com/how-do-i-encrypt-a-disk/
Check out VeraCrypt.
Full disclosure: I work for GhostVolt, but I’m also a long-time follower of Ask Leo.
I’d encourage anyone interested in a full-featured encryption product to check us out. We’ve worked long and hard to create an easy-to-use encryption platform that also allows for the special needs of collaborative teams. Having said that, it’s also great for single users.
I use VeraCrypt and AxCrypt. AxCrypt works like BoxCryptor.
Vera is just like TrueCrypt. I’ve had no problems with it, other than that you need to set up a container with enough space. AxCrypt works on individual files/folders. It has a freeware mode and a paid mode. Axcrypt.net
The CIA cracked TrueCrypt as it was used to encrypt God knows what sort of data they were after… Which meant it was no longer secure…
There’s no actual confirmation that TrueCrypt was cracked by anyone. If you have objective/authoritative resources that you can cite proving otherwise, I’d love to see them, but without that we simply don’t know and shouldn’t make random assumptions. Nonetheless, use VeraCrypt as its replacement.
In addition to what Leo said, if the CIA or NSA has cracked TrueCrypt, it would be a highly classified national secret, and we wouldn’t have a clue as to whether they hacked it or not. And that applies to any kind of encryption.