Actually, what you describe happens more often than one might think.
Typically, it’s nothing as attention-grabbing as the TrueCrypt shutdown, but I do regularly hear from people who have been using an application of some sort for some time and suddenly find that the company’s no longer in business and there’s no way to get an update. In some cases, that means they can’t migrate to current versions of their operating system if they want to keep running that now-unsupported software.
It’s something I consider when using important software. Depending on exactly what software it is we’re talking about, there are often approaches that you can use to protect yourself from potential obsolescence or disappearance.
I’ll give you one hint: it’s one of the reasons I moved from RoboForm to LastPass.
Export as backup
For utilities that keep important data in proprietary formats, like password safes such as RoboForm, LastPass and others, I believe it’s critical that they also support the ability to export your data into a common and simple file format. They should support exporting everything to a text file, or CSV file that can be read by Excel, or a PDF file that can be read just about anywhere.
That way, if something ever does happen to the utility or its ability to provide its functionality, you have – say it with me now – a backup.
Not only that, but a backup that’s in a standard file format that you might be able to use, or that could be imported into a replacement utility.
This is one reason I stopped using RoboForm. It’s a fine password management utility, and I still support using it, but when last I tried exporting it was exceptionally difficult. In LastPass, on the other hand, exporting to CSV is a menu item.
Unencrypted files as backup
With encryption utilities like TrueCrypt, the approach is a little different. TrueCrypt and utilities like it are tasked with encrypting or providing encrypted storage for important data files.
The approach to protecting yourself from the program “going away” is fairly simple:
- Keep a copy of the program that works. Presumably you can always use your older version to access your data. This has proven true with TrueCrypt.
- Back up your unencrypted data separately, using a different tool or mechanism. In the case of TrueCrypt, that means backing up the contents of a TrueCrypt drive or volume, not the encrypted volume itself.
As long as you have a copy of the files you need outside of the utility – albeit perhaps in a significantly less convenient format or location – then it’s no disaster if the utility actually stops working some day.
And as we’ve seen, the chances of it actually not working are slim-to-none as long as you keep a working version of the utility around.
Backups as security risks
“But Leo!”, I hear you saying, “We use tools like TrueCrypt and LastPass to keep things secure. Doesn’t keeping those unencrypted exports leave us just as vulnerable as not using the utilities at all?”
Well, sure, if you leave those unencrypted files where anyone can get at them.
Don’t do that.
To be clear: you must somehow secure those unencrypted backups. That could mean storing them offline in a secure location. It could also mean encrypting them with a different tool. If you, for example, encrypt your LastPass export using a tool like AxCrypt, then:
- everything remains secure
- you only lose access to your information if both tools become completely unusable (unlikely, as we’ve seen) at the same time (even more unlikely)
What I do
I follow my own advice, and do what I’ve described.
The unencrypted contents of my TrueCrypt and BoxCryptor encrypted files are backed up nightly. Some are backed up on servers that only I have access to. Others – the most secure information – are bundled into a .zip-like archive which is then encrypted using PGP public key encryption. (Those encrypted files are taken one step further and uploaded to backup storage in the cloud.)
You could do something very similar by just creating a password-protected .zip file of your TrueCrypt container’s contents.
I also periodically export my LastPass database¹. That gets placed into a folder encrypted by BoxCryptor, which in turn gets backed up again using the technique I just mentioned above.
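The archive-then-encrypt step described above could be scripted as follows; this is an added example, not the author's own script. It assumes GnuPG and tar are installed, the encrypted volume is already mounted, and the recipient's public key is in the keyring and trusted; the function names and paths are illustrative.

```sh
#!/bin/sh
# Added example: stream the contents of a mounted encrypted volume into tar
# and encrypt the stream to a PGP public key, so no plaintext archive is
# ever written to disk. Function names are illustrative.

# backup_encrypted SRC_DIR RECIPIENT OUT_FILE
# The body runs in a subshell, so umask and variables do not leak out.
backup_encrypted() (
    src=$1 recipient=$2 out=$3
    umask 077                       # backup readable by the owner only
    [ -d "$src" ] || { echo "not a directory: $src" >&2; exit 2; }
    src_abs=$(cd "$src" && pwd -P) || exit 2
    out_abs=$(cd "$(dirname "$out")" && pwd -P) || exit 2
    case "$out_abs/" in             # never write the backup into its source
        "$src_abs/"*) echo "output is inside source" >&2; exit 2 ;;
    esac
    tmp="$out.partial"
    st=$(mktemp) || exit 1
    # POSIX sh has no pipefail, so tar's exit status is passed via a file.
    { tar -C "$src" -cf - . ; echo "$?" >"$st"; } |
        gpg --batch --yes --encrypt --recipient "$recipient" --output "$tmp" ||
        { rm -f "$tmp" "$st"; exit 1; }
    tar_rc=$(cat "$st"); rm -f "$st"
    [ "$tar_rc" -eq 0 ] || { rm -f "$tmp"; exit 1; }
    mv "$tmp" "$out"                # publish only a complete backup
)

# restore_list BACKUP_FILE
# Decrypts (needs the private key) and lists the archive without extracting;
# a backup that cannot be listed here is not a backup.
restore_list() {
    gpg --batch --quiet --decrypt "$1" | tar -tf -
}

# Usage: sh backup.sh /mnt/volume you@example.invalid /backups/volume.tar.gpg
if [ "$#" -eq 3 ]; then
    backup_encrypted "$@" && restore_list "$3" >/dev/null
fi
```

Because only the public key is needed to encrypt, the machine running the nightly job never has to hold the private key; keep that key, and a working copy of GnuPG, wherever you would perform a restore.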
The practical risk
When it comes to popular and pervasive software like TrueCrypt or LastPass, my belief is that the risks are actually minimal. You probably don’t have to take the steps I’ve listed. (I do because my needs are probably above average, and I’m somewhat obsessive about backing up. 🙂 )
If the utility is destined to die, there’ll be lots of notice and you’ll be able to make other plans. Even though TrueCrypt’s demise was sudden, existing copies of the tool keep working, giving those so inclined plenty of opportunity to research and move to alternatives.
The real risks, in my opinion, are the smaller operators or software destined for a smaller market. There may not be an equivalent “common format” to export to, or the export functionality might not be a priority². In cases like this, there’s little to be done, other than to stay on top of upgrades, if practical, or possibly keep a copy of the utility and an operating environment in which it works for as long as possible.