Late-breaking news (two weeks late, in fact – so much for being someone on the bleeding edge of technology).
TrueCrypt is no more.
If you’re a fan of the disk and volume encryption software, you may have visited its SourceForge page and seen the new ‘goodbye’ message, complete with detailed instructions for migrating to Microsoft’s BitLocker.
As someone who has used and recommended TrueCrypt over the years, I’m sad to see them go. The software was a way to secure data and gave me warm fuzzies when transferring files (for example on a USB key).
Of course, if I were in a business that used it regularly I might have different views, and might be angry (as some were online, despite it being a high-quality program that no one had to pay for). For those people, here are some points to remember:
- If you have a whole drive encrypted, decrypt it and move to another solution – or keep it encrypted, but make many (and frequent) backups in case there is a problem. A TrueCrypt system volume depends on the TrueCrypt boot loader, so an OS or firmware change that breaks it could leave the data unreachable without a backup.
- Don’t panic. The program is as useful as it ever was, and until significant parts of Windows change, it should still be usable. What has changed is that nobody will fix bugs or security issues found from now on.
- Get a backup copy. You can still get the project via Steve Gibson’s site, and of course the source is included. The last full version is 7.1a, from February 2012; avoid the 7.2 build posted with the goodbye message, which can only open and decrypt existing volumes, not create new ones. Whatever copy you keep, check its hash or PGP signature against more than one independent source before trusting it.
- See it for what it is: secure, but not absolute. Cryptography is a really, really complicated field, and it is hard to get everything ‘just right’. Caution alone should have told us to be careful about trusting a program like TrueCrypt with our secrets. In fact, there is apparently a security audit being done right now, a full ten years after the project started – proof that too many people just went along with it without questioning.
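For the “get a backup copy” point, here is an integrity check I would run on an archived download before relying on it. This is an added example, not code from the original post or from the TrueCrypt project. It assumes nothing about the real file names or hashes: the file names in the usage comments are placeholders, and the expected SHA-256 is deliberately not embedded here, since the whole point is that you collect it from at least two independent sources (the mirror’s listing and, for instance, a copy you recorded earlier) and pass it in. The signature check uses the release’s detached `.sig` file if you have it and `gpg` is installed.

```shell
#!/bin/sh
# Added example (not from the original post): integrity check for an archived
# TrueCrypt 7.1a download. The expected SHA-256 is NOT hard-coded; obtain it from
# independent sources and pass it as an argument. File names in the usage
# comments at the bottom are placeholders.

# Print the SHA-256 of a file, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_archive FILE EXPECTED_SHA256
# Returns 0 when the digest matches, 1 on mismatch or unreadable file.
# The comparison is case-insensitive so a hash copied in upper case still matches.
verify_archive() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file: got $actual, expected $expected" >&2
    return 1
}

# verify_signature FILE SIGFILE
# Checks the detached PGP signature when gpg is available and the .sig exists.
# Returns 2 (not 1) when the check could not be performed at all, so callers can
# tell "skipped" from "failed". A valid signature only proves the signing key
# produced it; deciding whether to trust that key is still your job.
verify_signature() {
    file=$1
    sig=$2
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; skipping signature check" >&2
        return 2
    fi
    [ -r "$sig" ] || { echo "no signature file $sig" >&2; return 2; }
    gpg --verify "$sig" "$file"
}

# Usage (placeholder names; supply the real archive and the hash you collected):
#   verify_archive 'TrueCrypt 7.1a Source.tar.gz' <sha256-from-independent-source>
#   verify_signature 'TrueCrypt 7.1a Source.tar.gz' 'TrueCrypt 7.1a Source.tar.gz.sig'
```

A hash alone only proves the file matches whatever source you took the hash from, which is why the script makes you supply it separately rather than fetching it from the same place as the download; the signature check adds an origin claim on top of that, but only if you have a reason to trust the key that made it.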
It’s this last item that is important to remember. Start with the assumption that most security is compromised and behave that way, without relying on it too much. And this is actually close to the truth: as The New York Times reported, the NSA is actively working to defeat encryption. Some online commentary has even suggested that the TrueCrypt shutdown has something to do with refusing incursions from U.S. government agencies seeking to ‘ease’ the security in the program, much as Lavabit shut down when ordered to hand over data (my favorite paranoid comment on this blog was that the TrueCrypt final sign-off “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues” spells out the letters NSA in “Not Secure As”, and was deliberate).
Frankly, any security chain is only as strong as its weakest link. All the time and effort spent making TrueCrypt secure counts for nothing if, for example, the operating system is stealing a peek during reads and writes, or viewing the program’s code and data while it runs. Not that I know of that happening; I get my information from reading other people’s opinions on the topic. The general point holds regardless: disk encryption protects data at rest, and once a volume is mounted the key is in RAM and every read returns plaintext, so anything running with administrator or kernel privilege on that machine sees exactly what you see.
It’s likely too soon to see what the alternatives are going to be. Already there is talk of a Swiss fork, where privacy laws are different from America’s, but even those are not absolute. And of course there’s BitLocker – but just remember, if the NYT article is true, then its security is not absolute, either.