TrueCrypt

Recent events at TrueCrypt.org have led to panic and confusion as to the security of using TrueCrypt to encrypt sensitive files and folders. But all is not lost, and TrueCrypt is still basically safe to use. Here's why. (See also: How to stay private online: encrypt files, emails and browse the web anonymously.)

What is TrueCrypt?

TrueCrypt is a popular, free, on-the-fly encryption program. When it is working well, TrueCrypt can create a virtual encrypted disk within a file, or it can encrypt a partition or an entire storage device. Put simply, TrueCrypt is a free way to secure information you want to keep from prying eyes. And don't just take our word for it: the easy-to-use data-protecting utility is favored by NSA whistleblower Edward Snowden. And there is a man who puts a value on data security.

TrueCrypt is an open-source project run by a highly secret group of anonymous developers.

Why would TrueCrypt not be safe?

Funny story. At the end of May the TrueCrypt website disappeared and was replaced with a message: a warning not to use TrueCrypt, in fact. (For the full story, see: TrueCrypt's abrupt demise 'puzzling, bizarre' and TrueCrypt now encouraging users to use Microsoft's Bitlocker.)

The message read, in part:

"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.

"The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform."

The message recommends that users switch to Microsoft's BitLocker encryption.

At the same time the site began distributing a new version of the TrueCrypt software, TrueCrypt 7.2, which only allows decryption. And according to The Register, the same warning text could be found inside the binary TrueCrypt 7.2 installer for Windows downloaded from the TrueCrypt SourceForge site. So that version of the software, at least, has been interfered with.

The concern is that TrueCrypt has been hacked and is now unsafe to use. Whatever is going on doesn't look good. But because TrueCrypt's developers are such a secretive bunch, it is difficult to know what to think. (The message was digitally signed by the TrueCrypt developers, but even that signing key could have been compromised.)

And you don't want to encrypt sensitive data with any software in which you don't have total faith. (See also: Amazon AWS continues to use TrueCrypt despite project's demise.)

Is TrueCrypt safe to use?

Nothing is absolutely certain, so you may choose to use alternatives. But the evidence does suggest that TrueCrypt is indeed secure.

It appears that for some reason TrueCrypt's developers decided to stop supporting TrueCrypt. And rather than turn it over to the open source community, they chose to attempt to kill it by releasing a final version that allows users to decrypt existing encrypted volumes, but doesn't allow the creation of new encrypted files and folders.

This is entirely reasonable. But unfortunately, it's also not how the web works, and many users of free open-source software expect to be able to use those products long after the originators have stopped developing them.

For one thing, the older version of TrueCrypt that you have - TrueCrypt 7.1a - remains fit for purpose. The insecurity referred to in the TrueCrypt developers' message is this: because it is no longer being developed, any vulnerability found in it will never be patched, so it may in time become unsafe. But in all probability it will remain secure for a long time yet.

In the meantime there is a formal audit of the TrueCrypt code that predates this event. It is ongoing, but should produce definitive answers as to the long-term security of TrueCrypt.

I would suggest that TrueCrypt 7.1a is perfectly safe to continue to use. But if you are at all in doubt, follow the developers' instructions and try BitLocker. See also: So long, TrueCrypt: 5 alternative encryption tools that can lock down your data.