Security Alert! The TrueCrypt Debacle


May 30, 2014

The single best assessment I have seen of the ongoing TrueCrypt debacle is the page put together by Steve Gibson at Gibson Research. Steve has done a great service to the community by summarizing the confusing situation surrounding TrueCrypt, and by providing a trusted archive of the final release of TrueCrypt 7.1a. You can access Steve’s page here:

https://www.grc.com/misc/truecrypt/truecrypt.htm

In addition to Steve’s work, there is also a group in Switzerland that is aiming to take the pieces of the TrueCrypt project forward. It is obviously at a very early stage so we shall have to wait and see how that effort plays out. See here for more info:

http://truecrypt.ch/

In spite of the recent upheaval, the TrueCrypt auditing project appears to be moving forward with Phase 2 of its audit of the TrueCrypt 7.1a code. You can keep tabs on that effort here:

http://istruecryptauditedyet.com/

So, in spite of everything, it seems TrueCrypt may yet have a future. At this point, it’s anyone’s guess as to how bright that future might be.

My Assessment

As anyone can see from this blog, I have been a big proponent of TrueCrypt over the years. No other encryption software I have seen has worked as smoothly and easily as TrueCrypt to enable the average Windows user to plug their single biggest security hole, and to do so with minimal cost, effort and technical knowledge. Indeed, with TrueCrypt around, there really was no excuse for NOT encrypting your hard drive!

Now all that has changed! The funeral pyre the TrueCrypt developers lit on Wednesday has put a cloud of distrust over TrueCrypt and to some extent the broader world of open source codes in general. The job of selling the average user on the value of using full disk encryption has always been difficult, but with TrueCrypt it was possible to change some minds because the cost, level of effort, and level of expertise required to implement it were within reach of just about everyone. There really were no excuses. The events of Wednesday however vaporized my “no excuses” argument and made it at least 10x more difficult to convince anyone to adopt and use full disk encryption. I can already hear the excuses:

“But to use BitLocker I have to upgrade all my machines and that’s going to cost me money I don’t have right now!”
“I don’t see the point, Microsoft is already in cahoots with NSA anyway.”
“If someone wants my stuff they’re gonna get it no matter what I do!”
“TrueCrypt? My friend told me that it wasn’t too secure.”
“I don’t trust open source. How can you trust something if you’re not paying for it?”

Sadly, even if TrueCrypt does somehow manage to rise like a Phoenix from the ashes, I don’t see these issues going away anytime soon.

What to do?

The bigger problem right now though is what advice to dispense to those who drank the FDE / TrueCrypt Kool Aid?

Steve Gibson is a smart and trustworthy guy. He seems to think that version 7.1a is just fine. He might be right and I would really like to believe that too! Unfortunately, there’s a nagging voice inside my head that keeps saying that maybe there’s more to this than we know? Maybe it isn’t secure after all?

So, how long should TrueCrypt users hold out? Should they migrate now or wait until we know more? Maybe you should hold off until the TrueCrypt security audit is finished in the fall? Or perhaps until one of the new TrueCrypt based projects takes off? No matter how you cut it, it’s a tough decision. From my vantage point, there is no clear answer right now and it comes down to an individual judgment call. I’ve written out a few considerations below to help you make your call.

If you are using TrueCrypt to protect your own personal files, and you have no reason to believe that there is a serious adversary (e.g. NSA) after you, then you might be well served by continuing to use TrueCrypt 7.1a until such time as we have more definitive information. I would advise diligence in staying abreast of the latest developments however. You should also have a migration plan worked out so that you’re ready to move if things go even further south.

If you are using TrueCrypt to protect data that belongs to others, and for which you might hold some legal liability, then, in my opinion, you might want to consider switching to something else sooner rather than later. Yes, it may take time and money to make the switch, but in the big scheme of things you may be better off spending that money than having it argued in court that you continued to use a piece of software that was suspect. Here, a vetted solution such as a FIPS-197 or FIPS-140-2 validated hard drive would make a lot of sense! Similarly, use of something like Microsoft BitLocker or Apple FileVault will get you away from the cloud of TrueCrypt uncertainty and likely leave you in better shape with the legal system should the worst happen. Please note, I’m not an attorney so don’t take any of this as legal advice. It is just my best guess as to how to approach the problem.

If you are one of the millions of users still using Windows XP, then it’s time to completely jump ship and fast! Yes, TrueCrypt was the best friend Windows XP users ever had, but there is now a cloud over both systems. I don’t care whether you buy a new PC or Mac, upgrade to Windows 7 or 8, or make a dive into Linux. The time to do something is now! Just make sure to use whatever disk encryption system is available on your new setup, and properly deal with the remaining data on the old PC. In other words, don’t just shuffle it off to the thrift shop or the trash without securely wiping or completely destroying the drives!

That’s all for now. This situation is very fluid so stay on top of it! Thanks for reading!

JR

May 31, 2014 – Full Disclosure

In the interest of full disclosure, I thought that I should mention that I am no longer a TrueCrypt user, and I haven’t been one for several years now. The reason for this is that my primary operating system is Linux. I use Linux native tools (dm-crypt/LUKS/LVM) to encrypt all my information and swap space. Additionally, I only use Microsoft Windows operating systems within a virtual machine running under Linux. Because the Linux drives are encrypted, there is no need for Windows native encryption such as TrueCrypt or BitLocker.

That said, up until 3 days ago, if I had been using Windows on “bare metal” hardware I would have most definitely been using TrueCrypt as well. That statement then begs the hypothetical question: “Would I continue to use TrueCrypt today, given what has transpired this week?” The short answer is “No! I would not!” The longer answer would be “No, I would not use TrueCrypt, but then again, I am fully aware of, and comfortable using, an alternative solution (e.g. encrypted Linux with VMs as described above). And, I am also confident that this solution solves both my computing needs and my need to keep information secure using open source encryption algorithms.” I sincerely doubt that this would be the case for the majority of TrueCrypt refugees! Indeed, not all computers are powerful enough to run multiple operating systems, and not all programs run well, or at all, in a Virtual Machine. Furthermore, not all users are knowledgeable enough, or motivated enough, or have the time to learn a second OS and associated virtualization software. In short, just because I would stop using TrueCrypt doesn’t mean that you should too!
