Security Alert! Truecrypt Site Changes – Updated!


Update May 30, 2014

Please see my post here for the latest on the TrueCrypt debacle.

 

Update 7:41 PM MDT May 28, 2014

The Truecrypt situation is still incredibly murky, but it seems that there is a very real possibility that the Truecrypt project might really be dead. Even if it’s not dead, at this point there is a huge trust deficit so, sadly, one must conclude that the days of Truecrypt are pretty much over.

If you are currently using Truecrypt, I recommend that you begin working on a migration strategy immediately. I don’t have a slam dunk alternative to Truecrypt because none exists. Some options you might consider would include hardware encrypted hard drives, migrating to Linux and using dm-crypt/LUKS, or taking the advice on the Truecrypt site and using Microsoft BitLocker or Apple FileVault. Your choice will depend on what you do and who you trust. Any of them are likely better than opting to go without disk encryption.

 

Original Post

Synopsis

As of this afternoon, May 28, 2014, the site www.truecrypt.org and its associated project at SourceForge have changed significantly. It is unclear if the changes are legitimate or the result of a compromised account.

At the top of the page on the site there is the following warning:

“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”

 

The page goes on to give instructions for migrating from Truecrypt to alternative disk encryption methods such as BitLocker, FileVault, etc. There is a link at the bottom of the page to download version 7.2 of the Truecrypt code.

The situation is murky at this point, but the most likely explanation is that the site and/or one of the developers has been hacked. I note that the Truecrypt code passed Phase 1 of a security audit being performed by an independent 3rd party in April. I find it difficult to believe that the developers would suddenly abandon ship and point users to closed source commercial codes.

Our Recommendations

1. Do NOT panic!

2. Wait until we have further information that has been confirmed by multiple sources before taking any action. Meanwhile, do NOT follow the instructions on the Truecrypt website, and do NOT download and install any code from the site.

3. Stay tuned! If you use Truecrypt and it turns out there is a problem, you’ll want to know about it. Look for more information here or on Twitter @securitybeacon as we try to sort out what’s happening!

 

 

 

 


Join the Conversation

5 comments

  1. Software or hardware encrypted hard drives? - Security Beacon

    […] Truecrypt website is in a state of flux. We do NOT recommend using Truecrypt at this time. Please check back often until we have more […]

  2. Apricorn Aegis Secure Key - USB Flash Drives now FIPS 140-2 and HIPPA Compliant - UPDATED! - Security Beacon

    […] Truecrypt website is in a state of flux. We do NOT recommend using Truecrypt at this time. Please check back often until we have more […]

  3. Encrypted Backup with Microsoft Small Business Server - Security Beacon

    […] Truecrypt website is in a state of flux. We do NOT recommend using Truecrypt at this time. Please check back often until we have more […]

  4. Some thoughts on Backups - Redundancy, RAID, Testing and Encryption - Security Beacon

    […] Truecrypt website is in a state of flux. We do NOT recommend using Truecrypt at this time. Please check back often until we have more […]

  5. Step-by-step guide to installing TrueCrypt and encrypting Windows XP system partition - UPDATED! - Security Beacon

    […] Truecrypt website is in a state of flux. We do NOT recommend using Truecrypt at this time. Please check back often until we have more […]