Update May 30, 2014
Please see my post here for the latest on the TrueCrypt debacle.
Update 7:41 PM MDT May 28, 2014
The TrueCrypt situation is still incredibly murky, but it seems that there is a very real possibility that the TrueCrypt project might really be dead. Even if it’s not dead, at this point there is a huge trust deficit so, sadly, one must conclude that the days of TrueCrypt are pretty much over.
If you are currently using TrueCrypt, I recommend that you begin working on a migration strategy immediately. I don’t have a slam dunk alternative to TrueCrypt because none exists. Some options you might consider would include hardware encrypted hard drives, migrating to Linux and using dm-crypt/LUKS, or taking the advice on the TrueCrypt site and using Microsoft BitLocker or Apple FileVault. Your choice will depend on what you do and who you trust. Any of them are likely better than opting to go without disk encryption.
As of this afternoon, May 28, 2014, the site www.truecrypt.org and its associated project at SourceForge have changed significantly. It is unclear if the changes are legitimate or the result of a compromised account.
At the top of the page on the site there is the following warning:
“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
This page exists only to help migrate existing data encrypted by TrueCrypt.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”
The page goes on to give instructions for migrating from TrueCrypt to alternative disk encryption methods such as BitLocker, FileVault, etc. There is a link at the bottom of the page to download version 7.2 of the TrueCrypt code.
The situation is murky at this point, but the most likely explanation is that the site and/or one of the developers has been hacked. I note that the TrueCrypt code passed Phase 1 of a security audit being performed by an independent 3rd party in April. I find it difficult to believe that the developers would suddenly abandon ship and point users to closed-source commercial code.
1. Do NOT panic!
2. Wait until we have further information that has been confirmed by multiple sources before taking any action. Meanwhile, do NOT follow the instructions on the TrueCrypt website, and do NOT download and install any code from the site.
3. Stay tuned! If you use TrueCrypt and it turns out there is a problem, you’ll want to know about it. Look for more information here or on Twitter @securitybeacon as we try to sort out what’s happening!