I’m playing catch-up with this one, but if you’ve been relying on the quasi-open source Truecrypt encryption solution, you need to migrate to Veracrypt as quickly as possible.
For some reason, it doesn’t seem to be common knowledge that Veracrypt is derived from Truecrypt and is, for all intents and purposes, the successor to Truecrypt.
Security-minded open source software has taken a beating in the last year, as numerous projects have had holes exposed, or, in the case of Truecrypt, got audited heavily. This fanned the flames of the old debate whether open or closed source software was more secure.
This past week I heard a plausible theory about the state of open source security: It’s all about the money.
I’ve written about Truecrypt before. If you need cross-platform full-disk crypto, here’s an alternative I found recently. Veracrypt is based on Truecrypt, but since you can’t fork it without a name change, it has a different name.
I haven’t messed with it yet myself–yet–but if you need this, you probably already know it. And, for the record, I don’t believe there was any conspiracy against Truecrypt.
In the wake of Truecrypt’s sudden implosion, someone sent me a link to this curious blog post. I can see why many people might find the timing interesting, but there are a number of details this particular blog post doesn’t get correct, and it actually spends most of its time talking about stuff that has little or nothing to do with Truecrypt.
What’s unclear to me is whether he’s trying to say the industry is deliberately sabotaging Truecrypt, or if he’s simply trying to make a list of things that are making life difficult for Truecrypt. His post bothers me a lot less if it’s just a laundry list of challenges, but either way, the inaccuracies remain. Read more
Dan Bowman sent me this link to Steve Gibson’s analysis of Truecrypt, a suddenly dear departed piece of full disk encryption software.
The important thing to remember right now is that we still don’t know what’s going on.
Johns Hopkins cryptography professor Matthew Green is heading up an effort to audit the Truecrypt code. Last month he said the code could be of higher quality, but at that point he hadn’t found anything truly horrible in there either.
That said, his analysis of the cryptography itself is phase 2. Cryptography is notoriously difficult to do–even when cryptography is your specialty, you can get it wrong.
So it’s premature to declare Truecrypt 7.1 as the greatest piece of software ever written. Green did find some flaws that need to be fixed. As far as we know, right now Truecrypt is better than nothing, but the most important part of Green’s work isn’t finished yet. Green has said he is going to finish his audit of the code. He probably won’t find perfection. He may find a fatal flaw that makes it all come crashing down. More likely, he’ll find something in between. But until those findings come out, it’s all speculation.
Truecrypt’s license allowed someone else to come along, take the existing code, act on Green’s findings, and make it better. It’s called Veracrypt. But going open source doesn’t guarantee people will work on it.
Gibson’s page on Truecrypt is a good reference page, but his cheerleading is premature. Gibson is a talented software developer in his own right, but cryptography isn’t his specialty. At the company where I work, we use Truecrypt for some things, and until we know otherwise we are going to continue to use it, but we haven’t made any final decisions on it yet.
Update: Here’s an analysis by Mark Piper, a penetration tester by trade, who explains the history and the issues today.
Last week, the free full-disk encryption program Truecrypt was abruptly discontinued, for reasons that made no sense, and making equally nonsensical recommendations about substitute products to use.
There’s speculation that the creators of Truecrypt received a National Security Letter, but can’t say anything about it. Right now we have to take it as a rumor–it’s bad if governments are cracking down on encryption, but we’ll save that discussion for another day, when we know whether they actually are. Let’s talk instead about why you need encryption if you own a computer, just like you need locks on your front door.
I spent some time this week with a coworker looking into the AES-128 encryption in current Sandforce and upcoming Intel 320 SSDs, and we’ve concluded it’s no substitute for software full-drive encryption.
This is important, so we’ll talk about it further.