Yes, TrueCrypt is Secure But…

I received an email message today from a reader asking about TrueCrypt, the now discontinued freeware utility used for on-the-fly encryption (OTFE). TrueCrypt can create a virtual encrypted disk within a file or encrypt a partition. A recent article stated that TrueCrypt “turned out to be not-so-secure.” My email correspondent is still using TrueCrypt and asked if he should switch to something else.

My answer is, “TrueCrypt is secure but you probably should switch anyway.”

TrueCrypt was a leading, perhaps THE leading, encryption product used to secure part or all of a hard disk drive, a flash drive, or other file storage device. I wrote briefly about TrueCrypt about a year and a half ago at https://privacyblog.com/2015/01/01/nsa-can-decode-most-vpns/.

On 28 May 2014, the TrueCrypt website announced that the project was no longer maintained and recommended that users find alternative solutions. Though development of TrueCrypt has ceased, an independent audit of TrueCrypt has since concluded that no significant flaws were present as of March 13, 2015.

The independent audit is described at https://opencryptoaudit.org/reports/TrueCrypt_Phase_II_NCC_OCAP_final.pdf and clearly states there are no significant security issues in the last supported version of TrueCrypt. In other words, it was safe to use to securely encrypt your data as of March 13, 2015. No further security audits or verifications are planned. After all, it is now an unsupported product.

Having said that, we must also recognize that the people who created and supported TrueCrypt stopped maintaining the program and recommended that users find alternative solutions. The reasons for the abrupt termination were never given, although all sorts of speculation have been posted on various message boards. Whatever the reason, the fact is that TrueCrypt was once deemed to be very secure, but if any future security problems are discovered, nobody will fix them. Therefore, I would suggest you move to a similar or perhaps even better product that is being actively supported.

No security product is ever perfect. Security researchers and various hackers occasionally find new problems in even the best such products. If the product is being supported, a fix is usually made available by the developers before the problem becomes well known. Sadly, that will not be true of any new problems that might be discovered in TrueCrypt.

Which newer product should you use? You can find a number of products that seem to perform tasks similar to TrueCrypt's. Some cost money while others are free. The free ones appear to be at least as good as the paid ones, so I would suggest not wasting money on a paid program.

VeraCrypt

VeraCrypt for Windows, Macintosh, and Linux is the most popular replacement for TrueCrypt. After all, it is based upon TrueCrypt but supposedly is even better.

Developer Mounir Idrassi has explained the differences between TrueCrypt and VeraCrypt. In summary, the developer claims he has fixed “all the serious security issues and weaknesses found so far in the source code” by the Open Crypto Audit Project, as well as various other memory leaks and potential buffer overflows.

VeraCrypt is available free of charge although donations are encouraged. You can find VeraCrypt at https://veracrypt.codeplex.com/.

FileVault 2 for Macintosh

If you are a Macintosh user, you already have a top-notch disk encryption product installed in your computer. FileVault for Macintosh uses XTS-AES 128 encryption. FileVault 2 is believed to be at least as good as TrueCrypt or VeraCrypt if not even better. Best of all, you can be assured that Apple will continue to support FileVault 2 for a long, long time.

FileVault is included with every Mac built in recent years; you don’t have to pay anything to use it. However, you do have to enable it to encrypt your sensitive data. When the Mac shipped from the Apple factory, FileVault was installed but not enabled.

FileVault version 2 is available in OS X Lion or later. Like most things on a Mac, enabling it or turning it off is super simple. Full instructions are shown in the Macintosh support pages at https://support.apple.com/en-us/HT204837.

NOTE: This article was written on a Macintosh with FileVault 2 installed and operational.
