0

TrueCrypt, Still Viable, Still Relevant

Let me start of by defining what TrueCrypt is. TrueCrypt is a piece of software that has been developed to allow fairly advanced file and disk encryption operations across a wide variety of systems and media. The beauty of TrueCrypt is that it could go, and be used, almost anywhere. That is why it certainly took center stage as the premier open-source encryption tool.

Unfortunately, earlier this year, the development team of TrueCrypt made the announcement that development was stopping and TrueCrypt could no longer be trusted as a secure way to store your data. Initially, little was known about why the development stopped and even less about why the claim that it's not secure was made. However, it looks like it mostly has to do with the fact that the development team is no longer interested in moving forward with the project and there is little confidence that others will be able to appropriately maintain the software.

In some ways they have a very valid point. With the serious gap in disk/file based encryption created by the exit of TrueCrypt, it creates a vacuum that many other people and products are now bound (and already trying) to fill. Until time passes and other solutions are vetted by code review and user feedback it is bound to be a challenge determining what a good alternative is.

Now, on to my main point. TrueCrypt is as relevant and valid as it ever has been and I'm going to try to explain why…

Widely Reviewed, Stable, Audited (ongoing): This software was developed with the idea of keeping private files private, it has gone through many versions, years and a serious amount of user acceptance. For many, it was the default go-to for open-source encryption solutions. With this announcement, there have been no bug announcements, security flaws or other things that would definitively make the software no longer viable. In addition, the code has already gone through a very in-depth audit, that audit is still ongoing today (results link) (Open Crypto Audit).

Known vs. Unknown: Further two this point, with the waters muddied are you really going to hand over the keys to your encrypted or sensitive data to an unknown, unvetted entity? I argue that given the lack of serious flaws found so far in TrueCrypt, it is actually safer to continue to use TrueCrypt rather than changing to an unknown software.

Feature Set: TrueCrypt has probably the most flexible and useful toolset out of available software (baring the new up and coming software, which I will refer back to my last point on those…). TrueCrypt can handle internal system and data drives, external drives like USB flash and USB disk drives. It can use a variety of encryption schemes and authentication methods. It is also easy to move it between different computers and different operating systems.  For instance, a USB disk encrypted using TrueCrypt on Windows will open just fine under TrueCrypt on Linux.

Good Enough is Good Enough: Most users and businesses are looking for a way to keep other users out. A great example of this is a business needing to transfer internal files from office to office on a USB drive through a shipping company. Truecrypt offers a great feature set that makes this type of transfer both secure and easy to do. What makes TrueCrypt a bad solution for this today? You still have encryption, you still have passwords, you still have the fact that even if someone gets a hold of the encrypted disk today there is no current way for them to crack it (outside of a hopefully very lengthy brute force attempt).

Now, some users are looking for more advanced capabilities and a higher level of security because they're trying to keep state actors and government entities out. I would argue that if you're doing that, you're going to be at risk regardless of the encryption software you're using, granted, maybe some are better than others. So unless you're a government entity or protecting files from a government entity, then what's the deal? Even then, again, there has not been any indication so far that anyone, including governements, have the ability to outright exploit TrueCrypt to access data.

Furthermore, I think XKCD (image link goes to original source) has an apt comic that puts a lot of this in perspective…

In summary, think about this logically for just a moment. While security is certainly the goal through as good of encryption as you can get, at what point are you secure enough for your needs? I argue that even today, TrueCrypt meets those needs. Happy encrypting!

Follow Up Reading:
Gibson Research Corporation on TrueCrypt
Committee to Protect Journalists TrueCrypt Advisement
How To Geek on TrueCrypt and Alternatives
 

Torry Crass

Leave a Comment