Open source has been popular for over 10 years due to its independence from major vendors. The creators of the program are publicly unknown. Among the most famous users of the program are Edward Snowden and security expert Bruce Schneier. The utility allows you to turn a flash drive or hard drive into a secure encrypted storage in which confidential information is hidden from prying eyes.
Mysterious developers of the utility announced the closure of the project on Wednesday May 28, explaining that using TrueCrypt is unsafe. “WARNING: Using TrueCrypt is unsafe because the program may contain unresolved vulnerabilities ”- such a message can be seen on the product page on the SourceForge portal. Then another appeal follows: "You must transfer all data encrypted in TrueCrypt to encrypted disks or virtual disk images supported on your platform."
Independent security expert Graham Cluley made a logical comment on the situation: "Now is the time to find an alternative solution for encrypting files and hard drives."
I'm not kidding!
Initially, there were suggestions that the program's website was hacked by cybercriminals, but now it is becoming clear that this is not a hoax. SourceForge now offers an updated version of TrueCrypt (which is digitally signed by the developers) that prompts you to upgrade to BitLocker or another alternative tool during installation.
Matthew Green, professor of cryptography at Johns Hopkinas University, said: "It is highly unlikely that an unknown hacker identified the TrueCrypt developers, stole their digital signature, and hacked their site."
What to use now?
The website and pop-up notification in the program itself contains instructions on how to transfer files encrypted by TrueCrypt to Microsoft's BitLocker service, which comes with Microsoft Vista Ultimate / Enterprise, Windows 7 Ultimate / Enterprise and Windows 8 Pro / Enterprise. TrueCrypt 7.2 allows you to decrypt files, but does not allow you to create new encrypted partitions.
BitLocker is the most obvious alternative to the program, but there are other options. Schneier shared that he is returning to using PGPDisk from Symantec. ($ 110 per user license) uses the well-known and proven PGP encryption method.
There are other free alternatives for Windows like DiskCryptor. A computer security researcher known as The Grugq last year compiled a whole that is still relevant today.
Johannes Ulrich, Science Director at SANS Institute of Technology, recommends that Mac OS X users take a look at FileVault 2, which is built into OS X 10.7 (Lion) and later. FileVault uses XTS-AES 128-bit encryption, which is used by the US National Security Agency (NSA). According to Ulrich, Linux users should stick to the built-in Linux Unified Key Setup (LUKS) system tool. If you are using Ubuntu, then the installer of this OS already allows you to enable full disk encryption from the very beginning.
However, users will need other portable media encryption applications that are used on computers with different operating systems. Ulrich said that in this case it comes to mind.
The German company Steganos offers to use the old version of its encryption utility Steganos Safe (the current version is currently 15, but it is proposed to use version 14), which is distributed free of charge.
Unknown vulnerabilities
The fact that TrueCrypt may have security vulnerabilities raises serious concerns, especially considering that the audit of the program did not reveal such problems. Users of the program have raised $ 70,000 for an audit following rumors that the US National Security Agency could decode significant amounts of encrypted data. The first phase of the study, which analyzed the TrueCrypt downloader, was carried out last month. The audit did not reveal any backdoors or intentional vulnerabilities. The next phase of the study, in which the cryptographic methods used were to be tested, was planned for this summer.
Green was one of the experts involved in the audit. He said that he had no preliminary information that the developers were planning to close the project. Greene said, “The last thing I heard from the TrueCrypt developers was,“ We're looking forward to the results of Phase 2 of the trial. Thanks for your efforts! " It should be noted that the audit will continue as planned, despite the shutdown of the TrueCrypt project.
Perhaps the creators of the program decided to suspend development, because the utility is outdated. Development stopped on May 5, 2014, i.e. after the official end of support for Windows XP. SoundForge mentions: "Windows 8/7 / Vista and later have built-in encryption for disks and virtual disk images." Thus, data encryption is built into many operating systems, and developers may find the program no longer necessary.
To add fuel to the fire, we note that on May 19, TrueCrypt was removed from the secure Tails system (Snowden's favorite system). The reason is not completely clear, but clearly you should not use the program - said Cluley.
Cluley also wrote, "Whether it's trickery, hacking, or the logical end of the TrueCrypt lifecycle, it's clear that conscious users won't feel comfortable trusting their data to a program after a fiasco."
Found a typo? Press Ctrl + Enter