TrueCrypt is gone. Maybe for good. It’s gone not in the sense that it got hit by a missile and was destroyed but that the service was discontinued.
Most of us know TrueCrypt as a great free and more importantly open-source utility for disk encryption. The service was launched for the first time in 2004.
The project could not survive its ten year anniversary and was discontinued in 2014. As of now, the freeware is still available for download but is no longer being maintained, and that means you should stay away from it, because unfixed security issues will only accumulate.
Software like TrueCrypt are mostly used to create encrypted partitions on any given hard drive. Moreover, they are also used to create virtual encrypted disks which exist within a given file.
Once a user has performed the encryption process, the encrypted data stored on any given partition cannot be accessed by anyone without the required password.
And it was exactly this process for which TrueCrypt became famous. It was probably the most popular method of encrypting a hard disk on any given platform. Be it Windows or Mac OS X, TrueCrypt commanded millions of users on both systems.
At this point, readers should know that TrueCrypt’s developers were mostly anonymous. And that is one of the reasons why no one really knows what happened to TrueCrypt when its developers decided to let the software go in 2014.
Quite frankly, the circumstances and the speed with which it all happened were a bit mysterious. There are a lot of theories out there that try to explain what happened to TrueCrypt, but most relate to security flaws which put users' private data at risk of being compromised.
Google’s Project Zero security team also had their part to play in the downfall of TrueCrypt as it unearthed vulnerabilities which were not publicly known at the time.
One of the found vulnerabilities was particularly interesting: it allowed an application running on a given operating system with normal user rights to elevate those privileges to the administrative level. That was a huge problem, to say the least.
What About TrueCrypt Now? Is It Still Secure?
To answer that question, an audit was conducted by the Fraunhofer Institute for Secure Information Technology in 2015. It carried out a formal audit of the latest stable version of TrueCrypt that had been released at the time.
As expected, the report found various bugs in TrueCrypt's latest version. You can read the report for yourself.
With that said, the report also said that TrueCrypt was still secure to use if the user was using the software for its primary use case.
What does that mean?
That means that TrueCrypt was secure as long as the user was using it to encrypt data that was at rest on a device such as a USB stick or external hard disk.
The Fraunhofer Institute for Secure Information Technology also confirmed that the potential security flaws exposed by the Google team did indeed exist, but they were not serious enough to give access to the encrypted data if a hacker or a team of hackers tried to exploit the bug.
This statement has to be understood in its proper context, though. What the institute really said was that the encrypted data was pretty safe if present on an external hard drive. It did not give TrueCrypt the all-clear if the encrypted data existed on a mounted drive or in a computer's main memory.
To understand this further, know that if a given drive on a computer is mounted, the key that is used to encrypt the data is stored in the machine's memory itself.
That particular key can be, if a need arises, recovered and then utilized to decrypt the encrypted data at any given moment in time.
But again, we’re talking about small percentages here. The chances of a hacker using the same technique to decrypt data stored in similar circumstances are pretty slim, if not non-existent.
The only two ways a hacker can gain access to the encrypted data is if the encrypted container is mounted or if the computer machine is in a hibernation state and the encrypted container is still mounted.
In the first case, the decrypted data is open to access to anyone in any case so it does not matter if it is mounted or not because if the hacker gains access to a computer machine and the user of that machine has the encrypted container open, then the encrypted data is as good as stolen.
The user can guard against these problems by not hibernating the computer while the encrypted container is in an open state. If the user allows the computer to go into hibernation while the encrypted data drive is mounted, then the data is as good as decrypted.
What About Use? Can We Still Use TrueCrypt or Not?
If you have one of the original versions of TrueCrypt already installed on your system, you aren't using it to encrypt data that is on unmounted drives, and your system is reasonably old, then you should not have any problems.
Of course, that doesn’t take into account one of the scenarios which we have discussed above.
As mentioned earlier, TrueCrypt isn't such a secure option anymore: if you're encrypting data that is on a mounted drive, then you're in trouble for the reasons given above.
However, if you haven’t installed or tried to use TrueCrypt till now and want to download it and then install it on your system, then that is probably not a good idea.
TrueCrypt has not been updated in the past two years and officially, it is not even available for download. There are some piracy sites and other ones that offer users an authentic copy of TrueCrypt but their download file is not legitimate.
No one really knows if that download file has been infected with malware or a virus. If you’re not an expert in software and other computer stuff then you should stay away from TrueCrypt.
And don’t fall for those guys who tell you that there are archived copies of TrueCrypt available for audit and use on Github.
The first thing to note about that is that these repositories have not been looked at by experts, because that would be really time-consuming, not to mention the costs it would involve.
But for what it's worth, the Open Crypto Project recently said that the GitHub repository, which is actually a copy of TrueCrypt version 7.1, is verified.
If you want evidence for that claim then you’re out of luck. No one can ensure if that copy is safe for use. There are some people who are of the opinion that TrueCrypt version 7.1 actually has a backdoor in its security which allows government officials in at any time they want. But of course, these are just rumors and hence are as likely to be true as they are to be false.
In short, don’t go for TrueCrypt anymore. It’s not safe for normal users.
If you must use TrueCrypt, even after what we have told you so far, then use the one from the GitHub repository.
However, there are lots of other alternatives. The best five of all those have been mentioned below for your convenience.
VeraCrypt
You can think of VeraCrypt as a fork of TrueCrypt in the sense that it is considered to be its rightful successor. It offers new users all the functions that TrueCrypt offered and then adds some of its own.
One of those functions is its ability to add security to algorithms that are used to encrypt files for systems and partitions.
Of course, this is just one of the improvements, but it does give VeraCrypt a kind of immunity to brute-force related attacks. New developments don’t have much effect on VeraCrypt either.
You can go to the official website of VeraCrypt and read about all the new features that it offers. There is also a special page where the staff behind VeraCrypt explain how their software is better than TrueCrypt.
For example, according to official sources, VeraCrypt makes use of 30 times more iterations than TrueCrypt when it encrypts containers and hard disk partitions.
Now, although that means that VeraCrypt is slightly slower than TrueCrypt in terms of starting up and opening containers, it does not degrade application use.
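To make the iteration-count point concrete, here is an added example (not code from the TrueCrypt or VeraCrypt projects) that derives a volume header key with PBKDF2-HMAC-SHA512 at two iteration counts and shows how the cost of every password guess scales with them. The counts 1,000 and 30,000 and the salt are illustrative assumptions chosen to match the "30 times more" figure above, not the exact values either program uses.

```python
import hashlib
import hmac
import time

# Constructed 64-byte salt standing in for the random salt stored in a volume header.
SALT = bytes(range(64))
BASELINE_ITERATIONS = 1_000    # assumed TrueCrypt-era count (illustrative)
HARDENED_ITERATIONS = 30_000   # assumed 30x count, as the article describes for VeraCrypt


def derive_header_key(password: str, iterations: int, salt: bytes = SALT) -> bytes:
    """Derive a 64-byte header key with PBKDF2-HMAC-SHA512; unlocking a volume
    means deriving this key from the password and testing it against the header."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=64)


def verify_password(stored_key: bytes, password: str, iterations: int) -> bool:
    """Defender-side check: constant-time comparison of a freshly derived key
    against the stored one, so timing does not leak which bytes matched."""
    return hmac.compare_digest(derive_header_key(password, iterations), stored_key)


def guess_cost_ratio(iterations_a: int, iterations_b: int) -> float:
    """PBKDF2 work is linear in the iteration count, so an offline guess at
    iterations_b costs this many times more than one at iterations_a."""
    return iterations_b / iterations_a


def seconds_per_guess(iterations: int, password: str = "correct horse") -> float:
    """Measure one derivation; this is the price an attacker pays per wrong guess."""
    start = time.perf_counter()
    derive_header_key(password, iterations)
    return time.perf_counter() - start


def seconds_to_exhaust(wordlist_size: int, per_guess: float) -> float:
    """Worst-case time to try every entry of a wordlist against one header."""
    return wordlist_size * per_guess


if __name__ == "__main__":
    stored = derive_header_key("hunter2", HARDENED_ITERATIONS)
    print("unlocks:", verify_password(stored, "hunter2", HARDENED_ITERATIONS))
    for it in (BASELINE_ITERATIONS, HARDENED_ITERATIONS):
        t = seconds_per_guess(it)
        print(f"{it:>6} iterations: {t * 1000:7.2f} ms/guess, "
              f"{seconds_to_exhaust(10_000_000, t) / 3600:8.1f} h for 10M guesses")
```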
Just like TrueCrypt, VeraCrypt is also open source and free. The developers behind the encryption software say that it will remain so forever. We’ll see about that.
For what it’s worth, the code behind VeraCrypt has been audited by independent researchers on a regular basis and the reports have been very similar to the ones that came out when TrueCrypt got audited itself. This just shows how similar VeraCrypt is to TrueCrypt.
BitLocker
The only problem with BitLocker is that it is Windows-only encryption software. It can encrypt entire volumes and uses the AES encryption algorithm with a 256-bit (sometimes 128-bit) key.
Can it compete with the likes of VeraCrypt and TrueCrypt when it doesn’t have the feature of creating encrypted containers? Maybe. Read on for more.
As mentioned before, BitLocker only encrypts entire volumes. That should not be misunderstood to mean that there are other options as well; in fact, that is the only option available with BitLocker.
This approach isn't bad, because a lot of people only want to encrypt whole volumes or partitions.
Another potential problem with BitLocker is that if you leave your computer unlocked and there is a certain someone who comes to use your computer, then all of your encrypted files are visible to that user.
Unlike TrueCrypt and VeraCrypt, Windows also has a separate encryption system alongside BitLocker called EFS, which stands for Encrypted File System. It is able to encrypt single files and folders, but the same problem exists: if someone else gets hold of your computer while you're logged in, then all your stuff is visible.
Moreover, BitLocker is also not open source.
CipherShed
CipherShed, just like VeraCrypt, had its beginnings as a fork of the now-defunct TrueCrypt. You can download CipherShed for various operating systems such as Windows, Linux, and Mac OS X, though if you want to use it on Linux or Mac OS X you will first have to compile the program.
CipherShed's non-alpha version was released in 2016, and it's still going strong depending on how you look at it, because there hasn't been an official release after v1.0.
That doesn’t mean it is the same thing as TrueCrypt. Luckily, enough work has been done for it to have fixed everything that was wrong with TrueCrypt.
DiskCryptor
DiskCryptor is another top option that is only available for Windows. In short, it is a full disk encryption solution.
The only downside to DiskCryptor is that, even though it is open source, very few people or entities have performed any sort of security analysis on it.
There isn't much to tell about DiskCryptor for the same reason. You might be wondering: if not much is known about DiskCryptor, its author, its developers, or even the motives behind its creation, then how come it is so popular?
Well, the reason is that it is extremely fast and extremely easy to use. It doesn’t consume a whole lot of computer resources and encrypts files much faster than TrueCrypt.
It uses 256-bit AES along with Twofish and Serpent (sometimes uses a combination of the three for increased effectiveness) to perform encryption.
It also makes use of cascaded algorithms while in XTS mode in order to really tighten up the encryption process.
The Serpent technique is the fastest of them all.
Moreover, it can encrypt hard drives along with external hard drives, USB sticks, DVDs, and CDs as well. There are some boot options available as well.
LUKS
LUKS is a blessing for users on Linux. It is based on cryptsetup and makes use of dm-crypt as the backend for disk encryption.
For those interested, LUKS stands for Linux Unified Key Setup.
It is used in various tools, and to make integration easier it specifies a platform-independent on-disk format standard.
You can use LUKS on Windows with LibreCrypt but to fully experience its power, you should only use it on Linux.
A Final Note
We have deliberately left out the part where we tell users about the different plausible deniability features in the above-mentioned encryption tools. The reason for that is simple: the plausible deniability mechanism sucks. It doesn't hold up well if someone does end up in court, and any expert checking a hard drive for encrypted files can figure out that encryption was used, so plausible deniability doesn't work there either.
In short, it isn't worth relying on plausible deniability, and hence we would like users to pick their software based on other features and not on the basis of a plausible deniability feature.