TrueCrypt’s dramatic shutdown in May 2014 left everyone shocked. TrueCrypt was the go-to recommendation for full-disk encryption software, and the developers suddenly said using it was “not secure” and halted development.
We still don’t know exactly why TrueCrypt was shut down — perhaps the developers were being pressured by a government, or perhaps they were simply sick of maintaining it. But here’s what you can use instead.
TrueCrypt 7.1a (Yes, Still)
Yes, TrueCrypt development was officially halted and its official downloads page was taken down. The developers have made statements saying they’re no longer interested in the code, and that third-party developers can’t be trusted to maintain and patch it properly.
However, the Gibson Research Corporation argues TrueCrypt is still safe to use. TrueCrypt 7.1a is the last real version, released in February 2012 and used by millions of people since then. TrueCrypt’s open-source code is currently undergoing an independent audit — work that started before the abrupt shutdown — and Phase 1 of the audit, which covered the Windows bootloader and kernel driver rather than the cryptography itself, has been completed without any serious problems being found. Few other software packages have ever undergone an independent, public audit like this one. When it’s finished, any problems found can be patched by the community in a new fork of the TrueCrypt code and TrueCrypt can continue. TrueCrypt’s code is open-source, which means even the original developers don’t have the ability to stop it from continuing. That’s the Gibson Research Corporation’s argument, anyway. Others, such as the non-profit Committee To Protect Journalists, also advise that the TrueCrypt code is still safe to use.
If you do opt to continue using the standard TrueCrypt code, be sure to get TrueCrypt 7.1a. The official site is offering TrueCrypt 7.2, which disables the ability to create new encrypted volumes — it’s designed to migrate your data away from TrueCrypt to another solution. And, most importantly, be sure to get TrueCrypt 7.1a from a trustworthy location and verify the files haven’t been tampered with: compare the download’s hash (and PGP signature, where one is provided) against the values the mirror publishes before you run it. The Open Crypto Audit Project offers its own verified mirror, and the files can also be acquired from the GRC website.
If you go this route, the old advice for using TrueCrypt still applies. Be sure to keep an eye on the results of the TrueCrypt audit. One day, there will likely be consensus around a successor to TrueCrypt. Possibilities might include CipherShed and TCnext, but they aren’t ready yet.
VeraCrypt
VeraCrypt is a fork of TrueCrypt that’s now making the rounds online. It is based directly on the TrueCrypt 7.1a source code, so it inherits both that code’s strengths and its known problems.
Developer Mounir Idrassi has explained the differences between TrueCrypt and VeraCrypt. In summary, the developer claims he’s fixed “all the serious security issues and weaknesses found so far in the source code” by the Open Crypto Audit Project, as well as various other memory leaks and potential buffer overflows.
Unlike the CipherShed and TCnext projects mentioned above, VeraCrypt has broken compatibility with TrueCrypt’s own volume format. As a result of this change, VeraCrypt can’t open TrueCrypt container files. You’ll have to decrypt your data and re-encrypt it with VeraCrypt. (Later VeraCrypt releases, from 1.0f onward, added a “TrueCrypt mode” that can mount legacy TrueCrypt volumes, so how much this matters depends on the version you install.)
The VeraCrypt project has increased the iteration count of the PBKDF2 algorithm used to turn your passphrase into the volume’s header key. TrueCrypt used a fixed 1,000 iterations (2,000 for RIPEMD-160 on non-system volumes); VeraCrypt uses hundreds of thousands (327,661 for RIPEMD-160 on system volumes, 655,331 for RIPEMD-160 on non-system volumes, and 500,000 for SHA-512 and Whirlpool). Every guess an attacker makes has to pay that cost, which makes brute-force attacks hundreds of times slower. However, this still won’t help you if you use a weak passphrase to encrypt your volume: a passphrase that sits in a short word list is found after a few hundred guesses no matter how expensive each guess is. The higher count also makes it take noticeably longer to boot and to mount encrypted volumes. If you’d like more details about the project, Idrassi recently spoke to eSecurity Planet about it.
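To make the iteration-count argument concrete, here is an added example (written for this article, not code from TrueCrypt, VeraCrypt or the audit) that derives a header key with PBKDF2-HMAC-SHA512 at TrueCrypt’s and VeraCrypt’s iteration counts and runs a small offline dictionary attack against it. The 64-byte salt and the word list are constructed for the demo; the key length and the direct key comparison are simplifications (a real attacker would decrypt the header and check its magic bytes), and no real volume header is parsed.

```python
"""Added example: PBKDF2 iteration count vs. offline passphrase guessing.

Not code from TrueCrypt or VeraCrypt. Both products derive the volume
header key with PBKDF2 over the passphrase and a 64-byte random salt; the
two iteration counts below are TrueCrypt 7.1a's and VeraCrypt's for SHA-512.
"""
import hashlib
import os
import time

TRUECRYPT_ITERATIONS = 1_000     # TrueCrypt 7.1a, SHA-512 PRF
VERACRYPT_ITERATIONS = 500_000   # VeraCrypt, SHA-512 PRF, non-system volume
SALT_LEN = 64                    # salt length stored at the start of the header
KEY_LEN = 64                     # derived key length used in this demo (assumption)


def derive_header_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512(passphrase, salt) -> KEY_LEN bytes of header key."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"),
                               salt, iterations, KEY_LEN)


def dictionary_attack(target_key: bytes, salt: bytes, iterations: int,
                      candidates):
    """Offline guessing: re-derive the key for each candidate passphrase.

    Returns (recovered passphrase or None, guesses made, seconds elapsed).
    Comparing derived keys stands in for the real check, which would decrypt
    the header with the candidate key and look for the format's magic bytes.
    """
    start = time.perf_counter()
    guesses = 0
    for guess in candidates:
        guesses += 1
        if derive_header_key(guess, salt, iterations) == target_key:
            return guess, guesses, time.perf_counter() - start
    return None, guesses, time.perf_counter() - start


def slowdown_factor(old_iterations: int, new_iterations: int) -> float:
    """How many times more work each guess costs after raising the count."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    # Constructed demo inputs: a random salt and a tiny "leaked passwords" list.
    salt = os.urandom(SALT_LEN)
    wordlist = ["123456", "letmein", "password1", "qwerty", "correct horse"]
    victim_passphrase = "password1"   # weak: it is in the list

    for label, iters in (("TrueCrypt 7.1a", TRUECRYPT_ITERATIONS),
                         ("VeraCrypt", VERACRYPT_ITERATIONS)):
        target = derive_header_key(victim_passphrase, salt, iters)
        found, guesses, secs = dictionary_attack(target, salt, iters, wordlist)
        per_guess = secs / guesses
        print(f"{label}: {iters:,} iterations, recovered {found!r} after "
              f"{guesses} guesses in {secs:.3f}s ({per_guess*1000:.1f} ms/guess)")
        # Cost of exhausting a 10-million-entry list on this one CPU core.
        print(f"  10M-word list would take ~{per_guess * 10_000_000 / 3600:.1f} h")

    print(f"VeraCrypt makes each guess {slowdown_factor(TRUECRYPT_ITERATIONS, VERACRYPT_ITERATIONS):.0f}x "
          "more expensive, but a passphrase in a short list still falls in seconds.")
```

Run it once and the point of the paragraph above is visible in the numbers: the per-guess time grows by the iteration ratio, which is what protects a strong passphrase against large-scale guessing, while the dictionary attack still succeeds almost immediately whenever the passphrase is in the list.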
So far, so good. However, let’s not get too ahead of ourselves. When it comes to encryption software like this, a healthy dose of paranoia is a good thing to have. While the TrueCrypt 7.1a code has been independently audited (at least partially), VeraCrypt’s code has not and this is a rather new project. There’s no evidence that VeraCrypt is malicious, but it may not be a good idea to leap from the stable ground of TrueCrypt into the unknown of VeraCrypt.
Your Operating System’s Built-in Encryption
Current operating systems practically all have built-in encryption — although the encryption built into the standard, or Home, editions of Windows is fairly limited. You may want to consider using your operating system’s built-in encryption rather than relying on TrueCrypt. Here’s what your operating system has for you:
- Windows 7 Home / Windows 8 / Windows 8.1 (Home or “core” editions): Windows 7 Home editions and the Home and “core” editions of Windows 8 and 8.1 don’t have a built-in full-disk encryption feature, which is one of the reasons why TrueCrypt became so popular.
- Windows 8.1+ on New Computers: Windows 8.1 offers a “Device Encryption” feature, but only on new computers that come with Windows 8.1 and that meet specific hardware requirements (a TPM and InstantGo support, among others). It also backs up a copy of your recovery key to your Microsoft account on Microsoft’s servers (or to your organization’s domain servers), so it’s not the most serious encryption solution.
- Windows Professional: Professional editions of Windows — Windows 8 Pro and 8.1 Pro, as well as the Enterprise editions — include BitLocker encryption. It isn’t enabled by default, but you can enable it yourself to get full-disk encryption. Note: on Windows 7, BitLocker is only included in the Ultimate and Enterprise editions; Windows 7 Professional doesn’t have it.
- Mac OS X: Macs include FileVault disk encryption. Mac OS X Yosemite offers to enable it when you set a new Mac up, and you can enable it later from the Security & Privacy pane of System Preferences if you haven’t. Setup also offers to store your recovery key with your iCloud account; you can decline and keep the key yourself.
- Linux: Linux offers a variety of encryption technologies. Modern Linux distributions often integrate this right into their installers, offering to easily enable full-disk encryption for your new Linux install. For example, modern versions of Ubuntu use LUKS (Linux Unified Key Setup) on top of dm-crypt to encrypt your hard disk, with a PBKDF2 iteration count that cryptsetup tunes to your CPU’s speed when the volume is created.
Mobile devices have their own encryption schemes, too — even Chromebooks encrypt user data. Windows is the only major desktop platform where most home users still have to go out of their way to protect their data with full-disk encryption.