Encryption canary or insecure app? TrueCrypt warning says use Microsoft's BitLocker

The open source encryption tool TrueCrypt, which was endorsed by Snowden, quit with a warning that it is insecure and that users should encrypt with BitLocker instead.

If you attempt to visit truecrypt.org, you will be redirected to truecrypt.sourceforge.net and see, "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues."

Using TrueCrypt is not secure so turn on BitLocker

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

That announcement is followed by a step-by-step guide to help people migrate existing data encrypted by TrueCrypt. This includes how to enable BitLocker if you don't see it when right-clicking on a drive, and what to do if BitLocker reports a Trusted Platform Module (TPM) error. There's also a how-to for non-system drives encrypted by TrueCrypt and for creating a new virtual hard drive (VHD). At the bottom of the page there is another warning that states, "Using TrueCrypt is not secure."
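As an added illustration of the non-system-drive step, not code from the TrueCrypt migration page or from Microsoft, here is how that migration looks in PowerShell on Windows 8/Server 2012 or later, once the TrueCrypt volume has been decrypted to a plain drive. The drive letter, the function names and the elevated session are assumptions; a password protector is used so that a data drive needs no TPM, and a separate recovery password is generated to be stored off the drive.

```powershell
#Requires -RunAsAdministrator
# Added example: migrate a decrypted non-system data drive to BitLocker.
# Assumes the BitLocker and TrustedPlatformModule modules are present.
Import-Module BitLocker
Import-Module TrustedPlatformModule

function Test-TpmReady {
    # TPM state only matters for the OS drive; a data drive can use a
    # password protector, which is what Protect-DataDrive does below.
    $tpm = Get-Tpm
    [pscustomobject]@{ Present = $tpm.TpmPresent; Ready = $tpm.TpmReady }
}

function Protect-DataDrive {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,        # placeholder, e.g. "D:"
        [Parameter(Mandatory)] [securestring] $Password
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is $($vol.VolumeStatus); refusing to touch it."
    }
    # Password protector: no TPM required for a non-system drive.
    # -UsedSpaceOnly is fine for a drive that never held sensitive plaintext;
    # for a drive that did, drop it so the free space is encrypted too.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -PasswordProtector -Password $Password | Out-Null
    # Add a recovery password and hand it back so it can be stored off-drive.
    $updated  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = ($updated.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
    $state = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint           = $state.MountPoint
        VolumeStatus         = $state.VolumeStatus
        EncryptionPercentage = $state.EncryptionPercentage
        ProtectionStatus     = $state.ProtectionStatus
        RecoveryPassword     = $recovery   # record this somewhere not on the drive
    }
}

# Usage (constructed):
# Test-TpmReady
# Protect-DataDrive -MountPoint 'D:' -Password (Read-Host -AsSecureString 'Drive password')
```

Run Get-BitLockerVolume again later to confirm VolumeStatus reaches FullyEncrypted before moving the migrated data back onto the drive.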

There's a link to download TrueCrypt version 7.2, along with a warning to do so only "if you are migrating data encrypted by TrueCrypt." There are extensive changes when comparing the source code of 7.2 with the previous version. With TrueCrypt 7.2 you can no longer encrypt, only decrypt. The code is also commented with things like "INSECURE_APP."

Was this the work of the TrueCrypt team, and is it insecure? The first phase of auditing TrueCrypt source code found "no evidence of backdoors or intentional flaws." There were a few security vulnerabilities found, but nothing severe. Yesterday, the TrueCrypt Audit Project added a "p.s. We hope to have some *big* announcements this week, so stay tuned."

Yet cryptographer Matthew Green, who helped start a crowdfunding effort to raise $70,000 so TrueCrypt could be professionally audited, said he had started "to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn't want their names out there." Green told Brian Krebs, "I think the TrueCrypt team did this. They decided to quit and this is their signature way of doing it. They set the whole thing on fire, and now maybe nobody is going to trust it because they'll think there's some big evil vulnerability in the code."

Was the change legitimate? The Register pointed out that "on Wednesday, a Wikipedia user going under the handle 'Truecrypt-end' tried repeatedly to update the TrueCrypt page with similar text, but these changes were swiftly reverted by moderators."

There is the possibility that TrueCrypt's abrupt end-of-life is actually a warrant canary, triggered by a secret subpoena or National Security Letter (NSL) and resulting in a Lavabit-like end.

The flip side: "I've long suspected that a government was behind TrueCrypt," stated Jake Williams, SANS Instructor and Principal at Rendition InfoSec. "The code base is hugely complicated with lots of dependencies and is anything but easy to build, particularly for the Windows version. It's a great way to obfuscate what is in the binary packages (which 99.9% of Windows users use) that may or may not be in the source code."

Who knows whether it was a government, a canary, or simply what the notice says: Microsoft ended XP, and all other supported versions of Windows include integrated support for encryption. Or maybe the people behind the free and open source TrueCrypt, people who have safeguarded their identities, are sick to death of being burnt in flame wars.

As it stands now, you should give up TrueCrypt in favor of Microsoft's BitLocker. The TrueCrypt team also left directions for what to do if you have files encrypted by TrueCrypt on Mac OS X or Linux.

Follow me on Twitter @PrivacyFanatic