Is TrueCrypt, Snowden’s favourite, no more?

The anonymous team supporting the popular open source encryption software seems to have suddenly ceased its work with no prior announcement and is suggesting users should move to Microsoft’s BitLocker, leaving uncertainty behind.


So, is TrueCrypt no more or not? The open source encryption software favoured by many security professionals – including that ‘éminence grise’ of security circles, Edward Snowden – appears to have shut down. But while warning potential users that the software may no longer be secure to use and directing them to Microsoft’s BitLocker as an alternative, its website is said to also contain a link to where a new Windows version may be found.

The official reason for the move is that, with Microsoft having now abandoned Windows XP and TrueCrypt having been developed with XP in mind, there is no reason to continue developing it. That does seem to duck the issue that, regardless of what Microsoft might want, there are still many businesses sticking with their commitment to using XP.

Official advice from the anonymous developers is that security professionals should no longer use TrueCrypt. This will no doubt come as a shock to many of them, as the software has built a solid reputation. The mere fact that it was Snowden’s favoured encryption tool tended to speak volumes for its capabilities. So security teams would now seem to face the options of accepting the recommendation to move to BitLocker, or starting the search for another alternative.

It also raises the one weakness of open source that often hangs at the back of the mind of users who favour company-produced products – that the teams of individuals who create open source products carry the risk of simply ‘vapourising’ and abandoning projects to which a business may have committed.

This view is taken up by Brendan Rizzo, technical director at Voltage Security. “TrueCrypt has long been seen by its users as a good open source technical option for encrypting data - especially for personal use. The apparent move by the TrueCrypt team to completely abandon the project without any warning highlights a very real risk companies face when choosing solutions to meet their requirements: even if TrueCrypt was found to still be technically sound, a technical solution alone is not enough.

“While some start-up companies may choose a more risky approach in order to try and save money, larger companies know that attempting this approach at scale is a fool’s errand. Especially when it comes to something as critical to their business’ success as encrypting their most sensitive information. It is imperative for companies to choose a solution provider who offers both an openly validated technical solution as well as the reliability offered by a commercial company who will stand behind a product and provide support and updates for years to come.”

The anonymity of the development team has also been identified by Amichai Shulman, CTO at Imperva, as a problem for security professionals.

“There is a place for a disk encryption solution independent of operating system type and operating system provider in general. Whether TrueCrypt is the right solution, given the anonymous nature of its developers, I’m not sure. Whether this is a trend for other businesses? I don’t think so. TrueCrypt was never a ‘business’. Most businesses should have moved on from XP software a long time ago.

“TrueCrypt was created in order to provide disk encryption for operating systems that do not have built-in support for it. Currently the only one is Windows XP and since it is “no longer safe” to use it there’s no point in maintaining an encryption solution for it.”
