POSTED BY: Dave B (Staff Writer)
…that is the question.
Recently, I’ve noticed a surge of topics on Reddit and the like that continue to perpetuate the rumor that TrueCrypt (a popular volume encryption utility) has been compromised or is otherwise unsafe to use.
According to an audit conducted on the Windows version of TrueCrypt 7.1a, TrueCrypt does not contain any backdoors or serious flaws that would compromise confidentiality under normal circumstances.
Does this also rule out the TrueCrypt site itself serving up bad executables to selected IPs/blocks of IPs? No, but using the GitHub mirror (find it at: GRC) and verifying that all signatures are the same as those used in the Open Crypto Audit Project (here: OCAP) does. Alternatively, you could build it from source using code from the above listed locations.
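One way to carry out the comparison described above, as an added example that is not from the original post or from the TrueCrypt or OCAP projects: pin the reference SHA-256 digests you obtained out-of-band and check every downloaded file against them. The sha256sum-style manifest format, the file names and the sample bytes are constructed assumptions; the post speaks of signatures and does not give the reference values.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style 'HEXDIGEST  filename' lines into {filename: digest}."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)  # raises ValueError if a field is missing
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed digest for {name!r}")
        pinned[name.lstrip("*")] = digest  # '*' marks binary mode in sha256sum output
    return pinned

def check_downloads(download_dir, pinned):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing' | 'unpinned'}."""
    folder, results = Path(download_dir), {}
    for name, want in pinned.items():
        path = folder / name
        if not path.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), want):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"  # served file differs from the pinned reference
    for path in folder.iterdir():
        if path.is_file() and path.name not in pinned:
            results[path.name] = "unpinned"  # nothing to compare against: do not trust
    return results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample, not a real release
        good = b"constructed installer bytes"
        (Path(tmp) / "setup-sample.exe").write_bytes(good + b" (altered in transit)")
        manifest = f"{hashlib.sha256(good).hexdigest()}  setup-sample.exe\n"
        print(check_downloads(tmp, parse_manifest(manifest)))
```

The check is only as trustworthy as the channel the reference digests came from, so fetch them separately from the download itself.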
Still feeling a little uneasy about Truecrypt? That’s OK – a little paranoia can be healthy!
Sadly, in the digital age, it is much easier to ruin a reputation than to spend the decade it takes to build one. There have been instances where the government admitted they were unable to crack TrueCrypt (as of 2010 at least: according to this article). That being said, one case stands out (here) where the FBI was able to gain access to a TC volume, although it is unclear whether this was accomplished with technical means or otherwise. Also, see a long list of instances where police weren’t able to decrypt volumes from various popular applications.
Linux is your friend
If TrueCrypt has lost your trust for good, then I’d suggest migrating to Linux and using a tool called “GnuPG.” It is based on the OpenPGP standard and makes managing asymmetric keypairs simple.
Also, a special Linux distro called Ubuntu Privacy Remix is available as a .iso for use on a live CD. It creates encrypted TrueCrypt volumes that you can place your super-secret PGP ciphertexts in.
I’d recommend the following settings for UPR volumes:
- Use the TWOFISH-SERPENT algorithms for the wrapper volume (the one you’ll place your asymmetric ciphertexts in)
- Use Whirlpool for your hashing algorithm
- Use a passphrase that is at least 30 chars long, and make it random
- Use DSA-Elgamal 4098 bit keys for GnuPG
- Again, a long, random and secure passphrase is required here
This setup provides you with a margin of safety.
Since UPR saves nothing to the local disk, it is safe to work with files on its desktop. For instance, you could first encrypt the sensitive file with your public key. Next, mount the TrueCrypt volume and place the ciphertext (encrypted file) in it. TrueCrypt will never have access to the plaintext, so even if it is somehow secretly compromised, the ciphertext is safe.
It’s simple. TrueCrypt is 99% likely to be safe. It’s been verified several times and even passed a bona fide audit with a pretty decent score, considering TrueCrypt was not created by a multi-million dollar corporation or state actors. The developers invested a pretty good chunk of their lives into this and, any future discovery of malicious intent notwithstanding, received a lot of flak and permanent damage to their reputations that was probably not deserved.
TrueCrypt is most likely perfectly safe to use, provided that you fully understand what it can and cannot do. If your end-point is compromised: it won’t help. If you have the volume mounted when an armed attacker busts into your home: it won’t help. If your powered-down machine is stolen by a burglar: it will do its job. There are plenty of other limitations too, and those were just a few examples that people tend to forget. Overall? I’m still using it. But, then again, my threat model doesn’t include state actors (at least not from this country). But I’m sure others’ do.
One last thought: you’d better not even be obsessing about this unless you have end-point security handled!