Truecrypt is done, move on now

[REVISED] For as long as it remains up, the Truecrypt project site on Sourceforge now shouts the following warning:

“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”.

The sudden collapse of the Truecrypt project is personally upsetting to me because I’ve been using it for so long as a decent cross-platform solution for securing data with something less than full disk (or partition) encryption.

But, truth be told, doubts about the reliability of both the software and the team developing it have been around for a long time too.

“Here’s what you need to know about the sudden and mysterious death of Truecrypt” is a good technical-level article about the breaking-news aspect of the story, as well as the history of Truecrypt and recent efforts to audit the software. I agree with the article’s basic conclusion that the message posted is not a hoax, but a genuine warning from the developers for people to get off Truecrypt.

There are alternatives, although none that work on both Unix and Windows. One option for Windows users is the one suggested by Truecrypt’s site, Microsoft’s BitLocker. But BitLocker is only available on enterprise editions of Windows, is closed source, and published by Microsoft (a company that was frightfully eager to assist both the Chinese and U.S. governments in their efforts to spy on their own citizens).

AxCrypt is a free, open source alternative to Truecrypt that runs on consumer editions of Windows and integrates with Windows Explorer. It has received some positive reviews over the years. AxCrypt volumes are not compatible with Truecrypt volumes, so any data previously encrypted on Windows using Truecrypt would need to be extracted and then re-encrypted with AxCrypt.

Some have suggested using 7-zip encrypted files or folders (p7zip is a Unix fork of the Windows 7-zip code). Here is a discussion thread where 7-zip encryption is compared to Truecrypt (the consensus seems to be that they’re equally resistant to cracking, but Truecrypt has been vetted more thoroughly).

There are a number of alternatives to Truecrypt on Unix variants, including Linux. One is tcplay, a little command line utility out of the Dragonfly BSD world that can create and manage classic Truecrypt volumes. You can find a nice article describing a nifty bash shell wrapper for tcplay here.

Again, p7zip (the Unix fork of 7-zip) has been available on Linux for a while, so it might be a good alternative, especially for less-than-full-disk-encryption use cases. It is also fully integrated into the Gnome Shell’s Nautilus file manager, making it easy to create, view and manage archives. Nautilus will also encrypt files and folders using gpg (folders are first converted into a zip archive).

A Linux-only solution would be folders/volumes/disks encrypted with the native ecryptfs kernel module and associated utilities. This article provides some guidance for using it on Arch/Ubuntu Linux. The Security Guide for Red Hat’s Enterprise Linux 7 contains guidance on encrypting partitions using LUKS (Linux Unified Key Setup). LUKS, a successor to ecryptfs, has become the de-facto standard for full disk/partition encryption in recent years. Unfortunately it does not provide a means of securing files and folders on an unencrypted disk/partition.

There’s a terrific wiki article over on the Arch Linux Wiki that thoroughly reviews all the file, folder and disk encryption options available on Linux.
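As an added example (not from the original post), a small Python inventory script that tells which of the container formats discussed above a file on disk is, using the published LUKS and 7-zip header magics and an entropy check for headerless Truecrypt-style volumes; the file names and headers in SAMPLES are constructed stand-ins for real files.

```python
import math

# Published on-disk signatures of the formats discussed above.
LUKS_MAGIC = b"LUKS\xba\xbe"            # cryptsetup LUKS1/LUKS2 header
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # 7-zip / p7zip archive
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits close to 8.0, text well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_container(head: bytes) -> str:
    """Name the container format from a file's leading bytes.

    Truecrypt volumes carry no magic at all (the header is itself
    encrypted), so they can only be flagged as headerless random data.
    """
    if head.startswith(LUKS_MAGIC):
        version = int.from_bytes(head[6:8], "big")
        if version == 1:  # LUKS1 keeps the cipher name at bytes 8..39
            cipher = head[8:40].split(b"\x00", 1)[0].decode("ascii", "replace")
            return f"luks1 ({cipher})"
        return f"luks{version}"
    if head.startswith(SEVENZIP_MAGIC):
        return "7z (whether it is encrypted is recorded inside the archive)"
    if head.startswith(PGP_ARMOR):
        return "pgp (ASCII armored)"
    if shannon_entropy(head) > 7.5:
        return "headerless high-entropy data: candidate Truecrypt volume"
    return "unrecognised / probably not an encrypted container"

# Constructed sample headers standing in for real files on disk.
SAMPLES = {
    "vault.img": LUKS_MAGIC + b"\x00\x01" + b"aes".ljust(32, b"\x00") + bytes(512),
    "vault2.img": LUKS_MAGIC + b"\x00\x02" + bytes(512),
    "docs.7z": SEVENZIP_MAGIC + bytes(512),
    "note.gpg": PGP_ARMOR + b"\nVersion: constructed\n",
    "old.tc": bytes(range(256)) * 4,   # uniform bytes, as an encrypted header looks
    "readme.txt": b"hello world\n" * 50,
}

def inventory(samples: dict) -> dict:
    """Classify every sample from its first 4 KiB, as one would for real files."""
    return {name: classify_container(data[:4096]) for name, data in samples.items()}

if __name__ == "__main__":
    for name, kind in inventory(SAMPLES).items():
        print(f"{name:12} {kind}")
```

On real files, read the first 4 KiB of each candidate and pass it to classify_container; the entropy branch is a heuristic, so treat "candidate Truecrypt volume" as something to open and check rather than as a verdict.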

This entry was posted in Security, System Administration, Systems Analysis.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).