TrueCrypt - volume encryption [discontinued]
Posted: Tue Sep 19, 2006 5:57 pm
[Moderator note: this is the primary TrueCrypt program thread. View database entry]
truecrypt v4.2a has been released 3 July 06
Posted: Tue Sep 19, 2006 10:02 pm
Database updated. Thanks!
Posted: Thu May 29, 2014 5:38 am
EDIT: after the demise of TrueCrypt, VeraCrypt is pretty much regarded nowadays as its successor: https://www.portablefreeware.com/?id=2703
Old topic update: in view of current news coverage of a possible TrueCrypt hack, here are a few pointers for relevant reading -- for current info, browse links posted in the latest database entry's comments (see http://www.portablefreeware.com/index.p ... addcomment)
Related TPFC forum posts:
Posted: Fri May 30, 2014 3:11 pm
I'm split on whether or not to put a disclaimer up on the entry since the security piece of this is really unclear. I mean, insecure to who? Huge organizations with loads of money? It probably wasn't secure against them before either. Maybe we recommend using the version before the current one?
Having seen very large, very well-funded organizations make very dumb security decisions, I'm wondering if not bad isn't more than enough. Schneier for example was still using it as of two weeks ago.
Also, someone in the comments of the link above noted the following:
Those who fear that TrueCrypt is subverted might profit from spending a few minutes pondering that there are Computer Science departments all over the world with many hundreds of professors and thousands of graduate students, some of whom specialize in infosec/crypto.
Because TrueCrypt is so widely used and relied upon, the first CompSci department to announce that they'd proved a backdoor in TrueCrypt would be world-famous, attract rivers of funding, and have the best imaginable prospects for their future careers.
It's certainly a better prospect to work with an open program that has seen this kind of scrutiny rather than closed systems like FileVault and BitLocker for whom serious analysis relies upon their company of origin (Apple and Microsoft).
Posted: Fri May 30, 2014 5:05 pm
@Aaron you are aware of recent discoveries about NSA and commercial companies cooperation, aren't you? I can't imagine any sane person who has followed the news using closed source encryption tools made by a "Fortune 500 company" and expecting it's not backdoored. That's why a suggestion by TC developers to use one of such tools would be strange at least. It looks much more like a red herring or a warrant canary.
This doesn't make sense [not referring to the quote]. And for the time being I wouldn't migrate data just yet.
Posted: Fri May 30, 2014 5:58 pm
Open TrueCrypt alternatives
- definitely portable but not cross platform and doesn't seem to be under development any longer. Still, might be more secure than TrueCrypt.
* encfs4win (Encrypted File System for Windows) http://members.ferrara.linux.it/freddy77/encfs.html
... based on encfs for Linux, it's probably cross-platform. No clear idea of the program maturity.
* DiskCryptor https://diskcryptor.net/
The program has a much better license than TrueCrypt's (GPL) but not very portable. Quoting the FAQ
> How can I create portable version of DiskCryptor and use it from USB flash drive?
Portable mode will be realized together with container's support as they can be mounted without driver installation. Currently DiskCryptor supports volumes and driver installation is obligatory (administrator rights required) and the following restart (it is possible to load driver without rebooting, however in this case filter can be assigned with volume class only by hacks, which I do not want to use).
The FAQ goes on to say that the driver installation (and admin access requirement) isn't something they could remove without a substantial rewrite. I'm also going to go ahead and guess that this makes the program difficult to take beyond Windows.
Posted: Fri May 30, 2014 9:28 pm
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
I don't believe this shit! Why would a security software programmer say that his software "may" contain security issues? Does it or doesn't it? Is this sourceforge page hacked? TC wasn't updated for many months, so I think that 7.1a version is secure enough. I won't switch to any other software until I have real proof that TC is trash. I'll keep an eye on this: https://twitter.com/OpenCryptoAudit/sta ... 4977131520
More here: http://www.pcworld.com/article/2143841/ ... found.html
Posted: Sat May 31, 2014 10:16 am
Sorry for the double post, but this is important:
Posted: Sat May 31, 2014 9:40 pm
I am using TrueCrypt myself and I will simply wait for the code audit to be out.
This whole affair is really fishy but since it is open-source, I think the source code can stand for itself.
Posted: Sun Jun 01, 2014 6:40 am
While the source code is available, it is worth pointing out that it is not 'open source' by the common definition (according to the FSF, OSI, Ubuntu, Debian, etc). It's more like 'freeware with source available' in many ways. TrueCrypt is under a one-off license called the TrueCrypt license designed to specifically discourage forks. It's incompatible with other open source licenses (limiting code re-use), doesn't permit use of the TrueCrypt name, requires an advertising clause (like the old, frowned-upon, 4-clause BSD license), and specifically allows the original authors to sue you. All of this seems put in place to allow the original authors to shut down the project if they see fit. And to disallow anyone to continue development of 'TrueCrypt' as is without changing the name even if the authors have no interest in continuing.
Realistically, someone could probably continue it as TrueCrypt, but they'd always have the possibility of a lawsuit hanging over their head. And anyone wishing to utilize the code or binaries in other projects will have a similar worry. We still don't know why it was shut down, though several folks in the community are theorizing that they received a National Security Letter and this was their way of letting the world know without stating that they did and being thrown in jail.
Posted: Mon Jun 02, 2014 2:17 am
JohnTHaller wrote: We still don't know why it was shut down, though several folks in the community are theorizing that they received a National Security Letter and this was their way of letting the world know without stating that they did and being thrown in jail.
- In support of that theory one of the best explanations I came across is at http://en.wikipedia.org/wiki/Warrant_Canary...
And before anyone shouts "conspiracy theory alert", reputable sources confirm that this is not entirely unheard of: some US public libraries set up similar strategies to defend patron privacy in case of user record subpoenas under provisions from the so-called "Patriot Act"...
Posted: Thu Jun 05, 2014 4:18 pm
Haller wrote: TrueCrypt is under a one-off license called the TrueCrypt license designed to specifically discourage forks.
I always assumed that the TrueCrypt license was there so that they could eventually start a company surrounding that program. This frankly would have protected them better than staying anonymous. After all, Microsoft just successfully defended themselves against an NSL.
Regardless, I much prefer standard, tested licensing.
Hopefully someone will run a kickstarter or something similar and stand the server up in Germany, Switzerland, or whatever country that would be friendly to an effort like this. I don't expect it would ever offer iron clad security, but access to open, reasonably strong security measures shouldn't be revolutionary or strange.
Someone suggested over on Schneier's site
would be a much better base to start with than forking TrueCrypt. FreeOTFE lists support for them, though I don't know what version since it's evidently no longer under development.
Posted: Thu Jun 05, 2014 4:53 pm
webfork wrote: I'm split on whether or not to put a disclaimer up
Given that the website now offers a crippled version of TrueCrypt, I went ahead and added a something
Posted: Thu Jun 19, 2014 12:52 am
webfork wrote: Open TrueCrypt alternatives
* DiskCryptor https://diskcryptor.net/
The program has a much better license than TrueCrypt's (GPL) but not very portable.
- In the wake of the TrueCrypt debacle, here's a recent article reporting on DiskCryptor use:
... And here's another on VeraCrypt:
Posted: Wed Jul 02, 2014 2:55 pm
To whom it may concern, the Open Crypto Audit Project has this posted at their site: