Thursday, May 29, 2014

What's up with TrueCrypt?

If I try to go to the TrueCrypt website I am redirected to a page at SourceForge with this ominous warning:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

The page then tells the reader how to migrate to Bitlocker (Microsoft) and has a link to a page for other platforms.

Bruce Schneier has a blog entry on this, but there is little information as to why this has happened. The comments section has some ominous speculation, including that there was a Lavabit-like "request" from the US Government and the TrueCrypt developers just decided to shut down. Another is that the code review would reveal one or more backdoors in the program and the NSA wants to shift everyone over to a compromised but closed-source option like BitLocker. BitLocker can do key escrow with Microsoft and, as I recall, nudges the user in that direction. It could just as easily do a key escrow without permission.

On the other hand, it could just be a hoax.

I use LUKS (Linux Unified Key Setup) and dm-crypt for all my encrypted drives, so any compromise of TrueCrypt is not directly threatening to my data or privacy. Still, given the number of people who rely on TrueCrypt for data security, this is a little disturbing. My employer's policy is that all company-provided laptops are supposed to have their hard drives encrypted with TrueCrypt, so this may still hurt a little.

