TrueCrypt: 15 days on and still no real solution

Business users need to start looking for alternative options, say experts, and choose solutions that will continue to be supported.


The mystery surrounding the demise of TrueCrypt's servers - along with support for the freeware on-the-fly-encryption software - on May 28 shows no sign of being resolved.

The freeware - which originally appeared in early 2004 - has proven popular with security enthusiasts over the last decade, and has also been adopted as a mainstay encryption protocol by various third parties, most notably Amazon for several of its cloud computing services.

This success is due to the software's ability to create a virtual encrypted disk within a file or encrypt a partition (or complete storage device) on most Windows platforms.

On May 28, the TrueCrypt website started displaying a page featuring a warning that the software may contain unfixed security issues, and that development of TrueCrypt was ended in May after Microsoft terminated support of Windows XP.

Since then, two researchers have set up an alternative website in Switzerland to support the freeware, although Chester Wisniewski, a senior security advisor at Sophos, says this site is operating in violation of TrueCrypt's licence.

Sophos has just published the results of a survey of more than 100 IT professionals regarding their use of encryption, including TrueCrypt, and found that a third of respondents who use cryptography are using TrueCrypt in some fashion, whilst 68 percent of those TrueCrypt users have used the software for business and 46 percent for both business and personal use.

The security vendor also reports that the news surrounding the TrueCrypt mystery has made almost two-thirds of respondents think critically about encryption.

Wisniewski says that many TrueCrypt users appear to have been unaware of its unclear pedigree.

"Considering that 68 percent of TrueCrypt users use it in a business environment, it appears this situation has been a bit of a wake-up call," he said, adding that Apple, Microsoft and other commercial players are unlikely to stop supporting integrated encryption moving forward.

Because of these issues, he advises that users should be using vetted and trusted operating system-level encryption like Microsoft BitLocker and Mac FileVault 2.

TrueCrypt, he explained, was not using the latest technology, so now is a great time to move to compliant encryption standards.
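For an administrator acting on the advice above (move to OS-level encryption and check which standards it actually applies), the first practical step is to verify what BitLocker is doing on each Windows host. The script below is an added example, not from the article or from Sophos; it uses the standard `Get-BitLockerVolume` cmdlet from the BitLocker PowerShell module (Windows 8 / Server 2012 and later, run from an elevated session) and reports any volume that is not both fully encrypted and actively protected, together with the cipher in use so the "Aes256" versus "Aes128" question can be answered per host. The threshold logic and output layout are this example's own choices.

```powershell
# Added example: inventory BitLocker state on one Windows host and flag
# volumes that are not fully encrypted or whose protection is switched off
# (a suspended volume still holds its key in the clear on disk).
# Assumes the BitLocker module is present and the session is elevated.
Import-Module BitLocker

$report = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType          # OperatingSystem / Data
        VolumeStatus     = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus = $_.ProtectionStatus    # On / Off
        EncryptionMethod = $_.EncryptionMethod    # e.g. Aes128, Aes256, XtsAes128, XtsAes256, None
        KeyProtectors    = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
}

# Human-readable table for the operator.
$report | Format-Table -AutoSize

# Anything that is not fully encrypted with protection on needs attention.
$needsAttention = $report | Where-Object {
    $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
}

# Volumes encrypted with a 128-bit cipher; policy may require 256-bit (e.g. XtsAes256).
$weakCipher = $report | Where-Object {
    $_.VolumeStatus -eq 'FullyEncrypted' -and $_.EncryptionMethod -match '128'
}

if ($needsAttention) {
    Write-Warning ("Not fully protected: " + (($needsAttention | ForEach-Object { $_.MountPoint }) -join ', '))
}
if ($weakCipher) {
    Write-Warning ("128-bit cipher in use on: " + (($weakCipher | ForEach-Object { $_.MountPoint }) -join ', '))
}
if (-not $needsAttention -and -not $weakCipher) {
    Write-Output "All BitLocker volumes fully encrypted, protected, and using a 256-bit cipher."
}
```

On systems without the PowerShell module, `manage-bde -status` reports the same volume status, protection status and encryption method from a command prompt; the macOS equivalent of this check for FileVault 2 is `fdesetup status`.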

Existing users

Although it is perfectly possible to install TrueCrypt - as well as tweak existing versions of the freeware encryption software - most users will see pop-ups warning them that the code is no longer secure.

According to Professor John Walker, a Visiting Professor with Nottingham Trent University's School of Science and Technology, two things come out of the TrueCrypt saga. The first is that several vendors have used the freeware's near-demise to tell everyone how wonderful their alternative product is, despite the fact that TrueCrypt is arguably one of the best applications of its type.

"The second issue is that we find ourselves in a world of encryption products that do not completely fulfil the needs of their users, as they do not always do what it says in the tin - namely encrypt to a high standard," he explained.

Walker, a veteran consultant in IT security since the 1990s, says that, because of these issues, users should no longer be looking at the vendor or the source of encryption software, but should look closely at the standards which the software supports.

Taking this approach, he adds, means that users can have a far better understanding of what the software does, and does not, do.

Brendan Rizzo, technical director with Voltage Security, an encryption specialist, says that TrueCrypt has long been seen by its users as a good open source technical option for encrypting data - especially for personal use.

"The apparent move by the TrueCrypt team to completely abandon the project without any warning highlights a very real risk companies face when choosing solutions to meet their requirements. Even if TrueCrypt was found to still be technically sound, a technical solution alone is not enough," he said.

"While some start-up companies may choose a more risky approach to try and save money, larger companies know that attempting this approach at scale is a fool's errand. Especially when it comes to something as critical to their business' success as encrypting their most sensitive information," he added.

Against this backdrop, Rizzo says it is imperative for companies to choose a solution provider which offers both an openly validated technical solution, as well as the reliability offered by a commercial company who will stand behind a product and provide support and updates for years to come.