Boxcryptor IT Security Blog

Time to drop TrueCrypt

The internet community is alarmed. The website of the popular encryption software TrueCrypt was replaced by a vague and mysterious announcement stating that TrueCrypt "is not secure as it may contain unfixed security issues" and recommending that users stop using it. The announcement suggests migrating to other disk encryption solutions instead (e.g. BitLocker on Windows). Users and experts are speculating widely about why the unknown TrueCrypt developers took this action: maybe the developers simply do not want to continue the unpaid work, maybe they have been forced by the US government, or maybe their site has been hacked. Regardless of the true reason for this unexpected event, it's a good opportunity to drop TrueCrypt - especially if you are using it to protect your data in the cloud. You want to know why? We can see at least two reasons:

1. TrueCrypt was not built for the cloud era

The initial 1.0 version of TrueCrypt was released in 2004, years before the first cloud storage provider opened its doors, and TrueCrypt was never designed to be used with cloud storage. TrueCrypt's container files cause a lot of trouble when used with Dropbox or similar services:

  • Containers are large, which makes them hard to sync. Even a marginal change in a small file can cause a full re-sync of the whole big container file.
  • Collaboration with co-workers on encrypted files in a TrueCrypt container is not possible because it causes sync conflicts.
  • Files are not available on mobile devices: TrueCrypt is - or was - only available for the desktop.

Instead of struggling with software designed in the pre-cloud era, you should use an encryption solution which was built for the cloud from the start and which is optimized to work seamlessly with your cloud storage of choice - Dropbox, Google Drive, Microsoft OneDrive, Box or any of the many other providers available.

2. TrueCrypt is not trustworthy (and maybe not really open source)

From the beginning until today, the TrueCrypt developers have stayed completely anonymous and nobody really knows who they are. There might be good reasons for this move (e.g. to hide from a government) but at the same time this leaves a lot of open questions. We here at Boxcryptor are real people with a real office:

Werner-von-Siemens-Str. 6
86159 Augsburg
Germany

You can even talk to us!

A big argument brought up in any discussion about TrueCrypt is that it is open source software. We agree that security software should be open source whenever possible and that it can be an important way to build trust. But although TrueCrypt is generally described as "open source software", there is the legitimate question of whether TrueCrypt is really open source. Probably not, at least not 100% of it. The source code may be public, but the build process is so complex and hard that until now nobody has been able to prove that the binary and setup program you can - or could - download from the TrueCrypt website were really built from the publicly available source code. TrueCrypt is not even considered "Open Source" by many of the important Linux distributions, including Debian, Ubuntu or openSUSE.

Even if the source code matches, it is extremely hard to tell whether the software is "safe" and does not contain any "unfixed security issues" - regardless of the available source code. There are prominent examples showing that open source software, too, can contain severe security flaws, even if everybody could theoretically inspect the source code for potential problems: OpenSSL's Heartbleed bug and the random number bug in Debian are just two of them. Currently there is a crowd-funded project, "IsTrueCryptAuditedYet", started by popular cryptographers Kenneth White and Matthew Green, which raised $70,000 to conduct a security audit of TrueCrypt - because they don't fully trust it.

Time to drop TrueCrypt

If you are still using TrueCrypt to protect your data in the cloud, take this opportunity to drop TrueCrypt and choose a cloud-optimized encryption solution. With Boxcryptor you can encrypt your files and still benefit from all advantages of the cloud: Multi-platform availability, collaboration and ease of use. To make the switch easy for you, we offer you a 20% discount on all of our yearly licenses. Just use the discount code DropTrueCrypt20, valid until 1st of June, 2014.

We are open to any opinions, feedback or discussions on this issue, so please contact us anytime.

Best regards,

Andrea and Robert
Founders of Boxcryptor
