I admit being a holdout for TrueCrypt. I wrote about it in my Your Ultimate Security Guide: Windows 7 Edition. I encouraged its use among my friends and family. I have used it myself. I have stood so strongly beside TrueCrypt for two reasons. The first is The Audit. Being independently audited is incredibly rare among encryption tools, and I placed a great deal of trust in that audit, which was only recently completed and whose results were mostly good. There were some minor vulnerabilities but nothing to be overly concerned about, and certainly no backdoors. The other reason I held onto TrueCrypt for so long (and it pains me to admit this) was nostalgia. TrueCrypt was the gold standard for years and it had been with me through thick and thin, protecting my data on half a dozen personal laptops and across scores of international borders. Letting go of TrueCrypt felt like letting go of an old friend.
But I didn't hold onto it out of misplaced loyalty or nostalgia alone. The audit was huge, and until I had a good reason to believe TrueCrypt was insecure there was no reason to switch. But audits are not perfect, and now we have that reason. A privilege escalation vulnerability was discovered in the Windows driver of TrueCrypt (almost two months ago now). It does not break the encryption itself, but it lets an ordinary local user or malware running under an ordinary account gain full control of the system, and on a machine where the volume is mounted that is the same thing as compromising your data. TrueCrypt is unmaintained, so this will never be fixed there. For this reason I am moving, and recommend moving, to VeraCrypt as soon as possible.
Going back to an un-audited program feels like a huge step backward to me. I don't think the developers have maliciously inserted a backdoor, but code is complex and getting encryption right is hard. But there is a very big silver lining. First, vulnerabilities like the one affecting TrueCrypt can be patched in VeraCrypt (and will be, and in this case, already have been); TrueCrypt's vulnerabilities will never be patched. Next, an audit is planned for VeraCrypt that will probably be undertaken after the program is in its next version and has added some new features. Finally, VeraCrypt raises the number of PBKDF2 iterations used to turn your password into the volume header key from a maximum of 2,000 in TrueCrypt to as many as 500,000. Because the cost of PBKDF2 is linear in the iteration count, every password guess costs an attacker roughly 250 times as much work, the equivalent of about eight extra bits of password entropy. That slows down offline password guessing considerably (and makes mounting a volume noticeably slower), but it does not rescue a weak password; pick a long passphrase regardless. Using VeraCrypt requires almost no learning curve for anyone familiar with TrueCrypt, as the two programs are almost identical in up-front operation.
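To make the iteration-count argument concrete, here is a small added example (my own illustration, not code from TrueCrypt or VeraCrypt). It derives a header key with PBKDF2-HMAC-SHA512 at the two iteration counts quoted above, times a single guess on the local CPU, and converts the slowdown into equivalent password bits. The 64-byte salt and the single 64-byte output key are simplifying assumptions; the real header format derives more key material, but the per-guess cost scales the same way.

```python
import hashlib
import math
import os
import time

# Iteration counts quoted in the text: TrueCrypt used at most 2,000 PBKDF2
# iterations, VeraCrypt's standard-volume default is 500,000 (assumed here to
# apply to the SHA-512 PRF).
TRUECRYPT_ITERATIONS = 2_000
VERACRYPT_ITERATIONS = 500_000


def derive_header_key(password: bytes, salt: bytes, iterations: int, dklen: int = 64) -> bytes:
    """Derive a volume header key with PBKDF2-HMAC-SHA512.

    Assumption for this example: a 64-byte salt (the size TrueCrypt-style
    headers use) and a single 64-byte output key. Real headers derive a longer
    key to cover the header cipher's primary and secondary XTS keys.
    """
    if len(salt) != 64:
        raise ValueError("TrueCrypt-style headers use a 64-byte salt")
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen)


def seconds_per_guess(password: bytes, salt: bytes, iterations: int) -> float:
    """Time one derivation: the attacker's cost per candidate password on this CPU."""
    start = time.perf_counter()
    derive_header_key(password, salt, iterations)
    return time.perf_counter() - start


def work_factor_ratio(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so the slowdown is the ratio."""
    return new_iterations / old_iterations


def equivalent_extra_bits(ratio: float) -> float:
    """A k-fold slowdown buys the same as log2(k) extra bits of password entropy."""
    return math.log2(ratio)


def hours_to_exhaust(candidates: int, seconds_per_candidate: float) -> float:
    """Worst-case time for a single-threaded attacker to try every candidate."""
    return candidates * seconds_per_candidate / 3600


if __name__ == "__main__":
    password = b"correct horse battery staple"  # constructed sample password
    salt = os.urandom(64)                        # the header salt is random per volume
    for name, iters in (("TrueCrypt", TRUECRYPT_ITERATIONS),
                        ("VeraCrypt", VERACRYPT_ITERATIONS)):
        t = seconds_per_guess(password, salt, iters)
        print(f"{name:9s} {iters:>7d} iterations: {t * 1000:8.1f} ms per guess, "
              f"{hours_to_exhaust(10**8, t):10.1f} h to try 1e8 candidates")
    ratio = work_factor_ratio(TRUECRYPT_ITERATIONS, VERACRYPT_ITERATIONS)
    print(f"slowdown x{ratio:.0f} ~= {equivalent_extra_bits(ratio):.1f} extra password bits")
```

The timings are for one core of a general-purpose CPU; a GPU cracking rig gets far more guesses per second, which is exactly why the iteration count matters. Note what the ratio does not change: the attacker still only needs to guess the password, so a dictionary word protected by 500,000 iterations falls about 250 times slower than before, not never.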
Unfortunately (or fortunately, depending on how you look at it), VeraCrypt and TrueCrypt volumes are not the same format, so you cannot simply keep using your old volumes. If you are using volume-level encryption, create a new VeraCrypt volume, mount your TrueCrypt volume, and copy the files across (current VeraCrypt releases can open a TrueCrypt volume in a compatibility mode, which makes the copy convenient, but the end state should be a volume created natively by VeraCrypt). If you are using full-disk encryption (which you should be), this means fully decrypting your machine and re-encrypting it with VeraCrypt. While it is decrypted would be an ideal time for a clean install, too.
11/23/2015: Shortly after this post was published, an Ars Technica article appeared indicating that TrueCrypt is still safer than we thought. This is good news, but the clock is still ticking on the aging, unmaintained encryption application.
VeraCrypt URL and Checksums: