Truecrypt users here?

mlts22 wrote:
For Windows, I use BitLocker because it is available, and very easy to deal with. However, for cross platform compatibility, I may end up moving back to Jetico's BestCrypt (a program I used before TrueCrypt was out for both containers and system encryption.) It isn't open source, but it does have hidden container protection.

Another option I might do is look at Symantec's Encryption Desktop (formerly PGP Desktop.) It works on Mac, Windows, and Linux, and offers the only public key protection on data volumes out there. This is an excellent product, but not cheap, although the source code is downloadable.

Before using either BitLocker or BestCrypt, etc I suggest reading the reader comments on Bruce Schneier's blog - https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html

Bottom line: any closed proprietary product is suspect and may in fact have a backdoor to the NSA, FBI, et al. Caveat Emptor.

Regardless of the why the end result is the same - Truecrypt is dead. It can never be trusted again after this incident. Hopefully something will take its place, though.

And although their source was available it was never open source. Just compiling your own version to verify the binaries was exceedingly difficult.

Lavabit's fate is my worst fear. What TrueCrypt has that no other programs don't is the fact that all the code is out there to be compiled, and unlike other programs, someone has paid $70,000 to audit every single line of the code.

I have used Diskcryptor in the past. However, the audit of Truecrypt code continues, and so far has not revealed any major vulnerabilities. Unless it does so, I see no reason not to continue using Truecrypt?

The cryptic message on their website makes me think that the current devs identities were compromised, and subject to a similar situation as Lavabit.

It would be nice if the TC devs said that the system level encryption was a no-go, and still kept a product that could maintain file/disk encryption, similar to how TC was created initially. That way, once a dev that could work on boot level encryption was found, the feature could be re-added.

In another forum (The Krebs one), there were claims by the SecurStar people about TC having licensing issues, as it also originated from a product called E4M. So, maybe the fact that there were doubts cast on the source code, the auditing, lack of funding, a lot of demands on their forums, and many other items, this might have been the straw that broke the camel's back and the people running the TC Foundation just dropped their cards on the table and moved on to other things. I was worried when I had permission issues when attempting to run TC under Windows 8 and 8.1, no updates were made to address this, so I had to run TC in a VM so I could decode existing containers, while new files went into BitLocker protected .VHD files.

What TrueCrypt brought to the table was the ability to use hidden containers. This way, truly confidential data (business accounts payable/receivable) would be on the hidden volume while decoy stuff (like false spreadsheets) would be on the outer volume. A friend of mine who travels overseas learned to do this when the government on the other side not just demanded his laptop, but demanded all passwords to all E-mail accounts and containers, and refusing to give access was a life sentence in prison. (The way they would give a life sentence was clever. Every time one refused to answer a question, they would get 3-4 years in the slammer. So the interrogator would ask them 20-30 times in a row, tacking on the years each time.)

For Windows, I use BitLocker because it is available, and very easy to deal with. However, for cross platform compatibility, I may end up moving back to Jetico's BestCrypt (a program I used before TrueCrypt was out for both containers and system encryption.) It isn't open source, but it does have hidden container protection.

Another option I might do is look at Symantec's Encryption Desktop (formerly PGP Desktop.) It works on Mac, Windows, and Linux, and offers the only public key protection on data volumes out there. This is an excellent product, but not cheap, although the source code is downloadable.

I did read the Krebs article early on, and he does seem to be accurate in his reporting. Here's a comment I read on Slashdot which appears to support his assumption that the Truecrypt developers may have decided to end the project:

They probably just decided to end the project. My experience is that it has been slowly dieing for a long time. I have been heavily involved with truecrpyt and its source code for many years. I make programs to custom edit the boot screen and otherwise customise TC's appearance. My programs are not forks, rather they edit the actual binary code installed, so that users can easily use it on existing installations. What you have to understand is that truecrypt has added very little functionality for a very long time. In particular they seem to have lost the key developers who did the code in the boot sectors. For those who don't know, along time ago the program was to big to fit into the boot sectors, and a special deflate algorithm was added to decompression the boot sector code. My code to unzip the boot program and edit its string display strings is still the same code from tc 5.0, and it still works on the latest edition. The guys who code this section appear to be long gone from the project, hence absolutely nothing done over UEFI. The changes that have occured look questionable, in that the people making them seem to have very limited assembly understanding and were hacking on bits instead of properly modifing the programs flow. Secondly getting TC to work with operating systems is extremely complicated, especially for windows. It was micorosoft who eventually released the API's that were used to make truecrypt properly handle sleep/hibernate. These API's are not forthcoming to Win8 or beyond, and in all honesty - windows is the only market that matters. I am going to guess that one of the last known developers knows there is a bug that they can not longer believe they have the experience or skill to fix properly, and hence has decided to shut it down.

Source: Slashdot.org.

I don't see where there are any non-proprietary cross-platform solutions. BestCrypt is cross-platform, but proprietary.

I guess it also depends on if you're looking for FDE (full disk encryption) solutions or container solutions since Truecrypt offered both.

Mini wiki war
https://en.wikipedia.org/w/index.php?title=TrueCrypt&action=history

Sure is a fun mystery to watch. Speculation all over the board, the team behind TC were so secretive it makes it difficult to verify anything. Outside influence, or internal team strife, hmmm :h Looking at the DiskCryptor website they seem to only support Windows.

Edit: I liked this write up, just passing it along
http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

Fastfwd75 wrote:
Maybe they got into trouble with the government for not wanting to add a backdoor.

Lavabit had a similar problem when they were asked to hand over the confidential keys to owner's email.
http://lavabit.com

This seems like the most likely scenario given their opposition to proprietary encryption in the past. Recommending BitLocker is about as out of character for the Truecrypt folks as possible, almost as if it's so unbelievable as to be a message. But who knows? No one even knows who the developers are.