TrueCrypt has shut down: Alternatives

By DrJBHL on May 31, 2014 9:41:02 AM from JoeUser Forums

Because MS has ended support for XP (unless you’re the IRS), the devs of TrueCrypt have ended development of its software. When this notification came out, the wisely suspicious of hackers surfaced, but it’s true…TrueCrypt is dead. You can still get it, but it’s digitally signed with the warning (SourceForge). It will allow you to decrypt your encrypted files/disk, but you won’t be able to encrypt new files. The warning has instructions on how to move to MS’s BitLocker services.

There are alternatives. One is PGPDisk (Symantec $110).

Free tools? DiskCryptor, Tomb, and a list you can obtain here.

You can also use the integrated support for encryption in Vista, 7, and 8.

So…if you’re using TrueCrypt, whether “the end” is true or false, you should probably migrate to another encryption software.

Source:

http://securitywatch.pcmag.com/security/324131-truecrypt-shut-down-what-to-use-now-to-encrypt-your-data

15 Replies

May 31, 2014 3:06:54 PM from Elemental Forums

TrueCrypt was about providing a safe alternative that you could be reasonably sure NSA and cronies hadn't touched. Why would they recommend bitlocker? Makes no sense to me.

May 31, 2014 3:41:21 PM from JoeUser Forums

My system is encrypted with TC already.  Would it not continue to function and be adequate as long as I have the password?  I'm not clear why I would need to change to something like DiskCryptor, unless what TC's announcement means is that my existing encryption is vulnerable.

Reviewed the tute video on DiskCryptor, BTW, and it's actually an easier setup than TC was.  If I were to decide to change to DiskCryptor, I assume the system would need to be decrypted first.

 

Thanks for the post, Doc.

May 31, 2014 3:42:29 PM from WinCustomize Forums

Quoting Heavenfall,

TrueCrypt was about providing a safe alternative that you could be reasonably sure NSA and cronies hadn't touched. Why would they recommend bitlocker? Makes no sense to me.

 

yeah, their farewell message is so absurd that it looks suspicious.

i'd rather recommend to use the previous version of TrueCrypt and avoid updating. it is probably too secure for its own good. :/

May 31, 2014 3:50:34 PM from WinCustomize Forums

Quoting Daiwa,

My system is encrypted with TC already.  Would it not continue to function and be adequate as long as I have the password?  I'm not clear why I would need to change to something like DiskCryptor, unless what TC's announcement means is that my existing encryption is vulnerable.

Reviewed the tute video on DiskCryptor, BTW, and it's actually an easier setup than TC was.  If I were to decide to change to DiskCryptor, I assume the system would need to be decrypted first.

 

Thanks for the post, Doc.

Welcome.

You can still get it, but it’s digitally signed with the warning (SourceForge). It will allow you to decrypt your encrypted files/disk, but you won’t be able to encrypt new files.

May 31, 2014 4:04:56 PM from JoeUser Forums

My question wasn't clear.  As long as I don't update to the new version of TC, my existing TC encryption should be unaffected should it not?  Does the warning apply only to version 7.2 or to all versions of TC?  In what I've read, some seem to be generalizing the warning, some not, but this appears to be based on assumption not fact.

May 31, 2014 4:09:41 PM from JoeUser Forums

Quoting moshi,
it is probably too secure for its own good.

That crossed my mind, too, moshi.

With medical information, so-called PHI, I'm required by the feds to use encryption that is unbreakable... except by them, apparently.

May 31, 2014 4:45:19 PM from JoeUser Forums

Reviewing the SourceForge TrueCrypt page (how to migrate an encrypted volume/drive), it certainly implies that all versions of TrueCrypt are not secure (otherwise, why would migration be necessary?), but doesn't explicitly declare that to be the case.  Sad that we're left to puzzle that out.

My guess is the feds would consider TrueCrypt to be 'inadequate' now in the event of an audit, whatever version, but damn, the process of decrypting & re-encrypting is a pain.

May 31, 2014 6:49:45 PM from WinCustomize Forums

I think it isn't secure...or won't be shortly...

I would think at least to avoid the Federal idiocy you could ask them which is ok for use, since TC has crapped out, no? 

May 31, 2014 10:39:08 PM from Stardock Forums

Worth noting that the TrueCrypt security audit is going to proceed regardless. So it should be known before too long if there really is some major issue that is not feasible to fix, or if it would be practical for someone else to fork or take over the project.

 

My guess is the feds would consider TrueCrypt to be 'inadequate' now in the event of an audit, whatever version, but damn, the process of decrypting & re-encrypting is a pain.

Do the HIPAA rules actually specify acceptable ciphers and key lengths, key management requirements, etc.? In the financial world the big one is GLBA, which only stipulates that measures must be planned, documented, and implemented to protect NPI but does not specify what those measures need to be.

Though even if there isn't a strict requirement, if there is a known vulnerability (there isn't at this point) that you are disregarding, that could be a civil liability should a breach occur. I'd expect that any vulnerability that does exist would be in the realm of key strength or security, since they are using standard ciphers.

May 31, 2014 11:56:08 PM from JoeUser Forums

The HIPAA rules are like GLBA (it appears):

“A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information.” (45 CFR § 164.312(a)(2)(iv))

While the Feds don't specify which OS's are acceptable, the OS must be regularly maintained with security updates & patches to remain HIPAA & HITECH compliant.  Which is why we had to replace all our XP workstations in March.  My suspicion is that if the encryption software is abandoned by its developer, we might face a similar 'non-compliance' issue.  Only matters if audited or breached, but penalties are ridiculous if they decide (after the fact, of course) that you should or could have taken steps to mitigate the risk and didn't.  Not clear to me what the risk is yet, so I'm going to let the dust settle a bit & review the issue in due time with the tech who maintains our network & machines.

June 1, 2014 12:15:15 AM from JoeUser Forums

On a slightly OT note, CMS has a 'helpful tool' for use as a sort of template for conducting a security risk analysis for practices using EHR's, which all covered entities are required to do annually.  I downloaded and started through the assessment.  After an hour and a half of mind-numbing questions on all sorts of minutiae (Have you created an action plan for a lightning strike within 200 yards of your facility?  And distributed it to all appropriate personnel?  Had them review and sign off on the plan?  Designated a Responsible Party to initiate and implement the plan? You get the drift.) I glanced up at the progress bar & saw I was only half way through.

I got up, called my dentist and asked for an emergency root canal.  So I'd feel better.

June 7, 2014 4:05:18 PM from JoeUser Forums

June 7, 2014 4:48:53 PM from WinCustomize Forums

While it's still ok to use, it won't let you encrypt new files.

Also, as time goes on, it will become less secure. I believe it's better to find something reliable now, since your real concern is the security of the patients' data.

June 7, 2014 5:56:25 PM from JoeUser Forums

7.1a still encrypts.  I think it's reasonable to wait & see what the audit reveals before switching.  YMMV.

DiskCryptor looks like a really good alternative, but the process of creating the bootable LiveCD prior to encryption is a bit over my head and I'm not what you'd call a novice (not to mention requires media not available to me).
