Is TrueCrypt still secure?

„The 77-page report (download report mirror: bsi.bund Security Analysis of TrueCrypt 2015-11-16.pdf) found several other bugs in TrueCrypt, but ultimately determined that the software is secure when used for its primary use case. That is, to encrypt data at rest such as on an external hard drive or USB drive. The Institute acknowledged that the bugs uncovered by Google do exist, but they can not be exploited to give attackers access to encrypted data.

If a drive is mounted, the key used to encrypt data is stored in the computer’s memory. That key can be recovered and used to decrypt data at a later time.

Still, the likelihood of a hacker taking advantage of these circumstances is pretty slim. Either the encrypted container must be mounted, in which case the decrypted data is available anyway, or the computer must go into hibernation with the encrypted container mounted. If someone accesses a computer while an encrypted container is open, then that’s game over anyway. Otherwise, users must not allow computers with encrypted, mounted drives to hibernate while an encrypted container is open.“ (src)

successor: VeraCrypt

manpage: veracrypt.man.txt

download it here: https://sourceforge.net/projects/veracrypt/files/

„VeraCrypt is a fork of TrueCrypt and is widely considered its successor. It performs all of the same functions as TrueCrypt and then some. VeraCrypt adds security to the algorithms used for system and partitions encryption. These improvements make it immune to new developments in brute-force attacks, according to developers. You can find a full list of improvements and corrections that VeraCrypt made on TrueCrypt here.

VeraCrypt uses 30 times more iterations when encrypting containers and partitions than TrueCrypt. This means it takes a bit longer for the partition to start up and containers to open, but does not affect application use.

VeraCrypt is free and open source, and it always will be. The code is routinely audited by independent researchers. Because it is, at its core, very similar to TrueCrypt, audits of the original software still apply to VeraCrypt.

VeraCrypt supports two types of plausible deniability–the existence of encrypted data is deniable because an adversary cannot prove that unencrypted data even exists. Hidden volumes reside in the free space of visible container volumes–space which would otherwise be filled with random values if the hidden volume did not exist. Hidden operating systems exist alongside visible operating systems. If an adversary forces you to hand over a password, you can just give them the password for the visible OS.“ (src)

  1. Download a copy of the TrueCrypt binaries from here: https://dwaves.org/2016/02/26/is-truecrypt-insecure/
wget https://dwaves.org/software/truecrypt/truecrypt-7.1a-linux-x86.tar.gz; # if you are running 32Bit Linux

wget https://dwaves.org/software/truecrypt/truecrypt-7.1a-linux-x64.tar.gz; # if you are running 64Bit Linux

sha256sum truecrypt-7.1a-linux*; # generate checksum
# should be 32Bit: 9d292baf87df34598738faef7305cddaa15ea9f174c9923185653fb28f8cfef0 and
# should be 64Bit: 43f895cfcdbe230907c47b4cd465e5c967bbe741a9b68512c09f809d1a2da1e9

tar fxvz truecrypt-7.1a-linux*; # unpack

chmod u+x truecrypt-7.1a-linux*; # make executable

./truecrypt-7.1a-linux*; # execute setup... rest should be self-explaining

[screenshot: installing the TrueCrypt GUI under Linux]

If you then fire up

truecrypt

you should get this GUI:

[screenshot: TrueCrypt GUI]
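
An added example (not part of the original post): a shell script that automates the checksum comparison from the download steps above and refuses to unpack a tarball whose SHA-256 differs from the values listed on this page. The function names are assumptions made for this example. Digests published on the same site as the download detect corruption, not a compromised server.

```shell
#!/bin/sh
# Added example: verify a TrueCrypt 7.1a tarball against the SHA-256
# values listed on this page, and unpack only on a match.

# Expected digests, copied from the checksum comments in the steps above.
SHA256_X86=9d292baf87df34598738faef7305cddaa15ea9f174c9923185653fb28f8cfef0
SHA256_X64=43f895cfcdbe230907c47b4cd465e5c967bbe741a9b68512c09f809d1a2da1e9

# expected_for FILE: print the expected digest for a known file name;
# return 1 for any name this script has no digest for.
expected_for() {
    case "${1##*/}" in
        truecrypt-7.1a-linux-x86.tar.gz) echo "$SHA256_X86" ;;
        truecrypt-7.1a-linux-x64.tar.gz) echo "$SHA256_X64" ;;
        *) return 1 ;;
    esac
}

# sha256_matches FILE DIGEST: succeed only if FILE exists and hashes to DIGEST.
sha256_matches() {
    [ -f "$1" ] || return 1
    actual=$(sha256sum -- "$1" | cut -d' ' -f1)
    [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# verify_and_unpack FILE: unpack only after the digest check passes.
verify_and_unpack() {
    want=$(expected_for "$1") || { echo "no known digest for $1" >&2; return 2; }
    if sha256_matches "$1" "$want"; then
        tar -xzf "$1"
    else
        echo "SHA-256 mismatch for $1, not unpacking" >&2
        return 1
    fi
}

# Process any tarballs given on the command line; stop at the first failure.
for f in "$@"; do verify_and_unpack "$f" || exit $?; done
```

Save it under a name of your choice and pass the downloaded tarball as an argument; a non-zero exit status means nothing was unpacked.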

admin