2015 October

October 2015

Death of TrueCrypt R.I.P.

Those of you in the security industry may have remembered the security issue that came out with TrueCrypt back about 2 years ago when the TrueCrypt team stopped supporting the source code? Well a new researcher with Google just announced a serious security flaw with TrueCrypt that affects the security of the OS that TrueCrypt is installed on. It does not compromise the data contained inside the TrueCrypt vault, but does leave the system vulnerable that TrueCrypt is installed on (for Windows systems only). The full advisory and information can be read on the link below:

http://motherboard.vice.com/read/encryption-program-truecrypt-has-a-critical-vulnerability

The good news is that if strong encryption (AES-256) was used when creating the vaults, the previously created TrueCrypt vaults are all still protected. There is no need to go back and re-encrypt any prior data. The bad news is that we as security professionals should stop using software with known security vulnerabilities since it would require our clients, partners, and associates to use software with known security flaws to read our encrypted data.

The way forward

I have been playing around with VeraCrypt this week, and it is the new open source tool that has replaced TrueCrypt. It is fully supported and there are new releases being made available for Mac, Linux, and Windows. I downloaded the latest stable version of VeraCrypt (version 1.15) for Mac OSX, and installed it on my MacBook Pro.

VeraCrypt 1.15

https://veracrypt.codeplex.com/releases/view/616110

If you want it to be able to open previously made TrueCrypt vaults, and you are running a MAC OS, then you will also need to download and install the latest version of FUSE for Mac OSX. I downloaded and installed version 2.8.1.

FUSE for OSX

http://sourceforge.net/projects/osxfuse/files/osxfuse-2.8.1/osxfuse-2.8.1.dmg/download

Once you have VeraCrypt 1.18 and FUSE for MAC 2.8.1, then you can open VeraCrypt and either create new volumes or even open previously made TrueCrypt volumes (as long as you check the right check box. When you are in the process of mounting previous TrueCrypt vaults, before you click the MOUNT button, first select the box “TrueCrypt Mode” and it will successfully mount the old legacy TrueCrypt file vault. I was able to write new files back to the original TrueCrypt file vault, dismount the vault, and then reopen the vault in VeraCrypt to see the vault still intact with the new files that I added through VeraCrypt.

In my opinion, I believe that VeraCrypt is backward compatible with TrueCrypt, still offers strong encryption, and is now supported by the open source community. You may want to keep the last stable release of TrueCrypt handy just in case you need to use it to open old vaults as a plan B for redundancy purposes, but I don’t see any reason why we can’t move forward with VeraCrypt as our new encryption tool moving forward.

Thanks,

Jonathan