TrueCrypt Getting a New Life
TrueCrypt will stay alive, thanks to devotees who are forking the encryption program's code. 'Cleaned up' code will get a new name, CipherShed, and a different open source license.
By Paul Rubens | Posted September 18, 2014
When the developers of TrueCrypt delivered the bombshell that they were abandoning their popular open source encryption program, it left many organizations in a hugely difficult position. Should they continue to use it, or heed the developers' advice that it was no longer secure and switch to another encryption product?
On the face of it, the decision should be an easy one: If the developers of something as security-sensitive as an encryption program say that their program is no longer secure, surely it would be rash not to heed the warning.
But with TrueCrypt, nothing is quite as simple as it seems.
Keep Using TrueCrypt?
So should organizations that have been using TrueCrypt stop using it, as its authors advise?
Mario de Boer, a Gartner security analyst, believes they should - eventually. "Unsupported software eventually leads to issues. However, I don't think there is a reason to rush. At this moment there is no reason to assume there is a major security issue. I also assume that if the audit reveals a flaw, it will be solvable and someone will fix it," said de Boer, who noted he had not yet seen the results of the cryptographic code review.
An obvious solution is for another group of developers with suitable cryptography expertise to fork the TrueCrypt code and continue to maintain and develop it, but it's an option that the original authors are against. One of the authors said in an email: "I don't feel that forking truecrypt (sic) would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypt's current codebase. I have no problem with the source code being used as reference."