You’ve no doubt seen the press by this point. The TrueCrypt developers updated their SourceForge website with a somewhat cryptic note, “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”, but provided no other explanation. They also recommended moving to BitLocker for any needs that TrueCrypt would previously have fulfilled. The developers tied the end of support to the termination of Windows XP. All of this caught the attention of all sorts of people, security pros as well as general industry types. At the same time a version update, 7.2, removed all functionality other than the ability to decrypt existing volumes or drives. After the initial flare there have been no further communications from the TrueCrypt developers on the subject, leaving all of TrueCrypt’s fans to speculate wildly in the vacuum that's been left unfilled.
But what does all this mean to those of us who must continue on in a world where TrueCrypt’s future is uncertain? The use of this toolset is widespread, as it solves a significant number of encryption challenges in a neat, tidy package. It’s easily distributed given its open source heritage. It handles encrypted volumes and disk encryption, to point out a few of the more popular features that had, and still have, many organizations as large as Amazon.com using TrueCrypt.
There are alternatives, but finding one that has similar versatility at the same price point and ease of distribution that TrueCrypt brought to the table is challenging. 7-Zip, BitLocker To Go, WinRAR, and PGP are a few alternatives and there are many others, but each has its limitations. How to handle this revelation comes down to your firm’s concern for the claim that TrueCrypt is indeed somehow vulnerable, which ties to the risk appetite of the firm, and ultimately what clients are willing to accept.
A new group of developers and interested persons has picked up TrueCrypt, vowing “TrueCrypt must not die”, and moving the software to Switzerland. The last fully functional version, 7.1a, may be found at their new site. There’s not much else to go on at this point, so having alternatives identified for the foreseeable future is important. If a client decides they do not want to use TrueCrypt, proffering an alternative certainly helps keep compatibility working between and across organizations.
Recently, a cross-functional group from ILTA came together to discuss this topic and some of the things they are seeing in their firms. Check out the podcast to hear insight from members of the Litigation and Practice Support Group and LegalSEC on how a few firms are dealing with this concern today.