TrueCrypt is no longer secure. Just ask its makers.
As of May 2014 TrueCrypt’s official website began redirecting visitors to a SourceForge page with the ominous message “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.” For anyone who is not familiar with TrueCrypt these words may barely register, but for a large population of security-minded organizations, analysts, and personal users this announcement was an unwelcome surprise. TrueCrypt was a hugely popular open source freeware application that provided encryption options to protect the data housed on a computer’s disks. Industries that are charged with protecting personal information, including the financial industry, embraced the software enthusiastically. TrueCrypt was a major player in the encryption world, so what happened?
Originally released during the height of Windows XP’s popularity in 2004, TrueCrypt provided a level of encryption features above and beyond the Microsoft operating system’s capabilities. When Windows Vista was released a few years later, Microsoft began offering a built-in encryption tool named BitLocker that satisfied some of the same security needs as TrueCrypt. Microsoft support for Windows XP ended on April 8, 2014, and it’s no coincidence that TrueCrypt support ended a month later. In fact, the TrueCrypt download website (http://truecrypt.sourceforge.net) officially cites newer versions of Windows offering integrated support for encrypted disks as a reason software support was terminated.
A story like this normally doesn’t cause any waves. After all, TrueCrypt was a freeware application built and maintained by a largely-anonymous team of volunteers. This type of project is abandoned all the time, often without any fanfare. The difference with TrueCrypt is it worked well and had a loyal following. Despite Windows XP’s retirement, TrueCrypt remained popular among users of more recent Windows versions. That popularity fueled speculation as to why its makers abruptly pulled the plug on an application still riding high on a swell of support. One popular conspiracy theory suggests TrueCrypt developers shuttered the program to prevent the NSA from compelling them to disclose encryption weaknesses; after all, infamous NSA-leaker Edward Snowden was a vocal TrueCrypt advocate. A more realistic theory is that TrueCrypt was a victim of its own success. Many users did not consider TrueCrypt as merely a high quality free option, but as the best encryption solution on the market. As the user base continued to grow, so did the potential for a high-profile hack (and subsequent public backlash). Individuals and businesses relied on the software to protect sensitive information. If that protected data had been compromised, TrueCrypt’s users might have become litigious. In short, a wonderful hobby had turned into a high-pressure job – one for which the developers did not get paid.
It is important to note that there was no news of any major flaw in TrueCrypt encryption, so the security of the software as of the date of the last release remains intact. However, like any other software available, its security is only as strong as the most recent update. The simple fact that TrueCrypt will no longer be updated to fix bugs or address security holes means the software can no longer be considered secure. While current TrueCrypt users should plan to replace their encryption solution soon, the lack of a widely known exploit means data protected by TrueCrypt remains secure for now.
If you were a TrueCrypt user, then you must now choose a replacement solution based on your financial institution’s specific needs. This period of transition is an opportunity to reassess which devices require encryption. As a general rule, if a device is portable – like a laptop – and likely to leave the protection of the network, then it should have some level of encryption. Depending upon your financial institution’s information security policy, some stationary devices may require encryption as another layer of security to protect especially sensitive data. The following is a brief description of the encryption options available:
Full Disk Encryption (FDE): Protecting the entire disk on a computer provides the most comprehensive level of security by protecting all files contained on the computer, including the boot partition and temporary files. Generally, FDE solutions require a passphrase or PIN be entered each time a device is powered on – if the appropriate submission or key is not entered, then all files on the disk remain unreadable and Windows will not start. If a user forgets or misplaces their passphrase, PIN, or token, then this FDE protection has the potential to cause data loss or lost productivity during recovery efforts. Critics also note that FDE products cause unnecessary processing overhead. However, performance degradation should be well less than 10% with proper configuration. This aspect of FDE solutions is most concerning for older laptops with slower processors and less available RAM. Microsoft’s BitLocker is classified as a full disk encryption solution and is built-in for devices running the premium Windows Vista and Windows 7 Ultimate or Enterprise editions. This feature is also available for Windows 8 Pro devices. If your devices are not running an operating system with BitLocker, or simply require additional management features, there are a variety of third-party offerings available for purchase. Of these, Symantec’s PGP Whole Disk Encryption is perhaps the best known and most widely used.
File Level Encryption: While not as all-encompassing as using an FDE solution, File Level Encryption is typically lighter weight and less intrusive. File Level solutions protect individual files or folders rather than the entire disk. This requires less processing overhead for the computer, but the tradeoff is generally greater administrative overhead in order to configure and maintain this security feature. There is also a risk that sensitive data may be written to an unprotected folder, potentially leaving it open to exposure should the device become compromised. While there are third-party tool available to provide File Level Encryption, Microsoft offers an integrated tool names Encrypted File System. This feature can be managed at the individual workstation level or more widely enforced through group policy, but configuring EFS widely is no simple task. Financial institution administrators that wish to implement EFS should consider 3rd party software or services that provide a layer of enhanced central management capabilities. As an added bonus, third-party encryption services may also provide supplementary features that remotely disable laptops or lock down data on devices reported as lost/stolen.