Is TrueCrypt Audited Yet? NO.

It is used all over the world by people who consider their data to be properly encrypted. Unfortunately I cannot recommend it, as the project has never been audited. There is a campaign to make this happen.

Along with the strange license and the (understandable) lack of public profiles for the creators, we simply have no idea whether the software works as claimed. I think the license review is a reasonable goal, as all it requires is a proficient license attorney to look it over. The need for a verified repository can also be met with reasonable resources. The actual crypto audit, on the other hand, could cost a bit of money. I encourage you to donate to the project so that a professional crypto audit of TrueCrypt can happen as soon as possible.

I’m not sure why the TrueCrypt project hasn’t supported a deterministic build platform, but we need to see that before the software can be trusted. How can we know what is going on if we can’t confirm that the distributed binaries were actually built from the published source? As mentioned, this is a precondition for everything else that needs to be done.
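As an added illustration of what a deterministic build buys you (this is example code written for this post, not TrueCrypt's build system): a toy "build" packages a constructed source tree, showing how the build machine's clock leaks into the artifact and how pinning every varying field lets two independent builds produce byte-identical output that can be compared by hash.

```python
"""Toy deterministic-build check: the 'build' is a gzipped tarball of a
constructed source tree. Archive metadata (gzip header timestamp, tar
entry mtime/ownership, traversal order) is a classic nondeterminism source."""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile


def make_source_tree(root):
    """Write a small fake source tree (constructed sample input)."""
    os.makedirs(os.path.join(root, "src"), exist_ok=True)
    with open(os.path.join(root, "src", "main.c"), "w") as f:
        f.write("int main(void) { return 0; }\n")
    with open(os.path.join(root, "README"), "w") as f:
        f.write("toy project\n")


def build(root, build_time, reproducible):
    """Package root as .tar.gz and return the bytes.

    build_time stands in for the build machine's wall clock. The naive
    mode leaks it into the gzip header; the reproducible mode pins the
    header time and every tar entry's mtime/uid/gid/owner names."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # fixed traversal order regardless of filesystem
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                info = tar.gettarinfo(full, arcname=os.path.relpath(full, root))
                if reproducible:
                    info.mtime = 0
                    info.uid = info.gid = 0
                    info.uname = info.gname = ""
                with open(full, "rb") as f:
                    tar.addfile(info, f)
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb",
                       mtime=0 if reproducible else build_time) as gz:
        gz.write(tar_buf.getvalue())
    return out.getvalue()


def builds_agree(build_times=(1_400_000_000, 1_500_000_000)):
    """Build the same tree at two 'times'; return (naive_match, pinned_match)."""
    with tempfile.TemporaryDirectory() as root:
        make_source_tree(root)
        naive = {hashlib.sha256(build(root, t, False)).hexdigest() for t in build_times}
        pinned = {hashlib.sha256(build(root, t, True)).hexdigest() for t in build_times}
    return len(naive) == 1, len(pinned) == 1
```

`builds_agree()` returns `(False, True)`: the naive build cannot be matched against a published hash because each run differs, while the pinned build lets anyone rebuild from source and compare digests.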

There are some alternative TrueCrypt implementations. Check out the Tomb project. They have separated the key from the container and support cool things like steghide. It is also open source and easy to review and build, so you know exactly what’s going on.

If you are using TrueCrypt you may want to consider switching encryption software.
