Recently, I posted three articles of a four-part series showing how to encrypt an external drive with TrueCrypt on Fedora 20. As-of today, May 28th, TrueCrypt may not be secure after-all.
The truecrypt.org website now redirects to truecrypt.sourceforge.net. A warning is displayed that reads, “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues” and it directs users to alternative encryption packages for Windows, Mac, and Linux.
Ars Technica, Hacker News, and The Register have a good articles, so I won’t repeat everything they’re saying. Initially, it appeared that the TrueCrypt website was hacked. However, in addition to the website updates, new binaries were released that display warnings like INSECURE_APP when users try to encrypt data. The binaries, however, are signed with the developer’s key. In addition, a Wikipedia user named Truecrypt-end attempted to update the Wikipedia page with the same messages, but it was rejected by moderators. TrueCrypt was recently going through an independent security audit, and it passed Phase 1 in April. However, this doesn’t seem to be related.
A thread on r/crypto offers up a couple explanations:
- The website was hacked, and the keys are presumed to be compromised. The last working version is 7.1a and version 7.2 is a hoax/malware/spam
- Something bad happened to the developers (Lava-bit style extortion or major bug/flaw found in code) and this version is legitimate
We’ll have to see how this one plays out.