TrueCrypt was perhaps one of the best-known and most widely used open source freeware encryption utilities. TrueCrypt was initially released as version 1.0 in February 2004 and was based on E4M (Encryption for the Masses). Several versions and many additional minor releases have been made since then, with the most current and last version being 7.1a, released 7 February 2012.
In June 2013 the world would bear witness to what would be known simply as the “Snowden disclosures” (the implications of these disclosures are discussed elsewhere). How this relates to TrueCrypt is the next focus of controversy: is TrueCrypt secure, or has it been compromised? Questions and unrest began to flourish when TrueCrypt made a public announcement in June 2014, with this dramatic, direct statement:
With a conspiratorial spin, some noted possible veiled messages within TrueCrypt’s ending statement and beyond.
…TrueCrypt is Not Secure As… Explained here.
To put an end to the questions, the TrueCrypt community launched a crowdfunded audit of TrueCrypt, which is managed by the Open Crypto Audit Project (OCAP). As of September 2015, iSEC Partners, Inc (NCC), working for the Open Crypto Audit Project, released the following statement in their Phase 1 Audit Report:
iSEC found no evidence of backdoors or otherwise intentionally malicious code in the assessed areas. The vulnerabilities described later in this document all appear to be unintentional, introduced as the result of bugs rather than malice.
TrueCrypt’s Phase 2 audit has been completed and the initial determination still stands. TrueCrypt appears to be relatively well-written cryptographic software. The NCC audit found no evidence of deliberate backdoors, or of any severe or malicious design flaws that would make the software insecure in most instances. Some of the issues are discussed by Professor Matt Green, but overall everyone’s initial concerns over the software they entrusted with their data were laid to rest.
But now TrueCrypt needs a replacement. Several projects have now stepped up in an attempt to fill the vacuum left by TrueCrypt. So far there appear to be two main contenders. These are:
VeraCrypt. VeraCrypt is a fork of TrueCrypt, based on the TrueCrypt source code, and is gaining in popularity with those who are familiar with the functionality and navigation of TrueCrypt.
“VeraCrypt not only enhances security over the original TrueCrypt through an increased iterations count, but it also solves all the serious security issues and weaknesses discovered so far in the source code.”
The security issues and weaknesses mentioned are those referenced in the OCAP reports listed above, along with various other memory leaks and potential buffer overflows.
CipherShed is free and open source encryption software. It started as a fork of the TrueCrypt Project. CipherShed is still in development and will be available for Windows, Mac OS and GNU/Linux.