Time to drop TrueCrypt

The internet community is alarmed. The website of the popular encryption software TrueCrypt was replaced by a vague and mysterious announcement stating that TrueCrypt "is not secure as it may contain unfixed security issues" and recommending to stop using it. The announcement suggests to instead migrate to other disk encryption solutions (e.g. Bitlocker on Windows). There are huge speculations why the unknown TrueCrypt developers took this action and users and experts speculate about possible reasons: Maybe the developers simply do not want to continue the unsalaried work, maybe they have been forced by the US government or maybe their site has been hacked. Regardless of the true reason for this unexpected event: it's a good opportunity to drop TrueCrypt - especially if you are using it to protect your data in the cloud. You want to know why? We can see at least two reasons:

1. TrueCrypt was not built for the cloud era

The initial 1.0 version of TrueCrypt has been released in 2004 - years before the first cloud storage provider opened his doors and Truecrypt was never designed to be used for any cloud storage. TrueCrypt's container files cause a lot of trouble when using them with Dropbox or other similar services:

Containers are large, which makes them hard to sync. Even a marginal change in a small file can cause a full re-sync of the whole big container file.
Collaboration with co-workers on encrypted files in a TrueCrypt container is not possible because it causes sync conflicts.
Files are not available on mobile devices TrueCrypt is - or was - only available for the desktop.

Instead of struggling with a software designed in the pre-cloud era, you should use an encryption solution which was initally built for the cloud and which is optimized to seamlessly work with your cloud storage of choice - Dropbox, Google Drive, Microsoft OneDrive, Box or any other of the plenty providers available.

2. TrueCrypt is not trustworthy (and maybe not really open source)

From the beginning until today, the TrueCrypt developers have stayed completely anonymous and nobody really knows who they are. There might be good reasons for this move (e.g. to hide from a government) but at the same time this leaves a lot of open questions. We here at Boxcryptor are real people with a real office:

Werner-von-Siemens-Str. 6
86159 Augsburg
Germany

You can even talk to us!

A big argument brought up in any discussion about TrueCrypt is that it is an open source software. We agree that security software should be open source whenever possible and that it can be an important way to build trust. But though in general TrueCrypt is described as "open source software", there is the legitimate question if TrueCrypt is really open source. Probably not, at least not 100% of it. The source code may be public, but the build process is so complex and hard that nobody could prove until now that the binary and setup program you can - or could - download from the TrueCrypt website was really built from the publicly available source code. TrueCrypt is not even considered "Open Source" by many of the important Linux distributions, including Debian, Ubuntu or openSUSE.

Even if the source code matches, it is extremely hard to tell if the software is "safe" and does not contain any "unfixed security issues" - regardless of the available souce code. There have been prominent examples that also open source software can contain severe security flaws - even if everybody could theoretically inspect the source code for potential problems: OpenSSL's Heartbleed bug or the random number bug in Debian are just two of them. Currently there is a crowd-funded project "IsTrueCryptAuditedYet" started by popular cryptographers Kenneth White and Matthew Green which raised $70.000 to conduct a security audit on TrueCrypt - because they don't fully trust it.