TrueCrypt is Not Secure; Use BitLocker or FileVault Instead



Yesterday, TrueCrypt started warning users that its software is no longer secure and urged them to migrate to BitLocker (Windows) or FileVault (Mac) as soon as possible. According to the notice, TrueCrypt development stopped after Microsoft ended support for Windows XP, since later versions of Windows offer BitLocker as an integrated option.

Here’s the warning, displayed on TrueCrypt’s SourceForge page (TrueCrypt’s own site now redirects there as well):

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

If you are currently using TrueCrypt, you should switch to BitLocker or FileVault as soon as possible. Migrating means decrypting the data out of your TrueCrypt volumes and re-encrypting it with the new tool: follow the instructions in our post on enabling encryption for client files, or check out the step-by-step tutorials on TrueCrypt’s SourceForge page.

Note that if you use Windows, you may have to upgrade your edition. BitLocker is only available on the Ultimate and Enterprise editions of Windows Vista and 7, and on the Pro and Enterprise editions of Windows 8.
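For readers who want to check the edition and TPM requirements and then turn BitLocker on in a controlled way, here is an added PowerShell example. It is not from this post, from TrueCrypt, or from Microsoft’s migration tutorial; it assumes an elevated PowerShell session on Windows 8 Pro/Enterprise or later (where the BitLocker and DISM modules ship), a TPM that is already ready for use, and a placeholder path `$KeyFile` on a removable drive you keep offline. It writes the recovery password to that file instead of escrowing it to an online account, so you decide where the key lives.

```powershell
# Added example (not code from the post, TrueCrypt or Microsoft).
# Run as Administrator. Assumes: Windows 8 Pro/Enterprise or later,
# a ready TPM, and that $KeyFile points at an offline removable drive.

$KeyFile = 'E:\bitlocker-recovery-C.txt'   # assumed placeholder path
$Drive   = 'C:'

# 1. Edition check. Home/Core editions have no BitLocker module, so this
#    fails early instead of halfway through the procedure.
$edition = (Get-WindowsEdition -Online).Edition
if (-not (Get-Module -ListAvailable -Name BitLocker)) {
    throw "BitLocker module not available on edition '$edition'; upgrade the edition first."
}

# 2. TPM check. Without a TPM you need a startup password/key protector and
#    the matching Group Policy setting; this script only handles the TPM case.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; use a password/startup-key protector instead.'
}

# 3. Record the current state before changing anything.
$vol = Get-BitLockerVolume -MountPoint $Drive
"Before: ProtectionStatus={0} VolumeStatus={1}" -f $vol.ProtectionStatus, $vol.VolumeStatus

# 4. Enable encryption with a recovery-password protector first, so a
#    recovery path exists before the TPM protector is added and the
#    machine is rebooted. -UsedSpaceOnly keeps a fresh migration fast.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod Aes256 `
        -UsedSpaceOnly -RecoveryPasswordProtector -SkipHardwareTest
    Add-BitLockerKeyProtector -MountPoint $Drive -TpmProtector | Out-Null
}

# 5. Save the 48-digit recovery password locally. Treat this file like the
#    drive itself, and never leave it on the volume it unlocks.
$rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
@(
    "Computer:         $env:COMPUTERNAME"
    "Volume:           $Drive"
    "KeyProtectorId:   $($rp.KeyProtectorId)"
    "RecoveryPassword: $($rp.RecoveryPassword)"
) | Set-Content -Path $KeyFile

# 6. Confirm which protectors exist. For this setup you should see exactly
#    one Tpm and one RecoveryPassword protector and nothing else.
(Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

If the Windows setup wizard or the Control Panel offered to save the recovery key to your Microsoft account and you accepted, the same 48-digit password also exists on Microsoft’s side; this script cannot detect that, so decide up front where you want the recovery key stored and decline the online option if you do not want it there.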

(Thanks, William Chuang, for reminding me about this today!)


  • Mark Lyon

    This is a misleading article given the current state of what’s known. The recommendation to use BitLocker is a particularly bad one, and is what is causing many to speculate that the TrueCrypt “alert” is a result of a forced turnover of the private key used to sign the code. Microsoft’s proprietary, closed-source tool (available only on select versions of their OS) is not the answer. Recent information about their level of coziness with the US Government is certainly sufficient to suspect an intentional method to circumvent BitLocker. If you’re not running on a domain, it also uploads a copy of the key to Microsoft’s servers for added convenience.

    At the moment, I don’t have a firm position on an alternative, though there are some options worth considering. I do hope to see a fork of TrueCrypt and a continued audit of the 7.1a codebase.

    • Which part is misleading? There’s no indication that the notice was faked, which means that according to the developers, TrueCrypt is not secure. That means it’s time to find something else. And while you can argue that BitLocker isn’t secure enough to be the alternative, misleading is the wrong word. It may be bad advice to recommend BitLocker, in your opinion, but that is also the advice of the TrueCrypt developers, after all, and that ought to be worth something.

      In any case, it’s not misleading; you just don’t agree with it.

      As far as BitLocker goes, I think people have to judge for themselves whether the possibility that Microsoft has given the NSA a back door is a dealbreaker. It’s not for me, but it’s certainly a valid reason to look elsewhere for an encryption solution.

      • Mark Lyon

        It would be more accurate to provide context around the announcement and the potential reasons this notice may have appeared at this time. There is a reasonable case to be made that this declaration of insecurity is one of the few ways for the anonymous team of developers to protect users from future versions if they were forced to hand over the private key used to sign the code.

        • Well I’ve featured your comment, so you’ve effectively done that yourself. Thanks!

      • I agree with Mark on this. From discussion I’ve seen on Hacker News and other IT forums, no one trusts BitLocker. I wouldn’t use it for anything that needs to be secure. At this point people are best off just sticking with TrueCrypt 7.1a (last secure audit) until something new springs up from the Open Source community.

        • UncleBiscuits79

          Ok, I have to ask. Why does no one trust BitLocker? I have read forums too, and everyone thinks there is a back door in the software (the belief of which is totally unfounded imo) but I can’t see how TrueCrypt wouldn’t have the same suspicion. In fact, couldn’t you suspect an NSA backdoor for ALL encryption software? When does it end?

          After looking at the big picture here, I happen to feel better about BitLocker, given that large corporate clients use it (including the large HR outsourcing company I work for), and large corporate clients do get access to the source code. Could you imagine the HELL Microsoft would catch if anyone was able to actually find a backdoor in software that corporations use to protect their data? Leaves Microsoft with a lot of accountability. Let’s be real, BitLocker was really designed and marketed for corporate clients, not the average tech-savvy guy at home. That’s why it’s only included in Pro and Enterprise versions of Windows. Basically, Microsoft CANNOT afford a scandal like that.

          I don’t feel as good about TrueCrypt, a program that was created by two ANONYMOUS guys probably in a garage in Russia somewhere (who knows, they could work for the Taliban or be part of NSA itself for all we know, but that’s the point though, NO ONE KNOWS WHO THESE GUYS ARE).

          Does anyone really know if what we are using is actually EXEs generated from the source code provided? Is anyone out there savvy enough to be able to look at the code and know that it’s not bogus, weak, or broken (I do know that a review is in progress now)? NO ONE currently knows if TrueCrypt is actually legit or not. That is the problem. The creators of TrueCrypt are NOT accountable for their product because they are ANONYMOUS!!

          • Mark Lyon

            Microsoft is rather explicit that if you use BitLocker without being connected to a domain, the keys for your volumes are backed up to Microsoft’s servers. With closed-source applications, there’s no opportunity to audit or verify how the system works. With open-source tools, it is possible to “look under the hood” and see what’s happening. Granted, a proper evaluation requires someone with far more expertise than most users will have, but the possibility of an audit still exists.

            Fortunately, the TrueCrypt 7.1a audit will continue. A good result from that effort may help work toward a new branch of development (or spur fresh development of TC-compatible tools with replacement features). With the amount of money raised for the audit, I suspect a similar fundraising effort could help create a new tool as well.

            The efforts of the developers to remain anonymous are seen as reasonable in light of the context in which the development took place. With the US and other governments restricting development of encryption, it makes a lot of sense to minimize one’s exposure.

            • UncleBiscuits79

              Hi Mark. Thanks for your input. But can you please provide a source for the statement that you made concerning:

              “Microsoft is rather explicit that if you use BitLocker without being connected to a domain, the keys for your volumes are backed up to Microsoft’s servers.”

              I find this troubling, yet I have been trying to do my due diligence to find information confirming that, but I can’t find where Microsoft explicitly says that as you noted. When you create a volume, you are given the OPTION to back up keys to your Microsoft account, something that I never do (I just save the file offline, encrypt with AES using PGP and then upload to my Dropbox in case I ever need it). The company that I work for is on a domain and BitLocker keys are indeed backed up to a secure server on the network.

              On the rest of your comments I agree to an extent about the anonymous developers. Regardless of why the developers want to remain anonymous, if for noble reasons or not, I think it has the side effect of removing accountability for the software that is being made.

              Also, I find it troubling that governments and other organizations are trying to restrict and undermine encryption. I mean, people go out of their way to secure their cars, houses, and children, but will just leave their tablet computer open so anyone can go through it. Really funny if you ask me. EVERYONE should use encryption, but most people don’t, and that troubles me too.

              • Mark Lyon

                Of course. Take a look at the 8.1 update notes:

                “…device encryption is enabled automatically so that the device is always protected. The following list outlines the way this is accomplished:

                … If the device is not domain-joined a Microsoft Account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to online Microsoft account and TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key using their Microsoft Account credentials.”

                • UncleBiscuits79

                  Hmm, this is an interesting read, Mark, and I stand corrected, but it seems that this automated encryption is only done in a VERY particular set of circumstances that you can control.

                  I haven’t seen this or had to deal with this at my organization. For one, most of our computers are on our domain, but we do have a few that aren’t and those have 8, not 8.1. They also don’t have TPMs, aren’t typically clean installs (we usually use drive images), and don’t have a Microsoft account set up on them.

                  My own computer does have 8.1, but I actually started with Windows 8 and then updated later, does not have a TPM, and does not have a Microsoft account associated with it (this is not required to run a Windows 8.1 machine). My machine definitely didn’t kick off encryption and key uploading automatically – you have to specifically tell BitLocker to upload the key to their servers if you want, but I will definitely watch for that as I am working with other PCs at my job.

                  While it does irritate me that encryption could automatically be enabled on a system that I am setting up for someone, I don’t think this is some sort of subversive method for MS to have access to or keep control of data.

                  • UncleBiscuits79

                    But now that I think about this more, I guess there are some broader implications with allowing MS to cache your pass keys. I guess it would just give the State/law enforcement another way to obtain your data (supposedly with a warrant). I guess now if you refuse to give up your password for a drive to the courts in litigation (I am not sure if there is a precedent for the courts to be able to force that out of you, fifth amendment and all), they now have another avenue to get that key.

                    I guess the moral here is to MAKE DAMN SURE you are not uploading keys to a third party ‘escrow’ unless you really, REALLY trust them.

    • If they were forced to hand over their key then I guess they weren’t very anonymous. But I have to admit that TrueCrypt’s recommendation of BitLocker was a little weird considering it doesn’t have a good rep among crypto experts.
      While this entire issue is a little above my tech pay grade I did notice the timing of this announcement coming as a group was working on an audit of the crypto side of the code. Some have theorized that the entire program might have been a government operation with a built-in back door (which gov’t? Who knows.)

      There is no way to know anything for sure, however, I think it points to a larger issue for us all to keep in mind in selecting our tech setup. Is it really wise to trust any of our confidential data or critical systems to anonymous, open-source or quasi-open-source projects?

  • Great discussion, guys. I’m going to have to look into BitLocker or an alternative.

  • Michael

    Thanks, Sam. Despite what TrueCrypt’s own developers have said, they don’t necessarily have the last word regarding its security. Veteran security researcher Steve Gibson offers his analysis and unambiguously declares “Yes, TrueCrypt is still safe to use.”