Following the sudden and bizarre announcement that the popular encryption software Truecrypt ‘may contain unfixed security issues’, and the equally bizarre recommendation by the Truecrypt developers to use Microsoft’s Bitlocker (a source of much derision among security professionals, who assume it must be backdoored by the NSA), there has been a great deal of speculation as to, first, why this has happened and, second, what to use as a replacement if Truecrypt is indeed compromised. The most common theory to explain the announcement is that the TC devs were put in the same impossible situation as Lavabit – pressured to install a backdoor into the software, the project leaders chose to shut it down rather than give in to the US government’s demands, and in TC’s case the recommendation of software presumed to be insecure is a coded message of some sort.
Alternatively, it could be that an ongoing audit of the TC code had found multiple vulnerabilities and, faced with the exhausting prospect of fixing them, the developers decided to throw in the towel instead. That explanation, though, does not account for the recommendation of Bitlocker.
As to the second question, there does not appear to be much trusted open source software that could replace Truecrypt – proprietary, closed-source software must be presumed insecure, since its code cannot be audited. One option might be Tomb, written by Jaromil of the excellent dyne.org.
“Tomb aims to be an 100% free and open source system for easy encryption and backup of personal files, written in code that is easy to review and links commonly shared components.”
Tomb does not appear to be especially complicated to set up; however, it is definitely less user-friendly than Truecrypt, and unlike TC it does not run on Windows machines. The advice from the website is:
“…we strongly encourage people in need of strong encryption to not use Winslows, or at least to not generate encrypted partitions with it, since it can contain backdoors in the random number generation…”
Meanwhile we await more details to fill in the background on the Truecrypt announcement…