TrueCrypt is a discontinued source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file or encrypt a partition or the entire storage device.
Since TrueCrypt is dead, what is the purpose of auditing it?
Is there an official team that is ready, willing and able to take over maintenance and development?
If anything should be audited I would think it should be one of the forks.
But the author makes the following comment on the other thread:
----------------------------------
Also: speaking in no "official" capacity whatsoever, I'd advise you to stay away from the forks of Truecrypt.
Unless something new has come to light since last I looked, the licensing situation on the TC code is weird:
http://lists.freedesktop.org/archives/distributions/2008-Oct....
... which means there is a pretty strong disincentive for people with serious crypto and systems expertise to invest their time and energy building on it. You don't want to trust crypto platforms with built-in adverse selection problems.
---------------------------
So the forks have issues and the main project is dead??
But we needz more money to audit it more?
I am also unclear what the first expensive audit accomplished if it did not cover encryption. Sounds like having an inspection on a house that covers part of the roof and two rooms and nothing else like the foundation. Does anyone have a link to the original campaign to raise money?
Where do you see them asking for more money? They talk about how they're going to make what they have last longer, but they don't ask for additional donations.
> Since TrueCrypt is dead, what is the purpose of auditing it?
To access existing volumes. All my backup CDs were TC encrypted.
And I haven't found a replacement that is all of easy to use, stable, and cross-platform. New encrypted volumes I make are LUKS but the Windows FreeOTFE is even deader than TrueCrypt. It still works, mostly, but could be a lot better.
If someone needs to access existing TrueCrypt volumes in order to migrate data, I don't see how the audit helps since the only way to get the data is to use TrueCrypt.
I guess the alternative is to just lose all the data.
If the audit found any problems then it would most likely mean that further use was problematic, not that migrating existing volumes was problematic.
> Since TrueCrypt is dead, what is the purpose of auditing it?
It makes sense to audit the common ancestor rather than a single one of the derivatives because you'll cover more bases. If TC is found to have a critical vulnerability then you'll know all forks have the problem. If one fork is found to be vulnerable then you'll need to figure out whether it's a TC vulnerability or some subtle dependency on the new code.
> Since TrueCrypt is dead, what is the purpose of auditing it?
Because people still use it. There are no good, cross-platform alternatives at the moment. And even though they said it "might" have vulnerabilities, none have ever been found despite the project being open-source. So yeah, it's a great thing that the audit is still going ahead.