Why people still believe Truecrypt is much better than Veracrypt?

I've seen many people prefer TrueCrypt as a “more trusted” application over VeraCrypt.

There have been multiple cases where they couldn’t unlock Veracrypt volumes.

VeraCrypt has also been audited multiple times.

“the goal of VeraCrypt is not only to fix the public vulnerabilities of TrueCrypt, but also to bring new features to the software. The innovations introduced by VeraCrypt include: …”

Security Assessment of VeraCrypt: fixes and evolutions from TrueCrypt - Quarkslab's blog (2016)

BSI - Bundesamt für Sicherheit in der Informationstechnik - Security Evaluation of VeraCrypt (2021)

Improvements and fixes were made after those reports.

Some attempts were made in VeraCrypt to protect against forensic attacks. See: Passware 2023 version Decrypts VeraCrypt RAM Encryption

TrueCrypt is literally unmaintained. So, if any vulnerabilities are found in the future, everyone will be backdoored forever.

2 Likes

I’ve never encountered anyone making that claim. Where have you encountered people saying this? Do you have a link to the discussion? Is it possible you were reading old discussions? (TrueCrypt was highly recommended for many years, but that was a long time ago; I haven’t seen it recommended for years.)

3 Likes

From Mental outlaw latest video. And probably a lot of 4chan users.

1 Like

Since I’ve jumped into this privacy and security madness, I’ve only heard it called VeraCrypt, granted I’ve only been in this thing for half a decade or so.

I believe Veracrypt forked from Truecrypt about ~10 years ago.

Up to that point, my recollection is that Truecrypt had a reputation at least as good as Veracrypt currently has, basically the gold standard for cross platform encryption, and had been for many years (at least that is my recollection).

But people were understandably confused and lost confidence in TrueCrypt when its developers abruptly and unexpectedly shut it down. The unexpectedness of it, the lack of a clear reason, and the somewhat cryptic and kind of weird announcement of the closure (which some perceived as a veiled warning) led people to feel suspicious and unsure whether the software could be trusted, despite it having just passed the first phase of a crowdfunded audit.

There were many theories as to what happened and why, many people at the time felt the abrupt shutdown was evidence that the developers may have been being leveraged or threatened by a national security agency or the like, and shutdown to avoid having to backdoor or undermine their software. It seemed a credible suspicion (especially at the time, this was right around the time of Lavabit being forced to make a similar choice, and not too long after the Snowden Revelations).

However, to my knowledge that suspicion was never substantiated and no evidence of a backdoor has been found (and both TrueCrypt and VeraCrypt have been audited). Here is an article written at the time that goes into more detail, and here is a Bruce Schneier blog post from back then with lots of links from the time, including articles and a Hacker News discussion.

4 Likes

Hi there Jerm!

I was in a similar position to you as TrueCrypt was working great even after it was shut down. However, Steve Gibson is considered an expert on Truecrypt and he even hosted Truecrypt installers on his site that were 100% secure. He was one of the few sources that could be trusted when you needed to download a Truecrypt installer. However, even he recommends Veracrypt:

https://www.grc.com/misc/truecrypt/truecrypt.htm?ref=linuxandubuntu.com

Also, check out the number of user views on that link: 2,524,886 views

Ah yes, the “This is compromised, let me show you 0 evidence other than my opinion” crowd. A very serious bunch.

1 Like

1 Like

I appreciate your replies!

Steve Gibson has been around for an eternity and his specialty is computer security. I trust him.

Also, it seems like a bad idea to keep using an app that hasn’t been updated since 2014??? 10 years is a long time!

He hosts a security podcast here that’s extremely popular and has been running a long time.

He was hosting a Truecrypt installer that was considered the safest Truecrypt installer online but even he has taken it down because it’s no longer secure.

This is the best user manual and the most trustworthy source I could find for TrueCrypt, but it was released in 2012… :disappointed:

Anyway, I hope it’s of some help if you insist on using Truecrypt.

So literally the dumbest people on the planet.

Wouldn’t consider him an expert. A lot of what he says is pretty dated and stuck in the 90s around some products he sells. What he says or doesn’t say about Truecrypt, is as irrelevant as anyone else as he isn’t a cryptographer nor does his background give him any special knowledge on the topic.

There have been a number of issues with TrueCrypt; the most well-known one that I can remember is the small number of iterations used with RIPEMD-160 in the PBKDF function. The other security-related issues, if I remember correctly, related to the TrueCrypt boot loader.

If you don’t trust VeraCrypt (which has had audits) and are on Linux, why not use LUKS and be done with it? It uses the same crypto code in the Linux kernel as WireGuard, IPsec and other things like that, and uses Argon2 for its key derivation function.

For modern Windows and macOS systems you’re still better off using the respective native encryption Bitlocker, FileVault etc, as both of those make use of the security processors on those platforms.

5 Likes
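An added example (my own PowerShell, not code from this thread, from TrueCrypt or from VeraCrypt) to make the iteration-count point above concrete: the same password and salt run through PBKDF2-HMAC-SHA512 at a TrueCrypt-era count and at a VeraCrypt-era count, plus a rough brute-force cost estimate. The iteration counts (TrueCrypt SHA-512: 1000; VeraCrypt SHA-512, non-system volume: 500000) and the PIM formula (15000 + PIM x 1000) are the published defaults as I recall them and should be treated as assumptions; the password and salt are constructed, not taken from a real volume header.

```powershell
# Added example: effect of the PBKDF2 iteration count on an attacker's cost.
# Assumptions (see lead-in): iteration counts, PIM formula, constructed password/salt.
using namespace System.Security.Cryptography

$TrueCryptIters = 1000      # assumed TrueCrypt default for SHA-512
$VeraCryptIters = 500000    # assumed VeraCrypt default for SHA-512, non-system volume

function Get-HeaderKey {
    param([byte[]]$Password, [byte[]]$Salt, [int]$Iterations)
    # PBKDF2-HMAC-SHA512 -> 64 bytes of header key material (enough for two 256-bit XTS keys)
    $kdf = [Rfc2898DeriveBytes]::new($Password, $Salt, $Iterations, [HashAlgorithmName]::SHA512)
    try { return $kdf.GetBytes(64) } finally { $kdf.Dispose() }
}

function Get-VeraCryptIterations {
    # PIM 0 = default; otherwise 15000 + PIM*1000 (assumed formula for non-system SHA-512 volumes)
    param([int]$Pim = 0)
    if ($Pim -le 0) { return $VeraCryptIters }
    return 15000 + $Pim * 1000
}

function Measure-GuessSeconds {
    # PBKDF2 cost is linear in the iteration count: time a small run, then scale.
    param([int]$Iterations, [byte[]]$Password, [byte[]]$Salt)
    $sample = 2000
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $null = Get-HeaderKey -Password $Password -Salt $Salt -Iterations $sample
    $sw.Stop()
    return $sw.Elapsed.TotalSeconds / $sample * $Iterations
}

# Constructed sample input (not a real volume header).
$password = [Text.Encoding]::UTF8.GetBytes("correct horse battery staple")
$salt     = [byte[]](0..63)     # both projects read a 64-byte salt from the header

$tc = Get-HeaderKey $password $salt $TrueCryptIters
$vc = Get-HeaderKey $password $salt (Get-VeraCryptIterations)
"TrueCrypt-style key: {0}..." -f ([BitConverter]::ToString($tc[0..15]) -replace '-')
"VeraCrypt-style key: {0}..." -f ([BitConverter]::ToString($vc[0..15]) -replace '-')
"Work factor per guess: x{0}" -f ($VeraCryptIters / $TrueCryptIters)
"PIM 485 gives {0} iterations (same as the default)" -f (Get-VeraCryptIterations -Pim 485)

# Worst case to exhaust 8 lowercase letters (26^8 guesses) on 64 cores, on this machine's speed.
$keyspace = [math]::Pow(26, 8)
foreach ($p in @(@{Name='TrueCrypt'; Iters=$TrueCryptIters},
                 @{Name='VeraCrypt'; Iters=(Get-VeraCryptIterations)})) {
    $sec = Measure-GuessSeconds -Iterations $p.Iters -Password $password -Salt $salt
    "{0,-9}: ~{1:N1} days to exhaust 26^8 on 64 cores" -f $p.Name, ($sec * $keyspace / 64 / 86400)
}
```

The two derived keys differ (iteration count is part of the PBKDF2 input), and the estimate is only a scaling of a 2000-iteration timing, so treat the day figures as order-of-magnitude; the point is the fixed 500x multiplier on every guess, which is exactly what the TrueCrypt-era count failed to provide. Requires Windows PowerShell 5.1 on .NET Framework 4.7.2+ or PowerShell 7 (for the HashAlgorithmName constructor).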

I would pick VeraCrypt over Bitlocker anytime.

1 Like

I think the main problem with Bitlocker is that Microsoft provides you with a lot of footguns at every step of the setup process. Very easy to unintentionally upload all your encryption keys to the cloud for example :confused:

I’d probably still prefer it for OS drives, and VeraCrypt for data drives.

2 Likes

Seems like a harsh characterization of Mr. Gibson to me. He has narrow knowledge/expertise when it comes to Windows, HDDs and SSDs. He was one of the pioneers of early Windows security and while the current climate and landscape has changed, his podcast has some value, even if its a bit rambly.

On the other hand, I agree on this.

1 Like

It makes sense to use Bitlocker on Windows for the boot volume as you can use it with your TPM. Just make sure to enable the PIN option. It’s easy enough not to back up the master key to the cloud.

If you’re using Windows you already trust Microsoft to some degree, and having the advantages of the TPM is worthwhile as it is a lot harder to steal the key out of memory than it is with True/Veracrypt.

I’m not really confident about the True/VeraCrypt situation from the possibility of a supply chain attack either. There was also the misstep of adding GOST 28147-89 (not sure why they ever bothered to add that…
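An added example (my own PowerShell, not from this thread or from Microsoft's documentation) of the BitLocker setup the posts above describe: TPM plus a startup PIN on the OS volume, a recovery password printed once for offline storage, and a check that nothing else (and no cloud escrow) was added. Assumptions: drive C:, the policy registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE as I recall them (1 = require, 2 = allow, 0 = do not allow), a Pro/Enterprise edition with a TPM, and an elevated prompt.

```powershell
# Added example: BitLocker on the OS volume with TPM+PIN, recovery password kept offline.
# Assumptions (see lead-in): C:, FVE policy value meanings, elevated prompt, TPM present.
$Mount = "C:"

# 1. Policy: require a TPM startup PIN so that a thief cannot boot to the logon screen
#    and attack the key while it sits in RAM. Values: 1 = require, 2 = allow, 0 = do not allow (assumed).
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord   # TPM-only: not allowed
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord   # TPM+PIN: required
Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 0 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 0 -Type DWord

# 2. Enable BitLocker with a TPM+PIN protector. The PIN is read interactively, never stored here.
$pin = Read-Host -AsSecureString "Startup PIN"
Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 `
                 -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# 3. Add a recovery password and show it exactly once so it can be written down / stored offline.
#    Deliberately NOT running BackupToAAD-BitLockerKeyProtector, which is the cloud-escrow footgun.
$rp = Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector
$rp.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword" |
    Select-Object KeyProtectorId, RecoveryPassword

# 4. Verify: exactly the two protectors we intended, nothing else.
$vol   = Get-BitLockerVolume -MountPoint $Mount
$types = @($vol.KeyProtector.KeyProtectorType)
if (($types -contains "TpmPin") -and ($types -contains "RecoveryPassword") -and ($types.Count -eq 2)) {
    "OK: $Mount protected by TPM+PIN plus an offline recovery password " +
    "($($vol.VolumeStatus), $($vol.EncryptionMethod))"
} else {
    "Unexpected protectors on $Mount: $($types -join ', ')"
}
```

Run `Get-BitLockerVolume` again after the first reboot to confirm `ProtectionStatus` is `On`; a policy-driven PIN requirement also stops later, "helpful" re-enabling of TPM-only mode.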

I did a large study on this whole ordeal, multiple times. Here is what I can say about it.

The takedown of TrueCrypt was indeed very “weird”. I surely wouldn’t rule out the “feds” having something to do with it. It was sudden and with very little explanation.

Not only was TrueCrypt the first really SOLID piece of encryption software that made high-grade encryption accessible to the masses (by accessible, I mean easy to use and cross-platform, not GPG or LUKS Linux-only command line stuff lol), but also the devs tried to be sneaky and anonymous. These two things would make them an easy target for the feds.

The underlying reason why people think VeraCrypt is backdoored or more insecure than TC is that VeraCrypt is left alone, compared to TC, which was (apparently) attacked and shut down, if you believe this story. The image in one’s mind is that they don’t attack things unless they are genuinely good software that they can’t break or backdoor.

I remember reading some stories about a guy who used TC and the police who got him were so upset that they couldn’t break it without the password, and the story was extensive and believable, seemed legit. Just something interesting.

Here is the story, I found the link:

But the VeraCrypt team did things much differently. They have an open team with a proper org and everything, everything is done out in the open. Plus, assuming the TC takedown was feds, I think they know they couldn’t try it again without raising tons of eyebrows. Plus with soooo much encryption software out in the wild now, it wouldn’t do anything good. All these together are why I think Veracrypt is left alone. So essentially, the feds hated TC with a passion, and got it taken down, but now realize that doing so again is futile. That’s my personal consensus.

I put on my tinfoil bias cap when I did my research, I really tried very hard to find any evidence that Veracrypt was unsafe, but I couldn’t find anything other than the timing of Veracrypt’s rise itself, which seems pretty standard given the passion surrounding TC and the need to replace it.

A lot of the reason I gave above was directly from the Veracrypt team, and I agree with them:
https://sourceforge.net/p/veracrypt/discussion/general/thread/bace7ff6/#6237

2 Likes

Okay I did a lot of searching and finally found the MP3 where Steve Gibson talks about Truecrypt:
https://www.grc.com/sn/sn-458.htm

mp3 link: http://media.grc.com/sn/SN-458.mp3

It took me so much time to search through the archives to find this so I hope it helps someone!

1 Like

I have a strong trust in Steve Gibson’s opinion as he’s revered in security circles.

Veracrypt seems like the best choice for the future.

This seems like a great article that sums up between using Truecrypt or Veracrypt:

1 Like

I am having a deja vu:

This was discussed before.

TL;DR: VeraCrypt does not support TPM, so you should use BitLocker. Microsoft is a shitty company, but given you are using Windows you have already put trust in them.

1 Like