A while back, I explained why I believe that BitLocker is better than TrueCrypt when it comes to hard drive encryption. An article in the German print magazine C’t inspired me to add one more argument to the debate. It is about the question of whether TrueCrypt is a trustworthy encryption solution.

After the revelations of Microsoft’s role in the PRISM surveillance program, I guess many security-minded IT pros began to wonder if they should still trust Microsoft’s encryption solutions and if the Open Source tool TrueCrypt might be a safer option.



I am not really known as an Open Source enthusiast, but even I was surprised when I heard about the results of the C’t magazine inquiries (2013/16, p. 118-119) regarding the trustworthiness of TrueCrypt. It is one of the mantras of the Open Source movement that the community guarantees the security of free software by relentlessly inspecting the source code for vulnerabilities and backdoors.

Whereas I had my doubts that this is always true for relatively unknown Open Source software, I assumed that at least the popular tools, such as TrueCrypt, are safe because the community is big enough to ensure that the code is clean.

I am not talking about common security holes like the FireWire attack or the Stoned hack. Implementation flaws happen to the best developers and can even make encryption schemes vulnerable that have been mathematically proven secure.

What surprised me most in the C’t article is that it is unclear who is really behind TrueCrypt. The truecrypt.org domain was registered to dubious postal addresses in different countries and now belongs to TrueCrypt Developers Association LC, a letterbox company in Nevada. The digital signature of TrueCrypt 7.1a is owned by the TrueCrypt Foundation and is expired. Not really trustworthy—at least questionable—for a security solution, if you ask me.

Some Open Source supporters argue that you can always check the source code if you have doubts about the trustworthiness of the software. However, in practice, this is not really a realistic option for the average IT pro. You have to rely on people who are blessed with a lot of time.

The Ubuntu Privacy Remix Team had the time in 2011 and analyzed TrueCrypt 7.0a. They didn’t find backdoors, and their only criticism was that the key files were not well protected. However, this can only be considered as a random sample. How often is someone willing to invest that much time and take such a close look as did the Ubuntu team? But there is another, perhaps bigger, problem.

How can you be sure that the downloadable binaries are based on the publicly available source code? The geeks at C’t tried to verify this and found that it is amazingly complicated. Just to give you an idea what is needed for the compilation of the Windows version: a particular Visual Studio 2008 version (particular hotfixes installed), NASM assembler, the archaic Microsoft C compiler 1.52 from 1994, PKCS header files from RSAsecurity.com, the SDK of Windows 7, and the WDK 7.1.0.

The way they describe it, it took them a while to find this constellation. Nevertheless, they were still not able to get exactly the same binaries as on the download page, although they believe that it could be done by investing “considerably more time.”

Just to be clear, the C’t magazine does not claim that TrueCrypt contains backdoors. The point about all this is that, even with such a popular Open Source tool like TrueCrypt, it is extremely difficult to verify trustworthiness.

You might object that in Microsoft’s case it was already known that they are working with government agencies. Agreed, but if this is under the law, you can’t really blame Microsoft; you should blame the US government. The other question is if you trust a letterbox company like TrueCrypt Developers Association LC to always follow the law.

In my view, it is impossible to assert with 100% certainty that a complex application contains backdoors, even if you have the source code. Backdoors can always be disguised as vulnerabilities. If a security hole is detected later, the developers can always claim that it was just a bug. And, as we all know, you can never know if the software is buggy just by looking at the code.

Notice that I don’t claim that TrueCrypt is not trustworthy. You have to decide this for yourself. I am still using TrueCrypt to encrypt some of the files I stored in the cloud. I even think that the recommendation of the C’t magazine to always compile the software yourself instead of downloading the binaries is exaggerated. The point is that even if there are some people on this planet who can open my TrueCrypt files, they are most likely not interested in my top-secret data.

I wrote this post because, in the current discussion about PRISM, some people might get the wrong impression that it is better to count on Open Source when it comes to security software. I believe there is no general rule with regard to the question of whether Open Source or Closed Source software is more secure. How much confidence you can place in an application always depends on how much you trust the developers and the people behind them.

Are you now worried about your encrypted secrets?

  1. Babun 9 years ago

    If you’d also express similar “nothing is secure” opinions when serious security issues arise in the open source community one might actually consider you unbiased 🙂 That said, I’m pretty much of the opinion nothing is absolutely secure opinion myself.

  2. Michael Pietroforte 9 years ago

    Of course, I am not unbiased. Who is? Are you? 😉 Seriously, I agree that no encryption solution is absolutely secure. But some tools are some secure than others. Not everyone needs the same level of security. As far as I am concerned, TrueCrypt provides a sufficient level of security. However, I must also say that I trust Microsoft’s encryption solutions more than TrueCrypt’s

  3. Andrey d Oliveira 9 years ago

    See it also about True Crypt and attempts to decrypt data by FBI and Brazilian National Institute of Criminology: http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/

  4. Tet 9 years ago

    Michael, I find it hilariously ironic that you would trust Microsoft’s BitLocker solution more than TrueCrypt’s. Has anyone other than Microsoft developers actually seen the code and what it does? I doubt you have, so why put so much faith in it? For all you know, MS probably has a master key for BitLocker-enabled hard drives that it can use to decrypt data at the behest of the NSA or other three letter organization.

  5. Michael Pietroforte 9 years ago

    Andrey, thanks. It is interesting although I guess the FBIs decryption abilities are rather limited compared to those of the NSA.

    Tet, I know that my view is not really popular and that was one reason why I wrote the article. As I outlined above, the code alone doesn’t help much if you want to know if a complex program has backdoors or not. It is also relatively unimportant whether someone has a master key or not. Interesting is only how big the risk is that this individual or this organization can or will hurt your organization. To estimate the risk you have to know who could be able to decrypt your data. What makes TrueCrypt less trustworthy than commercial solutions is that you can’t really say much about the “who.”

  6. john 9 years ago

    “Is TrueCrypt trustworthy?” “You have to decide this for yourself.” … cool, useless article. I just lost my time, thx.

  7. Michael Pietroforte 9 years ago

    John, you have to decide for yourself because it depends on your security requirements if you can trust TrueCrypt or not. The article just gives you information that can help to make the decision.

  8. Kyle Beckman 9 years ago

    If someone (whether law enforcement or malicious user) wants to get to encrypted data, is it really that difficult? All you would need to do is modify the TrueCrypt source code to include some type of logging function that would intercept any password you type into the application. Replace the original executable and those passwords could be stored locally or transmitted in innocuous network traffic so the attacker could access encrypted files. How many people are going to think to check the file hashes on TrueCrypt executables every time they are run?

    Even if that attack vector isn’t a possibility, the attacker that could gain physical access could plant a hardware key logger or even cameras to see passwords typed.

  9. Michael Pietroforte 9 years ago

    Kyle, if a keylogger were in the source code, someone would find it sooner or later and TrueCrypt would be dead. Whoever is behind TruCrypt, they certainly want to avoid this. However, since it is so difficult to verify that the downloadable binaries are based on the downloadable source code, you can’t really rule out that your TrueCrypt installation contains such a backdoor. This is why the authors of the C’t article recommend compiling TrueCrypt yourself.

    As to attacks with physical access to the computer, there are very hard to prevent if the attacker has access twice and the user enters the password between the attacks. I call those attacks cleaning lady hacks. The Stoned attack I mentioned above is based on this method. BitLocker is a bit more difficult to crack than TrueCrypt because of the TPM. However, even this is possible. I am no security expert, but I think if you enable secure boot on a UEFI PC things get significantly more difficult for an attacker with physical access.

  10. Peter 9 years ago

    Quote : “However, I must also say that I trust Microsoft’s encryption solutions more than TrueCrypt’s”

    Exactly what was it in the source-code that led you to this conclusion ?
    Oh wait …

    PS : You have one thing right in your article :
    ” Michael Pietroforte is Microsoft Most Valuable “

  11. Michael Pietroforte 9 years ago

    Peter, if you read my article, then you would know that my claim is that the source code is irrelevant. I assume you think TrueCrypt is trustworthy. What exactly makes you so sure?

  12. Tim 9 years ago

    I simply can’t believe I am reading this….

    Yes Truecrypt has some issues…yes it’s difficult to secure yourself against backdoors, doggy binaries etc.

    Nothing you have said in this article against Truecrypt, can not be applied to Bitlocker. Yes TPM helps ensure Bitlocker integrity – but only if you trust the manufacturing process(TPM hardware) + firmware + Microsoft. When you add to this the closed nature of MS source code…

    That’s a lot of trust.

    I use both and can honestly say, that neither give me a warm feeling of cosiness – but then, I know how to circumvent such security measures.

    (Microsoft solution has another major disadvantage – it costs a lot of money. Some people don’t have much money to spend – and as a result I would recommend TC over Bitlocker any day.)

    So, you’re *really* sure Bitlocker is more trustworthy than TC?

    I would humbly suggest that this displays a deep misunderstanding of how these solutions are circumvented – as there is nothing that TPM + Bitlocker provides that makes it harder to circumvent than TC.

  13. Michael Pietroforte 9 years ago

    Tim, almost everything in the article only applies to TrueCrypt, but not to BitLocker. The main point is that is unclear who is behind TrueCrypt. By contrast, it is clear who is behind Bitlocker and the firmware of TPM chips. Thus the question is whom you trust more, someone who is hiding behind a letterbox company or a public company who has a lot to lose if backdoors are discovered in their encryption software. I know how I answer this question for myself. However, trust and taste have in common that they are no objective entities. You have to decide for yourself what you like and whom you trust. All I did in the article is to provide information that can help you to make your decision.

  14. Tim 9 years ago


    I am merely trying to point out that your article appears to side favourably with Microsoft and not so favourably with TC – a standpoint which I believe is fundamentally flawed.

    Sure everyone has to make their own mind up, and yes, TC has flaws – loads of them, but all things considered there is no real *security* advantage to *either* product.

    There are administrative advantages – Bitlocker wins hands down in the corporate environment, but when it comes down to trusting that each encryption product, has been implemented correctly – and without flaw – and by a trusted company, your very first article sentence undermines the rest of the articles ‘pro bitlocker’ standpoint.

    If you really want to help people secure their systems, might I humbly suggest some articles (or links to) the real security weakness ‘people’ and their ‘practices’.

    Either way, I do like the site and for Windows admins it is a very useful resource.

  15. Joe 9 years ago

    You can rest assured that bitlocker has an NSA approved component. And did you ever notice how all Apple OS’s from phones to desktops come with a Trusted Root Certificate from the NSA? It makes unencrypting things so much easier using a man in the middle attack. Just look at: http://momentumbooks.com.au/blog/what-you-dont-know-about-nsas-prism-back-door-and-other-erotic-stories
    – Joe

  16. Peter 9 years ago

    ” Michael Pietroforte says:
    August 19, 2013 at 1:07 pm

    Peter, if you read my article, then you would know that my claim is that the source code is irrelevant. I assume you think TrueCrypt is trustworthy. What exactly makes you so sure? ”

    1: I did read you speculations .
    2 : The claim that the source-code is irrelevant is just that : A claim .
    3 : I can’t stop you from assuming whatever fits your agenda .
    4 : You DO NOT know who is really behind microsoft,apple,google,cisco etc etc .
    Do you know the names of all their employees, contractors etc etc ?
    Do you know how many of them ALSO work for ‘Three Letter Agencies’ ?
    Do you know who holds the stock-majority ?
    5 : ” Nevertheless, they were still not able to get exactly the same binaries as on the download page, although they believe that it could be done by investing “considerably more time.” ”
    That ‘considerable more time’ would have to be spent on stealing the certificate used by the TC-developers to sign the software .
    If you don’t have that certificate-You can not compile bit-exact binaries EVER !
    6 : You are truly a Microsoft Most Valuable Professional !

  17. Michael Pietroforte 9 years ago

    Check out this new project to create a verified, independent version control history repository for TrueCrypt

  18. William 9 years ago

    Bitlocker works if you ahve ultimate..it isn’t available in professional and home or anything else. This is a very poorly detailed argument.

  19. Michael Pietroforte 9 years ago

    William, BitLocker is also available for Windows 8.1 Professional. Good software has its price. As it turned out the free TrueCrypt was a very poor software. No more arguments are needed.

  20. Gregg DeMasters 8 years ago

    “It is also relatively unimportant whether someone has a master key or not. Interesting is only how big the risk is that this individual or this organization can or will hurt your organization. To estimate the risk you have to know who could be able to decrypt your data.”
    This is a HUGE point of trust. You trust Microsoft and the U.S. government with a master key to your encrypted data? You are trusting them to be perfectly secure! “You have to know who could be able to decrypt your data.” That could be anyone who gets the master key from a Microsoft or government source, a leak we surely would not hear about. Personal security is greatly diminished the moment it becomes shared security. I don’t trust others with my passwords, certainly not MS and the USG.

  21. Michael Pietroforte 8 years ago

    Gregg, I don’t think that this has much to do with trust. The point is whether those people who have access to the master key are interested in your encrypted data or are interested in harming you. I don’t really trust the tiger in Washington’s zoo. But this animal doesn’t even know that I exist.

  22. Gregg DeMasters 8 years ago

    We’ll have to agree to disagree on this one. You may not trust the tiger, but you are trusting the zoo to keep it locked up safely. Security breaches abound. You trust merchants to keep your credit card information safe, yet they can’t, as we have seen. A thief may not know you *now*, but once they have your information as part of information stolen en masse, they know you better than you realize. The point is, you are trusting those people with access to your information to keep that access secure. I don’t trust them to keep it secure.

  23. Michael Pietroforte 8 years ago

    Yeah, I trust the Washington zoo. But that is not the point.You know, it happened before that a tiger escaped from a zoo. The point is that when I am in Washington I don’t really worry to be eaten by a tiger.It also happened before that bad people got access to encrypted data and did bad things.But how likely is it that some super hacker breaks into Microsoft steals the master key (if there really is one), then Mr. super hacker comes to my house and steals my laptop to access my (for him) totally uninteresting data?

    I think these things only matter for a very small number of people. Industrial espionage comes to mind. But if you work in such a field, BitLocker and TrueCrypt are not your last line of defense anyway.These tools are for average people who just don’t want that sensitive data gets into the wrong hands when their laptop is stolen. The probability that an average laptop thief has access to the alleged master key is 0. This is why it is unimportant whether you trust Microsoft or not.

    I think the stir about a possible master key has nothing to do with the people’s worries about their data. The reasons are of political nature.

Leave a reply

Your email address will not be published.


© 4sysops 2006 - 2022


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account