
Unfortunately, TrueCrypt may have been discontinued yesterday.

I use LUKS on Linux, but I liked the fact that with TrueCrypt I had a portable solution across Windows, Mac, & Linux.

TrueCrypt has its own license, but it was Open Source. Are you aware of any reasonable fork of TrueCrypt or any other portable alternative?

Goals:

  • encrypt portable USB disks and flash drives
  • mountable at least on Linux and Windows (MAC is a plus)
  • easy setup (no need to recompile tons of stuff)
Michał Šrajer
  • possible duplicate of [Are there other ways to encrypt files other then TrueCrypt and BitLocker](http://security.stackexchange.com/questions/58955/are-there-other-ways-to-encrypt-files-other-then-truecrypt-and-bitlocker) – Deer Hunter May 29 '14 at 13:35
  • @DeerHunter, it's not really a duplicate. The other question (and answer) ignores the portability factor, which is a key point here. – Michał Šrajer May 29 '14 at 13:45
  • It looks like [FreeOTFE](http://sourceforge.net/projects/freeotfe.mirror/) provides access to LUKS partitions from Windows, but that project seems to have been abandoned. – tobyink May 29 '14 at 22:31
  • See also [True Goodbye: ‘Using TrueCrypt Is Not Secure’](http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/) and the related [Hacker News discussion](https://news.ycombinator.com/item?id=7814725). – 40XUserNotFound May 29 '14 at 23:14
  • 44 possibilities: http://alternativeto.net/software/truecrypt/ – Chloe May 30 '14 at 02:14
  • Be sure to check out [www.truecrypt71a.com](http://www.truecrypt71a.com) for all releases + source code – pila May 30 '14 at 06:44
  • Other alternatives may be listed at [freecode.com](http://freecode.com/tags/cryptography). See also @Chloe's comment – ignis May 30 '14 at 10:00
  • Huh, so that was not a hoax? Whatever happened? (Clarification: I do not even run an OS supported by TrueCrypt, so it does not affect me at all. Just curious, especially staying informed about ITsec issues.) – mirabilos May 30 '14 at 15:16
  • Ah, never mind, [my question got formed into a proper question on this site](http://security.stackexchange.com/questions/59082/what-is-the-problem-with-truecrypt) in the meantime. – mirabilos May 30 '14 at 15:22
  • @tobyink It's not been abandoned per se, but they never really saw a reason to develop it further when things like TrueCrypt came along. This might change dramatically now. – polemon May 30 '14 at 19:10

5 Answers


The main obstacle of a TrueCrypt fork is the non-standard TrueCrypt license.

While the intention of the authors seemed to be to write a share-alike license similar in spirit to the GPL, the license has a few quite unorthodox passages which can be interpreted in a way which puts unreasonable conditions on a fork. These conditions prevented the Open Source Initiative from recognizing it as an open-source license. A fork of the TrueCrypt project might not be legally possible without the permission of the original TrueCrypt authors, who prefer to remain anonymous for now.

Nevertheless, there is a team in Switzerland which promised to continue working on TrueCrypt under the name TrueCryptNext.

Edit: Now there is the company Sirrix from Germany which wants to make a TrueCrypt fork called TrustedDisk. To get rid of the complicated TrueCrypt license, they plan to reimplement those parts with questionable license conditions and release the software dual-licensed under both a common open source license and a commercial version (German news story).

Philipp
  • I do not believe your answer is accurate. [TrueCrypt's license](http://pastebin.com/raw.php?i=dTE8GbwX) (taken from [binary](http://www.unchartedbackwaters.co.uk/pyblosxom/static/truecrypt_debian_packaging)) explicitly gives you the right to modify and re-release as long as you (a) do not use the name TrueCrypt as the name of your product (e.g., you can't call it TrueCrypt+), (b) do not claim your modified version is from the TrueCrypt Foundation, (c) display the phrase "Based on TrueCrypt, freely available at http://www.truecrypt.org/", (d) provide the source for free, and (e) don't alter the license. – dr jimbob May 30 '14 at 05:28
  • @drjimbob, the legals of the major Linux distributions, the FSF and the OSI have serious concerns about various versions of the license, and consider them "traps" designed to resemble free licenses, see [wp article](https://en.wikipedia.org/wiki/TrueCrypt#License_and_Open_Source_status) and mailing list discussions linked in the notes. – ignis May 30 '14 at 09:54
  • @drjimbob That license is a legal minefield. Among other things, it explicitly states that even if you follow it to the letter, they can still sue you for copyright infringement. I wouldn't go anywhere near this code. – Michael Hampton May 30 '14 at 13:25
  • @MichaelHampton - Again, I'm not a lawyer. I agree the license doesn't qualify as OSI "open source" or FSF "free". But that's very different from "modifications and redistribution are not permitted". The clause you referred to about copyright infringement states "YOU MAY NOT USE, MODIFY ... EXCEPT AS EXPRESSLY PROVIDED IN THIS LICENSE". There is a huge section on the criteria to be able to modify it. I think if you followed their conditions you can distribute a modified version (credit TrueCrypt, don't use their name, distribute your source for free, keep their license, etc.). – dr jimbob May 30 '14 at 19:45
  • Granted, you may not want to, as their license kind of sucks in that it is quite restrictive compared to better licenses like BSD, MIT, or even GPL. I do agree that I would question including/distributing the TrueCrypt software in my Linux distribution for potential legal reasons, especially if there is a commercial version of your software. But that's a separate issue. Note if you read through their legalese, the grounds to *modify* are equal to the grounds to *use* it unmodified. Granted, I'm not a lawyer, so don't take this as legal advice. – dr jimbob May 30 '14 at 19:47
  • For those interested, here's a link to one such mailing list [discussion](http://lists.freedesktop.org/archives/distributions/2008-October/000276.html) as mentioned by @ignis. – Lily Chung May 30 '14 at 22:53
  • @IstvanChung - Discussion of the TC License 2.5 is largely irrelevant as TC7 was released under 3.0. The two "trap" paragraphs Sec VI para 2, 3 are significantly altered, e.g., "NOTHING IN THIS LICENSE SHALL IMPLY OR BE CONSTRUED AS A PROMISE, ... NOT TO SUE FOR COPYRIGHT OR TRADEMARK INFRINGEMENT *IF YOU DO NOT COMPLY WITH THE TERMS AND CONDITIONS OF THIS LICENSE*." Missing that clause it does very much look like a trap. With that clause the trap seems much harder to legally defend. Similarly, paragraph 3 is qualified with "except as may be otherwise expressly provided in this License." – dr jimbob May 31 '14 at 03:22
  • Again, legal discussion of an old version that was significantly changed is largely irrelevant. Similarly, analysis of whether you are free to create a forked version (subject to some potentially annoying constraints) versus whether it's sensible for a commercial entity to include it in their Linux distribution (that they reserve the right to charge for) is a very different matter. – dr jimbob May 31 '14 at 03:26
  • @drjimbob Fair enough, though version 3.0 is still a pretty ugly license for potential forkers. – Lily Chung May 31 '14 at 04:10
  • The license goes out of its way to make clear that it's legal to fork it, under certain conditions. A fork of v7.1a is taking place: http://truecrypt.ch/ What this or that Linux distro decides to do as a result of the TC license is irrelevant. – May 31 '14 at 14:54

Specifically regarding the licences of TrueCrypt, there are already discussions running: simply because the main people behind the project are anonymous (some think they are from Eastern Europe, e.g. the Czech Republic) and given the possibility of National Security Letters (like Lavabit), it would also be better for them to stay under cover (side note: it would be enough if they were forced to give away their private GPG signing key, so new releases would not be trustworthy anymore).

The good side of this is that in the case of a fork they would first have to reveal their identity to claim possible licence rights.

In any case the security audit is going to stage 2 now (even if the project is shut down) to see if that version was safe.

UPDATE: A fork seems to be starting here: http://truecrypt.ch/

Stefan
  • Willingly violating the copyrights of someone when you know they cannot reveal their identity to sue you is highly unethical, in my opinion. Also, it doesn't protect you should they decide that their anonymity isn't that important after all. – Philipp May 29 '14 at 19:15
  • I find it far more unethical to simply let the project die for no real reason (the reasons listed on the site are extremely suspect). Assuming that there is no critical flaw, it would do the world far more good if TC was forked than if it dies. Can't argue the second point though. – CountMurphy May 29 '14 at 23:11
  • I tried to show the possibilities without any valuation. Also keeping in mind that maybe they are stuck in a dilemma: that way their idea can live on even if they cannot encourage people actively (but let it happen passively). *Side note:* Also during their active times journalists didn't reach them (no answers) for questions regarding licence concerns (e.g. inclusion in a live CD). – Stefan May 30 '14 at 13:04
  • Any discussion of ethics should be balanced with net positive impact to society. It's the entire point of IP rights. In this case, it's a far better ethical choice for the new forks to continue development given the original folks disappeared anonymously. – DeepSpace101 Oct 16 '14 at 01:19

I just found out about VeraCrypt.

It adds enhanced security to the algorithms used for system and partition encryption, making it immune to new developments in brute-force attacks.

For example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use 327661. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses 655331 for RIPEMD160 and 500000 iterations for SHA-2 and Whirlpool.

This enhanced security adds some delay only to the opening of encrypted partitions, without any performance impact during the application use phase. This is acceptable to the legitimate owner, but it makes it much harder for an attacker to gain access to the encrypted data.

VeraCrypt storage format is INCOMPATIBLE with TrueCrypt storage format.

SPRBRN
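The iteration counts quoted in the answer above are the knob that makes each password guess more expensive. The following is an added example (not VeraCrypt's or TrueCrypt's own code, and not from the answer's author): it derives a header key with PBKDF2-HMAC-SHA512 at the TrueCrypt and VeraCrypt iteration counts, measures how long one derivation takes on the current machine, and shows how the work per guess scales. The 64-byte salt is a constructed stand-in for the random salt a real volume header carries; SHA-512 is used rather than RIPEMD-160 because RIPEMD-160 availability in Python's `hashlib` depends on the OpenSSL build. The function names are the example's own.

```python
import hashlib
import time

# Iteration counts quoted in the answer above (SHA-2 variant).
TRUECRYPT_CONTAINER_ITERS = 2000   # TrueCrypt: at most 2000 for containers
VERACRYPT_SHA2_ITERS = 500000      # VeraCrypt: 500000 for SHA-2 / Whirlpool

# Constructed 64-byte salt standing in for the random salt stored in a real
# volume header. It is NOT taken from any real TrueCrypt/VeraCrypt volume.
CONSTRUCTED_SALT = bytes(range(64))


def derive_header_key(password: bytes, salt: bytes, iterations: int,
                      hash_name: str = "sha512", key_len: int = 64) -> bytes:
    """PBKDF2-HMAC key derivation in the style used for the volume header key.

    Every password guess, whether by the owner or by an attacker, costs
    `iterations` HMAC computations; the derived key is deterministic for a
    given (password, salt, iterations, hash) tuple.
    """
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, key_len)


def attack_slowdown(old_iters: int, new_iters: int) -> float:
    """Factor by which raising the iteration count multiplies the work per
    guess. PBKDF2 cost is linear in the iteration count, so this is a ratio."""
    return new_iters / old_iters


def seconds_per_guess(iterations: int, hash_name: str = "sha512",
                      samples: int = 3) -> float:
    """Best-of-N wall-clock cost of one derivation on this machine."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_header_key(b"benchmark password", CONSTRUCTED_SALT,
                          iterations, hash_name)
        best = min(best, time.perf_counter() - start)
    return best


def expected_seconds_to_crack(password_entropy_bits: int,
                              secs_per_guess: float) -> float:
    """Expected single-core time to find a password of the given entropy:
    on average half the keyspace must be tried."""
    return 2 ** (password_entropy_bits - 1) * secs_per_guess


if __name__ == "__main__":
    tc = seconds_per_guess(TRUECRYPT_CONTAINER_ITERS)
    vc = seconds_per_guess(VERACRYPT_SHA2_ITERS)
    print(f"TrueCrypt  ({TRUECRYPT_CONTAINER_ITERS:>6} iters): {tc * 1000:8.2f} ms/guess")
    print(f"VeraCrypt  ({VERACRYPT_SHA2_ITERS:>6} iters): {vc * 1000:8.2f} ms/guess")
    print(f"work per guess multiplied by "
          f"{attack_slowdown(TRUECRYPT_CONTAINER_ITERS, VERACRYPT_SHA2_ITERS):.0f}x")
    # A 40-bit-entropy password (roughly a 7-character mixed-case/digit password)
    for label, cost in (("TrueCrypt", tc), ("VeraCrypt", vc)):
        days = expected_seconds_to_crack(40, cost) / 86400
        print(f"{label}: ~{days:,.0f} single-core days for a 40-bit password")
```

The measured delay is paid once per mount by the owner and once per guess by an attacker, which is exactly the asymmetry the answer describes; the 250x ratio between the two SHA-2 counts holds regardless of how fast the hardware is, since both sides' cost scales linearly with the iteration count.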

Here's the relevant section of the license. My non-lawyer interpretation of the license is that you do have permission to modify it, provided you:

  1. do not call it TrueCrypt (or base the name off of TrueCrypt)
  2. do not claim it is a release by the TrueCrypt Foundation,
  3. state that it is based on TrueCrypt freely available at truecrypt.org,
  4. freely provide the source for all your modifications if you distribute your source,
  5. use the same license as TrueCrypt

I put the full license in a pastebin taken from the License.txt included in the TrueCrypt 7.1a Source available here. Here are the most relevant sections:

III. Modification, Derivation, and Inclusion in Other Products

  1. If all conditions specified in the following paragraphs in this Chapter (III) are met (for exceptions, see Section III.2) and if You comply with all other applicable terms and conditions of this License, You may modify This Product (thus forming Your Product), derive new works from This Product or portions thereof (thus forming Your Product), include This Product or portions thereof in another product (thus forming Your Product, unless defined otherwise in Chapter I), and You may use (for non-commercial and/or commercial purposes), copy, and/or distribute Your Product.

    a. The name of Your Product (or of Your modified version of This Product) must not contain the name TrueCrypt (for example, the following names are not allowed: TrueCrypt, TrueCrypt+, TrueCrypt Professional, iTrueCrypt, etc.) nor any other names confusingly similar to the name TrueCrypt (e.g., True-Crypt, True Crypt, TruKrypt, etc.)

    All occurrences of the name TrueCrypt that could reasonably be considered to identify Your Product must be removed from Your Product and from any associated materials. Logo(s) included in (or attached to) Your Product (and in/to associated materials) must not incorporate and must not be confusingly similar to any of the TrueCrypt logos (including, but not limited to, the non-textual logo consisting primarily of a key in stylized form) or portion(s) thereof. All graphics contained in This Product (logos, icons, etc.) must be removed from Your Product (or from Your modified version of This Product) and from any associated materials.

    b. The following phrases must be removed from Your Product and from any associated materials, except the text of this License: "A TrueCrypt Foundation Release", "Released by TrueCrypt Foundation", "This is a TrueCrypt Foundation release."

    c. Phrase "Based on TrueCrypt, freely available at http://www.truecrypt.org/" must be displayed by Your Product (if technically feasible) and contained in its documentation. Alternatively, if This Product or its portion You included in Your Product constitutes only a minor portion of Your Product, phrase "Portions of this product are based in part on TrueCrypt, freely available at http://www.truecrypt.org/" may be displayed instead. In each of the cases mentioned above in this paragraph, "http://www.truecrypt.org/" must be a hyperlink (if technically feasible) pointing to http://www.truecrypt.org/ and You may freely choose the location within the user interface (if there is any) of Your Product (e.g., an "About" window, etc.) and the way in which Your Product will display the respective phrase.

    Your Product (and any associated materials, e.g., the documentation, the content of the official web site of Your Product, etc.) must not present any Internet address containing the domain name truecrypt.org (or any domain name that forwards to the domain name truecrypt.org) in a manner that might suggest that it is where information about Your Product may be obtained or where bugs found in Your Product may be reported or where support for Your Product may be available or otherwise attempt to indicate that the domain name truecrypt.org is associated with Your Product.

    d. The complete source code of Your Product must be freely and publicly available (for exceptions, see Section III.2) at least until You cease to distribute Your Product. This condition can be met in one or both of the following ways: (i) You include the complete source code of Your Product with every copy of Your Product that You make and distribute and You make all such copies of Your Product available to the general public free of charge, and/or (ii) You include information (valid and correct at least until You cease to distribute Your Product) about where the complete source code of Your Product can be obtained free of charge (e.g., an Internet address) or for a reasonable reproduction fee with every copy of Your Product that You make and distribute and, if there is a web site officially associated with Your Product, You include the aforementioned information about the source code on a freely and publicly accessible web page to which such web site links via an easily viewable hyperlink (at least until You cease to distribute Your Product).

    The source code of Your Product must not be deliberately obfuscated and it must not be in an intermediate form (e.g., the output of a preprocessor). Source code means the preferred form in which a programmer would usually modify the program.

    Portions of the source code of Your Product not contained in This Product (e.g., portions added by You in creating Your Product, whether created by You or by third parties) must be available under license(s) that (however, see also Subsection III.1.e) allow(s) anyone to modify and derive new works from the portions of the source code that are not contained in This Product and to use, copy, and redistribute such modifications and/or derivative works. The license(s) must be perpetual, non-exclusive, royalty-free, no-charge, and worldwide, and must not invalidate, weaken, restrict, interpret, amend, modify, interfere with or otherwise affect any part, term, provision, or clause of this License. The text(s) of the license(s) must be included with every copy of Your Product that You make and distribute.

    e. You must not change the license terms of This Product in any way (adding any new terms is considered changing the license terms even if the original terms are retained), which means, e.g., that no part of This Product may be put under another license. You must keep intact all the legal notices contained in the source code files. You must include the following items with every copy of Your Product that You make and distribute: a clear and conspicuous notice stating that Your Product or portion(s) thereof is/are governed by this version of the TrueCrypt License, a verbatim copy of this version of the TrueCrypt License (as contained herein), a clear and conspicuous notice containing information about where the included copy of the License can be found, and an appropriate copyright notice.

  2. You are not obligated to comply with Subsection III.1.d if Your Product is not distributed (i.e., Your Product is available only to You).

Granted, there are also clauses of questionable legality; e.g., in Section VI there are two clauses that say if you "do not understand all parts of the license" OR if any provision of the license is unenforceable, then you MAY NOT USE, COPY or MODIFY their source code. I am not a lawyer, but these clauses strike me as odd and potentially unenforceable. This would leave you with no right to even USE TrueCrypt, let alone create a derivative work even while abiding by the rules of Section III.

  1. IF YOU ARE NOT SURE WHETHER YOU UNDERSTAND ALL PARTS OF THIS LICENSE OR IF YOU ARE NOT SURE WHETHER YOU CAN COMPLY WITH ALL TERMS AND CONDITIONS OF THIS LICENSE, YOU MUST NOT USE, COPY, MODIFY, CREATE DERIVATIVE WORKS OF, NOR (RE)DISTRIBUTE THIS PRODUCT, NOR ANY PORTION(S) OF IT. YOU SHOULD CONSULT WITH A LAWYER.

  2. IF (IN RELEVANT CONTEXT) ANY PROVISION OF CHAPTER IV OF THIS LICENSE IS UNENFORCEABLE, INVALID, OR PROHIBITED UNDER APPLICABLE LAW IN YOUR JURISDICTION, YOU HAVE NO RIGHTS UNDER THIS LICENSE AND YOU MUST NOT USE, COPY, MODIFY, CREATE DERIVATIVE WORKS OF, NOR (RE)DISTRIBUTE THIS PRODUCT, NOR ANY PORTION(S) THEREOF.

dr jimbob
  • Again: the legals of the major Linux distributions, the FSF and the OSI have serious concerns about various versions of the license, and consider them "traps" designed to resemble free licenses, see [wp article](https://en.wikipedia.org/wiki/TrueCrypt#License_and_Open_Source_status) and mailing list discussions linked in the notes. If I were you, I'd think thrice before giving a non-lawyer opinion. – ignis May 30 '14 at 09:48
  • @ignis are you a lawyer? I think what's important is thinking twice before acting on **non-lawyer** opinions in legal matters. Down vote if you disagree with something, but if I were you, I'd think thrice before advising when others should keep their mouths shut. – Jeremy Cook May 30 '14 at 14:31
  • @JeremyCook I think that any non-legal opinion about TrueCrypt code that disagrees with what all the big monsters in the Free Software world say, and that is not supported by any (at least as credible) source(s), does more harm than good, and I think that it is unfair and counter to the spirit of StackExchange (please read [Help Center > Our model](http://security.stackexchange.com/help/behavior)) to give said opinion to the public and say "if you do something wrong, you get to keep the pieces". – ignis May 30 '14 at 14:52
  • @ignis my issue is not with your statements about his advice being bad (my stance is neutral). My issue is with the statement, "if I were you, I'd think thrice before giving a non-lawyer opinion." Are you advising that unpopular opinions should never be voiced? Are you advising that because he stated he is not a lawyer he has no right to answer? What if he left out his IANAL statement, would that change anything? Are you advising that what he has said may put him personally at risk? Are you advising that dissenting opinions can hurt others? Please help me understand. – Jeremy Cook May 30 '14 at 15:38
  • @ignis - I tried repeatedly stating that IANAL. I understand that this doesn't count as an FSF "free" or OSI-approved "open source" license. But that doesn't mean you do not have permission to view the source and modify it in compliance with the license. Taking [non-free examples from gnu](https://www.gnu.org/licenses/license-list.html#NonFreeSoftwareLicenses), the JSON license isn't free as it states "the software shall be used for good, not evil", and the old Scilab license didn't allow for commercial distribution of a modified version, etc. – dr jimbob May 30 '14 at 19:36
  • @ignis - I agree, I'd be hesitant including TC in a Linux distribution due to license issues (especially one with a commercial version) or one that you modified (and had to walk the careful line of giving TrueCrypt credit but not claiming it was made by TrueCrypt). The issue is nuanced and I tried to present it that way. Philipp's highly upvoted answer just stated that you do not have the ability to modify and redistribute the source, whereas a large section of the license is dedicated to how you are permitted to do so, subject to some stipulations that make it not "free" in the OSI/FSF sense. – dr jimbob May 30 '14 at 19:40
  • Please read the lawyers' concerns that are linked as references in the wp section that I linked above. Quoting the Fedora/RedHat message: "this license has the appearance of being full of clever traps, which make the license appear to be a sham". That should make it clear the point has never been about being picky on some almost-free or de-facto-free license. – ignis May 30 '14 at 21:38
  • @ignis the only concerns that I have seen that are shown to originate from legal counsel talk about the state of the license in 2.5 in Oct 2008. The two so-called trap paragraphs were significantly changed to specifically address those concerns. See [comments to IstvanChung](http://security.stackexchange.com/questions/58994/are-there-any-reasonable-truecrypt-forks/59050#comment93836_58996) in the other thread. Granted, as I pointed out above, paragraph VI.2 seems questionable. But then it's not a question of being able to fork TrueCrypt, it's being able to legally use TrueCrypt. – dr jimbob May 31 '14 at 03:35

A short net-walk from the Wikipedia article linked by ignis led me to TcPlay, an independent reimplementation of TrueCrypt. Unfortunately it only supports Linux and DragonFly BSD. It is even included in most relevant distributions.

Jan Hudec