Should Truecrypt be audited?

Truecrypt is a cross-platform, free disk encryption software for Windows and Unix-like operating systems. It is generally considered a good disk encryption software, and not too long ago, I wrote a tutorial that showed how to encrypt the Windows installation of a Windows-Linux dual-boot setup (see Dual-boot Fedora 18 and Windows 7, with full disk encryption configured on both OSs).

Truecrypt is said to be published under an open source license, but in some quarters, its license has not been accepted as a valid open source license. And some of those people believe it has a backdoor. Guess who is widely believed to be responsible for that backdoor.

In a recently published article on his blog (see Let’s audit Truecrypt!), Matthew Green, a cryptographer and research professor at Johns Hopkins University, Baltimore, Maryland, wrote that:

The ‘problem’ with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don’t know what we can trust anymore. We now have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone. Truecrypt, as popular and widely trusted as it is, is a fantastic target for subversion.

But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, ‘authorship is a better predictor of quality than openness’. I would feel better if I knew who the TrueCrypt authors were.

So that’s why Professor Green has launched a project to audit the Truecrypt code. It’s a challenging project with very specific objectives. And it will require many hands on deck. Details are available here.

We Recommend These Vendors

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).


  1. Stupid question. Two questions you should be asking are:

    1. Should you use unaudited security software?
    2. Is auditing Truecrypt work $25k?
    Probably. Support of $16k before word got out seems to indicate that people are coughing up for it.

  2. Sum Yung Gai

    Got a problem with TrueCrypt? Well, if you’re using Microsoft or Apple software, then you’re already “pwn3d” by “We Know Whom” in the first place. Therefore, first thing to do is switch to a F/OSS platform like GNU/Linux or *BSD. Second thing to do is do an encrypted-partition installation. On GNU/Linux systems, I encrypt everything but the /boot partition. I consider that a reasonable mitigation of risk for my purposes. If “We Know Who” breaks into my house and installs a backdoor on /boot without my knowledge, then I’ve got a much bigger problem anyway. But if you know your computer’s been touched or tampered with (e. g. your computer got confiscated and then eventually returned to you), well, that’s what booting from a Knoppix or other Live-CD is for. :-) Same applies to backup media, BTW. Use the native GNU/Linux or *BSD tools to do the encrypting, and you should be good to go.


  3. I use and trust truecrypt

    but I believe it should be audited. all open-source (even closed source) should be looked at in details

    • But you can’t audit the source code of closed source tools. As such we can only trust that they are clean, that is, free of intentionally placed malware, also known as backdoors.

  4. Bob Robertson

    What a silly question.

    YES, it SHOULD be audited.

Leave a Comment

Your email address will not be published. Required fields are marked *