Thinking About the Next TrueCrypt


At the end of May 2014, the popular encryption software TrueCrypt made the news when its developers suddenly announced they were discontinuing the project. As other developers inevitably move to fill this hole, we hope they also consider closing a weakness that TrueCrypt shared with many other software products that use encryption: keeping cryptographic keys exposed in memory while the program runs.

At the end of May 2014, the computer security industry (as well as many users) got a bit of a shock with the news that TrueCrypt (http://truecrypt.sourceforge.net/), a popular software project used to encrypt data on personal computer hard drives, had abruptly shut down and was no longer being developed. The developers’ site lists Microsoft’s decision to end support for Windows XP as the reason for ending the project, but there are more convoluted theories out there as well (https://news.ycombinator.com/item?id=7812133).

No matter what the reason, there is now a hole in the array of cross-platform security tools available for people to protect their data. As with any market vacuum, we expect developers will move to come up with another product to fill it. In the process, we think this is a great opportunity for developers to address an issue that TrueCrypt shares with many other computer security technologies: they leave sensitive cryptographic keys in memory at runtime. While the program is running on the computing device, the keys (typically in the form of a fully expanded key schedule) sit in RAM as ordinary data. Anyone who can obtain a copy of that memory, whether through a cold-boot attack, a DMA-capable interface, a hibernation or crash-dump file, or a debugger on an already compromised machine, can scan the image for the distinctive structure of a key schedule and recover the key, and with it the data it protects. This is not just an exercise in abstract possibilities: “ready to use” tools for doing exactly this already exist and are readily available to those who go looking.
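To make the point concrete, the following is an added example written for this page, not TrueCrypt code and not any vendor's tool. It shows why a key left in memory is findable: an AES-128 key schedule has an internal consistency (each round key is derived from the previous one per FIPS-197), so a scanner can walk a memory image and test every offset for that relation. The example assumes, as most software AES implementations do, that the expanded schedule is kept as one contiguous 176-byte block; the memory image below is constructed inline and contains one planted schedule.

```python
"""Scan a memory image for AES-128 key schedules (added example, not project code)."""
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> bytes:
    """Derive the AES S-box: multiplicative inverse, then the affine map with 0x63."""
    box = bytearray(256)
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):          # x^254 == x^-1 in GF(2^8)
                inv = _gf_mul(inv, x)
        s = inv
        for _ in range(4):                # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        box[x] = s ^ 0x63
    return bytes(box)


SBOX = _build_sbox()
SCHEDULE_LEN = 176                        # 11 round keys x 16 bytes for AES-128


def _schedule_words(key: bytes):
    """Yield the 44 four-byte words of the AES-128 key schedule (FIPS-197 5.2)."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    yield from tuple(w)
    rcon = 0x01
    for i in range(4, 44):
        t = bytearray(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                    # RotWord
            t = bytearray(SBOX[b] for b in t)    # SubWord
            t[0] ^= rcon                         # Rcon
            rcon = _gf_mul(rcon, 0x02)
        word = bytes(a ^ b for a, b in zip(w[i - 4], t))
        w.append(word)
        yield word


def expand_key_128(key: bytes) -> bytes:
    """Return the full 176-byte AES-128 key schedule for a 16-byte key."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    return b"".join(_schedule_words(key))


def find_aes128_keys(image: bytes) -> list:
    """Return (offset, key) for each position whose next 176 bytes form a valid
    AES-128 schedule.  An offset is dropped at the first word that disagrees,
    so almost every candidate costs only a handful of byte comparisons."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        key = image[off:off + 16]
        pos = off
        for word in _schedule_words(key):
            if image[pos:pos + 4] != word:
                break
            pos += 4
        else:
            hits.append((off, key))
    return hits


def build_sample_image() -> bytes:
    """Constructed stand-in for a RAM dump (not real data): seeded pseudo-random
    filler with one expanded schedule planted at a known offset.  The key is the
    FIPS-197 Appendix A.1 test key, not a secret of any real product."""
    filler = random.Random(20140528).randbytes(8192)
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    planted_at = 3001
    return filler[:planted_at] + expand_key_128(key) + filler[planted_at:]


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key schedule at offset {off}: key = {key.hex()}")
```

The real tools the paragraph alludes to work the same way but go further: the published `aeskeyfind` approach from the 2008 cold-boot research also recovers AES-256 schedules and tolerates the bit errors that decaying DRAM introduces, neither of which this exact-match scanner attempts.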

One technique available to developers who wish to plug this hole is white-box cryptography. Simply put, a white-box implementation such as Secure Key Box never holds the key as a recognizable value: the key is folded into the cipher’s lookup tables and internal transformations, so an attacker who can read all of the process’s memory and step through all of its code (hence the term “white box”) still cannot simply scan for a key or a key schedule. Two caveats apply. First, data that a program decrypts still has to exist in the clear in memory for the program to use it, so white-box cryptography protects the key, not the decrypted contents. Second, white-box constructions hide a key rather than provide a cryptographic guarantee, and published attacks on several designs exist, so the benefit is in raising the attacker’s cost, and it should be combined with sound key handling elsewhere. Secure Key Box is cross-platform, is available for all major personal computer and mobile device platforms, and is designed to be integrated easily into any software that uses encryption to protect secrets. That, of course, includes anyone looking to replicate the success of TrueCrypt.