Curious to see this take from you! I followed TrueCrypt for years, but always thought it was very strange that they were anonymous, and then the mysterious shutdown happened, and I have no idea what to make of VeraCrypt. It's been in my "possibly good, but too many weird flags around the whole project" bucket.
Anything in particular that makes you wary? I'm aware of the 2016 and 2020 audits (https://ostif.org/the-veracrypt-audit-results/ is the 2016 one, I believe), but those seemed to suggest things were getting better over time. Curious what other signals to look for.
> not with even with your computer would I run VeraCrypt
This has got to be the most surprising encryption-related comment I've ever read from you. Please tell us what you're thinking about VeraCrypt. What would you say about TrueCrypt v7.1a, the last known good release?
I would also love to hear specific opinions about VeraCrypt because I need to get some Windows users to encrypt some of their seldom-used sensitive files, like HR for example.
They can't use age or any other "right answer" tools. I'm talking about people who don't know their own username, people who don't know that their Windows password is the one they use to log into Windows. "Is that for my email?" Just getting them to use a password manager is like arm wrestling an aligator. If VeraCrypt isn't the best option for them, then what is?
Generally I’d say this is what Sharepoint or Box or a more workflow-specific platform is for. You generally don’t want sensitive data living on individual people’s workstations in an enterprise context, you want it somewhere that you can enforce security settings.
My interpretation was that the authors received a National Security Letter and chose to shut down development rather than let their software get backdoored. IIRC the shutdown announcement cited the discontinuation of Windows XP as why the software got discontinued (when it was cross platform and supported newer versions of Windows) and included a step-by-step guide for how to migrate to Bitlocker (a red flag for anyone remotely cynical).
An independent audit of the last version of TrueCrypt was published about a year after the discontinuation. It did not find any significant security issues or backdoors.
One of the greatest cyber security mysteries of our time. Regardless of what actually happened, I hope the author is okay. (The story implied to me that the author was forced to post that, or was disappeared and the website was changed by someone else)
Is there a brand you do have trust in? I’ve kind of thrown my hands up, considered my attack surface is dude stealing my laptop and not the state department wants my 4chan history, and just use the encryption tools provided by Apple and Microsoft
Anything in particular that makes you wary? I'm aware of the 2016 and 2020 audits (https://ostif.org/the-veracrypt-audit-results/ is the 2016 one, I believe), but those seemed to suggest things were getting better over time. Curious what other signals to look for.