Several weeks ago, we announced our plan to encrypt all college-owned laptops and desktops. For Windows, we planned to use the open source software TrueCrypt, but last week, the tech world was surprised to see a dramatic change to the TrueCrypt website. Suddenly, the widely-used software was said to be insecure. The nameless developers released a new version, only for decryption purposes, and announced the old software should no longer be used.
Obviously, this gives us pause. On the one hand, TrueCrypt version 7.1a, which we were deploying, has successfully undergone the first half of an independent security audit. No backdoor exploits or major vulnerabilities were found. The second half of the audit is ongoing for v7.1a.
As is common with any open source software created by anonymous developers, communication can be sporadic and disparate, and it’s just as likely that a new team of developers could resume TrueCrypt’s life. Additionally, the second half of the audit could return with entirely positive results, and many companies and institutions will opt to continue using the software. However, the situation is uncertain.
For this reason, we have decided to take a breath, not react impulsively, and wait for more information. In the interim, the only change we intend to make is to not encrypt new Windows computers. This does not impact our continued encryption of Macs with FileVault 2.
Please contact us with questions, and please continue to use this blog as your resource for all security and general IT updates.