German BSI withholds Truecrypt security report

234 points by rffn over 5 years ago

11 comments

60654 over 5 years ago
Note, the title is no longer accurate. There's an update at the end of the article, along with a download link:

> Shortly before we published this article the BSI has allowed to publish the Truecrypt documents. They can be downloaded from the Frag den Staat web page. Update from December 16th 2019, 13:22
Grumbledour over 5 years ago
It is sad to see the state still making freedom of information requests so difficult and using copyright as a flimsy excuse to hinder citizens from sharing the information when they finally manage to get it out of them.

I find it especially sad to see something like this held back by an entity that claims to want to protect security in information technology and doubly so since this information would be relevant to the developers and many state entities that use the software and its successor.

The BSI is sadly often toothless when it comes to actually enforcing security standards on federal entities but to see them not even trying to educate on such matters, when they clearly know better, squanders a lot of trust one may have in them.
jmakov over 5 years ago
"... in the simplest case a user can mount a Truecrypt volume that contains a file with suid root permission that will open a shell. Golem.de was able to replicate this scenario in a current version of Veracrypt."
cantrevealname over 5 years ago
The casual user stumbling on this article is going to think that TrueCrypt or VeraCrypt has been broken. There’s a big difference between attacks on a live system when a volume is being used, versus cases in which an encrypted volume is lost, stolen, or copied.

It needs to be firmly said that there is still *no known way* to recover plaintext from an unmounted TrueCrypt or VeraCrypt volume on a powered-off system without knowing the pass phrase. TrueCrypt and VeraCrypt are still totally secure for the standard use-case of protecting your powered-off laptop being stolen, or your backup drives being lost, or an encrypted volume that you’ve copied over to Dropbox being compromised.
chmod775 over 5 years ago
> As Truecrypt got no further releases the software is still vulnerable for all those weaknesses. [...]

> The BSI knew all that. [...]

> The results were communicated to the Truecrypt foundation, however the Truecrypt developers didn't consider them to be relevant. BSI furthermore says that the results were not intended to be published.

This is looking pretty terrible for Truecrypt. It means they ignored a vulnerability report and kept the vulnerabilities around for five years.
EsssM7QVMehFPAs over 5 years ago
Why would they release an audit that effectively provides them with zero-days into encrypted suspect disks?

They release now because no one is using TrueCrypt any longer.
unnouinceput over 5 years ago
I use VeraCrypt and none of this is my concern in my daily use of it. Can anyone tell me if my containers are still safe from prying eyes since I upload them to the cloud? I need specific answers from anyone working on VeraCrypt, not general answers of "yeah, they are unsafe" that HN usually gives.
pushedx over 5 years ago
Is there a solid alternative to TrueCrypt with most of the features that’s been implemented with a proof-checking system such as OCaml Mirage?
kjaftaedi over 5 years ago
If you're going to comment, it's highly preferable that you read the article where all of this is explained.
onetimemanytime over 5 years ago
Much safer to assume that a decent nation state can decrypt Truecrypt and a lot of other things. You can hide stuff from your wife, friends or banana republic countries, but I wouldn't bet against NSA with 30 years in jail.
intc over 5 years ago
FWIF: https://truecrypt.ch/