There are several significant problems with TrueCrypt. Somehow, they fall into different domains, so for most users only one of them really matters.
For FOSS-champions thing is that TrueCrypt developers are sneaky and don't accept contributions, so that in practice there is little outside control, and "given enough eyeballs are bugs are shallow" doesn't quite work.
For technical users, admins and frugal geeks TrueCrypt hides several unpleasant surprises, such as the encryption being undoable without a huge spare disk.
For casual users interface is cumbersome and counter-intuitive at times. It's almost as if developers have never considered usage scenarios. You have to type your passwords more often than strictly necessary, and sometimes you have to remember to do it, with risk of losing your data.
You forgot about their lack of public source code repository. Talk about significant problems for an "open source" project! Go try and download the old 6.2 or 6.1 versions. If you feel bold, go ask for a copy in their forum, or better yet, offer old TrueCrypt source code for download. They scare the hell out of me. They do now advertise a US address next to some Air Force base in Nevada. No I'm not paranoid, I speak only truth.
Edit: This is all common knowledge and has been for a few years. Wikipedia has all the details. The Czech Republic connection with the Trademark, the anonymous/unnamed developers, etc. The new (as of this year) mailing address in the US, the fake domain name registration, etc.
One last edit: TrueCrypt is probably fine protection against common thieves, but enough bits may have been knocked off of it to make it "acceptable" for export. If I was a Russian Spy, I would not touch it with a ten foot pole.
They do now advertise a US address next to some Air Force base in Nevada.
The address listed on their website appears to be an office in a pretty mundane Vegas suburb, surrounded by restaurants and small businesses. Am I missing something?
I've never noticed that their address is only given as a picture, it's not searchable. See for yourself: google.com/search?q=site:truecrypt.org+Henderson, NV.
I'm trying to figure out how you mean. Are you saying this could be foreign countries building it for a way in to US data or the US building it as an easy way in to foreign companies data?
* Assuming the people behind it's development are doing so with a sketchy purpose...
(If you look at Wikipedia's crypto-disk-software comparision page, http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_s..., you'll see that dm-crypt/cryptsetup/LUKS has pretty much all the features you would care about. Hidden containers would be nice, though.)
I was going to say that truecrypt has the advantage of windows support, which is why I switched from dm-crypt to truecrypt.
But I did some googling before hitting "reply", and apparently you can also mount dm-crypt volumes on windows with FreeOTFE. I guess I should have done some more research before switching.
If you use full disk encryption, it'll encrypt/decrypt on the fly, no extra hard drive needed. Type in password when you boot and you're done.
If you're talking about an encrypted file container on a USB stick, the same problems exist with other encryption software. But I only remember typing in my password when mounting one, I'm not sure where it's asking you for your password over and over.
If you want a USB stick with decent usability, spend 99 bucks on an ironkey, and you'll get real hardware encryption as well.
Of course, like anything, they could have other unknown vulnerabilities. But like they say in the video on that link, they're a security company that makes a storage product, opposed to a storage company making a security product.
they're a security company that makes a storage product, opposed to a storage company making a security product.
I laughed a bit thinking of extreme trade off in those two statements (so allow me to respectfully embellish [is that possible?]):
Security company makes a storage product: It's secure because they have no idea how to make a storage product and therefore your data is not actually stored anywhere that it can be retrieved in the event that you've provided the correct key.
Storage company makes a security product: The data is stored properly. It is then encrypted using whatever sample code was discovered in a search for the acronym "AES" with a bunch of redundancy in the event that something with the physical media fails. This redundancy is stored in the clear.
A vulnerability in storage results in inaccessible data. A vulnerability in security results in overly accessible data.
>By default, TrueCrypt uses hardware-accelerated AES on computers that have a processor where the Intel AES-NI instructions are available. [sans key-generating instructions]
Example supported processors include (select) ones from the i5/i7 desktop and mobile Intel processors, but anything which has that instruction set should work, apparently.
(from: "hardware acceleration" chapter, link near the top of the article)
For FOSS-champions thing is that TrueCrypt developers are sneaky and don't accept contributions, so that in practice there is little outside control, and "given enough eyeballs are bugs are shallow" doesn't quite work.
For technical users, admins and frugal geeks TrueCrypt hides several unpleasant surprises, such as the encryption being undoable without a huge spare disk.
For casual users interface is cumbersome and counter-intuitive at times. It's almost as if developers have never considered usage scenarios. You have to type your passwords more often than strictly necessary, and sometimes you have to remember to do it, with risk of losing your data.