What’s up with TrueCrypt?

TrueCrypt is a free encryption application that runs on Windows, Mac OS, and other platforms. I’ve suggested its use before to aid lawyers in securing data stored in various cloud services. Heck, there’s even an iOS app that can open TrueCrypt vaults, Disk Decipher.

Recently, though, TrueCrypt appeared to pull the plug on itself, suggesting that users migrate to BitLocker on Windows and use encrypted disk images on Mac OS X. People wondered, is this a joke, a hacking incident, or the real thing? Security guru Steve Gibson predicts the plug being pulled is probably the real thing.

The biggest question is: Can we still safely use TrueCrypt? Fortunately, the answer appears to be yes, and Steve Gibson has done the world a huge favor by creating an archive where users can download the last fully working versions of the software.

As we learn more and more about the NSA and other government agencies around the world spying on communications and information that have nothing to do with terrorism, crime, or anything else remotely relevant to public safety, we have to be mindful that encryption tools are critical. Sorting through all of the various claims by developers (“Our product is impossible to crack!”) can be a headache unless you have a Ph.D. in math and can understand the encryption algorithms being used. TrueCrypt is (was) a known application with a long history of not being broken by hackers.

It’s good to know that it is still safe to use.

How lawyers can use Dropbox safely

Dropbox is a popular cloud computing service that offers some advantages for lawyers. Imagine how nice it would be to sit at home with your own computer, open up a client’s document (contract, will, etc.) and work on it—all without having to carry the document on a flash drive or email it to yourself. Dropbox gives you that ability. The great thing about Dropbox is that you can use up to two gigabytes of storage on Dropbox absolutely free.

With Dropbox installed, you have a folder on your computer called (appropriately) Dropbox. Whatever you move into that folder gets uploaded to Dropbox’s servers. If you install Dropbox on another computer (like the one you have at home), you have another folder named Dropbox. When you open it, you’ll find the very same documents that you put in the Dropbox folder on your office computer.

Brilliant, right?

Absolutely, but for lawyers there’s a catch.

Our ethical obligations require us to maintain our clients’ information in confidence. In theory, an employee at Dropbox could snoop around and see the client’s documents. Practically, this is unlikely given that your client’s documents are like a needle in a haystack—one of millions (if not billions) of documents stored on thousands of servers at Dropbox’s location.

For some lawyers, this practical obscurity is enough security. It’s a personal judgment call, and some lawyers won’t be comfortable with this setup. (Personally, I find myself riding the fence between these two positions, which is why I use Dropbox for limited purposes.)

Suppose that we could make sure our client’s files and documents were encrypted before they were uploaded to Dropbox, so that anyone who might access the files on the Dropbox servers would see only gibberish. That would certainly address all concerns about confidentiality—so long as you use a smart password for the encryption.

It turns out that we lawyers can have a setup like this with the use of another free tool, TrueCrypt. This software lets you create a virtual hard disk that is encrypted and requires a password to open. TrueCrypt is available for Windows, Mac OS X, and Linux.

Basically, on your work computer, you create a TrueCrypt volume, say one gigabyte. Copy the files you want to upload to Dropbox onto this volume. Next, unmount the volume, and you’ll have a file you can copy to Dropbox–the file is basically an encrypted container for your sensitive documents.

From the other computer you use (perhaps at home), you make sure TrueCrypt is installed. Open up your Dropbox on the second computer, pull the TrueCrypt file out, open it and mount it. Voila–your files are on your home computer where you can work on them.

This workaround is not perfect. Because Dropbox sees the TrueCrypt disk only as a file, any changes made on your home computer will not automatically sync with your work computer. When you’re done making changes on the home computer, you need to close the TrueCrypt disk, unmount it, and drag that TrueCrypt file back to Dropbox (replacing the old one).
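
An added example, not part of the original post and not TrueCrypt or Dropbox code: a Python helper for the copy-out and copy-back steps above that refuses to replace the Dropbox copy if the other computer changed it since you pulled it. The file names, the `.base` sidecar file and the stand-in container bytes are assumptions made for the illustration, and the container must already be dismounted before `push` runs.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    # Compare contents, not timestamps: TrueCrypt can keep a container's old modification time.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def base_file(work_copy):
    return Path(str(work_copy) + ".base")  # hypothetical sidecar holding the pulled hash

def pull(dropbox_copy, work_copy):
    """Copy the container out of the Dropbox folder and remember its hash."""
    shutil.copy2(dropbox_copy, work_copy)
    base_file(work_copy).write_text(sha256_of(work_copy))

def push(work_copy, dropbox_copy):
    """Copy the dismounted container back unless Dropbox's copy changed since pull()."""
    base = base_file(work_copy).read_text()
    if sha256_of(dropbox_copy) != base:
        return "conflict"    # the other computer replaced it; do not overwrite
    if sha256_of(work_copy) == base:
        return "unchanged"   # nothing was edited, so nothing to upload
    tmp = Path(str(dropbox_copy) + ".tmp")
    shutil.copy2(work_copy, tmp)
    tmp.replace(dropbox_copy)  # rename so a half-copied container never holds the real name
    base_file(work_copy).write_text(sha256_of(dropbox_copy))
    return "pushed"

def demo():
    """Constructed stand-in bytes play the container; no real TrueCrypt volume is used."""
    with tempfile.TemporaryDirectory() as d:
        dropbox, home = Path(d, "Dropbox"), Path(d, "home")
        for p in (dropbox, home): p.mkdir()
        shared, local = dropbox / "clients.tc", home / "clients.tc"
        shared.write_bytes(b"container v1")
        pull(shared, local)
        first = push(local, shared)                         # no edits yet
        local.write_bytes(b"container v2 (home edits)")
        second = push(local, shared)                        # home edits go up
        shared.write_bytes(b"container v3 (office edits)")  # office replaced it meanwhile
        local.write_bytes(b"container v4 (home edits)")
        third = push(local, shared)                         # must not overwrite the office copy
        return [first, second, third, shared.read_bytes()]
```

A `conflict` result means both computers edited their own copy of the container; the two sets of documents then have to be reconciled by hand, because Dropbox cannot merge the inside of an encrypted file.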

The other thing that’s missing from this workaround is the ability to access files on a TrueCrypt disk from portable devices. Presently, TrueCrypt is not available on iOS, Android, BlackBerry, or any of the other portable operating systems. Hopefully, the people behind TrueCrypt are at work on apps for the iPad and Android so that we can access files from those devices. I haven’t seen any indication that these apps are on their way, but perhaps if enough of us ask for it, we might get lucky.


