From time to time someone asks if TrueCrypt is really secure (1, 2).
I think the concern is raised from a legal point of view that sometimes gets misunderstood. I will explain that below.
From the other point of view, that of the user, TrueCrypt can keep your files safe even from the FBI, provided that you have a strong password. There is a famous case, that of Daniel Dantas. This is from Wikipedia:
"In July 2008, several TrueCrypt-secured hard drives were seized from Daniel Dantas, who was suspected of financial crimes. The Brazilian National Institute of Criminology (INC) tried for five months (without success) to obtain access to TrueCrypt-protected disks owned by the banker, after which they enlisted the help of the FBI. The FBI used dictionary attacks against Dantas' disks for over 12 months, but were still unable to decrypt them."
The real concern is from a developer's point of view, well analysed by lawyers from Red Hat. The problem is that, besides being free as in "free beer" and open source, TrueCrypt is not "free as in freedom". You can't use it as you wish. You can't make money out of it. You can be sued even if you respect the license agreement!
This discussion explains the license agreement:
These remarks are against v2.5 of the TrueCrypt license:
Section III:
1. d.: This provision requires distribution of source code if you distribute "Your Product". However, it says:
"To meet this condition, it is sufficient that You merely include the source code with every copy of Your Product that You make and distribute . . . *provided that You make the copies available to the general public free of charge*; it is also sufficient that You merely include information . . . about where the source code can be freely obtained . . . with every copy of Your Product that You make and distribute . . . *provided that You make the copies available to the general public free of charge*."
This is ambiguous, but the best reading of "the copies" seems to refer to "every copy of Your Product that You make and distribute". That therefore means that if you distribute modified versions of TrueCrypt, you cannot charge for copies. That is non-free.
Section VI, Paragraph 2:
The license says:
"NOTHING IN THIS LICENSE SHALL IMPLY OR BE CONSTRUED AS A PROMISE, OBLIGATION, OR COVENANT NOT TO SUE FOR COPYRIGHT OR TRADEMARK INFRINGEMENT."
(...)
While Fedora certainly has no intent to commit copyright infringement, our counsel advises that licenses are promises not to sue. If Fedora complies with all of the conditions and/or obligations imposed by this license, we would not be protected from a lawsuit from TrueCrypt. If we cannot rely on this license granting us copyright permissions, counsel advises us that this license is non-free.