29 May 2014

How to securely download TrueCrypt 7.1a

Now that TrueCrypt has unexpectedly closed down the project, I recommend that no new users start using it. However, if you already use TrueCrypt and are not ready to migrate to anything else yet, you should stick to version 7.1a, since there are reports suggesting that version 7.2 may be compromised. EDIT: Version 7.2 is a read-only (decrypt-only) build intended to let you migrate to other platforms. The reports of suspicious network activity are still not confirmed. In short, you want version 7.1a.

But how do you download version 7.1a, now that TrueCrypt has closed their site? Who do you trust? The answer is math! Trust the digital certificate used to sign the installation set (its Authenticode signature), not the site you download it from. The way to do this is described below.

Step 1 - Find the trusted certificate

On a computer that has version 7.1a installed and that you are quite confident has not been taken over by evil martians, right-click the file "C:\Program Files\TrueCrypt\TrueCrypt.exe" (or wherever you installed it) and select Properties. Go to the Digital Signatures tab, click Details, then View Certificate, and scroll to Thumbprint in the Details tab.
Take note of this thumbprint. For me it was "58 20 fd ce 18 fb 95 80 e1 a5 9d 2b 58 fc 2b da 3d 6d 08 f6", but don't trust me, do it yourself.

As an added check, go to the Certification Path tab, click the topmost certificate in the chain (the root), click View Certificate and note its thumbprint as well. For me this was "b1 bc 96 8b d4 f4 9d 62 2a a8 9a 81 f2 15 01 52 a4 1d 82 9c".

Step 2 - Download TrueCrypt 7.1a

It doesn't matter much where you find it. Sure, don't go to the darkest corners of the web and get your computer infected with all kinds of malware, but the point is that you will verify the file after you download it, so the download site itself does not have to be trusted. I downloaded from here: http://filehippo.com/download_truecrypt/11601

Edit: You can also download from this BitTorrent magnet link. Once again, I checked that it is valid, but you really have to verify it yourself.

Edit: Grc.com has a good page explaining the trustworthiness of TrueCrypt 7.1a and offers download links.

Step 3 - Verify the signature

Now open the Properties of the file you downloaded and repeat the process.
Verify that the thumbprint is exactly the same and that the signing time (shown in the Details dialog of the Digital Signatures tab) is in February 2012. The thumbprint alone is not enough: the 7.2 release was signed with the same certificate, so the signing time is what separates a genuine 7.1a from the later build. Also, if you checked the certificate chain previously, verify the thumbprint of the root certificate as well.

If any of these checks fail, delete the file you downloaded. No ifs or buts, no trusting someone else saying that exactly this version is trustworthy. Only trust the file if it was signed around the time the original version was signed and with the exact same certificate. Do not trust the certificate's name, or anything else but the thumbprint: the name is free text that anyone can put in a certificate, while the thumbprint is a hash of the certificate itself.
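The same three checks (signer thumbprint, root thumbprint, signing time) can be scripted so that the downloaded file is compared directly against the copy you already trust. The PowerShell below is an added example and not part of the original post; it assumes Windows PowerShell 5.1 (for the System.Security.Cryptography.Pkcs types), that the trusted install is at the default path, and that the download sits in your Downloads folder under a name of my choosing. The signing time is read from the timestamp countersignature embedded in the file, which is the value Explorer displays as "Signing time":

```powershell
# Added example (not from the original post): compare a downloaded TrueCrypt file
# against an installed copy you trust, using only what is inside the signatures.
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.Pkcs.SignedCms

# Pull the raw PKCS#7 Authenticode blob out of a PE file (IMAGE_DIRECTORY_ENTRY_SECURITY).
function Get-AuthenticodeBlob {
    param([string] $Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    $peOff = [int][BitConverter]::ToUInt32($b, 0x3C)                    # e_lfanew
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) { throw "$Path is not a PE file" }
    $opt   = $peOff + 24                                                 # optional header
    $magic = [BitConverter]::ToUInt16($b, $opt)                          # 0x10B = PE32, 0x20B = PE32+
    $dirOff = if ($magic -eq 0x20B) { $opt + 144 } else { $opt + 128 }  # data directory index 4
    $certOff = [int][BitConverter]::ToUInt32($b, $dirOff)                # file offset, not an RVA
    $certLen = [int][BitConverter]::ToUInt32($b, $dirOff + 4)
    if ($certOff -eq 0 -or $certLen -eq 0) { throw "$Path carries no Authenticode signature" }
    # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[...]
    $blobLen = [int][BitConverter]::ToUInt32($b, $certOff) - 8
    $blob = New-Object byte[] $blobLen
    [Array]::Copy($b, $certOff + 8, $blob, 0, $blobLen)
    return $blob
}

# Everything the manual check looks at, for one file.
function Get-SignatureFacts {
    param([string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path    # WinVerifyTrust: also checks the file hash
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode((Get-AuthenticodeBlob $Path))
    $signer = $cms.SignerInfos[0]

    # The signing time lives in the timestamp countersignature (OID 1.2.840.113549.1.9.5).
    $signingTime = $null
    foreach ($cs in $signer.CounterSignerInfos) {
        foreach ($attr in $cs.SignedAttributes) {
            if ($attr.Oid.Value -eq '1.2.840.113549.1.9.5') { $signingTime = $attr.Values[0].SigningTime }
        }
    }

    # Walk the chain up to the root. The leaf certificate has long expired, so time validity is
    # ignored here; we only want to know which root it chains to. Intermediates come from the blob.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
    $chain.ChainPolicy.ExtraStore.AddRange($cms.Certificates)
    [void] $chain.Build($signer.Certificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        StatusMsg   = $sig.StatusMessage
        Signer      = $signer.Certificate.Thumbprint
        Root        = $root.Thumbprint
        SigningTime = $signingTime
    }
}

# Compare a downloaded file against the trusted install. Any mismatch means: delete it.
function Test-TrustedSignature {
    param([string] $TrustedPath, [string] $CandidatePath, [int] $MaxDaysApart = 30)
    $ref = Get-SignatureFacts $TrustedPath
    $new = Get-SignatureFacts $CandidatePath
    $problems = @()
    if ($new.Status -ne 'Valid')     { $problems += "signature status is $($new.Status): $($new.StatusMsg)" }
    if ($new.Signer -ne $ref.Signer) { $problems += "signer thumbprint $($new.Signer) differs from trusted $($ref.Signer)" }
    if ($new.Root   -ne $ref.Root)   { $problems += "root thumbprint $($new.Root) differs from trusted $($ref.Root)" }
    if (-not $ref.SigningTime -or -not $new.SigningTime) {
        $problems += 'no timestamp countersignature, signing time unknown'
    } elseif ([math]::Abs(($new.SigningTime - $ref.SigningTime).TotalDays) -gt $MaxDaysApart) {
        # Same certificate but a different signing time is exactly the 7.2 case.
        $problems += "signed $($new.SigningTime), trusted copy was signed $($ref.SigningTime)"
    }
    [pscustomobject]@{
        Trusted   = $ref
        Candidate = $new
        Ok        = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Usage (paths are assumptions; adjust to where you installed and downloaded):
# Test-TrustedSignature -TrustedPath 'C:\Program Files\TrueCrypt\TrueCrypt.exe' `
#                       -CandidatePath "$env:USERPROFILE\Downloads\TrueCrypt Setup 7.1a.exe" | Format-List
```

The script never consults a list of "known good" thumbprints; it takes them from the installed copy, which is the same trust decision the manual procedure makes. Status is required to be Valid so that a file whose contents were altered after signing (hash mismatch) is rejected even though the embedded certificate would still look right, and a missing timestamp is treated as a failure rather than as "unknown", since without it there is no trustworthy signing time to compare.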

I still think you should take TrueCrypt's advice and migrate away from the software, but you probably don't have to rush. Until then, use a verified copy of 7.1a.