The TrueCrypt whole-disk encryption tool used by millions of privacy and security enthusiasts is safer than some studies have suggested, according to a comprehensive security analysis conducted by the prestigious Fraunhofer Institute for Secure Information Technology.
The extremely detailed 77-page report comes five weeks after Google's Project Zero security team disclosed two previously unknown TrueCrypt vulnerabilities. The most serious one allows an application running as a normal user or within a low-integrity security sandbox to elevate privileges to SYSTEM or even the kernel. The Fraunhofer researchers said they also uncovered several additional previously unknown TrueCrypt security bugs.
Despite the vulnerabilities, the analysis concluded that TrueCrypt remains safe when used as a tool for encrypting data at rest as opposed to data stored in computer memory or on a mounted drive. The researchers said the vulnerabilities uncovered by Project Zero and in the Fraunhofer analysis should be fixed but that there's no indication that they can be exploited to provide attackers access to encrypted data stored on an unmounted hard drive or thumb drive. According to a summary by Eric Bodden, the Technische Universität Darmstadt professor who led the Fraunhofer audit team: