TrueCrypt was about providing a safe alternative that you could be reasonably sure NSA and cronies hadn't touched. Why would they recommend bitlocker? Makes no sense to me.

yeah, their farewell message is so absurd that it looks suspicious.

i'd rather recommend to use the previous version of TrueCrypt and avoid updating. it is probably too secure for it's own good. :/

My question wasn't clear.  As long as I don't update to the new version of TC, my existing TC encryption should be unaffected should it not?  Does the warning apply only to version 7.2 or to all versions of TC?  In what I've read, some seem to be generalizing the warning, some not, but this appears to be based on assumption not fact.

Reviewing the SourceForge TrueCrypt page (how to migrate an encrypted volume/drive), it certainly implies that all versions of TrueCrypt are not secure (otherwise, why would migration be necessary?), but doesn't explicitly declare that to be the case.  Sad that we're left to puzzle that out.

My guess is the feds would consider TrueCrypt to be 'inadequate' now in the event of an audit, whatever version, but damn, the process of decrypting & re-encrypting is a pain.

Worth noting that the TrueCrypt security audit is going to proceed regardless. So it should be known before too long if there really is some major issue that is not feasible to fix, or if it would be practical for someone else to fork or take over the project.

Do the HIPAA rules actually specify acceptable ciphers and key lengths, key management requirements, etc? In the financial world the big one is GLBA, which only stipulates that measures must be planned, documented, and implemented to protect NPI but do not specify what those measures need to be.

Though even if there isn't a strict requirement, if there is a known vulnerability (there isn't at this point) that you are disregarding that could be a civil liability should a breach occur. I'd expect that any vulnerability that does exist would be in the realm of key strength or security, since they are using standard ciphers.

On a slightly OT note, CMS has a 'helpful tool' for use as a sort of template for conducting a security risk analysis for practices using EHR's, which all covered entities are required to do annually.  I downloaded and started through the assessment.  After an hour and a half of mind-numbing questions on all sorts of minutiae (Have you created an action plan for a lightning strike within 200 yards of your facility?  And distributed it to all appropriate personnel?  Had them review and sign off on the plan?  Designated a Responsible Party to initiate and implement the plan? You get the drift.) I glanced up at the progress bar & saw I was only half way through.

I got up, called my dentist and asked for an emergency root canal.  So I'd feel better.

While it's still ok to use, it won't let you encrypt new files.

Also, as time goes on, it will become less secure. I believe it's better to find something reliable now, since your real concern is the security of the patients' data.

Daiwa, thought this was a good article:

http://www.ghacks.net/2014/06/06/five-tips-disk-encryption-software-diskcryptor/?_m=3n%2e0038%2e1269%2ehj0ao01hy5%2e1bf4