A longtime Debian developer has recommended Vulnerability-related.DiscoverVulnerability that the Cryptkeeper Linux encryption app be removed from the distribution . The advice came after the disclosure Vulnerability-related.DiscoverVulnerability of a bug where the app sets the universal password “ p ” to decrypt any directory created with the program . Simon McVittie , a programmer at Collabora , confirmed the findings Vulnerability-related.DiscoverVulnerability of researcher Kirill Tkhai , who disclosed Vulnerability-related.DiscoverVulnerability the bug Jan. 26 . McVittie said Vulnerability-related.DiscoverVulnerability he was able to reproduce the bug in the Stretch version ( Debian 9 , in testing ) , but not in the Jessie version ( Debian 8 ) . “ I have recommended that the release team remove this package from stretch : it currently gives a false sense of security that is worse than not encrypting at all , ” McVittie said in response Vulnerability-related.DiscoverVulnerability to the original bug report . Francesco Namuri , another Debian developer , agreed the Cryptkeeper packages should be yanked from Debian . Tkhai ’ s advisory said Cryptkeeper version 0.9.5-5.1 is affected . The problem appears when Cryptkeeper calls encfs , a command line interface for the encrypted file system . Encfs simulates a ‘ p ’ keystroke but the uses it instead as a universal password .