The Mysterious TrueCrypt Abandonment

Speaking of TrueCrypt, the open source disk encryption project was mysteriously brought to a halt last week. The website URL now redirects to the project's SourceForge page with a strange message:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP.  Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images...You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

Now, at a glance this is a bit of a confusing statement.

The warning does not point to any specific security issue. "May contain unfixed security issues" is true of any software that is no longer maintained; it reads as a blanket statement about the implications of running unsupported software rather than a disclosure of a known flaw.

In fact, since the Heartbleed bug there has been a movement to audit critical open source software to try and catch vulnerabilities. The Open Crypto Audit Project has already completed a Phase 1 audit of TrueCrypt (a source review of the Windows bootloader and kernel driver, carried out by iSEC Partners) looking for backdoors and implementation flaws. Phase 2 would include a deeper look at the cryptography itself and, despite the now abandoned status of the software, I hope it still happens.

Looking back at the above statement, Microsoft ending support for Windows XP doesn't really have anything to do with TrueCrypt, which is a multi-platform encryption solution. The only way to connect the two events is that both are ending support. The recommendation to fall back on OS level encryption also seems odd coming from security experts: BitLocker is not available on every Windows edition, is Windows-only, and cannot open a volume on Linux or OS X, while TrueCrypt volumes work across all three platforms.

The initial thought was that this was a website hack, but I have personally checked the cryptographic signatures on the updated (crippled) version's files (version 7.2) and everything looks legitimate (i.e. they were released by the same people who released version 7.1a). Others have verified this, and now we are left dealing with the reality of it. Lots of people are reading between the lines and coming up with all sorts of conspiracy theories, but I won't get into those here.
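The check described above has two parts: the signature on the 7.2 files must verify, and the key that produced it must be the same key that signed 7.1a. A signature that verifies under some freshly published key proves nothing, since that is exactly what a website compromise would look like. The following is an added example, not the author's commands and not TrueCrypt project code; it uses Ed25519 from Go's standard library as a stand-in for the PGP signatures TrueCrypt actually shipped, with constructed release bytes, a constructed developer key and a constructed attacker key:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is a constructed stand-in for a distribution archive plus its
// detached signature and the public key the distributor published with it.
type Release struct {
	Name   string
	Data   []byte
	Sig    []byte
	Signer ed25519.PublicKey
}

// Fingerprint plays the role of a PGP key fingerprint: a short, stable
// identifier of a public key that can be pinned and compared across releases.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// VerifyRelease checks the detached signature under the key shipped with the
// release. On its own this only proves "someone holding this key signed
// these bytes", not that the key belongs to the developers.
func VerifyRelease(r Release) bool {
	return ed25519.Verify(r.Signer, r.Data, r.Sig)
}

// CheckContinuity is the full check: the signature must verify AND the
// signing key must be the one already trusted from an earlier release.
func CheckContinuity(trusted ed25519.PublicKey, r Release) (ok bool, reason string) {
	if !VerifyRelease(r) {
		return false, "signature does not verify"
	}
	if !bytes.Equal(trusted, r.Signer) {
		return false, fmt.Sprintf("signed by %s, expected pinned key %s",
			Fingerprint(r.Signer), Fingerprint(trusted))
	}
	return true, "valid signature from the pinned key"
}

func sign(priv ed25519.PrivateKey, name string, data []byte) Release {
	return Release{
		Name:   name,
		Data:   data,
		Sig:    ed25519.Sign(priv, data),
		Signer: priv.Public().(ed25519.PublicKey),
	}
}

// BuildScenario constructs three releases (constructed data, not real
// archives): 7.1a and 7.2 signed by the same developer key, and a tampered
// 7.2 signed by an attacker's own key that the attacker also publishes.
// It returns the developer key, pinned from the earlier release, and the releases.
func BuildScenario() (ed25519.PublicKey, []Release) {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	return devPub, []Release{
		sign(devPriv, "7.1a (constructed)", []byte("truecrypt-7.1a archive bytes")),
		sign(devPriv, "7.2 (constructed)", []byte("truecrypt-7.2 archive bytes")),
		sign(attackerPriv, "7.2 tampered (constructed)", []byte("truecrypt-7.2 archive bytes plus backdoor")),
	}
}

func main() {
	pinned, releases := BuildScenario()
	fmt.Println("pinned developer key:", Fingerprint(pinned))
	for _, r := range releases {
		ok, why := CheckContinuity(pinned, r)
		fmt.Printf("%-28s signature=%v continuity=%v (%s)\n",
			r.Name, VerifyRelease(r), ok, why)
	}
}
```

All three releases pass the bare signature check, because each verifies under the key that came with it; only the continuity check against the pinned 7.1a key rejects the tampered build. That is why the comparison with the 7.1a signing key, not the signature verification alone, is the meaningful part of the check.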

What it comes down to is that I trust the existing software and their proposed migration does not work for my cross-platform uses. The latest stable version of TrueCrypt (version 7.1a) was released over two years ago and has been publicly tested by security experts, law enforcement, and time. Publicly reported cases in which law enforcement failed to decrypt seized TrueCrypt volumes say something about the strength of its encryption, with the caveat that an unbroken cipher is not the same as a flawless implementation; that is what the audit is for.

People over at truecrypt.ch are organizing a future for users of the TrueCrypt software. Likely, it will fork into a new project with a new name from this point forward. I will closely follow security experts, like Steve Gibson of Security Now, for updated information. But for now I will continue to use my existing TrueCrypt encryption, and hopefully migrate to the new fork in the future.

UPDATE (June 18th, 2014): VeraCrypt is joining hands with truecrypt.ch to work together on retaining TrueCrypt functionality and improving the project. (source)