Sometime in late May, TrueCrypt’s homepage began redirecting users to a Sourceforge page. As of this moment, the Sourceforge page says that the development of TrueCrypt has ended and that the program may not be secure. The only version of TrueCrypt offered at the page now (7.2) is a crippled version that only has the ability to decrypt files.
There was much speculation as to the reason for TrueCrypt’s demise, ranging from its site being hacked to the desire of the developers to call it quits. At this point, the cryptic messages still remain on TrueCrypt’s site, thus making some of the theories (e.g. the site being hacked) seem less plausible. We may never know the true reason development on TrueCrypt was stopped, but there are no signs that it is coming back.
There is no shortage of encryption programs available. So why is it news when the developers of one of them decide to jump ship?
For one, despite the aura of mystery surrounding the identity of its developers, TrueCrypt has a long history, and it has proven itself to be a reliable program. In 2008, even the FBI failed to obtain data on the hard drives of suspect Daniel Dantas. This incident demonstrated the strength of the protection offered by TrueCrypt when a strong passphrase is chosen.
TrueCrypt is very user-friendly. There are detailed instructions within the program to guide even users who have never used TrueCrypt before, and there also used to be extensive documentation of the program’s features on TrueCrypt’s homepage.
TrueCrypt also offers very useful features that help distinguish it from other programs. It offers the ability to repair a corrupted boot loader, which can come in handy if you make a mistake while setting up a multiboot system and can even protect you against an Evil Maid attack. If you even suspect that your boot loader has been tampered with, simply insert the CD that you were asked to burn during the initial encryption process and restore your original boot loader. TrueCrypt supports encrypted volumes on Windows, Mac, and Linux, which means you can take your encrypted files with you to different computers.
Perhaps most important of all, TrueCrypt’s source code was available to the public, which means that at least in theory, anyone who can read code can verify that no hidden backdoors have been built into the program. In fact, such an audit by the Open Crypto Audit Project was underway. Phase I of their report is available as a PDF. To summarize the report, problems of up to “moderate” severity were found, but the audit found no “backdoors or otherwise intentionally malicious code.”
Even if none of these features is unique to TrueCrypt by itself, the combination of all of them makes a strong case that among disk encryption programs, TrueCrypt was one of a kind.
What do we do while we wait for the dust to settle? If you simply want full-disk encryption on each individual computer and you don’t need to move files between them (e.g. using an external hard drive), there are alternatives.
For Windows users, the open source Diskcryptor is an option. Diskcryptor is licensed under the GNU GPLv3, which means that should its developer(s) decide to abandon ship like TrueCrypt’s developers, others can carry on with its development free of any legal restrictions.
Linux users also have alternative full-disk encryption options. For example, Ubuntu and Mint have cryptsetup, which enables easy encryption of the entire hard drive during installation. If you’re using Ubuntu 12.04, cryptsetup can only be found on the alternate CD. cryptsetup is included by default in Ubuntu 14.04, the latest long-term-support (LTS) version. Neither option provides protection against an Evil Maid attack, but then again, it is never a good idea to leave your computer in a position where unauthorized users may have physical access to it anyway.
Some believe, however, that TrueCrypt is too widely used and too important to simply abandon. Steve Gibson is one such individual. In his opinion, TrueCrypt’s “code will be forked, the product’s license restructured, and it will evolve.” Comments by one of TrueCrypt’s developers may have put a damper on the idea that TrueCrypt’s source code can simply be copied line by line. However, the comments did not rule out using the code as a “reference” for a new program. In fact, such a program may already exist. tcplay claims to be a “free” and “fully featured” TrueCrypt implementation. tcplay’s developers claim that tcplay was developed solely from TrueCrypt documentation, thus presumably avoiding any licensing restrictions that may be contained in the TrueCrypt License. Caveat: I have not tried tcplay.
For those who still want and need to use TrueCrypt until a clear, usable alternative emerges, GRC is offering TrueCrypt 7.1a, the last fully functional version. GRC provides a link to a third-party site with a list of hashes for the TrueCrypt installers to prove that the installers have not been tampered with. As a second check, you can also upload the installers to VirusTotal. When I did this for the Windows version, I found that VirusTotal first received the file on February 7, 2012, over two years before TrueCrypt was discontinued. For these reasons, I believe the GRC files are trustworthy. Moreover, because no serious publicly known vulnerabilities have been found in the code yet, it may be safe to continue using TrueCrypt 7.1a for now.
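The hash check described above is easy to get wrong by hand (comparing a long hex string by eye, or hashing the wrong file). The script below is an added example, not code from this post, from GRC, or from the TrueCrypt project: it parses a `sha256sum`-style hash list (one `<hex digest>  <filename>` entry per line), hashes each downloaded file in a directory, and reports whether each entry matches, mismatches, or is missing. The file names, file contents and digests are constructed for the demo; the real TrueCrypt 7.1a digests are not reproduced here and would come from the hash list the post refers to.

```python
import hashlib
import os
import tempfile

# Constructed sample contents standing in for downloaded installers. The
# "tampered" variant simulates a file that was modified after the hash list
# was published. None of this is the real TrueCrypt installer data.
GOOD_CONTENT = b"constructed stand-in for an unmodified installer\n"
TAMPERED_CONTENT = GOOD_CONTENT + b"extra bytes simulating a modified installer\n"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_hash_list(text):
    """Parse sha256sum-style lines ("<hex>  <filename>") into {filename: hex}.

    Blank lines and '#' comments are ignored, a leading '*' (binary-mode
    marker) on the filename is stripped, and a digest that is not 64 hex
    characters is rejected rather than silently compared.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")  # split on the first space only
        name = name.strip().lstrip("*")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest on line: {line!r}")
        expected[name] = digest
    return expected


def verify_files(hash_list_text, directory):
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every listed entry."""
    results = {}
    for name, digest in parse_hash_list(hash_list_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "ok" if sha256_of_file(path) == digest else "MISMATCH"
    return results


def demo():
    """Build the constructed scenario in a temp directory and return the results."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "installer-windows.exe"), "wb") as f:
            f.write(GOOD_CONTENT)          # intact download
        with open(os.path.join(d, "installer-mac.dmg"), "wb") as f:
            f.write(TAMPERED_CONTENT)      # modified download
        good_digest = hashlib.sha256(GOOD_CONTENT).hexdigest()
        # Constructed hash list: vouches for the unmodified content of both
        # files and also lists a third file that was never downloaded.
        hash_list = "\n".join([
            "# constructed hash list for the demo",
            f"{good_digest}  installer-windows.exe",
            f"{good_digest}  installer-mac.dmg",
            f"{good_digest} *installer-linux.tar.gz",
        ])
        return verify_files(hash_list, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

In real use you would paste the published list into a file, place the downloaded installers beside it, and call `verify_files(open("hashes.txt").read(), ".")`; a `MISMATCH` on any file means that file should not be run, and a `MISSING` entry is only informational.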