TrueCrypt: What happened? Who cares? What’s next?

What happened?

Sometime in late May, TrueCrypt’s homepage began redirecting users to a Sourceforge page. As of this moment, the Sourceforge page says that the development of TrueCrypt has ended and that the program may not be secure. The only version of TrueCrypt offered at the page now (7.2) is a crippled version that only has the ability to decrypt files.

There was much speculation as to the reason for TrueCrypt’s demise, ranging from its site being hacked to the desire of the developers to call it quits. At this point, the cryptic messages still remain on TrueCrypt’s site, thus making some of the theories (e.g. the site being hacked) seem less plausible. We may never know the true reason development on TrueCrypt was stopped, but there are no signs that it is coming back.

Who cares?

There is no shortage of encryption programs available. So why is it news when the developers of one of them decide to jump ship?

For one, despite the aura of mystery surrounding the identity of its developers, TrueCrypt has a long history, and it has proven itself to be a reliable program. In 2008, even the FBI failed to obtain data on the hard drives of suspect Daniel Dantas. This incident demonstrated the strength of the protection offered by TrueCrypt when a strong passphrase is chosen.

TrueCrypt is very user-friendly. There are detailed instructions within the program to guide even users who have never used TrueCrypt before, and there also used to be extensive documentation of the program’s features on TrueCrypt’s homepage.

TrueCrypt also offers very useful features that help distinguish it from other programs. It offers the ability to repair a corrupted boot loader, which can come in handy if you make a mistake while setting up a multiboot system and can even protect you against an Evil Maid attack. If you even suspect that your boot loader has been tampered with, simply insert the CD that you were asked to burn during the initial encryption process and restore your original boot loader. TrueCrypt supports encrypted volumes on Windows, Mac, and Linux, which means you can take your encrypted files with you to different computers.

Perhaps most important of all, TrueCrypt’s source code was available to the public, which means that at least in theory, anyone who can read code can verify that no hidden backdoors have been built into the program. In fact, such an audit by the Open Crypto Audit Project was underway. Phase I of their report is available as a PDF. To summarize the report, problems of up to “moderate” severity were found, but the audit found no “backdoors or otherwise intentionally malicious code.”

Even if none of these features of TrueCrypt is unique by itself, the combination of all of them certainly makes a strong case that among disk encryption programs, TrueCrypt was one of a kind.

What’s next?

What do we do while we wait for the dust to settle? If you simply want full-disk encryption on each individual computer and you don’t need to move files between them (e.g. using an external hard drive), there are alternatives.

For Windows users, the open source Diskcryptor is an option. Diskcryptor is licensed under the GNU GPLv3, which means that should its developer(s) decide to abandon ship like TrueCrypt’s developers, others can carry on with its development free of any legal restrictions.

Linux users also have alternative full-disk encryption options. For example, Ubuntu and Mint have cryptsetup, which enables easy encryption of the entire hard drive during installation. If you’re using Ubuntu 12.04, cryptsetup can only be found on the alternate CD. cryptsetup is included by default in Ubuntu 14.04, the latest long-term-support (LTS) version. Neither option provides protection against an Evil Maid attack, but then again, it is never a good idea to leave your computer in a position where unauthorized users may have physical access to it anyway.

Some believe, however, that TrueCrypt is too widely used and too important to simply abandon. Steve Gibson is one such individual. In his opinion, TrueCrypt’s “code will be forked, the product’s license restructured, and it will evolve.” Comments by one of TrueCrypt’s developers may have put a damper on the idea that TrueCrypt’s source code can simply be copied line by line. However, the comments did not rule out using the code as a “reference” for a new program. In fact, such a program may already exist. tcplay claims to be a “free” and “fully featured” TrueCrypt implementation. tcplay’s developers claim that tcplay was developed solely from TrueCrypt documentation, thus presumably avoiding any licensing restrictions that may be contained in the TrueCrypt License. Caveat: I have not tried tcplay.

For those who still want and need to use TrueCrypt until a clear, usable alternative emerges, GRC is offering TrueCrypt 7.1a, the last fully functional version. GRC provides a link to a third-party site with a list of hashes for the TrueCrypt installers to prove that the installers have not been tampered with. As a second check, you can also upload the installers to VirusTotal. When I did this for the Windows version, I found that VirusTotal first received the file on February 7, 2012, over 2 years before TrueCrypt was discontinued. For these reasons, I believe the GRC files are trustworthy. Moreover, because no serious publicly known vulnerabilities have been found in the code yet, it may be safe to continue using TrueCrypt 7.1a for now.
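The hash check described above, as an added example that is not code from the original post or from GRC: it parses a sha256sum-style manifest (the format most published hash lists use) and reports each installer as ok, mismatch, or missing. The file names and digests in the demo are constructed; the real TrueCrypt 7.1a hashes are not reproduced on this page.

```python
import hashlib
import hmac
import os
import tempfile

# Added example (not from the original post). Verifies downloaded files
# against a published "<hexdigest>  <filename>" manifest, as produced by
# sha256sum; a '*' before the name (binary mode) is tolerated.

def parse_manifest(text):
    """Return {filename: lowercase hexdigest} from sha256sum-style lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep:  # tolerate a single-space separator
            digest, _, name = line.partition(" ")
        expected[name.strip().lstrip("*")] = digest.strip().lower()
    return expected

def file_digest(path, algo="sha256"):
    """Stream the file so large installers do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(directory, manifest_text, algo="sha256"):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, want in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif hmac.compare_digest(file_digest(path, algo), want):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results

def demo():
    """Constructed scenario: one intact file, one tampered file, one absent file."""
    good = b"constructed installer bytes"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "installer-good.exe"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "installer-tampered.exe"), "wb") as f:
            f.write(good + b"\x00")  # one extra byte changes the digest
        manifest = "\n".join([
            f"{hashlib.sha256(good).hexdigest()}  installer-good.exe",
            f"{hashlib.sha256(good).hexdigest()}  *installer-tampered.exe",
            f"{hashlib.sha256(b'absent').hexdigest()}  installer-absent.exe",
        ])
        return verify(d, manifest)
```

A "mismatch" means the file differs from what the manifest's publisher hashed, whether through corruption or tampering; the check is only as trustworthy as the source of the manifest itself.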

One thought on “TrueCrypt: What happened? Who cares? What’s next?”

  1. I think I can shed some light on what really happened to TrueCrypt. I don’t think the NSA, FBI, or the US government had anything to do with it. See this Wikipedia entry:

    https://en.wikipedia.org/wiki/E4M

    Basically, Paul Le Roux was alleged to have illegally distributed the source code to E4M, which TrueCrypt was based on, from a company called SecurStar. This allegation goes as far as to say that Le Roux had produced an illegal license in order to distribute E4M. What most likely happened was that SecurStar had filed a lawsuit against Le Roux and during the course of that lawsuit was forced to disclose the names of the TrueCrypt developers. What is known is that SecurStar had contacted the TrueCrypt developers to let them know what was going on. It’s possible that the TrueCrypt developers ended up a part of the lawsuit. A settlement was most likely reached that required everything that was based on E4M source code to be pulled down from the internet, with the exception of a crippled version of TrueCrypt to allow people to migrate away from it. The TrueCrypt developers may very well be barred by the court from disclosing to the public what has really happened, and so they are just simply trying to scare everyone away from TrueCrypt.

    My take on this, assuming this to be true, is that SecurStar may find it very difficult to put the genie back into the bottle, as the damage was done 10 or 11 years ago. Too many people have been exposed to the source code, and attempts to stop this will most likely be futile. One thing I did notice was that the TrueCrypt developers had an interest in rewriting TrueCrypt as a means to get around the problem. The courts might have stopped them, however.
