TrueCrypt, We Hardly Knew Ye


TrueCrypt is gone. For a good number of years, TrueCrypt was the de facto cross-platform volume/file encryption standard. Sure, each platform (Windows, Mac) eventually developed its own encrypted volume option, but using it largely depended on trusting the encryption and security practices of the platform developer. As anyone steeped in the world of encryption and security knows, and as Bruce Schneier did enormous amounts to popularize, the only encryption you can trust is open source.

Why?

Because encryption is extremely hard to get right and extremely easy to get wrong... even if your intentions are pure. As we have seen from the last year of NSA revelations, trusting these large software companies is probably not the best strategy.

TrueCrypt was great for a few simple reasons:

  1. It was cross-platform. You could use it on Windows, Mac, Linux and just about anything else you could compile it on (no, I didn't try on OS/2).
  2. It was open source. That meant really smart people could attack it, find weaknesses, and thus improve it... which is the only way to get really good encryption software (or any software, but that is a different matter...).
  3. It was freely available, which made for widespread adoption.

I would have liked to see the statistics on downloads and usage. Unfortunately, along with the rest of the site, the statistics page is gone, and it was marked not to be archived, so the Wayback Machine doesn't have it either. Various download sites, however, each report download counts well into the hundreds of thousands or millions, not including direct downloads from the TrueCrypt site.

Even more interestingly, the TrueCrypt page redirects to their SourceForge page, which has a huge warning:

WARNING: Using TrueCrypt is not secure

So what happened? Why are they so adamant in moving in the span of a day from, "TrueCrypt is great, secure, perhaps not perfect, but the best option that there is," to "TrueCrypt is not secure; don't use it"?

I see a number of possibilities:

  • Some fundamental flaw was discovered that makes it unrecoverable. This is possible, but not very likely.
  • The developers no longer had the time to devote to it, and felt that a product that fell behind over time would become more and more insecure. This, too, is possible but also unlikely, since it would be easy, in open source, to find others willing to take it on.
  • The developers received a buyout offer from Microsoft. This is realistic. Since the TrueCrypt project page recommends customers replace TrueCrypt with Microsoft Windows BitLocker, Microsoft might simply have "bought" the many customers of TrueCrypt.
  • The developers received a visit from some government agencies. Like the Lavabit story, they were told to insert compromises, felt they could not, and so shut it down. As with Lavabit, if there is any truth to it, it will take months to a year or more to hear most of the story.

What really happened? I don't know. But this is a real loss for the Internet community and for privacy (and hence democracy) as a whole.