If you visit the website of the popular open-source encryption tool TrueCrypt, you’ll see a surprising message:
In the last 24 hours or so, truecrypt.org has redirected to the project’s homepage on SourceForge, where TrueCrypt’s demise has abruptly been announced.
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
This page exists only to help migrate existing data encrypted by TrueCrypt.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
You should download TrueCrypt only if you are migrating data encrypted by TrueCrypt.
The announcement has caught many people on the hop – the software is widely used by security-savvy users to encrypt their sensitive files and entire hard drives, and only last month TrueCrypt underwent the first phase of an independent security audit, which “found no evidence of backdoors or intentional flaws”.
Initially there were suspicions that the TrueCrypt webpage could have been defaced, or that a rogue member of the TrueCrypt team could have mischievously updated the site with the abrupt message, or that TrueCrypt had been forced into making the sudden move after undue pressure from the authorities (à la Lavabit).
But as more time goes on, there is a growing consensus that TrueCrypt’s anonymous developers might have genuinely decided to close the project – albeit in a somewhat bizarre fashion.
The webpage now offers a new decrypt-only version of TrueCrypt (version 7.2) for Windows, Mac OS X and Linux.
Until the situation is clearer, however, you might be wise to be wary of downloading that software.
Whether hoax, hack or genuine end-of-life for TrueCrypt, it’s clear that no security-conscious users are going to feel comfortable trusting the software after this debacle. It’s time to start looking for an alternative way to encrypt your files and hard drive.
Feel free to leave your suggestions of what solutions you recommend in the comments below.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
13 comments on “TrueCrypt warns that it is not secure, advises users to switch to BitLocker”
But BitLocker is not available on every version of Windows 8 OS. What should those users that do not have BitLocker do?
This is very odd.
Why advocate moving to a proprietary solution that isn't cross-platform?
Here come the NSA shills with all the psychological keywords like "weird" in order to cast opinions which do not follow the narrative as not credible.
Interesting how different people across many different sites on the internet have comments which use the same exact keywords and phrases. I guess it's just coincidence.
BitLocker is not secure. TrueCrypt has probably also been compromised.
Look for products from trusted sources, not necessarily open source. Intelligent people will understand; for the others, well, good luck.
Yeah, that doesn't ring true: migrate from an open-source cross-platform product to Windows. My money is on a hacked website…
both are compromised. fool.
It's not a hack; the new package was signed by the legit project key. (Unless the key was compromised, in which case why break the new version rather than just implanting a subtle backdoor?)
The two theories I've heard* are:
1. They got National Security Letter'd, and this is a canary to indicate that they can't talk about why they're doing something weird; or
2. the crowdfunded professional audit of the codebase found a horrible bug that's been there for ages — if they patched it, adversaries could reverse the patch to find the bug and then break into any collection of old truecrypt'd volumes they might happen to have lying about in a large data centre in, say, Virginia.
* via various infosec/crypto types on Twitter
I go with answer #1. NSA likely has master keys to the "integrated support" on various platforms but not for TrueCrypt. I wouldn't be surprised if they're killing the baby rather than surrendering it to the NSA.
Yeah. And so many directions about bitlocker… It doesn't feel right…
Well, here's my take on it. It isn't the webserver configuration itself (e.g., Apache Redirects). It is in fact in the index.html file :
meta http-equiv="refresh" content="2;URL='http://truecrypt.sourceforge.net/'"
(Not showing the tag open/close as it seems not to interpret it correctly – it shows the encodings themselves, and including them in the response just gets interpreted as if it was part of the site).
I used telnet to see the source of the file itself (one of many ways). Actually take that back. It might also be the server config. Just checked another way and got a 301:
HTTP request sent, awaiting response… 301 Moved Permanently
My initial reaction was "This is indeed odd." My reaction is still that it seems odd. But, responding to a few bits:
Re: "Until the situation is clearer, however, you might be wise to be wary of downloading that software."
Definitely agree. That is a given, and yet I somehow think some would miss it, so let me repeat that: Until the situation is clearer, however, you might be wise to be wary of downloading that software.
And I'll add, that goes for either or. As in: don't make the decision until more is found out. Especially following the advice – if it is genuine then fine but there's no clear indication yet.
Re: "Whether hoax, hack or genuine end-of-life for TrueCrypt, it’s clear that no security-conscious users are going to feel comfortable trusting the software after this debacle. It’s time to start looking for an alternative way to encrypt your files and hard drive."
I would be very surprised if it was a hoax (of course there's always an exception to every rule). Reason is simple: of all types of programmers, open source programmers are most genuine and care the most about fixing bugs and spending their time with the software (it is, after all, a hobby in many cases and respects!). I know when I find a bug in any of the programs I am a programmer for, I will lose sleep over it if I have to (I've also sent in patches to other open source projects, to add features or fix bugs, and I _know_ they appreciate it _a lot_ as I've always been credited for it and thanked; credits in the change log and thanked via other means). It is simply part of me: I don't like seeing problems in my work and so I will fix them, simple as that. And while other programmers may feel the same way, those who work on a free or open source project are very sincere in general but also about bugs (see my previous point): they are to be fixed; workarounds should only be temporary and generally as short as possible (if at all).
As for alternatives. My only suggestion would be for Linux users: use either LUKS or ecryptfs. That's standard Linux kernel encryption and, like I described, they take bugs seriously. Also, because it is standard, binary distributions will have it digitally signed (and in standard repositories, which itself is helpful for updates, etc.). For Windows, I cannot remember the last time I used it (a blessing) and while I was proficient in it I never liked it as much as Unix and its derivatives. So no comment on Windows encryption.
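The comment above draws a distinction that matters when triaging a suspected defacement: a redirect issued by the server (a 301 with a Location header) versus one hidden in the page body as a meta refresh, which a plain fetch reports as a 200. The following Python script is an added example, not code from the article or from the commenter; it classifies a raw HTTP response either way and extracts the redirect target and host so the finding can be recorded. The two sample responses are constructed to mirror the fragments quoted in the comment (a meta refresh to truecrypt.sourceforge.net and a 301); they are not captures from truecrypt.org.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches the value of a <meta http-equiv="refresh" content="..."> attribute,
# e.g. "2;URL='http://example/'" or "0; url=http://example/": case-insensitive,
# optional quotes around the URL, as browsers accept it.
_REFRESH_RE = re.compile(
    r"^\s*(\d+)\s*[;,]\s*(?:url\s*=\s*)?(['\"]?)(.*?)\2\s*$",
    re.IGNORECASE | re.DOTALL,
)


def parse_refresh_content(content):
    """Return (delay_seconds, url) for a refresh directive, or None if it has no URL."""
    m = _REFRESH_RE.match(content)
    if not m or not m.group(3):
        return None
    return int(m.group(1)), m.group(3)


class _MetaRefreshFinder(HTMLParser):
    """Collect the first <meta http-equiv="refresh"> directive in an HTML document."""

    def __init__(self):
        super().__init__()
        self.found = None

    def handle_starttag(self, tag, attrs):
        if self.found is not None or tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "refresh":
            self.found = parse_refresh_content(a.get("content", ""))


def classify_redirect(raw_response):
    """Classify a raw HTTP/1.x response (bytes) as a server-side redirect,
    an HTML meta-refresh redirect, or no redirect.

    Returns a dict with 'kind' ('http' | 'meta-refresh' | 'none'), 'status',
    'target' (URL or None), 'target_host', and 'delay' for meta refreshes."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    result = {"kind": "none", "status": status, "target": None, "target_host": None}

    # Server-side redirect: 3xx status plus a Location header (what wget reports
    # as "301 Moved Permanently").
    if 300 <= status < 400 and "location" in headers:
        result.update(kind="http", target=headers["location"])
    else:
        # Client-side redirect in the body: the browser follows it, but a plain
        # fetch shows a 200 and the meta tag sitting in index.html.
        finder = _MetaRefreshFinder()
        finder.feed(body.decode("utf-8", "replace"))
        if finder.found:
            delay, url = finder.found
            result.update(kind="meta-refresh", target=url, delay=delay)

    if result["target"]:
        result["target_host"] = urlsplit(result["target"]).hostname
    return result


# Constructed sample responses (not real captures); they mirror the two
# findings described in the comment: a meta refresh in index.html, and a 301.
META_REFRESH_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head>"
    b"<meta http-equiv=\"refresh\" content=\"2;URL='http://truecrypt.sourceforge.net/'\">"
    b"</head><body></body></html>"
)

HTTP_301_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://truecrypt.sourceforge.net/\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Moved</body></html>"
)

PLAIN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for name, raw in [("meta", META_REFRESH_RESPONSE), ("301", HTTP_301_RESPONSE), ("plain", PLAIN_RESPONSE)]:
        print(name, classify_redirect(raw))
```

In practice the raw bytes would come from a socket read of the site's response with a fixed Host header; classifying both layers separately is what lets a responder say whether a change lives in the web server configuration or in the document root, which is exactly the question the comment raises.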
I want to encrypt containers or folders rather than individual files. I've preferred TC since I alternate use of desktop Windows and Linux and it's available for both. Regardless of what the explanation of this episode is, it indicates some deep unsoundness on the developer side that I can't trust going forward. I hope somebody hasn't "gone rogue" in one bad way or another.
I'll push on experimenting with BoxCryptor, that apparently will work with something called Encfs in Linux.
What I find odd is their reason for their abrupt termination (XP EOL). If that truly is the case, why did it take them so long to end TC? XP ended April 8th, and it's now the end of May. Furthermore, XP's demise was hardly a secret. There was plenty of warning, and yet, they gave no indication that they were going to end TC because of it. Surely, they must have known prior to nearly-two-months *after* XP EOL that XP EOL would affect TC to the point that they would have to shut down TC.
Something is just odd (imo).
Here is exactly what I think happened:
The FBI asked for a backdoor to BitLocker back in 2013 and Microsoft collaborates with the NSA. So the NSA forced the TrueCrypt developers to shut down and recommend they switch to a backdoored product so that they can be spied on.
1. The latest release of the software was in 2012. Are they saying that it took 2 years to discover unfixed security issues?
2. How is the end of Windows XP even related to the development of TrueCrypt? And just because an operating system has its own built-in encryption doesn't mean it's better than open source options.
There are many other fishy things that don't add up.
I think the maintainer of TrueCrypt has decided for one or another reason to stop maintaining the product and the text is for future bugs/security issues that may be discovered.
But this is far from the end of TrueCrypt, for it has been forked and can be found at truecrypt.ch