Starting on Wednesday, the official TrueCrypt website, truecrypt.org, has redirected to SourceForge and says that development has ended 5/2014.
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
The website then goes on to recommend Microsoft’s BitLocker and suggestions for other platforms. The sudden change, poor grammar, lack of confirmation, and other signals are leading to a lot of doubt and speculation about the situation. Was the website simply hacked and defaced? Are the developers aware of a bug that would be too time consuming to fix? Is it a secret signal that TrueCrypt might be compromised by the NSA or involved in FBI investigations and this was the developers’ only move that satisfied the gag order but also served to warn users of the encryption software? Did the anonymous developers simply want to stop working on the project?
Clearly, more questions than answers have come from Wednesday’s announcement.
Money was recently raised to audit TrueCrypt, or have security researchers go through the code to see if it was secure. The first phase of the audit (PDF) gave the code a green light with no glaring problems. The auditors made an announcement yesterday that they plan to continue moving forward with the audit and hope to deliver a final report in a few months. One scenario under consideration is supporting a fork of TrueCrypt with a free license.
Meanwhile, some others are trying to coordinate putting TrueCrypt on life support. With Wednesday’s announcement, a new version was also released. Version 7.2 only had the ability to decrypt volumes, which would assist people migrating from TrueCrypt to other solutions. With concerns surrounding the announcement, 7.2 could be seen as untrusted. The previous version 7.1a is being hosted on private mirrors by truecrypt71a.com and truecrypt.ch as well as possibly others.
While TrueCrypt’s developers were anonymous, the software became widely used because of its features and cross-platform compatibility. It has been hard to come up with a concrete list of alternatives to recommend. Microsoft’s BitLocker is only available to Windows Enterprise line of operating systems. AlternativeTo lists Axcrypt, AES Crypt, Cloudfogger, and a number of others but none of them compare to TrueCrypt in popularity.
Whatever the future holds for TrueCrypt or a good alternative, it will be interesting to see it unfold.