thad eirich

Searching for Truth in TrueCrypt

Created at: 2014-05-30 15:24:23 UTC

Updated on: 2014-09-25 01:45:25 UTC

What happens when one of the most trusted and, arguably, the most enigmatic security programs shutters its door within a warning?


In today’s NSA-phobia fueled privacy renaissance... about what you’d expect.  


TrueCrypt is a (sort-of*) open source tool which offered several methods of personal hard drive encryption as well as several methods of obfuscation. For example, users can also add encrypted volumes to their existing hard drive which are hidden to give users ‘plausible deniablility’ in the case of punching-bag decryption.


Its originates in 2004, when it was released by a team of anonymous developers who called themselves the “TrueCrypt Foundation”.  Since then it has had a steady stream of updates, despite occasional controversy and legal problems when Brazilian bankers encrypt their files to hide financial fraud. After ten years the  identity of TrueCrypt’s developers is still a mystery.


TrueCrypt’s offers security without perjuice, which means their encryption is available to model citizens looking to safeguard tax documents and, on the flipside,child pornographers trying to hide from the law.


However, it’s this historical impregnability that lead to its widespread use & endorsement by security advocates including security rockstar Bruce Schneier as well as NSA defector Edward Snowden. In fact, it was in the wake of Snowden’s NSA revelations that old rumors surfaced regarding a supposed ‘backdoor’, ( a software unsecured entrance for parties in the know) within the application.


After all, with the developers’ identity unknown, it’s easy to imagine how certain interested individuals (governments, corporations, etc. ) could have a reason to release encryption software where they alone have access to a secret way in. 


It’s conspiracy theories like that that gave birth to, a site which has raised $63K on it’s FundFill and IndieGoGo accounts (so far).


This would eventually spawn the Open Crypto Audit Program whose purpose was to examine the TrueCrypt source code and determine whether the program deserved the blind trust the security industry has placed upon it.  On April 14th Phase I of the audit was made public. It reported that “iSEC found no evidence of backdoors or otherwise intentionally malicious code in the assessed area.”


However on Thursday May 28th the TrueCrypt website ( was taken down and replaced with a simple holding page that stated “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.” The page also featured instructions on how to migrate your protected files from TrueCrypt to Microsoft Windows’ built-in Bitlocker encryption (or other encryption types depending upon your platform).  The site provided a final release of TrueCrypt that only allows users access to existing TrueCrypt partitions, and the options for creating new encryptions are disabled. A message claimed that “development was halted after Microsoft discontinued support for XP as later Windows releases have built-in encryption.” 


Because of the abrupt nature of this announcement as well as the unsatisfactory nature of the alternatives given (other services do not have TrueCrypt’s signature obfuscation techniques), security advocates have been quick to weigh in with their thoughts about TrueCrypt’s shutdown.

I’m going to list some of the more popular theories about TrueCrypt’s demise that are floating around the web:

imMute (Reddit) Perhaps the developer was served an NSL[National Security Letter] coercing them to implement a backdoor. Rather than throw users under the "security" bus, they chose to shut down development all together.

Like what lavabit did, but without the loud yelling about why.


BoppreH (HN) If I had to wager a crazy bet, I would go with newly developed Dead-Man's-Switch gone wrong.


ultramancool (HN) I think it's far more likely at this point that the devs, who had not updated their software in years, finally decided to call the project over and have marked it insecure because the codebase is now unmaintained and should be assumed insecure.


tghw(HN)What if this is an attempt to smoke out the TrueCrypt devs? [...]we know so little about the TrueCrypt maintainers, there's little way for us to hear that this isn't legitimate. In order to keep the project from dying (if this is a hoax), they would have to prove that they are the maintainers, because any plausible deniability would undermine their claim that the change was not legitimate.


Wikileaks(Twitter) Truecrypt has released an update saying that it is insecure and development has been terminated

the style of the announcement is very odd; however we believe it is likely to be legitimate and not a simple defacement

the new executable contains the same message and is cryptographically signed. We believe that there is either a power conflict..

in the dev team or psychological issues, coersion of some form, or a hacker with access to site and keys.


rodalpho(Ars) If this is defacement, it's the most elaborate defacement I've ever seen.


@matthew_d_green[Audit organizer](Twitter)I'm not going to point any fingers over this Truecrypt stuff, but... does anyone know where Microsoft was the past few days?


We may never know what caused the abrupt halt in TrueCrypt development or the fate and identities of its developers; however in the wake of the recent Heartbleed epidemic it’s easy to see the increased pressure and scrutiny that’s being placed on open-source security software.

TrueCrypt was never properly open-source, it had its own custom license, but it was source-available- the code was out there for everybody to see. Industry professionals relied and on - and some individuals lived and died by - a piece of code which no one was ever paid to make, was never publicly audited, and whose creator’s faces were never known. The public outcry following it’s purported demise goes to show how much we take these tools and the people who develop them for granted.

security TrueCrypt open source