This is bad. Very bad. And strange. And very, very bad.

Wait, whut?

TrueCrypt has apparently shut down, called itself insecure, and advised everyone to switch to BitLocker. You should read the comments on those articles, folks; people waaaaay smarter than me are talking.

XKCD: Security (via XKCD)


This is very reminiscent of the Lavabit scandal, where the operator was ordered to hand over keys that would have let the government read customer traffic and, rather than give customers a false sense of security, simply shut the business down. TrueCrypt was (is?) in the middle of a third-party security audit that had already cleared the first stage and was expected to clear the second stage as well. The cryptic (see what I did there) message on TrueCrypt’s new website is so *odd* that one can only assume it’s a hidden message meant to alert users without actually saying so.

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

It “may” contain unfixed security issues? What does that mean? Does it, or doesn’t it have security issues?

What does Windows XP have to do with anything? They’ve supported pretty much all major versions of Windows, OS X, and Linux up until now. TrueCrypt has always faced competition from “integrated” solutions like BitLocker and FileVault, so that’s no reason to shut down now.

If I were to play conspiracy theorist, I’d say the audit was going to come back clean, which would give even more credibility to an already (almost) industry-standard tool. The developers were then coerced into putting in a backdoor they couldn’t tell anyone about, which everyone would *think* was clean because of the recent audit, but wasn’t. So instead of doing that, they decided to shut down with a winkwink nudgenudge statement.

Or Maybe….?

Other plausible reasons: there actually is a huge security hole and the entire thing is unsafe; a buyout by a large company; or some other issue with the founders/developers/owners. Those don’t seem as likely to me given the scorched-earth nature of the message.

What now?

For now, the recommendation is to NOT download the new, neutered version of TrueCrypt (7.2, which only decrypts). Use an older version if you already have it, at least until further news comes out on whether that version is secure or not. You could also try an alternative from here or here. You may be able to get an older version from here, although I personally have no way of verifying the authenticity or legitimacy of those downloads.

Strange days indeed.