The future of the widely used and much relied upon TrueCrypt whole disk encryption software has come under question this week after the open source project’s web page was redirected to a statement claiming that as of May 2014 TrueCrypt is no longer under active development.
The page claims that the software is not secure as “it may contain unfixed security issues”, which is an odd statement as, let's face it, any security issues that exist within TrueCrypt now have most likely been present in previous versions that were deemed to be secure – the only difference now is that if any major issues are discovered, they will never be fixed. That said, TrueCrypt has so far stood the test of time, and there have been no indications up until now that we should be concerned about the crypto. In fact, an ongoing crowd-funded audit of the software has so far offered some pleasing results, with no major causes for concern.
Worryingly, the page encourages Windows users to migrate their encrypted system drive over to Microsoft’s closed source and unauditable BitLocker technology! Given the evidence contained within the Snowden leaks, can Microsoft be trusted with securing our data? Furthermore, why would the developers behind TrueCrypt recommend the very thing that they have been working to help us avoid for years? Is this a joke, or is something more sinister going on behind the scenes?
There are a lot of conspiracy theories flying around about TrueCrypt going the way of Lavabit and bowing to governmental pressure. Other plausible explanations suggest that the developers are rebelling against the media backlash on the open source community in the wake of the OpenSSL Heartbleed vulnerability. After all, why would you give up your free time to help an ungrateful, uninformed and uncommitted community who take open source software for granted? I am inclined to lean towards the latter, but I certainly wouldn’t rule out any of the conspiracy theories, particularly with this year's revelations in mind.
So, the question is: should we still use TrueCrypt? This has to be an individual decision, as data privacy is a personal thing; I am personally going to wait to see if any further information emerges before making a decision.
I have raised a lot of questions in this post, many of which we will most likely never know the answers to, but one thing we do know is that the apparent demise of TrueCrypt, if true, will leave a gaping hole in the open source and security communities. I fear that the world is somewhat of a less secure place without TrueCrypt.