Is TRUECRYPT Really Dead?

The very popular software, used by millions to encrypt data, has apparently halted development and is advising users to migrate to something different due to "potential security concerns". This is breaking news, and for now many find it hard to believe. Some guess that the website has been defaced; others suggest a disgruntled developer. An analysis of the software version (mysteriously released yesterday) has shown the same key being used as in previous software releases. The latest software release does not allow you to encrypt anything, only decrypt.

Worth noting:

  • A $70,000 audit was started last year; its goal is a complete analysis of the source code, looking for any major vulnerabilities. Phase 1 of the audit was completed early this year with no major security issues found. Phase 2 was to conclude over this summer. The audit team has reached out to the developer(s) as of today regarding the "news" and is awaiting a response.
  • In the recent Snowden revelations, he mentioned using a secure email provider called Lavabit. Shortly after he mentioned this publicly, the service shut down, with the explanation that a court order was demanding the "keys", thus making the core of the service useless/insecure. Recent news mentions Snowden's use of/belief in TrueCrypt.
  • The TrueCrypt team had posted a "roadmap" of sorts outlining the continued development of the software for use on the latest Windows 8.1 platform. This was not a "dead" project. Something bad has happened...
  • The TrueCrypt developer(s) have always been "anonymous"; however, the audit team has been in contact with them.
  • A popular service called the Wayback Machine is an internet website archive where you can view websites as they were in the past. The TrueCrypt website has been excluded... hmm.

At this time, it is advised not to download or use the latest version found at It is also advised not yet to migrate away from any existing instance you may be running. Until a "tool" is released, or the audit finds a big hole whose exploitation makes TrueCrypt almost useless, it remains one of the best encryption tools out there. If, however, they were forced to insert a backdoor of sorts (via court order) and this is his/her/their way of letting everyone know (which would explain the bizarre recommendations), then by all means we will stop using it. Until more info is released, we are staying still.

More info: Ars Technica | Slashdot | Krebs on Security | Reddit | Cory Doctorow
