
TrueCrypt abruptly shuts down

By Nathan Willis
May 29, 2014

The TrueCrypt disk-encryption software project has abruptly shut down, leaving only a vague warning message that users should not entrust their data to it and should migrate to another platform. If the shutdown was made in response to a recently-discovered security flaw, then there is indeed cause for concern, but the enigmatic nature of the announcement—and of the project itself—makes the circumstances more puzzling.

The TrueCrypt project is just over ten years old; the first release was made in February 2004. Its emphasis has always been on full-disk encryption for Windows machines, though it has also offered some features rarely found in competing programs, such as the creation of encrypted "hidden volumes" within other volumes. There have also been third-party projects to support TrueCrypt volumes on Linux and other operating systems. Performance was generally regarded as good, and it supported a range of different ciphers.

But TrueCrypt has always been a peculiar project. It has had licensing issues for many years that prevent it from actually being considered open source or free software. The TrueCrypt License (which, as of this week's shutdown, is no longer available on the web, including the Wayback Machine and Google cache, but can be found in the project's downloadable packages) was submitted to the Open Source Initiative (OSI) in 2006, but OSI determined that it did not meet the open source definition; it is also not on the Free Software Foundation's (FSF) list of free-software licenses. That is why official Linux releases from the project are not included in any mainstream distributions, but the third-party efforts are. The project continued to make its periodic releases and, interestingly enough, did so without ever revealing the identities of the team members.

On May 28, many users were surprised to discover that the project's previous URL truecrypt.org was suddenly redirecting visitors to truecrypt.sourceforge.net, where a page announced that development on TrueCrypt had ended and that TrueCrypt was not secure. The full text of the announcement reads:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

Beneath the message are instructions for migrating a TrueCrypt-encrypted volume to BitLocker, plus a link to a new, signed Windows executable labeled TrueCrypt 7.2 (although source is also available from the SourceForge project files page). The signature on the new release does validate, and it was made with the same key used to sign previous releases. The 7.2 executable, however, does not encrypt; it can only decrypt TrueCrypt volumes.

The statement tying the project shutdown to Microsoft's end-of-life for Windows XP is more or less plausible, since subsequent Windows releases have other encryption options. Linux, of course, has full-disk encryption options of its own as well, such as Linux Unified Key Setup (LUKS) and dm-crypt. But the sudden disappearance of TrueCrypt is troubling for other reasons.

First, a longstanding criticism of TrueCrypt was that it had never been subjected to a real security audit. The site istruecryptauditedyet.com was set up and a crowdfunding campaign was launched in October 2013 to hire an auditor. The campaign was successful, and in April 2014 an initial report [PDF] was published, covering an analysis of the overall application. Cryptographer Matthew Green was handling the second phase of the audit, an in-depth analysis of the core encryption routines.

On May 29, Green told security blogger Brian Krebs that he still intends to complete the audit—and that he believes that the project shutdown was a move made by the real TrueCrypt developers, not a hijacking of the project's domain. The question then becomes whether or not the shutdown was related to the audit—for example, if there is a backdoor or serious vulnerability that the TrueCrypt developers anticipate Green will discover.

At this point, of course, such a discovery is purely speculation. Social media channels and discussion forums are filled with debates about other possibilities, such as government intervention like that which precipitated the sudden shutdowns of Lavabit and Silent Circle in August of 2013. Without further explanation from the TrueCrypt team, the community may never know for sure, and the team (as always) seems not to be speaking publicly.

But regardless of what led to the shutdown, TrueCrypt fans are left with a dilemma on their hands. If TrueCrypt had been released under a standard open-source or free-software license, then the community could easily take the last release and pick up development where the original authors left off. But the TrueCrypt license is not merely non-standard, it is confusing. As Richard Fontana noted in his summary of the OSI's consideration of the license, it even includes a provision that suggests anyone who does not understand whether or not they are in compliance with the license does not have the right to redistribute the code. Tom Callaway also noted that the TrueCrypt developers seem to intentionally reserve the right to sue for copyright infringement even if they remain in compliance with the license, a provision that makes the TrueCrypt source code not merely inconvenient, but perhaps even dangerous to work with.

In all likelihood, the community will move away from TrueCrypt and replace it with something else. Should Green's security audit or other subsequent investigations reveal a heretofore unknown explanation for the project's abrupt shutdown, that will be news in and of itself. But considering how well the TrueCrypt developers have managed to keep to themselves over the years, the odds are low that a simple, clear explanation for these events is on its way.


TrueCrypt abruptly shuts down

Posted May 31, 2014 12:36 UTC (Sat) by Cato (guest, #7643) [Link]

BitLocker is only available in some versions of Windows 7 (Ultimate and Enterprise, but not Home or Professional) and Windows 8.x (Pro upwards). So there is no free-as-in-beer option for many Windows 7 or 8 users.

Losing a cross-platform encrypted disk image format will also be a problem for those who use TrueCrypt images on top of cloud storage such as Dropbox.

Try DiskCryptor, instead of the unfree TrueCrypt

Posted Jun 4, 2014 13:08 UTC (Wed) by ber (subscriber, #2142) [Link]

It has been known for years that TrueCrypt's license basically makes it unfree.

It makes sense to check for a clear Free Software status if you are going to rely on a software product for a while. DiskCryptor promises full disk encryption for Windows; what are your experiences with it?


Copyright © 2014, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds