TrueCrypt, an open source encryption software project that was particularly popular with individuals and developers, was recently abandoned. In May 2014, the TrueCrypt website posted a warning that “TrueCrypt is not secure as it may contain unfixed security issues.” Users were encouraged to migrate to BitLocker. Despite the developers’ abandonment, an audit of the code will continue into Phase II.
Reasons for the abandonment are not entirely clear, in part because the developers of TrueCrypt were mostly anonymous. Some speculators suggested the abandonment was due to an NSA-backed takedown, perhaps tied to Edward Snowden’s use of the software in his leak of NSA documents. Others say a campaign to audit the code made the developers skittish, due to concerns that an audit would reveal security flaws.
Coming on the heels of the Heartbleed problems with OpenSSL earlier this year, the TrueCrypt abandonment underscores the importance of popular open source projects being organized and transparent, and tethered to a legal entity that can continue the project beyond the participation of the original developers.
The community is responding accordingly. In an effort to salvage TrueCrypt, Thomas Bruderer and Jos Doekbrijder established truecrypt.ch, a Switzerland-based collaboration with a mission to “organize a future” for TrueCrypt. That site allows users to download versions of TrueCrypt that had previously been made unavailable. Last month, Bruderer and Doekbrijder also launched the pure-privacy association to provide a legal framework for handling open-source project development in the privacy area. The TrueCrypt reboot is pure-privacy’s first project.
A true reboot of TrueCrypt may involve auditing and forking the code, normalizing the licensing of the code, and re-launching the project under a different name. The goal is to provide an open source cross-platform encryption option to succeed TrueCrypt. The new project is tentatively called “CipherShed.”
More information about the TrueCrypt revival can be found by following the @TrueCryptNext Twitter feed and by checking the website https://truecrypt.ch.