It appears that the TrueCrypt project is officially dead. At approximately 1800hrs the TrueCrypt project's SourceForge page was updated: its status was set to 'inactive' and new binaries were posted, ostensibly of 'TrueCrypt v7.2'. The main page featured the warning that "TrueCrypt is not secure as it may contain unfixed security issues." The signing keys used match those used previously, and Krebs notes that there have been no changes to delegation, etc.
Their rationale that TrueCrypt development was ended because Windows XP reached end-of-support seems curious, as there is no apparent relationship between the two. Their advice to abandon TrueCrypt for proprietary solutions like Microsoft's (almost certainly backdoored) BitLocker also seems odd.
Commenters on Schneier's blog have been discussing the various possibilities. The most plausible one mentioned is that the TrueCrypt team were compelled via an NSL or other government instrument to co-operate, and that burning down the project was potentially the only thing they could do. This would explain why they were unable to give a legitimate explanation and instead cited the ludicrous one regarding Windows XP support. Another possibility is that Matthew Green et al.'s TrueCrypt audit had spooked the authors in some way.
Just twelve hours ago I believed that this was a website compromise, but I am now convinced these actions were initiated by a member of the TC team and not by a malicious attacker. It is indeed possible that one of the developers has gone rogue, but I believe that it is almost a certainty at this point that TC – as we have known it, at least – is dead. Given the licensing issues (TC's license is not completely FOSS-friendly), it remains far from certain that anyone will fork the source from 7.1a and continue to develop the software.
This marks the death of the second free(ish) Windows full disk encryption suite, the first being FreeOTFE. The important thing to note is that TrueCrypt had several very large stumbling blocks in the way of its acceptance by the community – some of them technical, some of them legal and license-related, and the vast majority of them social. The shadowy TrueCrypt Foundation and the way the organization attempted to shield itself from any scrutiny made many understandably cautious of the software. Only several months ago on this very blog I detailed the myriad issues I have with TrueCrypt and advised readers not to trust the product and to instead seek alternatives. That said, there are no free and trustworthy full disk encryption products for Windows (and obviously, Windows itself – and the underlying Wintel architecture – has some major trust issues of its own).