Ciphershed: TrueCrypt, Rebooted

It’s been about a week since the developers of TrueCrypt discontinued their project in a baffling and controversial way. There have been a number of forks of the code base including – which has already been mentioned previously on this blog. The other effort, now known as Ciphershed, was spearheaded by Bill Cox, and following my correspondence with him about his team and their project, I figured that it was only fair that we provide a brief overview of the project and its goals to my readers.

I’ve noted that forks can often dissolve community trust in a project. I think it is important to note for the record that Ciphershed notes on their website that they have reached out to in an attempt to merge their two projects, but this appears an unlikely proposition given the personalities involved. It appears that the Ciphershed project already has a greater level of organization, with actual development already taking place and several well-known identities getting involved. Bill stated that it is his fervent hope that Ciphershed will save TrueCrypt. Given the importance of having an open source multi-platform FDE solution, I can only hope that the project moves forward despite significant hurdles – namely the not-so-friendly licensing terms of the TC code, the decidedly average code quality in some parts of TC (namely the boot loader) and the dependency on a decade-old Microsoft compiler.

I’ve contacted Bill to see if he would be interested in writing a few words about the project, and hopefully he can do so and directly speak about how Ciphershed intends to bring TC into the 21st century, namely whether a new boot loader is planned in order to support UEFI and whether they have given any consideration to modifying the on-disk format and default cipher selections. I should note that the project has already placed an audit ‘roadmap’ up for public comment – detailing how they propose to address deficiencies found in the code audit.

On a related note, several people have asked for a reliable source for 7.1a. There are several mirrors of the code available, the two linked here being that of Steve Gibson and the OpenCryptoAudit’s GitHub page. Note that the MD5 hashes provided below are courtesy of OCA and that I have not personally verified their accuracy or authenticity.

win32 installer (md5:7a23ac83a0856c352025a6f7c9cc1526) [grc], [oca]
mac osx dmg (md5:89affdc42966ae5739f673ba5fb4b7c5) [grc], [oca]
src in a tgz (md5:102d9652681db11c813610882332ae48) [grc], [oca]
