Yesterday (May 28th, 2014) the truecrypt.org website suddenly started redirecting to the project page on SourceForge. The redirected webpage claims TrueCrypt is insecure and won’t be fixed, and urges people to migrate to Microsoft’s proprietary, Windows-only BitLocker solution (TrueCrypt is multi-platform and supports multiple Linux distributions as well as Windows).
As of right now (5/29/14 at 10:00 EST), there is no further information available. There is however quite a bit of Internet echo-chamber effect and a rising tide of hysteria from many corners (a lot of Fear, Uncertainty and Doubt aka FUD). Even Brian Krebs is reporting the sudden change at face value (http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/).
There are many scenarios that would explain this very sudden switch-over. I’m going to try to avoid those and focus on some facts here:
- TrueCrypt is open source software. The source code is still available, including the code before the most recent changes. If there are security holes in it, they could be fixed (though speculating about the resources that would take is pointless).
- TrueCrypt is cross-platform. It runs not just on Microsoft Windows but also on Linux and Mac OS X. However, the current SourceForge page for the TrueCrypt project makes only a glancing reference to those platforms and focuses entirely on migrating to BitLocker on Windows. There’s a sub-page that mentions other platforms, but even for Linux it only tells you to use the TrueCrypt 7.2 binaries (there are *nix programs besides TrueCrypt that can at least read TrueCrypt containers).
- While it is true that the current binaries on the TrueCrypt webpage are signed with the same keys as earlier binaries, and the truecrypt.org domain registration still uses the same nameservers, the original static webpage for TrueCrypt.org has been removed and replaced with a redirect to the SourceForge project page. Sub-pages of any sort, however, use a meta-refresh redirect, which indicates that the entire website directory was moved aside and a new webserver configuration put in place.
- Since the TrueCrypt announcement does not give any details on the supposed insecurity of TrueCrypt, it’s unknown whether the problem would be in the code, the container format, the encryption algorithms or some combination thereof. Note that Microsoft ending support for Windows XP is not a hard barrier to continued TrueCrypt development either.
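The redirect observation above can be checked rather than taken on trust. As an added example (not code from the original post), the script below tells a webserver-level redirect (3xx status plus Location header) apart from an HTML meta-refresh served on an ordinary 200 page; the sample responses, paths and target host are constructed and hypothetical.

```python
# Added example (not from the original post): tell a web-server redirect
# (3xx status + Location header) apart from an HTML meta-refresh redirect
# served on an ordinary 200 page. Sample responses below are constructed.
import re
from html.parser import HTMLParser


class _MetaRefreshFinder(HTMLParser):
    """Collects the target URL of each <meta http-equiv="refresh" content="N;url=..."> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0;url=http://..." (quotes around the URL are optional)
        m = re.match(r"\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1))


def classify_redirect(status, headers, body):
    """Return ('server', target), ('meta-refresh', target) or ('none', None)."""
    hdr = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdr:
        return ("server", hdr["location"])
    finder = _MetaRefreshFinder()
    finder.feed(body)
    if finder.targets:
        return ("meta-refresh", finder.targets[0])
    return ("none", None)


# Constructed sample responses; paths and the target host are hypothetical.
SAMPLES = {
    "/": (301, {"Location": "http://example.invalid/project/"}, ""),
    "/docs/faq.php": (200, {"Content-Type": "text/html"},
                      '<html><head><meta http-equiv="refresh" '
                      'content="0;url=http://example.invalid/project/"></head></html>'),
    "/about": (200, {"Content-Type": "text/html"}, "<html><body>still here</body></html>"),
}


def survey(samples=SAMPLES):
    """Map each path to its redirect kind so the site-wide pattern is visible."""
    return {path: classify_redirect(*resp)[0] for path, resp in samples.items()}
```

A root path answered by the webserver itself while every sub-page carries a meta-refresh is the pattern the post describes; seeing it across many paths is what points to a wholesale directory move rather than a handful of edited pages.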
What do these facts mean? There is no reason to do anything immediately. There are alternative ways to access TrueCrypt containers that do not require decrypting TC containers wholesale. Many trustworthy individuals will probably have untainted, archived binaries. The source code can be forked and new projects spun up around it (FOSS shows its greatest resilience and strength in times like this). And lastly but most importantly: we do not have any sort of out-of-band verification of this announcement.
At this point I see no reason to abandon use of TrueCrypt. Planning for the possibility is not unreasonable, but a rushed migration without all the questions answered could seriously risk the secrecy of your data. It will not take long for more concrete details to emerge, or for a successful fork of the code to be established by trustworthy individuals.