The developers of TrueCrypt, a once highly respected, open-source encryption application, have apparently folded their tents and disappeared.
Left behind are questions and paranoia — and a message that users should migrate to other encryption platforms.
Leading the way to public data encryption
TrueCrypt was first released back in 2004 — well before most other mass-market encryption platforms became mainstream, and certainly long before we became aware that the U.S. National Security Agency (NSA) was trying to tinker with these security apps for its own ends. It was built and has been maintained by an anonymous group of developers known simply as the TrueCrypt team. According to Wikipedia, the TrueCrypt moniker is “registered in the Czech Republic under the name “David Tesařík.”
TrueCrypt’s developers based their new encryption software on E4M (Encryption for the Masses) — code that was, according to a February 2004 usenet thread, stolen from security company SecurStar by ex-employee and E4M author Paul Le Roux. That dispute effectively shut down TrueCrypt distribution for several months.
TrueCrypt 2.0 was released in June 2004 and updated off and on until 2012. But then there were no new releases the following two years — a fact noted by several Windows Secrets readers who expressed concern that their favorite encryption software did not officially support Windows 8 or 8.1; nor did it support computers equipped with a Unified Extensible Firmware Interface BIOS. These enhancements were reportedly promised but never delivered.
One of the fundamental concepts of open-source software is that it can be audited for security flaws by any competent developer — not just by its authors. With millions of active TrueCrypt users, there was, not surprisingly, growing concern over the software’s lack of updates and the resulting possibility of new vulnerabilities.
That led to the creation of the not-for-profit Open Crypto Audit Project (OCAP; site), tasked primarily to conduct an external security audit of TrueCrypt’s code. The project would be funded via crowdsourcing, and various programming and security experts would volunteer their time.
The life and untimely demise of TrueCrypt