Widely used encryption program TrueCrypt is no longer under development and users are warned that the tool is no longer safe to use. “Warning: Using TrueCrypt is not secure as it may contain unfixed security issues,” reads TrueCrypt’s page on SourceForge.
According to the announcement, development for the service ended this month, after Microsoft put a stop to support for Windows XP. “Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. […] You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform,” developers said.
The site advises users on using BitLocker and offers a quick guide on how to migrate the data to the new tool.
Visitors to the regular truecrypt.org site have found themselves forwarded to the program’s home page on sourceforge.net, a page that seeks to help users transition to a life without TrueCrypt.
While many have hoped that the site was hacked and that it was all a hoax, there have been no big changes to the WHOIS and DNS records for the site, which most likely indicates that it’s all real.
Furthermore, the latest TrueCrypt version, which was uploaded a couple of days ago, displays the same key used to sign the previous installer file released back in January, effectively proving that everything is real.
TrueCrypt has been around for more than a decade as a free tool to add a protective layer to online private content. It quickly became the go-to program for people who wanted to encrypt sensitive files or entire hard drives.
TrueCrypt is a tool that was endorsed by Edward Snowden, the whistleblower who revealed the NSA’s mass surveillance apparatus to the world. Before he stole and shared the files from the intelligence agency, Snowden hosted a CryptoParty in Hawaii, where he talked about how the open source tool could be used to keep information safe from those who weren’t supposed to lay eyes on the data.
The tool even underwent a thorough audit last year, following media revelations that the NSA had been trying to install its own backdoors into encryption tools. Given its wide use, this was a particularly important topic, but the investigation didn’t reveal any problems.
This makes the warning that TrueCrypt is not secure all the more baffling, and it has sparked a lot of discussion online, especially on Twitter.
Matthew Green, one of the cryptography professors who handled the audit, was just as surprised by the announcement. However, he confirms that everything appears to be authentic, as he wrote on Twitter.
The suspicions continue to rage on, however, particularly due to the suddenness of the decision to shut down a decade-old tool. Cryptographers hope that volunteer programmers will pick up the job.