NSA Fallout: Can You Trust Security Companies?
TrueCrypt, a popular encryption service, has shut down without warning, prompting comparisons to the forced closure of Lavabit in August 2013.

On 8 August last year, encrypted email service Lavabit was abruptly taken offline, with its creator, Ladar Levison, citing legal reasons which prevented him from explaining why he was closing the service down.

Just last week Levison finally revealed that rather than allow the FBI to install a backdoor on the service, giving them unfettered access to all users' communications, he shut it down to protect his customers - of which Edward Snowden was one.

Nine months on from the mysterious shuttering of Lavabit, another well-known and trusted encryption service has this week been discontinued without warning.

TrueCrypt is a popular, open-source disk encryption tool which has been downloaded 28 million times (including by Snowden) since its initial release in 2004, but which has now been discontinued by the anonymous group of developers who created it.

Warning

On Wednesday the TrueCrypt website began redirecting to a site on the source code repository SourceForge.net with a message that read:

"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues."

The message goes on to say:

"This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform."

The page includes directions on how to transition disks which were encrypted with TrueCrypt to BitLocker, Microsoft's proprietary encryption tool which ships only with Ultimate, Enterprise or Pro editions of Windows.

Signature

TrueCrypt Shut Down Without Warning

Initially many in the security sector believed that the site had been defaced and that this was not the work of the developers behind the project - developers who had worked hard to keep their identities secret - but that the service had been hijacked by outside forces.

However, further investigation by security researchers Brian Krebs and Matthew Green proved that this in all likelihood was not a hoax, but the deliberate work of those behind TrueCrypt:

"I think the TrueCrypt team did this. They decided to quit and this is their signature way of doing it," Green said on Thursday.

Green has been one of the most vocal critics of TrueCrypt in the past, and helped organise a full security audit of the software earlier this year, with initial results published in April finding no major security flaws or backdoors.

Set it on fire

The future for TrueCrypt remains unclear. While the code is open source, the licensing arrangement means it is unknown whether those who use it have the right to modify it and use it within other projects.

Green added that he thinks the way the end of TrueCrypt has been handled would suggest the developers wanted to bury it forever:

"There are a lot of things they could have done to make it easier for people to take over this code, including fixing the licensing situation. But maybe what they did today makes that impossible. They set the whole thing on fire, and now maybe nobody is going to trust it because they'll think there's some big evil vulnerability in the code."

Keep TrueCrypt

It is easy to imagine the people behind TrueCrypt facing the same situation as Levison and, rather than compromising the security of TrueCrypt's users, deciding to try to destroy it forever.

Green, who helped raise $70,000 to fund the audit into the code, says he still has $30,000 of that money left and is planning on finishing what he started, by completing the audit this summer.

"Before this happened, we were in process of working with people to look at the crypto side of the code, and that was the project we were going to get done over this summer," Green said. "Hopefully, we'll be able to keep TrueCrypt."