The development of TrueCrypt, the popular open-source application used to encrypt files, partitions and entire storage devices, has come to an abrupt end after a warning message appeared on the application’s SourceForge development pages.
The sudden, ominous warning has caused widespread speculation, including that the application may have been compromised by the US National Security Agency (NSA).
“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues,” read the message.
It continued: “The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images.
“Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”
However, TrueCrypt was recently professionally audited in response to fears that the NSA had compromised the software and, while sloppy coding practices were revealed, the auditors say that they did not find any evidence of compromise.
Matthew Green, a cryptography specialist working at John Hopkins University in the US who led the auditing initiative, said that he believed the announcement to be authentic. He claims that he is endeavouring to contact the secretive cabal of developers to find out more.
Security commentator Brian Krebs also argued that the announcement was probably legitimate and that the software was being retired by the developers.
“The last version of TrueCrypt uploaded to the site on May 27 (still available at this link) shows that the key used to sign the executable installer file is the same one that was used to sign the program back in January 2014 (hat tip to @runasand and @pyllyukko). Taken together, these two facts suggest that the message is legitimate, and that TrueCrypt is officially being retired,” Krebs wrote in a blog posting.
The current version available for download on TrueCrypt’s SourceForge pages contains changes warning that the application is not safe to use, while the new release enables users to decrypt already-encrypted data, but without the ability to create new encrypted volumes.
Users of TrueCrypt have been advised to migrate to alternative encryption software.