What Happened to TrueCrypt, and Why You Should Care

What is TrueCrypt and what happened to it? TrueCrypt is, or was, a data encryption program. You could use it to create an encrypted container file holding a group of files, to encrypt a partition of a hard drive, or to encrypt an entire hard drive. It also worked on flash drives, so anyone carrying around sensitive data found TrueCrypt extremely useful.

It had a solid gold reputation: no one is known to have broken its encryption, it could encrypt unlimited amounts of data, and a recent independent review of the source code found no “back doors” that hackers (or the NSA) could use to break it. There was even a way to hide one encrypted volume inside another for what the TrueCrypt manual calls “Plausible Deniability”, that is, the ability to plausibly deny that you even have encrypted data even if someone has access to your hard drive (clearly they were envisioning darker scenarios than most of us ever encounter…).

So what’s the issue and what happened to it? Well, first of all it was built and maintained by an anonymous group known only as the TrueCrypt Team. Second, it was free and the project had no obvious source of revenue. The TrueCrypt Team did not use it as a sales tool to attract paying customers for security consulting, which would have been the most obvious way to monetize it.

But there are a lot of weird people in software, and every test of the software said it was exactly what it claimed to be. So many well-known industry gurus used it and swore by it (including Edward Snowden, apparently). What’s more, there was nothing else that did encryption quite as well for free.

There are currently two encryption applications that come close. One (DiskCryptor) is free but only encrypts an entire drive partition, so you have to know how to create a partition to use it. The other (Cypherix) is free for a version that encrypts very limited amounts of data; paid versions encrypt more.

Then on May 28 of this year (2014), an announcement appeared on the TrueCrypt site saying that development of TrueCrypt had ended and that users should be aware that TrueCrypt may not be secure “as it may contain unfixed security issues.” They released a final version of the program (7.2) that can only decrypt previously-encrypted volumes and cannot be used to create or encrypt any new ones.

To date, no explanation for TrueCrypt’s sudden demise has been put forth by anyone, although there is no shortage of theories. Many (myself included) continue to use the application, using previously-downloaded copies, which still work as they always did and still have not been cracked. There are some rumors that a software group will pick up the pieces and continue development, possibly under a new name.
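If you are going to keep running a previously-downloaded copy of a program whose vendor has vanished, the one check worth doing is to pin the files while you still trust them and re-verify the archive before every reinstall, so that a swapped installer or a missing signature file is caught. The script below is an added example written for this post; it is not TrueCrypt code and not from the TrueCrypt Team. The file names and contents it hashes are constructed for the demo; in practice you would point it at your own archive directory and keep the manifest somewhere the archive cannot overwrite.

```python
"""Pin and verify an archived installer set with a SHA-256 manifest.

Added example (not from the original post or the TrueCrypt project): record
SHA-256 digests of a downloaded copy while you still trust it, then re-check
the archive against that manifest before each reinstall. The file names and
contents below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(archive_dir):
    """Map every regular file under archive_dir (relative path) to its digest."""
    manifest = {}
    for root, _dirs, files in os.walk(archive_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, archive_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_archive(archive_dir, manifest):
    """Compare the archive against a pinned manifest.

    Returns a dict with three lists: files whose digest changed ('modified'),
    files the manifest lists but the archive lacks ('missing'), and files in
    the archive that were never pinned ('unexpected'). All three empty means
    the archive is exactly what you recorded.
    """
    current = build_manifest(archive_dir)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: pin an archive, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for an installer and its detached signature.
        with open(os.path.join(d, "Setup.exe"), "wb") as f:
            f.write(b"installer bytes (constructed)")
        with open(os.path.join(d, "Setup.exe.sig"), "wb") as f:
            f.write(b"detached signature (constructed)")

        pinned = build_manifest(d)
        clean = verify_archive(d, pinned)  # all three lists empty

        # Simulate tampering: the installer is altered, the signature file
        # disappears, and an unpinned file shows up in the archive.
        with open(os.path.join(d, "Setup.exe"), "ab") as f:
            f.write(b"\x90" * 16)
        os.remove(os.path.join(d, "Setup.exe.sig"))
        with open(os.path.join(d, "README.txt"), "wb") as f:
            f.write(b"not pinned")

        tampered = verify_archive(d, pinned)
        return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print(json.dumps({"clean": clean_result, "tampered": tampered_result}, indent=2))
```

Store the manifest (the dict returned by build_manifest, e.g. dumped as JSON) apart from the archive itself, ideally alongside any vendor signature you were able to verify at download time; a manifest that lives next to the files it protects can be rewritten by the same hand that alters them.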

Well, OK, this is interesting and intriguing, but what does it have to do with the majority of computer users who never use an encryption application? Quite a bit, as it turns out. While the loss of this application will not affect many, the implications of the sudden disappearance of a widely-used and trusted utility should give many of us pause. For example:

  1. Your website resides on a hosting service. Do you have a plan of action if that hosting service goes belly-up tomorrow? Do you have a backup copy of your website that you could upload to a new hosting service? Do you know what hosting service you would choose?
  2. You may have industry-specific software that maintains records vital to your business (medical or accounting records, for example). If the company behind that software disappears tomorrow, what are your options?
  3. Do you keep data in the cloud? How valuable is that data? What would happen to that data if the vendor you are using went bust or had a system failure? The vendor probably maintains backups, but how much can you trust their backups and how long would it take to get your hands on your backed-up data?
  4. In this world of cloud computing, we can find ourselves dependent upon a wide variety of companies that we have little or no information about. If these companies are providing services that are critical to the operation of our business, shouldn’t we know something about their financial status and their stability?

TrueCrypt may rise again. But whether it does or not, its misadventures have raised some important issues that many of us need to think about. Even if everyone (including industry gurus) takes some application or service for granted, you should at least think about your use of it and, quietly repeating the words “Remember TrueCrypt,” consider what you would do if it suddenly disappeared.