TrueCrypt, the popular open-source encryption program, on Wednesday unexpectedly recommended that users drop its product and shift to Microsoft’s BitLocker.
TrueCrypt’s Web page redirected itself to a SourceForge repository, which carried the following warning:
“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues,” a note at the top of the page read. “This page exists only to help migrate existing data encrypted by TrueCrypt.”
The site continued: “The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP,” it read. “Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”
The page then goes on to describe how users should migrate their data from TrueCrypt to an encrypted BitLocker drive. (Note: BitLocker is only available in the Windows 7 Pro and Ultimate Editions, as well as Windows 8.1 Pro and Windows 8.1 Enterprise, making this a solution of limited use, reader Wesley Novack points out.)
The move was especially puzzling, given that TrueCrypt, a popular security choice for PCWorld users for several years, had recently passed the first round of a security audit. iSec, the firm that did the audit, found 11 flaws, but none that were immediately exploitable. Otherwise, iSec said it “found no evidence of backdoors or intentional flaws”.
Matthew Green, who teaches cryptanalysis at Johns Hopkins and who worked on the audit, tweeted that he thought the change was a legitimate exit on the part of the developer, and not a hack. He said that he had attempted to contact the developers, and not heard back from them yet. But The Register is reporting that the most recent version of TrueCrypt appears compromised.
Last I heard from Truecrypt: "We are looking forward to results of phase 2 of your audit. Thank you very much for all your efforts again!"— Matthew Green (@matthew_d_green) May 29, 2014
In the meantime, it’s probably best that users who were going to download TrueCrypt simply hold off, until more information is revealed.
This story was updated at 9:38 AM on May 29 with additional details.