From Wikispooks
Revision as of 15:52, 27 August 2019 by Robin (talk | contribs) (Text replacement - " backdoor" to " backdoor")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Concept.png TrueCrypt 
(software,  encryption)Rdf-entity.pngRdf-icon.png
Widely praised disk encryption software, abruptly discontinued in 2015. Version 7.1a (not 7.2) is the latest fully functional version.

Sudden discontinuation

The software's Sourceforge page was abruptly edited in May 2015, to begin with the following red warning:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.

Since it is proprietary, closed-source software, the site's recommendation to switch to Microsoft's BitLocker makes no sense at all, and so some have interpreted it as an indication that the developers had been pressurised but prohibited from directly stating so, i.e. as a warrant canary.[1]

Warrant Canary?

Some speculated that "not secure as" may be a coded reference to the National Security Agency.[2] This was followed up by the observation that the whole phrase may contain a hidden acronym: "Using TrueCrypt is not secure as it may contain unfixed security issues" ~ "Uti NSA im cu si". The language and meaning of this is debated, but many interpret it as a warrant canary.[3][4]

Legal status

The code had a non-standard open source licence, and did allow derivative products, although the developers later commented discouraging this practice. It has been forked by other developers and the original code is being treated as abandonware. Perhaps the most notable fork is VeraCrypt.


TrueCrypt Version 7.1a was the last fully featured software. (7.2 was released only to encourage users to decrypt existing volumes.) In April 2015, TrueCrypt Version 7.1a successfully passed the second phase of a security audit, finding "no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances."[5][6] Mirrors of the truecrypt download page quickly appeared. GRC reports that Google were generating false-positive malware infection warnings about their mirror download page.[7]

Bug reports

It was reported in September 2015 that James Forshaw had found two bugs in the software, named CVE-2015-7358 and CVE-2015-7359, of which the former was "critical". Details of the bugs were not immediately released, but Forshaw advised switching to a forked version of the code, VeraCrypt.[8]