151
submitted 3 weeks ago by oyzmo@lemmy.world to c/asklemmy@lemmy.world

What really happened to TrueCrypt back in 2014? Did anyone ever find out?

It was a widely used encryption tool that was suddenly dropped with the message "not safe, use something else".

all 24 comments
[-] bamboo 68 points 3 weeks ago

My assumption has been that the author was pressured to add a backdoor or abandon the project since it was an issue for law enforcement. After TrueCrypt stopped releasing new versions, it was audited and there was no sign of any backdoor or flaw in the encryption. Now on-device encryption is more common, but so are cloud backups, and law enforcement has found that cloud backups are much easier to subpoena. Plus there is a more mature industry for law enforcement to provide tools to bypass encryption without the developer complying.

[-] audaxdreik@pawb.social 26 points 3 weeks ago

This was always my assumption as well. When they quit the project, didn't they leave some message recommending Microsoft BitLocker as an alternative? Everyone at the time interpreted this as the clearest "they're already in the room with me" warning sign, given that that kind of project would NEVER reasonably make such a closed source, corporate centered recommendation ...

[-] Shadow@lemmy.ca 19 points 3 weeks ago

Also, if you sign into the Microsoft cloud, your BitLocker keys are backed up there.

[-] vividspecter@aussie.zone 35 points 3 weeks ago

It was forked to VeraCrypt, from memory. And LUKS was already widely available on Linux as an alternative.

[-] beSyl@slrpnk.net 30 points 3 weeks ago

This is not really the question though. It was forked BECAUSE of the whole "fiasco". OP is asking what happened, as in, what made the dev give up on the project. This was a big topic back then.

[-] GamingChairModel@lemmy.world 4 points 3 weeks ago

> And LUKS was already widely available on Linux as alternative.

Yeah, I found LUKS and LVM to be more intuitive for creating encrypted partitions, and had that on my daily driver by around 2009 or so, so I never really felt the need to try TrueCrypt.

[-] ITGuyLevi@programming.dev 2 points 3 weeks ago

Yeah but I never found a way to do whole disk encryption with a decoy OS like TrueCrypt could. Really I don't have a need for that, but it was an amazing feature in my mind.

[-] DarkAri 35 points 3 weeks ago* (last edited 3 weeks ago)

The story I heard is that the creator got a national security letter, which forced him to add backdoors or go to prison, and so he did the minimum necessary by law, meaning the last few versions of it are probably compromised, but also took out a clause from the user agreement that stated that he had not received an NSL. That was sort of a canary to get around the gag order and stuff at the time.

Honestly who knows though? That was over 10 years ago when I heard that.

If I had to guess, he was using his own encryption method that wasn't crackable. It is well known that the NSA bought up some standard-setting organizations for encryption. Normally rolling your own encryption would be risky if you don't know how to depattern it. I suspect that many common encryption standards are picked because they have a shortcut to cracking them.

[-] bamboo 36 points 3 weeks ago

All of these claims are easily checked from the archived version of the site. It was not using a home-grown encryption algorithm.

The last version released was independently audited and "found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances".

I had never heard of the warrant canary for TrueCrypt, and quickly searching for news of the time, I was unable to find anything to indicate that there was ever a mention of an NSL on the website, so there was nothing to remove if they were served with an NSL.

[-] snooggums@piefed.world 6 points 3 weeks ago

If he received a national security letter that had an indication of the government possibly taking over the project and adding in their own back door, that would be a reason to say the software wasn't safe (from future changes). If there wasn't follow-through, then it would pass an audit.

[-] _cryptagion@anarchist.nexus 15 points 3 weeks ago

TrueCrypt used the encryption method you chose; it didn't have a custom one. Usually that entailed triple-layer encryption such as AES-Twofish-Blowfish, but you could use weaker encryption if you desired to.

[-] Pat@feddit.nu 17 points 3 weeks ago

IIRC (but don't quote me on it), it had some vulnerability, and they were gag-ordered not to touch it by some government, and that was the extent to which they could.

[-] lazynooblet@lazysoci.al 13 points 3 weeks ago

I've read multiple times that no vulnerability has ever been found, so I'm interested in knowing more about this.

[-] MarriedCavelady50@lemmy.ml 15 points 3 weeks ago

We have nothing but speculation. Dude could have just gotten tired. Appreciate that the developer announced no future development.

[-] Funky_Beak@lemmy.sdf.org 6 points 3 weeks ago

I remember it happening. There was no backdoor. It was during that time there was a push to put backdoors in or weaken public encryption in the name of national security. TrueCrypt didn't want to play and were threatened with possible legal action. Rather than fight it, they decided to stop the project.

[-] silentdon@lemmy.world 6 points 3 weeks ago

Was the developer ever heard from again? One possible theory is that they died suddenly. This is assuming that the team was actually one guy.

[-] hperrin@lemmy.ca 5 points 3 weeks ago

It could be the same thing that happened to me. The dev could have realized what people were using it for and quit to not be a part of that.

I used to run an encrypted messenger called Tunnelgram. It had some advantages and disadvantages compared to something like Signal (signing in on multiple devices, the web, you didn’t need an existing device to set up a new one, the chat history was saved on the server (encrypted), groups were easy to manage and new users could be added on the fly and see all the old messages, but it didn’t have forward secrecy (if someone got your key, they could see all the messages you sent in the future)). After Jan 6, and reading about how the insurrectionists planned their attacks on encrypted messengers, I just didn’t want to be a part of that anymore.
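The comment above describes the property that a static per-user key lacks: once the key leaks, every message ever sent with it is readable. The following is an added illustration (not Tunnelgram or Signal code, and not from the original thread) that simulates two toy messengers with only the Python standard library: one that encrypts every message under the same key, and one that advances the key through a one-way hash ratchet after each message and discards the old key. The stream cipher (HMAC-SHA256 in counter mode, XORed into the plaintext), the ratchet function and the sample messages are all constructed here for demonstration. A pure hash ratchet gives forward secrecy for messages sent before a compromise; it does not by itself protect messages sent after one, which is why Signal's design adds a Diffie-Hellman ratchet on top.

```python
import hashlib
import hmac


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 over a counter, truncated to `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # XOR with the keystream; decryption is the same operation.
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt


def ratchet(key: bytes) -> bytes:
    """One-way step: the next key can be derived from this one, never the reverse."""
    return hashlib.sha256(b"toy-ratchet-v1" + key).digest()


def send_static(key: bytes, messages: list[bytes]) -> list[bytes]:
    """Messenger A: every message is encrypted under the same long-lived key."""
    return [encrypt(key, m) for m in messages]


def send_ratcheted(initial_key: bytes, messages: list[bytes]) -> tuple[list[bytes], list[bytes]]:
    """Messenger B: message i is encrypted under key i, then key i is replaced by ratchet(key i).

    Returns (ciphertexts, keys), where keys[i] is the key a device held just before
    sending message i. In a real client only the newest key would remain on disk.
    """
    ciphertexts, keys = [], []
    key = initial_key
    for m in messages:
        keys.append(key)
        ciphertexts.append(encrypt(key, m))
        key = ratchet(key)
    return ciphertexts, keys


def compromise_static(stolen_key: bytes, ciphertexts: list[bytes]) -> list[bytes]:
    """With the single static key, an attacker reads the entire history."""
    return [decrypt(stolen_key, c) for c in ciphertexts]


def compromise_ratcheted(stolen_key: bytes, ciphertexts: list[bytes], stolen_at: int) -> dict[int, bytes]:
    """Attacker who obtained the key in use at index `stolen_at`.

    They can ratchet forward and read messages stolen_at, stolen_at+1, ...,
    but cannot invert the hash to reach earlier keys, so earlier messages stay private.
    """
    recovered = {}
    key = stolen_key
    for i in range(stolen_at, len(ciphertexts)):
        recovered[i] = decrypt(key, ciphertexts[i])
        key = ratchet(key)
    return recovered


# Constructed sample conversation (not real data).
SAMPLE_MESSAGES = [b"meet at 10", b"bring the docs", b"running late", b"done"]
SAMPLE_KEY = hashlib.sha256(b"constructed-demo-key").digest()


def demo() -> dict:
    """Compare what a key theft at message index 2 exposes under each scheme."""
    static_cts = send_static(SAMPLE_KEY, SAMPLE_MESSAGES)
    static_exposed = compromise_static(SAMPLE_KEY, static_cts)

    ratchet_cts, keys = send_ratcheted(SAMPLE_KEY, SAMPLE_MESSAGES)
    ratchet_exposed = compromise_ratcheted(keys[2], ratchet_cts, stolen_at=2)

    return {
        "static_exposed_count": len(static_exposed),          # all 4 messages
        "ratchet_exposed_indices": sorted(ratchet_exposed),   # only [2, 3]
        "earliest_message_readable": decrypt(keys[2], ratchet_cts[0]) == SAMPLE_MESSAGES[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the static scheme exposing all four messages while the ratcheted scheme exposes only the two sent at or after the theft; the third line confirms that the stolen key cannot decrypt the first message, because nothing lets the attacker walk the hash chain backwards.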

[-] nutsack@lemmy.dbzer0.com 6 points 3 weeks ago

that's weird

[-] tomsh@lemmy.world 1 point 3 weeks ago

Try searching "truecrypt" and "criminals".

[-] tomsh@lemmy.world 4 points 3 weeks ago

To explain, I read about this many years ago. It's about a journalist who tried to find out what was happening with TrueCrypt, and it turned out it was apparently connected to serious criminals who were killing people, etc. The story is actually really interesting, and I'd love to find the original piece. I have nothing against TrueCrypt, and in fact, I used it back then and still use it now (VeraCrypt).

[-] brbposting@sh.itjust.works 4 points 3 weeks ago

Maybe March 30, 2016:

The Strange Origins of TrueCrypt, ISIS’s Favored Encryption Tool

By Evan Ratliff for The New Yorker (paywall)

In ISIS's training and operational planning, Callimachi reported, the group appeared to routinely use a piece of software called TrueCrypt. When one would-be bomber was dispatched from Syria to France, Callimachi writes, "an Islamic State computer specialist handed him a USB key. It contained CCleaner, a program used to erase a user's online history on a given computer, as well as TrueCrypt, an encryption program that was widely available at the time and that experts say has not yet been cracked."

[-] tomsh@lemmy.world 2 points 3 weeks ago* (last edited 3 weeks ago)

That wasn't the article. It was in some lesser-known magazine (maybe even a blog) and it wasn't about ISIS or the terrorists we know today. It was written specifically about the guy who created the program and his connection to drug cartels, if I remember correctly.

this post was submitted on 31 Oct 2025
151 points (100.0% liked)
