My assumption has been that the author was pressured to add a backdoor or abandon the project since it was an issue for law enforcement. After TrueCrypt stopped releasing new versions, it was audited and there was no sign of any backdoor or flaw in the encryption. Now on-device encryption is more common but so are cloud backups, and law enforcement has found that going after cloud backups is much easier to subpoena. Plus there is a more mature industry for law enforcement to provide tools to bypass encryption without the developer complying.
Ask Lemmy
A Fediverse community for open-ended, thought provoking questions
This was always my assumption as well. When they quit the project, didn't they leave some message recommending Microsoft BitLocker as an alternative? Everyone at the time interpreted this as the clearest "they're already in the room with me" warning sign, given that that kind of project would NEVER reasonably make such a closed source, corporate centered recommendation ...
Also if you sign into the Microsoft cloud, your BitLocker keys are backed up there.
"For your convenience"
It was forked to VeraCrypt from memory. And LUKS was already widely available on Linux as an alternative.
This is not really the question though. It was forked BECAUSE of the whole "fiasco". OP is asking what happened, as in, what made the dev give up on the project. This was a big topic back then.
And LUKS was already widely available on Linux as alternative.
Yeah, I found LUKS and LVM to be more intuitive for creating encrypted partitions, and had that on my daily driver by around 2009 or so, so I never really felt the need to try TrueCrypt.
Yeah but I never found a way to do whole disk encryption with a decoy OS like TrueCrypt could. Really I don't have a need for that, but it was an amazing feature in my mind.
The story I heard is that the creator got a national security letter, which forced him to add backdoors or go to prison, and so he did the minimum necessary by law, meaning the last few versions of it are probably compromised, but also took out a clause from the user agreement that stated that he had not received a NSL. That was sort of a canary to get around the gag order and stuff at the time.
Honestly who knows though? That was over 10 years ago when I heard that.
If I had to guess he was using his own encryption method that wasn't crackable. It is well known that the NSA bought up some standard setting organizations for encryption. Normally rolling your own encryption would be risky if you don't know how to depattern it. I suspect that many common encryption standards are picked because they have a shortcut to cracking them.
All of these claims are easily able to be checked from the archived version of the site. It was not using a home-grown encryption algorithm.
The last version released was independently audited and "found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances"
I had never heard of the warrant canary for TrueCrypt, and quickly searching for news of the time, was unable to find anything to indicate that there was ever a mention of NSL on the website, so nothing to remove if they were served with a NSL.
If he received a national security letter that had an indication of the government possibly taking over the project and adding in their own back door, that would be a reason to say the software wasn't safe (from future changes). If there wasn't follow through then it would pass an audit.
TrueCrypt used the encryption method you chose, it didn't have a custom one. Usually that entailed triple layer encryption such as AES-Twofish-Blowfish, but you could use weaker encryption if you desired to.
IIRC (but don't quote me on it), it had some vulnerability, and was gag-ordered to not touch it by some government, and that was the extent to which they could.
I've read multiple times that no vulnerability has ever been found, so I'm interested in knowing more about this.
The Internet was rife with rumors at the time, this is likely just an echo of the rampant speculation that was occurring.
It was around the time that TOR hidden services were making their way into mainstream tech circles (and law enforcement) and people were getting arrested with encrypted hard drives and law enforcement was upset that they couldn't subpoena Mathematics and force it to turn over the keys.
So, when ~~Bitlocker~~ Truecrypt stopped updating and the message appeared people just tied it into the things that were happening at the time.
So, when Bitlocker stopped updating and the message appeared people just tied it into the things that were happening at the time.
I think you wanted to say truecrypt
x.x
My brain and fingers are conspiring to make me look dumb.
Was the developer ever heard from again? One possible theory is that they died suddenly. This is assuming that the team was actually one guy.
I remember it happening. There was no backdoor. It was during that time there was a push to put backdoors or weaken public encryption in the name of national security. TrueCrypt didn't want to play and were threatened with possible legal action. Rather than fight it they decided to stop the project.
It could be the same thing that happened to me. The dev could have realized what people were using it for and quit to not be a part of that.
I used to run an encrypted messenger called Tunnelgram. It had some advantages and disadvantages compared to something like Signal (signing in on multiple devices, the web, you didn’t need an existing device to set up a new one, the chat history was saved on the server (encrypted), groups were easy to manage and new users could be added on the fly and see all the old messages, but it didn’t have forward secrecy (if someone got your key, they could see all the messages you sent in the future)). After Jan 6, and reading about how the insurrectionists planned their attacks on encrypted messengers, I just didn’t want to be a part of that anymore.
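The comment above contrasts a messenger that keeps one long-term key per user with one that has forward secrecy. The following is an added illustration, not Tunnelgram's or Signal's code, of what that property buys: with a static key, a later device compromise lets an attacker who recorded the traffic decrypt every message; with a one-way hash ratchet (each chain key derived from the previous one with HMAC and the old one deleted), the same compromise only exposes messages from the leaked state onward, because earlier chain keys cannot be recovered from a later one. The sample messages are constructed, and the HMAC-counter keystream is a stand-in for a real AEAD cipher, chosen only so the example runs on the standard library.

```python
import hashlib
import hmac
import os

# Constructed sample conversation, not taken from the thread.
MESSAGES = [b"meet at noon", b"bring the documents", b"plan changed, 3pm"]


def keystream(key: bytes, length: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256 over a counter.
    This only stands in for a real cipher so the key handling can be shown."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- scheme 1: one long-term key, per-message keys derived directly from it ---

def static_message_key(root_key: bytes, index: int) -> bytes:
    # Every message key is a function of the root key alone, so whoever
    # obtains the root key can derive the key for any message, past or future.
    return hmac.new(root_key, b"msg" + index.to_bytes(4, "big"), hashlib.sha256).digest()


def encrypt_static(root_key: bytes, messages):
    return [xor(m, keystream(static_message_key(root_key, i), len(m)))
            for i, m in enumerate(messages)]


def decrypt_static(root_key: bytes, ciphertexts):
    return [xor(c, keystream(static_message_key(root_key, i), len(c)))
            for i, c in enumerate(ciphertexts)]


# --- scheme 2: symmetric hash ratchet (forward secrecy) ---

def ratchet_step(chain_key: bytes):
    """Derive this message's key and the next chain key; the old chain key is
    discarded, and HMAC cannot be run backwards to recover it."""
    msg_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    return msg_key, next_chain


def encrypt_ratchet(chain_key: bytes, messages):
    ciphertexts, states = [], [chain_key]
    for m in messages:
        msg_key, chain_key = ratchet_step(chain_key)
        ciphertexts.append(xor(m, keystream(msg_key, len(m))))
        states.append(chain_key)
    # states[i] is the chain key held just before message i was sent. A real
    # client keeps only the newest one; the list is kept here to simulate a
    # compromise at a chosen point in time.
    return ciphertexts, states


def decrypt_ratchet_from(chain_key: bytes, ciphertexts, start: int):
    """What an attacker holding the chain state valid at `start` can read."""
    recovered = {}
    for i in range(start, len(ciphertexts)):
        msg_key, chain_key = ratchet_step(chain_key)
        recovered[i] = xor(ciphertexts[i], keystream(msg_key, len(ciphertexts[i])))
    return recovered


def compare_exposure(messages, compromise_at: int):
    """Indexes of messages an attacker who recorded all traffic can read after
    seizing the sender's key material at time `compromise_at`, per scheme."""
    root = os.urandom(32)

    static_ct = encrypt_static(root, messages)
    static_exposed = [i for i, p in enumerate(decrypt_static(root, static_ct))
                      if p == messages[i]]

    ratchet_ct, states = encrypt_ratchet(root, messages)
    leaked_state = states[compromise_at]
    recovered = decrypt_ratchet_from(leaked_state, ratchet_ct, compromise_at)
    ratchet_exposed = sorted(i for i, p in recovered.items() if p == messages[i])

    return {"static": static_exposed, "ratchet": ratchet_exposed}


if __name__ == "__main__":
    # Device seized after the first two messages were sent.
    print(compare_exposure(MESSAGES, 2))  # {'static': [0, 1, 2], 'ratchet': [2]}
```

Note that this ratchet only protects messages sent before the compromise. Anything sent after the leaked state is still readable, which is why protocols such as Signal add a Diffie-Hellman ratchet on top to heal the session once fresh key material is exchanged.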
that's weird