Although the disappearance of the TrueCrypt site, whose ever-presence the Internet community long ago grew to take for granted, shocked and surprised many, it clearly came as no surprise to the developers who maintained the site and its namesake code for the past ten years. An analysis of the extensive changes made to TrueCrypt's swan song v7.2 release, and to the code's updated v3.1 license, shows that this departure, which was unveiled without preamble, was in fact quite well planned.

For reasons that remain a titillating source of hypothesis, intrigue and paranoia, TrueCrypt's developers chose not to graciously turn their beloved creation over to a wider Internet development community, but rather, as has always been their right granted by TrueCrypt's longstanding license, to attempt to kill it off by creating a dramatically neutered 7.2 version that can only be used to view, but no longer to create new, TrueCrypt volumes.

Then, leveraging the perverse and wrongheaded belief that software whose support was just cancelled renders it immediately untrustworthy, they attempted to foreclose on TrueCrypt's current and continued use by warning the industry that future problems would remain unrepaired. This being said of the latest 7.1a version of the code that has been used by millions, without change, since its release in February of 2012, more than 27 months before. Suddenly, for no disclosed reason, we should no longer trust it?

But that's not the way the Internet works. Having created something of such enduring value, which inherently requires significant trust and buy-in, they are rightly unable to now take it back. They might be done with it, but the rest of us are not.

The developers' jealousy is perhaps made more understandable by examining the code they have created. It is truly lovely. It is beautifully constructed. It is amazing work to be deeply proud of. Creating something of TrueCrypt's size and complexity, and holding it together as they did across the span of a decade, is a monumental and truly impressive feat of discipline. So it is entirely understandable when they imply, as quoted below, that they don't trust anyone else to completely understand and maintain their creation as they have. Indeed, it will not be easy. They might look at the coding nightmare atrocity that OpenSSL became over the same span of time and think: “Better to kill off our perfect creation than turn it over to others and have it become that.”

TrueCrypt's creators may well be correct. TrueCrypt may never be as pure and perfect as it is at this moment, today—in the form they created and perfected. Their true final version, 7.1a, may be the pinnacle of this story. So anyone would and should be proud to use and to continue to use this beautiful tool as it is today.

TrueCrypt's formal code audit will continue as planned. Then the code will be forked, the product's license restructured, and it will evolve. The name will be changed because the developers wish to preserve the integrity of the name they have built. They won't allow their name to continue without them. But the world will get some future version, that runs on future operating systems, and future mass storage systems.

There will be continuity . . . as an interesting new chapter of Internet lore is born.

So it appears that the unexpected (putting it mildly) disappearance of TrueCrypt.org and the startling disavowal of TrueCrypt's bullet proof security will turn out to be a brief disturbance in the force. We should know much more about a trustworthy TrueCrypt in the late summer of 2014.

My two blog postings on the day, and the day after, TrueCrypt's self-takedown:

• Whither TrueCrypt?
• An Imagined Letter from the TrueCrypt Developer(s)

My third and final posting about this page, in order to allow feedback.
The posting generated many interesting comments:

• Yes . . . TrueCrypt is still safe to use.

Additional online TrueCrypt sites and repositories:

• The reconstructed browsable version of the truecrypt.org website. A terrific Canadian web developer, Andrew Y. (who also created the ScriptSafe Chrome browser extension to duplicate the script-disabling of Firefox's NoScript), captured some of the TrueCrypt.org website before it disappeared from the Internet and then reconstructed the missing pieces using the PDF manual. The result is a terrific web-browsable site for TrueCrypt.
• TrueCrypt.ch: A just launched, Swiss-based, possible new home for TrueCrypt. Follow these folks on Twitter: @TrueCryptNext. Given the deliberate continuing licensing encumbrance of the registered TrueCrypt trademark, it seems more likely that the current TrueCrypt code will be forked and subsequently renamed. In other words . . . for legal reasons it appears that what TrueCrypt becomes will not be called “TrueCrypt.”
• github.com/DrWhax/truecrypt-archive: This is a frequently cited and trusted archive maintained by Jurre van Bergen (@DrWhax) and Stefan Sundin. It contains a nearly complete, historical repository of previous TrueCrypt versions, tracking its evolution all the way back to when it was previously named “ScramDisk” (which is when we were first using and working with it).
• github.com/syglug/truecrypt: Another TrueCrypt v7.1 archive, though apparently not the latest. But readily browsable if someone wishes to poke around within the source with their web browser.
• IsTrueCryptAuditedYet.com: This is the home of the TrueCrypt auditing project. As the audit moves into its next phase, digging past the startup and boot loader and into the core crypto, updates will be posted and maintained here.

256 x 256 pixels

32 x 32 pixels

Additional Miscellany:

• Amazon uses TrueCrypt when exporting archived data to users. See the first Q&A of the link. TrueCrypt is a perfect solution for this. We have every reason to believe that it is utterly bulletproof and only TrueCrypt provides the universal Windows/Mac/Linux platform neutrality that this application requires.