TrueCrypt

{{see also|TrueCrypt release history}}

TrueCrypt was initially released as version 1.0 in February 2004, based on E4M (Encryption for the Masses). Several versions and many additional minor releases have been made since then, with the most current version being 7.1a.

Original release of TrueCrypt was made by anonymous developers called "the TrueCrypt Team".{{cite web | title =Version Information | work =TrueCrypt User's Guide, version 1.0 | publisher =TrueCrypt Team | date =2 February 2004 | url =http://www.truecrypt.org/usersguide | access-date = 28 May 2014 }}{{dead link|date=July 2020|bot=medic}}{{cbignore|bot=medic}} [http://alt.security.scramdisk.narkive.com/0PPFbtws/copy-of-truecrypt-user-manual Alt URL] Shortly after version 1.0 was released in 2004, the TrueCrypt Team reported receiving email from Wilfried Hafner, manager of SecurStar, a computer security company. According to the TrueCrypt Team, Hafner claimed in the email that the acknowledged author of E4M, developer Paul Le Roux, had stolen the source code from SecurStar as an employee. It was further stated that Le Roux illegally distributed E4M, and authored an illegal license permitting anyone to base derivative work on the code and distribute it freely. Hafner alleges all versions of E4M always belonged only to SecurStar, and Le Roux did not have any right to release it under such a license.{{cite magazine | url=https://www.newyorker.com/news/news-desk/the-strange-origins-of-truecrypt-isiss-favored-encryption-tool | title=The Strange Origins of TrueCrypt, ISIS's Favored Encryption Tool | magazine=The New Yorker | date=30 March 2016 | last1=Ratliff | first1=Evan }}

This led the TrueCrypt Team to immediately stop developing and distributing TrueCrypt, which they announced online through usenet.{{cite newsgroup | title =P. Le Roux (author of E4M) accused by W.Hafner (SecurStar) | author =TrueCrypt Team | date =3 February 2004 | newsgroup =alt.security.scramdisk |message-id=a7b8b26d77f67aa7c5cc3f55b84c3975@news.teranews.com | url =https://groups.google.com/forum/#!topic/alt.security.scramdisk/HYa8Wb_4acs | access-date = 28 May 2014}} TrueCrypt Team member David Tesařík stated that Le Roux informed the team that there was a legal dispute between himself and SecurStar, and that he received legal advisement not to comment on any issues of the case. Tesařík concluded that should the TrueCrypt Team continue distributing TrueCrypt, Le Roux may ultimately be held liable and be forced to pay consequent damages to SecurStar. To continue in good faith, he said, the team would need to verify the validity of the E4M license. However, because of Le Roux's need to remain silent on the matter, he was unable to confirm or deny its legitimacy, keeping TrueCrypt development in limbo.{{cite newsgroup | title =Summary of current TrueCrypt situation...? | author =David T. | date =7 February 2004 | newsgroup =alt.security.scramdisk |message-id=30e9930aece70b0f63435ecd85a67736@news.teranews.com | url =https://groups.google.com/d/msg/alt.security.scramdisk/I4F5-_MmBGg/U6kATrKKMLoJ | access-date = 28 May 2014}}

Thereafter, would-be visitors reported trouble accessing the TrueCrypt website, and third-party mirrors appeared online making the source code and installer continually available, outside of official sanction by the TrueCrypt Team.{{cite newsgroup | title =Truecrypt for David T. from Truecrypt-Team | author =Carsten Krueger | date =7 February 2004 | newsgroup =alt.security.scramdisk |message-id=76va20di0jami8nspk743kuddgj6etabhh@4ax.com | url =https://groups.google.com/forum/#!topic/alt.security.scramdisk/rptNbr00X_k | access-date = 28 May 2014}}{{cite newsgroup | title =Unofficial TrueCrypt Site | author =Andraia Matrix | date =6 February 2004 | newsgroup =alt.security.scramdisk |message-id=76va20di0jami8nspk743kuddgj6etabhh@4ax.com | url =https://groups.google.com/forum/#!topic/alt.security.scramdisk/UvYU3tXboDE/2CYWE9TQvDsJ | access-date = 28 May 2014}}

In the FAQ section of its website, SecurStar maintains its claims of ownership over both E4M and Scramdisk, another free encryption program. The company states that with those products, SecurStar "had a long tradition of open source software", but that "competitors had nothing better to do but to steal our source code", causing the company to make its products closed-source, forcing potential customers to place a substantial order and sign a non-disclosure agreement before being allowed to review the code for security.{{cite web |title=Is the source code of your software available? |work=Drivecrypt FAQ |publisher=SecurStar |url=http://www.securstar.com/faq_drivecrypt.php |access-date=28 May 2014 |archive-url=https://web.archive.org/web/20140605052751/http://www.securstar.com/faq_drivecrypt.php |archive-date=5 June 2014 |url-status=dead |df=dmy }}

Le Roux himself has denied developing TrueCrypt in a court hearing in March 2016, in which he also confirmed he had written E4M.{{cite web |url=https://mastermind.atavist.com/the-next-big-deal |title=The Next Big Deal |last=Ratliff |first=Evan |date=29 April 2016 |access-date=1 May 2016 |archive-date=29 April 2016 |archive-url=https://web.archive.org/web/20160429124424/https://mastermind.atavist.com/the-next-big-deal |url-status=dead }}

Months later on 7 June 2004, TrueCrypt 2.0 was released. The new version contained a different digital signature from that of the original TrueCrypt Team, with the developers now being referred to as "the TrueCrypt Foundation." The software license was also changed to the open source GNU General Public License (GPL). However, given the wide range of components with differing licenses making up the software, and the contested nature of the legality of the program's release, a few weeks later on 21 June, version 2.1 was released under the original E4M license to avoid potential problems relating to the GPL license.{{cite web |title=Version History |work=TrueCrypt User's Guide, version 3.1a |publisher=TrueCrypt Foundation |date=7 February 2005 |url-status=live |url=http://docs.huihoo.com/truecrypt/truecrypt-3.1a-user-guide.pdf |access-date=2 March 2017 |archive-url=https://web.archive.org/web/20081230095719/http://docs.huihoo.com/truecrypt/truecrypt-3.1a-user-guide.pdf |archive-date=30 December 2008}}

Version 2.1a of the software was released on 1 October 2004 on truecrypt.sourceforge.net sub-domain. By May 2005, the original TrueCrypt website returned and truecrypt.sourceforge.net redirected visitors to truecrypt.org.

On 28 May 2014, the TrueCrypt official website, truecrypt.org, began redirecting visitors to truecrypt.sourceforge.net with a HTTP 301 "Moved Permanently" status, which warned that the software may contain unfixed security issues, and that development of TrueCrypt was ended in May 2014, following Windows XP's end of support. The message noted that more recent versions of Windows have built-in support for disk encryption using BitLocker, and that Linux and OS X had similar built-in solutions, which the message states renders TrueCrypt unnecessary. The page recommends any data encrypted by TrueCrypt be migrated to other encryption setups and offered instructions on moving to BitLocker. The SourceForge project page for the software at sourceforge.net/truecrypt was updated to display the same initial message, and the status was changed to "inactive".{{cite web |last=tc-foundation |title=TrueCrypt project page |publisher=SourceForge |date=28 May 2014 |url=http://sourceforge.net/projects/truecrypt/ |access-date=30 May 2014 |archive-url=https://web.archive.org/web/20140530161229/http://sourceforge.net/projects/truecrypt/ |archive-date=30 May 2014 |url-status=dead |df=dmy }} The page also announced a new software version, 7.2, which only allows decryption.

Initially, the authenticity of the announcement and new software was questioned.{{Citation | last =Goodin | first =Dan | title ="TrueCrypt is not secure," official SourceForge page abruptly warns | work=Ars Technica |publisher=Condé Nast | date =28 May 2014 | url =https://arstechnica.com/security/2014/05/truecrypt-is-not-secure-official-sourceforge-page-abruptly-warns/ | access-date = 28 May 2014}}{{cite news|last=O'Neill|first=Patrick|title=TrueCrypt, encryption tool used by Snowden, shuts down due to alleged 'security issues'|url=http://www.dailydot.com/technology/truecrypt-dead-unsecure/|access-date=28 May 2014|newspaper=The Daily Dot|date=28 May 2014}}{{citation|last=McAllister|first=Neil|title=TrueCrypt considered HARMFUL – downloads, website meddled to warn: 'It's not secure'|publisher=The Register|date=28 May 2014|url=https://www.theregister.co.uk/2014/05/28/truecrypt_hack/|access-date=29 May 2014}} Multiple theories attempting to explain the reason behind the announcement arose throughout the tech community.{{Citation|last =Goodin | first =Dan | title =Bombshell TrueCrypt advisory: Backdoor? Hack? Hoax? None of the above? | work=Ars Technica |publisher=Condé Nasta | date =29 May 2014 | url =https://arstechnica.com/security/2014/05/bombshell-truecrypt-advisory-backdoor-hack-hoax-none-of-the-above/| access-date = 29 May 2014}}{{Citation |last =Gibson | first =Steve | title =TrueCrypt, the final release, archive | publisher=Gibson Research Corporation | date =5 June 2014 | url =https://www.grc.com/misc/truecrypt/truecrypt.htm | access-date = 1 August 2014}}

Shortly after the end of life announcement of TrueCrypt, Gibson Research Corporation posted an announcement titled "Yes... TrueCrypt is still safe to use" and a Final Release Repository to host the last official non-crippled version 7.1a of TrueCrypt. They no longer host the final release repository as of 2022.

Truecrypt.org has been excluded from the Internet Archive Wayback Machine.{{cite web | url=http://truecrypt.org/ | title=TrueCrypt |archive-url=https://web.archive.org/web/20140101010101/http://truecrypt.org/ |archive-date=2014-01-01 }} The exclusion policy says they will exclude pages at the site owner's request.[https://help.archive.org/help/wayback-machine-general-information/ Wayback Machine General Information] Internet Archive

TrueCrypt supports Windows, OS X, and Linux operating systems.{{cite web | title =Supported Operating Systems | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/?s=supported-operating-systems | access-date =24 May 2014 }} Both 32-bit and 64-bit versions of these operating systems are supported, except for Windows IA-64 (not supported) and Mac OS X 10.6 Snow Leopard (runs as a 32-bit process). The version for Windows 7, Windows Vista, and Windows XP can encrypt the boot partition or entire boot drive.{{cite web | title =Operating Systems Supported for System Encryption | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/?s=sys-encryption-supported-os | archive-url =https://archive.today/20130108161502/http://www.truecrypt.org/docs/?s=sys-encryption-supported-os | url-status =dead | archive-date =8 January 2013 | access-date =24 May 2014 }}

{{Anchor|tc-play}}There is an independent, compatible{{cite web | title=DragonFly On-Line Manual Pages | url=http://leaf.dragonflybsd.org/cgi/web-man?command=tcplay§ion=ANY | publisher= DragonFly BSD Project | access-date=17 July 2011}} implementation, tcplay, for DragonFly BSD and Linux.{{cite web | title=README | url=https://github.com/bwalex/tc-play/blob/master/README.md | publisher=tc-play | access-date=14 March 2014}}{{cite web | title=Fedora Review Request: tcplay - Utility to create/open/map TrueCrypt-compatible volumes | url=https://bugzilla.redhat.com/show_bug.cgi?id=743497 | publisher=FEDORA | access-date=25 January 2012}}

The Dm-crypt module included in default Linux kernel supports a TrueCrypt target called "tcw" since Linux version 3.13.{{cite web|url=https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/drivers/md/dm-crypt.c?id=refs/tags/v3.13|title=index : kernel/git/stable/linux-stable.git - path: root/drivers/md/dm-crypt.c|publisher=Kernel.org cgit|date=20 January 2014|access-date=13 June 2014|at=Line 241}}{{cite web|url=https://code.google.com/p/cryptsetup/wiki/DMCrypt|title=dm-crypt: Linux kernel device-mapper crypto target - IV generators|publisher=cryptsetup|date=11 January 2014|access-date=10 June 2014}}{{cite web|url=http://www.redhat.com/archives/dm-devel/2013-October/msg00081.html|title=[dm-devel] [PATCH 2/2] dm-crypt: Add TCW IV mode for old CBC TCRYPT containers.|publisher=redhat.com|access-date=17 June 2014}}

Individual ciphers supported by TrueCrypt are AES, Serpent, and Twofish. Additionally, five different combinations of cascaded algorithms are available: AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES and Twofish-Serpent.{{cite web | title =Encryption Algorithms | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/encryption-algorithms | access-date = 24 May 2014}} The cryptographic hash functions available for use in TrueCrypt are RIPEMD-160, SHA-512, and Whirlpool.{{cite web | title =Hash Algorithms | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/hash-algorithms | archive-url =https://archive.today/20140525064033/http://www.truecrypt.org/docs/hash-algorithms | url-status =dead | archive-date =25 May 2014 | access-date = 24 May 2014}} Early versions of TrueCrypt until 2007 also supported the block ciphers Blowfish, CAST-128, TDEA and IDEA; but these were deprecated due to having relatively lower 64-bit security and patent licensing issues.

The practical security provided by TrueCrypt depends altogether on the applied encyption algorithms and their different weaknesses. TrueCrypt by itself offers no extra protection against a weak trusted algorithm.

TrueCrypt currently uses the XTS mode of operation.{{cite web | title =Modes of Operation | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/modes-of-operation | archive-url =https://archive.today/20130904135344/http://www.truecrypt.org/docs/modes-of-operation | url-status =dead | archive-date =4 September 2013 | access-date =24 May 2014 }} Prior to this, TrueCrypt used LRW mode in versions 4.1 through 4.3a, and CBC mode in versions 4.0 and earlier.{{cite web|url=http://www.truecrypt.org/docs/?s=version-history|archive-url=https://archive.today/20130108162305/http://www.truecrypt.org/docs/?s=version-history|url-status=dead|archive-date=8 January 2013|title=Version History|publisher=TrueCrypt Foundation|access-date=1 October 2009}} XTS mode is thought to be more secure than LRW mode, which in turn is more secure than CBC mode.{{cite web |first = Clemens |last = Fruhwirth |url = http://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf |title = New Methods in Hard Disk Encryption |publisher = Institute for Computer Languages, Theory and Logic Group, Vienna University of Technology |date = 18 July 2005 |access-date = 10 March 2007}}

Although new volumes can only be created in XTS mode, TrueCrypt is backward compatible with older volumes using LRW mode and CBC mode. Later versions produce a security warning when mounting CBC mode volumes and recommend that they be replaced with new volumes in XTS mode.

The header key and the secondary header key (XTS mode) are generated using PBKDF2 with a 512-bit salt and 1000 or 2000 iterations, depending on the underlying hash function used.{{cite web | title =Header Key Derivation, Salt, and Iteration Count | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/header-key-derivation | access-date = 24 May 2014}}

TrueCrypt supports a concept called plausible deniability,{{cite web | title =Plausible Deniability | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/?s=plausible-deniability | archive-url =http://arquivo.pt/wayback/20080226032737/http://www.truecrypt.org/docs/?s=plausible-deniability | url-status =dead | archive-date =26 February 2008 | access-date = 24 May 2014}} by allowing a single "hidden volume" to be created within another volume.{{cite web | title =Hidden Volume | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/?s=hidden-volume | access-date =24 May 2014 }} In addition, the Windows versions of TrueCrypt have the ability to create and run a hidden encrypted operating system whose existence may be denied.{{cite web | title =Hidden Operating System | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/hidden-operating-system | archive-url =https://archive.today/20130416074157/http://www.truecrypt.org/docs/hidden-operating-system | url-status =dead | archive-date =16 April 2013 | access-date =24 May 2014 }}

The TrueCrypt documentation lists many ways in which TrueCrypt's hidden volume deniability features may be compromised (e.g. by third-party software which may leak information through temporary files, thumbnails, etc., to unencrypted disks) and possible ways to avoid this.{{cite web | title =Security Requirements for Hidden Volumes | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/?s=hidden-volume-precautions | archive-url =https://archive.today/20120917175346/http://www.truecrypt.org/docs/?s=hidden-volume-precautions | url-status =dead | archive-date =17 September 2012 | access-date =24 May 2014 }} In a paper published in 2008 and focused on the then latest version (v5.1a) and its plausible deniability, a team of security researchers led by Bruce Schneier states that Windows Vista, Microsoft Word, Google Desktop, and others store information on unencrypted disks, which might compromise TrueCrypt's plausible deniability. The study suggested the addition of a hidden operating system functionality; this feature was added in TrueCrypt 6.0. When a hidden operating system is running, TrueCrypt also makes local unencrypted filesystems and non-hidden TrueCrypt volumes read-only to prevent data leaks. The security of TrueCrypt's implementation of this feature was not evaluated because the first version of TrueCrypt with this option had only recently been released.{{cite conference |book-title=3rd USENIX Workshop on Hot Topics in Security |title=Defeating Encrypted and Deniable File Systems: TrueCrypt v5.1a and the Case of the Tattling OS and Applications |url=http://www.cs.washington.edu/homes/supersat/paper-truecrypt-dfs.pdf |author1=Alexei Czeskis |author2=David J. St. Hilaire |author3=Karl Koscher |author4=Steven D. Gribble |author5=Tadayoshi Kohno |author6=Bruce Schneier |date=18 July 2008 |url-status=dead |archive-url=https://web.archive.org/web/20081227025727/http://www.cs.washington.edu/homes/supersat/paper-truecrypt-dfs.pdf |archive-date=27 December 2008 |df=dmy-all }}

There was a functional evaluation of the deniability of hidden volumes in an earlier version of TrueCrypt by Schneier et al. that found security leaks.[http://yro.slashdot.org/story/08/07/17/2043248/schneier-uw-team-show-flaw-in-truecrypt-deniability Schneier, UW Team Show Flaw In TrueCrypt Deniability]. Accessed on: 12 June 2012

When analyzed, TrueCrypt volumes appear to have no header and contain random data.Piccinelli, Mario, and Paolo Gubian. "Detecting Hidden Encrypted Volume Files via Statistical Analysis." International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3.1 (2014): 30-37. TrueCrypt volumes have sizes that are multiples of 512 due to the block size of the cipher mode and key data is either 512 bytes stored separately in the case of system encryption or two 128 kB headers for non-system containers.{{cite web | title =TrueCrypt Volume Format Specification | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/volume-format-specification | archive-url =https://archive.today/20130619023456/http://www.truecrypt.org/docs/volume-format-specification | url-status =dead | archive-date =19 June 2013 | access-date =24 May 2014}} Forensics tools may use these properties of file size, apparent lack of a header, and randomness tests to attempt to identify TrueCrypt volumes.{{cite web |url=http://16s.us/software/TCHunt/tchunt_faq.txt |title=Archive |url-status=dead |archive-url=https://archive.today/20140507093925/http://16s.us/software/TCHunt/tchunt_faq.txt |archive-date=7 May 2014 |access-date=2 March 2017 |df=dmy-all }} Although these features give reason to suspect a file to be a TrueCrypt volume, there are, however, some programs which exist for the purpose of securely erasing files by employing a method of overwriting file contents, and free disk space, with purely random data (i.e. "shred" & "scrub"{{cite web | title = diskscrub - disk overwrite utility - Google Project Hosting | url= http://code.google.com/p/diskscrub/ |access-date=16 July 2014}}), thereby creating reasonable doubt to counter pointed accusations declaring a file, made of statistically random data, to be a TrueCrypt file.{{cite web | title =Plausible Deniability | publisher =FreeOTFE | url =http://www.freeotfe.org/docs/Main/plausible_deniability.htm#level_3_heading_2 | archive-url = https://web.archive.org/web/20130124091432/http://freeotfe.org/docs/Main/plausible_deniability.htm#level_3_heading_2 | archive-date = 24 January 2013}}

If a system drive, or a partition on it, has been encrypted with TrueCrypt, then only the data on that partition is deniable. When the TrueCrypt boot loader replaces the normal boot loader, an offline analysis of the drive can positively determine that a TrueCrypt boot loader is present and so lead to the logical inference that a TrueCrypt partition is also present. Even though there are features to obfuscate its purpose (i.e. displaying a BIOS-like message to misdirect an observer such as, "Non-system disk" or "disk error"), these reduce the functionality of the TrueCrypt boot loader and do not hide the content of the TrueCrypt boot loader from offline analysis.[http://www.truecrypt.org/faq TrueCrypt FAQ] - see question

I use pre-boot authentication. Can I prevent a person (adversary) that is watching me start my computer from knowing that I use TrueCrypt? Here again, the use of a hidden operating system is the suggested method for retaining deniability.

TrueCrypt supports parallelized{{cite web|title=TrueCrypt User Guide|url=https://www.grc.com/misc/truecrypt/TrueCrypt%20User%20Guide.pdf|publisher=TrueCrypt Foundation|date=7 February 2012|edition=7.1a}}{{Rp|63}} encryption for multi-core systems and, under Microsoft Windows, pipelined read/write operations (a form of asynchronous processing){{Rp|63}} to reduce the performance hit of encryption and decryption. On newer processors supporting the AES-NI instruction set, TrueCrypt supports hardware-accelerated AES to further improve performance.{{Rp|64}} The performance impact of disk encryption is especially noticeable on operations which would normally use direct memory access (DMA), as all data must pass through the CPU for decryption, rather than being copied directly from disk to RAM.

In a test carried out by Tom's Hardware, although TrueCrypt is slower compared to an unencrypted disk, the overhead of real-time encryption was found to be similar regardless of whether mid-range or state-of-the-art hardware is in use, and this impact was "quite acceptable".{{cite web | last1 =Schmid | first1 =Patrick | last2 =Roos | first2 =Achim | title =Conclusion | work =System Encryption: BitLocker And TrueCrypt Compared | publisher =Tom's Hardware | date =28 April 2010 | url =http://www.tomshardware.com/reviews/bitlocker-truecrypt-encryption,2587-9.html | access-date = 24 May 2014 }} In another article the performance cost was found to be unnoticeable when working with "popular desktop applications in a reasonable manner", but it was noted that "power users will complain".{{cite web | last1 =Schmid | first1 =Patrick | last2 =Roos | first2 =Achim | title =Conclusion | work =Protect Your Data With Encryption | publisher =Tom's Hardware | date =28 April 2010 | url =http://www.tomshardware.com/reviews/truecrypt-security-hdd,2125-11.html | access-date = 24 May 2014 }}

{{main|FlexNet Publisher#Issues with bootloaders}}

Installing third-party software which uses FlexNet Publisher or SafeCast (which are used for preventing software piracy on products by Adobe such as Adobe Photoshop) can damage the TrueCrypt bootloader on Windows partitions/drives encrypted by TrueCrypt and render the drive unbootable.{{cite web | title =Freeze when you reboot a Windows system that has TrueCrypt Disk Encryption software and Adobe applications installed | work =Adobe Creative Suite Help | publisher =Adobe Systems | date =16 November 2009 | url =http://helpx.adobe.com/creative-suite/kb/freeze-reboot-windows-system-truecrypt.html | access-date = 24 May 2014 }} This is caused by the inappropriate design of FlexNet Publisher writing to the first drive track and overwriting whatever non-Windows bootloader exists there.{{cite web | title =Incompatibilities | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/incompatibilities | archive-url =https://archive.today/20130416014149/http://www.truecrypt.org/docs/incompatibilities | url-status =dead | archive-date =16 April 2013 | access-date =24 May 2014 }}

TrueCrypt is vulnerable to various known attacks which are also present in other disk encryption software releases such as BitLocker. To prevent those, the documentation distributed with TrueCrypt requires users to follow various security precautions.{{cite web | title =Security Requirements and Precautions | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/?s=security-requirements-and-precautions | archive-url =https://archive.today/20130416034644/http://www.truecrypt.org/docs/?s=security-requirements-and-precautions | url-status =dead | archive-date =16 April 2013 | access-date =24 May 2014 }} Some of those attacks are detailed below.

TrueCrypt stores its keys in RAM; on an ordinary personal computer the DRAM will maintain its contents for several seconds after power is cut (or longer if the temperature is lowered). Even if there is some degradation in the memory contents, various algorithms can intelligently recover the keys. This method, known as a cold boot attack (which would apply in particular to a notebook computer obtained while in power-on, suspended, or screen-locked mode), has been successfully used to attack a file system protected by TrueCrypt.{{cite web |url=http://www.usenix.org/event/sec08/tech/full_papers/halderman/halderman_html/ |title=Lest We Remember: Cold Boot Attacks on Encryption Keys |author=Alex Halderman |display-authors=etal}}

TrueCrypt documentation states that TrueCrypt is unable to secure data on a computer if an attacker physically accessed it and TrueCrypt is used on the compromised computer by the user again (this does not apply to a common case of a stolen, lost, or confiscated computer).{{cite web | title =Physical Security | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/?s=physical-security | archive-url =https://archive.today/20120913113052/http://www.truecrypt.org/docs/?s=physical-security | url-status =dead | archive-date =13 September 2012 | access-date =24 May 2014 }} The attacker having physical access to a computer can, for example, install a hardware/software keylogger, a bus-mastering device capturing memory, or install any other malicious hardware or software, allowing the attacker to capture unencrypted data (including encryption keys and passwords), or to decrypt encrypted data using captured passwords or encryption keys. Therefore, physical security is a basic premise of a secure system. Attacks such as this are often called "evil maid attacks".{{cite web | last =Schneier | first =Bruce | author-link =Bruce Schneier | title ="Evil Maid" Attacks on Encrypted Hard Drives | publisher =Schneier on Security | date =23 October 2009 | url =https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html | access-date = 24 May 2014 }}

TrueCrypt documentation states that TrueCrypt cannot secure data on a computer if it has any kind of malware installed. Malware may log keystrokes, thus exposing passwords to an attacker.{{cite web | title =Malware | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/?s=malware | archive-url =https://archive.today/20120913051130/http://www.truecrypt.org/docs/?s=malware | url-status =dead | archive-date =13 September 2012 | access-date =24 May 2014 }}

The "Stoned" bootkit, an MBR rootkit presented by Austrian software developer Peter Kleissner at the Black Hat Technical Security Conference USA 2009,{{cite web | url = https://www.blackhat.com/presentations/bh-usa-09/KLEISSNER/BHUSA09-Kleissner-StonedBootkit-PAPER.pdf | title = Stoned bootkit White Paper | publisher = Peter Kleissner | work = Black Hat Technical Security Conference USA 2009 | access-date = 5 August 2009 }}{{cite web | url = https://www.blackhat.com/presentations/bh-usa-09/KLEISSNER/BHUSA09-Kleissner-StonedBootkit-SLIDES.pdf | title = Stoned bootkit Presentation Slides | publisher = Peter Kleissner | work = Black Hat Technical Security Conference USA 2009 | access-date = 5 August 2009 }} has been shown capable of tampering TrueCrypt's MBR, effectively bypassing TrueCrypt's full volume encryption.{{cite web | url = http://www.h-online.com/security/Bootkit-bypasses-hard-disk-encryption--/news/113884 |archive-url=https://web.archive.org/web/20090801080610/http://www.h-online.com/security/Bootkit-bypasses-hard-disk-encryption--/news/113884|archive-date=1 August 2009| title = Bootkit bypasses hard disk encryption | publisher = Heise Media UK Ltd. | work = The H-Security (H-Online.com) | access-date = 5 August 2009 }}{{cite news |author=David M Williams |date=7 September 2009 |title=The dark side of open source software is Stoned |publisher=iTWire |url=http://www.itwire.com/opinion-and-analysis/the-linux-distillery/27503-the-dark-side-of-open-source-software-is-stoned }}{{cite web | last =Hunt | first =Simon | title =TrueCrypt vs Peter Kleissner, Or Stoned BootKit Revisited.. | publisher =Simon Hunt | date =4 August 2009 | url =http://simonhunt.wordpress.com/2009/08/04/truecrypt-vs-peter-kleissner-or-stoned-bootkit-revisited | access-date =24 May 2014 }}{{cite news |author=Uli Ries |date=30 July 2009 |title=Bootkit hebelt Festplattenverschlüsselung aus |language=de |publisher=Heise Online |url=http://www.heise.de/newsticker/meldung/Bootkit-hebelt-Festplattenverschluesselung-aus-748859.html }}{{cite news |date=30 July 2009 |title=Windows-Hacking: TrueCrypt Verschlüsselung umgangen |language=de |publisher=Gulli News |url=http://www.gulli.com/news/windows-hacking-truecrypt-2009-07-30 }} Potentially every hard disk encryption software is affected by this kind of attack if the encryption software does not rely on hardware-based encryption technologies like TPM, or if the attack is made with administrative privileges while the encrypted operating system is running.{{cite web | url = http://www.stoned-vienna.com/downloads/TrueCrypt%20Foundation%20Mail%2018.%20Juli%202009.tif | title = Stoned bootkit attacking TrueCrypt's full volume encryption | publisher = TrueCrypt Foundation mail in response to Peter Kleissner on 18 July 2009 | access-date = 5 August 2009 }}{{cite web | url = http://www.truecrypt.org/faq#tpm | archive-url = https://archive.today/20130416052646/http://www.truecrypt.org/faq | url-status = dead | archive-date = 16 April 2013 | title = Some encryption programs use TPM to prevent attacks. Will TrueCrypt use it too? | publisher = TrueCrypt Foundation | work = TrueCrypt FAQ | access-date = 24 August 2011 }}

Two types of attack scenarios exist in which it is possible to maliciously take advantage of this bootkit: in the first one, the user is required to launch the bootkit with administrative privileges once the PC has already booted into Windows; in the second one, analogously to hardware keyloggers, a malicious person needs physical access to the user's TrueCrypt-encrypted hard disk: in this context this is needed to modify the user's TrueCrypt MBR with that of the Stoned bootkit and then place the hard disk back on the unknowing user's PC, so that when the user boots the PC and types his/her TrueCrypt password on boot, the "Stoned" bootkit intercepts it thereafter because, from that moment on, the Stoned bootkit is loaded before TrueCrypt's MBR in the boot sequence. The first type of attack can be prevented as usual by good security practices, e.g. avoid running non-trusted executables with administrative privileges. The second one can be successfully neutralized by the user if he/she suspects that the encrypted hard disk might have been physically available to someone he/she does not trust, by booting the encrypted operating system with TrueCrypt's Rescue Disk instead of booting it directly from the hard disk. With the rescue disk, the user can restore TrueCrypt's MBR to the hard disk.{{cite web | last =Kleissner | first =Peter | title =TrueCrypt Foundation is a joke to the security industry, pro Microsoft | publisher =Peter Kleissner | date =21 July 2009 | url =http://www.peterkleissner.com/?p=11 | access-date = 5 August 2009 | archive-url = https://web.archive.org/web/20100818024921/http://www.peterkleissner.com/?p=11 | archive-date = 18 August 2010}}

The FAQ section of the TrueCrypt website states that the Trusted Platform Module (TPM) cannot be relied upon for security, because if the attacker has physical or administrative access to the computer and you use it afterwards, the computer could have been modified by the attacker e.g. a malicious component—such as a hardware keystroke logger—could have been used to capture the password or other sensitive information. Since the TPM does not prevent an attacker from maliciously modifying the computer, TrueCrypt will not support the TPM.

In 2013 a graduate student at Concordia University published a detailed online report, in which he states that he has confirmed the integrity of the distributed Windows binaries of version 7.1a.{{cite web| url = https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/| author = Xavier de Carné de Carnavalet| year = 2013| title = How I compiled TrueCrypt 7.1a for Win32 and matched the official binaries

}}

A crowdfunding campaign attempting to conduct an independent security audit of TrueCrypt was successfully funded in October 2013. A non-profit organization called the Open Crypto Audit Project (OCAP) was formed, calling itself "a community-driven global initiative which grew out of the first comprehensive public audit and cryptanalysis of the widely used encryption software TrueCrypt".{{cite web |title=Welcome to the Open Crypto Audit Project |publisher=Open Crypto Audit Project |url=http://opencryptoaudit.org/ |access-date=31 May 2014 |archive-url=https://web.archive.org/web/20140608231500/http://opencryptoaudit.org/ |archive-date=8 June 2014 |url-status=dead |df=dmy }} The organization established contact with TrueCrypt developers, who welcomed the audit.{{cite web|url=http://www.indiegogo.com/projects/the-truecrypt-audit|title=The TrueCrypt Audit Project |publisher=Indiegogo|access-date=2 November 2013}}{{cite web|url=https://threatpost.com/one-truecrypt-audit-grows-another-gives-encryption-tool-clean-bill-of-health|title=TrueCrypt Audit Endorsed by Development Team |date=25 October 2013 |publisher=Threatpost|access-date=2 November 2013}} Phase I of the audit was successfully completed on 14 April 2014, finding "no evidence of backdoors or malicious code". Matthew D. Green, one of the auditors, added "I think it's good that we didn't find anything super critical."{{Citation | last =Farivar | first =Cyrus | title =TrueCrypt audit finds "no evidence of backdoors" or malicious code | work=Ars Technica |publisher=Condé Nast | date =14 April 2014 | url =https://arstechnica.com/security/2014/04/truecrypt-audit-finds-no-evidence-of-backdoors-or-malicious-code/ | access-date = 24 May 2014}}

One day after TrueCrypt's end of life announcement, OCAP confirmed that the audit would continue as planned, with Phase II expected to begin in June 2014 and wrap up by the end of September.{{Citation | last =Goodin | first =Dan | title =TrueCrypt security audit presses on, despite developers jumping ship | work=Ars Technica |publisher=Condé Nast | date =30 May 2014 | url =https://arstechnica.com/security/2014/05/truecrypt-security-audit-presses-on-despite-developers-jumping-ship/ | access-date = 31 May 2014}}{{Citation | last =Doctorow | first =Cory | author-link =Cory Doctorow | title =Mysterious announcement from Truecrypt declares the project insecure and dead | publisher =Boing Boing | date =29 May 2014 | url =http://boingboing.net/2014/05/29/mysterious-announcement-from-t.html | access-date = 31 May 2014}} The Phase II audit was delayed, but was completed 2 April 2015 by NCC Cryptography Services. This audit "found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances".{{cite web | url=http://blog.cryptographyengineering.com/2015/04/truecrypt-report.html | title=Truecrypt report | work=A Few Thoughts on Cryptographic Engineering | date=2 April 2015 | access-date=4 April 2015 |last=Green |first=Matthew}}{{cite web | url=http://blog.cryptographyengineering.com/2015/02/another-update-on-truecrypt-audit.html | title=Another update on the Truecrypt audit | work=A Few Thoughts on Cryptographic Engineering | date=18 February 2015 | access-date=22 February 2015 |last=Green |first=Matthew}}{{cite web | url=https://cryptoservices.github.io/fde/2015/02/18/truecrypt-phase-two.html | title=Truecrypt Phase Two Audit Announced | publisher=NCC Group | work=Cryptography Services | date=18 February 2015 | access-date=22 February 2015}} The French National Agency for the Security of Information Systems (ANSSI) stated that while TrueCrypt 6.0 and 7.1a have previously attained ANSSI certification, migration to an alternate certified product is recommended as a precautionary measure.{{cite web|title=Possible abandon de TrueCrypt par ses développeurs|url=http://www.ssi.gouv.fr/fr/menu/actualites/possible-abandon-de-truecrypt-par-ses-developpeurs.html|website=ssi.gouv.fr|publisher=Agence nationale de la sécurité des systèmes d'information|access-date=21 June 2014|date=2 June 2014}}

According to Gibson Research Corporation, Steven Barnhart wrote to an email address for a TrueCrypt Foundation member he had used in the past and received several replies from "David". According to Barnhart, the main points of the email messages were that the TrueCrypt Foundation was "happy with the audit, it didn't spark anything", and that the reason for the announcement was that "there is no longer interest [in maintaining the project]."{{cite web |last=Gibson |first=Steve |author-link=Steve Gibson (computer programmer) |title=And then the TrueCrypt developers were heard from! |work=TrueCrypt Latest Release Repository |publisher=Gibson Research Corporation |date=30 May 2014 |url=https://www.grc.com/misc/truecrypt/truecrypt.htm |access-date=30 May 2014 |archive-url=https://web.archive.org/web/20140531001927/https://www.grc.com/misc/truecrypt/truecrypt.htm |archive-date=31 May 2014 |url-status=dead |df=dmy }}

According to a study released 29 September 2015, TrueCrypt includes two vulnerabilities in the driver that TrueCrypt installs on Windows systems allowing an attacker arbitrary code execution and privilege escalation via DLL hijacking.{{Cite web|url=https://www.pcworld.com/article/423766/newly-found-truecrypt-flaw-allows-full-system-compromise.html|title=Newly found TrueCrypt flaw allows full system compromise|website=PCWorld}} In January 2016, the vulnerability was fixed in VeraCrypt,{{Cite web|url=https://seclists.org/oss-sec/2016/q1/58|title=oss-sec: CVE-2016-1281: TrueCrypt and VeraCrypt Windows installers allow arbitrary code execution with elevation of privilege|website=seclists.org}} but it remains unpatched in TrueCrypt's unmaintained installers.

In July 2008, several TrueCrypt-secured hard drives were seized from Brazilian banker Daniel Dantas, who was suspected of financial crimes. The Brazilian National Institute of Criminology (INC) tried unsuccessfully for five months to obtain access to his files on the TrueCrypt-protected disks. They enlisted the help of the FBI, who used dictionary attacks against Dantas' disks for over 12 months, but were still unable to decrypt them.{{cite web |last=Leyden |first=John | title=Brazilian banker's crypto baffles FBI | url=https://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/ | publisher=The Register | date =28 June 2010 | access-date=13 August 2010}}{{Citation | last =Dunn | first =John E. | title =FBI hackers fail to crack TrueCrypt | publisher =TechWorld | date =30 June 2010 | url =http://news.techworld.com/security/3228701/ | access-date = 30 May 2014}}

In 2012 the United States 11th Circuit Court of Appeals ruled that a John Doe TrueCrypt user could not be compelled to decrypt several of his hard drives.{{Citation | last =Palazzolo | first =Joe | title =Court: Fifth Amendment Protects Suspects from Having to Decrypt Hard Drives | publisher =The Wall Street Journal | date =23 February 2012 | url =https://blogs.wsj.com/law/2012/02/23/court-fifth-amendment-protects-suspects-from-decrypting-computers/ | access-date = 24 May 2014}}{{Citation | last =Kravets | first =David | title =Forcing Defendant to Decrypt Hard Drive Is Unconstitutional, Appeals Court Rules | publisher =Wired | date =24 February 2012 | url =https://www.wired.com/2012/02/laptop-decryption-unconstitutional/ | access-date = 24 May 2014}} The court's ruling noted that FBI forensic examiners were unable to get past TrueCrypt's encryption (and therefore were unable to access the data) unless Doe either decrypted the drives or gave the FBI the password, and the court then ruled that Doe's Fifth Amendment right to remain silent legally prevented the Government from making them do so.{{cite court |litigants =United States v. John Doe |opinion =11–12268 & 11–15421 |court =11th Cir. |date =23 February 2012 |url= https://caselaw.findlaw.com/us-11th-circuit/1595245.html}}[http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf United States v. John Doe] {{webarchive|url=https://web.archive.org/web/20130115144156/http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf |date=15 January 2013 }}

{{further|David Miranda (politician)#Global surveillance activism}}

On 18 August 2013 David Miranda, partner of journalist Glenn Greenwald, was detained at London's Heathrow Airport by Metropolitan Police while en route to Rio de Janeiro from Berlin. He was carrying with him an external hard drive said to be containing sensitive documents pertaining to the 2013 global surveillance disclosures sparked by Edward Snowden. Contents of the drive were encrypted by TrueCrypt, which authorities said "renders the material extremely difficult to access".{{Citation |last=Hosenball |first=Mark |author-link=Mark Hosenball |title=UK asked N.Y. Times to destroy Snowden material |publisher=Reuters |date=30 August 2013 |url=https://www.reuters.com/article/us-usa-security-snowden-nytimes-idUSBRE97T0RC20130830 |access-date=30 May 2014 |archive-url=https://web.archive.org/web/20140706234052/http://www.reuters.com/article/2013/08/30/us-usa-security-snowden-nytimes-idUSBRE97T0RC20130830 |archive-date=6 July 2014 |url-status=live |df=dmy }} Detective Superintendent Caroline Goode stated the hard drive contained around 60 gigabytes of data, "of which only 20 have been accessed to date." She further stated the process to decode the material was complex and "so far only 75 documents have been reconstructed since the property was initially received."

Guardian contributor Naomi Colvin concluded the statements were misleading, stating that it was possible Goode was not even referring to any actual encrypted material, but rather deleted files reconstructed from unencrypted, unallocated space on the hard drive, or even plaintext documents from Miranda's personal effects.{{cite web |last=Colvin |first=Naomi |title=#Miranda: Where is the UK Government getting its numbers from? |work=Extraordinary Popular Delusions |publisher=Auerfeld.com |date=31 August 2013 |url=http://auerfeld.wordpress.com/2013/08/31/miranda-where-is-the-uk-government-getting-its-numbers-from/ |access-date=30 May 2014 |archive-url=https://web.archive.org/web/20140531090315/http://auerfeld.wordpress.com/2013/08/31/miranda-where-is-the-uk-government-getting-its-numbers-from/ |archive-date=31 May 2014 |url-status=dead |df=dmy }} Greenwald supported this assessment in an interview with Democracy Now!, mentioning that the UK government filed an affidavit asking the court to allow them to retain possession of Miranda's belongings. The grounds for the request were that they could not break the encryption, and were only able to access 75 of the documents that he was carrying, which Greenwald said "most of which were probably ones related to his school work and personal use".{{cite AV media |last=Greenwald |first=Glenn| author-link =Glenn Greenwald | date =6 September 2013 | title =Greenwald: UK's Detention of My Partner Was Incredibly Menacing Bid to Stop NSA Reports | medium =News broadcast | url =https://www.youtube.com/watch?v=wZxAoY_t7MY#t=5m13s | access-date =30 May 2014 | format =Video | time =5:12 | location =New York | publisher =Democracy Now!}}

In October 2013, British–Finnish activist Lauri Love was arrested by the National Crime Agency (NCA) on charges of hacking into a US department or agency computer and one count of conspiring to do the same.{{cite web |last=Halliday|first=Josh|title=Briton Lauri Love faces hacking charges in US|url=https://www.theguardian.com/world/2013/oct/28/us-briton-hacking-charges-nasa-lauri-love|access-date=13 May 2016|work=The Guardian|date=29 October 2013}}{{cite web |url=https://www.bbc.co.uk/news/world-us-canada-26376865|title=Briton Lauri Love faces new US hacking charges|date=27 February 2014|work=BBC News Online|publisher=BBC|access-date=13 May 2016}}{{cite web|title=Hacker Charged with Breaching Multiple Government Computers and Stealing Thousands of Employee and Financial Records|url=https://www.fbi.gov/washingtondc/press-releases/2014/hacker-charged-with-breaching-multiple-government-computers-and-stealing-thousands-of-employee-and-financial-records|website=fbi.gov|publisher=U.S. Department of Justice|access-date=15 May 2016|location=Alexandria, VA|date=24 July 2014}} The government confiscated all of his electronics and demanded he provide them with the necessary keys to decrypt the devices. Love refused. On 10 May 2016 a District Judge (Magistrate's Court) rejected a request by the NCA that Love be forced to turn over his encryption keys or passwords to TrueCrypt files on an SD card and hard drives that were among the confiscated property.{{cite web | last =Masnick | first =Mike | title =Judge Rejects Attempt To Force Lauri Love To Decrypt His Computers, Despite Never Charging Him With A Crime | website=Techdirt | publisher=Floor64 | date =10 May 2016 | url =https://www.techdirt.com/articles/20160510/08042734397/judge-rejects-attempt-to-force-lauri-love-to-decrypt-his-computers-despite-never-charging-him-with-crime.shtml | access-date = 13 May 2016}}

In February 2014, an Arizona Department of Real Estate IT department employee, James DeSilva, was arrested on charges of sexual exploitation of a minor through the sharing of explicit images over the Internet. His computer, encrypted with TrueCrypt, was seized, and DeSilva refused to reveal the password. Forensics detectives from the Maricopa County Sheriff's Office were unable to gain access to his stored files.{{Citation |last=Stern |first=Ray |title='True Crypt' Encryption Software Stumps MCSO Detectives in Child-Porn Case |publisher=Phoenix New Times |date=4 February 2014 |url=http://blogs.phoenixnewtimes.com/valleyfever/2014/02/true_crypt_software_that_hides.php |access-date=30 May 2014 |archive-url=https://web.archive.org/web/20140531090337/http://blogs.phoenixnewtimes.com/valleyfever/2014/02/true_crypt_software_that_hides.php |archive-date=31 May 2014 |url-status=dead |df=dmy }}

In the special prosecutor investigation for Druking in South Korea, the special prosecutor decrypted some of the files encrypted by TrueCrypt by guessing the passphrase.[일문일답] '드루킹 특검' 종료..."수사 종료 자체 판단...외압 없었다", NewsPim, 2018.08.27., http://newspim.com/news/view/20180827000369특검 "김경수, 킹크랩 개발·운영 허락...댓글 8800만건 조작 관여", Maeil Business Newspaper, 2018.08.27., http://news.mk.co.kr/newsRead.php?year=2018&no=538301

The special prosecutor said the hidden volumes were especially difficult to deal with. He decrypted some of encrypted files by trying words and phrases the druking group had used elsewhere as parts of the passphrase in order to make educated guesses."드루킹 일당이 걸어둔 암호 풀어라"...특검, 전문가 총동원, Yonhap, 2018/07/18, http://www.yonhapnews.co.kr/bulletin/2018/07/18/0200000000AKR20180718142500004.HTML"드루킹 댓글조작 1/3 암호...FBI도 못 푸는 트루크립트 사용", OBS Gyeongin TV, 2018.07.19, http://voda.donga.com/3/all/39/1394189/1"Top ten password cracking techniques, http://www.alphr.com/features/371158/top-ten-password-cracking-techniques'FBI도 못 푼다'는 암호 풀자 드루킹 측근들 태도가 변했다, Chosun Broadcasting Company, 2018.07.18, http://news.tvchosun.com/site/data/html_dir/2018/07/18/2018071890102.html

TrueCrypt was released as source-available, under the "TrueCrypt License," which is unique to the TrueCrypt software.[http://www.truecrypt.org/legal/license TrueCrypt License]. Accessed on: 21 May 2012 {{webarchive|url=https://archive.today/20120530131309/http://www.truecrypt.org/legal/license |date=30 May 2012 }}[https://www.ohloh.net/licenses/TrueCrypt_Collective_License TrueCrypt Collective License]. Accessed on: 4 June 2014 As of version 7.1a (the last full version of the software, released Feb 2012), the TrueCrypt License was version 3.0. It is not part of the panoply of widely used open source licenses. The Free Software Foundation (FSF) states that it is not a free software license.[https://www.gnu.org/licenses/license-list.html#Truecrypt-3.0 Various Licenses and Comments about Them] Free Software Foundation

Discussion of the licensing terms on the Open Source Initiative (OSI)'s license-discuss mailing list in October 2013 suggests that the TrueCrypt License has made progress towards compliance with the Open Source Definition but would not yet pass if proposed for certification as Open Source software.{{Citation |last=Phipps |first=Simon |title=TrueCrypt or false? Would-be open source project must clean up its act |date=15 November 2013 |url=http://www.infoworld.com/d/open-source-software/truecrypt-or-false-would-be-open-source-project-must-clean-its-act-230862 |publisher=InfoWorld |access-date=20 May 2014 |author-link=Simon Phipps (programmer)}}{{cite web|last=Fontana |first=Richard |title=TrueCrypt license (not OSI-approved; seeking history, context). |date=October 2013 |url=http://projects.opensource.org/pipermail/license-discuss/2013-October/001313.html |access-date=26 October 2013 |url-status=dead |archive-url=https://web.archive.org/web/20131029185711/http://projects.opensource.org/pipermail/license-discuss/2013-October/001313.html |archive-date=29 October 2013 |df=dmy }} According to current OSI president Simon Phipps:

...it is not at all appropriate for [TrueCrypt] to describe itself as "open source". This use of the term "open source" to describe something under a license that's not only unapproved by OSI but known to be subject to issues is unacceptable. ... As OSI director and open source expert Karl Fogel said, "The ideal solution is not to have them remove the words 'open source' from their self-description, but rather for their software to be under an OSI-approved open source license."

As a result of its questionable status with regard to copyright restrictions and other potential legal issues,[http://lists.freedesktop.org/archives/distributions/2008-October/000276.html Tom Callaway of Red Hat about TrueCrypt licensing concern] Accessed on 10 July 2009 major Linux distributions do not consider the TrueCrypt License free: TrueCrypt is not included with Debian,[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=364034 Debian Bug report logs - #364034]. Accessed on: 12 January 2009. Ubuntu,[https://bugs.edge.launchpad.net/ubuntu/+bug/109701 Bug #109701 in Ubuntu]. Accessed on: 20 April 2009 Fedora,[http://lists.freedesktop.org/archives/distributions/2008-October/000276.html TrueCrypt licensing concern] Accessed on: 20 April 2009 or openSUSE.[http://lists.opensuse.org/opensuse-buildservice/2008-10/msg00055.html non-OSI compliant packages in the openSUSE Build Service]. Accessed on: 20 April 2009

28 May 2014 announcement of discontinuation of TrueCrypt also came with a new version 7.2 of the software. Among the many changes to the source code from the previous release were changes to the TrueCrypt License — including removal of specific language that required attribution of TrueCrypt as well as a link to the official website to be included on any derivative products — forming a license version 3.1.{{cite web|url=https://github.com/DrWhax/truecrypt-archive/blob/master/doc/License-v3.1.txt|title=truecrypt-archive/License-v3.1.txt at master · DrWhax/truecrypt-archive|website=GitHub|date=28 Mar 2014|access-date=23 Jul 2018}}

Cryptographer Matthew Green, who had help raise funds for TrueCrypt's audit noted a connection between TrueCrypt's refusal to change the license and their departure-time warning. "They set the whole thing on fire, and now maybe nobody is going to trust it because they'll think there's some big evil vulnerability in the code."{{cite web|url=http://www.ibtimes.co.uk/truecrypt-goes-way-lavabit-developers-shut-it-down-without-warning-1450467 |title=TrueCrypt Goes the Way of Lavabit as Developers Shut it Down Without Warning |date=29 May 2014 |publisher=Ibtimes.co.uk |access-date=1 June 2014}}

On 16 June 2014, the only alleged TrueCrypt developer still answering email replied to a message by Matthew Green asking for permission to use the TrueCrypt trademark for a fork released under a standard open source license. Permission was denied, which led to the two known forks being named VeraCrypt and CipherShed as well as a re-implementation named tc-play rather than TrueCrypt.{{cite web |last=Green |first=Matthew D. |author-link=Matthew D. Green |title=Here is the note... |date=16 June 2014 |url=https://twitter.com/matthew_d_green/status/478721271316758528 |format=Twitter |access-date=22 June 2014 |archive-url=https://web.archive.org/web/20140817063344/https://twitter.com/matthew_d_green/status/478721271316758528 |archive-date=17 August 2014 |url-status=dead |df=dmy }}{{Citation | last =Goodin | first =Dan | title =Following TrueCrypt's bombshell advisory, developer says fork is "impossible" | work=Ars Technica |publisher=Condé Nast | date =19 June 2014 | url =https://arstechnica.com/security/2014/06/following-truecrypts-bombshell-advisory-developer-says-fork-is-impossible/ | access-date = 22 June 2014}}

In 2007 a US trademark for TrueCrypt was registered under the name of Ondrej Tesarik with a company name TrueCrypt Developers Association{{cite web|url=http://tmsearch.uspto.gov/ |title=Trademark Electronic Search System (TESS) |website=tmsearch.uspto.gov |access-date=31 August 2017}} (search trademark directory for "TrueCrypt") and a trademark on the "key" logo was registered under the name of David Tesarik with a company name TrueCrypt Developers Association.{{cite web|url=http://www.tmdb.de/us/marke/Tesarik_David,77165797.html |title=77165797 - Markeninformation USPTO - via tmdb |website=Tmdb.de |access-date=31 August 2017}}

In 2009 the company name TrueCrypt Foundation was registered in the US by a person named David Tesarik.{{cite web|url=http://nvsos.gov/sosentitysearch/CorpDetails.aspx?lx8nvq=djRu2RWGpIESdKlMBbSrDw%253d%253d |title=Entity Details - Secretary of State, Nevada |website=Nvsos.gov |date=19 August 2009 |access-date=31 August 2017}} The TrueCrypt Foundation non-profit organization last filed tax returns in 2010,{{cite web|url=http://citizenaudit.org/680678780/#http://bulk.resource.org/irs.gov/eo/2011_04_PF/68-0678780_990PF_201012.pdf |title=Truecrypt Foundation |website=CitizenAudit.org |access-date=31 August 2017}} (search database for "TrueCrypt") and the company was dissolved in 2014.{{citation needed|date=October 2017}}

• Comparison of disk encryption software

{{reflist|colwidth=30em}}

• {{Official website}}
• [http://opencryptoaudit.org Open Crypto Audit Project (OCAP)] – non-profit organization promoting an audit of TrueCrypt
• [http://istruecryptauditedyet.com IsTrueCryptAuditedYet.com] – website for the audit
• [https://www.veracrypt.fr Veracrypt] – official fork website

• [http://filehippo.com/download_truecrypt/history Past versions] on FileHippo
• [https://github.com/DrWhax/truecrypt-archive Past versions] on GitHub
• [https://truecrypt.ch/downloads/ Past versions] {{Webarchive|url=https://web.archive.org/web/20141010023601/https://truecrypt.ch/downloads/ |date=10 October 2014 }} on truecrypt.ch
• [https://www.grc.com/misc/truecrypt/truecrypt.htm Last version] on Gibson Research Corporation website
• [http://andryou.com/truecrypt/docs/ Partial mirror of the original TrueCrypt 7.1a online manual]

{{Cryptography navbox}}

{{Cryptographic software}}

Category:2004 software

Category:Cross-platform software

Category:Cryptographic software

Category:Discontinued software

Category:Disk encryption

Category:Linux security software

Category:Software that uses wxWidgets

Category:Assembly language software

Category:Windows security software