USE THE FORK, LUKE

Following TrueCrypt’s bombshell advisory, developer says fork is “impossible”

TrueCrypt developer withholds permission, suggests "starting from scratch."

One of the developers of the TrueCrypt encryption program said it's unlikely that fans will receive permission to start an independent "fork" that borrows from the current source code, a refusal that further clouds the future of the highly regarded application.

The reluctance surfaced in an e-mail published three weeks after TrueCrypt developers' bombshell advisory that users should stop using the cross-platform whole disk encryption program. TrueCrypt has been held up by a variety of privacy advocates—former National Security Agency contractor Edward Snowden among them—as a reliable means to protect individual files or entire hard drive contents from the prying eyes of government agencies and criminal hackers. In the days immediately following last month's TrueCrypt retirement, Johns Hopkins University professor Matt Green asked one of the secretive developers if it would be OK for other software engineers to use the existing source code to start an independent version. The developer responded:

I am sorry, but I think what you're asking for here is impossible. I don't feel that forking truecrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypt's current codebase.

I have no problem with the source code being used as reference.

The denial came in response to an e-mail in which Green said he suspected a TrueCrypt fork was inevitable, given the groundswell of interest in the program. Language in the TrueCrypt license raises the possibility that such independent projects will put developers at risk of violating contractual terms. Without the blessing of TrueCrypt developers, users may be forced to abandon the considerable amount of work already put into TrueCrypt. In his e-mail to the TrueCrypt developer, Green wrote:

We think Truecrypt is an important project—no proprietary disk encryption system offers cross-platform support and the same feature set. Moreover, Truecrypt is unlikely to ‘go away’ just because the developers have abandoned the project. In fact, it may become significantly less secure if it goes forward as samizdat or as part of some unauthorized fork.

We’d like the project to continue, but in a responsible way. That means fully auditing all of the crypto/container and bootloader code and (likely) replacing much of it with fresh implementations. Even though this will require some substantial re-development it still seems more practical than starting from scratch. The current plan is being led by a group of people who have a great deal of experience with cryptography and the expertise to identify flaws, but would prefer not to engineer from scratch.

The main concern we have right now is with the license structure and trademarks associated with Truecrypt. Of course some will fork the project regardless of the legal issues, but this doesn’t seem appropriate without clear guidance. What we would like is permission to take at least portions of the current codebase and fork it under a standard open source license (e.g., GPL/MIT/BSD). We would also like permission to use the Truecrypt trademark as part of this effort. If that’s not possible, we would accept a clear statement that you would prefer the software not be renamed.

I realize this is a great deal to ask, but I would ask you to consider the alternative. Without expert attention there’s a high likelihood that TC 7.1a or some future insecure fork will occupy the niche that a secure version of TC could occupy. Giving your permission to undertake a responsible process of forking and redevelopment would ensure that your work can go on, and that nobody is at risk from using older software.

Green is one of the organizers of a project to fully audit TrueCrypt for backdoors that could be exploited by the National Security Agency or other groups or individuals. Results from Phase I of the audit released in April revealed no evidence of any backdoors. Phase II of the audit is scheduled to commence soon. The full text of Green's correspondence with the unnamed TrueCrypt developer is here.