
TrueCrypt VeraCrypt

When TrueCrypt mysteriously self-destructed in 2014 with a cryptic warning to use BitLocker instead, VeraCrypt — which had quietly forked a year earlier — became the world's standard for disk encryption. Nobody knows why TrueCrypt died.

What it is

VeraCrypt provides on-the-fly encryption supporting AES, Twofish, Serpent, Camellia, and Kuznyechik ciphers, with cascaded encryption options. It uses PBKDF2 with significantly higher iteration counts than TrueCrypt for key derivation. It supports full disk encryption, hidden volumes, and plausible deniability through hidden operating systems.

The story

TrueCrypt was the gold standard for disk encryption — the tool that journalists, activists, and security-conscious users trusted to protect their data. Edward Snowden recommended it. Security researchers praised its design. And then, on May 28, 2014, the project's website was replaced with a bizarre message declaring that TrueCrypt was 'not secure' and recommending users switch to... Microsoft BitLocker. Yes, the proprietary, closed-source encryption tool built into Windows. For a security tool whose entire raison d'être was independence from corporate software, this was like a vegan restaurant's farewell note recommending McDonald's.

Nobody knows what actually happened. The anonymous developers (who had maintained TrueCrypt since 2004) never explained themselves. Theories ranged from NSA pressure to burnout to a discovered-but-undisclosed vulnerability. An independent audit completed shortly after found no backdoors — just some implementation weaknesses. The mystery remains unsolved to this day.

Fortunately, Mounir Idrassi, a French cryptography expert and founder of IDRIX, had already forked TrueCrypt in June 2013 — a full year before the shutdown. VeraCrypt was initially created to address some security concerns Idrassi had identified in TrueCrypt's key derivation functions, which he considered too weak against brute-force attacks. When TrueCrypt imploded, VeraCrypt was already a functioning project with strengthened cryptography.

VeraCrypt enhanced the original in several key areas: it increased the iteration count for PBKDF2-RIPEMD160 from 1,000 to 655,331, making brute-force attacks orders of magnitude harder. It added support for SHA-256, SHA-512, and Whirlpool hash algorithms for key derivation. It could still open TrueCrypt volumes, providing a seamless migration path.
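The "What it is" and "enhanced the original" paragraphs above both turn on one mechanism: PBKDF2 header-key derivation, and the fact that raising the iteration count from 1,000 to 655,331 multiplies the cost of every password guess by the same factor. The script below is an added illustration written for this page, not code from VeraCrypt, TrueCrypt or IDRIX. It writes out PBKDF2 exactly as RFC 8018 defines it, checks that reference against Python's C-backed hashlib.pbkdf2_hmac, then times one guess at each of the two iteration counts the page quotes. Everything beyond those two numbers is an assumption of the example: HMAC-SHA-512 is used as the PRF (one of the hashes the page says VeraCrypt added; RIPEMD-160 is missing from many current OpenSSL builds), a 64-byte salt and 64-byte derived key are arbitrary demo sizes, and the function names are the example's own. It does not parse or open real volume headers.

```python
import hashlib
import hmac
import os
import time

# Iteration counts as stated on the page for PBKDF2-RIPEMD160 header-key
# derivation: TrueCrypt's original count versus VeraCrypt's raised count.
TRUECRYPT_ITERATIONS = 1_000
VERACRYPT_ITERATIONS = 655_331

# Assumptions of this illustration, not taken from either project's on-disk
# format: 64-byte salt, 64-byte derived key, HMAC-SHA-512 as the PBKDF2 PRF.
SALT_LEN = 64
KEY_LEN = 64
HASH_NAME = "sha512"


def pbkdf2_reference(hash_name: str, password: bytes, salt: bytes,
                     iterations: int, dklen: int) -> bytes:
    """PBKDF2 written out as in RFC 8018 section 5.2:
    U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}),
    T_i = U_1 xor ... xor U_c, DK = T_1 || T_2 || ... truncated to dklen.
    Pure Python, so only sensible for small iteration counts."""
    hlen = hashlib.new(hash_name).digest_size
    blocks = -(-dklen // hlen)  # ceil(dklen / hlen)
    derived = b""
    for i in range(1, blocks + 1):
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hash_name).digest()
        t = u
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t = bytes(a ^ b for a, b in zip(t, u))
        derived += t
    return derived[:dklen]


def derive_header_key(password: bytes, salt: bytes, iterations: int,
                      dklen: int = KEY_LEN) -> bytes:
    """The derivation a real implementation would run: hashlib's C-backed
    PBKDF2, which pbkdf2_reference above exists to explain."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password, salt, iterations, dklen=dklen)


def time_one_guess(password: bytes, salt: bytes, iterations: int) -> float:
    """Seconds a single password guess costs at this iteration count."""
    start = time.perf_counter()
    derive_header_key(password, salt, iterations)
    return time.perf_counter() - start


def compare_iteration_counts(password: bytes = b"correct horse battery staple",
                             salt: bytes = b"") -> dict:
    """Time one guess at TrueCrypt's count and at VeraCrypt's count, and report
    the nominal (655,331 / 1,000) and measured slowdown per guess. A defender
    tuning a KDF wants the measured number: it is the factor by which every
    entry in a password-cracking run gets more expensive."""
    if not salt:
        salt = os.urandom(SALT_LEN)  # constructed random salt for the demo
    tc = time_one_guess(password, salt, TRUECRYPT_ITERATIONS)
    vc = time_one_guess(password, salt, VERACRYPT_ITERATIONS)
    return {
        "truecrypt_seconds_per_guess": tc,
        "veracrypt_seconds_per_guess": vc,
        "nominal_slowdown": VERACRYPT_ITERATIONS / TRUECRYPT_ITERATIONS,
        "measured_slowdown": vc / tc,
    }


if __name__ == "__main__":
    pw, demo_salt = b"example-passphrase", os.urandom(SALT_LEN)
    # The hand-written PBKDF2 must agree with the library at a small count.
    assert pbkdf2_reference(HASH_NAME, pw, demo_salt, 1_000, KEY_LEN) == \
        derive_header_key(pw, demo_salt, 1_000)
    for name, value in compare_iteration_counts(pw, demo_salt).items():
        print(f"{name:>30}: {value:.4g}")
```

The measured slowdown lands close to the nominal 655x because PBKDF2's cost is linear in the iteration count; on a machine where one guess takes around a millisecond at 1,000 iterations, the VeraCrypt count pushes it to well over half a second, which is the whole point of the change the page describes.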

Over time, more of VeraCrypt's code has been rewritten and released under the Apache License 2.0, moving away from TrueCrypt's restrictive and legally ambiguous license. The project became the unquestioned successor, recommended by security professionals and organizations worldwide. Sometimes the best time to fork is before the original dies.

Timeline

TrueCrypt 1.0 released as open-source disk encryption software

Mounir Idrassi forks TrueCrypt to create VeraCrypt with improved key derivation

TrueCrypt website replaced with cryptic shutdown notice recommending BitLocker

Independent audit of TrueCrypt finds no backdoors but some implementation weaknesses

VeraCrypt becomes the de facto standard for open-source disk encryption

Key people

Mounir Idrassi
VeraCrypt creator and IDRIX founder who forked TrueCrypt a year before its mysterious death
TrueCrypt developers
Anonymous creators who inexplicably shut down the project in May 2014

Impact

VeraCrypt filled a critical gap in the security ecosystem when TrueCrypt vanished. Without it, millions of users would have been left without a trusted, open-source disk encryption option — potentially forcing them toward proprietary solutions that offered less transparency.

The TrueCrypt shutdown remains one of the great mysteries of open-source history, but its legacy lives on through VeraCrypt. Idrassi's foresight in forking a year early meant that when the crisis hit, a hardened alternative was already available. It's the open-source equivalent of building the lifeboat before the ship starts sinking.

Lesson: The best time to fork a critical security tool is before it mysteriously dies with a note telling everyone to use Microsoft.
