Disk Encryption Programs
The first version of TrueCrypt was released in 2004. It has been the most famous disk encryption program, available for Windows, OS X, Linux and other operating systems for a long time. It was popular because it was open source, long time proven and easy to use.
When the NSA affair became known, it was noticed that no one knew who the developers of TC were. This gave rise to wild speculation.
On May 28th, 2014, the TrueCrypt website announced that the project was no longer maintained. The announcement was really strange. The developers recommended to use instead a commercial close source project of Microsoft - during the NSA affair, it became public that Microsoft had worked closely with the NSA.
TryCrypt was audited by the Open Crypto Audit Project. In short, there were some weaknesses, some were discovered even after the audit, but an ultimate backdoor was not found. VeraCrypt has now closed the most important weaknesses.
This means, although TrueCrypt itself should not be used anymore, it is a good starting point for a fork, a further development. Several forks emerged, the most famous being VeraCrypt and CipherShed.
VeraCrypt is the most popular fork of TrueCrypt. The IDRIX team solved many vulnerabilities and security issues of TrueCrypt, they installed a warrent canary, moved to Apache license, and there was also an audit for VeraCrypt and the major found vulnerability was fixed on the same day. The basis of developers is France, which offers at least a better legal situation than the USA.
In my opinion, rewriting the code would be more useful than simply pluging security holes. The performance of VeraCrypt is terrible and some vulnerabilities like the insecure key derivation function PBKDF2 can't be solved in this way.
I agree with the response of Bill Cox to the Audit Team and the VeraCrypt fork. A flaw in the TrueCrypt design makes it almost impossible to increase the security of the key derivation function. Each available password hashing function is perfomed in sequence, until one succeeds. That contradicts the requirement of key derivation functions to be time consuming to hinder the cracking of passwords. At TrueCrypt and also VeraCrypt, a large amount of the execution time is wasted for this design error and not to protect the password.
The VeraCrypt team did not take this flaw into account and simply increased the number of iterations. This results in an unnecessarily long execution time, sometimes several seconds. So, VeraCrypt users have to wait a long time without a corresponding security advantage.
Nevertheless, VeraCrypt is perhaps the first choice today. The policy of rapid closing weaknesses, the transparency of the project, the audit and the warrent canary are good reasons to use VeraCrypt. But some wishes will probably remain unfulfilled.
CipherShed has sufficient expertise and far-reaching plans to implement it. They plan to rewrite the code, replace PBKDF2 with a strong key derivation function and many more. Unfortunately, they have so far mainly replaced the logos.
At first glance, everything speaks for a future version of CipherShed. But in addition to the expertise, such a project also requires trustworthiness. The NSA, too, undoubtedly has expertise, but they use it for other purposes.
It is a great advancement that the developers are known publicly (about the developers of TrueCrypt there are still conspiracy theories today), but if a person has (possibly) previously worked against privacy, then he or she must first regain trust. It is not enough to affirm that this time he is being worked out for privacy. Perhaps today he is doing good and trustworthy work, but normal users can not judge that.
The objection to CipherShed is not technical, but a careless handling of the existing policy of surveillance.
File Level Encryption
See also the File Lock PEA website about the distinction between disk encryption and file encryption.