New VeraCrypt Version Released

Discussion in 'privacy technology' started by JRViejo, Oct 17, 2016.

  1. guest

    guest Guest

    VeraCrypt v1.23 Hotfix (September 20, 2018)
    Website
    Download (SourceForge)
     
  2. guest

    guest Guest

    VeraCrypt v1.23 Hotfix 2 (October 10, 2018)
    Website
    Announcement
    Download (SourceForge)
     
  3. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
Guys, I'm a complete noob when it comes to encryption. How do you use a tool like VeraCrypt? Is it to encrypt only certain folders, or does it encrypt all data on shutdown?
     
  5. guest

    guest Guest

1) You can create an encrypted file container (for example: c:\users\rasheed187\data). After "mounting" it (for example on D:) you can place your secret files on D:
    If you unmount it, D: is gone and everyone can only see the "innocent-looking file" c:\users\rasheed187\data

    2) You can create an encrypted partition. In this case the whole partition is encrypted.
    The same as above, after mounting it to a drive letter you have access to your files.

3) a) The system partition (C:) can be encrypted. Without entering the correct password in the VeraCrypt Boot Loader, the OS which resides in the encrypted partition cannot be booted.
    3) b) The entire system drive can be encrypted

    You also have the option to create a hidden volume or even a hidden OS.
    What will be mounted depends on what password you are entering.
    If you are "forced" to enter a password, you can now use the password for your (only if created) "decoy OS" or decoy volume.
     
  6. 142395

    142395 Guest

Probably your use is to encrypt files before uploading them to the cloud on Windows, right? Then Cryptomator (or alternatively BoxCryptor) will probably be better suited.
    As mood has explained, VC mounts a file as a virtual drive, but if you sync many files the container file has to be large. Mine is several GBs so syncing takes hours, and as it is a single file, when you've changed only 1 file in it the whole container has to be reuploaded.
    Cryptomator also uses a virtual drive, but it's not a single file. All files are individually encrypted (file/folder names are also encrypted, but note you can't hide the approximate file size), so if you change only 1 file then only that file will be reuploaded.
    I don't have any experience with CM or BC so I might be wrong in the details, but I had used a similar program called encfs (its Windows fork was again (2nd time) deprecated so I don't recommend it for you). Both are free, except that CM on mobile costs a bit.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK thanks for the info. So I guess it makes sense to only put important files inside the encrypted partition. But will these files be accessible almost instantly?

Thanks, will check them out. But no, my intention was to protect data in case my desktop or laptop gets stolen.
     
  8. 142395

    142395 Guest

OK, then there can be some options depending on how much security you need. Encrypting the system partition or the whole drive as mood mentioned is one, and, as you said, separating important data and saving it in an encrypted drive or encrypted container is another, though it's less secure as your OS will record metadata such as file path and timestamp for those files, and swap or hibernation may temporarily save them in plain text.

I don't know what you mean by instantly, but you have to type the password every time you want to first access them, then VC will 'stretch' your password (you can control how long it takes though), then finally you get access. Once decrypted, it's unnoticeable on a modern processor regardless of whether your CPU supports AES-NI.
     
  9. guest

    guest Guest

To find out what maximum speed (encryption/decryption) you can expect, you can use "Tools -> Benchmark -> VeraCrypt - Algorithms Benchmark".
    Features like Parallelization, Pipelining or Hardware Acceleration can additionally speed up the process of encryption/decryption.

    Most probably you won't "feel" any difference if you are accessing encrypted containers/partitions.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
Basically, what if you want access to, let's say, 300GB of data, will this take some time to decrypt? And is there any risk of losing data when you make use of encryption?
     
  11. 142395

    142395 Guest

That depends on your architecture (CPU, AES-NI, your HDD/SSD's I/O), but regardless of size it's unlikely you'll notice performance degradation, unless your PC is super old & low-end. Usually key-stretching after you've entered the password is the most time-consuming part, unless you adjust the parameter called PIM.
    Other than the obvious case where you forgot your password, yes, such a thing can happen and we've occasionally seen someone come here and cry. So if you choose system encryption, make sure to create a VC rescue disk (IDK much about GPT/UEFI though). If you choose a container, create a header backup and save it in a safe place. VC uses XTS mode encryption, which means even when a part of your data is corrupted it doesn't spread to other sectors. However, you lose access to the entire drive/volume if the VC boot loader/volume header was corrupted; this is when the above methods come into play. I've only had this happen once in around 5 years of TC/VC use, but the backup saved me.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
OK I see. So you say it will only take seconds with an Intel Core i5 CPU? The reason I ask is because from what I understood, all modern smartphones use encryption for the whole drive. And it only takes seconds to decrypt all data apparently. And what about Bitlocker, is it any different than VeraCrypt?
     
  13. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
I haven't been chiming in much lately on VC or TC questions. I decided to jump on this because the "delay" being examined is providing tremendous security. First let me state what I hope is obvious. The delay only happens during the initial opening of the volume and has almost nothing to do with the volume's size or contents. The code is performing needed iterations as it processes the passcodes. By examining the PIM feature in VC you can quickly see that increased iteration counts necessitate longer times to unlock the headers being used. Frankly there have been significant code improvements over the older brother TC. In my case I have some archive externals with high and specific PIM instructions coded in the headers. Those will take almost 10 seconds to open on ANY normal computer. I want it that way, as opposed to weak non-specific iteration software that opens almost instantly. Instant sounds great until you consider WHY it's instant. Just giving food for thought here. I don't code for system disks any longer on these two programs, but I still deal with archives because of the hidden volume header code and having storage off premise.
     
  14. 142395

    142395 Guest

    @Rasheed187
I guess perhaps you misunderstand how it works. When you enter the password, it derives the encryption key from the password, and that takes some time, as Palancar & I have explained. No decryption occurs in this step, but encryption/decryption occurs on the fly whenever the OS or apps write/read the HDD/SSD. This means no plain text data will be written to disk, it's only in memory, and when we say you won't notice a delay it is about this process - especially as the Core i5 supports AES-NI (confirm it is enabled in BIOS), if you choose AES for the algorithm you'll never feel an actual difference. Of course the 1st time you encrypt the disk is the exception, it can take quite a time but it's only once.

The difference between VC and BL is (1) VC is open source and audited by experts, BL is not. There've been many talks that somebody (not necessarily law enforcement) bypassed BL, but not all cases are clear; maybe some of them are just poor user decisions (weak password, poorly secured backup key), but we will never know. (2) VC is interoperable with Win, Mac, Linux, and even Android (with unofficial apps), but BL is Windows only and configuring it requires the Pro+ version, though opening a BL encrypted drive is supported in all versions. (3) You can use a USB drive instead of a password in BL. But it means you have to carry around the USB, and if an adversary who stole your laptop could also get the USB, it's game over.
     
  15. 142395

    142395 Guest

I rarely see a rigorous explanation so I'll write short notes about PIM. The TC/VC devs have been recommending you use a 20+ char random password consisting of the full printable ASCII character set. A 20 char random password from that 95 char set has more than 128 bits of entropy, and as a matter of math & physics it's impossible to break that until a quantum computer with at least thousands of qubits is realized. So if you use a 20 char random password, you can safely set PIM to 1. You can reduce the length of the password to 14 while keeping practical security, as a 14 char password still has 92 bits and VC forces at least 16000 rounds of PBKDF2, so the total entropy is more than 103 bits, which the world's best computer will achieve in around 2050. Assuming a supercomputer may sound funny, but criminals with a large botnet can get to a similar level of computation. But if you want to use 13 chars, then keep the default PIM of 485. If you prefer even shorter, PIM has to be increased exponentially, which will cause much waiting time. All of the above assumes your password is derived from a well-designed password generator (alternatively you can use Diceware with a different entropy calculation), but if you choose something more memorable like the Schneier scheme, make it longer or increase PIM. Also if you only use UC, LC and numbers and no punctuation, add 1 char of length.

If your threat model includes shoulder hacking, keeping a large PIM still makes sense even with a strong password (getting the full password via shoulder hacking is not easy, but he has a clue). Note that the fact PBKDF2 is not memory-hard is irrelevant to the entropy calculation, though a memory-hard function is better to have (well, why do the VC devs keep adding some quirky hash instead of a big move to bcrypt, scrypt, or Argon2, even as an option?)

    [EDIT:] miscalc
     
    Last edited by a moderator: Oct 23, 2018
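As an added worked example (not part of the post above, and not VeraCrypt's own code), here is the entropy-plus-stretching arithmetic the post walks through, written in Python. It uses VeraCrypt's documented PIM-to-iteration formulas (non-system volumes: 15000 + PIM x 1000, which gives the 16000 rounds at PIM 1 and 500,000 at the default PIM 485 mentioned above; system encryption with SHA-256: PIM x 2048) and PBKDF2-HMAC-SHA-512, VeraCrypt's default header KDF for non-system volumes. The function names, the sample password and the salt are mine and constructed for the demo; the `pim_for_target` helper is my generalization of the post's reasoning (smallest PIM that brings a given password up to a target work factor), not something VeraCrypt's UI computes.

```python
"""Password entropy vs. VeraCrypt PIM (key stretching), as a worked example.

Assumptions (documented VeraCrypt behaviour, restated here; not the forum post's code):
  non-system volumes, and system encryption with a hash other than SHA-256:
      iterations = 15000 + PIM * 1000
  system encryption with SHA-256:
      iterations = PIM * 2048
Header key derivation is PBKDF2-HMAC-SHA-512 (VeraCrypt's default for
non-system volumes). Password and salt below are constructed sample values.
"""
import hashlib
import math
import time

PRINTABLE_ASCII = 95   # 0x20..0x7E, the character set the post refers to
ALNUM = 62             # upper + lower + digits only, no punctuation


def password_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from a `charset_size` set."""
    return length * math.log2(charset_size)


def veracrypt_iterations(pim: int, system_encryption: bool = False,
                         hash_name: str = "sha512") -> int:
    """PBKDF2 iteration count VeraCrypt derives from a PIM value (documented formulas)."""
    if pim < 1:
        raise ValueError("PIM must be >= 1")
    if system_encryption and hash_name == "sha256":
        return pim * 2048
    return 15000 + pim * 1000


def effective_work_bits(length: int, charset_size: int, pim: int, **kw) -> float:
    """Password entropy plus log2(iterations): work per guess, in bits, for a brute-force attacker."""
    return password_entropy_bits(length, charset_size) + math.log2(veracrypt_iterations(pim, **kw))


def pim_for_target(target_bits: float, length: int, charset_size: int) -> int:
    """Smallest PIM (non-system volume formula) whose work factor reaches `target_bits`.

    Hypothetical helper: generalizes the post's 'shorter password needs a bigger PIM' point.
    """
    needed_iterations = 2 ** (target_bits - password_entropy_bits(length, charset_size))
    pim = math.ceil((needed_iterations - 15000) / 1000)
    return max(1, pim)


def derive_header_key(password: bytes, salt: bytes, pim: int, dklen: int = 64) -> bytes:
    """Stretch `password` the way a VeraCrypt non-system volume header would (PBKDF2-HMAC-SHA-512)."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, veracrypt_iterations(pim), dklen)


if __name__ == "__main__":
    for length in (20, 14, 13):
        print(f"{length} chars from {PRINTABLE_ASCII}-char set: "
              f"{password_entropy_bits(length, PRINTABLE_ASCII):.1f} bits, "
              f"PIM 1 -> {effective_work_bits(length, PRINTABLE_ASCII, 1):.1f} bits, "
              f"PIM 485 -> {effective_work_bits(length, PRINTABLE_ASCII, 485):.1f} bits")
    print("PIM needed for 103-bit work with a 13-char password:",
          pim_for_target(103, 13, PRINTABLE_ASCII))

    # The stretching cost is paid once, at mount time; it is unrelated to volume size.
    sample_password = b"correct horse battery staple"   # constructed sample, not a real secret
    sample_salt = bytes(range(64))                      # constructed; VeraCrypt uses a random 64-byte salt
    for pim in (1, 485):
        start = time.perf_counter()
        derive_header_key(sample_password, sample_salt, pim)
        print(f"PIM {pim}: {veracrypt_iterations(pim)} iterations took "
              f"{time.perf_counter() - start:.2f}s on this machine")
```

Run it as-is to see the per-mount cost of key stretching grow with PIM while the per-guess work factor (in bits) only grows by log2 of the iteration count, which is why the post treats password length as the main lever and PIM as the fine adjustment.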
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK I see. I haven't got any problems with a small delay. I guess I will need to experiment a bit with VeraCrypt. I will make a selection of most important data and put it on a separate volume. However, you guys didn't respond to my question about BitLocker, does this encrypt all data on the drive, or does it work the same as VeraCrypt?
     
  17. 142395

    142395 Guest

    I responded, but anyway, BL can encrypt whole drive or system, so except for container mode in VC it works in the same way.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Sorry about that, I must have had a black-out or something, but I now see your response. I have read a bit more about BitLocker, weird that M$ doesn't offer this on all Windows versions. Since it encrypts the entire drive, I suppose it's a pretty good and fast system and that you don't have to worry about data corruption. Perhaps in the future, PC makers can offer a dedicated encryption chip like the T2 from Apple.
     
  19. guest

    guest Guest

    VeraCrypt v1.24 Beta 0 (December 18, 2018)
    Website
    Announcement
    Download (SourceForge)
     
  20. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,440
    Location:
    U.S.A.
  21. guest

    guest Guest

VeraCrypt v1.24 Beta 1 (January 21, 2019)
    Website
    Announcement
    Download (SourceForge)
    Changes between 1.24 Beta 0 and 1.24 Beta 1:
    • Fix issue related to Windows Update breaking VeraCrypt UEFI bootloader.
    • Better support for Multi-boot for EFI system encryption.
    • New security features:
      • Erase system encryption keys from memory during shutdown/reboot to help mitigate some cold boot attacks.
      • Add option when system encryption is used to erase all encryption keys from memory when a new device is connected to the system.
      • Add new driver entry point that can be called by applications to erase encryption keys from memory in case of emergency.
    • Fix editor of EFI system encryption configuration file not accepting ENTER key to add new lines.
     
  22. guest

    guest Guest

VeraCrypt v1.24 Beta 2 (January 31, 2019)
    Website
    Announcement
    Download (SourceForge)
    Changes compared to 1.24-Beta1:
    • Increase password maximum length to 128 bytes in UTF-8 encoding for non system encryption.
    • Speed optimization of XTS mode on 64-bit machine using SSE2 (up to 10% faster).
    • Fix detection of CPU features AVX2/BMI2. Add detection of RDRAND/RDSEED CPU features. Detect Hygon CPU as AMD one.
    • Several enhancements and fixes for EFI bootloader:
      • Implement timeout mechanism for password input. Set default timeout value to 3 minutes and default timeout action to "shutdown".
      • Implement new actions "shutdown" and "reboot" for EFI DcsProp config file.
      • Enhance Rescue Disk implementation of restoring VeraCrypt loader.
      • Fix ESC on password prompt during Pre-Test not starting Windows.
      • Add menu entry in Rescue Disk that enables starting original Windows loader.
    • Use CPU RDRAND or RDSEED as an additional entropy source for our random generator when available.
     
  23. guest

    guest Guest

VeraCrypt v1.24 Beta 3 (March 3, 2019)
    Website
    Download (SourceForge)
Changes between 1.23-Hotfix-2 and 1.24-Beta3 (3 March 2019):
    • All OSs:
      • Increase password maximum length to 128 bytes in UTF-8 encoding.
        • Add option to use legacy maximum password length (64) instead of new one for compatibility reasons.
      • Use Hardware RNG based on CPU timing jitter "Jitterentropy" by Stephan Mueller as a good alternative to CPU RDRAND (http://www.chronox.de/jent.html)
      • Speed optimization of XTS mode on 64-bit machine using SSE2 (up to 10% faster).
      • Fix detection of CPU features AVX2/BMI2. Add detection of RDRAND/RDSEED CPU features. Detect Hygon CPU as AMD one.
    • Windows:
      • Implement RAM encryption for keys and passwords using ChaCha12 cipher, t1ha non-cryptographic fast hash and ChaCha20 based CSPRNG.
        • Available only on 64-bit machines.
        • Disabled by default. Can be enabled using option in UI.
        • Less than 10% overhead on modern CPUs.
      • Mitigate some memory attacks by making VeraCrypt applications memory inaccessible to non-admin users (based on KeePassXC implementation)
      • New security features:
        • Erase system encryption keys from memory during shutdown/reboot to help mitigate some cold boot attacks
        • Add option when system encryption is used to erase all encryption keys from memory when a new device is connected to the system.
        • Add new driver entry point that can be called by applications to erase encryption keys from memory in case of emergency.
      • MBR Bootloader: dynamically determine boot loader memory segment instead of hardcoded values (proposed by neos6464)
      • MBR Bootloader: workaround for issue affecting creation of hidden OS on some SSD drives.
      • Fix issue related to Windows Update breaking VeraCrypt UEFI bootloader.
      • Several enhancements and fixes for EFI bootloader:
        • Implement timeout mechanism for password input. Set default timeout value to 3 minutes and default timeout action to "shutdown".
        • Implement new actions "shutdown" and "reboot" for EFI DcsProp config file.
        • Enhance Rescue Disk implementation of restoring VeraCrypt loader.
        • Fix ESC on password prompt during Pre-Test not starting Windows.
        • Add menu entry in Rescue Disk that enables starting original Windows loader.
      • Add option (disabled by default) to use CPU RDRAND or RDSEED as an additional entropy source for our random generator when available.
      • Add mount option (both UI and command line) that allows mounting a volume without attaching it to the specified drive letter.
      • Update libzip to version 1.5.1
      • Do not create uninstall shortcut in startmenu when installing VeraCrypt. (by Sven Strickroth)
      • Enable selection of Quick Format for file containers creation. Separate Quick Format and Dynamic Volume options in the wizard UI.
      • Fix editor of EFI system encryption configuration file not accepting ENTER key to add new lines.
      • Avoid simultaneous calls of favorites mounting, for example if corresponding hotkey is pressed multiple times.
      • Ensure that only one thread at a time can create a secure desktop.
      • Updates and corrections to translations and documentation.
     
  24. guest

    guest Guest

    VeraCrypt v1.24 Beta 5 (March 8, 2019)
    Website
    Announcement
    Download (SourceForge)
     
  25. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
So I just started using this for file system encryption, on the drive I boot from and work from. I must say I am positively surprised, as decryption is immediate on reboot.

    I don't fully understand though: when new files are added to the drive, do the new files on the encrypted system drive get encrypted on the fly or on reboot?
    What can go wrong? I suppose you won't boot if the VeraCrypt installation gets corrupted, what else?
     