is nested encryption good

Discussion in 'encryption problems' started by garry35, Jun 19, 2024.

  1. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    488
    if i created an encrypted container inside of an already encrypted container plus an extra layer of encryption each time using a different passcode, is there any advantages for security ?
     
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,060
    Location:
    Member state of European Union
    If passwords are of same complexity then you approx. double brute force attack time, which is almost nothing really.
    So no, not in a way that you may hope at least.

    Second layer of encryption like container could be an advantage if you i.e. have whole drive encryption but you leave laptop unattended with only lockscreen as only protection. Then you should close container when you leave device unattended and in that case that's advantegous. Focus on opening and closing encryption layer and what could go wrong in between
     
  3. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    488
    not sure if its possible but an encrypted container inside another encrypted container
     
  4. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,060
    Location:
    Member state of European Union
    Only theoretical possibility. Don't bother
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,413
    Much easier to simply use a VeraCrypt cascade algo if that is really something you worry about. Each additional part of the cascade will lower performance because your machine will have to do more math for the same operations.

    FYI - nesting is really easy and safe to do BUT is it worth it? You will have to decide.
     
  6. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,060
    Location:
    Member state of European Union
    It is safe until you forget passwords, because it is too many of them. I mean most passwords can be stored in Password Manager, but it does not make sense for me to store passwords for 2nd, 3rd, 4th layer of encryption in same KeePass file. If someone is able to decrypt that KeePass file then all further layers become non-existent.
    Also backups are becoming more and more incovenient.
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,413
    Missed my point. Using cascade algo's means ONE password but VeraCrypt (or other programs) will run it through 2-4 different algo's making breaking all three less likely. There are times when an algo gets broken and if so the other two would keep the data out of sight.

    Modern algo's rarely are bad and broken it is ALWAYS a crappy password or a pwned computer where the "bad guy" has control of the machine.

    My suggestion rather than trying to use two passwords is to simply add 5 digits to your current password. That alone would add 64 to the 5th exponent to the current password.
     
  8. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,713
    Location:
    USA
    On paper, having a hidden nested container inside an encrypted container doubles the security of your data, but in real life it is pointless. Here is why:

    If you are protecting your data from a highly skilled individual that is targeting you, and if this person is able to break your external container, then they will use the same methods to break your hidden container as well.

    On the other hand, if you are protecting your data from a causal person, then one encrypted container using a good encryption cipher, with a strong password is good enough.

    Having a hidden container uses more computational resources to decrypt the data, you have to remember an extra password, you have to take special care of your external container, as now there is a hidden container inside of it, so the free space is not actually free space, and you cannot overwrite it.
     
  9. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,060
    Location:
    Member state of European Union
    OP was saying multiple containers and multiple passwords.

    I didn't know VeraCrypt has cascade option. I mostly use LUKS and GnuPG. Interesting, although I don't see in mine threat model use for it
     
  10. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,413
    Same here. My most protected data is lurking under a LUKS2 super block with argon2id as the crypto hash. I really wish Veracrypt would work on adding argon2, which is demonstrably more secure than other older methods.

    I do have VeraCrypt vaults inside of my LUKS2 umbrella simply to provide isolation from other data on the LUKS drive. e.g. - I keep 4 VC vaults for Virtual Machines and I open one at a time usually. The mounted virtual machine cannot possibly see the other VM's because they reside in other virtual drives (VeraCrypt) that are locked. So 4 well used, privacy oriented machines, that are only open to the host when I physically open their respective virtual drive. Its easy because I use a special keyfile and don't need to type anything just click and it opens in under 5 seconds. I know VirtualBox and KVM are supposed to do a great job at isolation, but my take is using virtual drives assures the process is just about bullet proof. Just wanted to give one example of where VC on an already impossible to crack LUKS2 umbrella could add some OPSec!! Hope this example makes sense!
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.