New VeraCrypt Version Released

Discussion in 'privacy technology' started by JRViejo, Oct 17, 2016.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,439
    VeraCrypt v1.23 Hotfix (September 20, 2018)
    Website
    Download (SourceForge)
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,439
    VeraCrypt v1.23 Hotfix 2 (October 10, 2018)
    Website
    Announcement
    Download (SourceForge)
     
  3. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,331
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,127
    Location:
    The Netherlands
    Guys, I'm a complete noob when it comes to encryption. How do you use such a tool like VeraCrypt, is it to encrypt only certain folders, or does it encrypt all data on shutdown?
     
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,439
    1) You can create an encrypted file container (for example: c:\users\rasheed187\data). After "mounting" it (for example on D:) you can place your secret files on D:
    If you unmount it, D: is gone and everyone can only see the "innocently looking file" c:\users\rasheed187\data

    2) You can create an encrypted partition. In this case the whole partition is encrypted.
    The same as above, after mounting it to a drive letter you have access to your files.

    3) a) The system partition (C:) can be encrypted. And without entering a correct password in the VeraCrypt Boot Loader, the OS which resides in the encrypted partition cannot be booted.
    3) b) The entire system drive can be encrypted

    You also have the option to create a hidden volume or even a hidden OS.
    What will be mounted depends on what password you are entering.
    If you are "forced" to enter a password, you can now use the password for your (only if created) "decoy OS" or decoy volume.
     
  6. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,642
    Probably your use is to encrypt files before uploading them to cloud on Windows, right? Then probably Cryptomator (or alternatively BoxCryptor) will be better suited.
    As mood has explained, VC mounts a file as a virtual drive, but if you sync many files the container file has to be large. Mine is several GBs so syncing takes hours, and as it is a single file, when you've changed only 1 file in it the whole container has to be reuploaded.
    Cryptomator also uses a virtual drive, but it's not a single file. All files are individually encrypted (file/folder name is also encrypted, but note you can't hide approximate file size) so if you change only 1 then only that file will be reuploaded.
    I don't have any experience with CM or BC so might be wrong in details, but had used a similar program called encfs (its Windows fork was again (2nd time) deprecated so I don't recommend it for you). Both are free except for CM on mobile, which costs a bit.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,127
    Location:
    The Netherlands
    OK thanks for the info. So I guess it makes sense to only put important files inside the encrypted partition. But will these files be accessible almost instantly?

    Thanks will check them out. But no, my intention was to protect data in case desktop or laptop gets stolen.
     
  8. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,642
    OK, then there can be some options depending on how much security you need. Encrypting the system partition or whole drive as mood mentioned is one, and as you said, separating important data and saving it in an encrypted drive or encrypted container is another, tho it's less secure as your OS will record metadata such as file path and timestamp for them, and swap or hibernation may save them in plain text temporarily.

    I don't know what you mean by instantly, but you have to type the password every time you want to first access them, then VC will 'stretch' your pwd (u can ctrl how long it takes tho), then finally you get access. Once decrypted, it's unnoticeable on a modern processor regardless of whether your CPU supports AES-NI.
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,439
    To find out what maximum speed (encryption/decryption) you can expect, you can use the "Tools - Benchmark -> VeraCrypt - Algorithms Benchmark"
    And Features like Parallelization, Pipelining or Hardware Acceleration can speed up the process of encryption/decryption in addition.

    Most probably you won't "feel" any difference if you are accessing encrypted containers/partitions.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,127
    Location:
    The Netherlands
    Basically, what if you want access to let's say 300GB of data, will this take some time to decrypt? And is there any risk of losing data when you make use of encryption?
     
  11. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,642
    That depends on your architecture (CPU, AES-NI, your HDD/SSD's I/O) but regardless of size it's unlikely you'll notice perf degradation, unless your PC is super old & low-end. Usually key-stretching when you've entered the pwd is the most time-consuming part unless you adjust the param called PIM.
    Other than the obvious case where you forgot the pwd, yes, such a thing can happen and we've seen occasionally someone come here and cry. So if you chose system encryption, make sure to create a VC rescue disk (IDK much about GPT/UEFI tho). If you chose a container, create a header backup and save it in a safe place. VC uses XTS mode encryption, which means even when a part of your data is corrupted it doesn't spread to other sectors. However, you lose access to the entire drive/volume if the VC boot loader/volume header is corrupted; this is when the above methods come into play. I've only once got this in around 5y of use of TC/VC but the backup saved me.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,127
    Location:
    The Netherlands
    OK I see. So you say it will only take seconds with an Intel Core i5 CPU? The reason I ask is because from what I understood, all modern smartphones use encryption for the whole drive. And it only takes seconds to decrypt all data apparently. And what about Bitlocker, is it any different than VeraCrypt?
     
  13. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,113
    I haven't been chiming in much lately on VC or TC questions. I decided to jump on this because the "delay" being examined is providing tremendous security. First let me state what I hope is obvious. The delay only happens during the initial opening of the volume and has almost nothing to do with the volume's size or contents. The code is performing needed iterations as it processes the passcodes. By examining the PIM feature in VC you can quickly see that increased iteration counts necessitate longer times to unlock the headers being used. Frankly there have been significant code improvements over the older brother TC. In my case I have some archive externals with high and specific PIM instructions coded in the headers. Those will take almost 10 seconds to open on ANY normal computer. I want it that way, as opposed to weak non-specific iteration software that opens almost instantly. Instant sounds great until you consider WHY it's instant. Just giving food for thought here. I don't code for system disks any longer on these two programs, but I still deal with archives because of the hidden volume header code and having storage off premise.
     
  14. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,642
    @Rasheed187
    I guess perhaps you misunderstand how it works. When you enter the pwd, it derives the encryption key from the pwd and it takes some time as Palancar & me have explained. No decryption occurs in this step, but encryption/decryption occurs whenever the OS or apps write/read the HDD/SSD on the fly. This means no plain text data will be written to disk, they're only in memory, and when we say you won't notice delay it is about this process - especially as Core i5 supports AES-NI (confirm it is enabled in BIOS), if you chose AES for the algorithm you'll never feel an actual diff. Ofc the 1st time you encrypt the disk is an exception, it can take quite a time but it's only once.

    The diff btwn VC and BL is (1) VC is open source and audited by experts, BL not. There've been many talks that somebody (not necessarily law enforcement) bypassed BL, but not all cases are clear, maybe some of them are just poor user decisions (weak pwd, poorly secured backup key) but we will never know. (2) VC is interoperable w/ Win, Mac, Linux, and even Android (w/ unofficial apps) but BL is Windows only and configuring it requires the Pro+ version tho opening a BL encrypted drive is supported in all versions. (3) You can use a USB drive instead of a pwd in BL. But it means you have to carry around the USB and if the adversary who stole your laptop also could get the USB, it's game over.
     
  15. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,642
    I rarely see a rigorous explanation so I write short notes about PIM. TC/VC devs have been recommending you to use a 20+ char random pwd consisting of the full printable ASCII char set. A 20 char random pwd from that 95 char set has more than 128 bits of entropy and as a matter of math & physics it's impossible to break that until a quantum computer w/ at least thousands of qubits is realized. So if you use a 20 char random pwd, you can safely set PIM to 1. You can diminish the length of the pwd to 14 while keeping practical security, as a 14 char pwd still has 92 bits and VC forces at least 16000 rounds of PBKDF2 so the total entropy is more than 103 bits, which the world's best computer will achieve in around 2050. Assuming a super computer may sound funny, but criminals w/ a large botnet can get a close level of computation. But if you wanna use 13 chars, then keep the default PIM of 485. If you prefer even shorter, PIM has to be increased exponentially which will cause much waiting time. All of the above assumes your pwd is derived from a well-designed pwd generator (alternatively u can use Diceware w/ a diff entropy calc), but if you choose sth more memorable like the Schneier scheme make it longer or increase PIM. Also if you only use UC, LC, nums only and not punctuation, add 1 char of length.

    If your threat model includes shoulder hacking, keeping a large PIM still makes sense even w/ a strong pwd (getting the full pwd via shoulder hack is not easy, but he has a clue). Note the fact PBKDF2 is not memory-hard is irrelevant to the entropy calc, tho a memory hard function is better to have (well, why does the VC dev keep adding some quirky hash instead of a big move to bcrypt, scrypt, or Argon2 even as an option?)

    [EDIT:] miscalc
     
    Last edited: Oct 23, 2018
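The entropy and PIM arithmetic in the post above, worked through as an added example (my own code, not from the thread or the VeraCrypt project). It assumes the PIM-to-iteration mapping documented by VeraCrypt for SHA-512/Whirlpool (non-system volumes: 15000 + PIM × 1000; system encryption: PIM × 2048), and uses a 64-byte salt and 64-byte PBKDF2-HMAC-SHA512 output as an illustration of the one-time key-stretching step; it is not a reimplementation of the VeraCrypt header format. The `pim_for_target` helper goes beyond the post by computing the minimum PIM for any length, which makes the "increase exponentially" claim for short passwords concrete.

```python
import hashlib
import math
import os

# Charset sizes for the password classes mentioned in the post.
PRINTABLE_ASCII = 95   # full printable ASCII set recommended by the TC/VC devs
ALNUM = 62             # upper + lower + digits, no punctuation


def veracrypt_iterations(pim: int, system_encryption: bool = False) -> int:
    """PBKDF2 iteration count for a PIM value.

    Mapping assumed from VeraCrypt's PIM documentation for SHA-512 /
    Whirlpool: non-system volumes use 15000 + pim*1000, system
    encryption uses pim*2048. PIM 1 therefore gives the 16000 rounds the
    post cites, and the default PIM of 485 gives 500000.
    """
    if pim < 1:
        raise ValueError("PIM must be >= 1")
    return pim * 2048 if system_encryption else 15000 + pim * 1000


def password_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(charset)."""
    return length * math.log2(charset_size)


def effective_bits(length: int, charset_size: int, iterations: int) -> float:
    """Password entropy plus the work factor of key stretching.

    Every PBKDF2 iteration multiplies an attacker's per-guess cost, so
    the stretching contributes log2(iterations) bits to brute-force
    cost. This is the accounting the post uses; as it notes, memory
    hardness is a separate property and does not enter this sum.
    """
    return password_entropy_bits(length, charset_size) + math.log2(iterations)


def pim_for_target(length: int, charset_size: int, target_bits: float,
                   system_encryption: bool = False) -> int:
    """Smallest PIM that lifts a password of this length to target_bits.

    Solves 2**(target - entropy) <= iterations(pim) for pim; returns at
    least 1. Short passwords need exponentially more iterations, which
    is exactly the mount delay the post warns about.
    """
    deficit = target_bits - password_entropy_bits(length, charset_size)
    needed = 2 ** max(deficit, 0)
    if system_encryption:
        pim = math.ceil(needed / 2048)
    else:
        pim = math.ceil((needed - 15000) / 1000)
    return max(pim, 1)


def derive_header_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """The one-time key-stretching step paid at mount time.

    Illustrative: PBKDF2-HMAC-SHA512 with a 64-byte salt and a 64-byte
    output (two 256-bit XTS keys). The cost here scales with the
    iteration count, not with the size of the volume, which is why a
    300 GB volume and a 300 MB volume take the same time to unlock.
    """
    if len(salt) != 64:
        raise ValueError("this illustration expects a 64-byte salt")
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)


if __name__ == "__main__":
    for length, pim in ((20, 1), (14, 1), (13, 485), (12, 485)):
        its = veracrypt_iterations(pim)
        print(f"{length} chars, PIM {pim:>4} ({its:>7} rounds): "
              f"{effective_bits(length, PRINTABLE_ASCII, its):6.1f} effective bits; "
              f"PIM for 103 bits = {pim_for_target(length, PRINTABLE_ASCII, 103)}")
    # Constructed sample mount: the stretching cost is independent of data size.
    salt = os.urandom(64)
    derive_header_key(b"correct horse battery staple", salt, veracrypt_iterations(485))
```

Running the script shows that 20 characters of printable ASCII already exceed 128 bits with PIM 1, that 14 characters with 16000 rounds land just under 106 bits, that 13 characters need only a PIM of a few hundred to reach 103 bits (so the default 485 is enough), while 12 characters need a PIM in the tens of thousands, which is where the mount delay becomes impractical.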
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,127
    Location:
    The Netherlands
    OK I see. I haven't got any problems with a small delay. I guess I will need to experiment a bit with VeraCrypt. I will make a selection of most important data and put it on a separate volume. However, you guys didn't respond to my question about BitLocker, does this encrypt all data on the drive, or does it work the same as VeraCrypt?
     
  17. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,642
    I responded, but anyway, BL can encrypt whole drive or system, so except for container mode in VC it works in the same way.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,127
    Location:
    The Netherlands
    Sorry about that, I must have had a black-out or something, but I now see your response. I have read a bit more about BitLocker, weird that M$ doesn't offer this on all Windows versions. Since it encrypts the entire drive, I suppose it's a pretty good and fast system and that you don't have to worry about data corruption. Perhaps in the future, PC makers can offer a dedicated encryption chip like the T2 from Apple.
     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,439
    VeraCrypt v1.24 Beta 0 (December 18, 2018)
    Website
    Announcement
    Download (SourceForge)
     