VeraCrypt - an enhanced version of TrueCrypt

Discussion in 'privacy technology' started by oliverjia, Sep 16, 2014.

  1. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    Hi all,

    I just came across this enhanced version of Truecrypt: https://veracrypt.codeplex.com/

    Its code is based on Truecrypt, with enhanced encrypting iterations against modern brute-forcing, and fixed bugs found in Truecrypt Open crypto audit project https://opencryptoaudit.org/.
    I feel like since the Truecrypt is basically abandoned and there is currently no other fork, what do you think about this project, and would you intend to use it in the near future to replace Truecrypt?
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    I'm waiting for the second audit before making a call here. I really do hope that the talent that does take over Truecrypt properly pools its resources. In my opinion what's needed is: response to bugs found in the audit; support for GPT (so that it remains the only solution for full cross-platform encryption); easier/more repeatable compilation with easier verification & audit; a more regular OS licence. I'd also hope they could be personally open and seeking funding from commercial support contracts, because I think that's the only way to get it properly maintained as a long-term proposition.
     
  3. WeAreAllHacked

    WeAreAllHacked Registered Member

    Joined:
    May 22, 2014
    Posts:
    28
    "VeraCrypt 1.0e is out with many security fixes and performance enhancements."

    Okay security fixes such as? The documentation could be better....
     
  4. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    All good points you have, in my opinion. And I agree money is needed for sustained development of this great tool. I used to rely on Truecrypt for all my encryption needs, since I thought TC was open-source and there should be no hidden gems (back doors etc), until I heard about the audit program. But then TC was abandoned right after the audit started, which is quite suspicious if we look at the timeline of these events.

    Anyway, I may use Veracrypt for now, until a more proper fork is in effect, with clean audit results of TC.
     
  5. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,081
    There is also https://truecrypt.ch/
    I don't know which one will become the "standard", and probably there are other forks, too much effort being spread
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I haven't checked it out yet, but there is also CipherShed, first version will be available for download soon:
    https://ciphershed.org/
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
  8. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
  9. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    87
    I'm really interested in knowing what the next TC will be.. Does anyone know when the next phase of the audit will be completed?
     
  10. drm2000

    drm2000 Registered Member

    Joined:
    Apr 20, 2014
    Posts:
    18
    I continue to use Truecrypt. One of the reasons is because it is cross platform. And it has been around a long time and is very stable. I'm not worried about being hacked until someone publishes a method. Sure the NSA may be able to do it ... but I have nothing to hide from them.

    Veracrypt is new. But how do we know it isn't already compromised? What reason do we have to believe it is stable and safer? Trusting any application over the internet is difficult when there is no history and we don't know who is really behind it.
     
  11. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Linux and OSX setup files are signed with PGP but the Windows version isn't :thumbd:
     
  12. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    hi
    a new version is out

    1.0f

    is there a portable version ?


    and the changelog is
     
  13. sokatech

    sokatech Registered Member

    Joined:
    Jun 7, 2013
    Posts:
    1
    Location:
    Germany
    When you start the downloaded 1.0f-1 setup file, you can decide whether you want to install VeraCrypt on the PC or only expand the package.
    Expand it and you have the portable version. The procedure remained the same like it was with TrueCrypt.
     
  14. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    thanks
    I have some truecrypt partitions encrypted
    the only way to use them with veracrypt, is to decrypt with truecrypt and move the data, and create a new one with veracrypt?
     
  15. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I personally feel Veracrypt's added iterations are nothing more than a performance drop.
    As long as you use a very strong password, brute-force is almost impossible until a big advancement is invented.
    IMO what they should have added was not such iterations, but an auto-delete feature that, if wrong passwords were inputted more than a threshold, deletes the key in a secure way.
     
  16. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    hi
    but it seems that truecrypt will not be developed any more :(
    about bruteforce, did you try it?
    is there a test about bruteforce, vera vs truecrypt?
     
  17. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    The issue with any at-rest encryption is that you can't prevent people from making an evil form of Truecrypt which does not have that feature in it. And the file formats are essentially open for anyone to write a brute force program.
     
  18. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Plus, I have made this statement many times before as a forensic guy: the first thing done is to sector by sector clone/copy the intended target. We thereby maintain an exact replica just in case anything goes wrong with the examining computer or a software crash of any nature. This feature won't do anything when an adversary can repeatedly return to a "known" starting point. You are kidding yourself if you think a "rookie" mistake like working on the target without an exact replica being created first will ever happen. It won't!


    Mantra,

    You do have another option on your pre-established TrueCrypt volumes. If you want to use Vera Crypt for now and in the future (not a call I would make but it is YOUR call), it is simple to employ TC portable to access the truecrypt volumes. The TC portable application maintains the same security level as a full install in creation, and use of encryption. This may be especially useful if you are talking about 2 TB externals which are already encrypted.
     
  19. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    Hi Palancar
    thanks, but I would like to use veracrypt, and all my volumes are created with truecrypt
    sadly they are incompatible, are they?
     
  20. 4Qman

    4Qman Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    12
    Mantra, as far as I'm aware you need to decrypt your volumes and re-encrypt with VeraCrypt; due to the enhancements put in place it is not possible to mount TC volumes with veracrypt. I myself decrypted a couple of my file containers and then went back to truecrypt again due to the delay in loading them; it was very noticeable and caused sustained delay on weak CPU systems.

    The latest version 1.0f does mention an improvement in this area so it's worth trying.
     
  21. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Ouch! Both of your points are surely valid! I was wrong.
    Thanks, another valid point. So maybe a possible solution is to implement auto-deletion capability not in the software but in the encrypted container/disk itself, and delete not the key but the entire container/disk, but both of them would be technically impractical.

    It was naive to think a function seen in some hardware-assisted encryption drives can be imported to this kind of encryption software. But if anyone has any idea about it, it's very welcome.
     
  22. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Didn't try it myself, and the result would not be interesting as my computer is not so powerful.
    But it's a rather simple math question, and as long as you choose a very strong and random password, bruteforcing it within a practically meaningful time period is almost impossible, at least in the current situation.

    And if you combine a key file with the password in a clever way (not making it easy to guess or grab your key file), the only possible bruteforce will be bruteforcing the key itself, but that is also very hard unless the attacker uses a supercomputer.
    [EDIT: it seems even with a supercomputer, bruteforcing an AES256 key is impossible.
    http://www.reddit.com/r/theydidthem...e_and_energy_required_to_bruteforce_a_aes256/
    Of course if a serious and practical vuln is found in AES, or a quantum computer is finally invented, the game will change...]
     
    Last edited: Jan 9, 2015
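
Added example, not part of any post in this thread: a Python sketch of the "simple math" behind the iterations-versus-password-strength discussion above, timing PBKDF2 per guess and converting password entropy into expected search time. The iteration counts (1,000 and 500,000 with HMAC-SHA-512) and the 10,000-core attacker are assumptions, not values given in the thread.

```python
import hashlib
import math
import os
import time

# Assumed PBKDF2-HMAC-SHA-512 iteration counts; the thread does not state them.
TRUECRYPT_ITERATIONS = 1_000
VERACRYPT_ITERATIONS = 500_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_header_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch a password into 64 bytes of key material, as a volume header KDF does."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Average wall-clock cost of one password guess on this machine (one CPU core)."""
    salt = os.urandom(64)
    start = time.perf_counter()
    for i in range(samples):
        derive_header_key(b"constructed-guess-%d" % i, salt, iterations)
    return (time.perf_counter() - start) / samples


def stretch_bits(old_iterations: int, new_iterations: int) -> float:
    """Extra attacker work, in bits, bought by raising the iteration count."""
    return math.log2(new_iterations / old_iterations)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_search(entropy_bits: float, guess_seconds: float, workers: int = 1) -> float:
    """Expected time to find the password: half the space, split across workers."""
    return 2 ** (entropy_bits - 1) * guess_seconds / workers / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(f"iteration increase = {stretch_bits(TRUECRYPT_ITERATIONS, VERACRYPT_ITERATIONS):.1f} bits")
    for name, iters in (("1,000", TRUECRYPT_ITERATIONS), ("500,000", VERACRYPT_ITERATIONS)):
        cost = seconds_per_guess(iters)
        for length in (8, 12, 20):  # random alphanumeric passwords (62 symbols)
            bits = password_entropy_bits(62, length)
            print(f"{name:>7} iter, {length:2d} chars ({bits:5.1f} bits): "
                  f"{years_to_search(bits, cost, workers=10_000):.3g} years on 10,000 cores")
```

The per-guess timing is for one CPU core running Python's `hashlib`; purpose-built cracking hardware will be faster, which shifts every row by the same factor.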
  23. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    I think this is the ONLY way to do this kind of thing - have a modified vanilla disk drive, which will trash the content if it doesn't get the right codes when started. Even there, it's unlikely you'd be able to delete much of the drive before someone noticed the activity. Or perhaps, if the right code were not entered, it would serve up rubbish or pretend to be blank or something.

    In a way though, I think you're better off with keeping it simple, and using strong passwords - they do work.....!

    The focus on brute-forcing is perhaps diversionary, if we cast our minds to the cartoon of the hammer-based persuasion, or the fact that most people use weak passwords - that's what a lot of the password crackers rely on.

    On a separate note, I have looked at some patterns for WDE which include the use of a Yubikey HMAC-SHA1 as part of a TFA keying process - I think this is much superior to using keyfiles. I would like that to be included in developments of Truecrypt.
     
  24. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Thanks, always appreciate your input!
     
  25. mlauzon

    mlauzon Registered Member

    Joined:
    Aug 9, 2011
    Posts:
    107
    Location:
    Canada
    I still believe the license should be changed, the original developers completely abandoned TC, so why stick to the original license?!
     