VeraCrypt patched against two critical TrueCrypt flaws

Discussion in 'privacy technology' started by Minimalist, Sep 28, 2015.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,043
    https://threatpost.com/veracrypt-patched-against-two-critical-truecrypt-flaws
     
  2. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    How is VeraCrypt working these days? Is it true that it takes 30 seconds (or 30 min) to mount drives?
     
  3. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    If you are using it on a Pentium III, 64MB RAM computer, then yeah sure why not, maybe take you 3 hours to mount a drive.
    For me, it only takes a few seconds (less than 5 seconds) to mount a drive or container, on my i7-2700K, 8GB RAM computer.

    My point is, you have to be logical asking any questions here. So you need to specify what sort of hardware you are talking about, because speed always depends on hardware.
     
  4. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    I didn't give any details because I never saw an encryption software take more than a second to decrypt/mount a drive, and I didn't know if the claims were true.
     
  5. haakon

    haakon Registered Member

    Joined:
    May 25, 2015
    Posts:
    749
    Location:
    SW USA
    Well, you didn't see all that much, then. :rolleyes:

    I have a 1GB container in which I run PortableApps Thunderbird. It takes six seconds to mount, the same since I first used Vera when it came out. i7-3770K, 8GB.

    The same on an old E8400, 4GB, takes maybe a skootch longer. It's my backup system and firing it up to time it is beyond the effort I want to expend on this topic. I just had to chime in as whatever claims you refer to (30 minutes? Seriously?) are ordure.

    VeraCrypt rocks. As did TrueCrypt.
     
  6. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,278
    In my case,
    10 s to mount a 300 MB volume in Windows 7, 5-year-old desktop, 4 GB.
    14 s to mount a 400 MB volume in Windows 10, 2-year-old laptop, 6 GB.
     
  7. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    On my 16GB RAM i5 4210 laptop with Ubuntu: 4 secs (465GB partition).
    Same laptop and partition but using Windows7: 12 secs
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    My feeling is that these flaws are actually less important than the fundamental issue that, if your machine is attacked while running, then all the files in the TrueCrypt container are accessible to any process once mounted. You don't need to escalate to get that information, and there are many other ways to escalate anyway.
    I want to move beyond the TrueCrypt model and get something that is more partitioned and maybe two-factor/presence mediated.
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
  10. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    I personally have been looking under the hood on VeraCrypt some. Don't claim to be qualified at this point to do anything much beyond build/compile the VC Linux version pretty easily. I no longer study the Windows-specific code (no personal need) because my system disks are Linux with LUKS. I find the Linux version of VeraCrypt to be quite solid for non-system disk encryption. The patches for code glitches in TC's work were adequate as of VC 1.16. There is a monster improvement with the advent of PIM in hardening the headers on the volumes.

    It only takes a few minutes at most to convert your old TC volumes to VC as long as the TC version used to create them was version 2 (6.X releases +). The conversion is for non-system disks ONLY. The new volume headers are much harder and your custom set PIM takes them to the next level as far as an adversary would be concerned. Of course all things come at a cost. A high PIM and long password mean great security but it takes sometimes 15 seconds to open a volume. After being open though they work at lightning speed just like they used to on TC. I will gladly wait the 10-15 seconds for a volume to open in exchange for so much more security. You can lower your PIM and such if you just want speed and will live with less hardening.
     
  11. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    I recently switched over to VeraCrypt. I have not converted any volumes yet. Currently using the TrueCrypt compatibility mode to access my TrueCrypt volumes. Thinking now is the time to do the conversion.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,947
    Location:
    USA
    I will just create a new container with VC, and copy my files from my TC container to my new VC container. Less risk in something going wrong with the conversion.
     
  13. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    I made backups of my container files and also backed up the volume header for each, then did the conversion. Conversion didn't take long and was successful. I think the time it took to convert was much shorter than copying files from the TC to the VC container files.

    From the FAQ:
    I chose the "Set Header Key Derivation Algorithm" option. Be sure to check "TrueCrypt Mode", I forgot to do that on my first try on my smallest container.

    It does, as @Palancar mentioned, take a bit longer to open. I can live with that.
     
  14. affinityv

    affinityv Registered Member

    Joined:
    Aug 19, 2013
    Posts:
    3
    Location:
    Australia
    Use a good pass phrase, 20+ characters, better if more random, but using the diceware method is quite suitable -- 7, 8 or 9 random words from a set of 7776, plus adjustments if you like to make it even more safe.

    If the unlocking of the drive is too long, use the PIM feature -- set a value that is reasonable; with a good pass phrase, the PIM value might be good with under 10 as a value for PIM.

    VC 1.17 works very, very well for me. But definitely use a good pass phrase AND deliberately use a lower and more reasonable PIM value, especially for the system drive. Better still move away from Windows if you can and use LUKS on a Linux system, there are plenty of good Linux options (albeit many now with systemd failings, but that is another matter).

    Oh and if you have an old TC container and you use VC, well the "Use TC" checkbox is a bonus, it adds another security choice and doubles your security by itself -- do I use this option or not?

    As I understand, just having the TC driver installed on your system gives risk, if it is detected, it can leverage the file (truecrypt.sys) and escalate to admin user rights -- you should never run Windows using a user with admin rights as your daily driver; but even if you do it right and you still have truecrypt.sys driver file, then there is risk that it will be exploited. NB: Uninstalling TC still leaves the truecrypt.sys file in the c:\windows\system32\drivers directory or wherever your drivers directory is.
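
The passphrase-versus-PIM trade-off discussed in the post above, worked through as an added example that is not part of the thread. The iteration formulas and the rule that passwords under 20 characters cannot use a PIM below the default come from the VeraCrypt documentation; the passphrase and salt in the timing function are constructed, and the timing covers a single PBKDF2-HMAC-SHA512 derivation only.

```python
import hashlib
import math
import time

DICEWARE_WORDS = 7776  # word-list size quoted in the post


def diceware_bits(words: int) -> float:
    """Entropy of a passphrase of `words` uniformly random Diceware words."""
    return words * math.log2(DICEWARE_WORDS)


def pim_iterations(pim: int, system: bool = False) -> int:
    """PBKDF2 iterations for a PIM (formulas from the VeraCrypt documentation)."""
    if pim < 1:
        raise ValueError("PIM must be >= 1")
    # system=True: system encryption not using SHA-512 or Whirlpool
    return pim * 2048 if system else 15000 + pim * 1000


def min_pim(password_len: int, system: bool = False) -> int:
    """Smallest PIM VeraCrypt accepts: short passwords cannot go below the default."""
    if password_len >= 20:
        return 1
    return 98 if system else 485


def guess_cost_bits(words: int, pim: int, system: bool = False) -> float:
    """log2 of hash computations needed to exhaust the passphrase space."""
    return diceware_bits(words) + math.log2(pim_iterations(pim, system))


def estimate_unlock_seconds(iterations: int, sample: int = 20000) -> float:
    """Time a short PBKDF2-HMAC-SHA512 run on this machine and scale it up."""
    start = time.perf_counter()
    # Constructed passphrase and all-zero 64-byte salt, used only for timing.
    hashlib.pbkdf2_hmac("sha512", b"constructed passphrase", bytes(64), sample, 64)
    return (time.perf_counter() - start) / sample * iterations


if __name__ == "__main__":
    for words, pim in [(7, 485), (7, 10), (9, 10)]:
        its = pim_iterations(pim)
        print(f"{words} words, PIM {pim}: {its} iterations, "
              f"~{guess_cost_bits(words, pim):.1f} bits, "
              f"~{estimate_unlock_seconds(its):.2f} s per derivation")
```

Lowering the PIM from the non-system default of 485 to 10 removes about 4.3 bits of attacker work, while each additional Diceware word adds about 12.9 bits, so a long random passphrase more than covers the faster unlock.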
     
  15. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    I converted my old TC containers to VC.
     