For instance, typed passwords may be sent to the attacker over the Internet or saved to an unencrypted local drive, from which the attacker might be able to read the passwords upon gaining physical access to the computer. Clarifying the point further, the documentation says that some kinds of malware are designed to log keystrokes. VeraCrypt documentation makes it clear that it cannot secure data on a computer if it has any kind of malware installed. This is acceptable to the legitimate owner, but it makes it much harder for an attacker to gain access to the encrypted data.” No Protection if Malware Installed This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses 655331 for RIPEMD100 iterations for SHA-2 and Whirlpool. “When the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use 327661. Idrassi also said that, for the past 10 years, government agencies like the NSA have developed infrastructure and tools to do forensic analysis of TrueCrypt volumes.Ĭomparing the security features between the erstwhile TrueCrypt and VeraCrypt, the website explains:
CipherShed's developers corrected the few coding errors pointed out by 'that' audit' LAST YEAR months ago and optimized the source code which anyone can obtain and compile for themselves. Idrassi found that TrueCrypt’s transformation was not very complex, and did not provide efficient security - especially with cloud cracking systems. This is April 2015, Open Audit upon request by Truecrypt Fork CipherShed audited TC 7.1a and found what this article 'audit' found.
Though these were no big issues, there were some small things that he wanted to address, prompting him to start VeraCrypt.Īccording to Idrassi, TrueCrypt was not secure the main weakness in program was that the software did not adequately transform passwords to derive keys. While he was working on this project, he carried out a security audit of the code and discovered some issues. The French consultant got the idea of developing VeraCrypt in 2012 when he was asked to integrate TrueCrypt with a client’s product.
VeraCrypt, a fork of the original TrueCrypt code, was launched in June 2013 by IT security consultant Mounir Idrassi. Thus, VeraCrypt hopes to ease the disappointment TrueCrypt users felt upon the project’s abandonment. Later on, it was found that the people behind TrueCrypt abandoned the project itself. Earlier in 2014, VeraCrypt started receiving appreciation among those who were reluctant to continue using TrueCrypt or did not want to wait for the CipherShed fork to mature. Those bugs can only be detected through an audit.Is a source-available freeware utility used for on-the-fly encryption (OTFE) to create a virtual encrypted disk within a file or to encrypt a partition. This does not tell you anything about other issues such as a bad RNG. An incorrect AES implementation that results in VeraCrypt using an algorithm that is not really AES would be quickly noticed when other tools are not able to read the volume, despite having the right key.
If a third-party tool, using a re-implementation of the algorithm, is able to decrypt your volume when the password is supplied, you can verify that the algorithms in use are what has been stated. Another way to verify that at least the encryption is correct is to use a third-party tool to decrypt the volume. There were no severe bugs found in the crypto implementation. Luckily, this has already been done for VeraCrypt, and the results were, while not perfect, good enough. The only way to verify if the encryption was properly done would be to audit the source code. For example, a bug that results in the system accidentally using ECB mode, a bug that results in a null cipher key being used each time rather than your own key, or an insecure RNG that creates a predictable master key. I can imagine a dozen failure modes that completely break the encryption but would result in the drive still appearing to be fully encrypted and unreadable without it.
While it is easy to check if it has not encrypted it at all, you will not be able to easily check if it has been encrypted incorrectly. There is no easy way to check if a program has correctly encrypted your drive. Let's assume, however, that it was never audited, and that we are talking about any generic potentially-insecure disk encryption utility.