World Library  
Flag as Inappropriate
Email this Article


Article Id: WHEBN0045345491
Reproduction Date:

Title: VeraCrypt  
Author: World Heritage Encyclopedia
Language: English
Subject: Latest stable software release/VeraCrypt, Disk encryption, AES implementations, Articles for deletion/Log/2015 February 2, Linux security software
Publisher: World Heritage Encyclopedia


VeraCrypt 1.0f on Windows
Developer(s) IDRIX
Initial release June 22, 2013 (2013-06-22)
Stable release 1.16 (October 7, 2015 (2015-10-07)[1])
Development status Active
Written in C, C++, Assembly
Operating system
Available in 37 languages[2]
Type Disk encryption software
License Apache License 2.0
Website .com.codeplexveracrypt

VeraCrypt is a source-available freeware utility used for on-the-fly encryption (OTFE).[3] It can create a virtual encrypted disk within a file or encrypt a partition[4] or (under Microsoft Windows except Windows 8 with UEFI or GPT) the entire storage device with pre-boot authentication.[5]

VeraCrypt is a fork of the discontinued TrueCrypt project.[6] It was initially released on June 22, 2013 and has produced its eleventh release (version 1.16) as of October 7, 2015.[7] According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.[8]


  • Encryption scheme 1
    • Algorithms 1.1
    • Modes of operation 1.2
    • Keys 1.3
  • Security improvements 2
  • Plausible deniability 3
  • Performance 4
  • Security concerns 5
    • Encryption keys stored in memory 5.1
    • Physical security 5.2
    • Malware 5.3
    • Trusted Platform Module 5.4
  • Security audits 6
  • License and source model 7
  • Planned features 8
  • See also 9
  • References 10
  • External links 11

Encryption scheme


Individual ciphers supported by VeraCrypt are AES, Serpent, and Twofish. Additionally, five different combinations of cascaded algorithms are available: AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES and Twofish-Serpent.[9] The cryptographic hash functions available for use in VeraCrypt are RIPEMD-160, SHA-256, SHA-512, and Whirlpool.[10]

Modes of operation

VeraCrypt uses the XTS mode of operation.[11]


The header key and the secondary header key (XTS mode) are generated using PBKDF2 with a 512-bit salt and 327,661 to 655,331 iterations, depending on the underlying hash function used.[12]

Security improvements

According to its developers, VeraCrypt has made several security improvements over TrueCrypt.

While TrueCrypt uses 1000 iterations of the PBKDF2-RIPEMD160 algorithm for system partitions, VeraCrypt uses 327,661 iterations. For standard containers and other partitions, VeraCrypt uses 655,331 iterations of RIPEMD160 and 500,000 iterations of SHA-2 and Whirlpool. While this makes VeraCrypt slightly slower at opening encrypted partitions, it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force. "Effectively, something that might take a month to crack with TrueCrypt might take a year with VeraCrypt".[6]

A vulnerability in the bootloader was fixed on Windows and various optimizations were made as well. The developers added support for SHA-256 to the system boot encryption option and also fixed a ShellExecute security issue. Linux and Mac OS X users benefit from support for hard drives with sector sizes larger than 512. Linux also received support for the NTFS formatting of volumes.

Due to the security improvements, the VeraCrypt storage format is incompatible with that of TrueCrypt. The VeraCrypt development team believes that the old TrueCrypt format is too vulnerable to an NSA attack and thus it must be abandoned. This is one of the main differences between VeraCrypt and its competitor, CipherShed, as CipherShed continues to use the TrueCrypt format. However, beginning with version 1.0f, VeraCrypt is capable of opening and converting volumes in the TrueCrypt format.[13][14]

Plausible deniability

VeraCrypt supports a concept called plausible deniability,[15] by allowing a single "hidden volume" to be created within another volume.[16] In addition, the Windows versions of VeraCrypt have the ability to create and run a hidden encrypted operating system whose existence may be denied.[17]

The VeraCrypt documentation lists many ways in which VeraCrypt's hidden volume deniability features may be compromised (e.g. by third party software which may leak information through temporary files, thumbnails, etc., to unencrypted disks) and possible ways to avoid this.[18]


VeraCrypt supports parallelized[19]:63 encryption for multi-core systems and, under Microsoft Windows, pipelined read/write operations (a form of asynchronous processing)[19]:63 to reduce the performance hit of encryption and decryption. On newer processors supporting the AES-NI instruction set, VeraCrypt supports hardware-accelerated AES to further improve performance.[19]:64 The performance impact of disk encryption is especially noticeable on operations which would normally use direct memory access (DMA), as all data must pass through the CPU for decryption, rather than being copied directly from disk to RAM.

Security concerns

VeraCrypt is vulnerable to various known attacks that also affect other software-based disk encryption software such as BitLocker. To mitigate these attacks, the documentation distributed with VeraCrypt requires users to follow various security precautions.[18][20] Some of these attacks are detailed below.

Encryption keys stored in memory

VeraCrypt stores its keys in the RAM; on an ordinary personal computer the DRAM will maintain its contents for several seconds after power is cut (or longer if the temperature is lowered). Even if there is some degradation in the memory contents, various algorithms can intelligently recover the keys. This method, known as a cold boot attack (which would apply in particular to a notebook computer obtained while in power-on, suspended, or screen-locked mode), has been successfully used to attack a file system protected by TrueCrypt.[21]

Physical security

VeraCrypt documentation states that VeraCrypt is unable to secure data on a computer if an attacker physically accessed it and VeraCrypt is then used on the compromised computer by the user again. This does not affect the common case of a stolen, lost, or confiscated computer.[22] The attacker having physical access to a computer can, for example, install a hardware/software keylogger, a bus-mastering device capturing memory, or install any other malicious hardware or software, allowing the attacker to capture unencrypted data (including encryption keys and passwords), or to decrypt encrypted data using captured passwords or encryption keys. Therefore, physical security is a basic premise of a secure system. Attacks such as this are often called "evil maid attacks".[23]


VeraCrypt documentation states that VeraCrypt cannot secure data on a computer if it has any kind of malware installed. Some kinds of malware are designed to log keystrokes, including typed passwords, that may then be sent to the attacker over the Internet or saved to an unencrypted local drive from which the attacker might be able to read it later, when he or she gains physical access to the computer.[24]

Trusted Platform Module

The FAQ section of the VeraCrypt website [25] states that the Trusted Platform Module (TPM) cannot be relied upon for security, because if the attacker has physical or administrative access to the computer and you use it afterwards, the computer could have been modified by the attacker e.g. a malicious component—such as a hardware keystroke logger—could have been used to capture the password or other sensitive information. Since the TPM does not prevent an attacker from maliciously modifying the computer, VeraCrypt will not support TPM.

Security audits

An independent code audit of VeraCrypt is currently in the initial planning stage.[26]

VeraCrypt is based on the source code of TrueCrypt, which passed an independent security audit. Phase I of the audit was successfully completed on 14 April 2014, finding "no evidence of backdoors or malicious code."[27] Phase II of the audit was successfully completed on 2 April 2015, finding "no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances."[28][29]

License and source model

VeraCrypt has been licensed under the Apache License 2.0 since 28 June 2015.[30] Prior to that, it was released under the Microsoft Public License.[31] VeraCrypt inherited a substantial amount of code from its TrueCrypt predecessor and thus is also subject to the terms of version 3.0 of the "TrueCrypt License" which is unique to the TrueCrypt software.[32][33] It is not part of the pantheon of widely used open source licenses and is not a free software license according to the Free Software Foundation (FSF) license list, as it contains distribution and copyright-liability restrictions.[34]

Planned features

Planned features include adding the capability to encrypt GPT System Partitions.[35]

See also


  1. ^ "Release Notes". 2015-10-07. Retrieved 2015-10-08. 
  2. ^ "VeraCrypt 1.0f Bundle (All files and their signatures)". IDRIX. Retrieved 2015-01-04. 
  3. ^ "VeraCrypt Official Site"
  4. ^ "VeraCrypt Volume". VeraCrypt Official Website. Retrieved February 16, 2015. 
  5. ^ "Operating Systems Supported for System Encryption". VeraCrypt Official Website. Retrieved February 16, 2015. 
  6. ^ a b Rubens, Paul (October 13, 2014). "VeraCrypt a Worthy TrueCrypt Alternative". eSecurity Planet. Quinstreet Enterprise. Retrieved February 16, 2015. 
  7. ^ "VeraCrypt Downloads"
  8. ^ Henry, Alan (February 8, 2015). "Five Best File Encryption Tools". Lifehacker. Gawker Media. Retrieved February 16, 2015. 
  9. ^ "Encryption Algorithms". VeraCrypt Documentation. IDRIX. 2015-01-04. Retrieved 2015-01-04. 
  10. ^ "Hash Algorithms". VeraCrypt Documentation. IDRIX. Retrieved 2015-01-04. 
  11. ^ "Modes of Operation". VeraCrypt Documentation. IDRIX. 2015-01-04. Retrieved 2015-01-04. 
  12. ^ "Header Key Derivation, Salt, and Iteration Count". VeraCrypt Documentation. IDRIX. 2015-01-04. Retrieved 2015-01-04. 
  13. ^ "VeraCrypt Release Notes"
  14. ^ Castle, Alex (March, 2015). "Where Are We At With TrueCrypt?". MaximumPC, p. 59.
  15. ^ "Plausible Deniability". VeraCrypt Documentation. IDRIX. 2015-01-04. Retrieved 2015-01-04. 
  16. ^ "Hidden Volume". VeraCrypt Documentation. IDRIX. Retrieved 2015-01-04. 
  17. ^ "Hidden Operating System". VeraCrypt Documentation. IDRIX. 2014-01-04. Retrieved 2015-01-04. 
  18. ^ a b "Security Requirements and Precautions Pertaining to Hidden Volumes". VeraCrypt Documentation. IDRIX. 2015-01-04. Retrieved 2015-01-04. 
  19. ^ a b c "VeraCrypt User Guide" (1.0f ed.). IDRIX. 2015-01-04. 
  20. ^ "Security Requirements and Precautions". VeraCrypt Documentation. IDRIX. Retrieved February 16, 2015. 
  21. ^ Alex Halderman; et al. "Lest We Remember: Cold Boot Attacks on Encryption Keys". 
  22. ^ "Physical Security". VeraCrypt Documentation. IDRIX. 2015-01-04. Retrieved 2015-01-04. 
  23. ^  
  24. ^ "Malware". VeraCrypt Documentation. IDRIX. 2015-01-04. Retrieved 2015-01-04. 
  25. ^ "FAQ". Retrieved 2015-01-04. 
  26. ^ Idrassi, Mounir (December 31, 2014). "Security audit". Retrieved February 22, 2015. 
  27. ^ Farivar, Cyrus (2014-04-14), TrueCrypt audit finds "no evidence of backdoors" or malicious code, Ars Technica, retrieved 2014-05-24 
  28. ^ Green, Matthew (April 2, 2015). "Truecrypt report". A Few Thoughts on Cryptographic Engineering. Retrieved April 4, 2015. 
  29. ^ "Truecrypt Phase Two Audit Announced". Cryptography Services. NCC Group. February 18, 2015. Retrieved February 22, 2015. 
  30. ^ "Apache License 2.0 (Apache)". Retrieved 2015-07-01. 
  31. ^ "Microsoft Public License (Ms-PL)". Retrieved 2015-07-01. 
  32. ^ TrueCrypt License. Accessed on: May 21, 2012
  33. ^ TrueCrypt Collective License. Accessed on: June 4, 2014
  34. ^  
  35. ^ "Issues". Retrieved 2015-01-04. 

External links

  • VeraCrypt website
  • TrueCrypt website
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.