VeraCrypt Migration

I admit being a holdout for TrueCrypt.  I wrote about it in my Your Ultimate Security Guide: Windows 7 Edition.  I encouraged it’s use among my friends and family.  I have used it myself.  I have stood so strongly beside TrueCrypt for two reasons.  The first is The Audit.  Being independently audited is incredibly rare among encryption tools and I placed a great deal of trust in the audit which was only recently completed, and the results of which were mostly good.  There were some minor vulnerabilities but nothing to be overly concerned about, and certainly no backdoors.  The other reason I held onto TrueCrypt for so long (and it pains me to admit this) was nostalgia.  TrueCrypt was the gold standard for years and it had been with me through thick and thin, protecting my data on half a dozen personal laptops and across scores of international borders. Letting go of TrueCrypt felt like letting go of an old friend.

But, I didn’t hold onto it out of misplaced loyalty or nostalgia alone.  The audit was huge, and until I had a good reason to believe TrueCrypt was insecure there was no reason to switch.   But audits are not perfect, and now we have that reason.  A new privilege escalation vulnerability was discovered in Windows versions of TrueCrypt (almost two months ago now) that allows the compromise of your full system.  For this reason I am moving, and recommend moving to VeraCrypt as soon as possible.

VeraCrypt Migration
The VeraCrypt interface is updated but still comfortably familiar to TrueCrypt users.

Going back to an un-audited program feels like a huge step backward to me.  I don’t think the developers have maliciously inserted a backdoor, but code is complex and getting encryption right is hard. But there is a very big silver lining.  First, vulnerabilities like the one affecting TrueCrypt can be (and will be, and in this case, already have been) patched.  TrueCrypt’s vulnerabilities will never be patches.  Next, an audit is planned for VeraCrypt that will probably be undertaken after the program is in its next version and has added some new features.  Finally, by increasing the number of iterations from a maximum of  2,000 in TrueCrypt to as many as 500,000 in VeraCrypt, the newer program is significantly stronger against brute-force attacks.  Using VeraCrypt requires almost no learning curve for anyone familiar with TrueCrypt as the two programs are almost identical in up-front operation.

Unfortunately (or fortunately, depending on how you look at it), VeraCrypt and TrueCrypt volumes are incompatible.  This means that if you are using volume-level encryption you will have to create a new VeraCrypt volume, mount your TrueCrypt volume, and drag files into the new one.  If you are using full-disk encryption (which you should be) this will mean fully decrypting your machine and re-encrypting with VeraCrypt.  While it’s decrypted would be an ideal time for a clean install, too.

11/23/2015:  Shortly after this post was published this Ars Technica article was published indicating TrueCrypt is still safer than we thought.  This is good news, but the clock is still ticking on the aging encryption application.

VeraCrypt URL and Checksums:


SHA256: E885951442D91EF237EC6C4F4622C12D8AB7D377CC5DDFBE2181360072C429F1

SHA512: 80EA23F2D70786A0BC3E1ECEDE12A6644FF4507F0AE0C436E4E5367854F38C16020CE62C083B07C844CAA82117BBCE30029AF986DB41E8A7CD1693A104CAA440

USB Flash Drives

Since YUSG: Win7 was released, several of you have asked which USB flash drives I prefer.  There are two that I use on a daily basis for my backups, the Kingston Data Traveler and the SanDisk Cruzer Fit.

The Kingston Digital DataTraveler SE9 64GB USB 2.0 Flash Drive. I like this flash drive because it is rugged and can survive life on my keychain; I have had the same one for almost eighteen months now and it is still going strong. There is a new version that is USB 3.0 capable but I have yet to try it (link HERE).  Though I am quite certain it performs, the redesigned keychain hole doesn’t look as sturdy.  I intend to get my hands on one in the coming weeks and report back.

The other USB flash drive I use is the SanDisk Cruzer Fit CZ33 64GB USB 2.0 Low-Profile Flash Drive. This flash drive is low-profile enough to remain in my USB port full-time and does not snag when taking my laptop in and out of a bag. I have two of these, and one of the two is always in my machine being backed up by CryptSync and the other is at my offsite backup location. There is also a USB 3.0 version of this drive available and I have tried it but do not prefer it because it is much larger and sticks out much further (link HERE). This is probably not an issue if you primarily utilize a desktop PC or travel with your laptop infrequently.

All three of the flash drives I use for backups are full-disk encrypted with TrueCrypt.

The 64 Gb versions of the SanDisk Cruzer Fit (left) and the Kingston Data Traveler.
The 64 Gb versions of the SanDisk Cruzer Fit (left) and the Kingston Data Traveler.