VeraCrypt Keyfiles as TFA


This week we will get into some advanced features of VeraCrypt. These features are where VeraCrypt really starts to stand head and shoulders above other encryption options. One such feature, and one that I rarely hear mentioned, is the ability to use keyfiles. I think much of this is due to a lack of understanding of exactly what keyfiles are to begin with. But they offer a pretty incredible capability. Without them, your VeraCrypt volumes are protected only by a password. Using the VeraCrypt keyfiles feature allows you to require a second authentication factor: the keyfile. Let’s look at how this works.

VeraCrypt Keyfiles

VeraCrypt keyfiles can be anything. From JPEGs to PowerPoints to .exe files, any file can be a VeraCrypt keyfile. When you add a keyfile to a VeraCrypt volume, that keyfile must be supplied, in addition to the password, each time the volume is opened. To get into your volume, an attacker would have to do the following:

  • Capture or break your password,
  • know that the volume requires a keyfile, and
  • have the correct keyfile.

This creates an orders-of-magnitude increase in the security of your VeraCrypt volumes. If you add the wrong keyfiles, too many keyfiles, too few keyfiles, or no keyfiles at all, the volume will not mount, and it will not tell you that the failure is because of keyfile problems. And there’s more! You can use as many keyfiles as you like (I have used as many as 50). So let’s look at this in a real-world context. Let’s assume I have a volume that is extremely sensitive. I can encrypt the volume with a password and add eight keyfiles. Each keyfile can be from a different location on my computer, e.g. three photos from three different folders, two Word documents, a PowerPoint, a PDF, and an MP3. If an attacker gained access to the volume, he or she would have to break the password and acquire all of these files.

Where do you store these files? Well…pretty much anywhere you want. You could store them on a full-disk-encrypted flash drive that you keep with your computer. They could be a handful of files that you store in your Dropbox account (despite the fact that I don’t like cloud storage). They could be photos on your favorite website that you don’t store at all, but just download when you need them. The options are pretty much limitless.

Now, there are some dangers to using VeraCrypt keyfiles, and I recommend extreme caution if using them for your day-to-day volumes. If you lose them, your files are gone. Not only is there a risk of losing them – they can also be damaged. When VeraCrypt associates a keyfile, it takes the first 1024 kilobytes of the file as a form of password. If the first 1024 kilobytes of the file are changed in any way, the keyfile is no longer valid. For this reason I recommend using files that are not easily modified, like photos, songs, and videos.
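Because only the first 1024 kilobytes of a keyfile matter, you can detect accidental damage to a keyfile before you need the volume by fingerprinting just that prefix. The following is an added example (not part of the original article, and not VeraCrypt’s own code) that records such fingerprints and re-checks them; the file names and sample bytes are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# The article states VeraCrypt uses only the first 1024 KiB of a keyfile;
# bytes past this point do not affect the derived key material.
KEYFILE_PREFIX_LEN = 1024 * 1024


def keyfile_fingerprint(path: Path) -> str:
    """SHA-256 of the key-relevant prefix (first 1024 KiB) of a keyfile."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        h.update(f.read(KEYFILE_PREFIX_LEN))
    return h.hexdigest()


def build_manifest(paths):
    """Record a fingerprint per keyfile right after the volume is created."""
    return {str(p): keyfile_fingerprint(p) for p in paths}


def verify_manifest(manifest):
    """Return the keyfiles that are missing or whose prefix has changed."""
    return sorted(p for p, fp in manifest.items()
                  if not Path(p).is_file() or keyfile_fingerprint(Path(p)) != fp)


def demo():
    tmp = Path(tempfile.mkdtemp())
    photo = tmp / "photo.jpg"   # constructed: 2 MiB of random bytes
    song = tmp / "song.mp3"     # constructed: 4 KiB of random bytes
    photo.write_bytes(os.urandom(2 * KEYFILE_PREFIX_LEN))
    song.write_bytes(os.urandom(4096))
    manifest = build_manifest([photo, song])

    # Case 1: data appended beyond the first 1024 KiB leaves the keyfile valid.
    with open(photo, "ab") as f:
        f.write(b"trailing data appended after the key-relevant prefix")
    still_valid = verify_manifest(manifest)          # expected: []

    # Case 2: flipping a single bit inside the prefix invalidates the keyfile.
    # Note that tools rewriting metadata at the start of a file (e.g. EXIF
    # headers in a photo) fall in this category, even for "unmodified" media.
    data = bytearray(song.read_bytes())
    data[100] ^= 0x01
    song.write_bytes(bytes(data))
    damaged = verify_manifest(manifest)              # expected: [song path]
    return still_valid, damaged
```

Keep the manifest somewhere other than the volume it protects; it reveals nothing about the keyfile contents but lets you notice corruption while a backup copy is still at hand.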

Using VeraCrypt Keyfiles

Now let’s talk about actually using VeraCrypt keyfiles. They can be added during volume creation, or added to a volume that has already been created. When going through the Volume Creation Wizard, check the “Use Keyfiles” box on the “Volume Password” screen.

Next, click the “Keyfiles” button. This will open the keyfiles dialog, shown below.

Click “Add Files” to open a Finder/Explorer window, or drag your keyfiles onto the interface.

Continue with the volume creation process as normal. The next time you have to open the volume, you will have to have access to its keyfiles. Proceed with the mount process as normal. Enter your password and check the “Use Keyfiles” box. Next, click the “Keyfiles” button.

Again, either click “Add Keyfiles” or drag your keyfiles onto the interface.

When the keyfiles have been added, click “OK”. Proceed with volume mount. If the password has been entered correctly, and the exact keyfiles have been added, the volume will mount. If not, it won’t.

If you have a requirement for very high security volumes, you should look at using VeraCrypt keyfiles as a second authentication factor. The security increase offered is almost inestimable. Stay tuned tomorrow as I cover another one of VeraCrypt’s rather unique advanced features!


2 thoughts on “VeraCrypt Keyfiles as TFA”

  1. How secure is it really, though, with the keyfiles? Does it do something to the data to make it literally impossible to access the data without it? (i.e. the data is corrupt and incomplete without it) or is it merely a matter of only making it much harder to crack? In other words, in 1000 years when computing power to hack encrypted volumes is billions of times more powerful, will it still be impossible to get in because the data is just corrupted or something, or will it then be a piece of cake to get in?

    1. First off – there is probably nothing that I can say about anything on this blog that will be valid in 1,000 years. Actually there’s very little that anyone can say about where computing and encryption will be in 25 years. If you’re looking for a solution to that stuff – it doesn’t exist.
      Think of keyfiles as an extension of the password. The program grabs the first 1024 bytes of the file (the totally unique 1,024 1s or 0s) and adds them to the password. This can theoretically be brute forced but a volume with a good password plus a couple of keyfiles is impervious to password brute forcing as we know it today.
