VeraCrypt Migration

I admit being a holdout for TrueCrypt.  I wrote about it in my Your Ultimate Security Guide: Windows 7 Edition.  I encouraged it’s use among my friends and family.  I have used it myself.  I have stood so strongly beside TrueCrypt for two reasons.  The first is The Audit.  Being independently audited is incredibly rare among encryption tools and I placed a great deal of trust in the audit which was only recently completed, and the results of which were mostly good.  There were some minor vulnerabilities but nothing to be overly concerned about, and certainly no backdoors.  The other reason I held onto TrueCrypt for so long (and it pains me to admit this) was nostalgia.  TrueCrypt was the gold standard for years and it had been with me through thick and thin, protecting my data on half a dozen personal laptops and across scores of international borders. Letting go of TrueCrypt felt like letting go of an old friend.

But, I didn’t hold onto it out of misplaced loyalty or nostalgia alone.  The audit was huge, and until I had a good reason to believe TrueCrypt was insecure there was no reason to switch.   But audits are not perfect, and now we have that reason.  A new privilege escalation vulnerability was discovered in Windows versions of TrueCrypt (almost two months ago now) that allows the compromise of your full system.  For this reason I am moving, and recommend moving to VeraCrypt as soon as possible.

VeraCrypt Migration
The VeraCrypt interface is updated but still comfortably familiar to TrueCrypt users.

Going back to an un-audited program feels like a huge step backward to me.  I don’t think the developers have maliciously inserted a backdoor, but code is complex and getting encryption right is hard. But there is a very big silver lining.  First, vulnerabilities like the one affecting TrueCrypt can be (and will be, and in this case, already have been) patched.  TrueCrypt’s vulnerabilities will never be patches.  Next, an audit is planned for VeraCrypt that will probably be undertaken after the program is in its next version and has added some new features.  Finally, by increasing the number of iterations from a maximum of  2,000 in TrueCrypt to as many as 500,000 in VeraCrypt, the newer program is significantly stronger against brute-force attacks.  Using VeraCrypt requires almost no learning curve for anyone familiar with TrueCrypt as the two programs are almost identical in up-front operation.

Unfortunately (or fortunately, depending on how you look at it), VeraCrypt and TrueCrypt volumes are incompatible.  This means that if you are using volume-level encryption you will have to create a new VeraCrypt volume, mount your TrueCrypt volume, and drag files into the new one.  If you are using full-disk encryption (which you should be) this will mean fully decrypting your machine and re-encrypting with VeraCrypt.  While it’s decrypted would be an ideal time for a clean install, too.

11/23/2015:  Shortly after this post was published this Ars Technica article was published indicating TrueCrypt is still safer than we thought.  This is good news, but the clock is still ticking on the aging encryption application.

VeraCrypt URL and Checksums:

URL: http://sourceforge.net/projects/veracrypt/files/VeraCrypt%201.16/VeraCrypt_1.16_Bundle.7z/download

SHA256: E885951442D91EF237EC6C4F4622C12D8AB7D377CC5DDFBE2181360072C429F1

SHA512: 80EA23F2D70786A0BC3E1ECEDE12A6644FF4507F0AE0C436E4E5367854F38C16020CE62C083B07C844CAA82117BBCE30029AF986DB41E8A7CD1693A104CAA440

6 thoughts on “VeraCrypt Migration”

  1. Like you, I’ve been a holdout for truecrypt. I started looking to migrate my volumes to veracrypt but noticed that bitlocker is suggested on the truecrypt home page. Obviously you’ve chosen veracrypt but what are your thoughts on veracrypt vs bitlocker?

    1. Nate:

      I think BitLocker is probably a fine solution. Unfortunately, unless you have one of the upper-tiered versions of Windows or are willing to pay for an upgrade to one of those versions (listed below), BitLocker is not available to you. There is also the issue of Microsoft being much more vulnerable to use legal pressure than free/open source software. Finally, with Windows 10, Microsoft stores your BitLocker recovery key on its servers. These are my reasons for shying away from BitLocker. All of that said, and based on my threat model, if I had a version of windows that offered it, I’d probably use it for full-disk encryption.

      Windows 7: Enterprise and Ultimate
      Windows 8+: Pro and Enterprise

      1. Ah. Didn’t look that far into it. Seeing as I’m running Linux, BitLocker is completely out of the question for me. Moving files from truecrypt to veracrypt now. Thanks for the info!

    1. Dave,

      Thanks for this. The fact that these are uploaded in the first place says a lot about the ideology/philosophy of the company. Overall though I think BitLocker is a LOT better than nothing, and device decryption is really only a concern if a. your adversary can access your device physically, and b. he or she can retrieve your keys from MS servers through hacking or legal means. Either way, very sophisticated adversaries. If I ran a Win7-10 machine with BitLocker I would probably feel ok about using it, but I would take the step you pointed out.

      Thanks again – really good points!
      Justin

Leave a Reply

Your email address will not be published.