VeraCrypt Migration

I admit being a holdout for TrueCrypt. I wrote about it in my Your Ultimate Security Guide: Windows 7 Edition. I encouraged its use among my friends and family. I have used it myself. I have stood so strongly beside TrueCrypt for two reasons. The first is The Audit. Being independently audited is incredibly rare among encryption tools, and I placed a great deal of trust in the audit, which was only recently completed and the results of which were mostly good. There were some minor vulnerabilities but nothing to be overly concerned about, and certainly no backdoors. The other reason I held onto TrueCrypt for so long (and it pains me to admit this) was nostalgia. TrueCrypt was the gold standard for years and it had been with me through thick and thin, protecting my data on half a dozen personal laptops and across scores of international borders. Letting go of TrueCrypt felt like letting go of an old friend.

But I didn’t hold onto it out of misplaced loyalty or nostalgia alone. The audit was huge, and until I had a good reason to believe TrueCrypt was insecure there was no reason to switch. But audits are not perfect, and now we have that reason. A new privilege escalation vulnerability was discovered in Windows versions of TrueCrypt (almost two months ago now) that allows the compromise of your full system. For this reason I am moving to VeraCrypt, and I recommend that you do the same as soon as possible.

The VeraCrypt interface is updated but still comfortably familiar to TrueCrypt users.

Going back to an un-audited program feels like a huge step backward to me. I don’t think the developers have maliciously inserted a backdoor, but code is complex and getting encryption right is hard. But there is a very big silver lining. First, vulnerabilities like the one affecting TrueCrypt can be (and will be, and in this case, already have been) patched. TrueCrypt’s vulnerabilities will never be patched. Next, an audit is planned for VeraCrypt that will probably be undertaken after the program is in its next version and has added some new features. Finally, by increasing the number of key-derivation (PBKDF2) iterations from a maximum of 2,000 in TrueCrypt to as many as 500,000 in VeraCrypt, the newer program is significantly stronger against brute-force attacks on the password. Using VeraCrypt requires almost no learning curve for anyone familiar with TrueCrypt, as the two programs are almost identical in up-front operation.
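As an added illustration (not code from the post or from VeraCrypt itself), the following Python models what the jump in iterations means for the work an attacker must spend per password guess. It assumes PBKDF2-HMAC-SHA512 as the key-derivation function (VeraCrypt offers several) and constructs its own sample password, salt and wordlist size.

```python
import hashlib
import os
import time

# Iteration counts quoted in the post: TrueCrypt's maximum and VeraCrypt's
# upper bound. Both tools stretch the password with PBKDF2 before it can be
# used to decrypt the volume header, so every guess costs this many HMACs.
TRUECRYPT_ITERATIONS = 2_000
VERACRYPT_ITERATIONS = 500_000


def derive_header_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512 with a 64-byte output (the hash choice is an
    assumption). This is the work needed to test a single password guess."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)


def work_factor_ratio(old_iterations: int, new_iterations: int) -> int:
    """How many times more work each guess costs after raising the count."""
    return new_iterations // old_iterations


def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Best-of-N timing of one derivation on this machine, using a
    constructed password and a random salt."""
    salt = os.urandom(64)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_header_key(b"correct horse battery staple", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def hours_to_exhaust(candidates: int, per_guess: float) -> float:
    """Single-core wall-clock hours to try every entry of a candidate list of
    the given size: a defender's estimate of how long a weak passphrase would
    hold up if the volume header were copied."""
    return candidates * per_guess / 3600


if __name__ == "__main__":
    wordlist = 10_000_000  # constructed: size of a typical leaked-password list
    for name, n in (("TrueCrypt", TRUECRYPT_ITERATIONS),
                    ("VeraCrypt", VERACRYPT_ITERATIONS)):
        t = seconds_per_guess(n)
        print(f"{name:9s} {n:>7d} iterations: {t * 1000:7.2f} ms/guess, "
              f"{hours_to_exhaust(wordlist, t):9.1f} h for {wordlist:,} guesses")
    print("work factor ratio:",
          work_factor_ratio(TRUECRYPT_ITERATIONS, VERACRYPT_ITERATIONS))
```

The absolute timings depend on the machine, but the ratio between the two rows is what the post's 2,000 versus 500,000 figures buy you.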

Unfortunately (or fortunately, depending on how you look at it), VeraCrypt and TrueCrypt volumes are incompatible. This means that if you are using volume-level encryption you will have to create a new VeraCrypt volume, mount your TrueCrypt volume, and drag the files into the new one. If you are using full-disk encryption (which you should be) this will mean fully decrypting your machine and re-encrypting it with VeraCrypt. While the machine is decrypted is also an ideal time for a clean install.

11/23/2015: Shortly after this post went up, this Ars Technica article was published indicating that TrueCrypt is still safer than we thought. This is good news, but the clock is still ticking on the aging encryption application.

VeraCrypt URL and Checksums:

SHA256: E885951442D91EF237EC6C4F4622C12D8AB7D377CC5DDFBE2181360072C429F1

SHA512: 80EA23F2D70786A0BC3E1ECEDE12A6644FF4507F0AE0C436E4E5367854F38C16020CE62C083B07C844CAA82117BBCE30029AF986DB41E8A7CD1693A104CAA440
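An added example, not from the post, of checking a downloaded installer against published checksums like the ones above. The installer path is a placeholder; the in-memory variant exists for small inputs and testing. Published checksums are often uppercase while hashing libraries emit lowercase, so the comparison is case-insensitive, and both digests must match.

```python
import hashlib
import hmac

# Checksums exactly as published in the post for the VeraCrypt download.
PUBLISHED_SHA256 = "E885951442D91EF237EC6C4F4622C12D8AB7D377CC5DDFBE2181360072C429F1"
PUBLISHED_SHA512 = "80EA23F2D70786A0BC3E1ECEDE12A6644FF4507F0AE0C436E4E5367854F38C16020CE62C083B07C844CAA82117BBCE30029AF986DB41E8A7CD1693A104CAA440"


def digests_of_stream(stream, chunk_size: int = 1 << 20):
    """Read the stream once, feeding both hash functions as we go, so a
    large installer is never loaded into memory in full."""
    sha256, sha512 = hashlib.sha256(), hashlib.sha512()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        sha256.update(chunk)
        sha512.update(chunk)
    return sha256.hexdigest(), sha512.hexdigest()


def matches(actual_hex: str, expected_hex: str) -> bool:
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_bytes(data: bytes, expected_sha256: str, expected_sha512: str) -> bool:
    """In-memory variant for small inputs; both digests must match."""
    return (matches(hashlib.sha256(data).hexdigest(), expected_sha256)
            and matches(hashlib.sha512(data).hexdigest(), expected_sha512))


def verify_download(path: str, expected_sha256: str = PUBLISHED_SHA256,
                    expected_sha512: str = PUBLISHED_SHA512) -> bool:
    """Stream the installer from disk and check it against both published
    digests. A single mismatch means: do not run it."""
    with open(path, "rb") as f:
        got256, got512 = digests_of_stream(f)
    return matches(got256, expected_sha256) and matches(got512, expected_sha512)


if __name__ == "__main__":
    installer = "VeraCrypt Setup.exe"  # placeholder path, not from the post
    print("checksums match" if verify_download(installer) else "MISMATCH")
```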

Security Measures Categorized

On this site I talk about a number of different security measures. Just as in my discussion of attacks and attackers, it is important to have a firm understanding of security measures and exactly what type of security each provides. Though many, including me, view an alarm as a serious security upgrade, it is important to realize that it does not actually make your home more difficult to get into. An alarm is merely a detective security measure; that is, it makes your home more difficult to get into undetected. There are three categories of security measures: deterring, delaying, and detective. Alternatively these categories can be thought of as “before” (deterring), “during” (delaying), and “after” (detective) security measures, based on what stage of an attack they are intended to address.

This sign represents a deterring security measure; the actual audio and video surveillance (if it exists) represent a detective security measure.

Category I: Deterring Measures. Deterrents are those security measures that play a role before the attack is even attempted (i.e. during the reconnaissance phase of an organized attack). Deterring security measures discourage the attacker from even attempting the breach by making him or her weigh your defenses against the risk of compromise and his or her own ability. Security measures in this category include signs or stickers indicating the presence of an alarm system or a dog, visible security cameras, motion lights, and routine police patrols.

Deterring security measures are difficult to quantify in the digital security realm, but they exist. A password prompt for a full-disk encrypted computer may serve as a deterrent to an attacker, as may a passcode on a smartphone.

Category II: Delaying Measures. Delaying devices are those devices that play a role during the breach attempt. Locks cannot make your home impossible to get into, but they can make the task take an unacceptably long time especially if the attack is intended to go undetected. Items in this category include locks, fences, anti-shatter window film, etc., all of which are intended to slow an attacker’s progress during the breach. In some cases delaying devices may exceed an attacker’s skill level and force him to move on to an easier target.

Delaying measures are the ones the average user primarily employs on the digital perimeter. These measures include strong encryption of data-at-rest using file-level and full-disk encryption on computers, encryption of data-in-transit using HTTPS and a VPN and ensuring your Wi-Fi is encrypted, and the use of good, strong passwords.

Category III: Detective Measures. Detective security devices are the “after” measures, the ones that alert you that a breach is in progress, has already occurred, or has been attempted. Devices in this category include intrusion detection systems (alarms) and surveillance cameras. The presence of these devices may have the added benefit of serving as Category I security measures, but this is generally not their primary purpose. In addition to alerting us to the breach or breach attempt, Category III security measures can also capture images of the attacker, alert police or security, and, if overt, place severe limitations on the amount of time an attacker is willing to spend “on target”. Event logs are a good example of Category III measures in the digital world.

There is some degree of overlap in these categories and you should understand exactly what benefits a given security measure provides when considering your perimeter. A high security lock is a good example of a security measure serving in multiple categories. The lock is certainly primarily intended as a Category II security measure. Because of the novel mechanisms and tight manufacturing tolerances common to high security locks it would be extremely difficult to pick or otherwise defeat covertly, delaying the attack and forcing the attacker to spend a great deal of time exposed during this process. This simple fact alone may also place it in Category I. An intruder who notices the lock may decide it is simply too difficult to defeat (and wonder what other security measures you have) and move on.  On the other hand, if the attacker is sufficiently determined to enter your home, he may make the decision to simply kick in the door or break a window. This would place the lock indirectly into Category III, as you would immediately notice a kicked-in door or broken window and know someone had been in your home. This is the chief comfort I derive from the high security locks I use: while I fully realize that a burglar could smash a window, I know with a reasonable degree of certainty that no one (except possibly a Level IV attacker) can enter my home without my knowledge.