VeraCrypt

A free disk encryption software based on TrueCrypt.

Our rating: 5

Pros & Cons:

The VeraCrypt fork (derivative) of the once-venerable TrueCrypt is plausibly backdoor-free. It is developed and maintained in France, where the government respects the need and right of users to data privacy. Multi-factor security is available. VeraCrypt is a polished program, with careful attention to the quick repair of bugs and vulnerabilities, and is maintained under a policy of transparency for code changes and other information. The documentation and FAQs are comprehensive. Care has been taken to make the default settings safe for casual users, but it offers many sophisticated options for experts. VeraCrypt can be installed as a portable program. I have personally switched to VeraCrypt.
It is possible that VeraCrypt has not corrected all the problems of interference with File History and other functions of Windows 8, and possibly Windows 10, that are mentioned under "Caution:" below. There is some indication that Windows 10 is not affected.

Our Review:

VeraCrypt: This fork of TrueCrypt is the most plausibly backdoor-free derivative of that abandoned product. It is developed and maintained in France, where the government still respects users' right to data privacy. The enthusiasm and expertise of the developer are clearly evident in this interview.

VeraCrypt is a carefully tweaked program, with attention to documentation [beginner's guide] and quick repair of bugs and vulnerabilities. It is maintained under a policy of timely transparency about vulnerabilities, code changes and other information. The documentation and FAQs are comprehensive and well organized. Care has been taken to make the default settings safe for casual users, but it offers many sophisticated options for experts. [continuing good news related to security] [developer's response]

It seems to me that VeraCrypt is the only TrueCrypt fork that is reasonably likely to be secure at this point, and I have switched to it myself.

VeraCrypt creates encrypted "volumes" (special container files) that are mounted as virtual drives, each assigned a drive letter. You read and write to these volumes using on-the-fly encryption (OTFE): you can add, create, and delete files and folders in them directly, and the contents on disk are always encrypted. VeraCrypt makes the contents transparently available while a volume is mounted (opened) with its password. A variety of encryption algorithms are provided. Two-factor security is available.

Caution:

Fred Langa reported* that VeraCrypt, TrueCrypt, and similar products interfere with File History, Custom Recovery Image creation and UEFI Secure Boot in Windows 8. The portable configurations are no better, because they install the same low-level drivers (which cause the problem) as the installed version. It is not clear whether Windows 10 is also affected; it may depend on the device's specific hardware configuration.

UEFI is a complex system that is easily disrupted. Elements of those encryption products were developed long before Microsoft introduced UEFI support, so it is not surprising that the low-level drivers these encryption programs rely on are not compatible with UEFI.

* "Why VeraCrypt won’t work with Windows 8" and "VeraCrypt: A superior alternative to TrueCrypt?" by Fred Langa. Scroll halfway down those pages to find the titles shown here.

On the other hand: I have installed both TrueCrypt and VeraCrypt on the one Windows 10 PC with UEFI boot that I have available, and Windows File History works correctly on it. I have also been able to create a Custom System Image for Windows 10.

A fatal backup trap:

Encryption programs that create encrypted "volumes" (files that contain encrypted files) do not change the size of the container file (the container is preallocated and rewritten in place), and often intentionally do not change its "date modified", even though files inside the volume have been changed or added. The purpose is to maintain plausible deniability, but the result can be that your backup software, which typically decides what to copy from file size and modification time, does not recognize that the volume file has changed and skips backing it up.

TrueCrypt is an example: By default, it does not change the timestamp (date modified) of a container file. You can change that in the preferences (uncheck the default preference as shown). Now cloud-based and conventional backup apps will recognize that the file has changed.

Some cloud backup services, Dropbox for example, do check the hash value of volume files, and if it changes they store a new copy of the volume file. So if you are using Dropbox, you could allow TrueCrypt to preserve the modification timestamp. The fact that it doesn't change hides when you last modified the contents of a volume.
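To make the trap concrete, here is an added example (not part of the original review and not VeraCrypt's own code) that simulates a container whose bytes change in place while its size and modification time stay the same, then compares what a size/mtime backup check sees against a content-hash check. The file name, offsets and bytes are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size, mtime_ns, sha256) for a file on disk."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return st.st_size, st.st_mtime_ns, h.hexdigest()


def changed_by_metadata(old, new):
    """What a size/mtime-based backup tool would conclude."""
    return old[0] != new[0] or old[1] != new[1]


def changed_by_hash(old, new):
    """What a content-hashing backup tool would conclude."""
    return old[2] != new[2]


def simulate_container_update(path, offset, data):
    """Overwrite bytes in place (size unchanged) and restore the original
    timestamps, mimicking a volume that preserves 'date modified'."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(data)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Returns (metadata_sees_change, hash_sees_change) for one in-place edit."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "container.hc")  # constructed stand-in volume
        with open(path, "wb") as f:
            f.write(b"\x00" * 4096)
        before = fingerprint(path)
        simulate_container_update(path, 1024, b"\xff" * 16)
        after = fingerprint(path)
        return changed_by_metadata(before, after), changed_by_hash(before, after)


if __name__ == "__main__":
    print(demo())  # (False, True): mtime/size check misses the change, hash catches it
```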
