Veracrypt - volume encryption (TrueCrypt Fork)

Midas
Posts: 6710
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Veracrypt - volume encryption (TrueCrypt Fork)

#1 Post by Midas »

[Moderator note:
  • This is the primary thread for the Veracrypt entry.
  • This was originally split from the TrueCrypt thread, and Veracrypt is widely considered the successor of TrueCrypt.]

---

Briefly checked user Mixture's alternative suggestions (http://www.portablefreeware.com/?id=199#comment26017).

IMHO, Veracrypt should get our userbase urgent attention, in the interest of possible database inclusion...

FYI, Veracrypt resides at http://veracrypt.codeplex.com/.

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: TrueCrypt

#2 Post by webfork »

Midas wrote:Veracrypt should get our userbase urgent attention, in the interest of possible database inclusion...
I dunno ... Veracrypt license is MS-Pl, which isn't a license I have much faith in ...
incompatible with the GPL and ... if you submit code with this license, your code can then be taken into a proprietary black hole by someone else.
(source)

Still, it's better than the TrueCrypt license (at least OSI-accepted) assuming their license allows for forks like this, which I guess Haller was calling into question above.

SYSTEM
Posts: 2041
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: TrueCrypt

#3 Post by SYSTEM »

webfork wrote:
Midas wrote:Veracrypt should get our userbase urgent attention, in the interest of possible database inclusion...
I dunno ... Veracrypt license is MS-Pl, which isn't a license I have much faith in ...
incompatible with the GPL and ... if you submit code with this license, your code can then be taken into a proprietary black hole by someone else.
(source)

Still, it's better than the TrueCrypt license (at least OSI-accepted) assuming their license allows for forks like this, which I guess Haller was calling into question above.
Well, based on the article you linked, Ms-PL is not bad at all.

According to the Free Software Foundation "it has a copyleft that is not strong, but incompatible with the GNU GPL". GPL incompatibility is not a big problem: it mostly means that no one can create a GPL fork of VeraCrypt.

"if you submit code with this license, your code can then be taken into a proprietary black hole by someone else" - it's arguably a feature. A developer can use Ms-PL if he/she explicitly wants to allow the code to be used in commercial programs. In my opinion such code is more free than code under the GPL. (However, I'd use an even more permissive license such as BSD or MIT.)

See also https://tldrlegal.com/license/microsoft ... 28ms-pl%29.

There is one problem in VeraCrypt's licensing, though: I doubt the developers have permission to relicense the code as Ms-PL...
My YouTube channel | Release date of my 13th playlist: August 24, 2020

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: TrueCrypt

#4 Post by webfork »

SYSTEM wrote: There is one problem in VeraCrypt's licensing, though: I doubt the developers have permission to relicense the code as Ms-PL...
Yeah, true. However, I do want to talk about my hesitation with Ms-PL since this will probably come up again in the future...
SYSTEM wrote:In my opinion such code is more free than code under the GPL. (However, I'd use an even more permissive license such as BSD or MIT.)
You're absolutely right that you are free to do whatever you want to do with the code. However, in practice I think this ends up being less free.
  • Some developers are bothered for example by the idea that what they're working on could get snapped up by some company who would add the marginal necessary features/polish and then sell it. This certainly happened with Microsoft who used the BSD networking stack and at least to some extent from Apple with Darwin. It might also explain the success of Linux over the many flavors of *BSD.
  • Some users are bothered by the fact that a company can take an open protocol or system, go commercial with it to adopt and improve it in a closed way, and then dump it later (the embrace, extend, extinguish strategy).
More critically, I want a security program's code to remain open so that we can have audits like the one that was run on TrueCrypt. The GPL is a better license to encourage that type of analysis and ongoing scrutiny because the community is less afraid that it's going to get yanked into something commercial.

All that aside, we're not doing great in the security realm right now so if a great program comes out, I'll definitely use it regardless of my hesitations about the license.

SYSTEM
Posts: 2041
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: TrueCrypt

#5 Post by SYSTEM »

webfork wrote:
SYSTEM wrote:In my opinion such code is more free than code under the GPL. (However, I'd use an even more permissive license such as BSD or MIT.)
You're absolutely right that you are free to do whatever you want to do with the code. However, in practice I think this ends up being less free.
  • Some developers are bothered for example by the idea that what they're working on could get snapped up by some company who would add the marginal necessary features/polish and then sell it. This certainly happened with Microsoft who used the BSD networking stack and at least to some extent from Apple with Darwin. It might also explain the success of Linux over the many flavors of *BSD.
  • Some users are bothered by the fact that a company can take an open protocol or system, go commercial with it to adopt and improve it in a closed way, and then dump it later (the embrace, extend, extinguish strategy).
It's up to the developer if he/she wants to allow it. Not every company that uses open source is evil. :) More about it below.
webfork wrote: More critically, I want a security program's code to remain open so that we can have audits like the one that was run on TrueCrypt. The GPL is a better license to encourage that type of analysis and ongoing scrutiny because the community is less afraid that it's going to get yanked into something commercial.
Even if a company creates a closed-source fork of a security program, that doesn't automatically mean that the original open source project dies. They can coexist, or the closed-source project can die (e.g. if it's payware and no one is willing to pay).

----

Myself I'm on the other side of the fence: I develop commercial software. We use some open source libraries such as Box2D. Of course we respect licenses and don't use GPL code at all.

We have no intention of killing Box2D or any other library we use. After all, we benefit from upstream improvements. :)

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: TrueCrypt

#6 Post by webfork »

SYSTEM wrote:Even if a company creates a closed-source fork of a security program, that doesn't automatically mean that the original open source project dies. They can coexist, or the closed-source project can die (e.g. if it's payware and no one is willing to pay).
No, it definitely doesn't imply an automatic death. No question there.
SYSTEM wrote:We have no intention of killing Box2D or any other library we use. After all, we benefit from upstream improvements.
This is kind of a GPL vs. BSD argument in a bottle. The BSD crowd counts on openness being in everyone's best interests, whereas the GPL crowd is concerned about their work going into some company's "new" format.

The only other thing I can add here is that open formats aren't in the interests of a big company. A few examples that come to mind:
  • Microsoft has been making millions off its exclusive control of the standard office format for documents, spreadsheets, and presentations. They continually create "Microsoft" versions of existing technologies to try and grasp this in other areas (audio, network, video, etc.)
  • Apple makes a ton of money selling the only power adapter that really works for Apple laptops. Quicktime is remarkably bad at playing any video format other than those created by Apple products.
  • Google dumped the Open Document Format in favor of their own, developed their own browser even after they put quite a bit of time and money into Firefox.

Midas
Posts: 6710
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: VeraCrypt

#7 Post by Midas »

VeraCrypt v1.0e released (changelog and downloads at http://sourceforge.net/projects/veracrypt/files/).
  • http://veracrypt.codeplex.com/ author wrote: UPDATE September 15th 2014: VeraCrypt 1.0e is out with many security fixes and performance enhancements. [...] It supports MacOSX 10.6 and above and it requires OSXFUSE 2.3 and later (https://osxfuse.github.io/). MacFUSE compatibility layer must be checked during OSXFUSE installation. Also a Linux version is available [...] Linux and MacOSX releases are signed with a PGP key.

Midas
Posts: 6710
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: Veracrypt

#8 Post by Midas »

EDIT: it must be noted that for extensive coverage of the current TrueCrypt status (plus downright support -- and mirror), it's highly recommended to check security expert Steve Gibson's dedicated page at http://www.grc.com/misc/truecrypt/truecrypt.htm.

VeraCrypt v1.0f-1 released (changelog and download at http://veracrypt.codeplex.com/releases/view/565079).

Most importantly, VeraCrypt now supports TrueCrypt volumes and containers...
  • http://veracrypt.codeplex.com/ author wrote: Starting from version 1.0f, VeraCrypt can load TrueCrypt volume. It also offers the possibility to convert TrueCrypt containers and non-system partitions to VeraCrypt format.

    UPDATE January 5th 2014 : Support of the old TrueCrypt 6.0 has been included in VeraCrypt 1.0f-1, which is a minor update of VeraCrypt 1.0f.

abc
Posts: 74
Joined: Thu Aug 04, 2011 10:01 am

VeraCrypt - TrueCrypt Fork

#9 Post by abc »

VeraCrypt is a free disk encryption software that is based on TrueCrypt.

VeraCrypt adds enhanced security to the algorithms used for system and partitions encryption making it immune to new developments in brute-force attacks.
VeraCrypt also solves many vulnerabilities and security issues found in TrueCrypt. The following post describes parts of the major enhancements and corrections done so far: https://veracrypt.codeplex.com/discussi ... nt_1313325

As an example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use 327661. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses 655331 for RIPEMD160 and 500000 iterations for SHA-2 and Whirlpool.

This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. This is acceptable to the legitimate owner but it makes it much harder for an attacker to gain access to the encrypted data.

Starting from version 1.0f, VeraCrypt can load TrueCrypt volume. It also offers the possibility to convert TrueCrypt containers and non-system partitions to VeraCrypt format.

Website
Database entry needs votes
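
An added example, not part of abc's post and not VeraCrypt's code: it writes out one PBKDF2 block by hand to show why every iteration must be computed in sequence, then converts the iteration counts quoted above into extra cost per password guess. Assumptions: SHA-512 stands in for the post's "SHA-2" (RIPEMD160 is missing from many Python/OpenSSL builds), and the passphrase and salt are constructed sample values.

```python
import hashlib
import hmac
import math
import time

# Iteration counts quoted in the post above.
TC_SYSTEM, VC_SYSTEM = 1000, 327661   # system partition, PBKDF2-RIPEMD160
TC_MAX, VC_SHA2 = 2000, 500000        # TrueCrypt "at most" vs VeraCrypt SHA-2 figure


def pbkdf2_block(password: bytes, salt: bytes, iterations: int) -> bytes:
    """First PBKDF2-HMAC-SHA512 output block (RFC 8018), written out by hand."""
    keyed = hmac.new(password, digestmod=hashlib.sha512)

    def prf(data: bytes) -> bytes:
        h = keyed.copy()
        h.update(data)
        return h.digest()

    u = prf(salt + (1).to_bytes(4, "big"))
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = prf(u)  # needs the previous round's output, so rounds cannot be skipped
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(64, "big")


def added_work_bits(old_iterations: int, new_iterations: int) -> float:
    """Extra brute-force cost per guess, expressed as bits of work."""
    return math.log2(new_iterations / old_iterations)


def seconds_per_derivation(iterations: int) -> float:
    """Time one derivation: paid once per mount by the owner, once per guess by an attacker."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", b"constructed passphrase", b"\x00" * 64,
                        iterations, dklen=64)
    return time.perf_counter() - start


if __name__ == "__main__":
    for label, old, new in [("system", TC_SYSTEM, VC_SYSTEM),
                            ("standard", TC_MAX, VC_SHA2)]:
        print(f"{label}: {new / old:.0f}x per guess, "
              f"+{added_work_bits(old, new):.2f} bits of work")
    for n in (TC_MAX, VC_SHA2):
        print(f"{n} iterations: {seconds_per_derivation(n) * 1000:.1f} ms")
```

The higher counts multiply the cost of each guess by a fixed factor worth roughly 8 bits of work, about what one or two extra random passphrase characters add. The delay is paid once per mount, which matches the post's point that normal use is unaffected.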



webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: VeraCrypt - TrueCrypt Fork

#11 Post by webfork »

Merged. This needed to get split from the TrueCrypt thread anyhow.

Midas
Posts: 6710
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: VeraCrypt - TrueCrypt Fork

#12 Post by Midas »

abc wrote:Database entry needs votes ...
  • Edited and voted. Thanks. :)

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: VeraCrypt - TrueCrypt Fork

#13 Post by webfork »

abc wrote:Database entry needs votes
I made a few edits because I wanted to back off the notion of "immunity" to brute force and that the vulnerabilities are now "fixed". Hopefully that's the case but it might be a little soon to tell.

Edit: switched the license over to Ms-Pl. Though I noticed the TL:DR legal site you listed. Very interesting site.

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: Veracrypt - volume encryption (TrueCrypt Fork)

#14 Post by webfork »

webfork wrote:switched the license over to Ms-Pl
Happily, the authors switched over to Apache 2.0. Updated entry and voted.

Edit: few usage notes:
  • The license file included with the program download still lists the old license, which is probably binding
  • I was unable to create an NTFS volume. Although the help file suggests this is a limitation of those without admin privileges, I don't have this problem on my machine. I'm not sure what's wrong and I am unwilling to use FAT for anything but data I don't care if I lose. Edit: this was caused by my volume being too small.

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: Veracrypt - volume encryption (TrueCrypt Fork)

#15 Post by webfork »

User MoisheP noted in the entry comments that the program's inability to be uniextracted or opened with 7-zip means it's encrypted or less open than it should be. Some suggestions on this:
  1. Contact the developers and ask:
     A. ... what compression they used to figure out if there's a way to decompress it without executing self-extract code. It might even be listed in the forums.
     B. ... them to distribute a 7-zipped version
  2. Go ahead and execute the code inside a sandbox to see if it does anything bad, then analyze the components
  3. Build the software from source and skip the compression bit
For the record, I don't think this is a serious concern with regard to Veracrypt's security. I think the EXE distro is more than adequate for analysis in VirusTotal, since that tool's reputation analysis isn't independent of the extracted contents. As a long time TrueCrypt user, I think there are much more pressing questions, specifically around whether VeraCrypt can reasonably secure computers in a very weird era of security.
