Veracrypt - volume encryption (TrueCrypt Fork)
Posted: Fri Jun 06, 2014 7:23 am
by Midas
[Moderator note:
- This is the primary thread for the Veracrypt entry.
- This was originally split from the TrueCrypt thread, and Veracrypt is widely considered the successor of TrueCrypt.]
---
Briefly checked user Mixture's alternative suggestions (http://www.portablefreeware.com/?id=199#comment26017).
IMHO, Veracrypt should get our userbase urgent attention, in the interest of possible database inclusion...
FYI, Veracrypt resides at http://veracrypt.codeplex.com/.
Re: TrueCrypt
Posted: Fri Jun 06, 2014 3:04 pm
by webfork
Midas wrote:Veracrypt should get our userbase urgent attention, in the interest of possible database inclusion...
I dunno ... Veracrypt license is MS-Pl, which isn't a license I have much faith in ...
incompatible with the GPL and ... if you submit code with this license, your code can then be taken into a proprietary black hole by someone else.
(source)
Still, it's better than the TrueCrypt license (at least OSI-accepted) assuming their license allows for forks like this, which I guess Haller was calling into question above.
Re: TrueCrypt
Posted: Sun Jun 08, 2014 12:39 am
by SYSTEM
webfork wrote:Midas wrote:Veracrypt should get our userbase urgent attention, in the interest of possible database inclusion...
I dunno ... Veracrypt license is MS-Pl, which isn't a license I have much faith in ...
incompatible with the GPL and ... if you submit code with this license, your code can then be taken into a proprietary black hole by someone else.
(source)
Still, it's better than the TrueCrypt license (at least OSI-accepted) assuming their license allows for forks like this, which I guess Haller was calling into question above.
Well, based on the article you linked, Ms-PL is not bad at all.
According to the Free Software Foundation "it has a copyleft that is not strong, but incompatible with the GNU GPL". GPL incompatibility is not a big problem: it mostly means that no one can create a GPL fork of VeraCrypt.
"if you submit code with this license, your code can then be taken into a proprietary black hole by someone else" - it's arguably a feature. A developer can use Ms-PL if he/she explicitly wants to allow the code to be used in commercial programs. In my opinion such code is more free than code under the GPL. (However, I'd use an even more permissive license such as BSD or MIT.)
See also https://tldrlegal.com/license/microsoft ... 28ms-pl%29.
There is one problem in VeraCrypt's licensing, though: I doubt the developers have permission to relicence the code as Ms-PL...
Re: TrueCrypt
Posted: Mon Jun 09, 2014 5:50 pm
by webfork
SYSTEM wrote:There is one problem in VeraCrypt's licensing, though: I doubt the developers have permission to relicence the code as Ms-PL...
Yeah, true. However, I do want to talk about my hesitation with Ms-PL since this will probably come up again in the future...
SYSTEM wrote:In my opinion such code is more free than code under the GPL. (However, I'd use an even more permissive license such as BSD or MIT.)
You're absolutely right that you are free to do whatever you want to do with the code. However, in practice I think this ends up being less free.
- Some developers are bothered for example by the idea that what they're working on could get snapped up by some company who would add the marginal necessary features/polish and then sell it. This certainly happened with Microsoft who used the BSD networking stack and at least to some extent from Apple with Darwin. It might also explain the success of Linux over the many flavors of *BSD.
- Some users are bothered by the fact that a company can take an open protocol or system, go commercial with it to adopt and improve it in a closed way, and then dump it later (the embrace, extend, extinguish strategy).
More critically, I want a security program's code to remain open so that we can have audits like the one that was run on TrueCrypt. The GPL is a better license to encourage that type of analysis and ongoing scrutiny because the community is less afraid that it's going to get yanked into something commercial.
All that aside, we're not doing great in the security realm right now so if a great program comes out, I'll definitely use it regardless of my hesitations about the license.
Re: TrueCrypt
Posted: Mon Jun 09, 2014 8:10 pm
by SYSTEM
webfork wrote:
SYSTEM wrote:In my opinion such code is more free than code under the GPL. (However, I'd use an even more permissive license such as BSD or MIT.)
You're absolutely right that you are free to do whatever you want to do with the code. However, in practice I think this ends up being less free.
- Some developers are bothered for example by the idea that what they're working on could get snapped up by some company who would add the marginal necessary features/polish and then sell it. This certainly happened with Microsoft who used the BSD networking stack and at least to some extent from Apple with Darwin. It might also explain the success of Linux over the many flavors of *BSD.
- Some users are bothered by the fact that a company can take an open protocol or system, go commercial with it to adopt and improve it in a closed way, and then dump it later (the embrace, extend, extinguish strategy).
It's up to the developer if he/she wants to allow it. Not every company that uses open source is evil.
More about it below.
webfork wrote:
More critically, I want a security program's code to remain open so that we can have audits like the one that was run on TrueCrypt. The GPL is a better license to encourage that type of analysis and ongoing scrutiny because the community is less afraid that it's going to get yanked into something commercial.
Even if a company creates a closed-source fork of a security program, that doesn't automatically mean that the original open source project dies. They can coexist, or the closed-source project can die (e.g. if it's payware and no one is willing to pay).
----
Myself I'm on the other side of the fence: I develop commercial software. We use some open source libraries such as Box2D. Of course we respect licenses and don't use GPL code at all.
We have no intention of killing Box2D or any other library we use. After all, we benefit from upstream improvements.
Re: TrueCrypt
Posted: Fri Jun 27, 2014 4:49 pm
by webfork
SYSTEM wrote:Even if a company creates a closed-source fork of a security program, that doesn't automatically mean that the original open source project dies. They can coexist, or the closed-source project can die (e.g. if it's payware and no one is willing to pay).
No, it definitely doesn't imply an automatic death. No question there.
SYSTEM wrote:We have no intention of killing Box2D or any other library we use. After all, we benefit from upstream improvements.
This is kind of a GPL vs. BSD argument in a bottle. The BSD crowd counts on openness being in everyone's best interests, whereas the GPL crowd is concerned about their work going into some company's "new" format.
The only other thing I can add here is that open formats aren't in the interests of a big company. A few examples that come to mind:
- Microsoft has been making millions off its exclusive control of the standard office format for documents, spreadsheets, and presentations. They continually create "Microsoft" versions of existing technologies to try and grasp this in other areas (audio, network, video, etc.)
- Apple makes a ton of money selling the only power adapter that really works for Apple laptops. Quicktime is remarkably bad at playing any video format other than those created by Apple products.
- Google dumped the Open Document Format in favor of their own, developed their own browser even after they put quite a bit of time and money into Firefox.
Re: VeraCrypt
Posted: Thu Dec 04, 2014 4:15 am
by Midas
VeraCrypt v1.0e released (changelog and downloads at http://sourceforge.net/projects/veracrypt/files/).
http://veracrypt.codeplex.com/ author wrote: UPDATE September 15th 2014:
VeraCrypt 1.0e is out with many security fixes and performance enhancements. [...] It supports MacOSX 10.6 and above and it requires OSXFUSE 2.3 and later (https://osxfuse.github.io/). MacFUSE compatibility layer must be checked during OSXFUSE installation. Also a Linux version is available [...] Linux and MacOSX releases are signed with a PGP key.
Re: Veracrypt
Posted: Mon Jan 05, 2015 5:56 pm
by Midas
EDIT: it must be noted that for extensive coverage of the current TrueCrypt status (plus downright support -- and mirror), it's highly recommended to check security expert Steve Gibson's dedicated page at http://www.grc.com/misc/truecrypt/truecrypt.htm.
VeraCrypt v1.0f-1 released (changelog and download at http://veracrypt.codeplex.com/releases/view/565079).
Most importantly, VeraCrypt now supports TrueCrypt volumes and containers...
http://veracrypt.codeplex.com/ author wrote: Starting from version 1.0f, VeraCrypt can load TrueCrypt volume. It also offers the possibility to convert TrueCrypt containers and non-system partitions to VeraCrypt format.
UPDATE January 5th 2014 : Support of the old TrueCrypt 6.0 has been included in VeraCrypt 1.0f-1, which is a minor update of VeraCrypt 1.0f.
VeraCrypt - TrueCrypt Fork
Posted: Sat Apr 04, 2015 9:29 am
by abc
VeraCrypt is a free disk encryption software that is based on TrueCrypt.
VeraCrypt adds enhanced security to the algorithms used for system and partitions encryption making it immune to new developments in brute-force attacks.
VeraCrypt also solves many vulnerabilities and security issues found in TrueCrypt. The following post describes parts of the major enhancements and corrections done so far:
https://veracrypt.codeplex.com/discussi ... nt_1313325
As an example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use 327661. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses 655331 for RIPEMD160 and 500000 iterations for SHA-2 and Whirlpool.
This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. This is acceptable to the legitimate owner but it makes it much harder for an attacker to gain access to the encrypted data.
Starting from version 1.0f, VeraCrypt can load TrueCrypt volume. It also offers the possibility to convert TrueCrypt containers and non-system partitions to VeraCrypt format.
Website
Database entry needs votes
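Added example, not part of abc's post or VeraCrypt's code: the sketch below takes the iteration counts quoted in the post and measures what they cost per password guess on the local machine. It assumes PBKDF2-HMAC-SHA512 for every row (RIPEMD160 is missing from some hashlib builds); the function names, the passphrase, the 64-byte salt and the 64-byte key length are illustrative choices.

```python
import hashlib
import os
import time

# Iteration counts as quoted in the post above (TrueCrypt vs VeraCrypt).
# The post gives "at most 2000" for TrueCrypt containers, so the container
# ratios computed from this table are lower bounds.
ITERATIONS = {
    "system/RIPEMD160":    {"truecrypt": 1000, "veracrypt": 327661},
    "container/RIPEMD160": {"truecrypt": 2000, "veracrypt": 655331},
    "container/SHA-2":     {"truecrypt": 2000, "veracrypt": 500000},
}

def derive_header_key(password: bytes, salt: bytes, iterations: int,
                      dklen: int = 64) -> bytes:
    """PBKDF2-HMAC-SHA512 stand-in for the header key derivation.
    Assumption: SHA-512 is used for every row; absolute timings differ
    per hash, the linear scaling with the iteration count does not."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen)

def work_factor(profile: str) -> float:
    """How many times more PBKDF2 rounds a single password guess costs."""
    row = ITERATIONS[profile]
    return row["veracrypt"] / row["truecrypt"]

def seconds_per_guess(iterations: int, repeats: int = 3) -> float:
    """Best-of-N wall time for one derivation on this machine."""
    password, salt = b"constructed-passphrase", os.urandom(64)  # constructed
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        derive_header_key(password, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def report() -> list:
    """(profile, round ratio, old seconds, new seconds) for each row."""
    rows = []
    for profile, row in ITERATIONS.items():
        old = seconds_per_guess(row["truecrypt"])
        new = seconds_per_guess(row["veracrypt"], repeats=1)
        rows.append((profile, work_factor(profile), old, new))
    return rows

if __name__ == "__main__":
    for profile, factor, old, new in report():
        print(f"{profile:20s} x{factor:8.1f}  "
              f"{old * 1000:8.3f} ms -> {new * 1000:8.1f} ms per guess")
```

The owner pays the larger figure once per mount; anyone testing candidate passwords pays it for every candidate, which is the asymmetry the post describes.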
Re: VeraCrypt - TrueCrypt Fork
Posted: Sat Apr 04, 2015 9:53 am
by I am Baas
Re: VeraCrypt - TrueCrypt Fork
Posted: Sat Apr 04, 2015 5:30 pm
by webfork
Merged. This needed to get split from the TrueCrypt thread anyhow.
Re: VeraCrypt - TrueCrypt Fork
Posted: Fri Apr 10, 2015 2:02 am
by Midas
- Edited and voted. Thanks.
Re: VeraCrypt - TrueCrypt Fork
Posted: Fri Apr 10, 2015 5:51 pm
by webfork
I made a few edits because I wanted to back off the notion of "immunity" to brute force and that the vulnerabilities are now "fixed". Hopefully that's the case but it might be a little soon to tell.
Edit: switched the license over to Ms-Pl. Though I noticed the TL:DR legal site you listed. Very interesting site.
Re: Veracrypt - volume encryption (TrueCrypt Fork)
Posted: Sun Jul 26, 2015 9:18 am
by webfork
webfork wrote:switched the license over to Ms-Pl
Happily, the authors switched over to Apache 2.0. Updated entry and voted.
Edit: few usage notes:
- The license file included with the program download still lists the old license, which is probably binding
- I was unable to create an NTFS volume. Although the help file suggests this is a limitation of those without admin privileges, I don't have this problem on my machine. I'm not sure what's wrong and I am unwilling to use FAT for anything but data I don't care if I lose. Edit: this was caused by my volume being too small.
Re: Veracrypt - volume encryption (TrueCrypt Fork)
Posted: Sat Aug 01, 2015 1:37 pm
by webfork
User MoisheP noted in the entry comments that the program's inability to be uniextracted or opened with 7-zip means it's encrypted or less open than it should be. Some suggestions on this:
1. Contact the developers and ask:
   A. ... what compression they used to figure out if there's a way to decompress it without executing self-extract code. It might even be listed in the forums.
   B. ... them to distribute a 7-zipped version
2. Go ahead and execute the code inside a sandbox to see if it does anything bad, then analyze the components
3. Build the software from source and skip the compression bit
For the record, I don't think this is a serious concern with regard to Veracrypt's security. I think the EXE distro is more than adequate for analysis in VirusTotal, since that tool's reputation analysis isn't independent of the extracted contents. As a long time TrueCrypt user, I think there are much more pressing questions, specifically around whether VeraCrypt can reasonably secure computers in a very weird era of security.