
I love it, but it’s not an answer to normal people yet. The 0.01% of us who know and understand encryption, cool. But getting ready for the main world? Bitlocker lets people click a button and walk away. Administrators make a few small changes and have the whole fleet bitlockered with centrally managed recovery keys should anyone have an issue. Does Veracrypt offer better security? Yes. Would I be thrilled to roll it to my clients? Yes. Would it be an absolute nightmare to deploy and manage across an organization? Yes.

I’m sad because this is great and the answer to much but stands no chance when you move past the “single user who is IT literate” user group.



Veracrypt is a fork of TrueCrypt, which was used by lots of low tech people (I know some personally). For certain use cases, it's pretty straightforward to use. I suspect that at that time, it was the simplest highly secure SW that was available to people: Free and open source.

Comparing with Bitlocker is silly - its source is closed, and that's almost an automatic "untrustworthy" for many. It also is Windows only.


> that's almost an automatic "untrustworthy" for many

“Many” is probably overstating things relative to the full audience for Bitlocker.


Veracrypt works on Linux too. I switched over when Truecrypt was orphaned.


I'd say they meant Bitlocker is Windows only.


Ah, you're right. I realized that was probably what was meant after I'd posted.

I never realized there was so much history - just thought the app had been orphaned for the usual mundane reasons. I've got to read that book!


I don't think the target of Veracrypt is to be used by corporations.

Almost by definition, corporations will sell their souls to MS if that means "accountability", that means someone to blame when things go wrong. Not if, when.

Just the fact Veracrypt exists and can be used by that 0.01% is enough. It is already useful beyond expectations.


Is it better? Even TrueCrypt's developers (which this is based on) recommend moving to BitLocker now, https://truecrypt.sourceforge.net


LOL, that was when they _removed_ all encryption in their last, final update. That was part of the deal probably, but they made it so obvious that nobody took it seriously. Everybody got the message: something is going wrong.

Since then TrueCrypt was carefully reviewed, some bugs were found, but no backdoors. It was forked and VeraCrypt is one of those forks. It has enhanced security which makes it annoying to use. For example, to disconnect the drive one needs to enter the admin's password. That's done because VeraCrypt doesn't store it. On one hand it makes it more secure, on the other entering passwords many times in public makes it less.


> LOL, that was when they _removed_ all encryption in their last, final update

That was the time the other TrueCrypt contributors learned that Paul le Roux was in federal custody[1]. Most likely they nuked encryption & gave dire warnings as a scorched earth play to avoid the possibility of an FBI-authored binary release of TrueCrypt, since Paul controlled the website and the infrastructure, IIRC.

1. Warning: linked story is a 3-part longform story that can cause 30-60m to vanish from your day. https://magazine.atavist.com/he-always-had-a-dark-side/


> For example to disconnect the drive one needs to enter admin's password. That's done because veracrypt doesn't store it.

What? For me, VeraCrypt can mount and unmount volumes (on Windows 11) without ever prompting for UAC. It could also do the same on my other, Windows 10 PC.


On Ubuntu it requires the admin password on every action, like mount/unmount. On TrueCrypt it's one click. Sadly they are not compatible. Not sure, did VeraCrypt pass an external audit like TrueCrypt?


> Not sure, did veracrypt pass external audit like truecrypt?

I believe they incorporated the recommendations from TrueCrypt's own audit, and then went through an additional external audit that came up clean.


That was 9 years ago, not "now". BitLocker was the only alternative that they could recommend back then.

It's possible that whatever vulnerability the TrueCrypt developers were alluding to still lurks in the VeraCrypt codebase, but the chances seem pretty low. VeraCrypt uses much stronger encryption methods, it has addressed all the issues raised in the original TrueCrypt audit as well as a separate audit of its own code, and the latest version isn't even backward-compatible with TrueCrypt volumes.


No, recommending BitLocker back then was basically a joke to anyone at that time, an obvious way of telling you something was wrong.

The obvious recommendation back then was LUKS. And even if there were no alternatives they're not going to recommend you a proprietary solution with a high chance of being backdoored. They'll just say to use "other software".


The majority of TrueCrypt users were on Windows and needed a GUI. Backdoors or not, BitLocker was the only comparable alternative.

Recommending BitLocker might have been a signal to hackers in the aftermath of the Snowden revelations, but IIRC the announcement also included a detailed tutorial for setting up BitLocker that was actually quite helpful to anyone whose threat model mostly concerned thieves, corporate spies, and non-Five Eyes intelligence agencies.


This probably has nothing to do with vulnerabilities in the source code, it has to do with the observations that Mounir Idrassi took over truecrypt very fast when it was shut down, yet was not known in cryptography circles prior to this at all, and his company idrix.fr looks a lot like a typical DGSE shell company. It is unclear what kind of contracts it had (if any) before it dedicated seemingly most of its time to Veracrypt.

Of course, it would be the binaries that are the problem, if there is one. If you vet the source code and compile it yourself, there shouldn't be any issue. Note that the French government has a long history of being anti-cryptography for end-consumers.

I personally wouldn't even touch Veracrypt with a long pole. But that's just my personal opinion.


Do you believe the audit was compromised as well?

https://ostif.org/the-veracrypt-audit-results/


They audited the source code. I was talking about the executables on their website. Intelligence agencies tend to substitute binaries with compromised executables when they are downloaded by specific targets. We know that's what the NSA was routinely doing (among other things like hardware interception) from the Snowden revelations. There is no reason to believe DGSE works differently. Of course, it is also possible to provide compromised source code to specific targets if necessary.


Replacing binaries for specific targets certainly happens more than one would like. This has even happened specifically with TC and VC files in the past. A mitigating circumstance though with Veracrypt is that the binaries also have detached GPG signatures that one can check against IDRIX's public key to verify that it is in fact what Idrassi has released on the website. It's still possible for actors to tamper with the binaries in other ways even if signed, so it's best to pull from source and periodically check the diffs.
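The detached-signature check the comment above recommends, as an added example that is not part of the comment or of VeraCrypt's own tooling: it verifies the signature with gpg and additionally pins the signer's primary-key fingerprint, so a technically valid signature from a substituted key is rejected, not only a corrupted file. The keys, installer file and fingerprints are constructed in a throwaway keyring for the demo (they are not IDRIX's real key); gpg must be installed.

```shell
#!/bin/sh
# Added example: pinned-fingerprint verification of a detached GPG signature.
# Everything below (keys, file, fingerprints) is constructed for the demo.
set -u

# verify_pinned FILE SIG EXPECTED_FPR: returns 0 only if the signature over
# FILE is good AND was made by the key whose primary fingerprint is EXPECTED_FPR.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # On a good signature gpg emits "[GNUPG:] VALIDSIG <fpr> ... <primary-fpr>";
    # the last field is the primary key fingerprint, which is what we pin.
    actual=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" {print $NF; exit}')
    [ -n "$actual" ] && [ "$actual" = "$3" ]
}

# fpr_of UID: primary-key fingerprint of a key in the current keyring.
fpr_of() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" {print $10; exit}'
}

# gpgq: gpg with an empty passphrase and no pinentry, for the demo keys only.
gpgq() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# --- constructed demo environment: throwaway keyring, two keys, one file ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
gpgq --quick-gen-key 'Demo Release <release@example.invalid>' default default never >/dev/null 2>&1
gpgq --quick-gen-key 'Impostor <impostor@example.invalid>' default default never >/dev/null 2>&1
RELEASE_FPR=$(fpr_of release@example.invalid)
IMPOSTOR_FPR=$(fpr_of impostor@example.invalid)

printf 'pretend installer bytes\n' > "$WORK/installer.bin"
# Genuine detached signature from the release key ...
gpgq -u release@example.invalid --detach-sign --output "$WORK/good.sig" "$WORK/installer.bin" 2>/dev/null
# ... and a technically valid one from the wrong key (a substituted signer).
gpgq -u impostor@example.invalid --detach-sign --output "$WORK/impostor.sig" "$WORK/installer.bin" 2>/dev/null

if verify_pinned "$WORK/installer.bin" "$WORK/good.sig" "$RELEASE_FPR"; then
    echo "good.sig: good signature from the pinned key"
fi
if ! verify_pinned "$WORK/installer.bin" "$WORK/impostor.sig" "$RELEASE_FPR"; then
    echo "impostor.sig: rejected (valid signature, but not the pinned key)"
fi
```

A plain `gpg --verify` would report both signatures as good once the impostor's key is in the keyring; only the fingerprint comparison tells them apart.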


If you read my original post again, unfortunately my lack of trust is exactly with Idrassi and IDRIX. Other than that, I agree.


> the latest version isn't even backward-compatible with TrueCrypt volumes

Are you sure? I thought it could open them in read-only mode. Here's a 2023 post suggesting it's supposed to still be able to open TC 6.0+ files, though the user in question is having trouble: https://sourceforge.net/p/veracrypt/discussion/technical/thr...


Bitlocker for an equivalent level of security (password at boot) is way more confusing and way more error prone in my experience. I know what I'm looking for and understand all the terms in use and I had to try three times, and lost access to my drive once.

No way in hell would I recommend it to less technical people (except default settings, which works fine but offers near zero security against extremely common things like theft). Bitlocker is by far the least user-friendly OS-provided I've ever seen - it's so bad I have to assume it's being intentionally ruined.




