Now that more TrueCrypt weaknesses have been revealed, the open-source solution taking its place appears to be VeraCrypt. Yet its extra-secure encryption of the system partition adds so many rounds that booting is slowed, and the extra PIM concept mandates an extra step at every startup. This situation makes it even less suited to non-technical users than TrueCrypt before it.
Steve Gibson may be ready to recommend VeraCrypt, but I don’t think it’s ready for the masses; up to version 1.15 anyway. After clocking my boot time with system encryption it took an extra 85 seconds. Talking non-technical friends and family through even basic use of TrueCrypt volumes was challenging enough. VeraCrypt’s additional Personal Iteration Multiplier certainly adds more security. Still, the extra step and forgettable-yet-necessary element is only making it less novice friendly.
Another long-term problem is VeraCrypt’s lack of Secure Boot support. This prevents booting with whole-disk encryption on machines locked down within UEFI’s boot-loader signing. Hopefully VeraCrypt support will be done before Secure Boot becomes widespread.
Now, having tried the built-in encryption features of Windows, OS X, and Ubuntu Linux, the VeraCrypt software does still offer a nice cross-platform solution. The VeraCrypt UI is also easier than Linux, though it has a way to go before being as easy as Windows and OS X. With a little UX love and simpler defaults, VeraCrypt has the potential to offer a compelling alternative for regular folks.
VeraCrypt is no more difficult to use than TrueCrypt. The PIM option is just that, optional. You don’t have to set it to anything for VC to use its default.
If your non-tech friends and family have more trouble with VC than TC they aren’t just non-tech, they’re something worse.
For FREE, opensource and cross-platform VC is as good as you’re going to get.
Correct me if I’m wrong, but the PIM prompt cannot be turned off (as of v1.15). That additional step becomes tiresome when it is not needed.
That is just crap. That is just utter and utter crap. If someone says 5 is more than 4, and you go and say that 5 is not more than 4, you are saying crap. Then you insult people to prove your point, as so many people in Linux do (The user is stupid, that’s why my program doesn’t work as well). It is pretty clear the PIM is annoying: with computers we try to automate as many steps away as we can, and having to repeat steps over and over becomes tiresome. Without a low PIM, the iteration count is extremely high, causing the long boot delay. With a low PIM, as Paul says, a hacker (or attacker, or adversary, as they are called) merely needs to test at most 10 different iteration counts which means the “multiplication factor” at that point is only an average of 5. If you design a software that takes 85 seconds to boot you are just full of crap and you don’t listen to your users at all, or, like you are doing here, you call them stupid and then say you don’t need to listen to them because they are stupid and shouldn’t use computers anyway.
And opensource and cross-platform VC is definitely not as good as you’re going to get. Even a single person patching this thing by lowering the iteration count (and possibly introducing a different hashing algorithm, but that aside) and being willing to distribute and maintain this patch, will have created something better and it won’t (or wouldn’t) take more than a minute of programming, in that sense. Of course, without that, you will be creating volumes that are not compatible with regular VeraCrypt because the iteration counts will be off and they are hardcoded mostly. VeraCrypt is not user-friendly and TrueCrypt always was very user-friendly. The VeraCrypt authors would never have been able to create something the quality of TrueCrypt, they just don’t have the mindset for that. They take an existing project and then make it worse, and that is mostly all they do. And then you call that “as good as you’re going to get”. Well, if that is the best the regular open source community can do (ruin things) then that doesn’t bode well for open source, my friend (or nemesis). This TrueCrypt software was so perfectly excellent and the number of changes VeraCrypt has done to it is absolutely minimal and yet they have managed to ruin its user-friendliness already. It boggles the mind how people can be so detrimental to common sanity. It boggles the mind what happens when arrogance is allowed to take over, and answering for your “crimes” is no longer necessary (because it is “open source”, and “we control things now”). It boggles the mind how quickly people can depart common sense when there is no pay involved and listening to users is no longer required. Or when it is not a personal project to create something great, but something to flaunt the open source community with: take a project that is someone else’s and call it your own and then claim you’re better than that person. The people at TCnext are equally disproportionately arrogant.
The author of TrueCrypt did all that work but /they/ will help organize a future, but the first thing they do is ask for /support/, is that the sign of someone who is in charge of what he’s doing? No. It is the sign of a weakling who only wants free work and financial aid. They don’t display any sense of work they’ve done first, no they ask for help first. That’s not a project. That’s a charity. That’s a charity begging for funds.
Spoken like a true crypto hipster.
I like the PIM. Before VC was very slow to start. Now I use a fairly long yet simple password, then an easy single digit PIM, and it boots right up. As far as non-tech people using it. Non-tech people don’t know about hard drive encryption, so it’s a non-issue.
A simpler PIM is a reasonable workaround, though it mitigates most of the benefit at a high cost to potential users. Since I’m responsible for helping these non-techies secure their computers it is very much an issue for them and myself.
I believe the simplest patch to VeraCrypt that will make it easy to use again would be to hard-code a specific PIM into the application which will fix the iteration count at a certain default. At that point to use your volumes with Regular VeraCrypt you would have to manually insert that fixed PIM you’ve used. Suppose the PIM is 20, you would have to calculate the number of iterations (you don’t need to, but you could) and see if it suffices. Pick a PIM that takes away the boot delay, that makes it hard to notice the boot delay. Then fix your PIM at that (the iteration count is just a multiple of that). Make it a round number, ie. 32, or 64, or 128. Or even 16. Now your volumes will be VeraCrypt compatible (but not TrueCrypt, I think) (But I don’t know the detail of the header format) (and whether it’s flexible or not) but will not incur the longer delays and lack of usability.
I am creating a volume that is 2TB. When it started, the speed was about 30MB/S and the estimated time to completion was 16 hours. That was about 30 hours ago. Now the speed is 9 MB/S and the estimated time to completion is 26 hours. My machine is running macOS Sierra with an Intel i7 6700K and 4.01GHz processor and 16GB memory. At the rate the speed is decreasing and the estimated completion time is increasing, I do not believe it will ever finish.
Years ago, I created a similar 2TB volume with TrueCrypt and it completed successfully in less than 24 hours.
I use Mac, Linux and Windows and so TrueCrypt and VeraCrypt are really ideal for me. But they are useless if they cannot handle large volumes and are slow.
Please consider allowing users to select less secure but faster options so it can create and process larger volumes in a reasonable time.
Please post your suggestion on the Feature Request topic of the official project.
I can only second this. I got a small 4TB USB3.0 drive encrypting with VeraCrypt.
When it started, ETA was around 30 hours.
Now 30 hours later, it’s at 81% and says 47 hours left.
The same disk (same model and brand, bought on the same day) was encrypted in 27 hours with TrueCrypt.
VeraCrypt is seriously a piece of garbage, done by developers with no fucking clue about usability.
No, that “It’s safer” argument doesn’t count when I simply can’t use this software in any way.
I don’t know what is happening to you guys with all this hassle and time for encrypting a volume. Could someone please explain it to me?
My scenario, on September, 01-2017:
– ASUS Ultrabook: Intel Core i7-3517U (Hardware Acceleration: processor (CPU) supports hardware acceleration for AES: YES); 8GB RAM.
– Operating System: Windows 10-64bit.
– VeraCrypt version 1.21-64bit.
– Seagate Expansion 4TB drive using 3.0 USB port.
– I divided the drive into 4 partitions: 1TB each (technically/exactly: 3x976GB, and 1x796GB now formatted as NTFS).
– I encrypted a 1TB VOLUME inside a/the 1TB PARTITION in less than 70min, at mostly 189MB/s speed transfer with no speed loss.
– I used AES with SHA-512 with a 40+ long password.
I lost my TrueCrypt volumes and can no longer access important data. I wish that I knew that TrueCrypt/VeraCrypt was so unreliable before trusting them with my data!
Sorry to hear that. I’m afraid the problem of lost files has less to do with TrueCrypt and VeraCrypt than just how computer files work at an individual level. Each of us must maintain backups in one way or another. Services like Dropbox, Onedrive, and Spideroak do that backing up automatically; while TC and VC leave that responsibility entirely up to the user.
It is possible to back up TC and VC files to managed services like Dropbox or OneDrive. But take care as the file timestamps aren’t updated as the files change, unless you change the default. And many services rely on an accurate timestamp to know when a local file needs to be backed up.
I totally agree. I used Veracrypt for a while, but since the developer has no interest to listen to the users, I stopped using it. It is as simple as that. Having the PIM as an _option_ gives the user _option_ to decide what he wants. Forcing high PIM with unreasonably long startup times is just plain stupidity, which makes me think that there is much more of that used when creating the software. No thanks.
I wanted to use VeraCrypt, but I see that it still forces PIM (causing unusable mount times) on you if you have a password that is less than 20 characters. No thanks. If I want to use a shorter password and PIM of 1 pass and have less security, that should be my choice, not the developer’s.
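The PIM arithmetic argued over in this thread, as an added example (not code from the post, the commenters, or the VeraCrypt project). It uses the iteration formulas, default PIMs and 20-character minimum from VeraCrypt's PIM documentation; the function names and the sample password are constructed for illustration.

```python
import hashlib
import os
import time

# Values from VeraCrypt's PIM documentation (not from this page).
DEFAULT_PIM = {"system": 98, "volume": 485}   # used when the PIM field is empty or 0
SHORT_PASSWORD = 20                           # shorter passwords cannot go below the default


def iterations(pim: int, kind: str) -> int:
    """PBKDF2 iteration count; kind is 'system' (SHA-256 boot) or 'volume'."""
    pim = pim or DEFAULT_PIM[kind]
    return pim * 2048 if kind == "system" else 15000 + pim * 1000


def min_pim(password_len: int, kind: str) -> int:
    """Smallest PIM accepted for a password of this length."""
    return DEFAULT_PIM[kind] if password_len < SHORT_PASSWORD else 1


def derive_seconds(pim: int, kind: str, password: bytes = b"constructed sample") -> float:
    """Time one PBKDF2 block on this CPU; the pre-boot loader is far slower."""
    prf = "sha256" if kind == "system" else "sha512"
    salt = os.urandom(64)                     # volume headers carry a 64-byte salt
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(prf, password, salt, iterations(pim, kind))
    return time.perf_counter() - start


def search_cost_ratio(max_pim: int, kind: str) -> float:
    """Upper bound on the iterations needed to try every PIM in 1..max_pim for one
    password candidate, relative to a single derivation at the default PIM."""
    total = sum(iterations(p, kind) for p in range(1, max_pim + 1))
    return total / iterations(DEFAULT_PIM[kind], kind)


if __name__ == "__main__":
    for kind in ("system", "volume"):
        for pim in (1, 10, DEFAULT_PIM[kind]):
            print(f"{kind:6} PIM {pim:3}: {iterations(pim, kind):7} iterations, "
                  f"{derive_seconds(pim, kind):.3f}s")
        print(f"{kind:6} PIMs 1..10 together cost {search_cost_ratio(10, kind):.2f}x "
              f"one default-PIM derivation")
```

A ratio below 1 means that a secret single-digit PIM costs a guesser less per password than the default does, so at that setting the password length carries the security.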