Configs · May 6, 2026 · 3 min read

VeraCrypt — Free Open Source Disk Encryption Software

A disk encryption tool based on TrueCrypt that creates encrypted volumes, partitions, and full-disk encryption with strong ciphers including AES, Serpent, and Twofish.

Introduction

VeraCrypt is a free disk encryption tool that creates encrypted volumes and supports full-disk encryption. It is a fork of TrueCrypt that fixes known security vulnerabilities and adds stronger key derivation. VeraCrypt is widely used by security-conscious professionals and journalists for protecting sensitive data at rest.

What VeraCrypt Does

  • Creates encrypted file containers that mount as virtual drives
  • Encrypts entire disk partitions and USB drives with sector-level encryption
  • Supports full-disk encryption for Windows system drives with pre-boot authentication
  • Offers cascaded encryption using combinations of AES, Serpent, and Twofish
  • Provides hidden volumes and hidden operating systems for plausible deniability

Architecture Overview

VeraCrypt uses a volume format in which the master key is stored in a header that is encrypted with a key derived from the user's password. Key derivation uses PBKDF2 with a high iteration count (configurable via PIM) using SHA-512, Whirlpool, or Streebog. Data blocks are encrypted in XTS mode, providing tweakable encryption that ties each block to its disk position. The driver intercepts disk I/O at the block layer and decrypts transparently. On Windows, a boot loader handles pre-boot authentication for system encryption. Hidden volumes use a second header at a different offset, so the outer volume appears to contain random data.

Self-Hosting & Configuration

  • Download from veracrypt.fr or install via system package managers
  • Create volumes via the GUI wizard or the command-line interface veracrypt -c
  • Choose cipher (AES, Serpent, Twofish, or cascades) and hash algorithm during creation
  • Set the PIM (Personal Iterations Multiplier) to balance security and mount time
  • Mount volumes via veracrypt /path/to/volume /mnt/point or the GUI
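
The PIM trade-off between security and mount time, and the PBKDF2 header-key derivation described under Architecture Overview, can be measured directly. The sketch below is an added example, not VeraCrypt's own code: the function names are hypothetical, the iteration formulas are the ones given in VeraCrypt's PIM documentation, and it assumes SHA-512 with a single 64-byte XTS key pair (cascades need a longer derived key).

```python
import hashlib
import os
import time

SALT_LEN = 64      # a VeraCrypt volume header begins with a 64-byte random salt
DEFAULT_PIM = 485  # non-system default: 15000 + 485 * 1000 = 500000 iterations


def pim_to_iterations(pim: int, system_x2048: bool = False) -> int:
    """Map a PIM to a PBKDF2 iteration count.

    Non-system volumes and file containers: 15000 + PIM * 1000.
    System encryption that follows the PIM * 2048 rule: system_x2048=True.
    """
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    return pim * 2048 if system_x2048 else 15000 + pim * 1000


def derive_header_key(password: bytes, salt: bytes, pim: int,
                      dklen: int = 64) -> bytes:
    """PBKDF2-HMAC-SHA512 over the header salt.

    64 bytes covers two 256-bit keys, i.e. one XTS key pair (assumption:
    single-cipher volume; this sketch does not decrypt a real header).
    """
    if len(salt) != SALT_LEN:
        raise ValueError("expected a 64-byte salt")
    return hashlib.pbkdf2_hmac("sha512", password, salt,
                               pim_to_iterations(pim), dklen)


def seconds_per_derivation(pim: int) -> float:
    """Time one derivation: the cost of a mount, or of one password guess."""
    salt = os.urandom(SALT_LEN)  # constructed salt, not read from a volume
    start = time.perf_counter()
    derive_header_key(b"constructed-sample-passphrase", salt, pim)
    return time.perf_counter() - start


if __name__ == "__main__":
    for pim in (1, 100, DEFAULT_PIM, 2000):
        print(f"PIM {pim:>5}: {pim_to_iterations(pim):>9} iterations, "
              f"{seconds_per_derivation(pim):.3f} s per derivation")
```

Cost grows linearly with the PIM for the legitimate user and for anyone guessing passwords alike, so a low PIM only makes sense together with a long, high-entropy password.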

Key Features

  • Strong key derivation with configurable PBKDF2 iterations via PIM
  • Cascaded encryption (AES-Twofish-Serpent) for defense in depth
  • Hidden volume and hidden OS for plausible deniability under coercion
  • Cross-platform support for Windows, macOS, and Linux
  • Independently audited by Quarkslab with published results

Comparison with Similar Tools

  • Cryptomator — file-level cloud encryption; VeraCrypt is block-level disk encryption
  • LUKS/dm-crypt — Linux-native disk encryption; VeraCrypt is cross-platform with a GUI
  • BitLocker — Windows-only, proprietary, no hidden volume support
  • FileVault — macOS-only, tied to Apple hardware; VeraCrypt is portable across OSes
  • age — simple file encryption CLI; VeraCrypt encrypts entire volumes transparently

FAQ

Q: Is VeraCrypt compatible with TrueCrypt volumes? A: Yes. VeraCrypt can mount TrueCrypt volumes in legacy mode, though migration to the VeraCrypt format is recommended for stronger key derivation.

Q: What is the PIM and should I change it? A: The PIM controls the number of PBKDF2 iterations. A higher PIM increases resistance to brute-force attacks but slows mounting. The default is secure for most users.

Q: Can I use VeraCrypt for full-disk encryption on Linux? A: VeraCrypt supports full-disk encryption on Windows only. On Linux, use LUKS for system partition encryption and VeraCrypt for data volumes.

Q: Has VeraCrypt been audited? A: Yes. Quarkslab performed a security audit in 2016, and the identified issues were addressed in subsequent releases.
