Encryption comes up frequently in many of my answers. People are concerned about privacy as well as identity and data theft, particularly on computers or portable devices where they don’t always have total physical control of the media.
The concern is that someone might gain access to sensitive data.
Encryption is the answer.
Even if your device falls into the wrong hands, proper encryption renders that access useless.
VeraCrypt makes encryption not only easy, but nearly un-crackable.
VeraCrypt versus TrueCrypt
VeraCrypt is based on, and the heir-apparent to, the exceptionally popular TrueCrypt. Everything described below applies to both. Indeed, this article is based on an earlier article specifically about TrueCrypt.
TrueCrypt development was abruptly and somewhat mysteriously halted in 2014. In 2015, it was reported that a serious security vulnerability had been discovered in TrueCrypt. With TrueCrypt development halted, there’s no fix forthcoming.
VeraCrypt is a free, compatible, supported alternative, based on a fork (copy) of the original TrueCrypt code. And yes — the vulnerabilities are fixed in VeraCrypt.
Drives and containers
There are two approaches to using VeraCrypt.
- Whole-drive encryption. Using VeraCrypt, you can encrypt your entire hard disk, including the boot partition. You supply your passphrase to enable decryption in order to boot. Once running, data is transparently encrypted and decrypted as it travels to and from the disk. Once your machine is turned off, the data is unrecoverable by anyone who doesn’t know the passphrase.
- Container encryption. Using this approach, you create a single file on your computer’s hard drive that is encrypted. You then “mount” that container file using VeraCrypt with the correct passphrase. The contents of that file appear as another drive on your system. Reading from and writing to that drive transparently decrypts and encrypts the data. Once the drive is unmounted, the data is once again unrecoverable without knowing the passphrase.
Both approaches have their uses.
In my opinion, container encryption has two advantages over whole-drive encryption:
- Portability. VeraCrypt containers can be copied to, opened, and mounted on any device that supports VeraCrypt. This extends to your other Windows computers, as well as other platforms, including Macs and machines running Linux.
- Limited visibility. You can elect to mount a VeraCrypt volume only when needed, thus limiting the amount of time the data is accessible in its unencrypted form.
Personally, I tend to use OS-specific whole-drive encryption for my portable devices, but would use VeraCrypt containers for collections of data that need to be secured, particularly if those collections need to be copied from machine to machine.
VeraCrypt and the cloud
VeraCrypt containers are what I refer to as “monolithic”. A VeraCrypt container is a single file on your hard disk that contains all the individual files you’ve elected to store within it. When one file within the container changes, the entire container is considered to have changed.
If you place your VeraCrypt container into a cloud storage folder (such as Dropbox, OneDrive, or others), even the smallest change taking place within the container will cause the entire container to be uploaded when it’s unmounted. If you have a large container (and a slow internet connection), that can become quite the burden.
In cloud storage situations, alternatives such as BoxCryptor or Cryptomator — both designed specifically for this cloud storage scenario to encrypt files individually — may be more viable.
Encryption risks
There are a couple of important caveats to encrypting your data using tools like VeraCrypt.
First, encryption does not make a bad passphrase more secure. If you choose an obvious, short, or otherwise easy-to-guess passphrase, an attacker can certainly unlock your encrypted volume. This is why we talk about a passphrase instead of a password. Length matters, so using a multi-word phrase is key to keeping your data secure.
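To put numbers on “length matters”, here is an added example (not code from the article or from the VeraCrypt project) that compares the entropy of a few passphrase styles and turns it into an expected search time, using one PBKDF2 header-key derivation as the cost of a single guess. The PBKDF2 parameters (SHA-512, 500,000 iterations) and the attacker’s 10,000x throughput are assumptions, not figures from the article.

```python
from __future__ import annotations
import hashlib
import math
import time

# Assumed VeraCrypt defaults for a standard (non-system) container with the default
# PIM: PBKDF2-HMAC-SHA512 with 500,000 iterations. Treat these as an assumption.
PBKDF2_HASH = "sha512"
PBKDF2_ITERATIONS = 500_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def passphrase_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of a passphrase of `length` symbols, each picked uniformly
    at random from `pool_size` candidates. For a word list, a "symbol" is a word."""
    return length * math.log2(pool_size)

def measure_guess_seconds(salt: bytes = b"constructed-salt-value") -> float:
    """Time one header-key derivation on this machine: the cost of a single guess
    against the volume header (constructed salt; the real one is random)."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(PBKDF2_HASH, b"guess", salt, PBKDF2_ITERATIONS, dklen=64)
    return time.perf_counter() - start

def expected_crack_years(bits: float, guess_seconds: float, parallel_guesses: int = 1) -> float:
    """Expected time to hit the right passphrase: on average half the keyspace is
    searched, spread across `parallel_guesses` simultaneous attempts."""
    return 2 ** (bits - 1) * guess_seconds / parallel_guesses / SECONDS_PER_YEAR

def compare(guess_seconds: float) -> dict[str, tuple[float, float]]:
    """Entropy and expected search time for three passphrase styles, assuming an
    attacker with 10,000 times this machine's derivation throughput."""
    candidates = {
        "8 random printable-ASCII chars": (95, 8),
        "12 random lowercase letters":    (26, 12),
        "6 random words, 7776-word list": (7776, 6),
    }
    out = {}
    for label, (pool, length) in candidates.items():
        bits = passphrase_bits(pool, length)
        out[label] = (bits, expected_crack_years(bits, guess_seconds, parallel_guesses=10_000))
    return out

if __name__ == "__main__":
    per_guess = measure_guess_seconds()
    print(f"one PBKDF2 derivation here: {per_guess:.3f} s")
    for label, (bits, years) in compare(per_guess).items():
        print(f"{label:32} {bits:6.1f} bits  ~{years:.3g} years")
```

The six-word phrase comes out far ahead of the eight-character password even though it is easier to remember; the slow derivation only multiplies whatever margin the passphrase itself provides.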
Second: an encrypted volume does you no good if the files are also elsewhere on your machine. If you’ve copied the file to an unencrypted location on your machine, it’s available to anyone with access. In addition, simple deletion of that unencrypted file might not be enough — undelete utilities might be able to recover it. Finally, depending on the software you use to access or edit the file, it’s possible that temporary copies might be created in unencrypted locations.
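The stray-copy problem above is something you can check for. The following is an added example (not code from the article or from VeraCrypt) that indexes the files inside a mounted volume and then scans other folders, such as a temp directory, for byte-identical copies or for files whose names embed an original’s name (Office lock and temp files, editor backups). The directory names and sample file contents are constructed for the demo.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_stray_copies(mount_point: Path, search_roots: list[Path]) -> list[tuple[Path, str]]:
    """Scan search_roots (e.g. %TEMP%, Documents, Desktop) for files that duplicate
    something in the mounted volume. Byte-identical files are "identical-content";
    files whose name embeds an original's stem (Office ~$ files, editor backups) are
    "name-match", since they are not full copies but still reveal the document."""
    originals = {}
    for p in mount_point.rglob("*"):
        if p.is_file():
            originals[file_digest(p)] = p
    stems = {p.stem.lower() for p in originals.values()}
    hits = []
    for root in search_roots:
        for cand in root.rglob("*"):
            if not cand.is_file() or mount_point in cand.parents:
                continue  # skip directories and anything inside the volume itself
            try:
                digest = file_digest(cand)
            except OSError:
                continue  # locked by another process or not readable by this account
            if digest in originals:
                hits.append((cand, "identical-content"))
            elif any(s in cand.name.lower() for s in stems):
                hits.append((cand, "name-match"))
    return hits

def demo() -> list[tuple[str, str]]:
    """Constructed sample: a directory standing in for the mounted volume, plus a
    temp folder with a stray copy, an Office-style lock file and a harmless file."""
    with tempfile.TemporaryDirectory() as base:
        vol, tmp = Path(base, "volume"), Path(base, "temp")
        vol.mkdir(); tmp.mkdir()
        (vol / "budget.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (tmp / "copy.bin").write_bytes(b"constructed spreadsheet bytes")  # stray copy
        (tmp / "~$budget.xlsx").write_bytes(b"lock")  # Office temp/lock file
        (tmp / "unrelated.txt").write_bytes(b"nothing sensitive here")
        return sorted((h.name, why) for h, why in find_stray_copies(vol, [tmp]))
```

Run it against your real mount point and temp folders before you unmount; anything it reports is a candidate for secure deletion, and a hit that keeps reappearing points at an application that needs its temp location changed.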
Third, make sure you back up your files regularly. I recommend backing up the files in their unencrypted state and then securing those backups in some other way. This protects you from scenarios where you forget or otherwise lose your passphrase. If you’ve chosen a good passphrase, VeraCrypt cannot recover the data without it.
Data encryption is an important part of an overall security strategy, and VeraCrypt can be a key part of that strategy.
I recommend it.
Hi Leo… I am wondering if advertisers are sending encrypted emails to me using my Yahoo email. The texts are quite lengthy and I can’t read a word. I use Win10, the Edge browser first to open my email until I spot all the gobbledygook. Then I go to the website where I can read without distraction using Yahoo email just fine. Is it a Microsoft browser problem? I will be adding VeraCrypt in the future because of the content in your article. Thanks, Judy
Are these ads from companies you deal with or spam?
Lots of spam ads are gibberish that tries to look legitimate by using random words that are safe, but there is a dangerous payload in them.
If it is from someone you have a relationship with, let them know what browser or reader you are using and ask if they have tested their message with it.
Is VeraCrypt the best option for encrypting flash drives?
If I move my flash drive to another Windows pc, is it mandatory that VeraCrypt be installed on that pc to access files on my flash drive?
It’s certainly one option – whether it’s best is really up to you and your usage scenario. Yes, you’ll need to have something installed to be able to read the contents of a VeraCrypt volume or drive.
And you’ll need to be logged into an administrator account on that other computer. For those reasons, I’d generally not recommend VeraCrypt for portable drive encryption. For USB encryption, I use 7-Zip. Those archives can be opened by almost any computer.
The problem with 7-Zip is the extra steps needed, as well as the (high) risk of leaving unencrypted copies in unexpected places. Agreed, VeraCrypt isn’t for all (though it’s great across computers that are in your control), but encryption of portable devices you expect to take to other computers you don’t own is a different can of worms. There’s a strong argument that if the data is important enough to encrypt, then you shouldn’t be taking it to computers that are not 100% in your control.
1/ “depending on the software you use to access or edit the file, it’s possible that temporary copies might be created in unencrypted locations”.
I checked the “Recent” list of Microsoft Word: the title of the file is there but not accessible after unmounting (inaccessible in …%appdata%).
2/ So, if I check “preserve modification timestamp”, then I can sync with the cloud reliably, albeit time consuming?
Thanks
Leo –
Hi. In the last section of the article, under Encryption Risks, you said: “…depending on the software you use to access or edit the file, it’s possible that temporary copies might be created in unencrypted locations.”
Much of my encrypted data involves Microsoft Excel. According to a Microsoft article, “when you save an existing file in Excel, Excel creates a temporary file in the destination folder that you specify in the Save As dialog box.” When I’m finished editing a file, I re-encrypt its destination folder, which is located either within an encrypted file container or within an encrypted external hard drive.
So, am I safe from the encryption risks you alluded to?
Thanks.
I believe so. As I said, it’s “depending on the software you use”. I was concerned about software that writes to the typically unencrypted Windows temporary folder.
Be aware though that the paging file might also have remnants of your data. Typically it has little-to-none, but it’s also typically not encrypted.
Hi Leo,
I’ve been a regular user of VeraCrypt for many years and make use of an encrypted volume to hold some of my confidential data. Recently I bought a new PC but within a few weeks had an issue with the SD card which meant returning it to the manufacturer. Given the nature of the failure I was able beforehand to copy my files to an external drive and delete the originals on the PC’s hard disk. This got me thinking that if I have future issues with the PC which require it to be sent away for repair, I may not be able to access the files to delete them before shipping (I would have a backup on external media, but the original versions would still be accessible by the repairer, on the hard disk). As a result of this I have decided to extend my use of VeraCrypt, adding a second encrypted volume and using this to store almost all my data. My big worry now is that I may accidentally delete this volume. Is it possible to have an encrypted volume which allows all sorts of access to the files contained within BUT prevents deletion of the volume itself?
What comes to mind is playing with the advanced Windows file permissions of the volume file itself. I don’t know if that has the granularity you need, but perhaps between that and specific account access you can achieve what you’re looking for.
As Leo said, you can set permissions, but it shouldn’t matter if you accidentally delete the volume if you are backing up daily.