Encryption comes up frequently in many of my answers. People are concerned about privacy as well as identity and data theft, particularly on computers or portable devices where they don’t always have total physical control of the media.
The concern is that someone might gain access to sensitive data.
Encryption is the answer.
Even if your device falls into the wrong hands, proper encryption renders that access useless.
VeraCrypt makes encryption not only easy, but nearly un-crackable.
VeraCrypt versus TrueCrypt
VeraCrypt is based on, and the heir-apparent to, the exceptionally popular TrueCrypt. Everything described below applies to both. Indeed, this article is based on an earlier article specifically about TrueCrypt.
TrueCrypt development was abruptly and somewhat mysteriously halted in 2014. In 2015, it was reported that a serious security vulnerability had been discovered in TrueCrypt. With TrueCrypt development halted, there’s no fix forthcoming.
VeraCrypt is a free, compatible, supported alternative, based on a fork (copy) of the original TrueCrypt code. And yes — the vulnerabilities are fixed in VeraCrypt.
Drives and containers
There are two approaches to using VeraCrypt.
- Whole-drive encryption. Using VeraCrypt, you can encrypt your entire hard disk, including the boot partition. You supply your passphrase to enable decryption in order to boot. Once running, data is transparently encrypted and decrypted as it travels to and from the disk. Once your machine is turned off, the data is unrecoverable to anyone who doesn’t know the passphrase.
- Container encryption. Using this approach, you create a single file on your computer’s hard drive that is encrypted. You then “mount” that container file using VeraCrypt with the correct passphrase. The contents of that file appear as another drive on your system. Reading from and writing to that drive transparently decrypts and encrypts the data. Once the drive is unmounted, the data is once again unrecoverable without knowing the passphrase.
Both approaches have their uses.
In my opinion, container encryption has two advantages over whole-drive encryption:
- Portability. VeraCrypt containers can be copied to, opened, and mounted on any device that supports VeraCrypt. This extends to your other Windows computers, as well as other platforms, including Macs and machines running Linux.
- Limited visibility. You can elect to mount a VeraCrypt volume only when needed, thus limiting the amount of time the data is accessible in its unencrypted form.
Personally, I tend to use OS-specific whole-drive encryption for my portable devices, but would use VeraCrypt containers for collections of data that need to be secured, particularly if those collections need to be copied from machine to machine.
VeraCrypt and the cloud
VeraCrypt containers are what I refer to as “monolithic”. A VeraCrypt container is a single file on your hard disk that contains all the individual files you’ve elected to store within it. When one file within the container changes, the entire container is considered to have changed.1
If you place your VeraCrypt container into a cloud storage folder (such as Dropbox, OneDrive, or others), even the smallest change taking place within the container will cause the entire container to be uploaded when it’s unmounted. If you have a large container (and a slow internet connection), that can become quite the burden.
In cloud storage situations, alternatives such as BoxCryptor or Cryptomator — both designed specifically for this cloud storage scenario to encrypt files individually — may be more viable.
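To make the "monolithic" point concrete, here is a small constructed model, added as an example; it is not Ask Leo! or VeraCrypt code and touches no real VeraCrypt volume. A sync client that decides "changed or not" by comparing each file as a whole re-uploads an entire container after a one-line edit inside it, whereas per-file encryption (the shape Cryptomator and BoxCryptor use) re-uploads only the edited file. The container name, the inner files and the 1 MiB size are assumptions.

```python
"""
Constructed model of a whole-file sync client facing a monolithic container
versus individually encrypted files. Added example, not Ask Leo! or VeraCrypt
code; the "container" is plain concatenation, because the property that
matters to the sync client is the single fixed-size file, not the cipher.
"""
import hashlib
from typing import Dict, List, Tuple

CONTAINER_NAME = "vault.hc"   # hypothetical container file name in the cloud folder


def file_hash(data: bytes) -> str:
    """Whole-file fingerprint, the unit a simple sync client compares."""
    return hashlib.sha256(data).hexdigest()


def build_container(inner_files: Dict[str, bytes], size: int) -> bytes:
    """Stand-in for a container: one fixed-size blob holding every inner file."""
    body = b"".join(name.encode() + b"\0" + data + b"\0"
                    for name, data in sorted(inner_files.items()))
    if len(body) > size:
        raise ValueError("inner files exceed container size")
    return body + b"\0" * (size - len(body))   # deterministic padding


def sync_plan(before: Dict[str, bytes], after: Dict[str, bytes]) -> Tuple[List[str], int]:
    """What a whole-file sync client uploads: every file whose fingerprint
    differs from the last synced one, counted in full. Returns (names, bytes)."""
    to_upload = [name for name, data in after.items()
                 if name not in before or file_hash(before[name]) != file_hash(data)]
    return to_upload, sum(len(after[name]) for name in to_upload)


def compare_strategies(container_size: int = 1 << 20) -> Dict[str, Tuple[List[str], int]]:
    """Edit one small file and compare upload cost under both layouts."""
    inner = {"notes.txt": b"meeting at 10",          # constructed contents
             "ledger.csv": b"a,b,c\n" * 1000,
             "photo.jpg": bytes(50_000)}
    edited = dict(inner, **{"notes.txt": b"meeting moved to 11"})

    # Monolithic: the cloud folder holds a single 1 MiB container file.
    mono_before = {CONTAINER_NAME: build_container(inner, container_size)}
    mono_after = {CONTAINER_NAME: build_container(edited, container_size)}

    # Per-file encryption: each file is its own sync unit; ciphertext size is
    # approximated by plaintext size here.
    return {"monolithic": sync_plan(mono_before, mono_after),
            "per_file": sync_plan(inner, edited)}


if __name__ == "__main__":
    for layout, (names, nbytes) in compare_strategies().items():
        print(f"{layout:11s} uploads {nbytes:>8} bytes: {names}")
```

Running it shows the monolithic layout uploading the full 1,048,576-byte container for a 19-byte edit, while the per-file layout uploads 19 bytes. The model deliberately ignores block-level delta sync; it describes the behaviour the article is warning about.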
There are a few important caveats to encrypting your data using tools like VeraCrypt.
First, encryption does not make a bad passphrase more secure. If you choose an obvious, short, or otherwise easy-to-guess passphrase, an attacker can certainly unlock your encrypted volume. This is why we talk about a passphrase instead of a password. Length matters, so using a multi-word phrase is key to keeping your data secure.
Second, an encrypted volume does you no good if the files are also elsewhere on your machine. If you’ve copied the file to an unencrypted location on your machine, it’s available to anyone with access. In addition, simple deletion of that unencrypted file might not be enough — undelete utilities might be able to recover it. Finally, depending on the software you use to access or edit the file, it’s possible that temporary copies might be created in unencrypted locations.
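One way to check for the second caveat, as an added example that is not Ask Leo! or VeraCrypt code: hash every file on the mounted volume, then walk the unencrypted parts of the disk looking for files with identical content, or with names that match common editor backup and temp-file habits. The mount path, the search roots and the temp-name patterns are assumptions you will need to adjust for your own system; the `demo()` layout is constructed.

```python
"""
Added example (not Ask Leo! or VeraCrypt code): look for copies of files
from a mounted VeraCrypt volume that have ended up in unencrypted locations,
matching by content hash and by common editor backup/temp naming patterns.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Tuple

# Assumed editor/office temp-file naming habits; extend for your tools.
TEMP_NAME_PATTERNS: List[Callable[[str], str]] = [
    lambda name: f"{name}~",        # emacs/vim-style backup
    lambda name: f".{name}.swp",    # vim swap file
    lambda name: f"~${name}",       # office lock/owner file
    lambda name: f"{name}.bak",
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def index_volume(volume: Path) -> Tuple[Dict[str, Path], Dict[str, Path]]:
    """Map content hash -> volume file, and expected temp name -> volume file."""
    by_hash: Dict[str, Path] = {}
    by_temp_name: Dict[str, Path] = {}
    for p in volume.rglob("*"):
        if p.is_file():
            by_hash[sha256_file(p)] = p
            for pattern in TEMP_NAME_PATTERNS:
                by_temp_name[pattern(p.name)] = p
    return by_hash, by_temp_name


def find_leaked_copies(volume: Path, search_roots: List[Path]) -> List[Tuple[str, Path, Path]]:
    """Return (reason, stray_path, volume_file) for files outside the volume that
    match a volume file's content or look like an editor's temp copy of one."""
    volume = volume.resolve()
    by_hash, by_temp_name = index_volume(volume)
    findings: List[Tuple[str, Path, Path]] = []
    for root in search_roots:
        for p in Path(root).resolve().rglob("*"):
            if not p.is_file() or volume in p.parents:
                continue                      # skip the mounted volume itself
            if p.name in by_temp_name:
                findings.append(("temp-name", p, by_temp_name[p.name]))
            try:
                digest = sha256_file(p)
            except OSError:
                continue                      # unreadable file; keep going
            if digest in by_hash:
                findings.append(("same-content", p, by_hash[digest]))
    return findings


def demo() -> List[Tuple[str, Path, Path]]:
    """Constructed layout: 'vault' stands in for the mounted VeraCrypt drive."""
    tmp = Path(tempfile.mkdtemp())
    vault, home = tmp / "vault", tmp / "home"
    (vault / "taxes").mkdir(parents=True)
    (home / "Downloads").mkdir(parents=True)
    secret = b"SSN 000-00-0000 (constructed)"
    (vault / "taxes" / "return.txt").write_bytes(secret)
    (home / "Downloads" / "return (1).txt").write_bytes(secret)   # forgotten copy
    (home / "return.txt~").write_bytes(b"old draft")               # editor backup
    (home / "todo.txt").write_bytes(b"buy milk")                   # unrelated
    return find_leaked_copies(vault, [home])


if __name__ == "__main__":
    for reason, stray, original in demo():
        print(f"{reason:13s} {stray}  <- {original}")
```

The content match only catches byte-identical copies; an edited temp file differs in content, which is why the name-based check is there as well. Hits outside the volume are candidates for review, and, as the article notes, plain deletion may leave them recoverable.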
Finally, make sure you back up your files regularly. I recommend backing up the files in their unencrypted state and then securing those backups in some other way. This protects you from scenarios where you forget or otherwise lose your passphrase. If you’ve chosen a good passphrase, VeraCrypt cannot recover the data without it.
Data encryption is an important part of an overall security strategy, and VeraCrypt can be a key part of that strategy.
I recommend it.