
VeraCrypt: Free Open Source Industrial Strength Encryption

Encryption comes up frequently in many of my answers. People are concerned about privacy as well as identity and data theft, particularly on computers or portable devices where they don’t always have total physical control of the media.

The concern is that someone might gain access to sensitive data.

Encryption is the answer.

Even if your device falls into the wrong hands, proper encryption renders that access useless.

VeraCrypt makes encryption not only easy, but nearly un-crackable.


VeraCrypt versus TrueCrypt

VeraCrypt is based on, and the heir-apparent to, the exceptionally popular TrueCrypt. Everything described below applies to both. Indeed, this article is based on an earlier article specifically about TrueCrypt.

TrueCrypt development was abruptly and somewhat mysteriously halted in 2014. In 2015, it was reported that a serious security vulnerability had been discovered in TrueCrypt. With TrueCrypt development halted, there’s no fix forthcoming.

VeraCrypt is a free, compatible, supported alternative, based on a fork (copy) of the original TrueCrypt code. And yes — the vulnerabilities are fixed in VeraCrypt.

Drives and containers

There are two approaches to using VeraCrypt.

  • Whole-drive encryption. Using VeraCrypt, you can encrypt your entire hard disk, including the boot partition. You supply your passphrase before boot to enable decryption. Once running, data is transparently encrypted and decrypted as it travels to and from the disk. Once your machine is turned off, the data is unrecoverable without the passphrase.
  • Container encryption. Using this approach, you create a single file on your computer’s hard drive that is encrypted. You then “mount” that container file using VeraCrypt with the correct passphrase. The contents of that file appear as another drive on your system. Reading from and writing to that drive transparently decrypts and encrypts the data. Once the drive is unmounted, the data is once again unrecoverable without knowing the passphrase.

Both approaches have their uses.


In my opinion, container encryption has two advantages over whole-drive encryption:

  • Portability. VeraCrypt containers can be copied to, opened, and mounted on any device that supports VeraCrypt. This extends to your other Windows computers, as well as other platforms, including Macs and machines running Linux.
  • Limited visibility. You can elect to mount a VeraCrypt volume only when needed, thus limiting the amount of time the data is accessible in its unencrypted form.

Personally, I tend to use OS-specific whole-drive encryption for my portable devices, but would use VeraCrypt containers for collections of data that need to be secured, particularly if those collections need to be copied from machine to machine.

VeraCrypt and the cloud

VeraCrypt containers are what I refer to as “monolithic”. A VeraCrypt container is a single file on your hard disk that contains all the individual files you’ve elected to store within it. When one file within the container changes, the entire container is considered to have changed.[1]

If you place your VeraCrypt container into a cloud storage folder (such as Dropbox, OneDrive, or others), even the smallest change taking place within the container will cause the entire container to be uploaded when it’s unmounted. If you have a large container (and a slow internet connection), that can become quite the burden.

In cloud storage situations, alternatives such as BoxCryptor or Cryptomator — both designed specifically for this cloud storage scenario to encrypt files individually — may be more viable.

Encryption risks

There are a couple of important caveats to encrypting your data using tools like VeraCrypt.

First, encryption does not make a bad passphrase more secure. If you choose an obvious, short, or otherwise easy-to-guess passphrase, an attacker can certainly unlock your encrypted volume. This is why we talk about a passphrase instead of a password. Length matters, so using a multi-word phrase is key to keeping your data secure.

Second, an encrypted volume does you no good if the files are also elsewhere on your machine. If you’ve copied a file to an unencrypted location, it’s available to anyone with access to that location. In addition, simple deletion of that unencrypted copy might not be enough: undelete utilities might be able to recover it. Finally, depending on the software you use to access or edit the file, temporary copies might be created in unencrypted locations.
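One way to check for the stray copies described above is to hash every file inside the mounted volume and look for files with identical contents anywhere else on the machine. The script below is an added example, not code from the article or from VeraCrypt; it assumes the mounted container shows up as an ordinary directory (`mount_dir`) and that the rest of the search area is reachable under `search_root`. The file names and contents in `demo()` are constructed.

```python
"""Find plaintext copies of files that live inside a mounted encrypted volume.

Added example (not from the Ask Leo! article or VeraCrypt). A file outside the
mounted volume whose contents match a file inside it is a leak to review: a
stray copy, an editor backup, or a temp file left behind by an application.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_plaintext_copies(mount_dir, search_root):
    """Return {file inside volume: [matching files outside it]}, as POSIX-style
    relative paths. Zero-length files are skipped: every empty file matches
    every other empty file, which would drown the report in noise."""
    mount_dir = Path(mount_dir).resolve()
    search_root = Path(search_root).resolve()

    protected = {}  # digest -> relative path of the first file with that content
    for p in mount_dir.rglob("*"):
        if p.is_file() and p.stat().st_size > 0:
            protected.setdefault(sha256_of(p), p.relative_to(mount_dir).as_posix())

    leaks = {}
    for p in search_root.rglob("*"):
        if not p.is_file() or p.stat().st_size == 0:
            continue
        try:
            p.resolve().relative_to(mount_dir)
            continue  # inside the volume: that is where the file belongs
        except ValueError:
            pass  # outside the volume: compare contents
        digest = sha256_of(p)
        if digest in protected:
            leaks.setdefault(protected[digest], []).append(
                p.relative_to(search_root).as_posix())
    return leaks


def demo():
    """Constructed layout: a 'mounted volume' with one document, a leftover
    temp copy of it under a hypothetical AppData tree, and an unrelated file."""
    root = Path(tempfile.mkdtemp())
    mount = root / "VeraCryptVolume"
    mount.mkdir()
    secret = b"constructed sensitive document contents"
    (mount / "taxes.docx").write_bytes(secret)
    tmp = root / "AppData" / "Local" / "Temp"
    tmp.mkdir(parents=True)
    (tmp / "~WRD0001.tmp").write_bytes(secret)   # same bytes, outside the volume
    (root / "notes.txt").write_bytes(b"unrelated text")
    return find_plaintext_copies(mount, root)


if __name__ == "__main__":
    for protected, copies in demo().items():
        print(f"{protected} has plaintext copies outside the volume: {copies}")
```

Run it against a real mount point and your user profile to catch application temp files and forgotten copies; anything it reports should be securely wiped, not merely deleted, for the reason given above.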

Finally, make sure you back up your files regularly. I recommend backing up the files in their unencrypted state and then securing those backups in some other way. This protects you from scenarios where you forget or otherwise lose your passphrase. If you’ve chosen a good passphrase, VeraCrypt cannot recover the data without it.

Data encryption is an important part of an overall security strategy, and VeraCrypt can be a key part of that strategy.

I recommend it.


Footnotes & references

[1]: When the option “Preserve modification timestamp of file containers” is not checked in VeraCrypt’s options. This is actually a security/plausible deniability setting that, in essence, “hides” changes occurring within the container from external detection. Unfortunately, it breaks the ability to back up VeraCrypt containers or sync them to cloud storage providers reliably.
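To see why a preserved timestamp breaks backup and sync, the added example below (not from the article or VeraCrypt) models a container as a file and a sync client in two flavours: one that decides “has this changed?” from size and modification time, and one that hashes the contents. The timestamp-preserving behaviour is modelled with `os.utime`, putting the old mtime back after an in-place write; the sector size and the random bytes standing in for ciphertext are constructed.

```python
"""Sync detection versus a preserved modification timestamp.

Added example, not code from the article or from VeraCrypt. write_sector()
changes one sector of a 'container' in place; with preserve_timestamp=True the
original mtime is restored afterwards, which is what the VeraCrypt option
described in the footnote achieves. A client keying on (size, mtime) then sees
no change at all, while a content hash still does.
"""
import hashlib
import os
import tempfile
from pathlib import Path

SECTOR = 512  # constructed sector size for the model


def fingerprint(path):
    """The cheap check many backup and sync tools make first."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns)


def content_hash(path):
    """The expensive check: read everything and hash it."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def write_sector(path, index, data, preserve_timestamp):
    """Overwrite one sector in place, optionally restoring the previous mtime."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(index * SECTOR)
        f.write(data[:SECTOR])
    if preserve_timestamp:
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def simulate(preserve_timestamp):
    """Return (noticed_by_mtime_check, noticed_by_hash_check) for one edit."""
    d = tempfile.mkdtemp()
    container = os.path.join(d, "vault.hc")
    with open(container, "wb") as f:
        f.write(os.urandom(SECTOR * 8))  # random bytes stand in for ciphertext
    # Give the file an old timestamp so a fresh write is measurably different.
    old = 1_600_000_000
    os.utime(container, (old, old))

    before_fp, before_hash = fingerprint(container), content_hash(container)
    write_sector(container, 3, os.urandom(SECTOR), preserve_timestamp)
    after_fp, after_hash = fingerprint(container), content_hash(container)
    return (after_fp != before_fp, after_hash != before_hash)


if __name__ == "__main__":
    for preserve in (False, True):
        mtime_seen, hash_seen = simulate(preserve)
        print(f"preserve_timestamp={preserve}: "
              f"size/mtime check noticed={mtime_seen}, hash check noticed={hash_seen}")
```

The container's size never changes when data inside it is edited, so once the mtime is held constant too the only signal left is the contents themselves. A backup tool that relies on timestamps to pick up changed files will quietly skip the container every time, which is the failure the footnote describes.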

7 comments on “VeraCrypt: Free Open Source Industrial Strength Encryption”

  1. Hi Leo…I am wondering if advertisers are sending encrypted emails to me using my Yahoo email. The texts are quite lengthy and I can’t read a word. I use Win10, the Edge browser first to open my email until I spot all the gobbledygook. Then I go to the website where I can read without distraction using Yahoo email just fine. Is it a Microsoft browser problem? I will be adding VeraCrypt in the future because of the content in your article. Thanks Judy

    • Are these ads from companies you deal with or spam?
      Lots of spam ads are gibberish that is trying to look legitimate by using random words that are safe but there is a payload that is dangerous in them.

      If it is from someone you have a relationship with, let them know what browser or reader you are using and ask if they have tested their message with it.

  2. Is VeraCrypt the best option for encrypting flash drives?
    If I move my flash drive to another Windows PC, is it mandatory that VeraCrypt be installed on that PC to access files on my flash drive?

    • It’s certainly one option – whether it’s best is really up to you and your usage scenario. Yes, you’ll need to have something installed to be able to read the contents of a VeraCrypt volume or drive.

    • And you’ll need to be logged into an administrator account on that other computer. For those reasons, I’d generally not recommend VeraCrypt for portable drive encryption. For USB encryption, I use 7-Zip. Those can be opened by almost any computer.

      • The problem with 7-Zip is the extra steps needed, as well as the (high) risk of leaving unencrypted copies in unexpected places. Agree VeraCrypt isn’t for all (though it’s great across computers that are in your control), but encryption of portable devices you expect to take to other computers you don’t own is a different can of worms. There’s a strong argument that if the data is important enough to encrypt, then you shouldn’t be taking it to computers that are not 100% in your control.

  3. 1/ “depending on the software you use to access or edit the file, it’s possible that temporary copies might be created in unencrypted locations”.
    I checked the “recent” list of Microsoft Word; the title of the file is there but not accessible after unmounting (inaccessible in …%appdata%).

    2/ So, if I checked “preserve modification timestamp”, then I can sync with the cloud reliably, albeit time-consuming?

    Thanks
