Jul 28, 2015 at 4:30 AM
Edited Jul 28, 2015 at 5:19 AM
From a technical prospective, I do not see this being feasible between reboots of the PC because you would need to store the number of password attempts in the header key which is not possible without the correct password, keyfiles and/or PIM.
However during a given session, the program does keep password attempts for non-system encryption. After two failed attempts, the program automatically uses the backup embedded header key.
I believe it would be possible to have user configurable number of failed mount attempts for a single session and allow user configurable display or not display warning messages so a thief does not know they have limited password attempts. The default would
be unlimited password attempts and this would provide backward compatibility.
I think the user screen for setting the number of password attempts should provide warnings about cloning and that the counter is only for a single session and will start its counter back to 1 if the PC is rebooted.
Wiping the hard drive will take a long time. I am not opposed to the idea. However I would suggest first wiping all the header keys and where applicable the embedded backup header key before starting to wipe the volume(s).
Now to play devils advocate. Once the word get out on the street that any computer encrypted with VeraCrypt needs to be rebooted between password attempts to avoid the "wipe" feature, is this request still a viable feature?
In order to store the user configurable value of number of failed mount attempts, you would need to store the value in the clear (unencrypted) since the header key can only be decrypted with the correct password, keyfiles and/or PIM.
Storing values unencrypted removes plausible deniability for volumes.
I do not believe it will be acceptable to have this feature request implemented since it would introduce storing values unencrypted and removes volume plausible deniability.
From the manual:
Note: If the user fails to supply the correct password (and/or keyfiles) twice in a row when trying to mount a volume, VeraCrypt will automatically try to mount the volume using the embedded backup header (in addition to trying to mount it using
the primary header) each subsequent time that the user attempts to mount the volume (until he or she clicks Cancel).
FYI: Include the PIM in the Tools -> Restore Volume Header section of the manual.
Note: If the user fails to supply the correct password, keyfiles and/or PIM value ....