Improving command-line security

Topics: Feature Requests
Dec 17, 2015 at 1:44 AM
I am interested in using VeraCrypt from scripts and programs, via the command-line interface.

At present, the program supports the /password switch, like this:

/password "My Password"

This approach is pretty insecure, because various system tools and logs can capture program invocations, and the password will be known in such a case.

One simple way to improve this would be to have a switch like this:

/passenv MYPASSWORD

where "MYPASSWORD" is not the password, but an environment variable that contains the password.

Another approach using environment variables would be to define a standard variable name like "VCENV", and if it has been defined, then merge the contents of the variable with whatever else the user specifies on the command line. This approach is more general than the other one, and I've seen it used elsewhere, for example in the command-line interface of WinRAR.

Environment variables are not always secure, for example in cases where the variable's value is stored in a configuration file or in the registry. But it's possible to avoid such storage, and just use the variable for a single session, for example by saying in Windows:

set MYPASSWORD=weoufaouf308dljdaghghakoeiruweq

It seems like this approach would help to improve the security of VeraCrypt, and make it useful in a wider variety of applications.
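As an added illustration, not code from VeraCrypt or from this thread, here is a small Python model of the two proposals above: a /passenv NAME switch that is resolved from the environment inside the process, and a VCENV variable whose contents are merged ahead of the real command line, plus a redaction helper for anything that echoes the final argument list to a log. The switch names and the VCENV name are the poster's proposals, the volume switches are just pass-through tokens, and all sample values are constructed.

```python
from typing import Dict, List

# Switch and variable names are the poster's proposals, not real VeraCrypt options.
PASSENV_SWITCH = "/passenv"
MERGE_VAR = "VCENV"
PASSWORD_SWITCH = "/password"  # the existing switch whose value leaks via argv


def merge_vcenv(argv: List[str], env: Dict[str, str]) -> List[str]:
    """Prepend the whitespace-separated contents of VCENV to the command line.
    Quoting rules of the real CLI are not modelled here."""
    return env.get(MERGE_VAR, "").split() + list(argv)


def resolve_passenv(argv: List[str], env: Dict[str, str]) -> List[str]:
    """Replace '/passenv NAME' with '/password <value of NAME>'.
    The secret is read inside the process, so it never appears in the
    command line that process listings or audit logs can capture."""
    out: List[str] = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok.lower() == PASSENV_SWITCH:
            if i + 1 >= len(argv):
                raise ValueError(f"{PASSENV_SWITCH} requires a variable name")
            name = argv[i + 1]
            if name not in env:
                # Fail closed rather than silently trying an empty password.
                raise ValueError(f"environment variable {name!r} is not set")
            out += [PASSWORD_SWITCH, env[name]]
            i += 2
        else:
            out.append(tok)
            i += 1
    return out


def redact(argv: List[str]) -> List[str]:
    """Mask the value after /password before echoing a command line to a log."""
    out = list(argv)
    for i, tok in enumerate(out[:-1]):
        if tok.lower() == PASSWORD_SWITCH:
            out[i + 1] = "***"
    return out

if __name__ == "__main__":
    # Constructed sample; the poster's 'set MYPASSWORD=...' would populate this.
    env = {"VCENV": "/passenv MYPASSWORD", "MYPASSWORD": "weoufaouf308dljdaghghakoeiruweq"}
    final = resolve_passenv(merge_vcenv(["/v", "vol.hc", "/q"], env), env)
    print(redact(final))  # ['/password', '***', '/v', 'vol.hc', '/q']
```

The resolved list would be handed to the mount routine in memory; only the redacted form should ever reach a log.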
Dec 17, 2015 at 6:46 AM
Edited Dec 17, 2015 at 6:46 AM
How do you use your CLI call?
A simple shell script can be read by other tools as well.
If you set the variable only for the calling script, the value will be inserted during the call, as the VC CLI cannot use the variable, since it is another process?!