This project has moved. For the latest updates, please go here.

Headerless volumes

Topics: Feature Requests
Jul 12, 2016 at 3:02 PM
Hi,

I'm a long time user of TryeCrypt (still using it) and am not current with new VeraCrypt developments, but I could not find the the feature I'm suggesting, so here it is:

I'm nurturing this idea for some time now. How about allowing the creation of headerless volumes, with the header located elsewhere?

It would be specially useful for notebooks with the entire HD encrypted. The user would boot always from a thumb-drive which contains the bootloader and the volume's header.
There would be no executable code in the HD, thus it would provide even stronger Plausible Deniability. Just destroy your boot thumb-drive and nobody can prove you have an encrypted disk. You just claim that your HD is damaged. Later you just make a new copy of your boot thumb-drive from your back-up.

Isaac
Jul 13, 2016 at 11:56 AM
I'd settle with having the bootloader elsewhere, because the header is encrypted, so there's no point in having it elsewhere. But you have my vote for this. If you want collect votes, there's https://veracrypt.codeplex.com/workitem/list/basic
Jul 13, 2016 at 4:03 PM
Although the header is encrypted, there are advantages in it being kept away from the volume, the first one is protection against weak passwords and poor key derivation algorithms.

Even if in the future somebody find how to break the header encryption, it isn't there to be cracked.

Cheers,

Isaac
Jul 13, 2016 at 9:32 PM
It would add some protection, unless that somebody finds a way how to break it without a header :-) Today it seems quite unlikely. But would you beleive, if someone told you 30 years ago, that for a few dollars, you will have in your pocket machine more powerfull than the whole building of computers and it will run from a battery? ;-)
Jul 13, 2016 at 9:42 PM
testoslav wrote:
unless that somebody finds a way how to break it without a header :-)
But then we could simply give up on-line commerce, home banking, etc.
Indeed, the world would be a warzone.
Jul 14, 2016 at 10:02 PM
Sorry for of topic, but in case you have not noticed, the world is at war already ;-)
Jul 21, 2016 at 1:51 PM
Edited Jul 21, 2016 at 1:54 PM
This feature is too rational, logic and too secure too be implemented apparently.
I've been saying that for years now...

put the "header" somewhere else, and type the number to the location of the header
when you're entering the password. easy.

it's the most interesting feature to add for security and mainly for deniability.
but no, let's add another key derivation...
Developer
Jul 24, 2016 at 3:59 PM
Hello,

Separate encrypted data and key is good idea.

We are testing this possibility for EFI Windows system volumes. (keys on a separate USB volume)

Note: for normal two factors authorization("what I have". "what I know") we need support of TPM and Smart card with non-recallable keys.
Aug 16, 2016 at 6:52 PM
If memory serves me, Scramdicer used to accomplish a similar feat for Scramdisk... Pls correct me if I'm wrong... Can't find any still working links now to detail this however sorry...
Aug 20, 2016 at 11:28 AM
kavsrf wrote:
Hello,

Separate encrypted data and key is good idea.

We are testing this possibility for EFI Windows system volumes. (keys on a separate USB volume)

Note: for normal two factors authorization("what I have". "what I know") we need support of TPM and Smart card with non-recallable keys.
This for me would be a killer feature - the ability to log into a system with a usb and/or a password. Meaning if you so desired, you wouldn't require the password, just a usb.
Aug 20, 2016 at 3:56 PM
I think it is important to have both the header and the bootloader in the thumb-drive, because it would prevent 99.9% of the cases of rootkits. As the first boot code, other than the BIOS, to be executed would be from the thumb-drive, then any possible attack would require tampering with the BIOS.
Developer
Aug 20, 2016 at 7:34 PM
I published the demo video with separate drive for keys. Also Platform ID and USB ID are used to lock password and as extra factors of authorization.
http://sendvid.com/px9jirm6

The video demonstrates following scenario:
  1. Picture password. (If touch screen is available)
  2. OS key on a separate disk. (vbox_hiddenos_key.vhd)
  3. OS key connected -> ask password -> password from encrypted OS (veraen) -> boot OS from disk 1
  4. OS key connected -> ask password -> password from hidden OS (verahid) -> boot OS from disk 2
  5. OS key disconnected -> boot Linux
Notes:
  1. Button “Plt lck”: Means platform lock. To lock password need to change password and choose “Plt lck”. It adds platform key file to password (BIOS id and USB id if available)
  2. Disk partitions: GPT on disk 2 contains the only MS reserved partition with hidden OS. It is possible to mount it from VeraCrypt but the MSR partition is not visible from Windows Disk Manager.
Oct 22, 2016 at 2:51 PM
Any rough timeline on when we may see this in a beta/or a release? Eager to test this feature - Being able to unlock the system drive from a usb rather than the password (like bitlocker can) Is the feature I've been looking for.
Oct 22, 2016 at 5:43 PM
Edited Oct 22, 2016 at 5:46 PM
I would like to see this feature too!

Having a USB thumb drive/ memory card and be able to login with just that would be wonderful, specially if it would be able to prompt for a password to unlock the password file at the external device. Making it something you have with something you know.

Maybe use something to protect the passwords like ARGON2.

Please have in mind that most people I know (like: all) don't have smart cards that they can use to securely store the private key, and is not easy to find anywhere! And if they exist are pricey! But USB drives and memory cards everyone have! Most times several of them.
And I already read about this smartcard standards being flawed on purpose to allow intelligence agency's to bypass them.

If the computer can be boot from them (USB thumb drive, Memory Card, cd/ DVD/ blue-ray) even better! Because it wouldn't expose the Veracrypt loader making it even more difficult to proof the drive is encrypted (and the person can always argue it was some ransomware that took its computer device).

Also good for traveling, even if someone takes the computer at the border people can be safe because they can travel without anything else and download after from somewhere in the Internet like in a 7-zip encrypted file and put the files in a locally purchase USB thumb drive... while who ever duplicates the disk image will be trying to figure it out what they even have! How can they achieve this? Third party computer or travel with some third party live OS DVD to be able to download, open and copy the files to the thumb drive.
Dec 14, 2016 at 1:17 PM
Kavsrf do you have an update on how this is going? I liked where it was heading and interested in seeing it make it's way into Veracrypt. Cheers
Developer
Dec 14, 2016 at 3:26 PM
Hello!

The main problem is configuration. It is rather complex.

Probably functions will be available in 1.20 but configuration will work via EFI shell and DcsCfg tool. I'll try to write brief intro and how to. Might be the wizard will be added later.

About USB instead of smart card - it is possible partially. Password will have possibility to use platform data to lock. (USB serial number and SMBIOS structures as key files) The result - authorization will be possible if computer has the same SMBIOS structures and the same USB serial number. ("what I have")

Main advantage of smart card is non recallable key.(difficult to copy). Ordinary USB has serial number only but it is possible to read.
Dec 23, 2016 at 10:13 AM
Kavsrf - thank you for the reply!

For me the benefit would be being able to turn on the laptop/desktop without entering the password/pressing anything additional. A more secure version of Bitlocker I guess is what I envisage. Whereby I know that if I shut down, and remove the USB no-one will be able to decrpyt any of the HDD's inside my laptop. Essentially, I wouldn't be using if for true 2FA, I would solely be using it as the "what I have" part of it. That being said though, I can see how people would want the true 2FA side of it, the ability to come up with your own combination I think would be the most appreciated. i.e. USB only, password only or both.

Like I mentioned earlier I will happily test. And I appreciate I'm asking without offering much assistance, but this is way beyond my capabilities.