Security and the Future of VC

Topics: Users Discussion
Aug 15, 2016 at 3:17 PM
Edited Aug 15, 2016 at 3:17 PM
@idrassi

Forgive me if this has already been addressed previously.
I work in an industry where security is key. I currently use TrueCrypt for certain security needs and now want to change to CipherShed / VeraCrypt, and I have some questions regarding VeraCrypt and its future development.

While I am asking these questions, I have already considered the following:
  1. The open source nature of the software
  2. The fact that France has already recently rejected a proposal regarding backdoors back in January 2016 (http://for.tn/2bblDHZ).
  3. If I remember correctly, I also understand that according to your Twit.tv FLOSS interview (http://bit.ly/2bbk4d2), that “The French government does not have any desire to create backdoor and actually is interested in the use of strong crypto for government operations.” (Paraphrasing your response to their question regarding backdoors.)
  4. French Minister of the Interior (Bernard Cazeneuve) is attempting to rally countries against crypto for messaging apps (which if it ever did happen could easily attempt to be applied to other software as well).
  5. You (Idrassi) are the primary developer of VeraCrypt, since TC is no longer developed and your commits on GitHub are by far the majority.
  6. Certain aspects of the software, such as UEFI support, use or borrow code from CipherShed, or at least it appears that way.
So taking all of that into consideration:
  1. Are there any plans to prevent backdoors or anything of that nature (for example the French government tries to force you to implement one)?
  2. Are there any contingency plans to continue the development of VeraCrypt if you have to discontinue your development because of political reasons or other life events (i.e. get hit by a bus)? (In the case of CipherShed they have a relatively diverse team – if I remember correctly that team is geographically dispersed into different countries.)
  3. What are the plans to ensure the UEFI encrypted partitions are just as secure as the MBR encrypted partitions? (It seems like a great deal of work still needs to be done to get it to the same level as the MBR partition encryption.)
  4. Do you have any plans to attempt to get the new code audited? (Especially the code for the UEFI support.)
  5. Is the development of this software primarily done for / or through your company Idrix? Or if your company ceases operation next month / year, is it still something you will be actively developing?
  6. Is there any release date or attempted release date for full UEFI support or at least adding a rescue disk to the current Beta UEFI support? (I say attempted release date as I know you don’t want to rush security.)
Sorry for the long post, but I just wanted to attempt to get some questions answered.

Regards,
sburns90
Aug 15, 2016 at 4:13 PM
Hello sburns90,

Mounir is very busy working on getting 1.18 released and I will post links to prior discussions related to some of your questions to take some of the workload off Mounir.

Answers to some of your questions are referenced by the question numbers in your post above.

1) Mounir has publicly stated that he will simply shut down the VeraCrypt project. On the home page of CodePlex VeraCrypt is a Canary Warrant.
https://veracrypt.codeplex.com/discussions/577281

3) Please clarify your question since the encryption of the C drive remains the same. In both cases (MBR or EFI), the System Reserved partition cannot be encrypted.

4) See Mounir's post at link below regarding an audit.
https://sourceforge.net/p/veracrypt/discussion/technical/thread/c5574f63/#70de/c863/d97e

6) Starting with Beta 11 1.18 version:
Implemented Rescue Disk for EFI system encryption (a zip file that has to be extracted into a FAT USB key).

When Mounir has time available, he will need to address your other questions.

Kind Regards.
Aug 16, 2016 at 2:28 PM
Enigma2Illusion,

Thanks for such a quick reply and answers to my questions. Reading those links you provided cleared a lot up. It is also good to see OSTIF working with VeraCrypt. You guys will have my support for years to come. I hope to make a donation to VC or OSTIF on behalf of VC in the next few days / week.
  1. Good to know he would just drop the project. I never imagined he would do anything else but it is good to see it in writing. I just realized this question relates to my 2nd question regarding a contingency plan.
  2. Sorry, I didn't mean to post that question. It was a partial question / thought and I can't even remember what it was SPECIFICALLY that I was trying to ask.
  3. Great to hear.
  4. That is great. So pretty much shortly before or after I posted this question the binaries got published.
Downloading those new binaries now for testing! :)