This project has moved and is read-only. For the latest updates, please go here.

Upgrade an existing version: Is it possible?

Topics: Users Discussion
Dec 8, 2016 at 3:46 PM
Suppose I use Veracrypt to encrypt an external empty HDD (I think it is called "encrypting a system partition"?). The encryption is successful.

Next I transfer my data from my laptop's HDD to the encrypted HDD.

The version of Veracrypt that I use is 1.19.

Assume there is a newer version 1.21

Do I need to delete or wipe my encrypted HDD first and then re-do the process of encrypting the said HDD using the newer version 1.21 followed by transferring my data to it?

Some clarifications would be most helpful.
Dec 9, 2016 at 1:19 AM
First dismount all encrypted volumes. Do not worry about dismounting the system encryption of the OS.

Upgrade is simple as download the new software and run the installer.

When prompted, reboot PC. Do not defer the reboot.

Create new rescue disk for system encryption.

https://veracrypt.codeplex.com/workitem/267

https://veracrypt.codeplex.com/workitem/215
Dec 9, 2016 at 3:18 AM
So what you are basically telling me is upgrading to a newer version is done on the installed software itself, NOT on the encrypted partition or HDD.

Assume the software developer decides to increase the cryptographic strength of the software, say, PBKDF2-RIPEMD160 from the current 327661 to 1 million iterations and incorporates the increased strength in a newer version. My HDD was encrypted using the weaker cryptographic strength.

What shall I do?
Dec 9, 2016 at 4:01 AM
vmQdAk6N wrote:
So what you are basically telling me is upgrading to a newer version is done on the installed software itself, NOT on the encrypted partition or HDD.
The software will perform the upgrade.

vmQdAk6N wrote:
Assume the software developer decides to increase the cryptographic strength of the software, say, PBKDF2-RIPEMD160 from the current 327661 to 1 million iterations and incorporates the increased strength in a newer version. My HDD was encrypted using the weaker cryptographic strength.

What shall I do?
For the hash (SHA-512, Whirlpool, SHA-256, Streebog), you can use the change password function to get the new default iterations.

Changing the encryption algorithm (AES, Serpent, Twofish, etc) would require decrypting and re-encrypting.
Dec 9, 2016 at 6:07 AM
Edited Dec 9, 2016 at 6:07 AM
Enigma2Illusion wrote:
The software will perform the upgrade.
My encrypted HDD is not attached to my laptop.

As you said, the newer version will perform the upgrade on the installed Veracrypt 1.19 on Microsoft Windows OS. Is that correct?

Enigma2Illusion wrote:
For the hash (SHA-512, Whirlpool, SHA-256, Streebog), you can use the change password function to get the new default iterations.
  1. What you wrote above, is it documented in the user's guide or ......?
  2. If I wish to increase the number of iterations of hashes other than SHA-512, Whirlpool, SHA-256, Streebog, can I just use the change password function to get the new default iterations? If not, what is the solution?
Enigma2Illusion wrote:
Changing the encryption algorithm (AES, Serpent, Twofish, etc) would require decrypting and re-encrypting.
What you are saying is that if I wish to change the encryption algorithm, I will need to do the following:

A. decrypt the contents of my encrypted HDD
B. transfer them to other location
C. change the encryption algorithm in Veracrypt
D. transfer the decrypted contents from that other location back to my HDD

Is my understanding of the above correct?

Thanks for your help.
Dec 9, 2016 at 3:17 PM
vmQdAk6N wrote:
My encrypted HDD is not attached to my laptop.
Then just upgrade, you can mount containers or partitions created with previous versions of VC.

vmQdAk6N wrote:
  1. What you wrote above, is it documented in the user's guide or ......?
I'm quite sure this is documented. Somewhere ;-)

vmQdAk6N wrote:
  1. If I wish to increase the number of iterations of hashes other than SHA-512, Whirlpool, SHA-256, Streebog, can I just use the change password function to get the new default iterations? If not, what is the solution?
Yes, you can change number of iterations (PIM) along with password.

vmQdAk6N wrote:
What you are saying is that if I wish to change the encryption algorithm, I will need to do the following:

A. decrypt the contents of my encrypted HDD
B. transfer them to other location
C. change the encryption algorithm in Veracrypt
D. transfer the decrypted contents from that other location back to my HDD

Is my understanding of the above correct?
Not necessarily, just decrypt volume and encrypt in place again with desired encryption algorithm. In case you are using file containers, you just create new file container with desired encryption algorithm, mount both, transfer files between them and trash the old file container.
Dec 9, 2016 at 4:36 PM
vmQdAk6N wrote:
What you wrote above, is it documented in the user's guide or ......?
When you change your password, a new header key is created using the hash. In the future, if the developer changes the default iterations of one or more hashes, changing the password would use the new default. Of course, this would break backward comparability for existing volumes using the old default iterations.

https://veracrypt.codeplex.com/wikipage?title=Header%20Key%20Derivation
Dec 10, 2016 at 4:08 AM
testoslav wrote:
Not necessarily, just decrypt volume and encrypt in place again with desired encryption algorithm. In case you are using file containers, you just create new file container with desired encryption algorithm, mount both, transfer files between them and trash the old file container.
Thanks for your tips but my question is more on external HDD.

Assume I encrypt my entire external HDD and wish to change the encryption algorithm to another. Can I just decrypt my external HDD and then encrypt in place again with the desired encryption algorithm. If it cannot be done, what are the correct steps?
Dec 10, 2016 at 4:11 AM
Enigma2Illusion wrote:
Of course, this would break backward comparability for existing volumes using the old default iterations.
Err....Do you mean that I cannot open, read or transfer data in existing volumes? Please explain and thanks for your tips.
Dec 10, 2016 at 5:38 AM
Edited Dec 10, 2016 at 5:47 AM
vmQdAk6N wrote:
Enigma2Illusion wrote:
Of course, this would break backward comparability for existing volumes using the old default iterations.
Err....Do you mean that I cannot open, read or transfer data in existing volumes? Please explain and thanks for your tips.
It means the developer will have to provide transition procedures in the GUI should he decide in the future to change the default hash iterations.
Dec 10, 2016 at 5:48 AM
vmQdAk6N wrote:
testoslav wrote:
Not necessarily, just decrypt volume and encrypt in place again with desired encryption algorithm. In case you are using file containers, you just create new file container with desired encryption algorithm, mount both, transfer files between them and trash the old file container.
Thanks for your tips but my question is more on external HDD.

Assume I encrypt my entire external HDD and wish to change the encryption algorithm to another. Can I just decrypt my external HDD and then encrypt in place again with the desired encryption algorithm. If it cannot be done, what are the correct steps?
Correct.