This project has moved. For the latest updates, please go here.

Switch or add algorithms after containter creation

Topics: Users Discussion
Mar 29 at 12:57 PM
Is it possible to take an existing file-hosted container and add additional security to it? For sake of example I create a file-hosted container, its 500MB and its only AES at the time of creation. Now I'd like to take that container with me, say on a thumb drive but chances of loss are greater than when the file existed on my desktop PC locked in my home. Should someone find the drive and attempt to decrypt the file... well that's just unacceptable (should have stayed at home LOL).

Could I add additional encryption after the fact? Granted the size is small, sure I could just create a new container with AES-Twofish-Serpent in a matter of moments, but if that same 500MB container was 500GB different kettle of fish.

BUT perhaps I'm missing the point? AES is proven and trusted as are cascades of combined ciphers, but is it really the password that matters most? Is that file-hosted container only as good as the password, and the encryption algorithm a secondary consideration?
Mar 29 at 2:37 PM
Edited Mar 29 at 2:40 PM
You cannot change the encryption algorithm of an existing VeraCrypt volume without first decrypting and re-encrypting due to the encryption keys are independent from each other.

The topic regarding non-cascade encryption verses cascade being stronger encryption can be researched by Google searching the merits of cascade encryption to which the conclusion I found from cryptography resources is cascade is no better than single encryption algorithms and cascades may have unintended mathematical cancelling properties to the other encryption algorithms making the final encryption weaker.

Regarding which encryption cipher is the strongest algorithm can be researched via Google and Wikipedia showing the number of rounds for each cipher and the theoretical broken rounds. During the selection process of NIST for AES (Rijndael), Twofish and Serpent, Serpent was considered the strongest but was not selected due to the processing power needed was too high at the time for limited devices like bank cards. See the link below for Serpent.

Indeed the password needs to be strong which can be augmented with keyfiles which have pros/cons. Example, you lose, modify or delete the keyfile(s) and you will no longer be able to mount the volume.


Here is a thread discussing cascade encryption and adding cascade hashing.