Compatibility question and trust question

Topics: Users Discussion
Jan 9, 2015 at 1:03 PM
Hi, I have a few questions.
  1. The latest version would allow me to 'mount' a TC volume but would the volume be writeable or would I have to convert it in order to use it fully?
  2. I understand the French Government have legislation requiring that import/export of cryptographic tools to countries outside the EU has to be explicitly authorized by them
    http://en.wikipedia.org/wiki/Cryptography_law
    Has VeraCrypt been authorised in this way and have any conditions been placed upon you by the government prior to them authorizing its distribution?
  3. If the French Government approached you with a court order stating that a backdoor had to be implemented and a gagging order preventing you from notifying users, how would you deal with this?
Coordinator
Jan 9, 2015 at 6:52 PM
Hi,
  1. VeraCrypt enables loading TrueCrypt volumes in Read/Write mode.
  2. This law doesn't apply to open source projects. French authorities didn't place any requirement on me for this project. In the past, ANSSI (French regulatory body) certified TrueCrypt 7.1a (http://www.ssi.gouv.fr/IMG/cspn/anssi-cspn_2013-09fr.pdf) for use by French companies and hopefully once VeraCrypt has a stable set of features, it could also be certified. I believe the French government has a friendly policy towards open source projects as it benefits a lot from them and it enables securing French infrastructures and businesses with lower costs.
  3. As you know, I don't have any income from VeraCrypt or any market share. I have nothing to gain from inserting a backdoor; on the contrary, since I made myself public, I have everything to lose. I will not risk losing my reputation and customers for inserting a backdoor in an open source project (what a stupid idea!). This would be a simple professional suicide. I doubt such legislation exists in France and in my 15-year career in the security business I have never encountered or heard of a case where the French government forced a company to introduce weaknesses or backdoors in encryption products. But even if it exists, if anyone wants to force me to degrade the security of VeraCrypt or introduce any backdoor, I would simply walk out, stop working on this and continue my life as before, contributing to OpenSSL, WINE and other projects. For the already released sources and binaries, I publish a bundle with its checksum and PGP signature available on Pastebin (http://pastebin.com/u/veracrypt) and Reddit (https://www.reddit.com/user/veracrypt) so that everybody in the future can check that they didn't change, provided that the dates of the Pastebin and Reddit posts don't change. I also encourage users to create copies of these checksum values and files for every release so that we can have multiple copies that can't be tampered with by an attacker.
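An added example (not part of the original post and not VeraCrypt project code) of the check the reply above describes: comparing a downloaded release bundle against checksum copies saved from several independent places, and flagging the case where the saved copies themselves disagree. SHA-256, the source names, and the function names are assumptions; PGP signature verification is a separate step not shown here.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash the file in chunks so large release bundles need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def normalize(value):
    """Accept 'HASH', ' hash\\n' or 'hash  filename' as copied from a web page."""
    parts = value.split()
    return parts[0].lower() if parts else ""

def check_release(path, recorded, min_sources=2):
    """recorded maps a source name (hypothetical, e.g. 'pastebin') to the
    checksum string saved from that source at release time."""
    actual = file_digest(path)
    copies = {src: normalize(v) for src, v in recorded.items()}
    matching = sorted(s for s, v in copies.items() if v == actual)
    differing = sorted(s for s in copies if s not in matching)
    if len(set(copies.values())) > 1:
        verdict = "RECORDS_DISAGREE"   # one saved copy was altered or mis-copied
    elif not matching:
        verdict = "FILE_MISMATCH"      # all copies agree, the file does not
    elif len(matching) < min_sources:
        verdict = "TOO_FEW_SOURCES"    # a single copy proves little on its own
    else:
        verdict = "OK"
    return verdict, {"actual": actual, "matching": matching, "differing": differing}

if __name__ == "__main__":
    # Constructed sample: a stand-in file and checksum copies, not real release data.
    fd, path = tempfile.mkstemp()
    os.write(fd, b"constructed release bytes")
    os.close(fd)
    good = file_digest(path)
    saved = {"pastebin": good, "reddit": good.upper(), "own-notes": "0" * 64}
    print(check_release(path, saved))
    os.remove(path)
```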
Jan 9, 2015 at 8:19 PM
Ok thanks for the detailed responses. The response to question 3 is pretty much what I hoped you would say and based on that I'll probably give it a test run for a while.
Keep up the good work!