General question about encryption - why only the header?

Topics: Technical Issues
May 15, 2015 at 11:39 PM
From what I've read, both with TrueCrypt and VeraCrypt, when you change the password, it only affects the volume header.

Of course that's great if your volume is several terabytes; you don't want to have to re-write all the data just to change a password.

But it also means that if you originally wrote your data using a weak password, and then found out that somebody was trying to access it, so you change your password to a strong one, the data (other than the header) is unchanged. Correct so far?

So, if you already have a full disk, does changing the password do any good, or will it only make data written after the change harder to decrypt?

Thank you.
May 16, 2015 at 3:50 AM
Hello Brocks,

This section in the documentation should answer your questions.

https://veracrypt.codeplex.com/wikipage?title=Changing%20Passwords%20and%20Keyfiles
May 20, 2015 at 2:54 AM
Thank you for the link, but I'm afraid it's still not clear in my mind. Does it mean if you create a volume with a weak password, that any data added to that volume, even after you change the password to a strong one, is only weakly encrypted? And that the only way to have strongly encrypted data is to copy it to a new volume that was created with a strong password?
Coordinator
May 20, 2015 at 11:28 AM
Your understanding is not correct. I think you are missing a key point of how VeraCrypt encryption works. You can find more information in the documentation about it (like here: https://veracrypt.codeplex.com/wikipage?title=Header%20Key%20Derivation).

Basically, the password is not used to derive the encryption master key of the volume. The encryption master key is always randomly generated through an internal strong random generator. The password is used to create the key that will encrypt the encryption master key. This is done this way in order to make the master key independent from the password quality and also to make it possible to change the password without decrypting/encrypting everything.

So, if the password is weak, the encryption master key protection will be weak. But if you change the password to a stronger value, the encryption master key protection will be stronger.
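
The key-wrapping scheme described in the reply above, as an added example that is not part of the original thread and is not VeraCrypt's code. The HMAC-based toy cipher and tag stand in for the real cipher and header check, and all function names and the iteration count are assumptions chosen for the demo.

```python
import hashlib, hmac, os

ITERATIONS = 1000  # constructed, kept low so the demo runs fast; real volumes use far more

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode); stand-in for the real cipher."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def wrap_header(password: str, master_key: bytes) -> dict:
    """Derive a header key from the password and use it to encrypt the master key."""
    salt = os.urandom(64)
    hk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS, dklen=64)
    enc_key, mac_key = hk[:32], hk[32:]
    wrapped = keystream_xor(enc_key, salt[:16], master_key)
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_header(password: str, header: dict):
    """Return the master key, or None if the password does not match the header."""
    hk = hashlib.pbkdf2_hmac("sha512", password.encode(), header["salt"], ITERATIONS, dklen=64)
    enc_key, mac_key = hk[:32], hk[32:]
    expected = hmac.new(mac_key, header["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    return keystream_xor(enc_key, header["salt"][:16], header["wrapped"])

def change_password(old: str, new: str, header: dict) -> dict:
    """Re-wrap the same master key under a new password; the data area is not touched."""
    master_key = unwrap_header(old, header)
    if master_key is None:
        raise ValueError("wrong password")
    return wrap_header(new, master_key)

def demo() -> dict:
    master_key = os.urandom(32)  # random, independent of any password
    data_area = keystream_xor(master_key, b"sector-0", b"constructed sample data")
    old_header = wrap_header("weak", master_key)
    new_header = change_password("weak", "a much longer passphrase", old_header)
    return {
        "same_master_key": unwrap_header("a much longer passphrase", new_header) == master_key,
        "old_password_rejected": unwrap_header("weak", new_header) is None,
        "old_header_copy_still_opens": unwrap_header("weak", old_header) == master_key,
        "plaintext": keystream_xor(master_key, b"sector-0", data_area),
    }
```

The data area is encrypted once under the random master key and never rewritten; only the header changes. The `old_header_copy_still_opens` result shows the consequence for the original question: a header copy made before the change still unwraps with the old password.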
May 22, 2015 at 8:14 PM
Thank you very much; I think I understand it now.