Not able to remove keyfiles

Topics: Technical Issues
Aug 3, 2015 at 3:18 PM
Hello,

I have been using TC for a long time and now I'm moving to VeraCrypt. I wanted to do a clean move, and as the first step I thought I could remove the keyfiles which I have been using.
I'm a noob so no point arguing :) but if I remember correctly, what I created using TC, which I thought was pretty good anyway, was a non-system partition (I think, it's been a few years). So when I connect my HD, Windows only sees an empty drive and wants to format it.
And for mounting it in TC I have used 2 files and no password (maybe stupid to skip the password, but it was simpler this way).
So now when I try either of the options
  • Add/Remove keyfiles to/from volume..
  • Remove all keyfiles from Volume...

I need to provide a password together with the keyfile, otherwise the OK button is greyed out. So what is up with that?
Any idea what I need to do?
I did also try the option "Permanently decrypt system partition..." without luck.
Any help is appreciated.

Also, for my new drive creation, what is the best option? I just use these external drives for storage, so I connect them for downloading and storing.
Is it safe enough to have just 2-3 keyfiles?

Thanks in advance!
Aug 3, 2015 at 7:34 PM
Can anyone help please?
Aug 4, 2015 at 4:52 PM
This is a bug in TrueCrypt that was inherited by VeraCrypt. Currently, both TrueCrypt and VeraCrypt allow you to create a volume using only keyfiles without a password. However, all the volume tools to change the password, add, remove or change keyfiles on the volume require a password, as you discovered.

I have created a ticket regarding this bug that impacts VeraCrypt. I do not know if Mounir will be able to modify the VeraCrypt code to change TrueCrypt volumes to avoid this bug.

https://veracrypt.codeplex.com/workitem/181

Kind Regards.
Aug 4, 2015 at 6:08 PM
Thank you for the confirmation.
I have now formatted the drive and let VeraCrypt create a new "Non System partition" for me.
Although I'm still not sure if I really do need to use a password or can just go with keyfiles alone. There is little information on this topic on the net. I would appreciate some guidance in this regard.
Aug 4, 2015 at 6:58 PM
Have you read the documentation on keyfiles? Good information and purpose of the keyfiles are explained including "Empty Password & Keyfile".

https://veracrypt.codeplex.com/wikipage?title=Keyfiles%20in%20VeraCrypt
Aug 11, 2015 at 10:33 AM
Thank you for the link, I had not read it (did not find it before) but now I have. Although I'm still not sure if the safety is enough with only keyfiles.
I'm sure it's good to have a strong password, but for breaking the code there is no mention of how safe it is to have only a strong password vs only keyfiles.
Or maybe I just did not understand it well enough.
On one hand the doc says "May improve protection against brute force attacks" and then a bit lower down it says:
"Empty Password & Keyfile
When a keyfile is used, the password may be empty, so the keyfile may become the only item necessary to mount the volume (which we do not recommend)".

It's a bit too vague. I mean, if I have 3 keyfiles, how is it less secure than 1 strong password? And why is it not recommended?
Surely VC can pick a pretty decent & complex password from 3 jpg/mp3/etc files compared to 1 complex password, or am I totally wrong in my reasoning?
Aug 11, 2015 at 3:01 PM
Edited Aug 11, 2015 at 3:01 PM
One of the reasons using only keyfiles is not recommended is that you can configure VeraCrypt to remember the keyfiles, which is stored in a plain text file called Default Keyfiles. This means someone can determine the keyfiles you are using and mount your volumes, since you are not using a password.

Another possible reason is if someone sees you selecting the keyfiles in the GUI when mounting a volume.

The statement about improving the protection from brute force attacks refers to the combination of the password and keyfiles that is used to decrypt the header key. Hence, to brute force the volume, the attacker will have to not only try hacking the password, but also the correct combination of keyfiles, which can be in any order. In other words, the attacker cannot just hack the password.

I hope this simplified explanation helps you.
Aug 11, 2015 at 6:58 PM
Edited Aug 11, 2015 at 7:02 PM
Let me give you an idea why it is such a bad idea to have keyfiles ONLY. Suppose you have 1 million files on your PC hard drive (unencrypted) and 3 of these files are the keyfiles to your encrypted volume/partition. Then if I get hold of your PC, even without the slightest idea which are your keyfiles, I will need to brute-force 1000000^3 combinations, which is almost 2^60, or what equals a 60-bit key. I will probably need 3 days using my own resources to brute-force your VC encryption. Someone more powerful will probably do it in 30 sec or less :)
Having only 2 keyfiles equals a key of ONLY 40 bits :)
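
The keyspace estimate in the post above, generalized as an added example (not part of the original thread and not VeraCrypt code): it computes the effective key strength when k keyfiles are hidden among n readable files, and the length of a random password with the same strength. The function names, the 95-symbol alphabet, and the ordered/unordered counting models are assumptions of this sketch; the thread does not settle which counting model applies.

```python
import math

def keyfile_search_bits(n_files: int, k: int, ordered: bool = True) -> float:
    """log2 of the number of keyfile selections to consider when the
    k keyfiles are known to be among n_files readable candidate files."""
    if not 0 < k <= n_files:
        raise ValueError("need 0 < k <= n_files")
    if ordered:
        # Model used in the post: n choices for each of k slots -> n**k
        return k * math.log2(n_files)
    # Alternative model: unordered subsets of size k -> C(n, k)
    return math.log2(math.comb(n_files, k))

def equivalent_password_length(bits: float, alphabet: int = 95) -> int:
    """Shortest uniformly random password over `alphabet` symbols
    (95 = printable ASCII, an assumption) carrying at least `bits`."""
    return math.ceil(bits / math.log2(alphabet))

def report(n_files: int, max_k: int = 4):
    """Rows of (k, ordered bits, unordered bits, equivalent password length)."""
    rows = []
    for k in range(1, max_k + 1):
        ordered = keyfile_search_bits(n_files, k, ordered=True)
        unordered = keyfile_search_bits(n_files, k, ordered=False)
        rows.append((k, round(ordered, 1), round(unordered, 1),
                     equivalent_password_length(ordered)))
    return rows

if __name__ == "__main__":
    # Constructed scenario from the post: 1 million unencrypted files on disk.
    print("k  ordered_bits  unordered_bits  equiv_random_pw_len")
    for k, o, u, pw in report(10**6):
        print(f"{k}  {o:>12}  {u:>14}  {pw:>19}")
```

Keeping the keyfiles off the machine that holds the volume changes n from "files on this disk" to something the attacker cannot enumerate, which is the part of the estimate a user actually controls.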
Aug 12, 2015 at 9:53 AM
Thank you Enigma and Alex for the explanation, I now have a better idea of the idea behind key vs file.
Aug 16, 2015 at 8:49 PM
Edited Aug 16, 2015 at 8:53 PM
Enigma2Illusion wrote:
This is a bug in TrueCrypt that was inherited by VeraCrypt. Currently, both TrueCrypt and VeraCrypt allow you to create a volume using only keyfiles without a password. However, all the volume tools to change the password, add, remove or change keyfiles on the volume require a password, as you discovered.

I have created a ticket regarding this bug that impacts VeraCrypt. I do not know if Mounir will be able to modify the VeraCrypt code to change TrueCrypt volumes to avoid this bug.

https://veracrypt.codeplex.com/workitem/181

Kind Regards.
To all,

There is no bug with changing a volume that was created only with keyfile(s).

Once you have properly selected the old/current keyfile(s), the OK button only becomes available once the user correctly enters the new password twice and/or keyfiles values in the New section.

Confirmed using TrueCrypt 7.1a and VeraCrypt.

Kind Regards.