
Are VeraCrypt containers "stronger" than TrueCrypt containers?

Topics: Technical Issues
May 24, 2016 at 11:23 PM
I see from the documentation that VeraCrypt will open legacy TrueCrypt containers. I have many years of backup data stored in TrueCrypt containers (files) burned onto CD and DVD media. Provided I have used a "good" passphrase in TrueCrypt 7.x when I created the containers would I gain any security by copying my data into VeraCrypt containers?


May 25, 2016 at 8:27 AM
VC is much stronger. But if you have used a good passphrase, like 20 or more random characters, you should be fine. Note that passphrases should be made from words which are not in the dictionary, so a pass like "The quick brown fox jumps over the lazy dog" is long but quite useless, because they can guess it using a dictionary-based attack.
May 25, 2016 at 11:11 AM
Edited May 25, 2016 at 11:23 AM
Hello Ken,

There are two vulnerabilities, CVE-2015-7358 and CVE-2015-7359, that affect the TrueCrypt software and make it possible for a hacker to attack Windows machines running TrueCrypt.

VeraCrypt resolved these security issues starting with 1.16 and higher versions of VeraCrypt software.

To avoid the security issues of TrueCrypt, you have to uninstall TrueCrypt and manually remove the TrueCrypt driver called truecrypt.sys from the C:\Windows\System32\drivers directory.

There are many improvements and new features added to VeraCrypt that you can peruse at the link below.
May 25, 2016 at 12:54 PM
Thanks testoslav,

I am not sure what you mean by "VC is much stronger." I am not so much concerned with the strength/security of the running program. Rather in the event a black helicopter breaks into my storage building and makes off with my "off site" data backup DVDs... Would the data be better protected if it were in VC created containers/files? Going forward I am storing my data archives in Linux containers/files created with LUKS and dm-crypt so the question pertains to old historical archives.



p.s. Now that you guessed and posted my pass phrase I guess I will have to make new containers in any event :-)
May 25, 2016 at 1:07 PM
Thanks Enigma2Illusion,

I have studied the references which you provided. It appears that these are Windows specific concerns. As I am running CentOS 6 and 7 on my machines I do not think they are of much concern to me. As I mentioned in my previous reply I am primarily concerned with my historical archived data. When the "Don't use TrueCrypt" conspiracy theory business hit I copied all of my critical TC backup containers/files onto a Linux encrypted partition on my server and onto a couple of Linux encrypted external hard drives and destroyed the CDs and DVDs which held the TC containers/files. I guess having three copies on magnetic media is about as good as having two copies on CD/DVD media. Having to enter a 64 character pass phrase on the Linux partition and then a 42 character pass phrase on the TC container is a bit tedious. Perhaps if I gain confidence in VC I will give it a try. A LOT more convenient.

Thanks again,

May 27, 2016 at 12:42 PM
Hehe. Also be sure to use a different color and speed of the fox for backups and a different one for the live system ;-) VC=VeraCrypt, TC=TrueCrypt, I hope that's more clear now. VeraCrypt is much stronger because of the higher number of iterations it uses. The flaws described by enigma apply to a system running TC, not the containers; they are still secure (as far as I know). They are bad flaws, but I don't take them as a big risk, because any system accessible by a third person might be easily compromised by other means (keylogger in the boot loader, hardware keylogger hidden in the keyboard, etc). The described flaws make the attack easier from remote, but they do not give them any advantage when they can't persuade the user to run their malicious code on the target system. If someone is stupid enough to run a screensaver.exe attachment which comes via email, I think he will also answer the UAC prompt :-) Attackers can still target TC or VC systems by injecting evil code into some setup.exe, where a UAC prompt is expected (which can be done via an infected router, police can do this on the ISP side, etc). And when they can run their code on the target system, every encryption is for nothing.
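The two points the replies make, that passphrase entropy sets the guess space and that the KDF iteration count sets the cost of each guess, can be put into numbers. The script below is an added example, not code from the thread or from the VeraCrypt project: it derives a header key with PBKDF2-HMAC-SHA-512 (the KDF family both TrueCrypt and VeraCrypt use), benchmarks one iteration on the local machine, and estimates how long an exhaustive search of a random 20-character passphrase would take at two iteration counts. The salt, the sample passphrase, the single-core attacker model and the iteration counts used in the demo are constructed assumptions, not values quoted from the thread.

```python
import hashlib
import math
import os
import time

# Constructed values for this example: a random salt and a made-up 20-character passphrase.
SALT = os.urandom(64)                 # TrueCrypt/VeraCrypt volume headers carry a 64-byte salt
RANDOM_PASS = "v7#Qx2!mLp9@Wz4$Kd8^"  # 20 printable ASCII characters, as the reply suggests
PRINTABLE_ASCII = 95                  # alphabet size for a random printable passphrase

def derive_header_key(passphrase, salt, iterations, dklen=64):
    """PBKDF2-HMAC-SHA-512 header-key derivation (the KDF family both TC and VC use).
    The iteration count is the knob VeraCrypt turned up; cost grows linearly with it."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt, iterations, dklen)

def random_passphrase_bits(length, alphabet=PRINTABLE_ASCII):
    """Entropy of `length` characters chosen uniformly from an alphabet of `alphabet` symbols."""
    return length * math.log2(alphabet)

def seconds_per_iteration(sample_iterations=1000):
    """Time one derivation on this machine and normalise to a single PBKDF2 iteration."""
    t0 = time.perf_counter()
    derive_header_key("benchmark", SALT, sample_iterations)
    return (time.perf_counter() - t0) / sample_iterations

def expected_attack_years(entropy_bits, iterations, sec_per_iteration, cores=1):
    """Expected time for an attacker to hit a passphrase of the given entropy:
    half the guess space, each guess costing `iterations` PBKDF2 iterations (assumed model)."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * iterations * sec_per_iteration / cores / (3600 * 24 * 365)

def kdf_slowdown(new_iterations, old_iterations):
    """Factor by which every guess gets more expensive when the iteration count rises."""
    return new_iterations / old_iterations

if __name__ == "__main__":
    spi = seconds_per_iteration()
    bits = random_passphrase_bits(len(RANDOM_PASS))
    # Iteration counts below are illustrative (assumption), not quoted from the thread.
    for iters in (1000, 500_000):
        print(f"{iters:>7} iterations: {expected_attack_years(bits, iters, spi):.3e} years")
    print("slowdown factor per guess:", kdf_slowdown(500_000, 1000))
```

Raising the iteration count multiplies the attacker's cost per guess by the same factor it multiplies your mount time, which is why it only buys a few bits of effective strength; a weak, guessable phrase stays weak regardless of the count.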