
Prevent tampering by users

Topics: Feature Requests
Jul 10, 2016 at 8:26 AM

I would suggest adding the use of the TPM to verify the boot process and to prevent all users (not admins) from offline decryption and tampering with the disk contents. For example, one user gave himself admin rights by swapping out utilman.exe with a command line (even though the drive was encrypted). This gave him SYSTEM rights from the Windows login screen, where he was able to join himself to the local admins group...

Also the TPM could be used as a 2nd factor, for a combined key. The TPM could be protected by using a BIOS/UEFI Password and not assigning admin rights to the users.

Furthermore, this would effectively prevent all offline attacks, as the password the user has is not enough for offline decryption in another PC.
Jul 10, 2016 at 3:30 PM

The FAQ has an explanation of why VeraCrypt does not implement TPM.

Search for TPM in your browser.
Jul 10, 2016 at 5:22 PM
I already read that. But I would need such a function anyway...

So how would you solve this problem then?
Jul 10, 2016 at 5:30 PM
I would go to the Microsoft site and post the issue of the user being able to grant himself Admin privileges since this is a Windows security setup issue.
Jul 11, 2016 at 2:38 AM
This bug has been known for years. But Microsoft says they won't fix it, because they cannot prevent unauthorized offline access to the drive, so encryption would be the only way...
Jul 24, 2016 at 4:23 PM
TPM is complex to configure (set of correct PCRs) because many vendors do not support the normal TCG boot chain.

But as an extra factor of authorization the TPM is useful because it can contain non-recallable keys. We discussed support of TPM with Mounir.
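To make the "set of correct PCRs" point above concrete, here is an added software simulation of measured boot and PCR sealing. It is not VeraCrypt code and not a TPM API: the storage root key, the boot-stage images, the volume key and the PCR index are all constructed stand-ins, and the wrapping done here in HMAC is what a real TPM performs inside the chip. It shows why a sealed key is released only when the measured boot chain and the machine match the state at seal time, and refused after a boot-stage change or on another PC.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || H(measurement)).
    A PCR can only be extended, never written, so any changed stage
    changes every later value of the register."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(stages) -> bytes:
    """Measure each boot stage, in order, into one PCR that is zero at reset
    (the TCG boot-chain behaviour firmware is expected to implement)."""
    pcr = bytes(PCR_SIZE)
    for image in stages:
        pcr = pcr_extend(pcr, image)
    return pcr


def pcr_composite(pcrs: dict) -> bytes:
    """Digest over the selected PCR indices and their values."""
    h = hashlib.sha256()
    for idx in sorted(pcrs):
        h.update(bytes([idx]) + pcrs[idx])
    return h.digest()


def seal(secret: bytes, pcrs: dict, srk: bytes) -> dict:
    """Seal 'secret' to a PCR state under storage root key 'srk'.
    Simulation only: the wrapping key is HMAC(srk, composite); a real TPM
    never exposes srk and does the PCR comparison internally."""
    wrap_key = hmac.new(srk, pcr_composite(pcrs), hashlib.sha256).digest()
    keystream = hmac.new(wrap_key, b"keystream", hashlib.sha256).digest()
    assert len(secret) <= len(keystream), "simulation handles up to 32-byte secrets"
    ciphertext = bytes(a ^ b for a, b in zip(secret, keystream))
    tag = hmac.new(wrap_key, ciphertext, hashlib.sha256).digest()
    return {"pcr_indices": sorted(pcrs), "ciphertext": ciphertext, "tag": tag}


def unseal(blob: dict, current_pcrs: dict, srk: bytes):
    """Return the secret if the current PCRs and srk match seal time, else None.
    A refusal means the boot chain or the machine differs from the trusted one."""
    selected = {i: current_pcrs[i] for i in blob["pcr_indices"]}
    wrap_key = hmac.new(srk, pcr_composite(selected), hashlib.sha256).digest()
    expected = hmac.new(wrap_key, blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    keystream = hmac.new(wrap_key, b"keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], keystream))


# Constructed sample data: stand-ins for firmware, boot loader and OS loader images.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"osloader-v1"]
TAMPERED_CHAIN = [b"firmware-v1", b"bootloader-modified", b"osloader-v1"]
SRK_THIS_PC = hashlib.sha256(b"srk-this-pc").digest()    # constructed
SRK_OTHER_PC = hashlib.sha256(b"srk-other-pc").digest()  # constructed
VOLUME_KEY = bytes(range(32))                            # constructed
PCR_INDEX = 4                                            # illustrative index


def demo() -> dict:
    """Seal on a trusted boot, then attempt to unseal in three situations."""
    good = {PCR_INDEX: measure_boot_chain(GOOD_CHAIN)}
    blob = seal(VOLUME_KEY, good, SRK_THIS_PC)
    return {
        "same_boot": unseal(blob, good, SRK_THIS_PC),
        "tampered_boot": unseal(blob, {PCR_INDEX: measure_boot_chain(TAMPERED_CHAIN)}, SRK_THIS_PC),
        "other_pc": unseal(blob, good, SRK_OTHER_PC),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", "unsealed" if result == VOLUME_KEY else "refused")
```

The configuration difficulty the post mentions follows from this model: whichever PCRs the key is sealed to must be extended the same way on every legitimate boot, so firmware that measures inconsistently, or a routine update to a measured stage, makes the unseal fail exactly as a tampered boot loader does.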
Aug 19, 2016 at 11:28 AM
I would like to re-emphasize the desire to have TPM integration. Competing software such as BitLocker provides it!

VeraCrypt FDE + TPM integrity protection would be valuable in various scenarios. I can imagine even paying for such a feature, especially if it extended cross-platform, to also function on Linux (unlike BitLocker).
Aug 19, 2016 at 2:24 PM
I plan to support TPM in the boot loader. Some stub code is added already.
What version of TPM do you need? 1.2? 2.0?
Aug 19, 2016 at 2:33 PM
Edited Aug 19, 2016 at 2:33 PM
Well, I believe that latest Windows 10 hardware certification requirements require TPM 2.0, so I suppose it would be most forward-thinking to focus on that version, as 1.2 will probably stop being relevant in the future, except for legacy systems.
Aug 19, 2016 at 2:45 PM
There is a serious difference:
TPM 1.2 is a separate chip.
TPM 2.0 is a firmware implementation in Intel. Probably it is inside Intel ME.

Both are supported. It depends on the platform.