Desupport OSes No Longer Receiving OS Security Patches
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
@idrassi
For the greater good of the VeraCrypt project by reducing your work effort to develop, maintain, test and code VeraCrypt to continue working on desupported OSes, I propose as a go forward solution to only support OSes that have active OS support by the vendor.
In addition to reducing your work effort, a false sense of security is given to the VeraCrypt users of OSes that are no longer receiving vendor security patches that can result in data being compromised by the missing OS security patches.
I do not understand how people think it is a good security practice to use encryption on OSes that are no longer supported and think the missing OS patches will not expose their encrypted volumes from getting compromised.
As always, I thank you for continuing to develop VeraCrypt during your very limited free time while maintaining a fulltime job and your family obligations.
Wishing you and your family the best.
Thank you @enigma2illusion, for your understanding and your kind words. I truly appreciate it.
This proposal indeed makes sense, especially given the difficulties I've encountered in allocating enough resources to the project. Over the years, I've always tried to do as much as possible to satisfy all users. However, this had the unintended consequence of stretching myself thin and eventually it ends up affecting the quality of my work and the time I can devote to enhancing VeraCrypt. I also agree that we should not give a false sense of security to users of outdated OSes.
Certainly, there are some use cases where running outdated OSes still makes sense, like in air-gapped environments, but with the limited resources available, it is not feasible to address them all.
This means that for Windows, the focus will be Windows 10 and Windows 11. This will simplify the testing and also management of Windows driver. For macOS, macOS 11 (Big Sur) will be the minimum supported version. For Linux, Ubuntu 20.04/Debian 10/CentOS7/OpenSUSE15.4 will be the minimum.
I agree, it would be less work for you to focus only on supported operating systems (which receive updates).
Older OSes could be supported using older versions of VeraCrypt, please ensure to keep those older versions on the website.
All of my primary systems are Windows 11 22H2 and with my older systems using Windows 10 22H2. While these OSes have telemetry, it can be turned off or minimized so I don’t believe it’s an issue (a conversation on this is for another thread).
Its fantastic to see you back Mounir, welcome back! Best of luck for the future.
Just my humble opinion...
I doubt anyone interested in security would be using windows 10 or 11 especially for any online use.
The people I correspond with have held firm with Win7 especially for online systems.
As a consequence of the telemetry issues with Win 10 and 11 the day will come when we will all have to move to Linux for any hope of even the most basic privacy. VeraCrypt's lack of whole boot drive encryption for Linux is the single reason I have not yet ditched Windows completely.
I have always hoped that one day VeraCrypt would be a like a YUMI / ventoy type of launcher allowing the user to install any OS on a hard drive and have this VeraCrypt launcher encrypt the entire drive regardless of the OS.
When the user wants to boot they insert the bootable VeraCrypt launcher, probably a USB flash drive, select the hard drive to boot from and boot up.
I hoped this type of launcher might require less maintenance and would incorporate all operating systems, past, present and future as it would appear transparent to the system.
Anyway just my thoughts.
Nice to see you back again Mounir, your break from VeraCrypt has made people realise that you are the only person protecting our data.
Thank you for all your work.
I think for Linux you have LUKS. I used it in the past and it was pretty decent.
Hello @idrassi
If you are planning on making 1.26.x the last VeraCrypt version that supports older OSs, I would like to suggest a notice at the top of the 1.26.x release notes informing VeraCrypt users that future VeraCrypt versions will only be available for the vendor actively supported OS versions.
Currently as of this date, the minimum OS versions are shown below:
.
NOTE: Regarding OSs vs OSes spelling. Google search shows the correct plural for OS is OSs. Sorry for my misspelling in my earlier posts using "es".
Last edit: Enigma2Illusion 2023-07-18
VeraCrypt provides zero protection from the vast majority of malware, so why would it create a false sense of security to allow installation on out-of-service platforms? What attack vector is the concern here? Would the boot loader/module somehow be susceptible to attacks on a Win7 machine that it was not vulnerable to on a Win11 machine? How?
If a Win11 machine is infected, it's no longer your computer and VeraCrypt can do nothing to protect you.
VeraCrypt doesn't provide any security in regards to a running system; it's entire function is data-at-rest and malware is unaffected by volume or system encryption, whether provided by VeraCrypt or any other tool; if a file system is mounted, it's accessible to either malware or physical adversaries.
Blocking upgrades to unsupported OSes simply means that users will continue to use outdated versions of VeraCrypt. They'll use 1.25.9 indefinitely, which doesn't seem desirable. I absolutely want to reduce Mounir's development effort on supporting older operating systems, but legacy support is a matter of compatibility, not security.
VeraCrypt is welcome to warn users about their outdated software and I support that idea, but it shouldn't refuse to install just because someone is using Windows 10 21H2. Users are still the biggest vulnerability on any computer and blocking installation on unsupported platforms will do nothing to protect them, as it will force them to continue using outdated versions of VeraCrypt or nothing at all.
If you don't have the time to support Windows 7/8, that's perfectly okay, but place limits based on compatibility, not vendor support. It's okay if you can't test the release on unsupported platforms and it's okay to deny support to users if their reported issue is not relevant to supported operating systems.
Some of the bug fixes for 1.25.9 are valid for older operating systems and blocking installation of newer versions will prevent those bugs from ever being fixed for many users. There should be some distinction between fixing bugs and adding new features. Known bugs in older versions should be fixed before a project moves on to a new feature release, but that's almost never happening these days.
THANK YOU, Idrassi and Enigma for your work and years of commitment to VeraCrypt, whose first release was a full decade ago! I do not intend this message to be impolite or ungrateful as I truly appreciate all of the work that has gone into keeping the TrueCrypt legacy alive and evolving. I've used TrueCrypt since 2008 and donate to the project each year, but it worries me that you're considering blocking the use of your software on operating systems no longer receiving updates from Microsoft, who's not even doing a competent job of fixing bugs in recent years.
If you need to drop legacy support, then do so, but don't pretend that it's because of some "false sense of security". VeraCrypt is not an anti-virus program; it protects data stored on unmounted file systems. If Win11 users are imagining that this provides some sense of security while their machine is running, it is they who are perceiving the false sense of security.
There will always be user opposition to a software vendor removing support from various OSes and discontinuing bug fixes for the unsupported OSes. This is a standard software practice.
Regarding your points about “false sense of security” not being a valid reason for excluding the installation of newer VeraCrypt software due to the lack of security patching on the unsupported OSes.
One reason for excluding the installation on unsupported OSes is to make VeraCrypt more secure by preventing threat actors from using these known vulnerabilities in the OS vendor’s unsupported OSes that are no longer receiving security patches from targeting the computers that are still running those operating systems.
I agree that VeraCrypt is not an anti-virus/malware product. However, it is not uncommon for software vendors to stop supporting their software on OS vendor’s unsupported OSes regardless of their software compatibility.
As an example, Windows 11 upgrade restricted various software versions and hardware components to eliminate known security weaknesses and security holes in order to make Windows 11 OS more secure.
The Windows 11 upgrade requirements prevented me from being able to upgrade to Windows 11 on what I consider a fully capable PC hardware. This will require me to buy a new PC when Windows 10 ends patching support on October 14, 2025.
Windows 10 21H2 is already no longer receiving security updates after June 13, 2023 and Windows 11 21H2 will no longer receive security updates after October 10, 2023.
Hence, the reason for making for both Windows 10 & 11 version 22H2 the minimum version for the Windows platform.
Another reason for blocking the installation of newer VeraCrypt versions on the unsupported OSes is to reduce Mounir’s work effort which will require code removal for the unsupported OSes from the VeraCrypt driver and other parts of the VeraCrypt code.
Hence, the newer VeraCrypt driver will not be able to run on the unsupported OSes and VeraCrypt should prevent users from installing the newer software on their unsupported OSes.
Without the code removal, we defeat the purpose of reducing Mounir’s work effort by having unwanted code from the older OSes and users will encounter problems with the newer software not working properly on the unsupported OSes. This issue is already being reported on the Windows XP cannot use version 1.26.x.
https://sourceforge.net/p/veracrypt/discussion/general/thread/263a8d11aa/?page=1&limit=25#5927
Thank you for your continued financial donations to help support Mounir’s work efforts.
Note: This post focuses on Windows as that's the primary target platform of VeraCrypt and the only one where system encryption is possible. The author recognizes that many issues also apply to MacOS and Linux.
We disagree on this. Is it better that users of unsupported OSes have unencrypted file systems or use obsolete versions of VeraCrypt? How is it VeraCrypt's responsibility to protect users from operating system vulnerabilities when other software is not expected to do so? It is not VeraCrypt's responsibility nor scope to refuse to work on systems which remain compatible, but are no longer vendor-supported.
Imagine if a fire exstinguisher refused to operate because it was below it's nominal pressure. It might still put out a fire, but the company didn't want to give any "false sense of security" and therefore installed a mechanism to disable the unit when under-pressured. Would that make any sense at all? No. When there's a fire, the exstinguisher should provide whatever capability that it has remaining; that's its job. However, it would be perfectly reasonable to repeatedly warn users that it needs recharged.
It was almost exactly this argument that was used to deprecate and disable the original TrueCrypt a decade ago. The website claimed that TrueCrypt was "no longer safe to use" and disabled all volume creation in the final version, but as far as we know the level of security had not changed at all. VeraCrypt CANNOT protect users from OS vulnerabilities or vulnerabilities in other software and it's simply bad philosophy to pretend otherwise. That is the false sense of security being created here; that running VeraCrypt only on vendor-supported platforms makes VeraCrypt users secure.
However, it is VeraCrypt's responsibility to focus its developmental efforts towards targeted platforms and that cannot include all operating systems throughout history.
True, but those vendors are often wrong to do so. At some point, it makes sense, however. Firefox has recently dropped support for Win7/8/8.1 and I suspect that it's a combination of factors, including some that apply to VeraCrypt as well. It eventually becomes unreasonable to even configure compiler options for very old platforms if doing so incurs a performance or security cost on newer platforms.
I'm not claiming that VeraCrypt should not drop support for older operating systems. I just contend that this has little to nothing to do with protecting legacy users from any "false sense of security." Refusing to support older operating systems harms those users, even if it's necessary.
Users must eventually be abandoned when legacy support becomes infeasible, but we should not pretend that this is done for those users' sake. It might be done for the sake of "modern" users, however, if dropping legacy support allows better performance, security, and/or features for the majority of the user base.
From my perspective, Win11 is a great example of how arbitrary requirements can be pointless and even harmful. The minimum requirements for Win11 did/do little to nothing to improve user security and Microsoft even relaxed some of those requirements over time with the claim that they were "expanding compatibility". Mostly, they just relaxed the requirements because of the negative industry and public response.
However, it is true that Win11 uses some performance features that are not available on the old hardware that I can afford to use (typing this on a 2012 laptop). Windows-hosted software, such as VeraCrypt, may also want or need to use features that are unavailable on older hardware and I consider that a valid compatibility issue.
I accept compatibility as a valid reason for dropping legacy support.
Yes. I just recently upgraded to Win10 22H2 as 21H2 went out of support in June. I never use the latest feature release as it almost always rolls out under-tested and causes major problems, but typical users will accept Microsoft's automated upgrade path and I understand that. I will almost certainly be using Win10 well past 2025, though, which means that I'll no longer be able to install newer versions of VeraCrypt after that date. Will that make me more secure? No. Would being able to run the latest version of VeraCrypt give me a false sense of security? No. Will it be my own fault when my system is infected by malware? Yes.
I agree with you here. VeraCrypt has maintained support for Win7/8 longer than most software, whether commercial or open source. I don't like losing support for Win7, which remains a more productive and stable OS than Win10/11, in my opinion, but I acknowledge that Mounir has done a good job of supporting older operating systems.
However, I think that this support was appropriate given that many of VeraCrypt's users are likely to be using older operating systems. The kind of user that chooses Veracrypt over BitLocker is the kind of user that prefers proven, independent software. Someone who stays on the cutting edge of OS evolution is much more likely to use OS-native encryption services. People with legacy platforms are likely to be using legacy software such as VeraCrypt.
I'm okay with dropping Win7/8, but I don't think it good for users to drop support for Win10 21H2 and earlier. 21H2 is not quite 2 years old, yet VeraCrypt might refuse to install on it? That seems extreme and even abnormal. There are very few open source programs that refuse to install just because users are on the "wrong" version of Windows 10. Traditionally, software has dropped legacy support according to major OS versions, not annual feature upgrades. This is partly Microsoft's fault for creating so many versions of Windows 10, however.
Microsoft has had some horrible vulnerability responses in recent years and they've been caught multiple times just breaking proof-of-concepts without fixing the underlying bugs; such behavior has become so commonplace from Microsoft that it cannot be a mistake and there is a growing backlash from the security industry over this that may ultimately result in government investigations or lawsuits. Microsoft was once a leader in vulnerability response out of necessity, but now they are an embarrassment.
Vendor support is critical in today's malware-dominated world, but neither users nor VeraCrypt is safe just because they are receiving support from Microsoft. It's the best we can do to constantly patch our systems, however.
A similar argument applies to dropping TrueCrypt support. It's perfectly fine to refuse to create TrueCrypt/RIPEMD volumes and I believe that VeraCrypt has not allowed the creation of TrueCrypt-compatible volumes since it first adopted it's own format. It's also the case that very few, if any, users still have TrueCrypt volumes in 2023; I certainly don't.
However, LUKS/tcplay will continue to decrypt TrueCrypt volumes in Linux, probably forever, and there usually no reason to drop decryption support unless the programs needs to be smaller or because vulnerabilities are found in a necessary library and patched versions will never become available. Dropping decryption support for older formats and algorithms is unlikely to improve user security; it just drops features that perhaps no one is using or should be using.
Users can theoretically go back and use an older version of VeraCrypt, but they can't if their Windows system is encrypted under a newer release. VeraCrypt cannot execute, even in portable mode, if a newer version is in use. If I had a TrueCrypt volume that I wanted to convert and my system was encrypted with VeraCrypt 1.35, how then would I convert that volume? I'd probably need to create a virtual machine for this purpose, but many users may not know how.
Thus, most users cannot use older versions of VeraCrypt to make use of features that are no longer available. Telling them to use 1.25.9 to convert a RIPEMD-160 volume does them no good after they've upgraded an encrypted system to 1.26.x or later! They must convert such volumes before upgrading.
With that said, I do understand that BLAKE2 effectively replaces RIPEMD-160, especially in regards to system encryption. Perhaps it was necessary to remove RIPEMD in order for the bootloader/module to work properly.
I also think that it's worthwhile to remove the "TrueCrypt mode" checkbox and text area from the mount window; VeraCrypt should be simplified as the TrueCrypt mount interface was marvelously simple. In my opinion, VeraCrypt has too many options and many of them do nothing to improve user security. Keep It Simple Stupid should always be the mantra of cryptographic tools.
Next to go should be the PIM feature ;).
I appreciate your detailed response and will not continue to belabor this matter. I will never agree that refusing to install on out-of-service operating systems is a "benefit" to those users, however. Dropping legacy support must sometimes be done, but refusing to provide bug fixes to legacy users does not benefit them. It is sometimes necessary to abandon legacy users, however.
Thank you and I hope the rest of your day goes great.
Last edit: RobAllenB 2023-09-02
Hi Rob,
I disagree and therefore we will agree to disagree.
By the way, you can use an older version of VeraCrypt in Portable Mode with a newer version of VeraCrypt installed.
https://www.veracrypt.fr/en/Portable%20Mode.html
You can still mount the TrueCrypt volumes using an older VeraCrypt version in Portable Mode. Or you can convert or create new volumes using the older version.
https://sourceforge.net/p/veracrypt/discussion/general/thread/263a8d11aa/?limit=25#4f0a/d5b9/2fb1/2a1b
The RIPEMD-160 needed to be deprecated.
https://sourceforge.net/p/veracrypt/discussion/general/thread/8bf650d8ce/?limit=25#2277/df44/97e1
Hi @roballenb,
Thank you for your thoughtful and comprehensive response. Your points highlight a range of perspectives and concerns that are commonly found in our user base, and I appreciate the time and effort you put into articulating them.
Before addressing the points raised, it's important to clarify some specifics regarding VeraCrypt's build environment, as this has direct implications on which platforms can be supported.
As of version 1.26, VeraCrypt is built using Visual Studio 2010 and the Windows 7 DDK for x86/x64 architectures (for ARM64 Visual Studio 2019 is used). Due to this build environment, version 1.26 is still compatible with Windows 7. Although our focus has shifted to newer operating systems, we will not actively prevent VeraCrypt 1.26 from running on Windows 7. However, starting from this version, Windows 7 will not be part of the regular testing cycle, and users should proceed with caution if they continue to use VeraCrypt on this outdated operating system.
After the release of VeraCrypt 1.26, the build environment will undergo a significant update to either Visual Studio 2019 or 2022 and will incorporate the Windows 10 WDK 22H2. This change is important for several reasons:
The move to the new toolset will render VeraCrypt incompatible with anything below Windows 10. It's not just a decision based on developer convenience; it's also a matter of security, maintainability, and forward-compatibility.
Now, let's delve into the issues raised in your detailed response:
I understand that my decision to drop support for older versions will not please everyone. However, it's a decision aimed at ensuring the long-term viability and security of VeraCrypt. Once again, thank you for your feedback. It helps inform and improve the project's direction.
thank you for everything.
Do you have any update on us regarding any progress fixing nvme ssd write/read speed problems? It's been several years since this problem is well known and seems that a fix will never come.
Mounir addressed this question in the post below 6 days ago.
https://sourceforge.net/p/veracrypt/discussion/general/thread/263a8d11aa/?page=1#9779
I am pretty sure that most serious users of VeraCrypt don't use Windows 10+, because of its blatant spyware called telemetry. I suppose that even more serious VeraCrypt users do not care about Windows updates because they use it on offline/airgapped machines. The only entities benefiting from "let's drop support for older OSes and embrace the brave new world of newest Windows" will be the various institutions behind mass surveillance. What is the benefit of disk encryption if the OS itself works against user?
Google search shows that Windows telemetry exists in Windows 7, 8 and 8.1 and is harder to remove or disable than Windows 10 & 11.
Experiments show that Windows telemetry in Windows 10/11 is much wider and harder to disable than in WIndows 7. Simply compare some privacy tools for Windows 7 and Windows 10/11, see how many more "implants" one has to remove in Windows 10/11.
Another experiment: on clean Windows 10/11 disable all telemetry and other spying using options nice and easy options available in system configuration applet. Then run some independent privacy tool (e.g. Priv10) and verify how much spying was really disabled and how much was still lurking in background, regardless of fake "disabled" status displayed by Windows.
Example comparison of "privacy" of Windows 11 compared with Windows XP:
https://www.youtube.com/watch?v=IT4vDfA_4NI