Release Candidate 1.26.6 on 21/09/2023

2023-07-25
2023-10-24
<< < 1 2 3 4 > >> (Page 3 of 4)
  • Mounir IDRASSI

    Mounir IDRASSI - 2023-09-21

    I have finalized what I consider to be a Release Candidate for the upcoming official 1.26 release. Compared to the 1.26.5 version, I worked on enhancing the security of VeraCrypt on Windows by enabling memory protection by default and adding a process mitigation policy to block code injection attacks. I also replaced legacy file/dir selection APIs with the modern IFileDialog interface in order to help solve compatibility issues on Windows 11 Insider builds.

    The changes compared to 1.26.5 are:

    • Enable memory protection by default. Add option under Performance/Driver Configuration to disable it if needed.
    • Add process mitigation policy to prevent VeraCrypt from being injected by other processes
    • Replace legacy file/dir selection APIs with modern IFileDialog interface for better Windows 11 compatibility
    • Enhancements to safe loading of dependency DLLs, including delay loading.
    • Remove recommendation of keyfile file extensions and update documentation to mention risks of third-party file extensions.

    I have uploaded Windows installers for 1.26.6 to Nightly Builds folder.

    I plan to officially release version 1.26 on October 1st. Your feedback is invaluable, so please feel free to test this Release Candidate and share your thoughts, bug reports, or suggestions.

    MOD EDIT: Added missing bullet to the list of bullet items.


    Last edit: Enigma2Illusion 2023-09-21
    • 风之暇想

      风之暇想 - 2023-09-22

      RAM encryption and disabling memory protection all require an installed version;
      it is recommended that they also work in portable mode. @idrassi

  • Enigma2Illusion

    Enigma2Illusion - 2023-09-21

    Hi @idrassi

    When installing or upgrading, a new setup option "Disable memory protection in VeraCrypt" is listed, however when I click on the Help button to determine what is this option's purpose, I am taken to the main documentation page.

    In the case of upgrading, the documentation is the current "old" version. Hence, even if the option is documented in the 1.26.6 version, I will not see it.

    Can you provide a terse purpose of the new option next to the option?

  • Enigma2Illusion

    Enigma2Illusion - 2023-09-21

    @idrassi

    Another idea is to remove the "Disable memory protection in VeraCrypt" option from the install/upgrade screen if a clear terse statement cannot be provided on the installer screen.

    Also, there is no documentation on the new "Disable memory protection in VeraCrypt" option that I can find in the documentation nor the CHM help files.

    • Mikael

      Mikael - 2023-09-21

      @enigma2illusion Memory protection blocks non-admin processes from reading VeraCrypt memory.


      Last edit: Mikael 2023-09-21
      • Enigma2Illusion

        Enigma2Illusion - 2023-09-21

        @sorrow1

        That does not explain why someone wants or should disable memory protection in VeraCrypt.

        Even the source code comment shown below is not clear to me. What is considered Accessibility software?

        The source code change has:

        Windows: Add setting in main UI and setup wizard to disable memory protection

        This can be useful for users who need Accessibility software that may not work when memory protection is active in VeraCrypt

  • Mikael

    Mikael - 2023-09-21

    @enigma2illusion

    according to the changelog "It may block Screen Readers (Accessibility support) from reading VeraCrypt UI, in which case it can be disabled"

    • Enigma2Illusion

      Enigma2Illusion - 2023-09-22

      @sorrow1 @idrassi

      Thank you for that clarification.

      Was the reason for this new option that the VeraCrypt GUI is now using protected memory, and this option was added to revert to the previous behavior?

      The new option needs to be documented, along with the specific use cases that would cause a user to disable the protected memory for VeraCrypt and the security impact of enabling this new option.

      In my opinion, including the new option on the install/upgrade screen without the ability to read the specific documentation regarding the option is going to confuse users. :-)

  • Enigma2Illusion

    Enigma2Illusion - 2023-09-22

    Was the reason for this new option that the VeraCrypt GUI is now using protected memory, and this option was added to revert to the previous behavior?

    Searching the source code, I discovered that versions 1.24 through 1.24 Update 3 had memory protection for the VeraCrypt program.

    https://github.com/veracrypt/VeraCrypt/issues/536#issuecomment-548873739

    There is a change in version 1.24 where we added a security mechanism that prohibits non-admin processes from accessing VeraCrypt application memory. This was done to protect against attacks by malicious software that tries to read sensitive data from VeraCrypt memory.

    This was disabled in 1.24 Update 4 due to the Windows Screen Reader being unable to read all of the VeraCrypt GUI.

    https://github.com/veracrypt/VeraCrypt/commit/b6c290e4fd77c5d4ae1f5fb68e69006d49e1ad52

    @idrassi

    The Command Line Interface still has the now unneeded /protectMemory switch. Does the /protectMemory switch need to be replaced by /noprotectMemory switch in the CLI?

    Idea number 3 regarding the new "Disable memory protection in VeraCrypt" option, to allow visually impaired users to enable this option from the install/upgrade screen, is to change the description to:

    Disable memory protection in VeraCrypt for using Windows Screen Reader (See documentation)
    

    It would be more helpful if the "See documentation" directly linked to the topic in the documentation to provide more details about the option and the security risks like what sensitive data from VeraCrypt memory can be read.

    However, during the install/upgrade, it needs to link to the new documentation topic.

    In the case of upgrading, the documentation is the current "old" version. Hence, even if the option is documented in the 1.26.6 version, I will not see it.


    Last edit: Enigma2Illusion 2023-09-22
  • Mounir IDRASSI

    Mounir IDRASSI - 2023-09-22

    @enigma2illusion: Thank you for pointing out this issue. Your observation is accurate and I appreciate the feedback. Let me clarify:

    The "Disable memory protection in VeraCrypt" option was introduced for users who rely on Accessibility software. With the memory protection mechanism enabled by default, certain Accessibility tools (like Screen Readers) will be unable to read VeraCrypt's UI, thus possibly leaving these users unable to interact with it. This option was included in the installer to ensure that such users have the ability to revert VeraCrypt to its previous behavior immediately, without further complications.

    However, I completely understand your concern regarding the lack of immediate documentation for this new feature. It's essential for users to grasp the implications of enabling or disabling a security-related option, especially during installation or upgrade.

    I acknowledge that introducing a significant feature without accompanying documentation within easy reach can be confusing. To address this, I plan to enhance the documentation with a dedicated section elaborating on the security mechanisms I have implemented in VeraCrypt. This will encompass details on the memory protection, the purpose behind its introduction, and the circumstances under which one might consider disabling it.

    Furthermore, I'm thinking about integrating a tooltip or pop-up help that appears when users hover over this particular option, offering a succinct explanation. I will check how complicated it will be to implement this approach.

    Finally, regarding the "Help" button in the setup installer, you've made an important observation. Currently, the button opens the "old" help file stored on the disk, which may not reflect the latest changes and features of the version being installed. To ensure that users always access the most up-to-date documentation, I'll implement a change in the code to open the online help whenever the "Help" button is clicked. This mirrors the behavior that users experience if VeraCrypt is not yet installed on their system. It's a step towards ensuring consistency and clarity throughout the installation process.

  • Enigma2Illusion

    Enigma2Illusion - 2023-09-22

    Thank you @idrassi for your explanations.

    What are your thoughts regarding the Command Line Interface switches I mentioned in my post?

    The Command Line Interface still has the now unneeded /protectMemory switch. Does the /protectMemory switch need to be replaced by /noprotectMemory switch in the CLI?

  • Mounir IDRASSI

    Mounir IDRASSI - 2023-09-22

    @enigma2illusion: I missed your post since you posted it while I was writing mine!

    Regarding the Command Line Interface (CLI), you raise a valid point. The way the memory protection mechanism is implemented ensures that it's activated very early when the process starts, even before parsing command line arguments. Therefore, unfortunately, it won't be feasible to control it directly through the command line as you've suggested with a potential /noprotectMemory switch. However, the /protectMemory switch can still be utilized in scenarios where memory protection has been disabled through settings, allowing users to activate it on-demand for that specific instance.

    Your suggestion for the description of the "Disable memory protection in VeraCrypt" option is insightful. Reframing it in the context of Windows Screen Reader does make it clearer. I will adapt the string based on your recommendation. As for the "See documentation" part, I absolutely agree that a direct link to the relevant topic in the documentation would be invaluable. I'll be exploring how I can integrate this direct link.

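    As an added example (not VeraCrypt's own code, and not part of the thread), here is a PowerShell check a practitioner can run to confirm whether the memory protection discussed above is actually in effect on a running VeraCrypt process. It assumes the VeraCrypt GUI runs under the image name `VeraCrypt` (an assumption; adjust if yours differs) and that it is run from a non-elevated shell, because the protection is described as targeting non-admin processes and an elevated shell would report "readable" regardless. It calls OpenProcess with PROCESS_VM_READ; an ERROR_ACCESS_DENIED (Win32 error 5) result means the protection is active. Running it once with the option disabled, and again after starting VeraCrypt with the /protectMemory switch Mounir mentions, shows the difference.

```powershell
# Added check, not VeraCrypt code. Run from a NON-elevated PowerShell: with memory
# protection active, OpenProcess(PROCESS_VM_READ) on VeraCrypt must fail with
# ERROR_ACCESS_DENIED (5); if a handle is granted, this process could read its memory.
if (-not ('Win32.Native' -as [type])) {
    Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
}

function Test-ProcessMemoryReadable {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_VM_READ = 0x0010
    $h   = [Win32.Native]::OpenProcess($PROCESS_VM_READ, $false, $ProcessId)
    # GetLastWin32Error must be read immediately after the P/Invoke call.
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -ne [IntPtr]::Zero) {
        [void][Win32.Native]::CloseHandle($h)
        return [pscustomobject]@{ ProcessId = $ProcessId; Readable = $true;  Win32Error = 0 }
    }
    return [pscustomobject]@{ ProcessId = $ProcessId; Readable = $false; Win32Error = $err }
}

# An elevated shell (or one holding debug privilege) is outside what this protection
# targets and would report "readable" regardless, so refuse to run elevated.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from a non-elevated PowerShell; elevation makes the result meaningless.'
}

# Image name is an assumption; change it if your VeraCrypt GUI runs under another name.
Get-Process -Name 'VeraCrypt' -ErrorAction Stop | ForEach-Object {
    $r = Test-ProcessMemoryReadable -ProcessId $_.Id
    if ($r.Readable) {
        "PID $($r.ProcessId): PROCESS_VM_READ granted -> memory protection NOT in effect"
    } elseif ($r.Win32Error -eq 5) {
        "PID $($r.ProcessId): access denied (5) -> memory protection in effect"
    } else {
        "PID $($r.ProcessId): OpenProcess failed with Win32 error $($r.Win32Error)"
    }
}
```

    Only PROCESS_VM_READ is requested, so the result reflects exactly the access a memory-scraping process would need; a denial of other rights (such as querying basic information) is not what is being tested here.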
  • Enigma2Illusion

    Enigma2Illusion - 2023-09-22

    Thank you @idrassi

    We both posted before seeing each other's ideas. :)

  • Mounir IDRASSI

    Mounir IDRASSI - 2023-09-24

    @enigma2illusion: I made the following improvements to VeraCrypt based on your suggestions:

    • Description Change: The checkbox option has been renamed to "Disable memory protection for Accessibility tools compatibility", making it more contextual for users relying on Accessibility tools.
    • Tooltip Warning: When users hover the mouse over this checkbox, a tooltip is now displayed with the message:

      "WARNING: Disabling memory protection significantly reduces security. Enable this option ONLY if you rely on Accessibility tools, like Screen Readers, to interact with VeraCrypt's UI."
    • Dedicated Documentation Page: A new page specifically addressing memory protection and this checkbox option has been added to the VeraCrypt documentation. You can access this page directly online at https://veracrypt.fr/en/VeraCrypt%20Memory%20Protection.html.

    • Direct Link to Documentation: Adjacent to the checkbox option, there's now a small "?" button. Upon clicking this, users will be directed to the aforementioned documentation page for a detailed understanding. For those undergoing the setup, it will always point to the online version of the documentation, ensuring you access the most recent information even if you're upgrading from an older version.

    I have attached screenshots showing the result.

    I hope these changes address your concerns and provide a more intuitive experience for all VeraCrypt users. Thank you again for your constructive feedback, and please let me know if you have further suggestions or concerns.

  • Enigma2Illusion

    Enigma2Illusion - 2023-09-24

    Thank you @idrassi for your outstanding implementation and documentation!

    Since you are wanting to release 1.26.x by October 1, I have some questions and feedback I would like to provide to make sure the new option is ready for the production 1.26.x release.


    Installation/Upgrade Questions

    During the VeraCrypt software installation, is a Windows OS reboot needed if the user disables Memory Protection like in post-installation?

    I assume during a VeraCrypt software upgrade that the new option will be enabled/disabled automatically based on current setting from the old version if it exists. Correct?

    Does changing the setting during the upgrade installation require an OS reboot?

    Depending on your answers may result in more documentation changes in the "How to Enable/Disable the Memory Protection Mechanism?" section.


    Post-Installation Documentation Improvement

    After installation, when the user enables/disables Memory Protection using Settings > Performance/Driver Configuration, a pop-up box appears informing them that an OS reboot is needed for the setting to take effect.

    However in the documentation in the section called "How to Enable/Disable the Memory Protection Mechanism?", there is no mention of the OS reboot being required for changing the setting.

    One possible idea is to include this information in the second bullet as shown below.

    Post-Installation:
    * Open VeraCrypt main UI and navigate to the menu Settings -> "Performance/Driver Configuration".
    * Locate and check/uncheck the "Disable memory protection for Accessibility tools compatibility" option as per your needs which will inform you that a reboot of the OS is needed for the new setting to take effect.
    * Click OK.

  • Mounir IDRASSI

    Mounir IDRASSI - 2023-09-24

    @enigma2illusion: Thank you for this feedback, it was helpful.

    To address your questions:

    Installation/Upgrade Questions:

    • During the VeraCrypt software installation: No, a reboot of the Windows OS is not needed if the user disables Memory Protection during installation. VeraCrypt will start with the correct setting for this option immediately after the installation.
    • During a VeraCrypt software upgrade: You brought up a crucial point. Originally, the setup was not correctly reflecting the current setting from the older version in the setup UI during an upgrade. However, thanks to your observation, I've made adjustments to correct this oversight: https://sourceforge.net/p/veracrypt/code/ci/a313347e8e8b931df811be9fef639bb733b7a02b/. Now, the upgrade process will properly reflect the existing setting from the previous version.
    • As for changing the setting during the upgrade installation: after your feedback and further consideration, a reboot will indeed be required if the user changes this setting during the upgrade process. This change is included in the commit mentioned above.

    Post-Installation Documentation Improvement:

    I completely agree with your suggestion regarding the documentation. I'll incorporate it.

  • DDD

    DDD - 2023-09-24

    @idrassi, I saw that you made a commit 937c5cd so that Veracrypt always opens the online help. I am not always on the web. I'm almost always in airplane mode or not connected to the web. I greatly appreciate(d) having the local help open up whenever I needed to access the documentation. I was thinking of making a comment on github on that commit.. but wasn't sure if you read those comments or if here was better. I see now that it's only during Veracrypt setup... but what if someone is not connected to the web? Will the local documentation refuse to open? Or maybe just put a warning in the local documentation that the local documentation may be outdated. It used to bug me a lot whenever Veracrypt would always try to go online for documentation, and in fact, when other software programs always try to go online to access the documentation instead of providing documentation with the program.

    @iminj If you encrypted your non-system volume with RIPEMD160 or GOST89, or encrypted it using TrueCrypt, then use your existing Veracrypt to decrypt the volume, and then encrypt again with a different algorithm than the ones just mentioned, not forgetting to also create a new emergency boot disk.

    @idrassi, since you're at it, will you be making encryption of keys in RAM standard? I think you ought to, since programs like ElcomSoft's can easily find those keys in RAM.


    Last edit: DDD 2023-09-24
  • Mounir IDRASSI

    Mounir IDRASSI - 2023-09-24

    @ehheh1000: Thank you for your feedback.

    Regarding the online documentation issue during VeraCrypt Setup:

    You're correct, the change was applied solely to the VeraCrypt Setup process. Your concerns about users who may be offline during setup are valid. To clarify:

    • If VeraCrypt is already installed and a user is offline, the local documentation is readily available to them through the installed VeraCrypt application. So, they can easily access it without needing to go online.
    • If VeraCrypt is not yet installed and a user tries to access the help during setup, there wouldn't be any local documentation available. In this case, attempting to access online documentation would indeed fail if they're offline.

    However, based on your feedback, I'll be working on adding a check during the Setup process to determine if the PC has network access (without making any actual internet queries). If it's determined that the PC is offline and VeraCrypt is already installed, we will then open the local help. Additionally, the idea of appending a note or warning to the local documentation stating that it may be outdated is a great suggestion. We'll look into integrating that as well.

    As for the encryption of keys in RAM:

    You've touched upon an essential topic. Indeed, software like ElcomSoft's highlights the need for this. While VeraCrypt does offer the option of encrypting keys in RAM, the only thing holding me back from making it the default setting is the performance overhead it can bring, especially on certain CPUs. For every access to the master key in RAM, VeraCrypt must perform a fast key derivation and a decryption operation. This is noticeably different from the memory protection feature, which incurs no computational cost.

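    The access pattern Mounir describes (a fast key derivation plus a decryption on every use of the master key) can be illustrated with the following added PowerShell example. It is not VeraCrypt's implementation and not part of this thread: VeraCrypt's own hash and stream cipher over its random pool are not reproduced, and SHA-256 over a 64 KB pool plus AES are used as stand-ins because they ship with .NET, so the per-access cost measured at the end is an upper bound rather than VeraCrypt's actual overhead. The class name, pool size and helper names are assumptions; the 32-byte master key is random data constructed for the demonstration.

```powershell
# Added illustration of the "encrypt keys in RAM" pattern; NOT VeraCrypt's implementation.
# VeraCrypt's real scheme (its own hash and stream cipher over a random pool) is not
# reproduced; SHA-256 and AES are stand-ins that ship with .NET. Runs on Windows
# PowerShell 5.1 or PowerShell 7.
using namespace System.Security.Cryptography

class EncryptedKeyStore {
    # Only the random pool, the IV and the wrapped (encrypted) master key live long-term
    # in process memory. The plaintext master key exists only inside WithKey().
    hidden [byte[]] $Pool
    hidden [byte[]] $Iv
    hidden [byte[]] $WrappedKey

    EncryptedKeyStore([byte[]] $masterKey) {
        $rng = [RandomNumberGenerator]::Create()
        $this.Pool = [byte[]]::new(65536)   # 64 KB pool (size is an assumption)
        $this.Iv   = [byte[]]::new(16)
        $rng.GetBytes($this.Pool)
        $rng.GetBytes($this.Iv)

        $aes = [Aes]::Create()
        $aes.Key = $this.DeriveKey()
        $aes.IV  = $this.Iv
        $this.WrappedKey = $aes.CreateEncryptor().TransformFinalBlock($masterKey, 0, $masterKey.Length)
        $aes.Dispose()

        # Wipe the caller's plaintext copy so no cleartext key remains after construction.
        [Array]::Clear($masterKey, 0, $masterKey.Length)
    }

    # "Fast key derivation": the wrapping key is recomputed from the whole pool on every
    # access, so a memory scraper has to capture and process the pool rather than
    # find a contiguous 32-byte key.
    hidden [byte[]] DeriveKey() {
        return [SHA256]::Create().ComputeHash($this.Pool)
    }

    # Borrow the master key for one operation (e.g. one sector encryption/decryption).
    # This derive-then-decrypt step is the per-access cost Mounir refers to.
    [object] WithKey([scriptblock] $action) {
        $aes = [Aes]::Create()
        $aes.Key = $this.DeriveKey()
        $aes.IV  = $this.Iv
        $plain = $aes.CreateDecryptor().TransformFinalBlock($this.WrappedKey, 0, $this.WrappedKey.Length)
        $aes.Dispose()
        try     { return (& $action $plain) }
        finally { [Array]::Clear($plain, 0, $plain.Length) }   # scrub the transient plaintext
    }
}

# --- Demonstration with a constructed (random) 32-byte master key ---
$rng      = [RandomNumberGenerator]::Create()
$master   = [byte[]]::new(32); $rng.GetBytes($master)
$expected = [BitConverter]::ToString($master)      # kept only to verify the round-trip
$store    = [EncryptedKeyStore]::new($master)

# The caller's buffer has been zeroed; the store still yields the correct key on demand.
$wiped     = -not ($master | Where-Object { $_ -ne 0 })
$roundTrip = $store.WithKey({ param($k) [BitConverter]::ToString($k) }) -eq $expected
"caller buffer wiped: $wiped; key recovered through store: $roundTrip"

# Per-access overhead on this CPU (hash of 64 KB + one AES block). VeraCrypt's own
# primitives are faster than these stand-ins, so treat this as an upper bound.
$n  = 2000
$sw = [System.Diagnostics.Stopwatch]::StartNew()
for ($i = 0; $i -lt $n; $i++) { [void]$store.WithKey({ param($k) $k[0] }) }
$sw.Stop()
"{0:N1} microseconds per master-key access" -f ($sw.Elapsed.TotalMilliseconds * 1000 / $n)
```

    The point of the pattern is that a memory dump taken at an arbitrary moment contains the pool and the wrapped key but no plaintext master key, at the price of the derive-and-decrypt step on every access; contrast this with the memory protection option, which only restricts who may open the process and adds no per-access work.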
  • Enigma2Illusion

    Enigma2Illusion - 2023-09-24

    Hi @idrassi

    I see you added the reboot information to the section "How to Enable/Disable the Memory Protection Mechanism" in the Memory Protection documentation for post-installation.

    Just a friendly reminder that number 3 for Repair/Reinstall/Upgrade steps should be created with the reboot information.

    I just noticed that when performing an upgrade of VeraCrypt, the screen does not mention Upgrade. Only Repair/Reinstall. Should Upgrade be added as follows? Repair/Reinstall/Upgrade

    See attached screenshot.


    Last edit: Enigma2Illusion 2023-09-24
  • Mounir IDRASSI

    Mounir IDRASSI - 2023-09-25

    @enigma2illusion: Thank you for these observations.

    Reboot Information: I'll add a third point about Repair/Reinstall/Upgrade steps.

    Upgrade Mention:
    Your observation is correct. The reason you don't see the "Upgrade" option when moving from version 1.26.5 to 1.26.6 is due to the way VeraCrypt internally checks and interprets versions. Specifically, VeraCrypt looks only at the major and minor fields of the version (in this case, 1 and 26), without considering the third field. Because of this, VeraCrypt Setup interprets your upgrade action as a reinstall of the same version.

    This behavior is linked to the way the VeraCrypt driver encodes the version number, using only two bytes (e.g., 0x0126 for version 1.26). Given this encoding scheme, it's currently not straightforward to enhance this part without making significant changes.
    I recognize the potential confusion this might cause. I'll be taking this into account for future versions and will evaluate ways to provide clearer user messaging during such upgrade scenarios.

  • DDD

    DDD - 2023-09-26

    @idrassi, With today's CPUs, is there that much computational overhead? I mean, there are people who just can not or have not done their due diligence in exploring the whole need for encryption, and so there's a level of trust that people give you to make the right decisions for them. If you make encrypting of keys in RAM on by default, which I think you should, a more knowledgeable user can always choose to turn it off, but I think that most people who are on the forums, when they hear of Elcomsoft's software being able to find the Veracrypt keys in RAM, would have it on. In fact, I bet a number of people would even find it suspicious that it is not on by default, wondering if you are in cahoots with these three-letter agencies. The whole point of encryption is to make your system somewhat safer, right? That CPU overhead is just part of the whole process. We pay overhead for our homes, vehicles, food, and so forth, but it's a necessary expense, or we'd all be living in cardboard boxes, and how good would that be? The encryption of the keys in RAM is not what's causing computers to freeze, so it just makes sense to have it on by default. We're not running on super old computers anymore.

  • Enigma2Illusion

    Enigma2Illusion - 2023-09-26

    @idrassi @ehheh1000

    Let me propose a compromise solution.

    Make RAM Encryption enabled by default starting with the 1.27 version, since Mounir plans to compile the VeraCrypt software with MS tools that only support Windows 10 & 11.

    Anyone running Windows 10 or 11 on their PC should have plenty of CPU power to handle the overhead. Certain requirements for enabling RAM Encryption are that the Windows OS must be running 64-bit and that Windows Hibernate and Fast Startup must be disabled.

    I have RAM Encryption enabled on my 11 year old PC running 64-bit Windows Pro 10 and the Windows Task Manager shows I am using ~3% CPU usage while the PC is idle with VeraCrypt volumes mounted.

    This is a 3rd generation Intel(R) Core(TM) i7-3720QM Processor @ 2.6 GHz, 6MB L3 Cache with 4 Cores, 8 Logical Processors.

  • isvik

    isvik - 2023-09-27

    @idrassi Thanks for your ongoing development of VeraCrypt. I have a program on my Windows 10 desktop called WindowBlinds (www.stardock.com/products/windowblinds) which "customizes the look and feel of your Windows 10 and Windows 11 start menu, taskbar, window frames, and more". I have been using WindowBlinds with a theme (BetterAero 7X from Deviant Art) to make the OS UI look like Windows 7, i.e. the window titlebars are semi-transparent as in Windows 7 and the window caption buttons (minimize, maximize and close buttons) look similar to those in a real Windows 7 OS. However, when I installed 1.26.6, the VeraCrypt window titlebar and caption buttons were no longer themed and reverted to the default theme that comes with Windows 10. I assume that this has happened due to "Add process mitigation policy to prevent VeraCrypt from being injected by other processes". (I have already turned off memory protection in the vain hope this would allow the VeraCrypt window to retain the WindowBlinds theme, but I know it's probably this process mitigation policy that is preventing WindowBlinds from injecting into VeraCrypt's window/UI.) Is there a registry setting that I can change to turn off this process mitigation policy, or, if not, could you introduce a setting in future VeraCrypt settings to disable this feature, or is this a "will not change" feature? I would quite understand if it's a "will not change" feature, for if you were to make public how to turn off this process mitigation policy there would be no point in you adding the feature to VeraCrypt in the first place and it would make VeraCrypt less secure.


    Last edit: isvik 2023-09-27
  • Enigma2Illusion

    Enigma2Illusion - 2023-09-27

    @isvik

    There is already a setting to disable Memory Protection in the Settings > Performance/Driver Configuration.

    Enable the "Disable memory protection in VeraCrypt" and you will receive a pop-up that a reboot is needed to enable the setting.
