
Primary and Secondary XTS Keys

2024-04-09
2024-06-06
  • Phillip Shumway - 2024-04-09

    In the latest version of VeraCrypt, is there a mechanism in place to check if the primary and secondary XTS keys for already created volumes are distinct during an upgrade? Or is this check only done during volume creation?

    If it is only done during creation, should volumes be decrypted and created again?

    Last edit: Phillip Shumway 2024-04-09
    • Mounir IDRASSI - 2024-04-09

      Currently, this check is only performed at the time of volume creation. However, adding it during the mounting process is feasible, although we would need to determine how to handle a failure of the check.

  • Phillip Shumway - 2024-04-09

    How about just informing the user (after boot if it is a system partition)? Or there could be an entry in volume properties for whether the volume has any issues like this, in the event that more are discovered in the future.

  • Mounir IDRASSI - 2024-04-09

    Regarding existing volumes, the probability of primary and secondary XTS keys being identical is extremely low due to the robustness of VeraCrypt's random number generator. However, without performing the check, 100% certainty cannot be guaranteed. So, if an absolute guarantee is needed, recreating volumes using the latest version of VeraCrypt is advisable.

    For the suggestion of informing users about potential issues, incorporating a check status for the XTS keys within the volume properties is an excellent idea. Thank you for this. For system encryption, we can reuse an existing mechanism within the VeraCrypt driver to report issues. This will allow the implementation of a warning message that alerts users to a failed XTS check during system boot.
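    To make the check under discussion concrete, here is an added example (not VeraCrypt's own code) of verifying that each cipher's primary and secondary XTS keys differ. It assumes a hypothetical key layout in which the primary keys of a cascade are laid out first, one per cipher, followed by the secondary keys in the same order; the sample key material is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constant-time "do these two buffers differ?" so the check itself does not
 * leak key bytes through an early exit. Returns 1 if they differ, 0 if equal. */
static int keys_differ(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return acc != 0;
}

/* Assumed (hypothetical) layout: all primary keys of the cascade first, one per
 * cipher in order, then the secondary (tweak) keys in the same order, so the
 * secondary key of cipher i starts at total_primary_size + offset_of_cipher_i.
 * Returns 0 if every pair is distinct, the 1-based index of the first cipher
 * whose primary and secondary keys are identical, or -1 if the key material is
 * too short for the declared cascade. */
int xts_keys_check(const uint8_t *master_key, size_t master_len,
                   const size_t *key_sizes, size_t n_ciphers)
{
    size_t total = 0;
    for (size_t i = 0; i < n_ciphers; i++) total += key_sizes[i];
    if (2 * total > master_len) return -1;

    size_t off = 0;
    for (size_t i = 0; i < n_ciphers; i++) {
        const uint8_t *primary = master_key + off;
        const uint8_t *secondary = master_key + total + off;
        if (!keys_differ(primary, secondary, key_sizes[i]))
            return (int)(i + 1);
        off += key_sizes[i];
    }
    return 0;
}

int main(void)
{
    /* Constructed key material for a two-cipher cascade with 32-byte keys. */
    uint8_t km[128];
    for (size_t i = 0; i < sizeof km; i++) km[i] = (uint8_t)(i * 7 + 3);
    const size_t sizes[2] = {32, 32};
    printf("fresh key material: %d\n", xts_keys_check(km, sizeof km, sizes, 2));
    /* Overwrite cipher 2's secondary key with its primary key: must be flagged. */
    memcpy(km + 64 + 32, km + 32, 32);
    printf("duplicated key pair: %d\n", xts_keys_check(km, sizeof km, sizes, 2));
    return 0;
}
```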

  • Sourceforger - 2024-06-06

    Additional question: does that "different keys topic" affect the creation of all VeraCrypt volumes? Also file-based volumes? All encryption algorithms? All hash algorithms?
