Does Veracrypt expander re-encrypted container ?

[Phạm Hoàng Long]

When using expander, i saw the result after used look like container is re-encrypted. So i want to ask to make sure : Does my container re-encrypted after using expander?

Follow this doc : https://www.veracrypt.fr/en/Changing%20Passwords%20and%20Keyfiles.html

The idea is we don't need to create a new container and transfer files from old to this new, just change pass (keyfile) and then use expander to re-encrypted container, this way is faster.

Sorry for my not good English. Thank you.

[Mounir IDRASSI]

Thank you for this interesting question.

To clarify: When you use VeraCrypt Expander, the entire container is not re-encrypted. Instead, the Expander primarily works by recreating the header of the volume to encode the new volume size. As a result, this will change the header key. However, the master key of the volume (the one used to encrypt the actual data) remains unchanged.

This means that if, for any reason, the master key of the original container is compromised, the expanded container will also be at risk, since the original master key is kept as is.

Therefore, the recommendation mentioned in the documentation still stands: If there's any suspicion that your master key has been compromised, the best and most secure practice is to create a new container and transfer the files from the old container to the new one.

I hope this clears things up. And don't worry about your English; your question was clear and understandable!