Has Mounir Idrassi gone authoritarian?
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
The blocking of pkcs#11, which is told to us via the error message:
'The operation was blocked as the process prohibits dynamic code generation'
is not, imho, Mounir's decision to make.
In my case the ase dll was suddenly blocked, though I'd been using it for years!
I get that MI thinks dynamic code generation is terribly dangerous, and he might be right; however, he has no right to mess up peoples' veracrypts.
If I might suggest, the error could still occur, but there is a choice for the user to override if the user so wishes. Else, where will this end?
EDIT - want to point out that MI is obviously an accomplished developer, and I'm VERY grateful for all the unpaid work he's done since TrueCrypt.
Last edit: Baa-meh 2025-11-04
Security decisions made by Mounir are made in the best interests of the users of VeraCrypt while avoiding options to allow users to override the necessary changes for security.
The decisions made are not always going to be popular.
For example, Microsoft's Win 11 hardware requirements that are causing people to purchase new PC's due to older hardware's security vulnerabilities. This is impacts me and I am not happy about Microsoft's decision. However, I understand why Microsoft had to make that decision to force users to newer hardware.
Mounir explains the issue you are encountering at the thread below.
https://sourceforge.net/p/veracrypt/discussion/technical/thread/e0a060cb1e/?limit=25#e903
Hopefully someone can help recommend Smart Cards to you that do not use dynamic code generation which can lead to injection attacks by malicious software.
Last edit: Enigma2Illusion 2025-11-04
I do not think that is up to anyone but the user. Yes, in the case of Windows hardware changes, their is little choice and if Veracrypt cannot use modules with dcg due to MS security policies, then fine.
However, that does not seem to be the case, according to MI:
'Throughout my extensive testing with major PKCS#11 libraries, I did not encounter this unusual behavior. Furthermore, it's uncommon and somewhat suspicious for a PKCS#11 library to modify executable code at runtime.'
Obviously, the extensive testing was not extensive enough since at least two modules use it (given they weren't hacked). And uncommon and somewhat suspicious is not enough to judge a module guilty.
The module I used was originally on media from the suppliers, so cannot have been hacked. The company was reputable and sold millions of smart cards. So why they would use the dynamic generation I don't know.
I do know my host is only on the internet briefly for MS updates, so highly unlikely there is any malicious code. If I had been allowed to override this temporarily it would have saved me a lot of grief.
I completely understand your frustration at upgrading from 1.25.x to 1.26.x and not being aware of the security change that impacted accessing your volume(s) with your Smart Cards and troubleshooting what was causing the "the operation was blocked as the process prohibits dynamic code generation source: Veracrypt:security token:init library 534" error message.
We will have to agree to disagree. I already stated there will be decisions where security changes must be made that are not optional and Mounir cannot make everyone happy.
.
No one said this security change was due to a Microsoft's security policy. You misunderstood what I wrote.
To get a larger overview of the risks of dynamic code generation with the library in question, Google search using the following search terms:
I was surprised at the various threat vectors.
Keep in mind that Mounir is open minded and he appreciates constructive user feedback along with civil discussions on the pros & cons of features and enhancement requests,
Last edit: Enigma2Illusion 2025-11-05
Yes, I agree with the disagree to thing.
I hope I have kept this civil, and as earlier stated I have the utmost respect for Mounir.
I was anyway getting new smart cards (easier said than done) from Microcosm.uk. I wrote to them about this matter, and they said they did not know because the module was made by an OEM (Feitian). I will update on how this works out, if anyone's interested.
Anyway, thanks for your feedback, and I would probably have said the same, if not personally affected by this.