
#561 Warn 1.26 users about no longer supported RIPEMD-160 and GOST89 algorithms

Milestone: 1.0
Status: open
Owner: None
Updated: 2 days ago
Created: 2024-06-25
Creator: Ralf Hauser
Private: No

I am a long-term happy user of VeraCrypt / TrueCrypt and my 2-year-old laptop unfortunately had an SSD crash.
I bought a new SSD, installed VeraCrypt fresh, restored all volumes and wanted to mount them, but the software said that the password is incorrect, etc.
Big shock - did I lose all my data ????
Now I realize that this is due to the non-backward compatibility of 1.26.

==> wouldn't it be possible to amend the error message to say "Algorithm X is no longer supported - to convert your volume to the current state of the art, please consult the following instructions https://..." ?

(this would have saved me quite some sleepless nights :==) )

Discussion

  • Mounir IDRASSI

    Mounir IDRASSI - 2024-06-25

    Thanks for the report. Indeed, such a situation can be confusing.
    But at the same time, VeraCrypt 1.26 has no knowledge of RIPEMD-160/GOST89 since they were removed, and so it is not possible to differentiate between a wrong password and the volume using an unsupported algorithm.

    The only thing we can do is to add a new reason to the error dialog stating that one of the failure possibilities is the use of an old algorithm that was removed. For example:

    [Screenshot: VeraCrypt password failure message]

    I don't know if there is a better way.

    • Enigma2Illusion

      Enigma2Illusion - 2024-06-26

      @idrassi

      Also there should be another error line item:
      Does not support TrueCrypt volumes not converted to VeraCrypt volumes.

      Or shorter statement:
      Does not support TrueCrypt volumes.

      Or:
      No longer supports TrueCrypt volumes.


      Last edit: Enigma2Illusion 2024-06-26
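Mounir's point above (a mount failure cannot tell a wrong password from a volume that uses a removed algorithm) can be seen in a small model of the trial-decryption mount logic. This is an added example, not VeraCrypt's code: it stands in HMAC-SHA256 counter mode for AES-XTS, PBKDF2-SHA1 for the removed HMAC-RIPEMD-160, and a constructed fixed salt for the header's random salt.

```python
import hashlib
import hmac
import zlib

# Simplified model of VeraCrypt's mount logic (added example, not VeraCrypt code):
# the header is decrypted by trying every PRF the running version supports; a
# successful decryption is recognised by the "VERA" magic and a CRC32 over the
# rest of the header. Anything else looks like random bytes, whether the cause
# is a wrong password or a PRF this version no longer implements.
SUPPORTED_PRFS = ("sha512", "sha256")   # what the new version still knows
REMOVED_PRF = "sha1"                    # stand-in for the dropped HMAC-RIPEMD-160
SALT = b"constructed-salt"              # real headers carry a random salt
MAGIC = b"VERA"

def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; toy replacement for VeraCrypt's AES-XTS."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:length]

def encrypt_header(password: bytes, prf: str, payload: bytes) -> bytes:
    """Build header = magic + CRC32(payload) + payload, encrypted under a key derived with `prf`."""
    plain = MAGIC + zlib.crc32(payload).to_bytes(4, "big") + payload
    key = hashlib.pbkdf2_hmac(prf, password, SALT, 1000, 32)
    return bytes(a ^ b for a, b in zip(plain, keystream(key, len(plain))))

def try_mount(password: bytes, header: bytes):
    """Return the supported PRF that decrypts the header, or None (reported as 'wrong password')."""
    for prf in SUPPORTED_PRFS:
        key = hashlib.pbkdf2_hmac(prf, password, SALT, 1000, 32)
        plain = bytes(a ^ b for a, b in zip(header, keystream(key, len(header))))
        if plain[:4] == MAGIC and int.from_bytes(plain[4:8], "big") == zlib.crc32(plain[8:]):
            return prf
    return None

PAYLOAD = b"constructed volume metadata"                       # constructed sample
MODERN = encrypt_header(b"correct horse", "sha512", PAYLOAD)   # created by the new version
LEGACY = encrypt_header(b"correct horse", REMOVED_PRF, PAYLOAD)  # created with the removed PRF

def demo() -> dict:
    """Both failure cases return the same None: the mount code has nothing to tell them apart."""
    return {
        "modern_ok": try_mount(b"correct horse", MODERN),
        "modern_wrong_pw": try_mount(b"wrong", MODERN),
        "legacy_right_pw": try_mount(b"correct horse", LEGACY),
    }
```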
  • Ralf Hauser

    Ralf Hauser - 2024-06-25

    that would be a GREAT improvement - even better if it mentions that IDRIX has assembled further information on how to cope with that challenge (possibly adding a URL?)

  • Enigma2Illusion

    Enigma2Illusion - 2024-06-25

    @idrassi

    Hi Mounir,

    Link or no link for the old algorithm in the error message, I would like to suggest including in both the offline and online VeraCrypt documentation a new documentation topic using the information in the How To thread I created called How to Convert TrueCrypt to VeraCrypt and Replace Deprecated Hash & Encryption Algorithms.

  • Enigma2Illusion

    Enigma2Illusion - 2024-06-25

    @idrassi

    Reviewing your example screenshot above, it needs a carriage return between the error conditions and the line with "Source:". :)

  • Enigma2Illusion

    Enigma2Illusion - 2024-06-25

    @idrassi

    In addition to the proposed solutions above, it would be advantageous if the installer of VeraCrypt 1.26 and newer versions started with an information screen telling the user about the deprecated TrueCrypt mode, deprecated hash & encryption algorithms with links to the documentation for remediation and to cancel the current installation until the user has completed the necessary remediation(s).

    Another visual clue to alert users that a major change has occurred is to change the version number from 1.26 to 2.00.

  • Mounir IDRASSI

    Mounir IDRASSI - 2024-06-26

    @enigma2illusion:

    Thank you for your feedback, it is very helpful. Indeed, in the error message, we should also mention TrueCrypt support since it was dropped. Your thread is a good proposal for documentation. I will prepare a page for it.

    The idea of adding an information screen that asks users to complete remediation before installation looks too scary for the average user. I believe most users are not affected by these deprecations, so adding such a screen to the installation seems too much to me. One alternative is to add an information popup after the first VeraCrypt launch that informs the user about the deprecation of TrueCrypt and other algorithms, with links to the documentation.

  • Enigma2Illusion

    Enigma2Illusion - 2024-06-26

    @idrassi

    Hi Mounir,

    Thank you for explaining your thoughts on the various ideas I submitted.

    The issue with giving a one-time information popup on the first VeraCrypt launch after an install or upgrade is that the remediation has to occur using the older VeraCrypt version, since you cannot use Portable Mode of an older version with the newer version installed.

    https://sourceforge.net/p/veracrypt/discussion/technical/thread/6785f85d57/?limit=25#56d2


    Last edit: Enigma2Illusion 2024-06-27
  • Enigma2Illusion

    Enigma2Illusion - 2024-06-28

    @idrassi

    Hi Mounir,

    I have been thinking how to implement adding an information screen that asks users to complete remediation before installation or upgrade using the VeraCrypt installer.

    To alleviate new users being scared by the information screen, what if the installer first asks the question of "Do you have any preexisting VeraCrypt or TrueCrypt non-system volumes?" with Yes/No buttons?

    If the user clicks the No button, proceed with the installation/upgrade.

    If the user clicks the Yes button, then display the information screen that contains the Install/Cancel buttons along with links to the online documentation (since the newer offline documentation has not been installed yet, or is the older version), so the user can remediate any potential non-system volumes before proceeding to install the newer version, since the older version must be used for remediation.

    This approach will provide a better user experience for both new and existing users.

    Consider existing users who use system encryption: the system encryption itself does not need remediation, but the user does need remediation for their non-system volumes. This saves the user from having to decrypt the system encryption so they can downgrade to the 1.25.9 version, remediate their non-system volumes, upgrade + reboot, then re-encrypt the system again.


    Last edit: Enigma2Illusion 2024-07-01
  • Mounir IDRASSI

    Mounir IDRASSI - 2024-07-03

    @enigma2illusion

    I agree that this approach is better but I'm still not comfortable with it because many users will not be able to judge if their volumes are affected or not and so they will not upgrade.

    Actually things would have been much simpler if I had finished the standalone conversion tool that I started. The objective of this tool is to allow upgrading volumes from the TrueCrypt format and old algorithms to the VeraCrypt format with current algorithms. In this case we could handle the mount failure case by displaying a link to documentation that explains how to use the tool to upgrade volumes.

    At this stage I feel I have no choice other than to finish this tool. I will finalize the GitHub CI change and then I will work on it.

  • Enigma2Illusion

    Enigma2Illusion - 3 days ago

    @idrassi

    Is it possible to convert both the outer and hidden TrueCrypt volume to the VeraCrypt format without creating a new VeraCrypt volume?

    Using "Converting TrueCrypt volumes and partitions" procedures in the documentation, how do you convert TrueCrypt's outer and hidden volume to VeraCrypt format?

    Do you perform the change password twice? Once for outer password and then a second time for the hidden volume password?

    If the above does not work for converting TrueCrypt volume with hidden volume, would it be feasible to convert TrueCrypt volumes with hidden volumes by using the same logic and pop-up messages as backing-up the headers in which the application asks if the volume has a hidden volume at the start of change password where the user has to provide both during the entire convert process? Once for outer and then for the hidden like in the process flow of the backup header?

    The documentation and the conversion tool do not specify how to convert TrueCrypt -> VeraCrypt hidden volumes, nor do they warn whether converting the outer volume may/does destroy the hidden volume.

    Both should be updated to guide the user on how to convert a TrueCrypt volume with a hidden volume to the VeraCrypt format, for both the outer and hidden volumes.

  • Mounir IDRASSI

    Mounir IDRASSI - 3 days ago

    Yes, it is possible to convert both normal and hidden volumes from TrueCrypt to VeraCrypt format by performing the “Change Password” operation twice: once for the outer volume and once for the hidden volume, each using its dedicated password.

    The documentation should indeed be updated to mention that if the TrueCrypt volume contains a hidden volume, the user must repeat the same process, this time using the hidden volume password, in order to convert it as well.

    Regarding displaying a popup about the presence of a hidden volume during TrueCrypt conversion, this feature can be added to the new tool, VCPassChanger, which I uploaded yesterday to the "Contrib" folder. However, I'm not yet sure when I will be able to implement this change.

    For now, updating the documentation is the first step.

  • Enigma2Illusion

    Enigma2Illusion - 2 days ago

    Enhancement #2 to the VCPassChanger tool is requested to include the "Volume Properties" button to display the volume's properties.

    Windows users who successfully upgraded their VeraCrypt system encryption to 1.26 or a newer version, but are encountering non-system volume(s) failing to mount, can check the non-system volume's properties to see if any of the deprecated items shown below are causing the issue.

    If so, they can remediate TrueCrypt Mode and/or the hash algorithm using the VCPassChanger tool, versus decrypting the system on the newer version, installing 1.25.9, checking the volume properties of the non-system volume(s), remediating, upgrading to the latest version and re-encrypting the system.

    • TrueCrypt Mode
    • PKCS-5 PRF: HMAC-RIPEMD-160 (this is the hash algorithm)
    • Encryption Algorithm: GOST89

    Last edit: Enigma2Illusion 2 days ago
