The idea of "PIM" is just so different for argon2id vs PBKDF. Part of the problem has been trying to shoehorn argon2id's settable parameters into the pbkdf single-iteration paradigm.
The concept of a single "PIM" is, I think, not truly compatible with Argon2id. Not without handicapping the best features of argon2id. Your typical key derivation will add about 20 bits of effective strength to a password. After that, every added bit of effective strength you want costs you double the processing time. One of the strengths of argon2id is the ability to add parallelism to this process. You get a free bit of effective password strength every time you double the cores. Throwing...
The concept of a single "PIM" is, I think, truly compatible with Argon2id. Not without handicapping the best feature of argon2id. Your typical key derivation will add about 20 bits of effective strength to a password. After that, every added bit of effective strength you want costs you double the processing time. One of the strengths of argon2id is the ability to add parallelism to this process. You get a free bit of effective password strength every time you double the cores. PIM formulas...
Just tried out the beta. Following bugs still exist: 1) Preboot-authentication overwrites password with a single * to obfuscate the length, but it does not replace the PIM with a single * - this is a very long standing bug, having existed since the beginning of EFI. 2) Booting from the rescue disk does not read DcsProp from the rescue disk - it reads from the system drive's EFI folder. I also note that EFI bootloader is byte-for-byte identical with previous version. I take it then that Argon2id is...
For Argon2id, it shows up in the list of features for Windows but is conspicuously absent from Linux. Does this mean that Linux can no longer open a volume so created? If this is the case, then it needs to be noted in rather large print. Linux is a common recovery platform, and if it can no longer open a Windows container/drive/system-drive that uses argon2id, then people will need to know that before they make the switch.
A 512 bit hash doesn't offer any security margin in VeraCrypt over a 256 bit hash. The hash is used solely to derive the (256 bit) header keys from the passphrase. Where collision resistance is an issue, it's true that a hash of length n only offers n/2 bits of security. However hashes are not used in VeraCrypt in any way that exposes that limitation. Hashes are not used in VeraCrypt in a way that requires collision resistance. Blake2S is as secure as SHA512 in this context. If you ask me, more so....
When I boot from a rescue disk, if I select "V" to "Boot Veracrypt loader from rescue disk", it reads the DcsProp from my system hard drive. This makes me worry that it is also booting from the loader that is on the hard drive. Why is the VeraCrypt rescue disk loader reading the hard drive DcsProp and not the rescue disk DcsProp? Also there appears to be a bug in the current release where when you edit the bootloader configuration, it adds duplicated text to the end of the configuration. It duplicates...
Is there any plan to address the lack of discard / trim capability for VeraCrypt in Linux? Bug #1186. The documentation is explicit that discard is not supposed to be blocked.
Is this tool safe for SSD too ? For some definitions of safe, yes. It won't damage an SSD, but neither can it guarantee the data is completely overwritten. It is never safe to rely on wiping old data on an SSD. Even writing every possible cell is not completely safe as there are wear levelling systems that rotate cells in and out of service. The best thing you can do is put any data which you know will later need to be "wiped" inside an encrypted container, then when you no longer want the data,...
Can the command line be tweaked with some changes: 1. Ability to specify a file that contains the name of the keyfiles and/or the ability to stream the filenames over stdin before or after the password. Giving away to every user on a system which file is being used as a keyfile makes the keyfile a target. Please allow the ability to keep the key filenames private. I recommend --keyfile=@/path/to/keyfile/list.txt to read the list of keyfiles from a file and --keyfile=@- to read the list of keyfiles...
Can Veracrypt please be updated to check to see if it is being asked to create a container into a file that already exists and a) not report that there is insufficient space, and b) actually use that file without truncating it. This will allow existing tools to be used to pre-allocate the file space in a way that creates fewer fragments and which can be manually tweaked to remove the worst fragmenting when present. Also, can VeraCrypt please be updated so that when it creates the container file...
DEADJOE does not represent the file in the editor when it's killed
For some time joe's DEADJOE, which used to write out the contents of the file I had in the editor when I, say, lost an ssh connection, no longer does that. Since like Debian 8 or so - whatever joe version that was. Now, it seems to write out a bunch of useless stuff. It says it's stuff that was in joe, but it appears to be: 1) Unknown users 2) A list of the last 11 files joe was used on 3) A startup log I can find no reference anywhere on what DEADJOE's current behaviour is supposed to be or...
It was line 7957 on mine. The fix is in and working perfectly now. Thanks so much for finding this so quickly!
My database employs a key file, in case that makes a difference.
If I start with a new database, it works as advertised. If I use my existing KDBX4 database, it doesn't:

kp
Provide the master password: *************************
KeePass CLI (kpcli) v4.0 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.
kpcli:/keepass> mkdir T1
Database was modified. Do you want to save it now? [y/N]:
kpcli:/keepass> cd T1
kpcli:/keepass/T1> new
Adding new entry to "/keepass/T1"
Title: Test1
Username:...
Using v4.0
Can't create TOTP - "No OTP for this entry"
This is very old, but I'd like to use it. Having troubles getting it to work. A connection seems to get made, but ssh won't work through it.
Request support to refer to an entry by its number inside a path
Request support for ~ (tilde) in file paths
This is still really slick software in 2023. I am really considering forking this and trying to maintain it. It would be a shame to let this die. Some things this needs today: * Up-to-date crypto libs * A way for the server to lock to a single port forward. I don't like that it essentially creates a mandatory open relay for any user that authenticates to go anywhere. I would like to tell the server to forward only to a particular address at a particular port and nothing else. That way I don't...
If anyone else manages to get working encryption on Windows, please post the method.
Thank-you kindly for the quick fix - I got home from work and there is already a new release. It works great on all my databases.
I have attempted this with both 128 byte key files (which are used raw) and larger keyfiles (which are hashed first).
kpcli uses keyfiles in incompatible way
How does one use the "new" contour strategy? The instructions say it is not "yet" linked into the GUI, but I see others mention it. Is it possible to patch it into the GUI?
You need to use the latest version of PyCam from git. None of the releases will work with any modern version of Debian/Ubuntu/Mint.
I was pulling my hair out. I had put up with this for ages when configuring OpenWrt devices over serial. I got fed up today and finally found this. Thanks for posting the solution.
Turning flash off has no effect
Request: Incorporate libblkid for UUID support
Is there a version of this against 1.3.0? Or an up-to-date minidlna fork that incorporates it?
A lot of people are downloading an older version of postfixadmin because the download page links the "Download Latest Version" button to version 3.3.1 rather than 3.3.8.
Who is responsible for the debian maintenance? Is one of the developers here maintaining it?
Sync always results in saving both the target and active database whether there were changes in the database or not. This is unexpected and in a word unfortunate. The idea of a distributed database was obviously in mind when synchronization was added, it's unfortunate that it was implemented in such a way as to preclude automated uptake of changes. Obviously I am advocating for changes to make automatic distribution and uptake of remote changes possible. The usage case I am targeting is of a single...
The advantage is you don't need to remember to manually synchronize. The advantage is that I click save over there and I don't need to think about manually synchronizing on all my other devices. They will all reload. I share one password database with six devices. I don't want to have to remember which devices I've synchronized with. I have unintentionally caused more problems because of working on an old database that wasn't synchronized. There is no infinite loop detection needed. All you need...
I don't think I'm asking for something odd. It's a normal usage case of wanting to save the database on one device and have the changes propagate to another. If I save it over there, it should reload over here. There should be no race condition. Machine 1's KeePass saves to local.kdbx and KeePass also synchronizes the change with the file remote.kdbx. This updates the timestamp on remote.kdbx. Remote.kdbx is sent to machine 2 because it changed by some method (dropbox, syncthing, etc etc) Machine...
I'm rather surprised that such care and attention was paid to having a synchronization system but then have it made to be really only useful in the case of saving with no thought to other instances actually adopting the changes. Performing a local synchronization and reload on the database when the timestamp on a synchronization target changes seems incredibly trivial. Is this a patch that would be accepted? What version of KP adopted the periodic event? I don't see it in 2.44 (version included in...
I have a database synchronization system set up, but I am having trouble figuring out the one piece of the puzzle that would actually make it useful. There are triggers to synchronize on opening and saving, which is great for the device making a change to the database. What I can't figure out is how to cause a synchronize when the "remote" copy changes. What is the method for having KP trigger a synchronization and reload when the synchronized database changes?
Remove brace expansion from loops checking multiple Python versions, add single version list at the top of the macro to make editing simpler in the future.
Re-add non-versioned directories into the python directory search list. Behaviour should now be identical to before change #18669.
Fix SF bug #750 Server compile failure, metaserver.c, regression caused by update 18667.
Fix problem where initialization of the metaserver mutex was behind #IFDEF HAVE_CURL_CURL_H, but usage of it wasn't. This causes hangs on some platforms.
Updated for current (1.70 + Trunk) clients and most recent versions of GTK+. Mentions all-in-one dependencies that have been prepared and are available for download at:
Add @GTK_CFLAGS@ to AM_CFLAGS. Should have little effect in Linux/Unix where GTK include files will be in standard places anyway. In Windows under MinGW (and any other system where the include files are in a non-standard location) it will be required.
Update deprecated MINGW macro to __MINGW32__
Remove dependency on X for OpenGL - there is generally not X in Win32, and if a Linux/Unix system is trying to configure and it doesn't have X then there are bigger problems with that build than whether or not OpenGL is enabled.
Neither keepassx or keepassxc exhibit the same slowdown. I have verified that the problem does seem to be inside libgcrypt - I did some quick tests and it seems that KeePass is still finding and using libgcrypt.
Can you help this person? He emailed me yesterday and I've been working with him. He is the reason why I started this thread, as I'm pretty sure it was the remnant VeraCrypt bootloader file in the Windows EFI folder that was causing his problems. Most users will be confused about this message and what action, if any, they are supposed to take after seeing the message. So, with respect to the message, I would strongly submit that it is simply not ethical for one piece of software to materially change...
Thank-you for the thread link. Why isn't this behaviour documented and why isn't it disclosed on install? There are serious implications for this for the operating system, and this should be indicated in big, bright letters "THIS WILL MODIFY THE EXISTING WINDOWS BOOTLOADER".
Why is VeraCrypt messing around with the Windows EFI folder? On installation VeraCrypt is installing its own EFI boot folder. This is, of course, fine and to be expected. What is not to be expected is the fact that VeraCrypt isn't just installing its own EFI folder but reaching into other EFI folders to put its bootloader in them too. It is going into the Windows EFI folder, renaming the old Windows EFI bootloader and then putting its own bootloader in the Windows EFI folder. Why is this being done,...
The library is named the same. Just located somewhere different. I am looking at the code and it is checking for MonoWorkarounds.IsRequired(1468) - the number for this bug report. Is there a way to force that to be true for testing purposes?
Hi Paul, Here is the situation: I have several almost identical Linux Mint systems. Most of them are running Linux Mint 19.3. One of them was upgraded to Linux Mint 20. KeePass's native AES-KDF is now no longer working on Linux Mint 20. It takes 22 seconds to open up a database on Linux Mint 20, and 2.5 seconds in Linux Mint 19.3 for the same database. As part of the upgrade KeePass was updated from v2.38 to v2.44. Also, libgcrypt was updated from libgcrypt.so.20.2.1 to 20.2.5. However, I have also...
I just updated to Linux Mint 20 with KeePass 2.44 and whatever change was made in KeePass 2 back then does not seem to be in it now. I have verified that libgcrypt.so.20 is available. Are there any other requirements now? EDIT: I just ran the original test version you made back in 2017, and verified it no longer has the speed improvement either. This may be an issue with libgcrypt.so.20. The version that was on my old (working) installation was libgcrypt.so.20.2.1. On the upgrade is libgcrypt.so.20.2.5....
Hmm... not sure what you mean by usable... By "usable" I meant "partitions that you would use on a day to day basis and for which there is a drive letter assigned". Because you can't encrypt the entire drive with UEFI any more, this has some people thinking that this is somehow a loss of functionality. It isn't. The whole idea of encrypting the "entire" drive the old way was only even relevant if you had multiple usable partitions with their own drive letters. This way both partitions were encrypted...
Is your computer an MBR system (ie: is your rescue disk a CD/DVD or a USB stick?)
Why not using same drive letter as DiskCryptor is doing that? Because you can accomplish the exact same thing with more versatility in VeraCrypt. If you don't want Windows to make a drive letter for the host partition, then just tell Windows not to make a drive letter for the host partition. However there are cases for retaining that drive letter, such as if you want access to that drive letter for creating an image of the raw (undecrypted) partition for backup purposes, so having VeraCrypt hide...
How many usable partitions are there on your drive?
I am also at a loss to explain it. The write speed, how are you measuring it? Is this through VeraCrypt when it is encrypting?
I realize you are talking about VeraCrypt encryption. I was wondering if it was previously a VeraCrypt-encrypted system drive on a previous computer. These are some strange symptoms you are reporting. When you attach the drive via USB, if the power supply is not connected to the USB adapter then you are able, after a significant delay, to mount the drive with VeraCrypt. But if the USB adapter's power supply is connected, you cannot? And when the drive is connected by the SATA connector to your computer...
When the drive was encrypted before, was it encrypted using system encryption? Was it a bootable drive before?
Are you using a cascade cipher? What is going on with the CPU when you are doing heavy writes? Is it anywhere close to 100% on all cores?
So the keyboard is not working after it asks you for your password? Does pressing [ESC] work? Did you make the rescue disk that was suggested just before the pre-test?
Windows is trying to make a drive letter available for the unencrypted partition because the partition type is showing as being one that Windows should be able to mount. You should be able to unassign the inaccessible drive letter through disk management. Then, once that drive letter is no longer being assigned you should then be able to use the old drive letter for the encrypted partition.
Windows is trying to make a drive letter available for the unencrypted partition because the partition type is showing as being one that Windows should be able to mount. You should be able to remove the inaccessible drive letter through disk management. Then, once that drive letter is no longer being assigned you should then be able to use the old drive letter for the encrypted partition.
You cannot encrypt the entire drive for system encryption on EFI computers. This is because the boot loader files exist in a partition that must remain unencrypted. Also, you would not want to encrypt any recovery partitions that modern computers have. If you have other partitions that contain data, you can encrypt them individually and have VeraCrypt mount them automatically at boot time. I do not know what the other options are you are trying to do - can you switch the language to English temporarily...
You can create a new backup header at any time. You do not need the original one if you make a new one.
Hi Jacobov, Without being able to duplicate your problem it's hard to diagnose. I just made myself a 20GiB outer container and a 10GiB inner container and was able to copy large amounts of files to it with no issues. I am getting sustained write speeds of about 90MiB/s, which is quite a bit slower than my drive (sustained write speed about ~240MiB/s), but then again I tested my inner container with the slowest cipher combination there is (Kuznyechik(Serpent(Camellia))), plus the container resides...
Background Quantum computing is not a particular danger to most modern asymmetric encryption algorithms. A quantum computer can search through a keyspace of size 2^n in 2^(n/2) operations. This means a 256 bit key can be searched through in 2^128 operations. First of all, 2^128 operations is still infeasible at any obtainable search speed. Secondly, these aren't regular operations, these are quantum operations, so this isn't something where you can use ASICs or PGAs or GPUs to speed up the search. We can...
Hi Sebastian, I'm afraid I'm having a hard time following the sequence of events. You mention a new windows system - do you mean you are trying (or did try) to upgrade to a new version of windows? Then you talk about switching drives, but that the computer does not see the new drive? From what I understand, then you have a VeraCrypt encrypted system disk. Something happened and it is not booting any more and you are seeing the following symptoms: - When the drive is attached to its normal computer,...
Hi Hula, First of all, I highly recommend making a disk image backup of your system drive before you do anything else. It is much easier to make a mistake that makes things worse when you have a drive in this condition. The following assumes you are using an EFI computer. Without the rescue disk things are far more difficult. Windows update may have just replaced the EFI boot files. You can test this by booting into a live Linux distribution, installing VeraCrypt for Linux and seeing if you can mount...
The first thing I would do is make a disk image. You are going to have to take a couple chances here, and it will be good if you have a baseline to go back to if anything goes further wrong from here. When an encrypted drive is in this state, it's easy to make things worse. Once you have a full image backup, then what I would suggest doing is to use the VeraCrypt rescue USB stick to restore the header keys (option "r") and maybe also the configuration files (option "c") and then once that is done...
Hi Klaus, I'm afraid I'm not quite sure what you're asking here. Yes, it is possible to encrypt a non-system drive in-place, similar to the system drive. If you already have the system drive encrypted, and if the password is the same on the non-system drive, then you can have it so that when Windows boots up then the encrypted non-system drive will also be available.
You just gave gpg the public key and not the signature, and didn't really tell it what to do with the key. First of all you need to import the public key, then use the public key to check the signature:

~ $ gpg --import VeraCrypt_PGP_public_key.asc
gpg: key 821ACD02680D16DE: 1 signature not checked due to a missing key
gpg: key 821ACD02680D16DE: public key "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately...
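The step the reply above leads up to, as an added example that is not part of the original post or of the VeraCrypt project: after the key is imported, verify the download against its detached signature and, crucially, check that the signature was made by the key you expect. gpg prints "Good signature" for any key in your keyring, so a script that only checks gpg's exit status would accept a file signed by any imported key. The file names are assumptions, and the fingerprint in the constructed sample status output is made up (only its last 16 hex digits match the key ID shown in the post); use the fingerprint the project publishes.

```sh
#!/bin/sh
# Added example, not from the post. Verifies a release file against its
# detached signature and insists the signer is the expected key, by parsing
# the machine-readable status lines gpg emits with --status-fd.

# status_ok EXPECTED  - reads gpg --status-fd output on stdin.
# EXPECTED is the full 40-hex fingerprint or the 16-hex long key ID (which is
# a suffix of the fingerprint). Succeeds only when a VALIDSIG line names that
# key and no bad/expired/revoked/unknown-key status line appears.
status_ok() {
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    valid=0
    while IFS=' ' read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $keyword in
            VALIDSIG)
                case $fpr in
                    *"$expected") valid=1 ;;
                esac ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                return 1 ;;
        esac
    done
    [ "$valid" -eq 1 ]
}

# verify_download FILE SIG EXPECTED - gpg --verify takes the signature first,
# then the signed file; status lines are sent to stdout for status_ok.
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | status_ok "$3"
}

# Usage (file names assumed), after importing the key as shown in the post:
#   gpg --import VeraCrypt_PGP_public_key.asc
#   verify_download veracrypt-setup.tar.bz2 veracrypt-setup.tar.bz2.sig \
#       821ACD02680D16DE && echo "signature OK"

# Constructed sample status output (not captured from gpg; the fingerprint is
# made up, only its last 16 hex digits match the key ID in the post).
SAMPLE_VALID='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 821ACD02680D16DE VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>
[GNUPG:] VALIDSIG 0123456789ABCDEF01234567821ACD02680D16DE 2023-01-01 1672531200 0 4 0 1 10 00 0123456789ABCDEF01234567821ACD02680D16DE
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# The same file signed by some other key that happens to be in the keyring:
# gpg still reports GOODSIG, but the fingerprint does not match (constructed).
SAMPLE_WRONG_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 000000000000000000000000FEDCBA9876543210 2023-01-01 1672531200 0 4 0 1 10 00 000000000000000000000000FEDCBA9876543210'

# A tampered file: gpg reports BADSIG (constructed).
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 821ACD02680D16DE VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>'
```

Comparing the fingerprint rather than trusting the exit code is the check that matters: anyone can upload a key with the name "VeraCrypt Team" to a keyserver, and gpg will happily say "Good signature" if you imported it.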
Hit send too early, sorry. By way of advice, the first thing I'd look at is your BIOS/firmware settings. Mine allows me to set whether my USB ports remain powered at S3/S4/S5. Also, you can look at disabling USB selective suspend. When a USB device goes into low power and enters a selective suspend state while the computer is on, then it does not get any notice that the computer goes into sleep mode. So it's possible your USB device, if it already placed itself in low power mode, is not playing nicely...
This is almost impossible to remotely debug. This problem may not affect file handles at all - file handles are at a higher level, and they won't close unless there is an error that occurs during activity on any one of those particular handles. Disk controller errors, however, will cause VeraCrypt to automatically unmount the volume. What is causing the controller error could be any number of things. Different USB devices require different power levels during S3 sleep. Some can get by unpowered....
Hi Maria, I have done this myself where I have chosen a password I thought would be simple to remember but where I then forget certain parts of it (like what parts were capitalized). Unfortunately, without the exact password the data will not be accessible.
Hi Oscar, Things that seem very specific to my problem is that when I type in the password I see the amount of keys that I typed, but when I press enter it replaces all keys with just one key. This is normal. This is to hide the number of keystrokes used in a password after you hit enter. Every time I press the escape button I'm asked for a password once again. This is not normal. Are you hitting ESC when it first asks you for the password? Did you create a rescue disc or USB stick according to the...
Is the second volume hosted in a VeraCrypt container file, or is it hosted on a partition?
Mounting the partition doesn't work, or resuming after mounting? If mounting the partition doesn't work with either the regular or backup header, then there is likely something going on with the drive that is more serious than just a problem with VeraCrypt being interrupted. The next step I would try is to boot the computer in Linux using a live linux DVD (Linux Mint is a good choice), install the Linux version of VeraCrypt and see if the partition can be mounted from within VeraCrypt in Linux.
Your password is definitely less than 64 characters? Does it use normal ASCII characters? Are there any national (non US alphabet) characters in the password?
Now, after reading some more about ext3 vs. ext4, though, maybe because of the journaling ext3 would be a better option? I may be a little confused by what you mean. In general here is the difference between the various ext filesystems: - ext2 = baseline filesystem, very resistant to fragmentation - ext3 = ext2 + journaling + minor tidbits - ext4 = ext3 + extents + 64-bit block numbers + huge file support So ext4 has all the features of ext3, including the journal, plus more. They both have journaling....
Hi Chris, The first thing I would do is encrypt the system partition (C:). Then, if there are other partitions on the same drive or different drives that you also want to encrypt, add them one by one if you want them to be. You can add each partition that you add to your system favourites. If you also enable the setting to cache your preboot password (the system encryption password) and if all the other encrypted partitions that you make use the same password, then when you boot your computer,...
The reason you can't change the permissions is that I suggested (in step 9) that you mount the VeraCrypt partition as read-only. This was to protect against inadvertent damage or changes until you could see if it was going to work. You can change this and mount it writeable and remove that limitation if you need to. You don't need to decrypt it to change the permissions. Keep in mind if you intend to ever boot from this device again that messing with the user permissions for the user folders might...
Hi Chris, You can't encrypt the entire drive in one part, but you can encrypt as many partitions as you like. The limitation of not being able to encrypt the "whole drive" is because you can't encrypt the first "UEFI" partition, and you shouldn't encrypt any recovery partitions. Besides that, it's open season. You can encrypt your Windows partition and as many others as you like. If you use the same password and PIM for your other partitions as you use for your system (Windows) partition, then VeraCrypt...
Using the rescue disc should be a last resort. Was using Linux not an option? The rescue disc is operating outside a normal OS where the CPU and hardware is only configured in a very basic way. It is always very slow. Was using Linux not an option? A live Linux DVD may have been a better, faster option. With respect to the device error, it sounds like the water leak caused some problems on the SSD. Did you make a disk image before trying to decrypt? It may have also been a good idea to bury the SSD...
Ok, what you're describing sounds normal so far. First I'll describe what's happening and why, and then how to get at your data. When you connect the drive, Windows is seeing the partitions but when it goes to try and look at the filesystem formatting it just looks like random garbage because it's encrypted. Windows doesn't understand the encryption, so it's saying that it needs to be formatted. Windows doesn't think it's formatted, but it is still attaching a drive letter to the partition. When it...
without having Administrator status? No. VeraCrypt requires administrative privileges. It is not an encrypted container "browser". It is an encryption device - it will add an encrypted container as a drive letter, and this requires admin privs. If you are on Windows 10, this means it will pop up a dialog asking "Do you want to allow VeraCrypt to make changes to your system". If you are a normal (non-admin) user then you will have to provide the password of an admin user to proceed. If you are an...
There is no solution. You cannot encrypt the entire drive in one large block for GPT/UEFI the way you can with an old MBR/BIOS system. This is not a limitation of VeraCrypt, this is a limitation of UEFI. Wouldn't encrypting only the windows partition and my other major one leave me open to a whole range of attacks on my BIOS and bootloader? VeraCrypt does not now, nor did it (or TrueCrypt before it) ever protect your BIOS. Nor did it ever protect your bootloader, nor could it. The code to load your...
You can get back in to your computer by hitting ESC when it asks you for the password. You can also use the F5 key when it asks you for the password so you can see what you are typing. Is it possible there are european characters in your password?
Hi Ramon, The only Windows driver that even partially works with ext4 is ext2fsd. From the 0.69 release message, the following ext3/4 features are unsupported:
1. 64BIT mode (to support 2^64 blocks)
2. journal: log-based operations, external journal
3. EA (extended attributes), ACL support
Using the above list, I was able to use mkfs.ext4 to create a filesystem that would work with ext2fsd on Windows:
$ mkfs.ext4 -t ext4 -L testext4 -O ^extents,^ext_attr,^64bit teste4.img
This omits some good features...
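A check to go with the mkfs line above, as an added example that is not part of the original post or of either project: before handing an existing ext4 image to ext2fsd, read its feature flags with dumpe2fs and flag the ones the post's mkfs command switches off, plus a helper that creates a fresh sparse image the same way the post does. The blocked-feature list is taken only from the post's "-O ^extents,^ext_attr,^64bit" flags and is not a complete statement of what ext2fsd supports. One assumption worth stating: dumpe2fs reports the extents feature under the name "extent" (mkfs accepts both "extent" and "extents"), so that is the name the check looks for. The dumpe2fs output used as sample input is constructed.

```sh
#!/bin/sh
# Added example, not from the post. Flags ext4 features that the post's mkfs
# line disables, so an image can be checked before it is mounted with ext2fsd.

# Feature names as dumpe2fs prints them; taken from the post's -O flags only.
UNSUPPORTED="extent ext_attr 64bit"

# ext2fsd_blockers - reads "dumpe2fs -h IMAGE" output on stdin, prints the
# offending feature names in the order dumpe2fs lists them, and fails if any.
ext2fsd_blockers() {
    found=""
    while IFS= read -r line; do
        case $line in
            "Filesystem features:"*)
                for f in ${line#Filesystem features:}; do
                    case " $UNSUPPORTED " in
                        *" $f "*) found="$found $f" ;;
                    esac
                done ;;
        esac
    done
    found=${found# }
    printf '%s\n' "$found"
    [ -z "$found" ]
}

# check_image IMAGE - run dumpe2fs (from e2fsprogs) on a real image or device.
check_image() {
    dumpe2fs -h "$1" 2>/dev/null | ext2fsd_blockers
}

# make_compat_image IMAGE SIZE - sparse file plus the post's feature set, e.g.
#   make_compat_image teste4.img 1G && check_image teste4.img
make_compat_image() {
    truncate -s "$2" "$1" &&
    mkfs.ext4 -q -t ext4 -L testext4 -O ^extents,^ext_attr,^64bit "$1"
}

# Constructed sample of "dumpe2fs -h" output for a default Linux ext4 image
# (only the features line is meaningful to the check; the rest is filler).
SAMPLE_DEFAULT='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize
Filesystem flags:         signed_directory_hash'

# Constructed sample for an image created with make_compat_image above.
SAMPLE_COMPAT='Filesystem volume name:   testext4
Filesystem features:      has_journal resize_inode dir_index filetype sparse_super large_file huge_file dir_nlink extra_isize
Filesystem flags:         signed_directory_hash'
```

Run check_image on the image (or on the VeraCrypt-mapped device) from Linux before carrying it over to Windows; an empty result means none of the post's three features are present. The sparse file from truncate keeps the image small on disk until data is actually written into it.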
Do you have system encryption on your boot drive? Is the system drive set to cache the pre-boot authentication password? Is the second drive using the same password?