Confidentiality and integrity are increasingly important when it comes to security. The ability to encrypt data carriers is decisive in this battle, especially for mobile devices. This article shows you how to reliably protect your data and operating system with the open source VeraCrypt tool, as well as how to completely hide the encrypted containers if necessary.

In response to the increase in awareness of IT security, Microsoft began developing the software later known as BitLocker [1] for encrypting files, partitions, or entire hard disks in 2004. BitLocker came under suspicion during the Snowden incident, when it was suspected of possibly providing backdoors or master keys for intelligence services. However, this has never been confirmed and is unlikely to be confirmed any time soon. BitLocker is therefore often used in corporate settings because it gives administrators the ability to create backup keys and store them in Active Directory, for example.

Created at virtually the same time, the free TrueCrypt [2] encryption tool was based on Encryption for the Masses (E4M) source code (which was allegedly stolen from SecurStar) [3]. While it took BitLocker another three years to find its way into Windows, TrueCrypt enjoyed great popularity right from the start, although the developers remained anonymous for a long time and its source code was not freely available. Rumors later confirmed that TrueCrypt's development originally came from criminal circles. TrueCrypt announced the end of development in 2014.

In 2013, VeraCrypt, a fork based on an older, audited version of TrueCrypt, was launched. Today, VeraCrypt is developed by the open source community. Of particular interest, VeraCrypt supports the different Linux derivatives and macOS as operating systems in addition to Windows. As an added bonus, legacy TrueCrypt containers can easily be recycled thanks to VeraCrypt.

Encryption for Data Protection

Data confidentiality and system integrity are fundamental protection goals of IT security and must therefore be taken into account whenever an operating system is installed. Regardless of the industry, virtually everywhere you look there is sensitive data that needs protecting (often for legal reasons). Whether construction plans, customer data, customer projects, or simply internal documents and communication, you don't want this information falling into the wrong hands.

Mobile devices and data carriers in particular are exposed to a greater risk of loss or theft, especially if you have to hand the device over briefly, say, during international travel. In these cases, an encrypted system partition protects against uncontrolled manipulation, such as the installation of malware or spyware. Above all, however, it protects against unauthorized access, for example, to industrial secrets or personal data on the hard drive.

Of course, confidentiality and integrity are only ensured when the computer is switched off. If a device is switched on and the encrypted data is unlocked for daily work with a password, access is possible. A loss of confidentiality due to user error or manipulation by malware is then possible.

Setup and First Steps

Some corporate environments already use VeraCrypt. There are different configurations, depending on the intended use. Various scenarios are outlined below. To get started, you first need to download VeraCrypt for installation on your operating system. Use the official download page [4] provided by the IDRIX developers. This way you can count on having a valid, signed version and avoid the trickery of dubious download platforms.

The installation is child's play: Launch the downloaded file with admin authorization or confirm the prompt during the install. Then select the language that suits you and install VeraCrypt with the standard options. Alternatively, you can download the source code provided on GitHub [5] and create VeraCrypt on your own system.

When you launch VeraCrypt, the program comes up with a tidy interface (Figure 1). You will see an overview of the mounted drives; VeraCrypt uses the classic drive letters from A to Z on Windows and also offers the option of mounting or creating a container or an encrypted partition.

Figure 1: VeraCrypt comes up with a very tidy interface when first launched.

Pressing the Create Volume button opens a dialog that guides you through the process. The first step is to select the type of storage you want for the volume. You can choose between a container file, an encrypted partition on your hard disk, or an encrypted system partition of your Windows operating system. For first time users, it makes sense to create an encrypted container.

Next you need to define your container's volume type. You have two volume options: standard and hidden (Figure 2). Hidden volumes support two protection objectives: plausible deniability and confidentiality. A hidden volume makes it possible to deny the very existence of the encrypted data if someone tries to force you to hand over the data. To do this, you need to create a hidden volume on a standard volume. VeraCrypt creates the matching structures in the container headers regardless of which volume type you choose, so the existence of these structures alone is not credible proof of the existence of a hidden volume. Technically, the internal volume is simply a storage area within a standard volume and is protected with another secret.

Figure 2: Plausible deniability is definitely an option with VeraCrypt.

If you enter both secrets when mounting the volumes, VeraCrypt determines the byte limits of the two volumes within the container and you can safely access both volumes as required. If you only specify the secret for decrypting the outer volume, there is a risk of overwriting the hidden volume. VeraCrypt then knows nothing about the corresponding byte limits and simply fills up the container, possibly also using up the area containing the hidden volume.

Security vs. Performance

For my example, I'll select Standard VeraCrypt volume and then press Next. Then I need to select the container file's storage location and specify the encryption parameters. VeraCrypt offers a choice of algorithms. AES is the globally recognized standard for block encryption. The alternatives, Serpent and Twofish, were also candidates for the AES standard at the time, so they are comparatively secure.

If you do not trust any algorithm on its own, you can also select a cascade of several methods. You have to decide for yourself whether this makes sense cryptographically and for your application. Ultimately, cascading increases key material and eliminates the mathematical uncertainties of individual procedures in an attack scenario. The same applies to the choice of the hash method; again different variants are available. Under normal circumstances, AES and SHA-512 are safe choices that achieve a good compromise between security and performance. I will use these two methods in my example.

As the next step, you need to define the size of the volume based on your estimated needs. Otherwise, you might use up a large amount of storage space on your data carrier just to encrypt a few files or a bunch of small files. VeraCrypt also offers dynamic containers if you can't estimate the exact requirements right now. These containers do not grab the entire storage space when they are created, but simply grow to the specified maximum size as required. Incidentally, you need to choose dynamic containers carefully, because if they end up exceeding the actual hard disk capacity, there is a risk of data loss. I will be using a container size of 1GB.

You now need to select the secret for accessing the volume you created by filling out the two input fields with your choice of password. Be sure to read the info at the bottom of the dialog to help you choose a secure password. Good passwords should not only consist of many different characters, but should also be as long as possible. Password length has a major influence on security (see the "Password Security" box), although you are likely to find different recommendations for this in different places. VeraCrypt warns you if your password has fewer than 20 characters.

As an alternative or in addition to the password, you can select further "secrets" to protect your volume. In addition to a smartcard, any file or the files of an entire folder can be defined as keyfiles (Figure 3). Of course, this increases the size of the input variable for encryption immensely, but limits the secret to be remembered to this one file or the selected combination of files. Because an attacker with access to your computer could try out any file as a secret, it is not a good idea to solely rely on one file as the secret.

Figure 3: Keyfiles can also be used in addition to passwords.

You can enhance security even further by defining the Personal Iterations Multiplier (PIM) yourself and selecting the Use PIM option. This lets you change the number of iterations of the key derivation function that generates cryptographic keys from your input, thus making brute force attacks more difficult. Having said this, the default number of iterations (500,000 rounds) offers a good compromise between performance and security, so I wouldn't change anything here.