I was having a discussion with Gaza on Telegram and it just became too involved, plus I thought I should maybe share it with more people, as it is important. (One of our regular readers also sent me an email regarding this in a roundabout way.) Too long for Q&A, and too short for a tutorial.

VeraCrypt is great software. Ever since I was introduced to TrueCrypt, I have been a fan. The discussion flowed from a question: What can we do to make VeraCrypt more secure?

For those NOT in the know, VeraCrypt is encryption software that is a fork of the discontinued TrueCrypt encryption software. It can best be described as a continuation of TrueCrypt that supports all features that TrueCrypt supported, plus a set of improved or new features. We have covered VeraCrypt in past issues – go grab them now if you have not read them: https://fullcirclemagazine.org/downloads/

When it comes to security, the hidden container is the best, but that eats up a lot of space. Usually the weakest link is the password. People like to have memorable passwords. The maximum password length in the latest VeraCrypt is 128 characters at the time of writing. So, if you do not have a password manager, how would you have a strong password (that you can copy / paste as needed)?

Before I start here, the reason I am making these suggestions is so that you can copy / paste the password, with “minimal” hassles, and still be reasonably secure:

• Using PGP keys:
— I suggest that you download any application of your choice, plus its corresponding public PGP key, not just the PGP key, as that could stand out (unless you have lots!) if anyone were to analyse all your computer files.
— Now, perhaps change (not insert/remove) a few recognisable characters inside the PGP key and save the file. This is so that you easily remember where to start within the file if your memory is not 100%, like having two plusses (++) where you should start. In the image, you will see we used line 20, for 2020, and started just after the plus - now I won't forget. If you change the PGP file, then, if possible, retain the original date on the revised file (in case someone goes forensic on your computer, an application from 2006 with a 2020 date on the PGP key would be suspect…).
— Now copy 128 characters from that position in the file, and use it as your password - don’t use the first or last 128 characters, for obvious reasons! If you use a nice editor that shows you the number of characters, you can grab 128 from your predetermined point.

• Using PDFs: Another nice option is to open any document in your documents collection and copy a long sentence (of text) from it. (Thank you @Kal N).

• Using Steam: Though using one of your long Steam keys may seem like a good idea, logging into Steam, finding the game, copying the details, etc, is a long process and relies on Steam working. (Thank you for the suggestion Mr. A!).

• I have had suggestions of putting the PGP key inside a jpeg with steganography, but again, this defeats the “easy” part.

• Another option is to use an online ‘password generator’. If permitted, you should configure the generator to use A-Z, a-z, 0-9, and all printable symbols. As with all options here, you must conceal the chosen password securely within your own private files and within your backups. Perhaps check these:
— https://www.grc.com/passwords.htm. Steve Gibson’s very highly recommended website. Use the middle of the three generators, save the 64-char password into your private file, hit Refresh to generate a second one, and append that to the first one - to get 128 chars in total.
— https://www.strongpasswordgenerator.org/. Tick all four options, set the length to 128, hit Generate, and copy the full generated password (not just the displayed bit!) to your private file.
— https://www.msdservices.com/apg/index.php. Set the Algo to Random, tick all four symbol sets, set the min and max lengths to 128 and the count to 1, type a phrase into the Seed, hit Generate, and copy/paste the full password to your private file.

• None of these password ideas are set in stone; they are just “easy” ways that – should you forget / lose the key – you can go grab it again without the need to remember it. This way, the key is hiding in plain sight, but might as well not be there. Remember we want a “strong” password that is “easy” to recover, without having to remember much (if you do not use password managers), and that you can copy & paste as needed. Whew. If you are scared that you might lose it, say in a disk failure, then burn your key/password to a DVD or put it on a thumb drive that you lock away as backup.

That takes care of a strong, long password.

VeraCrypt also has a Personal Iterations Multiplier - PIM. (Yes, not a Personal Information Manager. I too, at first, thought this was a short passkey to unlock your longer password, so I did not use it.) This field’s value controls the number of iterations used by the header key derivation function. If you value your security, you can see why changing this is a good idea. PIM is used by volumes even if the creator of the volume did not specify a value. It is an optional component that improves security: it adds another step to the authentication process, similar to two-factor authentication. This is good… Napster bad… (Okay, I will see myself out).

However, the PIM is static. There is no auto-generated randomness here. This means that even if someone sees your password, they still need the PIM. In layman's terms, VeraCrypt's PIM defines the number of times your password is hashed before being used to decrypt the disk.

Mounir from IDRASSI states: “If the PIM value is small, iteration count is also small and this implies quicker mounting/booting but it brings a decrease in security. VeraCrypt implements validation checks on the PIM in order to ensure that the overall security is not inadvertently reduced by the user. Thus, when the password is less than 20 characters, PIM can't be smaller than 485 in order to maintain a minimal security level. And when the password is 20 characters or more, PIM can be set to any value from 1 upwards.”

When PIM is left empty or set to 0, VeraCrypt will use the default iterations, which translate to the default PIM values. Defaults are never good; Shodan has taught us this.
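To make the PIM-to-iterations relationship concrete, here is an added example (not code from VeraCrypt or from the original article). It assumes the formula VeraCrypt's documentation gives for non-system volumes, iterations = 15000 + PIM × 1000 with a default PIM of 485, and applies the validation rule quoted above; the function names, the salt and the sample passphrase are constructed for illustration.

```python
import hashlib

# Assumption: formula and default are those documented by VeraCrypt for
# non-system volumes using PBKDF2; only the value 485 appears on this page.
DEFAULT_PIM = 485
MIN_PIM_SHORT_PASSWORD = 485   # quoted rule: password shorter than 20 chars
SHORT_PASSWORD_LIMIT = 20


def iterations_for(pim: int = 0) -> int:
    """PBKDF2 iteration count for a non-system volume; 0 selects the default."""
    if pim < 0:
        raise ValueError("PIM cannot be negative")
    return 15000 + (pim or DEFAULT_PIM) * 1000


def pim_is_accepted(password: str, pim: int) -> bool:
    """Validation rule from the quote: short passwords need PIM >= 485."""
    if pim == 0:                       # empty/0 means default, always allowed
        return True
    if len(password) < SHORT_PASSWORD_LIMIT:
        return pim >= MIN_PIM_SHORT_PASSWORD
    return pim >= 1


def derive_header_key(password: str, salt: bytes, pim: int = 0) -> bytes:
    """Derive a 64-byte key with PBKDF2-HMAC-SHA512 (sizes are illustrative)."""
    if not pim_is_accepted(password, pim):
        raise ValueError("PIM too small for a password under 20 characters")
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                               iterations_for(pim), dklen=64)


def relative_cost(pim: int) -> float:
    """Hashing work per password guess, relative to the default PIM."""
    return iterations_for(pim) / iterations_for(0)


if __name__ == "__main__":
    salt = bytes(range(64))            # constructed salt, not from a real volume
    passphrase = "constructed-sample-passphrase-0123456789"  # 20+ characters
    for pim in (1, 485, 2000):
        print(pim, iterations_for(pim), f"{relative_cost(pim):.2f}x default")
    # Same password and salt, different PIM: the derived keys differ, so the
    # header cannot be decrypted without the right PIM.
    k1 = derive_header_key(passphrase, salt, 1)
    k2 = derive_header_key(passphrase, salt, 2)
    print("keys differ:", k1 != k2)
```

A PIM below 485 with a long password mounts faster than the default but costs less per guess; only values above 485 add work beyond the default.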

The PIM, however, does nothing for your password; it only makes brute forcing your password impractical / uneconomical, as you need to brute force the PIM first. You would be surprised how much of a deterrent this can be.

I would suggest using this for non-system volumes only, and if you need to keep things REALLY, REALLY secure, have another, say Zebracrypt or whatever, inside that fully encrypted disk. I don’t have Death Star plans, but if I did, I would encrypt the volume with VeraCrypt using both a strong password and a PIM, and have an encrypted folder inside that named “corrupted data backup” that used another strong encryption algorithm. You can go completely KGB if you want, but remember, all of this takes time, and you need to weigh up the security value against your time. However, you can also now sell your disk once you have formatted it, and know, with confidence, that even IF someone manages to rescue some of it, it will be totally useless to them. This is a popular question with FCM readers as well as on our company Q&A.

Changing the PIM and the password is straightforward; however, the drive must not be mounted if you wish to change the password or PIM. If you did not use a PIM before, when you go through the password change routine, simply click the “use PIM” checkbox and enter your PIM.

Do you disagree with me on any of this, or have an easier / faster method? Let me know at: misc@fullcirclemagazine.org

issue163/mon_opinion.1606584707.txt.gz · Last modified: 2020/11/28 18:31 by auntiee