Encrypting Data-At-Rest With VeraCrypt
Current events prove that 2020 will see the unfortunate continuation of the fight for privacy as a basic human right across the globe. Technology created by just a handful of major organizations continues to weave together the fabric of our lives, and the commercial value of the data collected therein validates the fact that people are largely ignorant of the deeper implications. Authorities already have the ability to query this information at will, and recent violent crimes are now providing politicians with a platform to pressure tech companies into providing skeleton keys to commercial products used by the general public. The sole purpose of encryption is to make the unauthorized collection of data difficult. It’s one of the best means by which data is kept safe and is standard in many devices whether end users realize it or not. Individuals like Attorney General Barr would allow the government access into everyone’s digital lives as soon as they smell smoke. Imagine a society where new homeowners were forced to provide their local law enforcement with keys to their home – just in case they ever decided to become criminals. Imagine the anarchy and fear that would be induced if those keys fell into the hands of people with ill intentions. Today’s war on encryption is this scenario in a digital space.
In continuation of my recent article on cryptology, this write-up provides a hands-on opportunity to perform encryption using an open-source tool known as VeraCrypt. Branching off from the discontinued TrueCrypt, VeraCrypt affords users the ability to store data in encrypted volumes which are then read from and written to using on-the-fly encryption (OTFE). This means chunks of data are decrypted in RAM only as they are read and encrypted again as they are written, so a decrypted copy is never written to the host storage device. Removable media using OTFE would be useless to a thief, even if they quickly removed it while in use. On Windows devices in particular this process is very fast thanks to VeraCrypt’s use of pipelining, so data is processed at speeds comparable to a non-encrypted counterpart.
VeraCrypt supports a number of block ciphers including AES, Serpent and Twofish. All of the ciphers are used exclusively in the XTS mode of operation; a mode of operation is the rule for how a block cipher is applied repeatedly and securely across data larger than a single block. A salted hash function (the PRF chosen when the volume is created) further protects a volume’s master key, dramatically increasing the cost of a brute-force attack on the password. Further technical information as well as details regarding compliance with various standards and specifications can be found here, and by reviewing the source code.
VeraCrypt supports a variety of implementations:
System drive encryption – of all the options we will discuss, this provides the highest degree of security and privacy, because any audit trail created by your activity, such as the logs found in Event Viewer, is encrypted along with everything else on the drive. This implementation requires pre-boot authentication before the operating system can be loaded. Only the last several versions of Windows and Windows Server, excluding Server 2016, are supported. A rescue disk is made during this process so that a corrupt boot loader or damaged master key file does not prevent you from restoring your data.
Encrypted file containers – a single VeraCrypt volume, locked by a master key, that can be read from and written to. It is similar to a password-protected folder: after authentication you can navigate it or transfer files to and from it like any other directory.
Hidden volumes – basically a VeraCrypt volume nested within another. A standard volume autofills free space with random data, and a hidden volume will be concealed within this junk space. This allows for what is called “plausible deniability”, in this context meaning it would be difficult for an adversary to determine there may be a hidden secondary volume after gaining access to the first. This feature in particular may be a suitable option for journalists, government and military personnel, or special operators working in exceptionally hazardous environments. Its effectiveness is contingent on a number of requirements.
Non-system drive encryption – whole-drive encryption for storage media that does not host an operating system.
Portable drive encryption – similar to encrypted file containers, but it does not require VeraCrypt to be installed on the machine reading the disk. This is ideal for removable media such as CDs/DVDs and USB hard drives.
Before transitioning to the demonstration portion of this article, it is worth taking some extra time to discuss a number of items we will see during the process. First and foremost is the matter of selecting a master password. As discussed in previous articles, the old notion of password complexity is quickly becoming a dated concept, given how password attacks actually work. It is much more advisable to select a passphrase of 15-20 characters or more. Essentially we want to ensure that a brute-force attack will take longer than any malicious actor is willing to spend cracking the password. HowSecureIsMyPassword is a good resource when choosing passphrases. During the password creation phase, you will also have to choose the pseudo-random function (PRF), or hashing algorithm, that will be used to protect the password. SHA-512 is approved for use on federal systems and is a good choice. Next is the cipher you will choose to encrypt your media. There are a number of reputable options, though they all use the same key size, block size and mode of operation. Despite some alternative views, AES is generally considered the industry standard for data protection, so it may be best to stick with it unless there is a specific reason not to. Also note that newer processors are AES-NI enabled, allowing for hardware acceleration and therefore faster encryption/decryption. Lastly, the volume format you select should be NTFS unless you happen to be running a version of Windows 2000. If this is your situation then you have bigger issues than encrypting your data.
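To make the password advice above concrete, here is an added Python example (not VeraCrypt’s own code) that mirrors the shape of a salted PBKDF2-HMAC-SHA512 header-key derivation and models how passphrase length and the PRF’s iteration count multiply an attacker’s brute-force cost. The salt size, iteration count and attacker guess rate are constructed assumptions for illustration, not values taken from VeraCrypt.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration: they follow the shape of a
# salted PBKDF2-HMAC-SHA512 derivation, but the salt size and iteration
# count are assumptions, not VeraCrypt's actual header parameters.
SALT_BYTES = 64
ITERATIONS = 100_000
KEY_BYTES = 64          # enough material for two 256-bit XTS keys
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def new_volume_salt() -> bytes:
    """Fresh random salt per volume: identical passphrases on two volumes
    yield unrelated header keys, so precomputed tables are useless."""
    return os.urandom(SALT_BYTES)


def derive_header_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Every candidate passphrase costs the attacker `iterations` HMAC-SHA512 calls."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt, iterations, KEY_BYTES)


def unlock(passphrase: str, salt: bytes, stored_key: bytes) -> bool:
    """Constant-time comparison of the derived key against the stored one
    (a stand-in for the real 'does the header decrypt' check)."""
    return hmac.compare_digest(derive_header_key(passphrase, salt), stored_key)


def seconds_to_exhaust(length: int, alphabet_size: int, hmac_per_sec: float,
                       iterations: int = ITERATIONS) -> float:
    """Worst-case time to try every passphrase of `length` symbols drawn from an
    alphabet of `alphabet_size`, for an attacker computing `hmac_per_sec`
    HMAC-SHA512 operations per second. Each guess costs `iterations` HMACs."""
    guesses_per_sec = hmac_per_sec / iterations
    return alphabet_size ** length / guesses_per_sec


def years_to_exhaust(length: int, alphabet_size: int, hmac_per_sec: float,
                     iterations: int = ITERATIONS) -> float:
    return seconds_to_exhaust(length, alphabet_size, hmac_per_sec, iterations) / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = new_volume_salt()
    key = derive_header_key("correct horse battery staple", salt)
    print(unlock("correct horse battery staple", salt, key))   # True
    print(unlock("correct horse battery stable", salt, key))   # False
    # Assumed attacker rate of 1e9 HMAC-SHA512/s over the 95 printable ASCII symbols.
    for length in (8, 12, 16, 20):
        print(f"{length} chars: {years_to_exhaust(length, 95, 1e9):.3e} years")
```

Doubling the iteration count doubles the attacker’s cost linearly, whereas each extra passphrase character multiplies it by the alphabet size, which is why length matters far more than complexity rules.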
For our demonstration we will be creating an encrypted drive in portable mode. Many of the following steps will be replicated regardless of your implementation so it should still be easy enough to follow along. Launch VeraCrypt and select Create Volume. Choose Create an encrypted file container in the following window.
From there you will have the option to create either a standard or hidden volume. I will choose standard for now and select the location on my external drive in which to place it. The process for creating a hidden volume is identical except it will walk you through the process twice – once for the outer volume and once for the inner.
With the advice from earlier in mind we will select our encryption and hash algorithms.
Before creating our volume we will first need to determine its size. This is largely up to you with respect to your specific needs. If you only want part of your disk encrypted, then allocate only the desired amount. If you’d rather encrypt the entire drive then enter its full capacity, bearing in mind that you will want 50MB left over for the portable software we will create later.
Verify the volume information and then choose your password. You may also opt to generate a keyfile to be used in conjunction with your password. You should consider, however, that the loss of your keyfile makes it impossible to recover your data. Change your Filesystem to NTFS in the following window and then move your mouse around randomly for 30 seconds. This will help increase the strength of your encryption keys.
Following the completion of this process, verify that your volume has been successfully created. Back in VeraCrypt, navigate to Tools > Traveler Disk Setup. Browse to the same location as your VeraCrypt volume, leave the remaining default settings and hit Create.
When placing this device into another computer you can now launch VeraCrypt whether or not the application is installed on the host device. To mount your newly created volume, choose Select File > browse to the location of the VeraCrypt volume > select a drive letter to mount it as > and select Mount. Upon doing so you can add, delete, drag-and-drop or modify files within the volume as you see fit. Files written to the volume are automatically encrypted, and files moved out of it are decrypted. Again, thanks to OTFE, the contents of your volume are never left in an unencrypted state on the disk.
Outside of the things mentioned above, the tool provides a number of additional features to help customize your experience. Favorite Volumes lets you specify how volumes are mounted, whereas System Volume Favorites can be configured for network drives or other directories that need to be decrypted before system/application services start or before users begin logging on. From the application homepage you can quickly modify volume sizes, change master passwords, create rescue disks, and integrate VeraCrypt with existing security token and smart card infrastructure. The developers provide instructions for securely backing up your data, though the process largely consists of creating a secondary volume, preferably on secondary hardware, and copying the contents for redundancy. FreeFileSync is an excellent tool for removing human error from this procedure. Lastly, you are able to fully and permanently decrypt fully-encrypted drives. For encrypted containers, you must move their contents to another location and then delete the container as you would any other file.
The creators of VeraCrypt maintain that their tool only provides security and privacy to the extent that best practices are followed. OTFE means all your data is handled in RAM. As forensic analysts know, a lot of valuable information can be retrieved from a computer’s memory. Though VeraCrypt automatically purges master keys from memory whenever a volume is dismounted, it does not, by default, encrypt master keys in RAM, due to the performance overhead. This can be manually enabled under Settings > Performance/Driver Configuration in exchange for a 5-15% performance hit. Various other forms of data leakage exist, and so, again, those who absolutely require the protection of plausible deniability need to carefully read the Security Requirements and Precautions for Hidden Volumes.