VeraCrypt 1.19 fixes security vulnerabilities


VeraCrypt 1.19 is the newest version of the popular open source data encryption program that many users switched to after TrueCrypt was discontinued back in 2014.

The application is based on TrueCrypt code but has since been updated regularly with new features, improvements and, most notably, security fixes.

The VeraCrypt team fixed security vulnerabilities that a TrueCrypt audit brought to light, and has fixed several vulnerabilities or issues since then.

The team announced back in August 2016 that VeraCrypt would receive a security audit of its own thanks to the Open Source Technology Improvement fund.

The scope of the audit was twofold. First, to verify that TrueCrypt related issues are fixed, and second, that features introduced by VeraCrypt did not introduce issues of their own.

A first step consisted in verifying that the problems and vulnerabilities identified in TrueCrypt 7.1a had been taken into account and fixed.

Then, the remaining study was to identify potential security problems in the code specific to VeraCrypt. Contrary to other TrueCrypt forks, the goal of VeraCrypt is not only to fix the public vulnerabilities of TrueCrypt, but also to bring new features to the software.

VeraCrypt 1.19


The security audit of VeraCrypt and its bootloaders by QuarksLab has been completed. The company found a total of 26 different vulnerabilities or issues, of which eight were rated critical. The remaining vulnerabilities received a rating of medium (3) or low/informational (15).

VeraCrypt released version 1.19 of the encryption software, which addresses the majority of the issues found by QuarksLab. Among others, this includes a fix for the MBR bootloader inherited from TrueCrypt, which leaked the password length on Windows machines.

The technical documentation of the audit reveals that some vulnerabilities have not been fixed yet because of their complexity: they require either major modifications to existing code or changes to the project architecture.

This includes for instance a problem with the AES implementation which makes it susceptible to cache-timing attacks. The only way to resolve the issue is to rewrite the AES implementation, which takes time.
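The cache-timing weakness of a table-driven AES is easier to see in code. The C snippet below is an added illustration, not VeraCrypt's code, and does not reflect its actual implementation; it assumes the common design where the S-box is a 256-byte lookup table, and contrasts a secret-indexed lookup (the cache line touched depends on the byte being looked up) with a constant-time scan that touches every entry and selects the wanted one with a mask:

```c
#include <stdint.h>
#include <stdio.h>

/* AES S-box, built at startup (multiplicative inverse in GF(2^8) followed
 * by the AES affine transform) so the example is self-contained. */
static uint8_t sbox[256];

static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {          /* fixed 8 iterations */
        if (b & 1) p ^= a;
        uint8_t hi = a & 0x80;
        a <<= 1;
        if (hi) a ^= 0x1b;                 /* reduce mod x^8+x^4+x^3+x+1 */
        b >>= 1;
    }
    return p;
}

static uint8_t gf_inv(uint8_t a) {         /* a^254 == a^-1, and 0 -> 0 */
    uint8_t r = 1, base = a;
    for (int i = 0; i < 8; i++) {          /* exponent 254 = 0b11111110 */
        if ((254 >> i) & 1) r = gf_mul(r, base);
        base = gf_mul(base, base);
    }
    return r;
}

static void init_sbox(void) {
    for (int i = 0; i < 256; i++) {
        uint8_t x = gf_inv((uint8_t)i), s = x;
        for (int k = 1; k <= 4; k++) s ^= (uint8_t)((x << k) | (x >> (8 - k)));
        sbox[i] = s ^ 0x63;
    }
}

/* Leaky: the address read depends on the secret byte x, so an attacker
 * sharing the cache can learn which table line was loaded. */
uint8_t sbox_lookup_leaky(uint8_t x) { return sbox[x]; }

/* Constant-time: every entry is read regardless of x; the mask is 0xff
 * only for the matching index, so the access pattern reveals nothing. */
uint8_t sbox_lookup_ct(uint8_t x) {
    uint8_t out = 0;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t d = i ^ x;                              /* 0 iff i == x */
        uint8_t mask = (uint8_t)(((d - 1u) >> 8) & 0xffu); /* 0xff iff d == 0 */
        out |= sbox[i] & mask;
    }
    return out;
}

/* Returns 1 if the constant-time lookup agrees with the table for all inputs. */
int ct_matches_table(void) {
    init_sbox();
    for (int x = 0; x < 256; x++)
        if (sbox_lookup_ct((uint8_t)x) != sbox_lookup_leaky((uint8_t)x)) return 0;
    return 1;
}
```

The scan costs 256 reads per byte instead of one, which is why real constant-time AES implementations use bitslicing or hardware instructions (AES-NI) rather than this pattern; the snippet only shows the principle.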

The release brings other improvements, for instance a 2.5 times performance increase of the Serpent algorithm on 64-bit systems, EFI system encryption support on 32-bit versions of Windows, and a fix for EFS data access issues on Windows 10.

The documentation has been updated to inform users about potential security issues; the entry for the tokenpin command line parameter is one example.

VeraCrypt users who are interested in the audit can find the technical report here (PDF document). The release notes of the new version are posted on the official VeraCrypt project website.

Closing Words

VeraCrypt's security has improved significantly thanks to the audit, although work remains to address the issues that are too complex to be fixed in a short period of time.

Since it is one of the few remaining TrueCrypt forks or successor projects that is still updated regularly, it may be a good idea to migrate to it if that has not been done already.

Now You: Do you use an encryption software? If so which and why?