When the TrueCrypt encryption software project was abandoned two years ago, it left many folks looking for an open source encryption system. VeraCrypt appeared on the scene as a TrueCrypt alternative. VeraCrypt is a fork of the original TrueCrypt code, and the project is run and managed almost single handedly by French IT security consultant Mounir Idrassi.
Idrassi’s motivation for developing VeraCrypt stems back to 2012 when he was asked to integrate TrueCrypt with a client’s product. Before doing this he carried out a security audit of the code and discovered some issues. “There were no big problems, no backdoors or anything like that. But there were some small things, so we decided to start VeraCrypt,” he said.
Idrassi is not the only one who has discovered problems. A security researcher on Google’s Project Zero bug hunting team in 2015 found two critical vulnerabilities in TrueCrypt.
Improving on TrueCrypt
Idrassi’s main concern was that TrueCrypt was not secure against brute force attacks, an issue he addressed by beefing up the transformation process.
While VeraCrypt is a popular TrueCrypt alternative, it has reached a crossroads and major changes may be afoot. The project has become too much for Idrassi, as he is only able to devote around 10 hours a week to it.
“To be honest from a maintenance point of view, it is too big and costly to run,” he said. “I can’t handle it any more unless I recruit dedicated engineers.”
Most open source projects rely on contributions from volunteers. In the case of VeraCrypt, though, that isn’t possible, Idrassi explained. “Many people offer to help, but a lack of skill is the blocking factor. Most people just don’t have the know-how to implement such low level software, so very few people can actually contribute.”
He also believes that many U.S.-based experts may be put off working on VeraCrypt. “If you contribute to a project like this, then you will be on a watch list in the U.S. … That’s why not a lot of people contribute,” he said when the project began in 2014.
Enterprise Version of VeraCrypt?
One possibility that Idrassi is considering is producing an enterprise version of the software that includes extra features or services which businesses would be prepared to pay for. Idrassi points to Red Hat’s model of charging for Red Hat Enterprise Linux as an example.
“The main encryption product would be free, but we would charge for extras to help drive development and full time support,” he said.
Another possibility is to decouple the underlying encryption engine from the user interface. “VeraCrypt would become just an engine, and someone else (or other teams) could provide the user interface for it,” he said.
Idrassi believes that decoupling the encryption engine from the user interface may be a good idea in any case because the current one – which is unchanged from the original TrueCrypt design – is too difficult for many people to use.
“Unfortunately the user interface at the moment is too technical and too complicated for ordinary users,” he said. “I need other people to help so I don’t have to make the interface.”
The positive side of the complexity coin is that VeraCrypt’s current interface means that people have to have some security knowledge to use it, or at least to teach themselves how to use the software.
“If the software was too easy to use then people could undermine their own security (by not using it correctly), but the challenge is to create an easy to use interface that still guarantees security. As it stands VeraCrypt is not ready for the masses, and it’s mostly used by IT people protecting company assets, ” Idrassi said.
An obvious question to ask is why, since VeraCrypt is difficult to use, “the masses” should be interested in using VeraCrypt instead of a simple point-and-click encryption solution such as Microsoft’s BitLocker? “The problem with BitLocker is that no one has any idea of the code behind it,” he said.
Another problem with one-click security is that people don’t understand the importance of a good password, he added. “The most important way to get good security is through education.”
More Transparent than TrueCrypt
Before VeraCrypt, everything behind TrueCrypt was “obscure and anonymous,” Idrassi pointed out. “I wanted an open and transparent project that could be easily updated, and that I could be confident of its provenance,” he said. “When TrueCrypt dies, this became important as there was no alternative.”
Talking of provenance, it’s important to try to establish whether law enforcement or security agencies have tried to interfere with the development of VeraCrypt. Idrassi said he was contacted by the French ANSSI, a government agency responsible for IT security, and that while he was invited to make a presentation about the project to the agency, he has not been asked to make any changes to the code.
Still, he doesn’t rule out the possibility that authorities are taking a close interest in the project. He said previously that “for more than 10 years, law enforcement agencies have developed an infrastructure and tools to do forensic analysis of TrueCrypt volumes.”
Given that, you would expect VeraCrypt to come under similar scrutiny. “From the questions I receive on the forum, many people out there are looking at it under the hood so I would not be surprised,” he said.
Since VeraCrypt first appeared in June 2014, Idrassi has made regular updates to the software, the most recent being version 1.17 released in February 2016. Most changes have been security fixes to the original TrueCrypt code and optimizations (such as an optimization in version 1.17 that attempts to address criticism about how slow VeraCrypt is at opening an encrypting volume by cutting mount/boot time in half).
The major feature that Idrassi has been working on, with help from a Russian contributor, is support for UEFI, which enables full support for operating systems such as Windows 10 as well as support for smart cards and USB keys in place of passwords.
(One technical drawback for UEFI support is that precludes full disk encryption because UEFI boots from a partition that can’t be encrypted. “You can only offer partial encryption,” said Idrassi, “but that’s not a big problem.”)
A preview version of VeraCrypt with support for UEFI is available today, although this version does not include many VeraCrypt features (such as hidden operating systems). Idrassi is hopeful that a full version of VeraCrypt that supports UEFI will be available by the end of 2016.
Plans to include other features such as steganography (concealing messages in photos or other digital files) appear to have been dropped; Idrassi confirms that he has not been working on them over the past two years.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.