VeraCrypt 1.24 released, open-source encryption software

VeraCrypt 1.24 has been released. VeraCrypt is a fork of TrueCrypt that was released in June 2013; the project's main developer is the French security consultant Mounir Idrassi. Idrassi's motivation for creating the fork dates to 2012, when he was asked to integrate TrueCrypt into customers' products. After assessing the TrueCrypt code he found that it had some problems, the main weakness being that TrueCrypt does not protect against brute-force attacks. When encrypting the system partition, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations; for standard containers and non-system partitions, it uses up to 2,000 iterations. In contrast, VeraCrypt uses 327,661 iterations of PBKDF2-RIPEMD160 for the system partition, and for standard containers and non-system partitions the number of iterations is further increased to 655,331, which substantially increases the difficulty of brute force. As a result, VeraCrypt opens encrypted partitions slightly more slowly, and its encrypted format is not compatible with TrueCrypt's. Another TrueCrypt fork, the CipherShed project, strives to stay compatible with the TrueCrypt encrypted format. (The description above is from Solidot.)

VeraCrypt strengthens the algorithms used for system and partition encryption, making them more resistant to brute-force attacks. VeraCrypt also addresses a number of vulnerabilities and security issues found in TrueCrypt. The following post describes some of the improvements and corrections: https://veracrypt.codeplex.com/discussions/569777#PostContent_1313325
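To make the effect of the iteration counts quoted above concrete, the following added example (not VeraCrypt's code) derives a key with PBKDF2 and estimates what one password attempt costs under each configuration. The function names, the 64-byte salt and key length, and the one-million-entry dictionary are assumptions for illustration; SHA-512 is used as a stand-in when the local OpenSSL build no longer offers RIPEMD-160.

```python
import hashlib
import hmac
import time

# PBKDF2 iteration counts quoted in the article.
ITERATIONS = {
    "truecrypt-system": 1_000,
    "truecrypt-standard": 2_000,
    "veracrypt-system": 327_661,
    "veracrypt-standard": 655_331,
}

def pick_digest():
    """RIPEMD-160 if this OpenSSL build still provides it, else SHA-512 as a stand-in."""
    try:
        hashlib.pbkdf2_hmac("ripemd160", b"probe", b"salt", 1)
        return "ripemd160"
    except ValueError:
        return "sha512"

def derive_key(password, salt, iterations, digest):
    """Every password attempt, legitimate or guessed, pays for this full derivation."""
    return hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations, dklen=64)

def verify(password, salt, iterations, digest, expected_key):
    """Constant-time comparison of the derived key with the expected one."""
    return hmac.compare_digest(derive_key(password, salt, iterations, digest), expected_key)

def seconds_per_guess(digest, sample=20_000):
    """Time a short derivation and scale it linearly to each configuration."""
    start = time.perf_counter()
    derive_key("benchmark", b"\x00" * 64, sample, digest)
    per_iteration = (time.perf_counter() - start) / sample
    return {name: count * per_iteration for name, count in ITERATIONS.items()}

def work_factor(before, after):
    """How many times more hashing one guess costs after the change."""
    return ITERATIONS[after] / ITERATIONS[before]

if __name__ == "__main__":
    digest = pick_digest()
    wordlist = 1_000_000  # constructed dictionary size, one CPU core
    for name, cost in seconds_per_guess(digest).items():
        hours = cost * wordlist / 3600
        print(f"{name:20s} {cost * 1000:9.3f} ms/guess {hours:10.2f} h per 1M guesses ({digest})")
    print("system factor:  ", round(work_factor("truecrypt-system", "veracrypt-system"), 1))
    print("standard factor:", round(work_factor("truecrypt-standard", "veracrypt-standard"), 1))
```

The same cost is paid once per mount by the legitimate user, which is why the article notes that VeraCrypt opens volumes slightly more slowly.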

[Screenshot: VeraCrypt encrypting the system partition on the fly]

[Screenshot: VeraCrypt creating an encrypted volume]

The complete list of improvements:

  • All OSs:
    • Increase password maximum length to 128 bytes in UTF-8 encoding for non-system volumes.
      • Add option to use legacy maximum password length (64) instead of new one for compatibility reasons.
    • Use Hardware RNG based on CPU timing jitter "Jitterentropy" by Stephan Mueller as a good alternative to CPU RDRAND (http://www.chronox.de/jent.html)
    • Speed optimization of XTS mode on 64-bit machine using SSE2 (up to 10% faster).
    • Fix detection of CPU features AVX2/BMI2. Add detection of RDRAND/RDSEED CPU features. Detect Hygon CPU as AMD one.
  • Windows:
    • Implement RAM encryption for keys and passwords using ChaCha12 cipher, t1ha non-cryptographic fast hash and ChaCha20 based CSPRNG.
      • Available only on 64-bit machines.
      • Disabled by default. Can be enabled using option in UI.
      • Less than 10% overhead on modern CPUs.
      • Side effect: Windows Hibernate is not possible if VeraCrypt System Encryption is also being used.
    • Mitigate some memory attacks by making VeraCrypt applications memory inaccessible to non-admin users (based on KeePassXC implementation)
    • New security features:
      • Erase system encryption keys from memory during shutdown/reboot to help mitigate some cold boot attacks
      • Add option when system encryption is used to erase all encryption keys from memory when a new device is connected to the system.
      • Add new driver entry point that can be called by applications to erase encryption keys from memory in case of emergency.
    • MBR Bootloader: dynamically determine boot loader memory segment instead of hardcoded values (proposed by neos6464)
    • MBR Bootloader: workaround for issue affecting creation of hidden OS on some SSD drives.
    • Fix issue related to Windows Update breaking VeraCrypt UEFI bootloader.
    • Several enhancements and fixes for EFI bootloader:
      • Implement timeout mechanism for password input. Set default timeout value to 3 minutes and default timeout action to "shutdown".
      • Implement new actions "shutdown" and "reboot" for EFI DcsProp config file.
      • Enhance Rescue Disk implementation of restoring VeraCrypt loader.
      • Fix ESC on password prompt during Pre-Test not starting Windows.
      • Add menu entry in Rescue Disk that enables starting original Windows loader.
      • Fix issue that was preventing Streebog hash from being selected manually during Pre-Boot authentication.
      • If "VeraCrypt" folder is missing from Rescue Disk, it will boot PC directly from bootloader stored on hard drive
        • This makes it easy to create a bootable disk for VeraCrypt from Rescue Disk just by removing/renaming its "VeraCrypt" folder.
    • Add option (disabled by default) to use CPU RDRAND or RDSEED as an additional entropy source for our random generator when available.
    • Add mount option (both UI and command line) that allows mounting a volume without attaching it to the specified drive letter.
    • Update libzip to version 1.5.2
    • Do not create uninstall shortcut in startmenu when installing VeraCrypt. (by Sven Strickroth)
    • Enable selection of Quick Format for file containers creation. Separate Quick Format and Dynamic Volume options in the wizard UI.
    • Fix editor of EFI system encryption configuration file not accepting ENTER key to add new lines.
    • Avoid simultaneous calls of favorites mounting, for example if corresponding hotkey is pressed multiple times.
    • Ensure that only one thread at a time can create a secure desktop.
    • Resize some dialogs in Format and Mount Options to fix some text truncation issues with non-English languages.
    • Fix high CPU usage when using favorites and add switch to disable periodic check on devices to reduce CPU load.
    • Minor UI changes.
    • Updates and corrections to translations and documentation.
  • MacOSX:
    • Add check on size of file container during creation to ensure it's smaller than available free disk space. Add CLI switch --no-size-check to disable this check.
  • Linux:
    • Make CLI switch --import-token-keyfiles compatible with Non-Interactive mode.
    • Add check on size of file container during creation to ensure it's smaller than available free disk space. Add CLI switch --no-size-check to disable this check.


Origin www.oschina.net/news/110407/veracrypt-1-24-released