Channel: VeraCrypt
Viewing all 7620 articles

New Post: Portable version auto dismount on Windows Explorer closing

I had been using TrueCrypt portable on a USB flash drive and had 2 batch files to mount and dismount volumes. The volumes would show up as normal drive letters in Windows Explorer. If I closed all Windows Explorer windows the drives would remain mounted. They would only be dismounted if I ran the dismount batch file.

In Veracrypt 1.17 the Mount batch file has the following command:

VeraCrypt\VeraCrypt.exe /q background /tc /e /m rm /v "EncryptedVolumeFileName"

When I close all the Windows Explorer windows the drive automatically dismounts. Also, instead of the volume showing up as a normal hard drive letter, it's showing up as a B: floppy drive letter.

Why is Veracrypt dismounting the volume automatically and why is it mounting it as a Floppy Drive letter?

These are the settings in Veracrypt:

Image

New Post: Is there a way to speed up mounting of external HDD on a Windows XP desktop?

testoslav wrote:
Long boot time leads people to sleep their machines / leave them running instead turning them off...
Yeah, good point. Say, if I leave my machine running but locked up with a Windows account password. What could an attacker realistically do if I'm not around? (My encrypted drive is an external HDD connected via a USB cable.)

PS. I understand that there's a "Cold boot attack" but honestly, it sounds more plausible on paper than in reality. Obviously if I was an enemy of the state, then yes. But again, I'm talking about a "realistic" scenario.

New Post: BUG: long Unicode passwords are broken!

When trying to make a new volume with a long Unicode password (45+ characters), Veracrypt treats the password as invalid, or not matching.

Try this please:
1) Press the button to create a new encrypted file container.
2) On the "Volume Password" screen, try pasting this password in:
ô7hÝá“3#3bža%Ñ‘¼¬<Þ%$T,‰Žžnv´!ÇZ^ÒƒÈþgH1ûßîjX
3) Notice that the "Next" button is grayed out on the bottom. This password doesn't work!
4) Now paste this password instead. It should work fine:
Dsw[#hZ.r8ikIbV1Yh]sk2iX&1{LF0k.<T]CyD.nXIb3f
This only happens when there are Unicode characters in a long password (45+ characters). Shorter passwords, even with Unicode characters, usually work fine.
The error is not consistent however. I think there is a bug in the "password verification" code.

New Post: DiskCryptor and Veracrypt on same PC

Hello,

I know RevolutionOS is much better than Windows but I want to encrypt my HDDs with hardware but I don't have money :) I love security, encryption and privacy. Now, this time I will decrypt with DiskCryptor, then remove it and use VC. But I am waiting for idrassi: is it crackable :)?

Thanks.

New Post: Portable version auto dismount on Windows Explorer closing

Hi,

First of all, A: or B: are not dismounted when you close all Explorer instances; they just become invisible. You can still access them by typing A:\ or B:\ in the Explorer address bar, or by right-clicking on the VeraCrypt icon in the system tray to display its menu and then selecting "Open A:" or "Open B:".

What you are seeing here is an issue in Windows Explorer, which doesn't correctly handle volumes mounted as removable media in A: or B:. In this case, Explorer doesn't correctly refresh the drive list to include A: or B:.

Easiest way to solve the issue is to avoid mounting as removable media: this way, A: and B: will behave as normal disks.

Also, you can choose the drive letter explicitly to avoid using A: or B:.

In your command line, you are not specifying a drive letter and that's why VeraCrypt chooses A: since it is the first available drive letter. In order to avoid cases like yours, I have made a change in the drive letters selection algorithm in order to make VeraCrypt choose A: or B: only when there are no other free drive letters: https://veracrypt.codeplex.com/SourceControl/changeset/c2f285d2b4d587c9a0d7635db57de62e05f1f023

I have uploaded a new build of version 1.18-BETA that includes this modification. You can get it here: https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/

You can use it if you don't want to change your command line, but beware that the issue will appear again if the only free drive letter is A: or B:, since the root cause of this is a Windows Explorer refresh issue for removable media mounted in A: or B:.

Thank you for sharing this issue.

New Post: BUG: long Unicode passwords are broken!

This is not a bug but a simple case of a password whose byte encoding exceeds the 64-byte limit imposed on the input of the key derivation function.

VeraCrypt added support for Unicode passwords as a way to strengthen passwords easily, but in the end the password must be converted to bytes, and the maximum input size in bytes is 64.

By using, for example, the following web site, you can check the effective length of the password after conversion to bytes: https://mothereff.in/utf-8
  • The first password is 45 Unicode characters, encoded using 70 bytes, which exceeds the 64-byte limit => "Next" button grayed out.
  • The second password is 45 ASCII characters, encoded using 45 bytes, which is below the 64-byte limit => "Next" button activated.
In the future, it is planned to increase the 64-byte maximum limit, but there are some compatibility and performance issues that must be taken into account before making such a change.

New Post: 1.18 Beta Release - Feedback or Issues

New Post: BUG: long Unicode passwords are broken!

Thanks for the quick response!

But why not just run the password input through SHA-512, then pass the 64-byte digest into the key derivation function? :)

New Post: DiskCryptor and Veracrypt on same PC

idrassi wrote:
Alex512 meant that you can use VeraCrypt on the same machine to encrypt disks/partitions while you can leave DiskCryptor for Windows encryption and pre-boot authentication. I agree that this is possible.

What is not possible is encrypting Windows system with both DiskCryptor and VeraCrypt at the same time.
Absolutely right idrassi.

I am encrypting the partition (not the system partition) with DiskCryptor and then on THAT (encrypted) partition I use VC to create encrypted containers. It has worked perfectly for many years (even before, with TC instead of VC). Absolutely safe, with no problems with virtually all versions of VC!

I also have one VC container inside another VC container. Never had issues with VC not being able to cope with that. Works perfectly!

I once tried using DiskCryptor to encrypt the whole system (the C: drive actually), it worked fine for a couple of days and then I lost my data. So no more DiskCryptor for system encryption for sure!

New Post: DiskCryptor and Veracrypt on same PC

Alex512 wrote:
idrassi wrote:
Alex512 meant that you can use VeraCrypt on the same machine to encrypt disks/partitions while you can leave DiskCryptor for Windows encryption and pre-boot authentication. I agree that this is possible.

What is not possible is encrypting Windows system with both DiskCryptor and VeraCrypt at the same time.
Absolutely right idrassi.

I am encrypting the partition (not the system partition) with DiskCryptor and then on THAT (encrypted) partition I use VC to create encrypted containers. It has worked perfectly for many years (even before, with TC instead of VC). Absolutely safe, with no problems with virtually all versions of VC!

I also have one VC container inside another VC container. Never had issues with VC not being able to cope with that. Never bothered to manually dismount the inner container first and then the outer... simply shut down and go... Works perfectly!

I once tried using DiskCryptor to encrypt the whole system (the C: drive actually), it worked fine for a couple of days and then I lost my data. So no more DiskCryptor for system encryption for sure!
I have been using DiskCryptor for a long time and I haven't had any problems with it. But I love security, therefore I want to use more and more encryption on my disk.
Alex512, could you please help me with setting up VC correctly. Please e-mail me: malware@protonmail.ch
I need your help my friend, I don't want to make mistakes on my disks.

Created Unassigned: Security Issue - PSExec [443]

I discovered that when I mount an encrypted volume using a drive letter on my machine, anyone with admin access to my machine can use PSExec to start a remote command prompt and access the volume by browsing to the drive letter I mounted.

Commented Unassigned: Security Issue - PSExec [443]

Comments: This is a Windows security setup issue and not a VeraCrypt issue. http://www.howtogeek.com/school/sysinternals-pro/lesson8/all/

Closed Unassigned: Security Issue - PSExec [443]

Comments: Confirming Enigma2Illusion's statement. Someone with admin rights on a machine has full control and nothing can limit their actions. Please read:
  • https://veracrypt.codeplex.com/wikipage?title=Malware
  • https://veracrypt.codeplex.com/wikipage?title=Multi-User%20Environment

New Post: BUG: long Unicode passwords are broken!

Actually, hashing is already implemented in the derive_key_XXX functions in Pkcs5.c (below is an extract of derive_key_sha512).
One idea that has already been proposed is to apply the hash at the top of the logic, using the same hash as the PRF, and to do it only for passwords exceeding the 64-byte limit in order to retain compatibility with existing containers. The implementation has never made it into the official sources and more time is needed to study it.
void derive_key_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen)
{
    hmac_sha512_ctx hmac;
    sha512_ctx* ctx;
    char* buf = hmac.k; /* there is enough space to hold SHA512_BLOCKSIZE (128) bytes
                         * because k is followed by u in hmac_sha512_ctx
                         */
    int b, l, r;
    char key[SHA512_DIGESTSIZE];

    /* If the password is longer than the hash algorithm block size,
       let pwd = sha512(pwd), as per HMAC specifications. */
    if (pwd_len > SHA512_BLOCKSIZE)
    {
        sha512_ctx tctx;

        sha512_begin (&tctx);
        sha512_hash ((unsigned char *) pwd, pwd_len, &tctx);
        sha512_end ((unsigned char *) key, &tctx);

        pwd = key;
        pwd_len = SHA512_DIGESTSIZE;

        burn (&tctx, sizeof(tctx));        /* Prevent leaks */
    }

    /* Extract ends here; the rest of derive_key_sha512 follows in Pkcs5.c. */
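The following is an added example (not VeraCrypt project code) that ties together the two points made in this thread: why the 45-character Unicode password posted earlier exceeds the 64-byte limit once encoded, and what the "pre-hash only passwords longer than 64 bytes" proposal would change. It assumes the limit is applied to the UTF-8 encoding of the password (the earlier reply points to a UTF-8 length checker), uses PBKDF2-HMAC-SHA512 from hashlib as a stand-in for derive_key_sha512, and uses a constructed salt and iteration count rather than VeraCrypt's own.

```python
"""Added example, not VeraCrypt project code: the 64-byte password limit and
the "pre-hash passwords longer than 64 bytes" proposal from the thread.

Labelled assumptions: the limit applies to the UTF-8 encoding of the
password; hashlib's PBKDF2-HMAC-SHA512 stands in for derive_key_sha512; the
salt and iteration count are constructed sample values, not VeraCrypt's.
"""
import hashlib

PASSWORD_BYTE_LIMIT = 64   # limit quoted in the thread
SHA512_BLOCKSIZE = 128     # HMAC-SHA512 block size, as in the Pkcs5.c extract

# Both passwords are the ones posted in the thread.
UNICODE_PW = "ô7hÝá“3#3bža%Ñ‘¼¬<Þ%$T,‰Žžnv´!ÇZ^ÒƒÈþgH1ûßîjX"
ASCII_PW = "Dsw[#hZ.r8ikIbV1Yh]sk2iX&1{LF0k.<T]CyD.nXIb3f"


def encoded_length(password: str) -> int:
    """Effective password length in bytes after UTF-8 encoding (what the KDF sees)."""
    return len(password.encode("utf-8"))


def is_accepted(password: str) -> bool:
    """Current rule: accepted only if the UTF-8 form fits in 64 bytes."""
    return encoded_length(password) <= PASSWORD_BYTE_LIMIT


def hmac_would_prehash(password: str) -> bool:
    """HMAC itself only hashes keys longer than the 128-byte block size (the
    `pwd_len > SHA512_BLOCKSIZE` branch in the extract), so a 65..128-byte
    password is rejected by the 64-byte limit before HMAC would ever shorten it."""
    return encoded_length(password) > SHA512_BLOCKSIZE


def kdf_input(password: str, prehash_long: bool = False) -> bytes:
    """Bytes handed to the KDF.

    prehash_long=False reproduces the current rule and raises when the limit
    is exceeded. prehash_long=True applies the thread's proposal: a password
    over 64 bytes is replaced by its 64-byte SHA-512 digest, while shorter
    passwords pass through unchanged so existing containers still open."""
    pw = password.encode("utf-8")
    if len(pw) <= PASSWORD_BYTE_LIMIT:
        return pw
    if not prehash_long:
        raise ValueError(
            f"password encodes to {len(pw)} bytes, limit is {PASSWORD_BYTE_LIMIT}")
    return hashlib.sha512(pw).digest()


def derive_key(password: str, salt: bytes, iterations: int = 1000,
               prehash_long: bool = False) -> bytes:
    """Stand-in for derive_key_sha512: PBKDF2-HMAC-SHA512 over kdf_input()."""
    return hashlib.pbkdf2_hmac("sha512", kdf_input(password, prehash_long),
                               salt, iterations, dklen=64)


if __name__ == "__main__":
    salt = bytes(range(64))  # constructed sample salt
    for pw in (UNICODE_PW, ASCII_PW):
        print(f"{len(pw)} chars -> {encoded_length(pw)} bytes, "
              f"accepted={is_accepted(pw)}")
    # Compatibility check: the proposal leaves keys of accepted passwords unchanged.
    assert derive_key(ASCII_PW, salt) == derive_key(ASCII_PW, salt, prehash_long=True)
    print("proposal accepts the long Unicode password, key prefix:",
          derive_key(UNICODE_PW, salt, prehash_long=True).hex()[:16])
```

The compatibility property the thread cares about is visible in the last assertion: because the pre-hash is applied only above the limit, every password that opens a container today derives exactly the same key under the proposal, while passwords that are currently rejected get a fixed 64-byte input instead.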

Commented Unassigned: Focus stealing [441]

While mounting multiple favourite volumes, with the same password, keeping the password cached during that time, Veracrypt will steal focus from any application when mounting the next volume.

I first discovered this problem in version 1.11 and it was fixed when I updated to 1.16 (so that's not necessarily the version that fixed it; I just skipped the versions in between). Anyway, now it's back in 1.17. In other words, it's a regression.

This is Windows 10 x64, latest stable version, and VC 1.17 x64. Driver is installed, program runs as admin.
Comments: I can't reproduce it here. Can you please give a detailed step-by-step description of what you are doing, or better, post a video of the issue? On my side, I tested using 3 favorites on Windows 10 Pro x64 and mounting all favorites using either a hotkey or the menu, after checking the option to cache the password during the multiple favorite mount operation. I also tested with the VeraCrypt window minimized to the system tray. After the password dialog is displayed, I enter the password, click OK and then the waiting dialog appears. After that, I switch to another application (a text editor in my case) and I start typing. At no moment was the focus on the text editor lost, and the waiting dialog always stayed in the background.

New Post: Specific Hard Drive Support

Sorry to return to this thread again and so late, but believe it or not I have only just received these drives; it's a long story!

Mounir
and avoiding encryption of RAW disk should be enough.
I have realised that "RAW" mode is what I was intending to use, as I wanted to encrypt the entire slave drive and not simply make a container file.

Mounir
Of course, this issue must be addressed to avoid issues in special cases. I have already done some modifications but since this part of code is very sensitive, I will not release anything before doing extensive testing and debugging.
Has there been any progress on this recently ? I would very much like to use RAW mode on these 4TB drives as soon as you say it is safe to do so.

Also I am unsure how to format the opened drive, as far as I understand NTFS cannot, or perhaps should not, be used on drives larger than 2TB. So I suppose I need to RAW encrypt the entire drive, open it and then format the opened drive as GPT. I guess I need to do this manually through windows disk management after encrypting with VeraCrypt ?

Thanks for your work on VeraCrypt, Mounir.

New Post: Specific Hard Drive Support

Thanks for the update.

I think there is a misunderstanding about the word "RAW". By RAW, I mean a non-partitioned disk where the drive is encrypted as a whole without first creating a partition on it. The opposite of "RAW" is not using file containers, but rather creating a single partition on the disk that takes all free space.

In this context, do you really need to encrypt the disk in "RAW" mode without any partition, or is it acceptable for you to create a single partition on it (GPT) and then encrypt this partition using VeraCrypt?

As for using NTFS, you can choose it as filesystem even for such big disk. During the disk encryption process in VeraCrypt, just choose NTFS and VeraCrypt will do it for you.

Anyway, as I said earlier, partitioning your disk and encrypting this partition alongside using NTFS for the filesystem should be enough to avoid any issues.

Concerning the modification in VeraCrypt to adapt to native 4096-byte alignment, no progress has been made on this since the priority now is UEFI support, which is advancing quite well; an experimental version should be available very soon.

Updated Wiki: Issues and Limitations

Known Issues & Limitations

Known Issues

  • On Windows, it may happen that two drive letters are assigned to a mounted volume instead of a single one. This is caused by an issue with the Windows Mount Manager cache and it can be solved by typing the command "mountvol.exe /r" in an elevated command prompt (run as an administrator) before mounting any volume. If the issue persists after rebooting, the following procedure can be used to solve it:
    • Check the registry key "HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices" using regedit. Scroll down and you'll find entries starting with "\DosDevices\" or "\Global??\" which indicate the drive letters that are taken by the system. Before mounting any volume, double click on each one and remove the ones whose data contains the name "VeraCrypt" or "TrueCrypt".
      Also, there are other entries whose names start with "#{" and "\??\Volume{": double click on each one of them and remove the ones whose data value contains the name "VeraCrypt" or "TrueCrypt".

Limitations

  • [Note: This limitation does not apply to users of Windows Vista and later versions of Windows.] On Windows XP/2003, VeraCrypt does not support encrypting an entire system drive that contains extended (logical) partitions. You can encrypt an entire system drive provided that it contains only primary partitions. Extended (logical) partitions must not be created on any system drive that is partially or fully encrypted (only primary partitions may be created on it). Note: If you need to encrypt an entire drive containing extended partitions, you can encrypt the system partition and, in addition, create partition-hosted VeraCrypt volumes within any non-system partitions on the drive. Alternatively, you may want to consider upgrading to Windows Vista or a later version of Windows.
  • VeraCrypt currently does not support encrypting a system drive that has been converted to a dynamic disk.
  • To work around a Windows XP issue, the VeraCrypt boot loader is always automatically configured for the version of the operating system under which it is installed. When the version of the system changes (for example, the VeraCrypt boot loader is installed when Windows Vista is running but it is later used to boot Windows XP) you may encounter various known and unknown issues (for example, on some notebooks, Windows XP may fail to display the log-on screen). Note that this affects multi-boot configurations, VeraCrypt Rescue Disks, and decoy/hidden operating systems (therefore, if the hidden system is e.g. Windows XP, the decoy system should be Windows XP too).
  • The ability to mount a partition that is within the key scope of system encryption without pre-boot authentication (for example, a partition located on the encrypted system drive of another operating system that is not running), which can be done e.g. by selecting System > Mount Without Pre-Boot Authentication, is limited to primary partitions (extended/logical partitions cannot be mounted this way).
  • Due to a Windows 2000 issue, VeraCrypt does not support the Windows Mount Manager under Windows 2000. Therefore, some Windows 2000 built-in tools, such as Disk Defragmenter, do not work on VeraCrypt volumes. Furthermore, it is not possible to use the Mount Manager services under Windows 2000, e.g., assign a mount point to a VeraCrypt volume (i.e., attach a VeraCrypt volume to a folder).
  • VeraCrypt does not support pre-boot authentication for operating systems installed within VHD files, except when booted using appropriate virtual-machine software such as Microsoft Virtual PC.
  • The Windows Volume Shadow Copy Service is currently supported only for partitions within the key scope of system encryption (e.g. a system partition encrypted by VeraCrypt, or a non-system partition located on a system drive encrypted by VeraCrypt, mounted when the encrypted operating system is running). Note: For other types of volumes, the Volume Shadow Copy Service is not supported because the documentation for the necessary API is not available.
  • Windows boot settings cannot be changed from within a hidden operating system if the system does not boot from the partition on which it is installed. This is due to the fact that, for security reasons, the boot partition is mounted as read-only when the hidden system is running. To be able to change the boot settings, please start the decoy operating system.
  • Encrypted partitions cannot be resized except partitions on an entirely encrypted system drive that are resized while the encrypted operating system is running.
  • When the system partition/drive is encrypted, the system cannot be upgraded (for example, from Windows XP to Windows Vista) or repaired from within the pre-boot environment (using a Windows setup CD/DVD or the Windows pre-boot component). In such cases, the system partition/drive must be decrypted first. Note: A running operating system can be updated (security patches, service packs, etc.) without any problems even when the system partition/drive is encrypted.
  • System encryption is supported only on drives that are connected locally via an ATA/SCSI interface (note that the term ATA also refers to SATA and eSATA).
  • When system encryption is used (this also applies to hidden operating systems), VeraCrypt does not support multi-boot configuration changes (for example, changes to the number of operating systems and their locations). Specifically, the configuration must remain the same as it was when the VeraCrypt Volume Creation Wizard started to prepare the process of encryption of the system partition/drive (or creation of a hidden operating system).

    Note: The only exception is the multi-boot configuration where a running VeraCrypt-encrypted operating system is always located on drive #0, and it is the only operating system located on the drive (or there is one VeraCrypt-encrypted decoy and one VeraCrypt-encrypted hidden operating system and no other operating system on the drive), and the drive is connected or disconnected before the computer is turned on (for example, using the power switch on an external eSATA drive enclosure). There may be any additional operating systems (encrypted or unencrypted) installed on other drives connected to the computer (when drive #0 is disconnected, drive #1 becomes drive #0, etc.)
  • When the notebook battery power is low, Windows may omit sending the appropriate messages to running applications when the computer is entering power saving mode. Therefore, VeraCrypt may fail to auto-dismount volumes in such cases.
  • Preserving of any timestamp of any file (e.g. a container or keyfile) is not guaranteed to be reliably and securely performed (for example, due to filesystem journals, timestamps of file attributes, or the operating system failing to perform it for various documented and undocumented reasons). Note: When you write to a file-hosted hidden volume, the timestamp of the container may change. This can be plausibly explained as having been caused by changing the (outer) volume password. Also note that VeraCrypt never preserves timestamps of system favorite volumes (regardless of the settings).
  • Special software (e.g., a low-level disk editor) that writes data to a disk drive in a way that circumvents drivers in the driver stack of the class ‘DiskDrive’ (GUID of the class is 4D36E967-E325-11CE-BFC1-08002BE10318) can write unencrypted data to a non-system drive hosting a mounted VeraCrypt volume (‘Partition0’) and to encrypted partitions/drives that are within the key scope of active system encryption (VeraCrypt does not encrypt data written that way). Similarly, software that writes data to a disk drive circumventing drivers in the driver stack of the class ‘Storage Volume’ (GUID of the class is 71A27CDD-812A-11D0-BEC7-08002BE2092F) can write unencrypted data to VeraCrypt partition-hosted volumes (even if they are mounted).
  • For security reasons, when a hidden operating system is running, VeraCrypt ensures that all local unencrypted filesystems and non-hidden VeraCrypt volumes are read-only. However, this does not apply to filesystems on CD/DVD-like media and on custom, atypical, or non-standard devices/media (for example, any devices/media whose class is other than the Windows device class ‘Storage Volume’ or that do not meet the requirements of this class (GUID of the class is 71A27CDD-812A-11D0-BEC7-08002BE2092F)).
  • Device-hosted VeraCrypt volumes located on floppy disks are not supported. Note: You can still create file-hosted VeraCrypt volumes on floppy disks.
  • Windows Server editions don't allow the use of mounted VeraCrypt volumes as a path for server backup. This can be solved by activating sharing on the VeraCrypt volume through the Explorer interface (of course, you have to set the correct permissions to avoid unauthorized access) and then choosing the option "Remote shared folder" (it is not remote of course, but Windows needs a network path). There, you can type the path of the shared drive (for example \\ServerName\sharename) and the backup will be configured correctly.
  • Due to Microsoft design flaws in NTFS sparse file handling, you may encounter system errors when writing data to large Dynamic volumes (more than a few hundred GB). To avoid this, the recommended size for a Dynamic volume container file for maximum compatibility is 300 GB. The following link gives more details concerning this limitation: http://www.flexhex.com/docs/articles/sparse-files.phtml#msdn
  • Windows 8 introduced a new feature called "Hybrid boot and shutdown" to give users the impression that booting is quick. This feature is enabled by default and it has side effects on the use of VeraCrypt volumes. It is advised to disable this feature (e.g. this link explains how). Some examples of issues:
    • after a shutdown and a restart, a mounted volume will continue to be mounted without typing the password: this is due to the fact that the new Windows 8 shutdown is not a real shutdown but a disguised hibernate/sleep.
    • when using system encryption and when there are System Favorites configured to be mounted at boot time: after shutdown and restart, these system favorites will not be mounted.
  • A Windows system Repair/Recovery Disk can't be created when a VeraCrypt volume is mounted as a fixed disk (which is the default). To solve this, either dismount all volumes or mount volumes as removable media.
  • Further limitations are listed in the section Security Model.

Updated Wiki: Command Line Usage

Command Line Usage

Note that this section applies to the Windows version of VeraCrypt. For information on command line usage applying to the Linux and Mac OS X versions, please run: veracrypt -h

/help or /?Display command line help.
/truecrypt or /tcActivate TrueCrypt compatibility mode which enables mounting volumes created with TrueCrypt 6.x and 7.x series.
/hashIt must be followed by a parameter indicating the PRF hash algorithm to use when mounting the volume. Possible values for /hash parameter are: sha256, sha-256, sha512, sha-512, whirlpool, ripemd160 and ripemd-160. When /hash is omitted, VeraCrypt will try all possible PRF algorithms thus lengthening the mount operation time.
/volume or /v

It must be followed by a parameter indicating the file and path name of a VeraCrypt volume to mount (do not use when dismounting) or the Volume ID of the disk/partition to mount.
The syntax of the volume ID is ID:XXXXXX...XX where the XX part is a 64 hexadecimal characters string that represent the 32-Bytes ID of the desired volume to mount.

To mount a partition/device-hosted volume, use, for example,

/v \Device\Harddisk1\Partition3 (to determine the path to a partition/device, run VeraCrypt and clickSelect Device). You can also mount a partition or dynamic volume using its volume name (for example,

/v \\?\Volume{5cceb196-48bf-46ab-ad00-70965512253a}\). To determine the volume name use e.g. mountvol.exe. Also note that device paths are case-sensitive.

/v ID:

53B9A8D59CC84264004DA8728FC8F3E2EE6C130145ABD3835695C29FD601EDCA.
The Volume ID value can be retrieved using the volume properties dialog of the mounted disk/partition.
/letter or /lIt must be followed by a parameter indicating the driver letter to mount the volume as. When /l is omitted and when /a is used, the first free drive letter is used.
/explore or /eOpen an Explorer window after a volume has been mounted.
/beep or /bBeep after a volume has been successfully mounted or dismounted.
/auto or /aIf no parameter is specified, automatically mount the volume. If devices is specified as the parameter (e.g., /a devices), auto-mount all currently accessible device/partition-hosted VeraCrypt volumes. If favorites is specified as the parameter, auto-mount favorite volumes. Note that /auto is implicit if /quit and /volume are specified. If you need to prevent the application window from appearing, use /quit.
/dismount or /dDismount volume specified by drive letter (e.g., /d x). When no drive letter is specified, dismounts all currently mounted VeraCrypt volumes.
/force or /fForces dismount (if the volume to be dismounted contains files being used by the system or an application) and forces mounting in shared mode (i.e., without exclusive access).
/keyfile or /kIt must be followed by a parameter specifying a keyfile or a keyfile search path. For multiple keyfiles, specify e.g.: /k c:\keyfile1.dat /k d:\KeyfileFolder /k c:\kf2 To specify a keyfile stored on a security token or smart card, use the following syntax: token://slot/SLOT_NUMBER/file/FILE_NAME
/tryemptypass   ONLY when default keyfile configured or when a keyfile is specified in the command line.
If it is followed by y or yes or if no parameter is specified: try to mount using an empty password and the keyfile before displaying password prompt.
if it is followed by n or no: don't try to mount using an empty password and the keyfile, and display password prompt right away.
/tokenlibIt must be followed by a parameter indicating the PKCS #11 library to use for security tokens and smart cards. (e.g.: /tokenlib c:\pkcs11lib.dll)
/cache or /cIf it is followed by y or yes or if no parameter is specified: enable password cache;
if it is followed by n or no: disable password cache (e.g., /c n).
if it is followed by f or favorites: temporary cache password when mounting multiple favorites  (e.g., /c f).
Note that turning the password cache off will not clear it (use /w to clear the password cache).
/history or /hif it is followed by y or no parameter: enables saving history of mounted volumes; if it is followed byn: disables saving history of mounted volumes (e.g., /h n).
/wipecache or /wWipes any passwords cached in the driver memory.
/password or /pIt must be followed by a parameter indicating the volume password. If the password contains spaces, it must be enclosed in quotation marks (e.g., /p ”My Password”). Use /p ”” to specify an empty password.Warning: This method of entering a volume password may be insecure, for example, when an unencrypted command prompt history log is being saved to unencrypted disk.
/pimIt must be followed by a positive integer indicating the PIM (Personal Iterations Multiplier) to use for the volume.
/quit or /qAutomatically perform requested actions and exit (main VeraCrypt window will not be displayed). If preferences is specified as the parameter (e.g., /q preferences), then program settings are loaded/saved and they override settings specified on the command line. /q background launches the VeraCrypt Background Task (tray icon) unless it is disabled in the Preferences.
/silent or /sIf /q is specified, suppresses interaction with the user (prompts, error messages, warnings, etc.). If /q is not specified, this option has no effect.
/mountoption or /m

It must be followed by a parameter which can have one of the values indicated below.

ro or readonly: Mount volume as read-only.

rm or removable: Mount volume as removable medium (see sectionVolume Mounted as Removable Medium).

ts or timestamp: Do not preserve container modification timestamp.

sm or system: Without pre-boot authentication, mount a partition that is within the key scope of system encryption (for example, a partition located on the encrypted system drive of another operating system that is not running). Useful e.g. for backup or repair operations. Note: If you supply a password as a parameter of /p, make sure that the password has been typed using the standard US keyboard layout (in contrast, the GUI ensures this automatically). This is required due to the fact that the password needs to be typed in the pre-boot environment (before Windows starts) where non-US Windows keyboard layouts are not available.

bk or headerbak: Mount volume using embedded backup header. Note: All volumes created by VeraCrypt contain an embedded backup header (located at the end of the volume).

recovery: Do not verify any checksums stored in the volume header. This option should be used only when the volume header is damaged and the volume cannot be mounted even with the mount option headerbak. Example: /m ro.

label=LabelValue: Use the given string value LabelValue as a label of the mounted volume in Windows Explorer. The maximum length forLabelValue  is 32 characters for NTFS volumes and 11 characters for FAT volumes. For example,/m label=MyDrive will set the label of the drive in Explorer to MyDrive.

Please note that this switch may be present several times in the command line in order to specify multiple mount options (e.g., /m rm /m ts).

VeraCrypt Format.exe (VeraCrypt Volume Creation Wizard):

/create: Create a container-based volume in command line mode. It must be followed by the file name of the container to be created.
/size (Only with /create): It must be followed by a parameter indicating the size of the container file that will be created. This parameter is a number indicating the size in bytes. It can have a suffix 'K', 'M', 'G' or 'T' to indicate that the value is in Kilobytes, Megabytes, Gigabytes or Terabytes respectively. For example:

  • /size 5000000: the container size will be 5000000 bytes.
  • /size 25K: the container size will be 25 Kilobytes.
  • /size 100M: the container size will be 100 Megabytes.
  • /size 2G: the container size will be 2 Gigabytes.
  • /size 1T: the container size will be 1 Terabyte.
/password (Only with /create): It must be followed by a parameter indicating the password of the container that will be created.
/hash (Only with /create): It must be followed by a parameter indicating the PRF hash algorithm to use when creating the volume. It has the same syntax as for VeraCrypt.exe.
/encryption (Only with /create): It must be followed by a parameter indicating the encryption algorithm to use. The default is AES if this switch is not specified. The parameter can have the following values (case insensitive):
  • AES
  • Serpent
  • Twofish
  • AES(Twofish)
  • AES(Twofish(Serpent))
  • Serpent(AES)
  • Serpent(Twofish(AES))
  • Twofish(Serpent)
/filesystem (Only with /create): It must be followed by a parameter indicating the file system to use for the volume. The parameter can have the following values:
  • None: don't use any filesystem
  • FAT: format using FAT/FAT32
  • NTFS: format using NTFS. Please note that in this case a UAC prompt will be displayed unless the process is run with full administrative privileges.
/dynamic (Only with /create): It has no parameters and indicates that the volume will be created as a dynamic volume.
/force (Only with /create): It has no parameters and indicates that overwriting will be forced without requiring user confirmation.
/silent (Only with /create): It has no parameters and indicates that no message box or dialog will be displayed to the user. If there is any error, the operation will fail silently.
/noisocheck or /n: Do not verify that VeraCrypt Rescue Disks are correctly burned. WARNING: Never attempt to use this option to facilitate the reuse of a previously created VeraCrypt Rescue Disk. Note that every time you encrypt a system partition/drive, you must create a new VeraCrypt Rescue Disk even if you use the same password. A previously created VeraCrypt Rescue Disk cannot be reused as it was created for a different master key.

Syntax

VeraCrypt.exe [/tc] [/hash {sha256, sha-256, sha512, sha-512, whirlpool, ripemd160, ripemd-160}] [/a [devices|favorites]] [/b] [/c [y|n|f]] [/d [drive letter]] [/e] [/f] [/h [y|n]] [/k keyfile or search path] [/tryemptypass [y|n]] [/l drive letter] [/m {bk|rm|recovery|ro|sm|ts}] [/p password] [/q [background|preferences]] [/s] [/tokenlib path] [/v volume] [/w]

"VeraCrypt Format.exe" [/n] [/create] [/size number[{K, M, G, T}]] [/p password] [/encryption {AES, Serpent, Twofish, AES(Twofish), AES(Twofish(Serpent)), Serpent(AES), Serpent(Twofish(AES)), Twofish(Serpent)}] [/hash {sha256, sha-256, sha512, sha-512, whirlpool, ripemd160, ripemd-160}] [/filesystem {None, FAT, NTFS}] [/dynamic] [/force] [/silent]

Note that the order in which options are specified does not matter.

Examples

Mount the volume d:\myvolume as the first free drive letter, using the password prompt (the main program window will not be displayed):

veracrypt /q /v d:\myvolume

Dismount a volume mounted as the drive letter X (the main program window will not be displayed):

veracrypt /q /d x

Mount a volume called myvolume.tc using the password MyPassword, as the drive letter X. VeraCrypt will open an Explorer window and beep; mounting will be automatic:

veracrypt /v myvolume.tc /l x /a /p MyPassword /e /b

Create a 10 MB file container using the password test and formatted using FAT:

"C:\Program Files\VeraCrypt\VeraCrypt Format.exe" /create c:\Data\test.hc /password test /hash sha512 /encryption serpent /filesystem FAT /size 10M /force
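As an added example (not part of the VeraCrypt documentation), the following PowerShell script combines the switches above into a non-interactive, read-only mount for a backup job and a forced dismount afterwards, using a keyfile with /tryemptypass so that no /p value ends up in the console history. The VeraCrypt path, container path, keyfile path and drive letter are assumptions.

```powershell
# Added example, not from the VeraCrypt documentation. All paths below are assumptions.
$VeraCrypt = 'C:\Program Files\VeraCrypt\VeraCrypt.exe'
$Container = 'D:\backups\archive.hc'   # assumed container path
$Keyfile   = 'E:\keys\archive.key'     # assumed keyfile kept on a removable drive
$Letter    = 'X'

function Mount-VcReadOnly {
    param([string]$Container, [string]$Keyfile, [string]$Letter)
    # Refuse to proceed if the letter is already in use; otherwise the success
    # check below would report a mount that this script did not perform.
    if (Test-Path -LiteralPath "${Letter}:\") {
        Write-Warning "Drive $Letter already exists; not mounting"
        return $false
    }
    # /q /s: perform the action and exit with no window or prompt (/s only acts with /q).
    # /k + /tryemptypass y: unlock with the keyfile and an empty password instead of /p.
    # /m ro /m ts: read-only, and leave the container's modification timestamp untouched.
    # /c n: do not keep the (empty) password in the driver cache.
    $argList = @(
        '/q', '/s',
        '/v', "`"$Container`"",
        '/l', $Letter,
        '/k', "`"$Keyfile`"",
        '/tryemptypass', 'y',
        '/m', 'ro', '/m', 'ts', '/m', 'label=Backup',
        '/c', 'n'
    )
    Start-Process -FilePath $VeraCrypt -ArgumentList $argList -Wait | Out-Null
    # Verify by looking for the drive rather than trusting an exit code.
    return (Test-Path -LiteralPath "${Letter}:\")
}

function Dismount-Vc {
    param([string]$Letter)
    # /d X dismounts only that letter; /f forces it if a handle is still open.
    Start-Process -FilePath $VeraCrypt -ArgumentList @('/q', '/s', '/d', $Letter, '/f') -Wait | Out-Null
    return -not (Test-Path -LiteralPath "${Letter}:\")
}

if (Mount-VcReadOnly -Container $Container -Keyfile $Keyfile -Letter $Letter) {
    try {
        # Backup work goes here; the listing only shows the volume is readable.
        Get-ChildItem -LiteralPath "${Letter}:\" | Select-Object -First 5
    } finally {
        if (-not (Dismount-Vc -Letter $Letter)) { Write-Warning "Drive $Letter is still mounted" }
    }
} else {
    Write-Error "Mount of $Container failed (wrong keyfile, or letter in use?)"
}
```

Because /s suppresses all prompts, a keyfile that does not match simply fails the mount; the script reports that through the drive-letter check instead of hanging on a password dialog.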

Updated Wiki: Command Line Usage


Command Line Usage

Note that this section applies to the Windows version of VeraCrypt. For information on command line usage applying to the Linux and Mac OS X versions, please run: veracrypt -h

/help or /?: Display command line help.
/truecrypt or /tc: Activate TrueCrypt compatibility mode, which enables mounting volumes created with the TrueCrypt 6.x and 7.x series.
/hash: It must be followed by a parameter indicating the PRF hash algorithm to use when mounting the volume. Possible values for the /hash parameter are: sha256, sha-256, sha512, sha-512, whirlpool, ripemd160 and ripemd-160. When /hash is omitted, VeraCrypt will try all possible PRF algorithms, thus lengthening the mount operation time.
/volume or /v: It must be followed by a parameter indicating the file and path name of a VeraCrypt volume to mount (do not use when dismounting) or the Volume ID of the disk/partition to mount.
The syntax of the Volume ID is ID:XXXXXX...XX, where the XX part is a 64-character hexadecimal string representing the 32-byte ID of the volume to mount.

To mount a partition/device-hosted volume, use, for example,

/v \Device\Harddisk1\Partition3 (to determine the path to a partition/device, run VeraCrypt and click Select Device). You can also mount a partition or dynamic volume using its volume name (for example,

/v \\?\Volume{5cceb196-48bf-46ab-ad00-70965512253a}\). To determine the volume name use e.g. mountvol.exe. Also note that device paths are case-sensitive.

/v ID:53B9A8D59CC84264004DA8728FC8F3E2EE6C130145ABD3835695C29FD601EDCA. The Volume ID value can be retrieved using the volume properties dialog of the mounted disk/partition.

/letter or /l: It must be followed by a parameter indicating the drive letter to mount the volume as. When /l is omitted and /a is used, the first free drive letter is used.
/explore or /e: Open an Explorer window after a volume has been mounted.
/beep or /b: Beep after a volume has been successfully mounted or dismounted.
/auto or /a: If no parameter is specified, automatically mount the volume. If devices is specified as the parameter (e.g., /a devices), auto-mount all currently accessible device/partition-hosted VeraCrypt volumes. If favorites is specified as the parameter, auto-mount favorite volumes. Note that /auto is implicit if /quit and /volume are specified. If you need to prevent the application window from appearing, use /quit.
/dismount or /d: Dismount the volume specified by drive letter (e.g., /d x). When no drive letter is specified, dismounts all currently mounted VeraCrypt volumes.
/force or /f: Forces dismount (if the volume to be dismounted contains files being used by the system or an application) and forces mounting in shared mode (i.e., without exclusive access).
/keyfile or /k: It must be followed by a parameter specifying a keyfile or a keyfile search path. For multiple keyfiles, specify e.g.: /k c:\keyfile1.dat /k d:\KeyfileFolder /k c:\kf2. To specify a keyfile stored on a security token or smart card, use the following syntax: token://slot/SLOT_NUMBER/file/FILE_NAME
/tryemptypass: Only when a default keyfile is configured or when a keyfile is specified on the command line.
If it is followed by y or yes, or if no parameter is specified: try to mount using an empty password and the keyfile before displaying the password prompt.
If it is followed by n or no: don't try to mount using an empty password and the keyfile, and display the password prompt right away.
/tokenlib: It must be followed by a parameter indicating the PKCS #11 library to use for security tokens and smart cards (e.g., /tokenlib c:\pkcs11lib.dll).
/cache or /c: If it is followed by y or yes, or if no parameter is specified: enable the password cache;
if it is followed by n or no: disable the password cache (e.g., /c n);
if it is followed by f or favorites: temporarily cache the password when mounting multiple favorites (e.g., /c f).
Note that turning the password cache off will not clear it (use /w to clear the password cache).
/history or /h: If it is followed by y or by no parameter: enables saving the history of mounted volumes; if it is followed by n: disables saving the history of mounted volumes (e.g., /h n).
/wipecache or /w: Wipes any passwords cached in the driver memory.
/password or /p: It must be followed by a parameter indicating the volume password. If the password contains spaces, it must be enclosed in quotation marks (e.g., /p "My Password"). Use /p "" to specify an empty password. Warning: This method of entering a volume password may be insecure, for example, when an unencrypted command prompt history log is being saved to unencrypted disk.
/pim: It must be followed by a positive integer indicating the PIM (Personal Iterations Multiplier) to use for the volume.
