Releases: veracrypt/VeraCrypt

VeraCrypt version 1.24-Update4

24 Jan 09:17
247a16c

Binaries for Windows, Linux and MacOSX are available at Launchpad, Sourceforge and Bitbucket

Changes between 1.24-Update2 and 1.24-Update4 (23 January 2020) :
  • Windows:

    • Fix regression in Expander and Format when RAM encryption is enabled that was causing volume headers to be corrupted.
    • Fix failure of Screen Readers (Accessibility support) to read UI by disabling newly introduced memory protection by default and adding a CLI switch (/protectMemory) to enable it when needed.
    • Fix side effects related to the fix for CVE-2019-19501 which caused links in UI not to open.
    • Add switch /signalExit to support notifying WAITFOR Windows command when VeraCrypt.exe exits if /q was specified in CLI (cf. documentation for usage).
    • Don't display mount/dismount examples in help dialog for command line in Format and Expander.
    • Documentation and translation updates.
  • Linux:

    • Fix console-only build to remove dependency on GTK that is not wanted on headless servers.
    • Fix regression that limited the size available for hidden volumes created on disk or partition.
  • MacOSX:

    • Fix regression that limited the size available for hidden volumes created on disk or partition.

VeraCrypt version 1.24-Update2

17 Dec 16:29
31611ad

Binaries for Windows, Linux and MacOSX are available at Launchpad, Sourceforge and Bitbucket

Changes between 1.24-Hotfix1 and 1.24-Update2 (16 December 2019) :
  • All OSs:

    • Clear AES key from stack memory when using non-optimized implementation. Doesn't apply to VeraCrypt official build (Reported and fixed by Hanno Böck)
    • Update Jitterentropy RNG Library to version 2.2.0
    • Start following IEEE 1541 agreed naming of bytes (KiB, MiB, GiB, TiB, PiB).
    • Various documentation enhancements.
  • Windows:

    • Fix possible local privilege escalation vulnerability during execution of VeraCrypt Expander (CVE-2019-19501)
    • MBR bootloader:
      • workaround for SSD disks that don't allow write operations in BIOS mode with buffers less than 4096 bytes.
      • Don't restore MBR to VeraCrypt value if it is coming from a loader different from us or different from Microsoft one.
    • EFI bootloader:
      • Fix "ActionFailed" not working and add "ActionCancelled" to customize handling of user hitting ESC on password prompt
      • Fix F5 showing previous password after failed authentication attempt. Ensure that even wrong password values are cleared from memory.
    • Fix multi-OS boot compatibility by only setting VeraCrypt as first bootloader of the system if the current first bootloader is Windows one.
    • Add new registry flags for SystemFavoritesService to control updating of EFI BIOS boot menu on shutdown.
    • Allow system encrypted drive to be mounted in WindowsPE even if changing keyboard layout fails (reported and fixed by Sven Strickroth)
    • Enhancements to the mechanism preserving file timestamps, especially for keyfiles.
    • Fix RDRAND instruction not detected on AMD CPUs.
    • Detect cases where RDRAND is flawed (e.g. AMD Ryzen) to avoid using it if enabled by user.
    • Don't write extra 0x00 byte at the end of DcsProp file when modifying it through UI
    • Reduce memory usage of IOCTL_DISK_VERIFY handler used in disk verification by Windows.
    • Add switch /FastCreateFile for VeraCrypt Format.exe to speedup creation of large file container if quick format is selected.
    • Fix the checkbox for skipping verification of Rescue Disk not reflecting the value of /noisocheck switch specified in VeraCrypt Format command line.
    • Check "TrueCrypt Mode" in password dialog when mounting a file container with .tc extension
    • Update XML languages files.
  • Linux:

    • Fix regression causing admin password to be requested too many times in some cases
    • Fix off by one buffer overflow in function Process::Execute (Reported and fixed by Hanno Böck)
    • Make sure password gets deleted in case of internal error when mounting volume (Reported and fixed by Hanno Böck)
    • Fix passwords using Unicode characters not recognized in text mode.
    • Fix failure to run VeraCrypt binary built for console mode on headless machines.
    • Add switch to force the use of legacy maximum password length (64 UTF8 bytes)
    • Add CLI switch (--use-dummy-sudo-password) to force use of old sudo behavior of sending a dummy password
    • During uninstall, output error message to STDERR instead of STDOUT for better compatibility with package managers.
    • Make sector size mismatch error when mounting disks more verbose.
    • Speedup SHA256 in 64-bit mode by using assembly code.
  • MacOSX:

    • Add switch to force the use of legacy maximum password length (64 UTF8 bytes)
    • Fix off by one buffer overflow in function Process::Execute (Reported and fixed by Hanno Böck)
    • Fix passwords using Unicode characters not recognized in text mode.
    • Make sector size mismatch error when mounting disks more verbose.
    • Speedup SHA256 in 64-bit mode by using assembly code.

VeraCrypt version 1.24-Hotfix1

27 Oct 22:41
ac68435

Binaries for Windows, Linux and MacOSX are available at Launchpad, Sourceforge and Bitbucket

Changes between 1.24 and 1.24-Hotfix1 (27 October 2019) :
  • All OSs:

    • Fix 1.24 regression that caused system favorites not to mount at boot if VeraCrypt freshly installed.
    • Fix failure to encrypt system if the current Windows username contains a Unicode non-ASCII character.
    • Make VeraCrypt Expander able to resume expansion of volumes whose previous expansion was aborted before it finishes.
    • Add "Quick Expand" option to VeraCrypt Expander to accelerate the expansion of large file containers.
    • Add several robustness checks and validation in case of system encryption to better handle some corner cases.
    • Minor UI and documentation changes.
  • Linux:

    • Workaround gcc 4.4.7 bug under CentOS 6 that caused VeraCrypt built under CentOS 6 to crash when Whirlpool hash is used.
    • Fix "incorrect password attempt" written to /var/log/auth.log when mounting volumes.
    • Fix dropping file in UI not showing its correct path, specifically under GTK-3.
    • Add missing JitterEntropy implementation.
  • MacOSX:

    • Fix some devices and partitions not showing in the device selection dialog under OSX 10.13 and newer.
    • Fix keyboard tab navigation between password fields in "Volume Password" page of volume creation wizard.
    • Add missing JitterEntropy implementation.
    • Support APFS filesystem when creating volumes.
    • Support Dark Mode.

VeraCrypt version 1.24

07 Oct 16:41
6d7f752

Binaries for Windows, Linux and MacOSX are available at Launchpad, Sourceforge and Bitbucket

Changes between 1.23-Hotfix-2 and 1.24 (6 October 2019) :
  • All OSs:
    • Increase password maximum length to 128 bytes in UTF-8 encoding for non-system volumes.
    • Add option to use legacy maximum password length (64) instead of new one for compatibility reasons.
    • Use Hardware RNG based on CPU timing jitter "Jitterentropy" by Stephan Mueller as a good alternative to CPU RDRAND (http://www.chronox.de/jent.html)
    • Speed optimization of XTS mode on 64-bit machine using SSE2 (up to 10% faster).
    • Fix detection of CPU features AVX2/BMI2. Add detection of RDRAND/RDSEED CPU features. Detect Hygon CPU as AMD one.
  • Windows:
    • Implement RAM encryption for keys and passwords using ChaCha12 cipher, t1ha non-cryptographic fast hash and ChaCha20 based CSPRNG.
      • Available only on 64-bit machines.
      • Disabled by default. Can be enabled using option in UI.
      • Less than 10% overhead on modern CPUs.
      • Side effect: Windows Hibernate is not possible if VeraCrypt System Encryption is also being used.
    • Mitigate some memory attacks by making VeraCrypt applications memory inaccessible to non-admin users (based on KeePassXC implementation)
    • New security features:
      • Erase system encryption keys from memory during shutdown/reboot to help mitigate some cold boot attacks
      • Add option when system encryption is used to erase all encryption keys from memory when a new device is connected to the system.
      • Add new driver entry point that can be called by applications to erase encryption keys from memory in case of emergency.
    • MBR Bootloader: dynamically determine boot loader memory segment instead of hardcoded values (proposed by neos6464)
    • MBR Bootloader: workaround for issue affecting creation of hidden OS on some SSD drives.
    • Fix issue related to Windows Update breaking VeraCrypt UEFI bootloader.
    • Several enhancements and fixes for EFI bootloader:
      • Implement timeout mechanism for password input. Set default timeout value to 3 minutes and default timeout action to "shutdown".
      • Implement new actions "shutdown" and "reboot" for EFI DcsProp config file.
      • Enhance Rescue Disk implementation of restoring VeraCrypt loader.
      • Fix ESC on password prompt during Pre-Test not starting Windows.
      • Add menu entry in Rescue Disk that enables starting original Windows loader.
      • Fix issue that was preventing Streebog hash from being selected manually during Pre-Boot authentication.
      • If "VeraCrypt" folder is missing from Rescue Disk, it will boot PC directly from bootloader stored on hard drive
        • This makes it easy to create a bootable disk for VeraCrypt from Rescue Disk just by removing/renaming its "VeraCrypt" folder.
    • Add option (disabled by default) to use CPU RDRAND or RDSEED as an additional entropy source for our random generator when available.
    • Add mount option (both UI and command line) that allows mounting a volume without attaching it to the specified drive letter.
    • Update libzip to version 1.5.2
    • Do not create uninstall shortcut in startmenu when installing VeraCrypt. (by Sven Strickroth)
    • Enable selection of Quick Format for file containers creation. Separate Quick Format and Dynamic Volume options in the wizard UI.
    • Fix editor of EFI system encryption configuration file not accepting ENTER key to add new lines.
    • Avoid simultaneous calls of favorites mounting, for example if corresponding hotkey is pressed multiple times.
    • Ensure that only one thread at a time can create a secure desktop.
    • Resize some dialogs in Format and Mount Options to fix some text truncation issues with non-English languages.
    • Fix high CPU usage when using favorites and add switch to disable periodic check on devices to reduce CPU load.
    • Minor UI changes.
    • Updates and corrections to translations and documentation.
  • MacOSX:
    • Add check on size of file container during creation to ensure it's smaller than available free disk space. Add CLI switch --no-size-check to disable this check.
  • Linux:
    • Make CLI switch --import-token-keyfiles compatible with Non-Interactive mode.
    • Add check on size of file container during creation to ensure it's smaller than available free disk space. Add CLI switch --no-size-check to disable this check.

VeraCrypt version 1.23

13 Sep 11:58
8205091

Binaries for Windows, Linux and MacOSX are available at Launchpad, Sourceforge and Bitbucket

Changes between 1.22 and 1.23 (12 September 2018) :
  • Windows:
    • VeraCrypt is now compatible with default EFI SecureBoot configuration for system encryption.
    • Fix EFI system encryption issues on some machines (e.g. HP, Acer).
    • Support EFI system encryption on Windows LTSB.
    • Add compatibility of system encryption with Windows 10 upgrade using ReflectDrivers mechanism
    • Make EFI Rescue Disk decrypt partition correctly when Windows Repair overwrites first partition sector.
    • Add Driver option in the UI to explicitly allow Windows 8.1 and Windows 10 defragmenter to see VeraCrypt encrypted disks.
    • Add internal verification of binaries' embedded signatures to protect against some types of tampering attacks.
    • Fix Secure Desktop not working for favorites set to mount at logon on Windows 10 under some circumstances.
    • When Secure Desktop is enabled, use it for Mount Options dialog if it is displayed before password dialog.
    • When extracting files in Setup or Portable mode, decompress zip files docs.zip and Languages.zip in order to have ready to use configuration.
    • Display a balloon tip warning message when text pasted to password field is longer than maximum length and so it will be truncated.
    • Implement language selection mechanism at the start of the installer to make it easier for international users.
    • Add check on size of file container during creation to ensure it's smaller than available free disk space.
    • Fix buttons at the bottom not shown when user sets a large system font under Windows 7.
    • Fix compatibility issues with some disk drivers that don't support IOCTL_DISK_GET_DRIVE_GEOMETRY_EX ioctl.
  • MacOSX:
    • Support pasting values to password fields using keyboard (CMD+V and CMD+A now working properly).
    • Add CheckBox in mount option dialog to force the use of embedded backup header during mount.
    • When performing backup of volume header, automatically try to use embedded backup header if using the main header fails.
    • Implement benchmarking UI for Hash and PKCS-5 PRF algorithms.
  • Linux:
    • Don't allow waiting dialog to be closed before the associated operation is finished. This fixes a crash under Lubuntu 16.04.
    • Add CheckBox in mount option dialog to force the use of embedded backup header during mount.
    • When performing backup of volume header, automatically try to use embedded backup header if using the main header fails.
    • Implement benchmarking UI for Hash and PKCS-5 PRF algorithms.
    • Remove limitation of hidden volume protection on disk with sector size larger than 512 bytes.

VeraCrypt version 1.22

04 Apr 21:16
242fdbc

Binaries for Windows, Linux and MacOSX are available at Launchpad, Sourceforge and Bitbucket

Changes between 1.21 and 1.22 (30 March 2018) :
  • All OSs:

    • SIMD speed optimization for Kuznyechik cipher implementation (up to 2x speedup).
    • Add 5 new cascades of cipher algorithms: Camellia-Kuznyechik, Camellia-Serpent, Kuznyechik-AES, Kuznyechik-Serpent-Camellia and Kuznyechik-Twofish.
  • Windows:

    • MBR Bootloader: Fix failure to boot hidden OS on some machines.
    • MBR Bootloader: Reduce CPU usage during password prompt.
    • Security enhancement: Add option to block TRIM command for system encryption on SSD drives.
    • Implement TRIM support for non-system SSD drives and add option to enable it (TRIM is disabled by default for non-system volumes).
    • Better fix for "Parameter Incorrect" issues during EFI system encryption in some machines.
    • Driver: remove unnecessary dependency to wcsstr which can cause issues on some machines.
    • Driver: Fix "Incorrect Parameter" error when mounting volumes on some machines.
    • Fix failure to mount system favorites during boot on some machines.
    • Fix current application losing focus when VeraCrypt is run in command line with /quit /silent switches.
    • Fix some cases of external applications freezing during mount/dismount.
    • Fix rare cases of secure desktop for password dialog not visible which caused UI to block.
    • Update libzip to version 1.5.0, which includes fixes for some security issues.
    • Extend Secure Desktop feature to smart card PIN entry dialog.
    • Fix truncated license text in installer wizard.
    • Add portable package that allows extracting binaries without asking for admin privileges.
    • Simplify format of language XML files.
    • Workaround for cases where password dialog doesn't get keyboard focus if Secure Desktop is not enabled.
  • Linux:

    • Fix failure to install GUI version under recent versions of KDE.
    • Fix wxWidgets assertion failed when backing up/restoring volume header.
  • MacOSX:

    • Fix issue preventing some local help files from opening in the browser.

VeraCrypt version 1.21

03 Jan 14:40
d49432d

Binaries for Windows, Linux and MacOSX are available at Launchpad, Sourceforge and Bitbucket

Changes between 1.20 and 1.21 (9 July 2017) :
  • All OSs:
    • Fix 1.20 regression crash when running on CPU not supporting extended features.
  • Windows:
    • Fix 1.20 regression that caused PIM value stored in favorites to be ignored during mount.
    • Fix 1.20 regression that causes system favorites not to mount in some cases.
    • Fix some cases of "Parameter Incorrect" error during EFI system encryption wizard.
    • Install PDF documents related to EFI system encryption configuration for advanced users:
      • disk_encryption_v1_2.pdf related to EFI hidden OS and full disk encryption
      • dcs_tpm_owner_02.pdf related to TPM configuration for EFI system encryption.
  • FreeBSD:
    • Add support for building on FreeBSD.

VeraCrypt version 1.20

03 Jan 14:37

Binaries for Windows, Linux and MacOSX are available at Launchpad, Sourceforge and Bitbucket

Changes between 1.19 and 1.20 (29 June 2017) :
  • All OSs:
    • Use 64-bit optimized assembly implementation of Twofish and Camellia by Jussi Kivilinna.
      • Camellia 2.5 times faster when AES-NI is supported by CPU. 30% faster without it.
    • Use optimized implementation for SHA-512/SHA256.
      • 33% speedup on 64-bit systems.
    • Deploy local HTML documentation instead of User Guide PDF.
    • Change links in UI from ones on Codeplex to ones hosted at veracrypt.fr
    • Security: build binaries with support for Address Space Layout Randomization (ASLR).
  • Windows:
    • Several fixes and modifications for EFI System Encryption:
    • Enable using Secure Desktop for password entry. Add preferences option and command line switch (/secureDesktop) to activate it.
    • Use default mount parameters when mounting multiple favorites with password caching.
    • Enable specifying PRF and TrueCryptMode for favorites.
    • Preliminary driver changes to support EFI hidden OS functionality.
    • Fix Streebog not recognized by /hash command line.
    • Add support for ReFS filesystem on Windows 10 when creating normal volumes
    • Fix high CPU usage when favorite configured to mount with VolumeID on arrival.
    • Use CHM file for User Guide instead of PDF.
    • Fix false warning in case of EFI system encryption about Windows not installed on boot drive.
    • Enhancements to driver handling of various disk IOCTL.
    • Enhancements to EFI bootloader. Add possibility to manually edit EFI configuration file.
    • Driver Security: Use enhanced protection of NX pool under Windows 8 and later.
    • Reduce performance impact of internal check for disconnected network drives.
    • Minor fixes.
  • MacOSX:
    • OSX 10.7 or newer is required to run VeraCrypt.
    • Make VeraCrypt default handler of .hc & .tc files.
    • Add custom VeraCrypt icon to .hc and .tc files in Finder.
    • Check TrueCryptMode in password dialog when opening container file with .tc extension.
  • Linux:
    • Check TrueCryptMode in password dialog when opening container file with .tc extension.
    • Fix executable stack in resulting binary which was caused by crypto assembly files missing the GNU-stack note.

VeraCrypt version 1.19

17 Oct 18:16
5390228

Binaries for Windows, Linux and MacOSX are available at Launchpad, Sourceforge and Codeplex

Changes between 1.18 and 1.19 (17 October 2016) :
  • All OSs:
    • Fix issues raised by Quarkslab audit.
      • Remove GOST89 encryption algorithm.
      • Make PBKDF2 and HMAC code clearer and easier to analyze.
      • Add test vectors for Kuznyechik.
      • Update documentation to warn about risks of using command line switch "tokenpin".
    • Use SSE2 optimized Serpent algorithm implementation from Botan project (2.5 times faster on 64-bit platforms).
  • Windows:
    • Fix keyboard issues in EFI Boot Loader.
    • Fix crash on 32-bit machines when creating a volume that uses Streebog as PRF.
    • Fix false positive detection of Evil-Maid attacks in some cases (e.g. hidden OS creation)
    • Fix failure to access EFS data on VeraCrypt volumes under Windows 10.
    • Fix wrong password error in the process of copying hidden OS.
    • Fix issues raised by Quarkslab audit:
      • Fix leak of password length in MBR bootloader inherited from TrueCrypt.
      • EFI bootloader: Fix various leaks and erase keyboard buffer after password is typed.
      • Use libzip library for handling zip Rescue Disk file instead of vulnerable XUnzip library.
    • Support EFI system encryption for 32-bit Windows.
    • Perform shutdown instead of reboot during Pre-Test of EFI system encryption to detect incompatible motherboards.
    • Minor GUI and translations fixes.
  • MacOSX:
    • Remove dependency to MacFUSE compatibility layer in OSXFuse.

VeraCrypt version 1.18a

19 Aug 07:55
7ad75a8

Binaries for Windows, Linux and MacOSX are available at Launchpad, Sourceforge and Codeplex

Changes between 1.17 and 1.18a (17 August 2016) :
  • All OSs:
    • Support Japanese encryption standard Camellia, including for Windows system encryption (MBR & EFI).
    • Support Russian encryption and hash standards Kuznyechik, Magma and Streebog, including for Windows EFI system encryption.
  • Windows:
    • Support EFI Windows system encryption (limitations: no hidden OS, no boot custom message)
    • Fix TrueCrypt vulnerability allowing detection of hidden volumes presence (reported by Ivanov Aleksey Mikhailovich, alekc96 [at] mail dot ru)
    • Enhanced protection against dll hijacking attacks.
    • Fix boot issues on some machines by increasing required memory by 1 KiB
    • Add benchmarking of hash algorithms and PRF with PIM (including for pre-boot).
    • Move build system to Visual C++ 2010 for better stability.
    • Workaround for AES-NI support under Hyper-V on Windows Server 2008 R2.
    • Correctly remove driver file veracrypt.sys during uninstall on Windows 64-bit.
    • Implement passing smart card PIN as command line argument (/tokenpin) when explicitly mounting a volume.
    • When no drive letter specified, choose A: or B: only when no other free drive letter is available.
    • Reduce CPU usage caused by the option to disable use of disconnected network drives.
    • Add new volume ID mechanism to be used to identify disks/partitions instead of their device name.
    • Add option to avoid PIM prompt in pre-boot authentication by storing PIM value unencrypted in MBR.
    • Add option and command line switch to hide waiting dialog when performing operations.
    • Add checkbox in "VeraCrypt Format" wizard GUI to skip Rescue Disk verification during system encryption procedure.
    • Allow files drag-n-drop when VeraCrypt is running as elevated process.
    • Minor GUI and translations fixes.
  • Linux:
    • Fix mount issue on Fedora 23.
    • Fix mount failure when compiling source code using gcc 5.x.
    • Adhere to XDG Desktop Specification by using XDG_CONFIG_HOME to determine location of configuration files.
  • MacOSX:
    • Solve compatibility issue with newer versions of OSXFuse.