I get it that VC doesn't use tpm chip but I'm wondering about the other setup of leveraging a TPM (dTPM version) with a good pin + bitlocker, what your thoughts are on such a setup compared to VC only?
Is it possible? Compatible? Wanna use them both for as much security as possible. And yeah, I'm okay with typing two passwords
I don't need the basics of the two cryptographic platforms. Though I'm not an expert either but I did a bit of research. I'm still confused or need further elaboration on this: (recap of my research + questions)
I read that veracrypt gets the win on choosing encryption. Because of it being open-sourced. And the fact that it doesn't use TPM (which I'll get into later). Bitlocker being closed sourced, uses TPM and backs up master-keys to your Microsoft (MS) accounts cloud. Which technically, a privacy concern. May be tied to that being the "backdoor" rather than it being a secret method for anyone (hacker, spying, NSA etc). To me privacy should be that solid definition: privacy. No prying eyes or backdoors.
From my understanding, if I use bitlocker over veracrypt, to protect my privacy, I should choose to save my MS backup masterkey on USB rather than Microsoft account cloud. This should be then, secure? I'm guessing those that had their bitlocker data compromised because the masterkey was obtained through the connected MS account rather than it being a "secret backdoor". It was more of the user being ignorant or stupid. However, if saving the masterkey on a USB and all is fine and dandy now that no one has access to the masterkey. It brings to question the next security flaw.
Bitlocker uses TPM. According to Google, "TPM securely stores encryption keys and verifies system integrity during boot-up, ensuring the drive cannot be accessed if moved to another" The point in how TPM works is that it's storing master-keys when requested/working. As far as I got into this, it seems though TPM sounds like a privacy backdoor for bitlocker. It seems the issue is that an attack can only occur if the computer is on whilst the master-keys requested from the TPM are temporarily stored in the system's RAM. I'm not sure if the master keys of the bitlocker are stored elsewhere like the drive itself? Reading further it does not imply keys are in the drive itself for example external hard disk drives. And that the master-keys are only in the TPM chip itself. So technically, should bitlocker be safe? It seems if the claims are true, then yes?
As far as veracrypt the fact that it doesn't use TPM and is open sourced seems to be a tad more trustworthy. I tried both and bitlocker seems to be easier to use. Whilst veracrypt you have to manually open the drive/s. Any thoughts on this and my research/ understanding? Anything I misunderstood and in 2026 is bitlocker ok to use to protect data without actual backdoors?
Edit: Seems the only way people get backdoored on bitlocker is by ignorance. Giving your key away in the cloud and possibly leaving a computer on to your encrypted data because it's either unlocked or locked but TPM may have the key in RAM. Not sure if that key in ram stays for long. Shutting down would be safer. But then again, cold boots would require both the PC and the drive to start the attack. It would be harder and useless to only have the bitlocker drive alone.
Veracrypt seems solid as I haven't read any way people backdoored it(?)...
I use VeraCrypt in portable mode and it's worked well for the most part. Today I tried to open it and while it shows in the tray and on the taskbar, I can't get it to gain focus. I tried moving the window using Win Key and the arrow keys, it doesn't respond to that. It's open in the tray but the menu on the tray icon does not work. I effectively can't use the program or mount my volumes. I tried rebooting, doesn't fix anything either. I'm on Windows 11 25H2 26200.8457 & VeraCrypt 1.26.24 Any tips?
I've been reviewing the Veracrypt documentation regarding wear leveling on SSDs (link).
As I understand it, unless you fully encrypt a brand-new SSD before putting sensitive data on it, then Veracrypt cannot guarantee that sensitive data is fully encrypted; if already added data is encrypted in-place, then some unencrypted data may exist in unused sectors.
Suppose that you encrypted an SSD in-place with sensitive data already on it. Could you somehow wipe the SSD and copy data back onto it to ensure wear-leveled sectors do not contain sensitive data unencrypted?
For instance, performing the following steps:
Would this prevent the leaks mentioned in the Veracrypt documentation regarding wear leveling?
I am using Fedora 44 and I installed Veracrypt 1.26.24 but sometimes veracrypt reverts back to the 1.26.7 version from Oct 2023.
Why does this happen and should I be concerned with using an older version?
I'm just getting into using VeraCrypt, but now I'm reconsidering how good it will be for how I do backups. For my use, some files will be changed at times, and/or more added or deleted to the volume. I do backups nightly using FreeFileSync. Can the entire volume be backed up just by copying it to another drive? And does that mean anytime there's a minor file change within the VeraCrypt Volume, that the entire volume will have to be recopied since it's really one file?
Hello all,
I know a bit about encryption and have been using veracrypt to encrypt files for about a month, but am wondering if it is possible to install the veracrypt app onto a usb drive along with encrypted files so that I can access them no matter where I am and what computer I am using?
For context I am using Debian 13/Linux and want to use the usb drive on tails or another linux distro
Hi all,
Has anyone experienced extreme NAND write amplification when using veracrpyt?
My 256gb sata m.2 system drive has reported total NAND writes of 435TB yet only reports 43TB has been written by the host? Could this be write amplification due to TRIM, or is the number just off?
Many thanks in advance