Manual VeraCrypt 1.16 (page 141 of 162) (English)

658731

141

Zoom out

Zoom in

1/162

137

Encryption Scheme

When mounting a VeraCrypt volume (assume there are no cached passwords/keyfiles) or when

performing pre-boot authentication, the following steps are performed:

1. The first 512 bytes of the volume (i.e., the standard volume header) are read into RAM, out

of which the first 64 bytes are the salt (see VeraCrypt Volume Format Specification). For

system encryption (see the chapter System Encryption), the last 512 bytes of the first logical

drive track are read into RAM (the VeraCrypt Boot Loader is stored in the first track of the

system drive and/or on the VeraCrypt Rescue Disk).

2. Bytes 65536–66047 of the volume are read into RAM (see the section VeraCrypt Volume

Format Specification). For system encryption, bytes 65536–66047 of the first partition

located behind the active partition

are read (see the section Hidden Operating System). If

there is a hidden volume within this volume (or within the partition behind the boot

partition), we have read its header at this point; otherwise, we have just read random data

(whether or not there is a hidden volume within it has to be determined by attempting to

decrypt this data; for more information see the section Hidden Volume).

3. Now VeraCrypt attempts to decrypt the standard volume header read in (1). All data used

and generated in the course of the process of decryption are kept in RAM (VeraCrypt never

saves them to disk). The following parameters are unknown

†

and have to be determined

through the process of trial and error (i.e., by testing all possible combinations of the

following):

a. PRF used by the header key derivation function (as specified in PKCS #5 v2.0; see

the section Header Key Derivation, Salt, and Iteration Count), which can be one of

the following:

HMAC-SHA-512, HMAC-SHA-256, HMAC-RIPEMD-160, HMAC-Whirlpool. If a

PRF is explicitly specified by the user, it will be used directly without trying the other

possibilities.

A password entered by the user (to which one or more keyfiles may have been

applied – see the section Keyfiles), a PIM value (if specified) and the salt read in (1)

are passed to the header key derivation function, which produces a sequence of

values (see the section Header Key Derivation, Salt, and Iteration Count) from

which the header encryption key and secondary header key (XTS mode) are

formed. (These keys are used to decrypt the volume header.)

b. Encryption algorithm: AES-256, Serpent, Twofish, AES-Serpent, AES-Twofish-

Serpent, etc.

c. Mode of operation: only XTS is supported.

d. Key size(s)

If the size of the active partition is less than 256 MB, then the data is read from the second partition behind the active one

(Windows 7 and later, by default, do not boot from the partition on which they are installed).

†

These parameters are kept secret not in order to increase the complexity of an attack, but primarily to make VeraCrypt volumes

unidentifiable (indistinguishable from random data), which would be difficult to achieve if these parameters were stored unencrypted

within the volume header. Also note that if a non-cascaded encryption algorithm is used for system encryption, the algorithm is

known (it can be determined by analyzing the contents of the unencrypted VeraCrypt Boot Loader stored in the first logical drive

track or on the VeraCrypt Rescue Disk).

Report abuse

Libble takes abuse of its services very seriously. We're committed to dealing with such abuse according to the laws in your country of residence. When you submit a report, we'll investigate it and take the appropriate action. We'll get back to you only if we require additional details or have more information to share.

Product:

Forumrules

To achieve meaningful questions, we apply the following rules:

First, read the manual;
Check if your question has been asked previously;
Try to ask your question as clearly as possible;
Did you already try to solve the problem? Please mention this;
Is your problem solved by a visitor then let him/her know in this forum;
To give a response to a question or answer, do not use this form but click on the button 'reply to this question';
Your question will be posted here and emailed to our subscribers. Therefore, avoid filling in personal details.

new questions and answers
new manuals

You will receive an email to register for one or both of the options.

Get your user manual by e-mail

Enter your email address to receive the manual of VeraCrypt 1.16 in the language / languages: English as an attachment in your email.

The manual is 2,98 mb in size.

You will receive the manual in your email within minutes. If you have not received an email, then probably have entered the wrong email address or your mailbox is too full. In addition, it may be that your ISP may have a maximum size for emails to receive.

The manual is sent by email. Check your email

If you have not received an email with the manual within fifteen minutes, it may be that you have a entered a wrong email address or that your ISP has set a maximum size to receive email that is smaller than the size of the manual.

The email address you have provided is not correct.

Please check the email address and correct it.

Your question is posted on this page

Would you like to receive an email when new answers and questions are posted? Please enter your email address.

Info

VeraCrypt 1.16 Manual

Product: