VeraCrypt
aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/html/BLAKE2s-256.html (renamed from doc/html/RIPEMD-160.html)16
-rw-r--r--doc/html/Command Line Usage.html6
-rw-r--r--doc/html/Documentation.html2
-rw-r--r--doc/html/Encryption Scheme.html2
-rw-r--r--doc/html/FAQ.html11
-rw-r--r--doc/html/Hash Algorithms.html4
-rw-r--r--doc/html/Header Key Derivation.html21
-rw-r--r--doc/html/Program Menu.html2
-rw-r--r--doc/html/Random Number Generator.html4
9 files changed, 33 insertions, 35 deletions
diff --git a/doc/html/RIPEMD-160.html b/doc/html/BLAKE2s-256.html
index a67c8dc6..097b714f 100644
--- a/doc/html/RIPEMD-160.html
+++ b/doc/html/BLAKE2s-256.html
@@ -1,45 +1,51 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
<meta name="keywords" content="encryption, security"/>
<link href="styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div>
<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
</div>
<div id="menu">
<ul>
<li><a href="Home.html">Home</a></li>
<li><a href="/code/">Source Code</a></li>
<li><a href="Downloads.html">Downloads</a></li>
<li><a class="active" href="Documentation.html">Documentation</a></li>
<li><a href="Donation.html">Donate</a></li>
<li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
</ul>
</div>
<div>
<p>
<a href="Documentation.html">Documentation</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Hash%20Algorithms.html">Hash Algorithms</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
-<a href="RIPEMD-160.html">RIPEMD-160</a>
+<a href="BLAKE2s-256.html">BLAKE2s-256</a>
</p></div>
<div class="wikidoc">
-<h1>RIPEMD-160</h1>
+<h1>BLAKE2s-256</h1>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-RIPEMD-160, published in 1996, is a hash algorithm designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel in an open academic community. The size of the output of RIPEMD-160 is 160 bits. RIPEMD-160 is a strengthened version of the RIPEMD hash algorithm
- that was developed in the framework of the European Union's project RIPE (<em style="text-align:left">RACE Integrity Primitives Evaluation</em>), 1988-1992. RIPEMD-160 was adopted by the International Organization for Standardization (ISO) and the IEC in the
- ISO/IEC 10118-3:2004 international standard [21].</div>
+<p>
+BLAKE2 is a cryptographic hash function based on BLAKE, created by Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian Winnerlein. It was announced on December 21, 2012. The design goal was to replace the widely used, but broken, MD5 and SHA-1 algorithms in applications requiring high performance in software. BLAKE2 provides better security than SHA-2 and similar to that of SHA-3 (e.g. immunity to length extension, indifferentiability from a random oracle, etc...).<br/>
+BLAKE2 removes addition of constants to message words from BLAKE round function, changes two rotation constants, simplifies padding, adds parameter block that is XOR'ed with initialization vectors, and reduces the number of rounds from 16 to 12 for BLAKE2b (successor of BLAKE-512), and from 14 to 10 for BLAKE2s (successor of BLAKE-256).<br/>
+BLAKE2b and BLAKE2s are specified in RFC 7693.
+</p>
+<p>
+VeraCrypt uses only BLAKE2s with its maximum output size of 32-bytes (256 bits).
+</p>
+</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<a href="SHA-256.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section &gt;&gt;</a></div>
</div><div class="ClearBoth"></div></body></html>
diff --git a/doc/html/Command Line Usage.html b/doc/html/Command Line Usage.html
index d244df1e..4b8f828d 100644
--- a/doc/html/Command Line Usage.html
+++ b/doc/html/Command Line Usage.html
@@ -1,325 +1,325 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
<meta name="keywords" content="encryption, security"/>
<link href="styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div>
<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
</div>
<div id="menu">
<ul>
<li><a href="Home.html">Home</a></li>
<li><a href="/code/">Source Code</a></li>
<li><a href="Downloads.html">Downloads</a></li>
<li><a class="active" href="Documentation.html">Documentation</a></li>
<li><a href="Donation.html">Donate</a></li>
<li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
</ul>
</div>
<div>
<p>
<a href="Documentation.html">Documentation</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Command%20Line%20Usage.html">Command Line Usage</a>
</p></div>
<div class="wikidoc">
<div>
<h1>Command Line Usage</h1>
<p>Note that this section applies to the Windows version of VeraCrypt. For information on command line usage applying to the
<strong>Linux and Mac OS X versions</strong>, please run: veracrypt &ndash;h</p>
<table border="1" cellspacing="0" cellpadding="1">
<tbody>
<tr>
<td><em>/help</em> or <em>/?</em></td>
<td>Display command line help.</td>
</tr>
<tr>
<td><em>/truecrypt or /tc</em></td>
<td>Activate TrueCrypt compatibility mode which enables mounting volumes created with TrueCrypt 6.x and 7.x series.</td>
</tr>
<tr>
<td><em>/hash</em></td>
-<td>It must be followed by a parameter indicating the PRF hash algorithm to use when mounting the volume. Possible values for /hash parameter are: sha256, sha-256, sha512, sha-512, whirlpool, ripemd160 and ripemd-160. When /hash is omitted, VeraCrypt will try
+<td>It must be followed by a parameter indicating the PRF hash algorithm to use when mounting the volume. Possible values for /hash parameter are: sha256, sha-256, sha512, sha-512, whirlpool, blake2s and blake2s-256. When /hash is omitted, VeraCrypt will try
all possible PRF algorithms thus lengthening the mount operation time.</td>
</tr>
<tr>
<td id="volume"><em>/volume</em> or <em>/v</em></td>
<td>
<p>It must be followed by a parameter indicating the file and path name of a VeraCrypt volume to mount (do not use when dismounting) or the Volume ID of the disk/partition to mount.<br>
The syntax of the volume ID is <strong>ID:XXXXXX...XX</strong> where the XX part is a 64 hexadecimal characters string that represent the 32-Bytes ID of the desired volume to mount.<br>
<br>
To mount a partition/device-hosted volume, use, for example, /v \Device\Harddisk1\Partition3 (to determine the path to a partition/device, run VeraCrypt and click
<em>Select Device</em>). You can also mount a partition or dynamic volume using its volume name (for example, /v \\?\Volume{5cceb196-48bf-46ab-ad00-70965512253a}\). To determine the volume name use e.g. mountvol.exe. Also note that device paths are case-sensitive.<br>
<br>
You can also specify the Volume ID of the partition/device-hosted volume to mount, for example: /v ID:53B9A8D59CC84264004DA8728FC8F3E2EE6C130145ABD3835695C29FD601EDCA. The Volume ID value can be retrieved using the volume properties dialog.</p>
</td>
</tr>
<tr>
<td><em>/letter</em> or <em>/l</em></td>
<td>It must be followed by a parameter indicating the driver letter to mount the volume as. When /l is omitted and when /a is used, the first free drive letter is used.</td>
</tr>
<tr>
<td><em>/explore</em> or <em>/e</em></td>
<td>Open an Explorer window after a volume has been mounted.</td>
</tr>
<tr>
<td><em>/beep</em> or <em>/b</em></td>
<td>Beep after a volume has been successfully mounted or dismounted.</td>
</tr>
<tr>
<td><em>/auto</em> or <em>/a</em></td>
<td>If no parameter is specified, automatically mount the volume. If devices is specified as the parameter (e.g., /a devices), auto-mount all currently accessible device/partition-hosted VeraCrypt volumes. If favorites is specified as the parameter, auto-mount
favorite volumes. Note that /auto is implicit if /quit and /volume are specified. If you need to prevent the application window from appearing, use /quit.</td>
</tr>
<tr>
<td><em>/dismount</em> or <em>/d</em></td>
<td>Dismount volume specified by drive letter (e.g., /d x). When no drive letter is specified, dismounts all currently mounted VeraCrypt volumes.</td>
</tr>
<tr>
<td><em>/force</em> or <em>/f</em></td>
<td>Forces dismount (if the volume to be dismounted contains files being used by the system or an application) and forces mounting in shared mode (i.e., without exclusive access).</td>
</tr>
<tr>
<td><em>/keyfile</em> or <em>/k</em></td>
<td>It must be followed by a parameter specifying a keyfile or a keyfile search path. For multiple keyfiles, specify e.g.: /k c:\keyfile1.dat /k d:\KeyfileFolder /k c:\kf2 To specify a keyfile stored on a security token or smart card, use the following syntax:
token://slot/SLOT_NUMBER/file/FILE_NAME</td>
</tr>
<tr id="tryemptypass">
<td><em>/tryemptypass&nbsp;&nbsp; </em></td>
<td>ONLY when default keyfile configured or when a keyfile is specified in the command line.<br>
If it is followed by <strong>y</strong> or <strong>yes</strong> or if no parameter is specified: try to mount using an empty password and the keyfile before displaying password prompt.<br>
if it is followed by <strong>n </strong>or<strong> no</strong>: don't try to mount using an empty password and the keyfile, and display password prompt right away.</td>
</tr>
<tr>
<td><em>/nowaitdlg</em></td>
<td>If it is followed by <strong>y</strong> or <strong>yes</strong> or if no parameter is specified: don&rsquo;t display the waiting dialog while performing operations like mounting volumes.<br>
If it is followed by <strong>n</strong> or <strong>no</strong>: force the display waiting dialog is displayed while performing operations.</td>
</tr>
<tr>
<td><em>/secureDesktop</em></td>
<td>If it is followed by <strong>y</strong> or <strong>yes</strong> or if no parameter is specified: display password dialog and token PIN dialog in a dedicated secure desktop to protect against certain types of attacks.<br>
If it is followed by <strong>n</strong> or <strong>no</strong>: the password dialog and token PIN dialog are displayed in the normal desktop.</td>
</tr>
<tr>
<td><em>/tokenlib</em></td>
<td>It must be followed by a parameter indicating the PKCS #11 library to use for security tokens and smart cards. (e.g.: /tokenlib c:\pkcs11lib.dll)</td>
</tr>
<tr>
<td><em>/tokenpin</em></td>
<td>It must be followed by a parameter indicating the PIN to use in order to authenticate to the security token or smart card (e.g.: /tokenpin 0000). Warning: This method of entering a smart card PIN may be insecure, for example, when an unencrypted command
prompt history log is being saved to unencrypted disk.</td>
</tr>
<tr>
<td><em>/cache</em> or <em>/c</em></td>
<td>If it is followed by <strong>y</strong> or <strong>yes</strong> or if no parameter is specified: enable password cache;
<br>
If it is followed by <strong>p </strong>or<strong> pim</strong>: enable both password and PIM cache (e.g., /c p).<br>
If it is followed by <strong>n </strong>or<strong> no</strong>: disable password cache (e.g., /c n).<br>
If it is followed by <strong>f </strong>or<strong> favorites</strong>: temporary cache password when mounting multiple favorites&nbsp; (e.g., /c f).<br>
Note that turning the password cache off will not clear it (use /w to clear the password cache).</td>
</tr>
<tr>
<td><em>/history</em> or <em>/h</em></td>
<td>If it is followed by <strong>y</strong> or no parameter: enables saving history of mounted volumes; if it is followed by
<strong>n</strong>: disables saving history of mounted volumes (e.g., /h n).</td>
</tr>
<tr>
<td><em>/wipecache</em> or <em>/w</em></td>
<td>Wipes any passwords cached in the driver memory.</td>
</tr>
<tr>
<td><em>/password</em> or <em>/p</em></td>
<td>It must be followed by a parameter indicating the volume password. If the password contains spaces, it must be enclosed in quotation marks (e.g., /p &rdquo;My Password&rdquo;). Use /p &rdquo;&rdquo; to specify an empty password.
<em>Warning: This method of entering a volume password may be insecure, for example, when an unencrypted command prompt history log is being saved to unencrypted disk.</em></td>
</tr>
<tr>
<td><em>/pim</em></td>
<td>It must be followed by a positive integer indicating the PIM (Personal Iterations Multiplier) to use for the volume.</td>
</tr>
<tr>
<td><em>/quit</em> or <em>/q</em></td>
<td>Automatically perform requested actions and exit (main VeraCrypt window will not be displayed). If preferences is specified as the parameter (e.g., /q preferences), then program settings are loaded/saved and they override settings specified on the command
line. /q background launches the VeraCrypt Background Task (tray icon) unless it is disabled in the Preferences.</td>
</tr>
<tr>
<td><em>/silent</em> or <em>/s</em></td>
<td>If /q is specified, suppresses interaction with the user (prompts, error messages, warnings, etc.). If /q is not specified, this option has no effect.</td>
</tr>
<tr>
<td><em>/mountoption</em> or <em>/m</em></td>
<td>
<p>It must be followed by a parameter which can have one of the values indicated below.</p>
<p><strong>ro</strong> or<strong> readonly</strong>: Mount volume as read-only.</p>
<p><strong>rm</strong> or <strong>removable</strong>: Mount volume as removable medium (see section
<a href="Removable%20Medium%20Volume.html">
<em>Volume Mounted as Removable Medium</em></a>).</p>
<p><strong>ts</strong> or <strong>timestamp</strong>: Do not preserve container modification timestamp.</p>
<p><strong>sm</strong> or <strong>system</strong>: Without pre-boot authentication, mount a partition that is within the key scope of system encryption (for example, a partition located on the encrypted system drive of another operating system that is not running).
Useful e.g. for backup or repair operations. Note: If you supply a password as a parameter of /p, make sure that the password has been typed using the standard US keyboard layout (in contrast, the GUI ensures this automatically). This is required due to the
fact that the password needs to be typed in the pre-boot environment (before Windows starts) where non-US Windows keyboard layouts are not available.</p>
<p><strong>bk</strong> or <strong>headerbak</strong>: Mount volume using embedded backup header. Note: All volumes created by VeraCrypt contain an embedded backup header (located at the end of the volume).</p>
<p><strong>recovery</strong>: Do not verify any checksums stored in the volume header. This option should be used only when the volume header is damaged and the volume cannot be mounted even with the mount option headerbak. Example: /m ro</p>
<p><strong>label=LabelValue</strong>: Use the given string value <strong>LabelValue</strong> as a label of the mounted volume in Windows Explorer. The maximum length for
<strong>LabelValue&nbsp;</strong> is 32 characters for NTFS volumes and 11 characters for FAT volumes. For example,
<em>/m label=MyDrive</em> will set the label of the drive in Explorer to <em>MyDrive</em>.</p>
<p><strong>noattach</strong>: Only create virtual device without actually attaching the mounted volume to the selected drive letter.</p>
<p>Please note that this switch may be present several times in the command line in order to specify multiple mount options (e.g.: /m rm /m ts)</p>
</td>
</tr>
<tr>
<td><em>/DisableDeviceUpdate</em>&nbsp;</td>
<td>Disables periodic internel check on devices connected to the system that is used for handling favorites identified with VolumeID and replace it with on-demande checks.</td>
</tr>
<tr>
<td><em>/protectMemory</em>&nbsp;</td>
<td>Activates a mechanism that protects VeraCrypt process memory from being accessed by other non-admin processes.</td>
</tr>
<tr>
<td><em>/signalExit</em>&nbsp;</td>
<td>It must be followed by a parameter specifying the name of the signal to send to unblock a waiting <a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/waitfor" target="_blank">WAITFOR.EXE</a> command when VeraCrypt exists.<br>
The name of signal must be the same as the one specified to WAITFOR.EXE command (e.g."veracrypt.exe /q /v test.hc /l Z /signal SigName" followed by "waitfor.exe SigName"<br>
This switch is ignored if /q is not specified</td>
</tr>
</tbody>
</table>
<h4>VeraCrypt Format.exe (VeraCrypt Volume Creation Wizard):</h4>
<table border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td>/create</td>
<td>Create a container based volume in command line mode. It must be followed by the file name of the container to be created.</td>
</tr>
<tr>
<td>/size</td>
<td>
<p>(Only with /create)<br>
It must be followed by a parameter indicating the size of the container file that will be created. This parameter is a number indicating the size in Bytes. It can have a suffixe 'K', 'M', 'G' or 'T' to indicate that the value is in Kilobytes, Megabytes, Gigabytes
or Terabytes respectively. For example:</p>
<ul>
<li>/size 5000000: the container size will be 5000000 bytes </li><li>/size 25K: the container size will be 25 KiloBytes. </li><li>/size 100M: the container size will be 100 MegaBytes. </li><li>/size 2G: the container size will be 2 GigaBytes. </li><li>/size 1T: the container size will be 1 TeraBytes. </li></ul>
</td>
</tr>
<tr>
<td>&nbsp;/password</td>
<td>&nbsp;(Only with /create)<br>
It must be followed by a parameter indicating the password of the container that will be created.</td>
</tr>
<tr>
<td>&nbsp;/keyfile or /k</td>
<td>&nbsp;(Only with /create)<br>
It must be followed by a parameter specifying a keyfile or a keyfile search path. For multiple keyfiles, specify e.g.: /k c:\keyfile1.dat /k d:\KeyfileFolder /k c:\kf2 To specify a keyfile stored on a security token or smart card, use the following syntax:
token://slot/SLOT_NUMBER/file/FILE_NAME</td>
</tr>
<tr>
<td><em>/tokenlib</em></td>
<td>&nbsp;(Only with /create)<br>
It must be followed by a parameter indicating the PKCS #11 library to use for security tokens and smart cards. (e.g.: /tokenlib c:\pkcs11lib.dll)</td>
</tr>
<tr>
<td><em>/tokenpin</em></td>
<td>&nbsp;(Only with /create)<br>
It must be followed by a parameter indicating the PIN to use in order to authenticate to the security token or smart card (e.g.: /tokenpin 0000). Warning: This method of entering a smart card PIN may be insecure, for example, when an unencrypted command
prompt history log is being saved to unencrypted disk.</td>
</tr>
<tr>
<td>&nbsp;<em>/hash</em></td>
<td>(Only with /create)<br>
It must be followed by a parameter indicating the PRF hash algorithm to use when creating the volume. It has the same syntax as VeraCrypt.exe.</td>
</tr>
<tr>
<td>/encryption</td>
<td>(Only with /create)<br>
It must be followed by a parameter indicating the encryption algorithm to use. The default is AES if this switch is not specified. The parameter can have the following values (case insensitive):
<ul>
<li>AES </li><li>Serpent </li><li>Twofish </li><li>Camellia </li><li>Kuznyechik </li><li>AES(Twofish) </li><li>AES(Twofish(Serpent)) </li><li>Serpent(AES) </li><li>Serpent(Twofish(AES)) </li><li>Twofish(Serpent) </li>
<li>Camellia(Kuznyechik) </li>
<li>Kuznyechik(Twofish) </li>
<li>Camellia(Serpent) </li>
<li>Kuznyechik(AES) </li>
<li>Kuznyechik(Serpent(Camellia)) </li>
</ul>
</td>
</tr>
<tr>
<td>/filesystem</td>
<td>(Only with /create)<br>
It must be followed by a parameter indicating the file system to use for the volume. The parameter can have the following values:
<ul>
<li>None: don't use any filesystem </li><li>FAT: format using FAT/FAT32 </li><li>NTFS: format using NTFS. Please note that in this case a UAC prompt will be displayed unless the process is run with full administrative privileges.
</li>
<li>ExFAT: format using ExFAT. This switch is available starting from Windows Vista SP1 </li>
<li>ReFS: format using ReFS. This switch is available starting from Windows 10 </li>
</ul>
</td>
</tr>
<tr>
<td>/dynamic</td>
<td>(Only with /create)<br>
It has no parameters and it indicates that the volume will be created as a dynamic volume.</td>
</tr>
<tr>
<td>/force</td>
<td>(Only with /create)<br>
It has no parameters and it indicates that overwrite will be forced without requiring user confirmation.</td>
</tr>
<tr>
<td>/silent</td>
<td>(Only with /create)<br>
It has no parameters and it indicates that no message box or dialog will be displayed to the user. If there is any error, the operation will fail silently.</td>
</tr>
<tr>
<td><em>/noisocheck</em> or <em>/n</em></td>
<td>Do not verify that VeraCrypt Rescue Disks are correctly burned. <strong>WARNING</strong>: Never attempt to use this option to facilitate the reuse of a previously created VeraCrypt Rescue Disk. Note that every time you encrypt a system partition/drive,
you must create a new VeraCrypt Rescue Disk even if you use the same password. A previously created VeraCrypt Rescue Disk cannot be reused as it was created for a different master key.</td>
</tr>
<tr>
<td>/nosizecheck</td>
<td>Don't check that the given size of the file container is smaller than the available disk free. This applies to both UI and command line.</td>
</tr>
<tr>
<td>/quick</td>
<td>Perform quick formatting of volumes instead of full formatting. This applies to both UI and command line.</td>
</tr>
<tr>
<td>/FastCreateFile</td>
<td>Use a faster but potentially insecure way to create file containers. This applies to both UI and command line.</td>
</tr>
<tr>
<td><em>/protectMemory</em>&nbsp;</td>
<td>Activates a mechanism that protects VeraCrypt Format process memory from being accessed by other non-admin processes.</td>
</tr>
<tr>
<td><em>/secureDesktop</em></td>
<td>If it is followed by <strong>y</strong> or <strong>yes</strong> or if no parameter is specified: display password dialog and token PIN dialog in a dedicated secure desktop to protect against certain types of attacks.<br>
If it is followed by <strong>n</strong> or <strong>no</strong>: the password dialog and token PIN dialog are displayed in the normal desktop.</td>
</tr>
</tbody>
</table>
<h4>Syntax</h4>
-<p>VeraCrypt.exe [/tc] [/hash {sha256|sha-256|sha512|sha-512|whirlpool |ripemd160|ripemd-160}][/a [devices|favorites]] [/b] [/c [y|n|f]] [/d [drive letter]] [/e] [/f] [/h [y|n]] [/k keyfile or search path] [tryemptypass [y|n]] [/l drive letter] [/m {bk|rm|recovery|ro|sm|ts|noattach}]
+<p>VeraCrypt.exe [/tc] [/hash {sha256|sha-256|sha512|sha-512|whirlpool |blake2s|blake2s-256}][/a [devices|favorites]] [/b] [/c [y|n|f]] [/d [drive letter]] [/e] [/f] [/h [y|n]] [/k keyfile or search path] [tryemptypass [y|n]] [/l drive letter] [/m {bk|rm|recovery|ro|sm|ts|noattach}]
[/p password] [/pim pimvalue] [/q [background|preferences]] [/s] [/tokenlib path] [/v volume] [/w]</p>
-<p>&quot;VeraCrypt Format.exe&quot; [/n] [/create] [/size number[{K|M|G|T}]] [/p password]&nbsp; [/encryption {AES | Serpent | Twofish | Camellia | Kuznyechik | AES(Twofish) | AES(Twofish(Serpent)) | Serpent(AES) | Serpent(Twofish(AES)) | Twofish(Serpent) | Camellia(Kuznyechik) | Kuznyechik(Twofish) | Camellia(Serpent) | Kuznyechik(AES) | Kuznyechik(Serpent(Camellia))}] [/hash {sha256|sha-256|sha512|sha-512|whirlpool|ripemd160|ripemd-160}]
+<p>&quot;VeraCrypt Format.exe&quot; [/n] [/create] [/size number[{K|M|G|T}]] [/p password]&nbsp; [/encryption {AES | Serpent | Twofish | Camellia | Kuznyechik | AES(Twofish) | AES(Twofish(Serpent)) | Serpent(AES) | Serpent(Twofish(AES)) | Twofish(Serpent) | Camellia(Kuznyechik) | Kuznyechik(Twofish) | Camellia(Serpent) | Kuznyechik(AES) | Kuznyechik(Serpent(Camellia))}] [/hash {sha256|sha-256|sha512|sha-512|whirlpool|blake2s|blake2s-256}]
[/filesystem {None|FAT|NTFS|ExFAT|ReFS}] [/dynamic] [/force] [/silent] [/noisocheck] [FastCreateFile] [/quick]</p>
<p>Note that the order in which options are specified does not matter.</p>
<h4>Examples</h4>
<p>Mount the volume <em>d:\myvolume</em> as the first free drive letter, using the password prompt (the main program window will not be displayed):</p>
<p>veracrypt /q /v d:\myvolume</p>
<p>Dismount a volume mounted as the drive letter <em>X</em> (the main program window will not be displayed):</p>
<p>veracrypt /q /d x</p>
<p>Mount a volume called <em>myvolume.tc</em> using the password <em>MyPassword</em>, as the drive letter
<em>X</em>. VeraCrypt will open an explorer window and beep; mounting will be automatic:</p>
<p>veracrypt /v myvolume.tc /l x /a /p MyPassword /e /b</p>
<p>Create a 10 MB file container using the password <em>test</em> and formatted using FAT:</p>
<p><code>&quot;C:\Program Files\VeraCrypt\VeraCrypt Format.exe&quot; /create c:\Data\test.hc /password test /hash sha512 /encryption serpent /filesystem FAT /size 10M /force</code></p>
</div>
</div><div class="ClearBoth"></div></body></html>
diff --git a/doc/html/Documentation.html b/doc/html/Documentation.html
index 5626301b..f9315c22 100644
--- a/doc/html/Documentation.html
+++ b/doc/html/Documentation.html
@@ -1,147 +1,147 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
<meta name="keywords" content="encryption, security"/>
<link href="styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div>
<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
</div>
<div id="menu">
<ul>
<li><a href="Home.html">Home</a></li>
<li><a href="/code/">Source Code</a></li>
<li><a href="Downloads.html">Downloads</a></li>
<li><a class="active" href="Documentation.html">Documentation</a></li>
<li><a href="Donation.html">Donate</a></li>
<li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
</ul>
</div>
<div class="wikidoc">
<h1>Table of Contents</h1>
<p><em style="text-align:left">This documentation is not guaranteed to be error-free and is provided &quot;as is&quot; without warranty of any kind. For more information, see
<a href="Disclaimers.html">Disclaimers</a>.</em></p>
<ul>
<li><a title="Preface" href="Preface.html"><strong>Preface</strong></a>
</li><li><strong><a href="Introduction.html">Introduction</a></strong>
</li><li><strong><a href="Beginner%27s%20Tutorial.html">Beginner's Tutorial</a></strong>
</li><li><strong><a href="VeraCrypt%20Volume.html">VeraCrypt Volume</a></strong>
<ul>
<li><a href="Creating%20New%20Volumes.html">Creating a New VeraCrypt Volume</a>
</li><li><a href="Favorite%20Volumes.html">Favorite Volumes</a>
</li><li><a href="System%20Favorite%20Volumes.html">System Favorite Volumes</a>
</li></ul>
</li><li><strong><a href="System%20Encryption.html">System Encryption</a></strong>
<ul>
<li><a href="Hidden%20Operating%20System.html">Hidden Operating System</a>
</li><li><a href="Supported%20Systems%20for%20System%20Encryption.html">Operating Systems Supported for System Encryption</a>
</li><li><a href="VeraCrypt%20Rescue%20Disk.html">VeraCrypt Rescue Disk</a>
</li></ul>
</li><li><strong><a href="Plausible%20Deniability.html">Plausible Deniability</a></strong><br>
<ul>
<li><a href="Hidden%20Volume.html">Hidden Volume</a>
<ul>
<li><a href="Protection%20of%20Hidden%20Volumes.html">Protection of Hidden Volumes Against Damage</a>
</li><li><a href="Security%20Requirements%20for%20Hidden%20Volumes.html">Security Requirements and Precautions Pertaining to Hidden Volumes</a>
</li></ul>
</li><li><a href="VeraCrypt%20Hidden%20Operating%20System.html">Hidden Operating System</a>
</li></ul>
</li><li><strong><a href="Main%20Program%20Window.html">Main Program Window</a></strong>
<ul>
<li><a href="Program%20Menu.html">Program Menu</a>
</li><li><a href="Mounting%20VeraCrypt%20Volumes.html">Mounting Volumes</a>
</li></ul>
</li><li><strong><a href="Parallelization.html">Parallelization</a></strong>
</li><li><strong><a href="Pipelining.html">Pipelining</a></strong>
</li><li><strong><a href="Hardware%20Acceleration.html">Hardware acceleration</a></strong>
</li><li><strong><a href="Hot%20Keys.html">Hot keys</a></strong>
</li><li><strong><a href="Keyfiles%20in%20VeraCrypt.html">Keyfiles</a></strong>
</li><li><strong><a href="Security%20Tokens%20%26%20Smart%20Cards.html">Security Tokens &amp; Smart Cards</a></strong>
</li><li><strong><a href="Portable%20Mode.html">Portable Mode</a></strong>
</li><li><strong><a href="TrueCrypt%20Support.html">TrueCrypt Support</a></strong>
</li><li><strong><a href="Converting%20TrueCrypt%20volumes%20and%20partitions.html">Converting TrueCrypt Volumes &amp; Partitions</a></strong>
</li><li><strong><a href="Default%20Mount%20Parameters.html">Default Mount Parameters</a></strong>
</li><li><strong><a href="Language%20Packs.html">Language Packs</a></strong>
</li><li><strong><a href="Encryption%20Algorithms.html">Encryption Algorithms</a></strong>
<ul>
<li><a href="AES.html">AES</a> </li><li><a href="Camellia.html">Camellia</a>
</li><li><a href="Kuznyechik.html">Kuznyechik</a>
</li><li><a href="Serpent.html">Serpent</a> </li><li><a href="Twofish.html">Twofish</a> </li><li><a href="Cascades.html">Cascades of ciphers</a>
</li></ul>
</li><li><strong><a href="Hash%20Algorithms.html">Hash Algorithms</a></strong>
<ul>
-<li><a href="RIPEMD-160.html">RIPEMD-160</a>
+<li><a href="BLAKE2s-256.html">BLAKE2s-256</a>
</li><li><a href="SHA-256.html">SHA-256</a> </li><li><a href="SHA-512.html">SHA-512</a> </li><li><a href="Whirlpool.html">Whirlpool</a>
</li><li><a href="Streebog.html">Streebog</a></li></ul>
</li><li><strong><a href="Supported%20Operating%20Systems.html">Supported Operating Systems</a></strong>
</li><li><strong><a href="Command%20Line%20Usage.html">Command Line Usage</a></strong>
</li><li><strong><a href="Security%20Model.html">Security Model</a></strong>
</li><li><strong><a href="Security%20Requirements%20and%20Precautions.html">Security Requirements And Precautions<br>
</a></strong>
<ul>
<li><a href="Data%20Leaks.html">Data Leaks</a>
<ul>
<li><a href="Paging%20File.html">Paging File</a>
</li><li><a href="Memory%20Dump%20Files.html">Memory Dump Files</a>
</li><li><a href="Hibernation%20File.html">Hibernation File</a>
</li></ul>
</li><li><a href="Unencrypted%20Data%20in%20RAM.html">Unencrypted Data in RAM</a>
</li><li><a href="Physical%20Security.html">Physical Security</a>
</li><li><a href="Malware.html">Malware</a> </li><li><a href="Multi-User%20Environment.html">Multi-User Environment</a>
</li><li><a href="Authenticity%20and%20Integrity.html">Authenticity and Integrity</a>
</li><li><a href="Choosing%20Passwords%20and%20Keyfiles.html">Choosing Passwords and Keyfiles</a>
</li><li><a href="Changing%20Passwords%20and%20Keyfiles.html">Changing Passwords and Keyfiles</a>
</li><li><a href="Trim%20Operation.html">Trim Operation</a>
</li><li><a href="Wear-Leveling.html">Wear-Leveling</a>
</li><li><a href="Reallocated%20Sectors.html">Reallocated Sectors</a>
</li><li><a href="Defragmenting.html">Defragmenting</a>
</li><li><a href="Journaling%20File%20Systems.html">Journaling File Systems</a>
</li><li><a href="Volume%20Clones.html">Volume Clones</a>
</li><li><a href="Additional%20Security%20Requirements%20and%20Precautions.html">Additional Security Requirements and Precautions</a>
</li></ul>
</li><li><strong><a href="How%20to%20Back%20Up%20Securely.html">How To Back Up Securely</a></strong>
</li><li><strong><a href="Miscellaneous.html">Miscellaneous</a></strong>
<ul>
<li><a href="Using%20VeraCrypt%20Without%20Administrator%20Privileges.html">Using VeraCrypt Without Administrator Privileges</a>
</li><li><a href="Sharing%20over%20Network.html">Sharing Over Network</a>
</li><li><a href="VeraCrypt%20Background%20Task.html">VeraCrypt Background Task</a>
</li><li><a href="Removable%20Medium%20Volume.html">Volume Mounted as Removable Medium</a>
</li><li><a href="VeraCrypt%20System%20Files.html">VeraCrypt System Files &amp; Application Data</a>
</li><li><a href="Removing%20Encryption.html">How To Remove Encryption</a>
</li><li><a href="Uninstalling%20VeraCrypt.html">Uninstalling VeraCrypt</a>
</li><li><a href="Digital%20Signatures.html">Digital Signatures</a>
</li></ul>
</li><li><strong><a href="Troubleshooting.html">Troubleshooting</a></strong>
</li><li><strong><a href="Incompatibilities.html">Incompatibilities</a></strong>
</li><li><strong><a href="Issues%20and%20Limitations.html">Known Issues and Limitations</a></strong>
</li><li><strong><a href="FAQ.html">Frequently Asked Questions</a></strong>
</li><li><strong><a href="Technical%20Details.html">Technical Details</a></strong>
<ul>
<li><a href="Notation.html">Notation</a>
</li><li><a href="Encryption%20Scheme.html">Encryption Scheme</a>
</li><li><a href="Modes%20of%20Operation.html">Modes of Operation</a>
</li><li><a href="Header%20Key%20Derivation.html">Header Key Derivation, Salt, and Iteration Count</a>
</li><li><a href="Random%20Number%20Generator.html">Random Number Generator</a>
</li><li><a href="Keyfiles.html">Keyfiles</a>
</li><li><a title="PIM" href="Personal%20Iterations%20Multiplier%20(PIM).html">PIM</a>
</li><li><a href="VeraCrypt%20Volume%20Format%20Specification.html">VeraCrypt Volume Format Specification</a>
</li><li><a href="Standard%20Compliance.html">Compliance with Standards and Specifications</a>
</li><li><a href="Source%20Code.html">Source Code</a>
</li></ul>
</li><li><strong><a href="Contact.html">Contact</a></strong>
</li><li><strong><a href="Legal%20Information.html">Legal Information</a></strong>
</li><li><strong><a href="Release%20Notes.html">Version History</a></strong>
</li><li><strong><a href="Acknowledgements.html">Acknowledgements</a></strong>
</li><li><strong><a href="References.html">References</a></strong>
</li></ul>
</div>
</body></html>
diff --git a/doc/html/Encryption Scheme.html b/doc/html/Encryption Scheme.html
index e159c7e8..88c586a2 100644
--- a/doc/html/Encryption Scheme.html
+++ b/doc/html/Encryption Scheme.html
@@ -1,89 +1,89 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
<meta name="keywords" content="encryption, security"/>
<link href="styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div>
<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
</div>
<div id="menu">
<ul>
<li><a href="Home.html">Home</a></li>
<li><a href="/code/">Source Code</a></li>
<li><a href="Downloads.html">Downloads</a></li>
<li><a class="active" href="Documentation.html">Documentation</a></li>
<li><a href="Donation.html">Donate</a></li>
<li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
</ul>
</div>
<div>
<p>
<a href="Documentation.html">Documentation</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Technical%20Details.html">Technical Details</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Encryption%20Scheme.html">Encryption Scheme</a>
</p></div>
<div class="wikidoc">
<h1>Encryption Scheme</h1>
<p>When mounting a VeraCrypt volume (assume there are no cached passwords/keyfiles) or when performing pre-boot authentication, the following steps are performed:</p>
<ol>
<li>The first 512 bytes of the volume (i.e., the standard volume header) are read into RAM, out of which the first 64 bytes are the salt (see
<a href="VeraCrypt%20Volume%20Format%20Specification.html">
<em>VeraCrypt Volume Format Specification</em></a>). For system encryption (see the chapter
<a href="System%20Encryption.html"><em>System Encryption</em></a>), the last 512 bytes of the first logical drive track are read into RAM (the VeraCrypt Boot Loader is stored in the first track of the system drive and/or
on the VeraCrypt Rescue Disk). </li><li>Bytes 65536&ndash;66047 of the volume are read into RAM (see the section <a href="VeraCrypt%20Volume%20Format%20Specification.html">
<em>VeraCrypt Volume Format Specification</em></a>). For system encryption, bytes 65536&ndash;66047 of the first partition located behind the active partition* are read (see the section
<a href="Hidden%20Operating%20System.html">
Hidden Operating System</a>). If there is a hidden volume within this volume (or within the partition behind the boot partition), we have read its header at this point; otherwise, we have just read random data (whether or not there is a hidden volume within
it has to be determined by attempting to decrypt this data; for more information see the section
<a href="Hidden%20Volume.html"><em>Hidden Volume</em></a>).
</li><li>Now VeraCrypt attempts to decrypt the standard volume header read in (1). All data used and generated in the course of the process of decryption are kept in RAM (VeraCrypt never saves them to disk). The following parameters are unknown&dagger; and have
to be determined through the process of trial and error (i.e., by testing all possible combinations of the following):
<ol type="a">
<li>PRF used by the header key derivation function (as specified in PKCS #5 v2.0; see the section
<a href="Header%20Key%20Derivation.html">
<em>Header Key Derivation, Salt, and Iteration Count</em></a>), which can be one of the following:
-<p>HMAC-SHA-512, HMAC-SHA-256, HMAC-RIPEMD-160, HMAC-Whirlpool. If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.</p>
+<p>HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool. If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.</p>
<p>A password entered by the user (to which one or more keyfiles may have been applied &ndash; see the section
<a href="Keyfiles%20in%20VeraCrypt.html">
<em>Keyfiles</em></a>), a PIM value (if specified) and the salt read in (1) are passed to the header key derivation function, which produces a sequence of values (see the section
<a href="Header%20Key%20Derivation.html">
<em>Header Key Derivation, Salt, and Iteration Count</em></a>) from which the header encryption key and secondary header key (XTS mode) are formed. (These keys are used to decrypt the volume header.)</p>
</li><li>Encryption algorithm: AES-256, Serpent, Twofish, AES-Serpent, AES-Twofish- Serpent, etc.
</li><li>Mode of operation: only XTS is supported </li><li>Key size(s) </li></ol>
</li><li>Decryption is considered successful if the first 4 bytes of the decrypted data contain the ASCII string &ldquo;VERA&rdquo;, and if the CRC-32 checksum of the last 256 bytes of the decrypted data (volume header) matches the value located at byte #8 of the
decrypted data (this value is unknown to an adversary because it is encrypted &ndash; see the section
<a href="VeraCrypt%20Volume%20Format%20Specification.html">
<em>VeraCrypt Volume Format Specification</em></a>). If these conditions are not met, the process continues from (3) again, but this time, instead of the data read in (1), the data read in (2) are used (i.e., possible hidden volume header). If the conditions
are not met again, mounting is terminated (wrong password, corrupted volume, or not a VeraCrypt volume).
</li><li>Now we know (or assume with very high probability) that we have the correct password, the correct encryption algorithm, mode, key size, and the correct header key derivation algorithm. If we successfully decrypted the data read in (2), we also know that
we are mounting a hidden volume and its size is retrieved from data read in (2) decrypted in (3).
</li><li>The encryption routine is reinitialized with the primary master key** and the secondary master key (XTS mode &ndash; see the section
<a href="Modes%20of%20Operation.html"><em>Modes of Operation</em></a>), which are retrieved from the decrypted volume header (see the section
<a href="VeraCrypt%20Volume%20Format%20Specification.html">
<em>VeraCrypt Volume Format Specification</em></a>). These keys can be used to decrypt any sector of the volume, except the volume header area (or the key data area, for system encryption), which has been encrypted using the header keys. The volume is mounted.
</li></ol>
<p>See also section <a href="Modes%20of%20Operation.html">
<em>Modes of Operation</em></a> and section <a href="Header%20Key%20Derivation.html">
<em>Header Key Derivation, Salt, and Iteration Count</em></a> and also the chapter
<a href="Security%20Model.html"><em>Security Model</em></a>.</p>
<p>* If the size of the active partition is less than 256 MB, then the data is read from the
<em>second</em> partition behind the active one (Windows 7 and later, by default, do not boot from the partition on which they are installed).</p>
<p>&dagger; These parameters are kept secret <em>not</em> in order to increase the complexity of an attack, but primarily to make VeraCrypt volumes unidentifiable (indistinguishable from random data), which would be difficult to achieve if these parameters
were stored unencrypted within the volume header. Also note that in the case of legacy MBR boot mode, if a non-cascaded encryption algorithm is used for system encryption, the algorithm
<em>is</em> known (it can be determined by analyzing the contents of the unencrypted VeraCrypt Boot Loader stored in the first logical drive track or on the VeraCrypt Rescue Disk).</p>
<p>** The master keys were generated during the volume creation and cannot be changed later. Volume password change is accomplished by re-encrypting the volume header using a new header key (derived from a new password).</p>
<p>&nbsp;</p>
<p><a href="Modes%20of%20Operation.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section &gt;&gt;</a></p>
</div><div class="ClearBoth"></div></body></html>
diff --git a/doc/html/FAQ.html b/doc/html/FAQ.html
index 8b2fabc7..24e2cc57 100644
--- a/doc/html/FAQ.html
+++ b/doc/html/FAQ.html
@@ -1,734 +1,725 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
<meta name="keywords" content="encryption, security"/>
<link href="styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div>
<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
</div>
<div id="menu">
<ul>
<li><a href="Home.html">Home</a></li>
<li><a href="/code/">Source Code</a></li>
<li><a href="Downloads.html">Downloads</a></li>
<li><a class="active" href="Documentation.html">Documentation</a></li>
<li><a href="Donation.html">Donate</a></li>
<li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
</ul>
</div>
<div>
<p>
<a href="Documentation.html">Documentation</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="FAQ.html">Frequently Asked Questions</a>
</p></div>
<div class="wikidoc">
<h1>Frequently Asked Questions</h1>
<div style="text-align:left; margin-bottom:19px; padding-top:0px; padding-bottom:0px; margin-top:0px">
Last Updated July 2nd, 2017</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<em style="text-align:left">This document is not guaranteed to be error-free and is provided &quot;as is&quot; without warranty of any kind. For more information, see
<a href="Disclaimers.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Disclaimers</a>.</em></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong style="text-align:left">Can TrueCrypt and VeraCrypt be running on the same machine?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. There are generally no conflicts between TrueCrypt and VeraCrypt, thus they can be installed and used on the same machine. On Windows however, if they are both used to mount the same volume, two drives may appear when mounting it. This can be solved by
running the following command in an elevated command prompt (using Run as an administrator) before mounting any volume:
<strong>mountvol.exe /r</strong>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong style="text-align:left">Can I use my TrueCrypt volumes in VeraCrypt?</strong></div>
Yes. Starting from version 1.0f, VeraCrypt supports mounting TrueCrypt volumes.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong style="text-align:left">Can I convert my TrueCrypt volumes to VeraCrypt format?</strong></div>
Yes. Starting from version 1.0f, VeraCrypt offers the possibility to convert TrueCrypt containers and non-system partitions to VeraCrypt format. This can achieved using the &quot;Change Volume Password&quot; or &quot;Set Header Key Derivation Algorithm&quot; actions. Just check
the &quot;TrueCrypt Mode&quot;, enter you TrueCrypt password and perform the operation. After that, you volume will have the VeraCrypt format.<br>
Before doing the conversion, it is advised to backup the volume header using TrueCrypt. You can delete this backup safely once the conversion is done and after checking that the converted volume is mounted properly by VeraCrypt.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong style="text-align:left">What's the difference between TrueCrypt and VeraCrypt?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
VeraCrypt adds enhanced security to the algorithms used for system and partitions encryption making it immune to new developments in brute-force attacks.<br>
It also solves many vulnerabilities and security issues found in TrueCrypt.<br>
As an example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use
<span style="text-decoration:underline">327661</span>. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses
-<span style="text-decoration:underline">655331 </span>for RIPEMD160 and <span style="text-decoration:underline">
-500000 </span>iterations for SHA-2 and Whirlpool.<br>
+<span style="text-decoration:underline">500000 </span>iterations.<br>
This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. This is acceptable to the legitimate owner but it makes it much harder for an attacker to gain access to the encrypted
data.</div>
</div>
<br id="PasswordLost" style="text-align:left">
<strong style="text-align:left">I forgot my password &ndash; is there any way ('backdoor') to recover the files from my VeraCrypt volume?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
We have not implemented any 'backdoor' in VeraCrypt (and will never implement any even if asked to do so by a government agency), because it would defeat the purpose of the software. VeraCrypt does not allow decryption of data without knowing the correct password
or key. We cannot recover your data because we do not know and cannot determine the password you chose or the key you generated using VeraCrypt. The only way to recover your files is to try to &quot;crack&quot; the password or the key, but it could take thousands or
millions of years (depending on the length and quality of the password or keyfiles, on the software/hardware performance, algorithms, and other factors). Back in 2010, there was news about the
<a href="http://www.webcitation.org/query?url=g1.globo.com/English/noticia/2010/06/not-even-fbi-can-de-crypt-files-daniel-dantas.html" target="_blank">
FBI failing to decrypt a TrueCrypt volume after a year of trying</a>. While we can't verify if this is true or just a &quot;psy-op&quot; stunt, in VeraCrypt we have increased the security of the key derivation to a level where any brute-force of the password is virtually
impossible, provided that all security requirements are respected.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Is there a &quot;Quick Start Guide&quot; or some tutorial for beginners?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. The first chapter, <strong style="text-align:left"><a href="Beginner%27s%20Tutorial.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">Beginner's Tutorial</a></strong>, in the VeraCrypt
User Guide contains screenshots and step-by-step instructions on how to create, mount, and use a VeraCrypt volume.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can I encrypt a partition/drive where Windows is installed?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, see the chapter <a href="System%20Encryption.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
System Encryption</a> in the VeraCrypt User Guide.</div>
<div id="BootingHang" style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong>The system encryption Pre Test fails because the bootloader hangs with the messaging &quot;booting&quot; after successfully verifying the password. How to make the Pre Test succeed?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
There two known workarounds for this issue (Both require having a Windows Installation disk):</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<ol>
<li>Boot your machine using a Windows Installation disk and select to repair your computer. Choose &quot;Command Prompt&quot; option and when it opens, type the commands below and then restart your system:
<ul>
<li>BootRec /fixmbr </li><li>BootRec /FixBoot </li></ul>
</li><li>Delete the 100 MB System Reserved partition located at the beginning of your drive and set the system partition next to it as the active partition (both can be done using diskpart utility available in Windows Installation disk repair option). After that,
run Startup Repair after rebooting on Windows Installation disk. The following link contains detailed instructions:
<a href="https://www.sevenforums.com/tutorials/71363-system-reserved-partition-delete.html" target="_blank">
https://www.sevenforums.com/tutorials/71363-system-reserved-partition-delete.html</a>
</li></ol>
</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<div id="PreTestFail" style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong>The system encryption Pre Test fails even though the password was correctly entered in the bootloader. How to make the Pre Test succeed?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
This can be caused by the TrueCrypt driver that clears BIOS memory before VeraCrypt is able to read it. In this case, uninstalling TrueCrypt solves the issue.<br>
This can also be caused by some hardware drivers and other software that access BIOS memory. There is no generic solution for this and affected users should identify such software and remove it from the system.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can I directly play a video (.avi, .mpg, etc.) stored on a VeraCrypt volume?</strong></div>
</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, VeraCrypt-encrypted volumes are like normal disks. You provide the correct password (and/or keyfile) and mount (open) the VeraCrypt volume. When you double click the icon of the video file, the operating system launches the application associated with
the file type &ndash; typically a media player. The media player then begins loading a small initial portion of the video file from the VeraCrypt-encrypted volume to RAM (memory) in order to play it. While the portion is being loaded, VeraCrypt is automatically
decrypting it (in RAM). The decrypted portion of the video (stored in RAM) is then played by the media player. While this portion is being played, the media player begins loading another small portion of the video file from the VeraCrypt-encrypted volume to
RAM (memory) and the process repeats.<br style="text-align:left">
<br style="text-align:left">
The same goes for video recording: Before a chunk of a video file is written to a VeraCrypt volume, VeraCrypt encrypts it in RAM and then writes it to the disk. This process is called on-the-fly encryption/decryption and it works for all file types (not only
for video files).</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Will VeraCrypt be open-source and free forever?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, it will. We will never create a commercial version of VeraCrypt, as we believe in open-source and free security software.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Is it possible to donate to the VeraCrypt project?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. You can use the donation buttons at <a href="https://www.veracrypt.fr/en/Donation.html" target="_blank">
https://www.veracrypt.fr/en/Donation.html</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Why is VeraCrypt open-source? What are the advantages?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
As the source code for VeraCrypt is publicly available, independent researchers can verify that the source code does not contain any security flaw or secret 'backdoor'. If the source code were not available, reviewers would need to reverse-engineer the executable
files. However, analyzing and understanding such reverse-engineered code is so difficult that it is practically
<em style="text-align:left">impossible</em> to do (especially when the code is as large as the VeraCrypt code).<br style="text-align:left">
<br style="text-align:left">
Remark: A similar problem also affects cryptographic hardware (for example, a self-encrypting storage device). It is very difficult to reverse-engineer it to verify that it does not contain any security flaw or secret 'backdoor'.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">VeraCrypt is open-source, but has anybody actually reviewed the source code?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. An <a href="http://blog.quarkslab.com/security-assessment-of-veracrypt-fixes-and-evolutions-from-truecrypt.html" target="_blank">
audit</a> has been performed by <a href="https://quarkslab.com/" target="_blank">
Quarkslab</a>. The technical report can be downloaded from <a href="http://blog.quarkslab.com/resources/2016-10-17-audit-veracrypt/16-08-215-REP-VeraCrypt-sec-assessment.pdf">here</a>. VeraCrypt 1.19 addressed the issues found by this audit.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">As VeraCrypt is open-source software, independent researchers can verify that the source code does not contain any security flaw or secret 'backdoor'. Can they also verify that the official executable files were built from the
published source code and contain no additional code?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, they can. In addition to reviewing the source code, independent researchers can compile the source code and compare the resulting executable files with the official ones. They may find some differences (for example, timestamps or embedded digital signatures)
but they can analyze the differences and verify that they do not form malicious code.</div>
<div id="UsbFlashDrive" style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">How can I use VeraCrypt on a USB flash drive? </strong>
</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
You have three options:</div>
<ol style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Encrypt the entire USB flash drive. However, you will not be able run VeraCrypt from the USB flash drive.
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Create two or more partitions on your USB flash drive. Leave the first partition non encrypted and encrypt the other partition(s). You can store VeraCrypt on the first partition in order to run it directly from the USB flash drive.<br style="text-align:left">
Note: Windows can only access the primary partition of a USB flash drive, nevertheless the extra partitions remain accessible through VeraCrypt.
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Create a VeraCrypt file container on the USB flash drive (for information on how to do so, see the chapter
<strong style="text-align:left"><a href="Beginner%27s%20Tutorial.html" style="text-align:left; color:#0080c0; text-decoration:none.html">Beginner's Tutorial</a></strong>, in the
<a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
VeraCrypt User Guide</a>). If you leave enough space on the USB flash drive (choose an appropriate size for the VeraCrypt container), you will also be able to store VeraCrypt on the USB flash drive (along with the container &ndash; not
<em style="text-align:left">in</em> the container) and you will be able to run VeraCrypt from the USB flash drive (see also the chapter
<a href="Portable%20Mode.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Portable Mode</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
VeraCrypt User Guide</a>). </li></ol>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Does VeraCrypt also encrypt file names and folder names?
</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. The entire file system within a VeraCrypt volume is encrypted (including file names, folder names, and contents of every file). This applies to both types of VeraCrypt volumes &ndash; i.e., to file containers (virtual VeraCrypt disks) and to VeraCrypt-encrypted
partitions/devices.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Does VeraCrypt use parallelization?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. Increase in encryption/decryption speed is directly proportional to the number of cores/processors your computer has. For more information, please see the chapter
<a href="Parallelization.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Parallelization</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
documentation</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can data be read from and written to an encrypted volume/drive as fast as if the drive was not encrypted?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, since VeraCrypt uses pipelining and parallelization. For more information, please see the chapters
<a href="Pipelining.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Pipelining</a> and <a href="Parallelization.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Parallelization</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" style="text-align:left; color:#0080c0; text-decoration:none">
documentation</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Does VeraCrypt support hardware-accelerated encryption?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. For more information, please see the chapter <a href="Hardware%20Acceleration.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Hardware Acceleration</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
documentation</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Is it possible to boot Windows installed in a hidden VeraCrypt volume?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, it is. For more information, please see the section <a href="Hidden%20Operating%20System.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Hidden Operating System</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
documentation</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Will I be able to mount my VeraCrypt volume (container) on any computer?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, <a href="VeraCrypt%20Volume.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
VeraCrypt volumes</a> are independent of the operating system. You will be able to mount your VeraCrypt volume on any computer on which you can run VeraCrypt (see also the question '<em style="text-align:left">Can I use VeraCrypt on Windows if I do not have
administrator privileges?</em>').</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can I unplug or turn off a hot-plug device (for example, a USB flash drive or USB hard drive) when there is a mounted VeraCrypt volume on it?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Before you unplug or turn off the device, you should always dismount the VeraCrypt volume in VeraCrypt first, and then perform the '<em style="text-align:left">Eject</em>' operation if available (right-click the device in the '<em style="text-align:left">Computer</em>'
or '<em style="text-align:left">My Computer</em>' list), or use the '<em style="text-align:left">Safely Remove Hardware</em>' function (built in Windows, accessible via the taskbar notification area). Otherwise, data loss may occur.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">What is a hidden operating system?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
See the section <a href="Hidden%20Operating%20System.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Hidden Operating System</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
documentation</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">What is plausible deniability?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
See the chapter <a href="Plausible%20Deniability.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Plausible Deniability</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
documentation</a>.</div>
<div id="SystemReinstallUpgrade" style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Will I be able to mount my VeraCrypt partition/container after I reinstall or upgrade the operating system?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, <a href="VeraCrypt%20Volume.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
VeraCrypt volumes</a> are independent of the operating system. However, you need to make sure your operating system installer does not format the partition where your VeraCrypt volume resides.<br style="text-align:left">
<br style="text-align:left">
Note: If the system partition/drive is encrypted and you want to reinstall or upgrade Windows, you need to decrypt it first (select
<em style="text-align:left">System</em> &gt; <em style="text-align:left">Permanently Decrypt System Partition/Drive</em>). However, a running operating system can be
<em style="text-align:left">updated</em> (security patches, service packs, etc.) without any problems even when the system partition/drive is encrypted.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can I upgrade from an older version of VeraCrypt to the latest version without any problems?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Generally, yes. However, before upgrading, please read the <a href="Release%20Notes.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
release notes</a> for all versions of VeraCrypt that have been released since your version was released. If there are any known issues or incompatibilities related to upgrading from your version to a newer one, they will be listed in the
<a href="Release%20Notes.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
release notes</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can I upgrade VeraCrypt if the system partition/drive is encrypted or do I have to decrypt it first?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Generally, you can upgrade to the latest version without decrypting the system partition/drive (just run the VeraCrypt installer and it will automatically upgrade VeraCrypt on the system). However, before upgrading, please read the
<a href="Release%20Notes.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
release notes</a> for all versions of VeraCrypt that have been released since your version was released. If there are any known issues or incompatibilities related to upgrading from your version to a newer one, they will be listed in the
<a href="Release%20Notes.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
release notes</a>. Note that this FAQ answer is also valid for users of a <a href="Hidden%20Operating%20System.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
hidden operating system</a>. Also note that you cannot <em style="text-align:left">
down</em>grade VeraCrypt if the system partition/drive is encrypted.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">I use pre-boot authentication. Can I prevent a person (adversary) that is watching me start my computer from knowing that I use VeraCrypt?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. To do so, boot the encrypted system, start VeraCrypt, select <em style="text-align:left">
Settings</em> &gt; <em style="text-align:left">System Encryption</em>, enable the option '<em style="text-align:left">Do not show any texts in the pre-boot authentication screen</em>' and click
<em style="text-align:left">OK</em>. Then, when you start the computer, no texts will be displayed by the VeraCrypt boot loader (not even when you enter the wrong password). The computer will appear to be &quot;frozen&quot; while you can type your password. It is, however,
important to note that if the adversary can analyze the content of the hard drive, he can still find out that it contains the VeraCrypt boot loader.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">I use pre-boot authentication. Can I configure the VeraCrypt Boot Loader to display only a fake error message?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. To do so, boot the encrypted system, start VeraCrypt, select <em style="text-align:left">
Settings</em> &gt; <em style="text-align:left">System Encryption</em>, enable the option '<em style="text-align:left">Do not show any texts in the pre-boot authentication screen</em>' and enter the fake error message in the corresponding field (for example,
the &quot;<em style="text-align:left">Missing operating system</em>&quot; message, which is normally displayed by the Windows boot loader if it finds no Windows boot partition). It is, however, important to note that if the adversary can analyze the content of the hard
drive, he can still find out that it contains the VeraCrypt boot loader.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can I configure VeraCrypt to mount automatically whenever Windows starts a non-system VeraCrypt volume that uses the same password as my system partition/drive (i.e. my pre-boot authentication password)?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. To do so, follow these steps:</div>
<ol style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Mount the volume (to the drive letter to which you want it to be mounted every time).
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Right-click the mounted volume in the drive list in the main VeraCrypt window and select '<em style="text-align:left">Add to System Favorites</em>'.
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
The System Favorites Organizer window should appear now. In this window, enable the option '<em style="text-align:left">Mount system favorite volumes when Windows starts</em>' and click
<em style="text-align:left">OK</em>. </li></ol>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
For more information, see the chapter <a href="System%20Favorite%20Volumes.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
System Favorite Volumes</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can a volume be automatically mounted whenever I log on to Windows?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. To do so, follow these steps:</div>
<ol style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Mount the volume (to the drive letter to which you want it to be mounted every time).
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Right-click the mounted volume in the drive list in the main VeraCrypt window and select '<em style="text-align:left">Add to Favorites</em>'.
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
The <a href="Favorite%20Volumes.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Favorites</a> Organizer window should appear now. In this window, enable the option '<em style="text-align:left">Mount selected volume upon logon</em>' and click
<em style="text-align:left">OK</em>. </li></ol>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Then, when you log on to Windows, you will be asked for the volume password (and/or keyfiles) and if it is correct, the volume will be mounted.<br style="text-align:left">
<br style="text-align:left">
Alternatively, if the volumes are partition/device-hosted and if you do not need to mount them to particular drive letters every time, you can follow these steps:</div>
<ol style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Select <em style="text-align:left">Settings</em> &gt; <em style="text-align:left">
Preferences. </em>The <em style="text-align:left">Preferences</em> window should appear now.
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
In the section '<em style="text-align:left">Actions to perform upon logon to Windows</em>', enable the option '<em style="text-align:left">Mount all devices-hosted VeraCrypt volumes</em>' and click
<em style="text-align:left">OK</em>. </li></ol>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Note: VeraCrypt will not prompt you for a password if you have enabled caching of the
<a href="System%20Encryption.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
pre-boot authentication</a> password (<em style="text-align:left">Settings</em> &gt; '<em style="text-align:left">System Encryption</em>') and the volumes use the same password as the system partition/drive.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can a volume be automatically mounted whenever its host device gets connected to the computer?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. For example, if you have a VeraCrypt container on a USB flash drive and you want VeraCrypt to mount it automatically when you insert the USB flash drive into the USB port, follow these steps:</div>
<ol style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Mount the volume (to the drive letter to which you want it to be mounted every time).
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Right-click the mounted volume in the drive list in the main VeraCrypt window and select '<em style="text-align:left">Add to Favorites</em>'.
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
The <a href="Favorite%20Volumes.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Favorites</a> Organizer window should appear now. In this window, enable the option '<em style="text-align:left">Mount selected volume when its host device gets connected</em>' and click
<em style="text-align:left">OK</em>. </li></ol>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Then, when you insert the USB flash drive into the USB port, you will be asked for the volume password (and/or keyfiles) (unless it is cached) and if it is correct, the volume will be mounted.<br style="text-align:left">
<br style="text-align:left">
Note: VeraCrypt will not prompt you for a password if you have enabled caching of the
<a href="System%20Encryption.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
pre-boot authentication</a> password (<em style="text-align:left">Settings</em> &gt; '<em style="text-align:left">System Encryption</em>') and the volume uses the same password as the system partition/drive.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can my pre-boot authentication password be cached so that I can use it mount non-system volumes during the session?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. Select <em style="text-align:left">Settings</em> &gt; '<em style="text-align:left">System Encryption</em>' and enable the following option: '<em style="text-align:left">Cache pre-boot authentication password in driver memory</em>'.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<a name="notraces" style="text-align:left; color:#0080c0; text-decoration:none"></a><br style="text-align:left">
<strong style="text-align:left">I live in a country that violates basic human rights of its people. Is it possible to use VeraCrypt without leaving any 'traces' on unencrypted Windows?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. This can be achieved by running VeraCrypt in <a href="Portable%20Mode.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
portable mode</a> under <a href="http://www.nu2.nu/pebuilder/" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
BartPE</a> or in a similar environment. BartPE stands for &quot;Bart's Preinstalled Environment&quot;, which is essentially the Windows operating system prepared in a way that it can be entirely stored on and booted from a CD/DVD (registry, temporary files, etc., are
stored in RAM &ndash; hard drive is not used at all and does not even have to be present). The freeware
<a href="http://www.nu2.nu/pebuilder/" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
Bart's PE Builder</a> can transform a Windows XP installation CD into a BartPE CD. Note that you do not even need any special VeraCrypt plug-in for BartPE. Follow these steps:</div>
<ol style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Create a BartPE CD and boot it. (Note: You must perform each of the following steps from within BartPE.)
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Download the VeraCrypt self-extracting package to the RAM disk (which BartPE automatically creates).
<br style="text-align:left">
<br style="text-align:left">
<strong style="text-align:left">Note</strong>: If the adversary can intercept data you send or receive over the Internet and you need to prevent the adversary from knowing you downloaded VeraCrypt, consider downloading it via
<a href="https://geti2p.net/en/" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
<strong style="text-align:left">I2P</strong></a>, <a href="http://www.torproject.org/" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
<strong style="text-align:left">Tor</strong></a>, or a similar anonymizing network.
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Verify the digital signatures of the downloaded file (see <a href="Digital%20Signatures.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
this</a> section of the documentation for more information). </li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Run the downloaded file, and select <em style="text-align:left">Extract</em> (instead of
<em style="text-align:left">Install</em>) on the second page of the VeraCrypt Setup wizard. Extract the contents to the RAM disk.
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Run the file <em style="text-align:left">VeraCrypt.exe</em> from the RAM disk. </li></ol>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Note: You may also want to consider creating a hidden operating system (see the section
<a href="Hidden%20Operating%20System.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Hidden Operating System</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
documentation</a>). See also the chapter <a href="Plausible%20Deniability.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Plausible Deniability</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can I encrypt my system partition/drive if I don't have a US keyboard?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, VeraCrypt supports all keyboard layouts. Because of BIOS requirement, the pre-boot password is typed using
<strong>US keyboard layout. </strong>During the system encryption process, VeraCrypt automatically and transparently switches the keyboard to US layout in order to ensure that the password value typed will match the one typed in pre-boot mode. Thus, in order
to avoid wrong password errors, one must type the password using the same keys as when creating the system encryption.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can I save data to the decoy system partition without risking damage to the hidden system partition?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. You can write data to the decoy system partition anytime without any risk that the hidden volume will get damaged (because the decoy system is
<em style="text-align:left">not</em> installed within the same partition as the hidden system). For more information, see the section
<a href="Hidden%20Operating%20System.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Hidden Operating System</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
documentation</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can I use VeraCrypt on Windows if I do not have administrator privileges?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
See the chapter '<a href="Using%20VeraCrypt%20Without%20Administrator%20Privileges.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">Using VeraCrypt Without Administrator Privileges</a>'
in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
documentation</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Does VeraCrypt save my password to a disk?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
No.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">How does VeraCrypt verify that the correct password was entered?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
See the section <a href="Encryption%20Scheme.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Encryption Scheme</a> (chapter <a href="Technical%20Details.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Technical Details</a>) in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
documentation</a>.</div>
<div id="encrypt-in-place" style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can I encrypt a partition/drive without losing the data currently stored on it?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, but the following conditions must be met:</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
If you want to encrypt an entire system drive (which may contain multiple partitions) or a system partition (in other words, if you want to encrypt a drive or partition where Windows is installed), you can do so provided that you use Windows XP or a later version
of Windows (such as Windows 7) <span style="text-align:left; font-size:10px; line-height:12px">
(select '<em style="text-align:left">System</em>' &gt; '<em style="text-align:left">Encrypt System Partition/Drive</em>' and then follow the instructions in the wizard)</span>.
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
If you want to encrypt a non-system partition in place, you can do so provided that it contains an NTFS filesystem and that you use Windows Vista or a later version of Windows (for example, Windows 7)
<span style="text-align:left; font-size:10px; line-height:12px">(click '<em style="text-align:left">Create Volume</em>' &gt; '<em style="text-align:left">Encrypt a non-system partition</em>' &gt; '<em style="text-align:left">Standard volume</em>' &gt; '<em style="text-align:left">Select
Device</em>' &gt; '<em style="text-align:left">Encrypt partition in place</em>' and then follow the instructions in the wizard)</span>.
</li></ul>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can I run VeraCrypt if I don't install it?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, see the chapter <a href="Portable%20Mode.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Portable Mode</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
VeraCrypt User Guide</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<a name="tpm" style="text-align:left; color:#0080c0; text-decoration:none"></a><br style="text-align:left">
<strong style="text-align:left">Some encryption programs use TPM to prevent attacks. Will VeraCrypt use it too?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
No. Those programs use TPM to protect against attacks that <em style="text-align:left">
require</em> the attacker to have administrator privileges, or physical access to the computer, and the attacker needs you to use the computer after such an access.
<em style="text-align:left">However, if any of these conditions is met, it is actually impossible to secure the computer</em> (see below) and, therefore, you must stop using it (instead of relying on TPM).
<br style="text-align:left">
<br style="text-align:left">
If the attacker has administrator privileges, he can, for example, reset the TPM, capture the content of RAM (containing master keys) or content of files stored on mounted VeraCrypt volumes (decrypted on the fly), which can then be sent to the attacker over
the Internet or saved to an unencrypted local drive (from which the attacker might be able to read it later, when he gains physical access to the computer).
<br style="text-align:left">
<br style="text-align:left">
If the attacker can physically access the computer hardware (and you use it after such an access), he can, for example, attach a malicious component to it (such as a hardware keystroke logger) that will capture the password, the content of RAM (containing master
keys) or content of files stored on mounted VeraCrypt volumes (decrypted on the fly), which can then be sent to the attacker over the Internet or saved to an unencrypted local drive (from which the attacker might be able to read it later, when he gains physical
access to the computer again). <br style="text-align:left">
<br style="text-align:left">
The only thing that TPM is almost guaranteed to provide is a false sense of security (even the name itself, &quot;Trusted Platform Module&quot;, is misleading and creates a false sense of security). As for real security, TPM is actually redundant (and implementing redundant
features is usually a way to create so-called bloatware). <br style="text-align:left">
<br style="text-align:left">
For more information, please see the sections <a title="Physical%20Security&quot;" style="text-align:left; color:#0080c0; text-decoration:none">
Physical Security</a> and <a href="Malware.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
Malware</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
documentation</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Do I have to dismount VeraCrypt volumes before shutting down or restarting Windows?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
No. VeraCrypt automatically dismounts all mounted VeraCrypt volumes on system shutdown/restart.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Which type of VeraCrypt volume is better &ndash; partition or file container?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<a href="VeraCrypt%20Volume.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">File containers</a> are normal files so you can work with them as with any normal files (file containers
can be, for example, moved, renamed, and deleted the same way as normal files). <a href="VeraCrypt%20Volume.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Partitions/drives</a> may be better as regards performance. Note that reading and writing to/from a file container may take significantly longer when the container is heavily fragmented. To solve this problem, defragment the file system in which the container
is stored (when the VeraCrypt volume is dismounted).</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">What's the recommended way to back up a VeraCrypt volume?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
See the chapter <a href="How%20to%20Back%20Up%20Securely.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
How to Back Up Securely</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
documentation</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">What will happen if I format a VeraCrypt partition?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
See the question '<em style="text-align:left"><a href="#changing-filesystem" style="text-align:left; color:#0080c0; text-decoration:none">Is it possible to change the file system of an encrypted volume?</a></em>'</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left"><a name="changing-filesystem" style="text-align:left; color:#0080c0; text-decoration:none"></a>Is it possible to change the file system of an encrypted volume?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, when mounted, VeraCrypt volumes can be formatted as FAT12, FAT16, FAT32, NTFS, or any other file system. VeraCrypt volumes behave as standard disk devices so you can right-click the device icon (for example in the '<em style="text-align:left">Computer</em>'
or '<em style="text-align:left">My Computer</em>' list) and select '<em style="text-align:left">Format</em>'. The actual volume contents will be lost. However, the whole volume will remain encrypted. If you format a VeraCrypt-encrypted partition when the VeraCrypt
volume that the partition hosts is not mounted, then the volume will be destroyed, and the partition will not be encrypted anymore (it will be empty).</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Is it possible to mount a VeraCrypt container that is stored on a CD or DVD?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. However, if you need to mount a VeraCrypt volume that is stored on a read-only medium (such as a CD or DVD) under Windows 2000, the file system within the VeraCrypt volume must be FAT (Windows 2000 cannot mount an NTFS file system on read-only media).</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Is it possible to change the password for a hidden volume?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, the password change dialog works both for standard and <a href="Hidden%20Volume.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
hidden volumes</a>. Just type the password for the hidden volume in the 'Current Password' field of the 'Volume Password Change' dialog.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px; font-size:10px; line-height:12px">
Remark: VeraCrypt first attempts to decrypt the standard <a href="VeraCrypt%20Volume%20Format%20Specification.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
volume header</a> and if it fails, it attempts to decrypt the area within the volume where the hidden volume header may be stored (if there is a hidden volume within). In case it is successful, the password change applies to the hidden volume. (Both attempts
use the password typed in the 'Current Password' field.)</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
-<strong style="text-align:left">When I use HMAC-RIPEMD-160, is the size of the header encryption key only 160 bits?</strong></div>
-<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-No, VeraCrypt never uses an output of a hash function (nor of a HMAC algorithm) directly as an encryption key. See the section
-<a href="Header%20Key%20Derivation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
-Header Key Derivation, Salt, and Iteration Count</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
-documentation</a> for more information.</div>
-<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-<br style="text-align:left">
<strong style="text-align:left">How do I burn a VeraCrypt container larger than 2 GB onto a DVD?</strong><br style="text-align:left">
<br style="text-align:left">
The DVD burning software you use should allow you to select the format of the DVD. If it does, select the UDF format (ISO format does not support files larger than 2 GB).</div>
<div id="disk_defragmenter" style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can I use tools like <em style="text-align:left">
chkdsk</em>, Disk Defragmenter, etc. on the contents of a mounted VeraCrypt volume?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, VeraCrypt volumes behave like real physical disk devices, so it is possible to use any filesystem checking/repairing/defragmenting tools on the contents of a mounted VeraCrypt volume.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Does VeraCrypt support 64-bit versions of Windows?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, it does. <span style="text-align:left; font-size:10px; line-height:12px">Note: 64-bit versions of Windows load only drivers that are digitally signed with a digital certificate issued by a certification authority approved for issuing kernel-mode code signing
certificates. VeraCrypt complies with this requirement (the VeraCrypt driver is <a href="Digital%20Signatures.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
digitally signed</a> with the digital certificate of IDRIX, which was issued by the certification authority Thawte).</span></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can I mount my VeraCrypt volume under Windows, Mac OS X, and Linux?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, VeraCrypt volumes are fully cross-platform.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong style="text-align:left">How can I uninstall VeraCrypt on Linux?</strong>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
To uninstall VeraCrypt on Linux, run the following command in Terminal as root: <strong>
veracrypt-uninstall.sh</strong>. On Ubuntu, you can use &quot;<strong>sudo veracrypt-uninstall.sh</strong>&quot;.</div>
</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Is there a list of all operating systems that VeraCrypt supports?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, see the chapter <a href="Supported%20Operating%20Systems.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Supported Operating Systems</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
VeraCrypt User Guide</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Is it possible to install an application to a VeraCrypt volume and run it from there?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">What will happen when a part of a VeraCrypt volume becomes corrupted?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
In encrypted data, one corrupted bit usually corrupts the whole ciphertext block in which it occurred. The ciphertext block size used by VeraCrypt is 16 bytes (i.e., 128 bits). The
<a href="Modes%20of%20Operation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
mode of operation</a> used by VeraCrypt ensures that if data corruption occurs within a block, the remaining blocks are not affected. See also the question '<em style="text-align:left">What do I do when the encrypted filesystem on my VeraCrypt volume is corrupted?</em></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">What do I do when the encrypted filesystem on my VeraCrypt volume is corrupted?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
File system within a VeraCrypt volume may become corrupted in the same way as any normal unencrypted file system. When that happens, you can use filesystem repair tools supplied with your operating system to fix it. In Windows, it is the '<em style="text-align:left">chkdsk</em>'
tool. VeraCrypt provides an easy way to use this tool on a VeraCrypt volume: Right-click the mounted volume in the main VeraCrypt window (in the drive list) and from the context menu select '<em style="text-align:left">Repair Filesystem</em>'.</div>
<div id="reset_volume_password" style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">We use VeraCrypt in a corporate/enterprise environment. Is there a way for an administrator to reset a volume password or pre-boot authentication password when a user forgets it (or loses a keyfile)?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes. Note that there is no &quot;backdoor&quot; implemented in VeraCrypt. However, there is a way to &quot;reset&quot; volume passwords/<a href="Keyfiles.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">keyfiles</a>
and <a href="System%20Encryption.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
pre-boot authentication</a> passwords. After you create a volume, back up its header to a file (select
<em style="text-align:left">Tools</em> -&gt; <em style="text-align:left">Backup Volume Header</em>) before you allow a
<a href="Using%20VeraCrypt%20Without%20Administrator%20Privileges.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
non-admin user</a> to use the volume. Note that the <a href="VeraCrypt%20Volume%20Format%20Specification.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
volume header</a> (which is encrypted with a <a href="Header%20Key%20Derivation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
header key</a> derived from a password/keyfile) contains the <a href="Encryption%20Scheme.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
master key</a> with which the volume is encrypted. Then ask the user to choose a password, and set it for him/her (<em style="text-align:left">Volumes</em> -&gt;
<em style="text-align:left">Change Volume Password</em>); or generate a user keyfile for him/her. Then you can allow the user to use the volume and to change the password/keyfiles without your assistance/permission. In case he/she forgets his/her password or
loses his/her keyfile, you can &quot;reset&quot; the volume password/keyfiles to your original admin password/keyfiles by restoring the volume header from the backup file (<em style="text-align:left">Tools</em> -&gt;
<em style="text-align:left">Restore Volume Header</em>). <br style="text-align:left">
<br style="text-align:left">
Similarly, you can reset a <a href="System%20Encryption.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
pre-boot authentication</a> password<a href="System%20Encryption.html" style="text-align:left; color:#0080c0; text-decoration:none.html">.
</a>To create a backup of the master key data (that will be stored on a <a href="VeraCrypt%20Rescue%20Disk.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
VeraCrypt Rescue Disk</a> and encrypted with your administrator password), select '<em style="text-align:left">System</em>' &gt; '<a href="VeraCrypt%20Rescue%20Disk.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none"><em style="text-align:left.html">Create
Rescue Disk</em></a>'. To set a user <a href="System%20Encryption.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
pre-boot authentication</a> password, select '<em style="text-align:left">System</em>' &gt; '<em style="text-align:left">Change Password</em>'. To restore your administrator password, boot the VeraCrypt Rescue Disk, select '<em style="text-align:left">Repair
Options</em>' &gt; '<em style="text-align:left">Restore key data</em>' and enter your administrator password.
<br style="text-align:left">
<span style="text-align:left; font-size:10px; line-height:12px">Note: It is not required to burn each
<a href="VeraCrypt%20Rescue%20Disk.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
VeraCrypt Rescue Disk</a> ISO image to a CD/DVD. You can maintain a central repository of ISO images for all workstations (rather than a repository of CDs/DVDs). For more information see the section
<a href="Command%20Line%20Usage.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Command Line Usage</a> (option <em style="text-align:left">/noisocheck</em>).</span></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can our commercial company use VeraCrypt free of charge?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Provided that you comply with the terms and conditions of the <a href="VeraCrypt%20License.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
VeraCrypt License</a>, you can install and run VeraCrypt free of charge on an arbitrary number of your computers.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">We share a volume over a network. Is there a way to have the network share automatically restored when the system is restarted?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Please see the chapter '<a href="Sharing%20over%20Network.html" style="text-align:left; color:#0080c0; text-decoration:none.html">Sharing over Network</a>' in the
<a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
VeraCrypt User Guide</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">It is possible to access a single VeraCrypt volume simultaneously from multiple operating systems (for example, a volume shared over a network)?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Please see the chapter '<a href="Sharing%20over%20Network.html" style="text-align:left; color:#0080c0; text-decoration:none.html">Sharing over Network</a>' in the
<a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
VeraCrypt User Guide</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Can a user access his or her VeraCrypt volume via a network?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Please see the chapter '<a href="Sharing%20over%20Network.html" style="text-align:left; color:#0080c0; text-decoration:none.html">Sharing over Network</a>' in the
<a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
VeraCrypt User Guide</a>.</div>
<div id="non_system_drive_letter" style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">I encrypted a non-system partition, but its original drive letter is still visible in the '<span style="text-align:left; font-style:italic">My Computer</span>' list. When I double click this drive letter, Windows asks if I want
to format the drive. Is there a way to hide or free this drive letter? </strong>
</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, to free the drive letter follow these steps:</div>
<ol style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Right-click the '<em style="text-align:left">Computer</em>' (or '<span style="text-align:left; font-style:italic">My Computer</span>') icon on your desktop or in the Start Menu and select
<span style="text-align:left; font-style:italic">Manage</span>. The '<span style="text-align:left; font-style:italic">Computer Management</span>' window should appear.
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
From the list on the left, select '<span style="text-align:left; font-style:italic">Disk Management</span>' (within the
<span style="text-align:left; font-style:italic">Storage</span> sub-tree). </li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Right-click the encrypted partition/device and select <span style="text-align:left; font-style:italic">
Change Drive Letter and Paths</span>. </li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
Click <span style="text-align:left; font-style:italic">Remove</span>. </li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
If Windows prompts you to confirm the action, click <span style="text-align:left; font-style:italic">
Yes</span>. </li></ol>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong style="text-align:left"><br style="text-align:left">
When I plug in my encrypted USB flash drive, Windows asks me if I want to format it. Is there a way to prevent that?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, but you will need to remove the drive letter assigned to the device. For information on how to do so, see the question '<em style="text-align:left">I encrypted a non-system partition, but its original drive letter is still visible in the 'My Computer'
list.</em>'</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong style="text-align:left"><br style="text-align:left">
How do I remove or undo encryption if I do not need it anymore? How do I permanently decrypt a volume?
</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Please see the section '<a href="Removing%20Encryption.html" style="text-align:left; color:#0080c0; text-decoration:none.html">How to Remove Encryption</a>' in the
<a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
VeraCrypt User Guide</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">What will change when I enable the option '<em style="text-align:left">Mount volumes as removable media</em>'?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Please see the section '<a href="Removable%20Medium%20Volume.html" style="text-align:left; color:#0080c0; text-decoration:none.html">Volume Mounted as Removable Medium</a>' in the
<a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
VeraCrypt User Guide</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Is the online documentation available for download as a single file?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Yes, the documentation is contained in the file <em style="text-align:left">VeraCrypt User Guide.chm</em> that is included in official VeraCrypt installer for Windows. You can also download the CHM using the link available at the home page
<a href="https://www.veracrypt.fr/en/Downloads.html" target="_blank">https://www.veracrypt.fr/en/downloads/</a>. Note that you do
<em style="text-align:left">not</em> have to install VeraCrypt to obtain the CHM documentation. Just run the self-extracting installation package and then select
<em style="text-align:left">Extract</em> (instead of <em style="text-align:left">
Install</em>) on the second page of the VeraCrypt Setup wizard. Also note that when you
<em style="text-align:left">do</em> install VeraCrypt, the CHM documentation is automatically copied to the folder to which VeraCrypt is installed, and is accessible via the VeraCrypt user interface (by pressing F1 or choosing
<em style="text-align:left">Help</em> &gt; <em style="text-align:left">User's Guide</em>).</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">Do I have to &quot;wipe&quot; free space and/or files on a VeraCrypt volume?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<span style="text-align:left; font-size:10px; line-height:12px">Remark: to &quot;wipe&quot; = to securely erase; to overwrite sensitive data in order to render them unrecoverable.
</span><br style="text-align:left">
<br style="text-align:left">
If you believe that an adversary will be able to decrypt the volume (for example that he will make you reveal the password), then the answer is yes. Otherwise, it is not necessary, because the volume is entirely encrypted.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
<strong style="text-align:left">How does VeraCrypt know which encryption algorithm my VeraCrypt volume has been encrypted with?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Please see the section <a href="Encryption%20Scheme.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Encryption Scheme</a> (chapter <a href="Technical%20Details.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
Technical Details</a>) in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
documentation</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong style="text-align:left">How can I perform a Windows built-in backup on a VeraCrypt volume? The VeraCrypt volume doesn't show up in the list of available backup paths.<br>
</strong>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Windows built-in backup utility looks only for physical driver, that's why it doesn't display the VeraCrypt volume. Nevertheless, you can still backup on a VeraCrypt volume by using a trick: activate sharing on the VeraCrypt volume through Explorer interface
(of course, you have to put the correct permission to avoid unauthorized access) and then choose the option &quot;Remote shared folder&quot; (it is not remote of course but Windows needs a network path). There you can type the path of the shared drive (for example \\ServerName\sharename)
and the backup will be configured correctly.</div>
</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong style="text-align:left">Is the encryption used by VeraCrypt vulnerable to Quantum attacks?</strong>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
VeraCrypt uses block ciphers (AES, Serpent, Twofish) for its encryption. Quantum attacks against these block ciphers are just a faster brute-force since the best know attack against these algorithms is exhaustive search (related keys attacks are irrelevant
to our case because all keys are random and independent from each other).<br>
Since VeraCrypt always uses 256-bit random and independent keys, we are assured of a 128-bit security<br>
level against quantum algorithms which makes VeraCrypt encryption immune to such attacks.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong>How to make a VeraCrypt volume available for Windows Search indexing?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
In order to be able to index a VeraCrypt volume through Windows Search, the volume must be mounted at boot time (System Favorite) or the Windows Search services must be restart after the volume is mounted. This is needed because Windows Search can only index
drives that are available when it starts.</div>
<strong style="text-align:left">I haven't found any answer to my question in the FAQ &ndash; what should I do?</strong></div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Please search the VeraCrypt documentation and website.</div>
</div><div class="ClearBoth"></div></body></html>
diff --git a/doc/html/Hash Algorithms.html b/doc/html/Hash Algorithms.html
index 9e59aa66..ea8c19ea 100644
--- a/doc/html/Hash Algorithms.html
+++ b/doc/html/Hash Algorithms.html
@@ -1,58 +1,58 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
<meta name="keywords" content="encryption, security"/>
<link href="styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div>
<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
</div>
<div id="menu">
<ul>
<li><a href="Home.html">Home</a></li>
<li><a href="/code/">Source Code</a></li>
<li><a href="Downloads.html">Downloads</a></li>
<li><a class="active" href="Documentation.html">Documentation</a></li>
<li><a href="Donation.html">Donate</a></li>
<li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
</ul>
</div>
<div>
<p>
<a href="Documentation.html">Documentation</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Hash%20Algorithms.html">Hash Algorithms</a>
</p></div>
<div class="wikidoc">
<h1>Hash Algorithms</h1>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
In the Volume Creation Wizard, in the password change dialog window, and in the Keyfile Generator dialog window, you can select a hash algorithm. A user-selected hash algorithm is used by the VeraCrypt Random Number Generator as a pseudorandom &quot;mixing&quot; function,
and by the header key derivation function (HMAC based on a hash function, as specified in PKCS #5 v2.0) as a pseudorandom function. When creating a new volume, the Random Number Generator generates the master key, secondary key (XTS mode), and salt. For more
information, please see the section <a href="Random%20Number%20Generator.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
Random Number Generator</a> and section <a href="Header%20Key%20Derivation.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
Header Key Derivation, Salt, and Iteration Count</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
VeraCrypt currently supports the following hash algorithms:</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
-<a href="RIPEMD-160.html"><strong style="text-align:left.html">RIPEMD-160</strong></a>
+<a href="BLAKE2s-256.html"><strong style="text-align:left.html">BLAKE2s-256</strong></a>
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<a href="SHA-256.html"><strong style="text-align:left.html">SHA-256</strong></a>
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<a href="SHA-512.html"><strong style="text-align:left.html">SHA-512</strong></a>
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<a href="Whirlpool.html"><strong style="text-align:left.html">Whirlpool</strong></a>
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong style="text-align:left"><a href="Streebog.html">Streebog</a></strong>
</li></ul>
-<p><a href="RIPEMD-160.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section &gt;&gt;</a></p>
+<p><a href="BLAKE2s-256.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section &gt;&gt;</a></p>
</div><div class="ClearBoth"></div></body></html>
diff --git a/doc/html/Header Key Derivation.html b/doc/html/Header Key Derivation.html
index 860c85e0..d8896904 100644
--- a/doc/html/Header Key Derivation.html
+++ b/doc/html/Header Key Derivation.html
@@ -1,86 +1,87 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
<meta name="keywords" content="encryption, security"/>
<link href="styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div>
<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
</div>
<div id="menu">
<ul>
<li><a href="Home.html">Home</a></li>
<li><a href="/code/">Source Code</a></li>
<li><a href="Downloads.html">Downloads</a></li>
<li><a class="active" href="Documentation.html">Documentation</a></li>
<li><a href="Donation.html">Donate</a></li>
<li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
</ul>
</div>
<div>
<p>
<a href="Documentation.html">Documentation</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Technical%20Details.html">Technical Details</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Header%20Key%20Derivation.html">Header Key Derivation, Salt, and Iteration Count</a>
</p></div>
<div class="wikidoc">
<h1>Header Key Derivation, Salt, and Iteration Count</h1>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Header key is used to encrypt and decrypt the encrypted area of the VeraCrypt volume header (for
<a href="System%20Encryption.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
system encryption</a>, of the keydata area), which contains the master key and other data (see the sections
<a href="Encryption%20Scheme.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
Encryption Scheme</a> and <a href="VeraCrypt%20Volume%20Format%20Specification.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
VeraCrypt Volume Format Specification</a>). In volumes created by VeraCrypt (and for
<a href="System%20Encryption.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
system encryption</a>), the area is encrypted in XTS mode (see the section <a href="Modes%20of%20Operation.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
Modes of Operation</a>). The method that VeraCrypt uses to generate the header key and the secondary header key (XTS mode) is PBKDF2, specified in PKCS #5 v2.0; see
<a href="References.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
[7]</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
512-bit salt is used, which means there are 2<sup style="text-align:left; font-size:85%">512</sup> keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks (pre-computing all the keys for a dictionary
of passwords is very difficult when a salt is used) [7]. The salt consists of random values generated by the
<a href="Random%20Number%20Generator.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
-VeraCrypt random number generator</a> during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-SHA-256, HMAC-RIPEMD-160, or HMAC-Whirlpool (see [8, 9, 20, 22]) &ndash; the user selects which. The length of the derived
- key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-RIPEMD-160 is used (in XTS mode, an additional 256-bit secondary header key is used; hence,
+VeraCrypt random number generator</a> during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool or HMAC-Streebog (see [8, 9, 20, 22]) &ndash; the user selects which. The length of the derived
+ key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-SHA-512 is used (in XTS mode, an additional 256-bit secondary header key is used; hence,
two 256-bit keys are used for AES-256 in total). For more information, refer to [7]. A large number of iterations of the key derivation function have to be performed to derive a header key, which increases the time necessary to perform an exhaustive search
for passwords (i.e., brute force attack)&nbsp;[7].</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-<p>Prior to version 1.12, VeraCrypt always used a fixed number of iterations depending on the volume type and the derivation algorithm used:</p>
-<ul>
-<li>For system partition encryption (boot encryption), <strong>200000</strong> iterations are used for the HMAC-SHA-256 derivation function and
-<strong>327661</strong> iterations are used for HMAC-RIPEMD-160. </li><li>For standard containers and other partitions, <strong>655331</strong> iterations are used for HMAC-RIPEMD-160 and
-<strong>500000</strong> iterations are used for HMAC-SHA-512,&nbsp;HMAC-SHA-256 and HMAC-Whirlpool.
-</li></ul>
-<p>Starting from version 1.12, the <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
+<p>Prior to version 1.12, VeraCrypt always used a fixed number of iterations That depended only on the volume type and the derivation algorithm used.
+Starting from version 1.12, the <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
PIM </a>field (<a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">Personal Iterations Multiplier</a>) enables users to have more control over the number of iterations used by the key derivation function.</p>
+<p>
<p>When a <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
-PIM </a>value is not specified or if it is equal to zero, VeraCrypt uses the default values expressed above.</p>
+PIM </a>value is not specified or if it is equal to zero, VeraCrypt uses the default values expressed below:<br/>
+<ul>
+<li>For system partition encryption (boot encryption) that uses SHA-256, BLAKE2s-256 or Streebog, <strong>200000</strong> iterations are used.</li>
+<li>For system encryption that uses SHA-512 or Whirlpool, non-system encryption and file containers, <strong>500000</strong> iterations are used.
+</li></ul>
+</p>
<p>When a <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
PIM </a>value is given by the user, the number of iterations of the key derivation function is calculated as follows:</p>
<ul>
<li>For system encryption that doesn't use SHA-512 or Whirlpool: Iterations = <strong>PIM x 2048</strong>
</li><li>For system encryption that uses SHA-512 or Whirlpool, non-system encryption and file containers: Iterations = <strong>15000 &#43; (PIM x 1000)</strong>
</li></ul>
</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Header keys used by ciphers in a cascade are mutually independent, even though they are derived from a single password (to which keyfiles may have been applied). For example, for the AES-Twofish-Serpent cascade, the header key derivation function is instructed
to derive a 768-bit encryption key from a given password (and, for XTS mode, in addition, a 768-bit
<em style="text-align:left">secondary</em> header key from the given password). The generated 768-bit header key is then split into three 256-bit keys (for XTS mode, the
<em style="text-align:left">secondary</em> header key is split into three 256-bit keys too, so the cascade actually uses six 256-bit keys in total), out of which the first key is used by Serpent, the second key is used by Twofish, and the third by AES (in addition,
for XTS mode, the first secondary key is used by Serpent, the second secondary key is used by Twofish, and the third secondary key by AES). Hence, even when an adversary has one of the keys, he cannot use it to derive the other keys, as there is no feasible
method to determine the password from which the key was derived (except for brute force attack mounted on a weak password).</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<a href="Random%20Number%20Generator.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section &gt;&gt;</a></div>
</div><div class="ClearBoth"></div></body></html>
diff --git a/doc/html/Program Menu.html b/doc/html/Program Menu.html
index caed5f40..02ee86e6 100644
--- a/doc/html/Program Menu.html
+++ b/doc/html/Program Menu.html
@@ -1,205 +1,205 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
<meta name="keywords" content="encryption, security"/>
<link href="styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div>
<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
</div>
<div id="menu">
<ul>
<li><a href="Home.html">Home</a></li>
<li><a href="/code/">Source Code</a></li>
<li><a href="Downloads.html">Downloads</a></li>
<li><a class="active" href="Documentation.html">Documentation</a></li>
<li><a href="Donation.html">Donate</a></li>
<li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
</ul>
</div>
<div>
<p>
<a href="Documentation.html">Documentation</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Main%20Program%20Window.html">Main Program Window</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Program%20Menu.html">Program Menu</a>
</p></div>
<div class="wikidoc">
<h2>Program Menu</h2>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<p>Note: To save space, only the menu items that are not self-explanatory are described in this documentation.</p>
<h3>Volumes -&gt; Auto-Mount All Device-Hosted Volumes</h3>
<p>See the section <a href="Main%20Program%20Window.html">
<em>Auto-Mount Devices.</em></a></p>
<h3>Volumes -&gt; Dismount All Mounted Volumes</h3>
<p>See the section <a href="Main%20Program%20Window.html">
<em>Dismount All.</em></a></p>
<h3>Volumes -&gt; Change Volume Password</h3>
<p>Allows changing the password of the currently selected VeraCrypt volume (no matter whether the volume is hidden or standard). Only the header key and the secondary header key (XTS mode) are changed &ndash; the master key remains unchanged. This function
re-encrypts the volume header using<br>
<br>
a header encryption key derived from a new password. Note that the volume header contains the master encryption key with which the volume is encrypted. Therefore, the data stored on the volume will
<em>not</em> be lost after you use this function (password change will only take a few seconds).<br>
<br>
To change a VeraCrypt volume password, click on <em>Select File</em> or <em>Select Device</em>, then select the volume, and from the
<em>Volumes</em> menu select <em>Change Volume Password</em>.<br>
<br>
Note: For information on how to change a password used for pre-boot authentication, please see the section
<em>System -&gt; Change Password</em>.<br>
<br>
See also the chapter <a href="Security%20Requirements%20and%20Precautions.html">
<em>Security Requirements and Precautions</em></a>.</p>
<div style="margin-left:50px">
<h4>PKCS-5 PRF</h4>
<p>In this field you can select the algorithm that will be used in deriving new volume header keys (for more information, see the section
<a href="Header%20Key%20Derivation.html">
<em>Header Key Derivation, Salt, and Iteration Count</em></a>) and in generating the new salt (for more information, see the section
<a href="Random%20Number%20Generator.html">
<em>Random Number Generator</em></a>).<br>
<br>
Note: When VeraCrypt re-encrypts a volume header, the original volume header is first overwritten many times (3, 7, 35 or 256 depending on the user choice) with random data to prevent adversaries from using techniques such as magnetic force microscopy or magnetic
force scanning tunneling microscopy [17] to recover the overwritten header (however, see also the chapter
<a href="Security%20Requirements%20and%20Precautions.html">
<em>Security Requirements and Precautions</em></a>).</p>
</div>
<h3>Volumes -&gt; Set Header Key Derivation Algorithm</h3>
-<p>This function allows you to re-encrypt a volume header with a header key derived using a different PRF function (for example, instead of HMAC-RIPEMD-160 you could use HMAC-Whirlpool). Note that the volume header contains the master encryption key with which
+<p>This function allows you to re-encrypt a volume header with a header key derived using a different PRF function (for example, instead of HMAC-BLAKE2S-256 you could use HMAC-Whirlpool). Note that the volume header contains the master encryption key with which
the volume is encrypted. Therefore, the data stored on the volume will <em>not</em> be lost after you use this function. For more information, see the section
<a href="Header%20Key%20Derivation.html">
<em>Header Key Derivation, Salt, and Iteration Count</em></a>.<br>
<br>
Note: When VeraCrypt re-encrypts a volume header, the original volume header is first overwritten many times (3, 7, 35 or 256 depending on the user choice) with random data to prevent adversaries from using techniques such as magnetic force microscopy or magnetic
force scanning tunneling microscopy [17] to recover the overwritten header (however, see also the chapter
<a href="Security%20Requirements%20and%20Precautions.html">
<em>Security Requirements and Precautions</em></a>).</p>
<h3>Volumes -&gt; Add/Remove Keyfiles to/from Volume</h3>
<h3>Volumes -&gt; Remove All Keyfiles from Volume</h3>
<p>See the chapter <a href="Keyfiles.html">
<em>Keyfiles.</em></a></p>
<h3>Favorites -&gt; Add Mounted Volume to Favorites Favorites -&gt; Organize Favorite Volumes Favorites -&gt; Mount Favorites Volumes</h3>
<p>See the chapter <a href="Favorite%20Volumes.html">
<em>Favorite Volumes</em></a>.</p>
<h3>Favorites -&gt; Add Mounted Volume to System Favorites</h3>
<h3>Favorites -&gt; Organize System Favorite Volumes</h3>
<p>See the chapter <a href="System%20Favorite%20Volumes.html">
<em>System Favorite Volumes</em></a>.</p>
<h3>System -&gt; Change Password</h3>
<p>Changes the password used for pre-boot authentication (see the chapter <em>System Encryption</em>). WARNING: Your VeraCrypt Rescue Disk allows you to restore key data if it is damaged. By doing so, you also restore the password that was valid when the VeraCrypt
Rescue Disk was created. Therefore, whenever you change the password, you should destroy your VeraCrypt Rescue Disk and create a new one (select
<em>System</em> -&gt; <em>Create Rescue Disk</em>). Otherwise, an attacker could decrypt your system partition/drive using the old password (if he finds the old VeraCrypt Rescue Disk and uses it to restore the key data). See also the chapter
<a href="Security%20Requirements%20and%20Precautions.html">
<em>Security Requirements and Precautions</em></a>.<br>
<br>
For more information on changing a password, please see the section <em>Volumes -&gt; Change Volume Password</em> above.</p>
<h3>System -&gt; Mount Without Pre-Boot Authentication</h3>
<p>Check this option, if you need to mount a partition that is within the key scope of system encryption without pre-boot authentication. For example, if you need to mount a partition located on the encrypted system drive of another operating system that is
not running. This can be useful e.g. when you need to back up or repair an operating system encrypted by VeraCrypt (from within another operating system).</p>
<p>Note 1: If you need to mount multiple partitions at once, click <em>&lsquo;Auto-Mount Devices</em>&rsquo;, then click &lsquo;<em>Mount Options</em>&rsquo; and enable the option &lsquo;<em>Mount partition using system encryption without pre-boot authentication</em>&rsquo;.<br>
<br>
Please note you cannot use this function to mount extended (logical) partitions that are located on an entirely encrypted system drive.</p>
<h3>Tools -&gt; Clear Volume History</h3>
<p>Clears the list containing the file names (if file-hosted) and paths of the last twenty successfully mounted volumes.</p>
<h3>Tools -&gt; Traveler Disk Setup</h3>
<p>See the chapter <a href="Portable%20Mode.html">
<em>Portable Mode.</em></a></p>
<h3>Tools -&gt; Keyfile Generator</h3>
<p>See section <em>Tools -&gt; Keyfile Generator</em> in the chapter <a href="Keyfiles.html">
<em>Keyfiles.</em></a></p>
<h3 id="tools-backup-volume-header">Tools -&gt; Backup Volume Header</h3>
<h3 id="tools-restore-volume-header">Tools -&gt; Restore Volume Header</h3>
<p>If the header of a VeraCrypt volume is damaged, the volume is, in most cases, impossible to mount. Therefore, each volume created by VeraCrypt (except system partitions) contains an embedded backup header, located at the end of the volume. For extra safety,
you can also create external volume header backup files. To do so, click <em>Select Device</em> or
<em>Select File</em>, select the volume, select <em>Tools</em> -&gt; <em>Backup Volume Header</em>, and then follow the instructions.</p>
<p>Note: For system encryption, there is no backup header at the end of the volume. For non-system volumes, a shrink operation is done first to ensure that all data are put at the beginning of the volume, leaving all free space at the end so that we have a
place to put the backup header. For system partitions, we can't perform this needed shrink operation while Windows is running and so the backup header can't be created at the end of the partition. The alternative way in the case of system encryption is the
use of the <a href="VeraCrypt%20Rescue%20Disk.html">
Rescue Disk</a>.</p>
<p>Note: A backup header (embedded or external) is <em>not</em> a copy of the original volume header because it is encrypted with a different header key derived using a different salt (see the section
<a href="Header%20Key%20Derivation.html">
<em>Header Key Derivation, Salt, and Iteration Count</em></a>). When the volume password and/or keyfiles are changed, or when the header is restored from the embedded (or an external) header backup, both the volume header and the backup header (embedded in
the volume) are re-encrypted with header keys derived using newly generated salts (the salt for the volume header is different from the salt for the backup header). Each salt is generated by the VeraCrypt random number generator (see the section
<a href="Random%20Number%20Generator.html">
<em>Random Number Generator</em></a>).</p>
<p>Both types of header backups (embedded and external) can be used to repair a damaged volume header. To do so, click
<em>Select Device</em> or <em>Select File</em>, select the volume, select <em>Tools</em> -&gt;
<em>Restore Volume Header</em>, and then follow the instructions.<br>
<br>
WARNING: Restoring a volume header also restores the volume password that was valid when the backup was created. Moreover, if keyfile(s) are/is necessary to mount a volume when the backup is created, the same keyfile(s) will be necessary to mount the volume
again after the volume header is restored. For more information, see the section
<a href="Encryption%20Scheme.html"><em>Encryption Scheme</em></a> in the chapter
<a href="Technical%20Details.html"><em>Technical Details</em></a>.<br>
<br>
After you create a volume header backup, you might need to create a new one only when you change the volume password and/or keyfiles. Otherwise, the volume header remains unmodified so the volume header backup remains up-to-date.</p>
<p>Note: Apart from salt (which is a sequence of random numbers), external header backup files do not contain any unencrypted information and they cannot be decrypted without knowing the correct password and/or supplying the correct keyfile(s). For more information,
see the chapter <a href="Technical%20Details.html">
<em>Technical Details</em></a>.</p>
<p>When you create an external header backup, both the standard volume header and the area where a hidden volume header can be stored is backed up, even if there is no hidden volume within the volume (to preserve plausible deniability of hidden volumes). If
there is no hidden volume within the volume, the area reserved for the hidden volume header in the backup file will be filled with random data (to preserve plausible deniability).<br>
<br>
When <em>restoring</em> a volume header, you need to choose the type of volume whose header you wish to restore (a standard or hidden volume). Only one volume header can be restored at a time. To restore both headers, you need to use the function twice (<em>Tools</em>
-&gt; <em>Restore Volume Header</em>). You will need to enter the correct password (and/or to supply the correct keyfiles) that was/were valid when the volume header backup was created. The password (and/or keyfiles) will also automatically determine the type
of the volume header to restore, i.e. standard or hidden (note that VeraCrypt determines the type through the process of trial and error).<br>
<br>
Note: If the user fails to supply the correct password (and/or keyfiles) twice in a row when trying to mount a volume, VeraCrypt will automatically try to mount the volume using the embedded backup header (in addition to trying to mount it using the primary
header) each subsequent time that the user attempts to mount the volume (until he or she clicks
<em>Cancel</em>). If VeraCrypt fails to decrypt the primary header but it successfully decrypts the embedded backup header at the same time, the volume is mounted and the user is warned that the volume header is damaged (and informed as to how to repair it).</p>
<h3 id="Settings-Performance">Settings -&gt; Performance and Driver Options</h3>
<p>Invokes the Performance dialog window, where you can change enable or disable AES Hardware acceleration and thread based parallelization. You can also change the following driver option:</p>
<h4>Enable extended disk control codes support</h4>
<p>If enabled, VeraCrypt driver will support returning extended technical information about mounted volumes through IOCTL_STORAGE_QUERY_PROPERTY control code. This control code is always supported by physical drives and it can be required by some applications
to get technical information about a drive (e.g. the Windows fsutil program uses this control code to get the physical sector size of a drive.).<br>
Enabling this option brings VeraCrypt volumes behavior much closer to that of physical disks and if it is disabled, applications can easily distinguish between physical disks and VeraCrypt volumes since sending this control code to a VeraCrypt volume will result
in an error.<br>
Disable this option if you experience stability issues (like volume access issues or system BSOD) which can be caused by poorly written software and drivers.</p>
<h3>Settings -&gt; Preferences</h3>
<p>Invokes the Preferences dialog window, where you can change, among others, the following options:</p>
<h4>Wipe cached passwords on exit</h4>
<p>If enabled, passwords (which may also contain processed keyfile contents) cached in driver memory will be cleared when VeraCrypt exits.</p>
<h4>Cache passwords in driver memory</h4>
<p>When checked, passwords and/or processed keyfile contents for up to last four successfully mounted VeraCrypt volumes are cached. This allows mounting volumes without having to type their passwords (and selecting keyfiles) repeatedly. VeraCrypt never saves
any password to a disk (however, see the chapter <a href="Security%20Requirements%20and%20Precautions.html">
<em>Security Requirements and Precautions</em></a>). Password caching can be enabled/disabled in the Preferences (<em>Settings</em> -&gt;
<em>Preferences</em>) and in the password prompt window. If the system partition/drive is encrypted, caching of the pre-boot authentication password can be enabled or disabled in the system encryption settings (<em>Settings</em> &gt; &lsquo;<em>System Encryption</em>&rsquo;).</p>
<h4>Temporary Cache password during &quot;Mount Favorite Volumes&quot; operations</h4>
<p>When this option is unchecked (this is the default), VeraCrypt will display the password prompt window for every favorite volume during the execution of the &quot;Mount Favorite Volumes&quot; operation and each password is erased once the volume is mounted (unless
password caching is enabled).<br>
<br>
If this option is checked and if there are two or more favorite volumes, then during the operation &quot;Mount Favorite Volumes&quot;, VeraCrypt will first try the password of the previous favorite and if it doesn't work, it will display password prompt window. This
logic applies starting from the second favorite volume onwards. Once all favorite volumes are processed, the password is erased from memory.</p>
<p>This option is useful when favorite volumes share the same password since the password prompt window will only be displayed once for the first favorite and VeraCrypt will automatically mount all subsequent favorites.</p>
<p>Please note that since we can't assume that all favorites use the same PRF (hash) nor the same TrueCrypt mode, VeraCrypt uses Autodetection for the PRF of subsequent favorite volumes and it tries both TrueCryptMode values (false, true) which means that the
total mounting time will be slower compared to the individual mounting of each volume with the manual selection of the correct PRF and the correct TrueCryptMode.</p>
<h4>Open Explorer window for successfully mounted volume</h4>
<p>If this option is checked, then after a VeraCrypt volume has been successfully mounted, an Explorer window showing the root directory of the volume (e.g., T:\) will be automatically opened.</p>
<h4>Use a different taskbar icon when there are mounted volumes</h4>
<p>If enabled, the appearance of the VeraCrypt taskbar icon (shown within the system tray notification area) is different while a VeraCrypt volume is mounted, except the following:</p>
<ul>
<li>Partitions/drives within the key scope of active system encryption (e.g., a system partition encrypted by VeraCrypt, or a non-system partition located on a system drive encrypted by VeraCrypt, mounted when the encrypted operating system is running).
</li><li>VeraCrypt volumes that are not fully accessible to the user account (e.g. a volume mounted from within another user account).
</li><li>VeraCrypt volumes that are not displayed in the VeraCrypt application window. For example, system favorite volumes attempted to be dismounted by an instance of VeraCrypt without administrator privileges when the option '<em>Allow only administrators to
view and dismount system favorite volumes in VeraCrypt</em>' is enabled. </li></ul>
<h4>VeraCrypt Background Task &ndash; Enabled</h4>
<p>See the chapter <a href="VeraCrypt%20Background%20Task.html">
<em>VeraCrypt Background Task</em></a>.</p>
<h4>VeraCrypt Background Task &ndash; Exit when there are no mounted volumes</h4>
<p>If this option is checked, the VeraCrypt background task automatically and silently exits as soon as there are no mounted VeraCrypt volumes. For more information, see the chapter
<a href="VeraCrypt%20Background%20Task.html">
<em>VeraCrypt Background Task</em></a>. Note that this option cannot be disabled when VeraCrypt runs in portable mode.</p>
<h4>Auto-dismount volume after no data has been read/written to it for</h4>
<p>After no data has been written/read to/from a VeraCrypt volume for <em>n</em> minutes, the volume is automatically dismounted.</p>
<h4>Force auto-dismount even if volume contains open files or directories</h4>
<p>This option applies only to auto-dismount (not to regular dismount). It forces dismount (without prompting) on the volume being auto-dismounted in case it contains open files or directories (i.e., file/directories that are in use by the system or applications).</p>
<p>&nbsp;</p>
<p><a href="Mounting%20VeraCrypt%20Volumes.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section &gt;&gt;</a></p>
</div>
</div><div class="ClearBoth"></div></body></html>
diff --git a/doc/html/Random Number Generator.html b/doc/html/Random Number Generator.html
index e5080389..8b9d934c 100644
--- a/doc/html/Random Number Generator.html
+++ b/doc/html/Random Number Generator.html
@@ -1,93 +1,93 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
<meta name="keywords" content="encryption, security"/>
<link href="styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div>
<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
</div>
<div id="menu">
<ul>
<li><a href="Home.html">Home</a></li>
<li><a href="/code/">Source Code</a></li>
<li><a href="Downloads.html">Downloads</a></li>
<li><a class="active" href="Documentation.html">Documentation</a></li>
<li><a href="Donation.html">Donate</a></li>
<li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
</ul>
</div>
<div>
<p>
<a href="Documentation.html">Documentation</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Technical%20Details.html">Technical Details</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Random%20Number%20Generator.html">Random Number Generator</a>
</p></div>
<div class="wikidoc">
<h1>Random Number Generator</h1>
<p>The VeraCrypt random number generator (RNG) is used to generate the master encryption key, the secondary key (XTS mode), salt, and keyfiles. It creates a pool of random values in RAM (memory). The pool, which is 320 bytes long, is filled with data from the
following sources:</p>
<ul>
<li>Mouse movements </li><li>Keystrokes </li><li><em>Mac OS X and Linux</em>: Values generated by the built-in RNG (both <em>/dev/random</em> and<em>/dev/urandom</em>)
</li><li><em>MS Windows only</em>: MS Windows CryptoAPI (collected regularly at 500-ms interval)
</li><li><em>MS Windows only</em>: Network interface statistics (NETAPI32) </li><li><em>MS Windows only</em>: Various Win32 handles, time variables, and counters (collected regularly at 500-ms interval)
</li></ul>
<p>Before a value obtained from any of the above-mentioned sources is written to the pool, it is divided into individual bytes (e.g., a 32-bit number is divided into four bytes). These bytes are then individually written to the pool with the modulo 2<sup>8</sup>
addition operation (not by replacing the old values in the pool) at the position of the pool cursor. After a byte is written, the pool cursor position is advanced by one byte. When the cursor reaches the end of the pool, its position is set to the beginning
of the pool. After every 16<sup>th</sup> byte written to the pool, the pool mixing function is automatically applied to the entire pool (see below).</p>
<h2>Pool Mixing Function</h2>
<p>The purpose of this function is to perform diffusion [2]. Diffusion spreads the influence of individual &ldquo;raw&rdquo; input bits over as much of the pool state as possible, which also hides statistical relationships. After every 16<sup>th</sup> byte
written to the pool, this function is applied to the entire pool.</p>
<p>Description of the pool mixing function:</p>
<ol>
-<li>Let <em>R</em> be the randomness pool. </li><li>Let <em>H</em> be the hash function selected by the user (SHA-512, RIPEMD-160, or Whirlpool).
+<li>Let <em>R</em> be the randomness pool. </li><li>Let <em>H</em> be the hash function selected by the user (SHA-512, BLAKE2S-256, or Whirlpool).
</li><li><em>l</em> = byte size of the output of the hash function <em>H</em> (i.e., if
-<em>H</em> is RIPEMD-160, then <em>l</em> = 20; if <em>H</em> is SHA-512, <em>l</em> = 64)
+<em>H</em> is BLAKE2S-256, then <em>l</em> = 20; if <em>H</em> is SHA-512, <em>l</em> = 64)
</li><li><em>z</em> = byte size of the randomness pool <em>R </em>(320 bytes) </li><li><em>q</em> = <em>z</em> / <em>l</em> &ndash; 1 (e.g., if <em>H</em> is Whirlpool, then
<em>q</em> = 4) </li><li>Ris divided intol-byte blocksB0...Bq.
<p>For 0 &le; i &le; q (i.e., for each block B) the following steps are performed:</p>
<ol type="a">
<li><em>M = H</em> (<em>B</em>0 || <em>B</em>1 || ... || <em>B</em>q) [i.e., the randomness pool is hashed using the hash function H, which produces a hash M]
</li><li>Bi = Bi ^ M </li></ol>
</li><li><em>R = B</em>0 || <em>B</em>1 || ... || <em>B</em>q </li></ol>
<p>For example, if <em>q</em> = 1, the randomness pool would be mixed as follows:</p>
<ol>
<li>(<em>B</em>0 || <em>B</em>1) = <em>R</em> </li><li><em>B</em>0 = <em>B</em>0 ^ <em>H</em>(<em>B</em>0 || <em>B</em>1) </li><li><em>B</em>1 = <em>B</em>1 ^ <em>H</em>(<em>B</em>0 || <em>B</em>1) </li><li><em>R</em> = <em>B</em>0 || <em>B</em>1 </li></ol>
<h2>Generated Values</h2>
<p>The content of the RNG pool is never directly exported (even when VeraCrypt instructs the RNG to generate and export a value). Thus, even if the attacker obtains a value generated by the RNG, it is infeasible for him to determine or predict (using the obtained
value) any other values generated by the RNG during the session (it is infeasible to determine the content of the pool from a value generated by the RNG).</p>
<p>The RNG ensures this by performing the following steps whenever VeraCrypt instructs it to generate and export a value:</p>
<ol>
<li>Data obtained from the sources listed above is added to the pool as described above.
</li><li>The requested number of bytes is copied from the pool to the output buffer (the copying starts from the position of the pool cursor; when the end of the pool is reached, the copying continues from the beginning of the pool; if the requested number of bytes
is greater than the size of the pool, no value is generated and an error is returned).
</li><li>The state of each bit in the pool is inverted (i.e., 0 is changed to 1, and 1 is changed to 0).
</li><li>Data obtained from some of the sources listed above is added to the pool as described above.
</li><li>The content of the pool is transformed using the pool mixing function. Note: The function uses a cryptographically secure one-way hash function selected by the user (for more information, see the section
<em>Pool Mixing Function</em> above). </li><li>The transformed content of the pool is XORed into the output buffer as follows:
<ol type="a">
<li>The output buffer write cursor is set to 0 (the first byte of the buffer). </li><li>The byte at the position of the pool cursor is read from the pool and XORed into the byte in the output buffer at the position of the output buffer write cursor.
</li><li>The pool cursor position is advanced by one byte. If the end of the pool is reached, the cursor position is set to 0 (the first byte of the pool).
</li><li>The position of the output buffer write cursor is advanced by one byte. </li><li>Steps b&ndash;d are repeated for each remaining byte of the output buffer (whose length is equal to the requested number of bytes).
</li><li>The content of the output buffer, which is the final value generated by the RNG, is exported.
</li></ol>
</li></ol>
<h2>Design Origins</h2>
<p>The design and implementation of the random number generator are based on the following works:</p>
<ul>
<li>Software Generation of Practically Strong Random Numbers by Peter Gutmann [10]
</li><li>Cryptographic Random Numbers by Carl Ellison [11] </li></ul>
<p>&nbsp;</p>
<p><a href="Keyfiles.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section &gt;&gt;</a></p>
</div><div class="ClearBoth"></div></body></html>