+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

+<head>

+<meta http-equiv="content-type" content="text/html; charset=utf-8" />

+<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>

+<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>

+<meta name="keywords" content="encryption, security"/>

+<link href="styles.css" rel="stylesheet" type="text/css" />

+</head>

+<body>

+

+<div>

+<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>

+</div>

+

+<div id="menu">

+ <ul>

+ <li><a href="Home.html">Home</a></li>

+ <li><a href="/code/">Source Code</a></li>

+ <li><a href="Downloads.html">Downloads</a></li>

+ <li><a class="active" href="Documentation.html">Documentation</a></li>

+ <li><a href="Donation.html">Donate</a></li>

+ <li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>

+ </ul>

+</div>

+

+<div>

+<p>

+<a href="Documentation.html">Documentation</a>

+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

+<a href="Avoid%20Third-Party%20File%20Extensions.html">Avoid Third-Party File Extensions</a>

+</p></div>

+

+<div class="wikidoc">

+ <h1>Understanding the Risks of Using Third-Party File Extensions with VeraCrypt</h1>

+ <div>

+ <p>While VeraCrypt provides robust encryption capabilities to secure your data, using third-party file extensions for File Containers or Keyfiles could risk making the encrypted data inaccessible.<br />

+ This guide provides an in-depth explanation of the associated risks, and it outlines recommendations for best practices to mitigate these risks.</p>

+ </div>

+

+ <h2>Risks Associated with File Containers</h2>

+ <div>

+ <p>Using a third-party file extension for File Containers exposes you to several risks:</p>

+ <ul>

+ <li>Overwritten Metadata: Third-party applications may update their metadata, which could overwrite crucial parts of the File Container.</li>

+ <li>Unintentional Changes: Accidentally launching a File Container with a third-party application could modify its metadata without your consent.</li>

+ <li>Container Corruption: These actions could render the container unreadable or unusable.</li>

+ <li>Data Loss: The data within the container might be permanently lost if the container becomes corrupted.</li>

+ </ul>

+ </div>

+

+ <h2>Risks Associated with Keyfiles</h2>

+ <div>

+ <p>Similar risks are associated with Keyfiles:</p>

+ <ul>

+ <li>Keyfile Corruption: Inadvertently modifying a Keyfile with a third-party application can make it unusable for decryption.</li>

+ <li>Overwritten Data: Third-party applications may overwrite the portion of the Keyfile that VeraCrypt uses for decryption.</li>

+ <li>Unintentional Changes: Accidental changes can make it impossible to mount the volume unless you have an unaltered backup of the Keyfile.</li>

+ </ul>

+ </div>

+

+ <h2>Examples of Extensions to Avoid</h2>

+ <div>

+ <p>Avoid using the following types of third-party file extensions:</p>

+ <ul>

+ <li>Media Files: Picture, audio, and video files are subject to metadata changes by their respective software.</li>

+ <li>Archive Files: Zip files can be easily modified, which could disrupt the encrypted volume.</li>

+ <li>Executable Files: Software updates can modify these files, making them unreliable as File Containers or Keyfiles.</li>

+ <li>Document Files: Office and PDF files can be automatically updated by productivity software, making them risky to use.</li>

+ </ul>

+ </div>

+

+ <h2>Recommendations</h2>

+ <div>

+ <p>For secure usage, consider the following best practices:</p>

+ <ul>

+ <li>Use neutral file extensions for File Containers and Keyfiles to minimize the risk of automatic file association.</li>

+ <li>Keep secure backups of your File Containers and Keyfiles in locations isolated from network access.</li>

+ <li>Disable auto-open settings for the specific file extensions you use for VeraCrypt File Containers and Keyfiles.</li>

+ <li>Always double-check file associations and be cautious when using a new device or third-party application.</li>

+ </ul>

+ </div>

+

+<div class="ClearBoth"></div></body></html>

+<a href="BLAKE2s-256.html">BLAKE2s-256</a>

+<h1>BLAKE2s-256</h1>

+<p>

+BLAKE2 is a cryptographic hash function based on BLAKE, created by Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian Winnerlein. It was announced on December 21, 2012. The design goal was to replace the widely used, but broken, MD5 and SHA-1 algorithms in applications requiring high performance in software. BLAKE2 provides better security than SHA-2 and similar to that of SHA-3 (e.g. immunity to length extension, indifferentiability from a random oracle, etc...).<br/>

+BLAKE2 removes addition of constants to message words from BLAKE round function, changes two rotation constants, simplifies padding, adds parameter block that is XOR'ed with initialization vectors, and reduces the number of rounds from 16 to 12 for BLAKE2b (successor of BLAKE-512), and from 14 to 10 for BLAKE2s (successor of BLAKE-256).<br/>

+BLAKE2b and BLAKE2s are specified in RFC 7693.

+</p>

+<p>

+VeraCrypt uses only BLAKE2s with its maximum output size of 32-bytes (256 bits).

+</p>

+</div>

+ will be unmounted and all files stored on it will be inaccessible (and encrypted). Even when power supply is suddenly interrupted (without proper system shut down), all files stored on the volume will be inaccessible (and encrypted). To make them accessible

+<p>If you want to close the volume and make files stored on it inaccessible, either restart your operating system or unmount the volume. To do so, follow these steps:<br>

+<strong>Unmount </strong>(also marked with a red rectangle in the screenshot above). To make files stored on the volume accessible again, you will have to mount the volume. To do so, repeat Steps 13-18.</p>

+<td>It must be followed by a parameter indicating the PRF hash algorithm to use when mounting the volume. Possible values for /hash parameter are: sha256, sha-256, sha512, sha-512, whirlpool, blake2s and blake2s-256. When /hash is omitted, VeraCrypt will try

+<p>It must be followed by a parameter indicating the file and path name of a VeraCrypt volume to mount (do not use when unmounting) or the Volume ID of the disk/partition to mount.<br>

+<td>Beep after a volume has been successfully mounted or unmounted.</td>

+<td><em>/unmount</em> or <em>/u</em></td>

+<td>Unmount volume specified by drive letter (e.g., /u x). When no drive letter is specified, unmounts all currently mounted VeraCrypt volumes.</td>

+</tr>

+<tr>

+<td>Deprecated. Please use /unmount or /u.</td>

+<td>Forces unmount (if the volume to be unmounted contains files being used by the system or an application) and forces mounting in shared mode (i.e., without exclusive access).</td>

+<td>Enables a faster, albeit potentially insecure, method for creating file containers. This option carries security risks as it can embed existing disk content into the file container, possibly exposing sensitive data if an attacker gains access to it. Note that this switch affects all file container creation methods, whether initiated from the command line, using the /create switch, or through the UI wizard.</td>

+<p>VeraCrypt.exe [/tc] [/hash {sha256|sha-256|sha512|sha-512|whirlpool |blake2s|blake2s-256}][/a [devices|favorites]] [/b] [/c [y|n|f]] [/d [drive letter]] [/e] [/f] [/h [y|n]] [/k keyfile or search path] [tryemptypass [y|n]] [/l drive letter] [/m {bk|rm|recovery|ro|sm|ts|noattach}]

+<p>&quot;VeraCrypt Format.exe&quot; [/n] [/create] [/size number[{K|M|G|T}]] [/p password]&nbsp; [/encryption {AES | Serpent | Twofish | Camellia | Kuznyechik | AES(Twofish) | AES(Twofish(Serpent)) | Serpent(AES) | Serpent(Twofish(AES)) | Twofish(Serpent) | Camellia(Kuznyechik) | Kuznyechik(Twofish) | Camellia(Serpent) | Kuznyechik(AES) | Kuznyechik(Serpent(Camellia))}] [/hash {sha256|sha-256|sha512|sha-512|whirlpool|blake2s|blake2s-256}]

+<p>Unmount a volume mounted as the drive letter <em>X</em> (the main program window will not be displayed):</p>

+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+

+<style>

+.textbox {

+ vertical-align: top;

+ height: auto !important;

+ font-family: Helvetica,sans-serif;

+ font-size: 20px;

+ font-weight: bold;

+ margin: 10px;

+ padding: 10px;

+ background-color: white;

+ width: auto;

+ border-radius: 10px;

+}

+

+.texttohide {

+ font-family: Helvetica,sans-serif;

+ font-size: 14px;

+ font-weight: normal;

+}

+

+

+</style>

+

+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

+<head>

+<meta http-equiv="content-type" content="text/html; charset=utf-8" />

+<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>

+<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>

+<meta name="keywords" content="encryption, security"/>

+<link href="styles.css" rel="stylesheet" type="text/css" />

+</head>

+<body>

+

+<div>

+<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>

+</div>

+

+<div id="menu">

+ <ul>

+ <li><a href="Home.html">Home</a></li>

+ <li><a href="/code/">Source Code</a></li>

+ <li><a href="Downloads.html">Downloads</a></li>

+ <li><a class="active" href="Documentation.html">Documentation</a></li>

+ <li><a href="Donation.html">Donate</a></li>

+ <li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>

+ </ul>

+</div>

+

+<div>

+<p>

+<a href="Documentation.html">Documentation</a>

+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

+<a href="Technical%20Details.html">Technical Details</a>

+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

+<a href="CompilingGuidelines.html">Building VeraCrypt From Source</a>

+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

+<a href="CompilingGuidelineLinux.html">Linux Build Guide</a>

+</p></div>

+

+<div class="wikidoc">

+This guide describes how to set up a Linux System to build VeraCrypt from source and how to perform compilation. <br>

+The procedure for a Ubuntu 22.04 LTS system is described here as an example, the procedure for other Linux systems is analogous.

+</div>

+

+<div class="wikidoc">

+<br>

+<br>

+The following components are required for compiling VeraCrypt:

+<ol>

+ <li>GNU Make</li>

+ <li>GNU C/C++ Compiler</li>

+ <li>YASM 1.3.0</li>

+ <li>pkg-config</li>

+ <li>wxWidgets 3.x shared library and header files installed by the system or wxWidgets 3.x library source code </li>

+ <li>FUSE library and header files</li>

+ <li>PCSC-lite library and header files</li>

+</ol>

+</div>

+

+<div class="wikidoc">

+<p>Below are the procedure steps. Clicking on any of the link takes directly to the related step:

+<ul>

+<li><strong><a href="#InstallationOfGNUMake">Installation of GNU Make</a></li></strong>

+<li><strong><a href="#InstallationOfGNUCompiler">Installation of GNU C/C++ Compiler</a></li></strong>

+<li><strong><a href="#InstallationOfYASM">Installation of YASM</a></li></strong>

+<li><strong><a href="#InstallationOfPKGConfig">Installation of pkg-config</a></li></strong>

+<li><strong><a href="#InstallationOfwxWidgets">Installation of wxWidgets 3.2</a></li></strong>

+<li><strong><a href="#InstallationOfFuse">Installation of libfuse</a></li></strong>

+<li><strong><a href="#InstallationOfPCSCLite">Installation of libpcsclite</a></li></strong>

+<li><strong><a href="#DownloadVeraCrypt">Download VeraCrypt</a></li></strong>

+<li><strong><a href="#CompileVeraCrypt">Compile VeraCrypt</a></li></strong>

+</ul>

+</p>

+<p>They can also be performed by running the below list of commands in a terminal or by copying them to a script:<br>

+<code>

+sudo apt update <br>

+sudo apt install -y build-essential yasm pkg-config libwxgtk3.0-gtk3-dev <br>

+sudo apt install -y libfuse-dev git libpcsclite-dev <br>

+git clone https://github.com/veracrypt/VeraCrypt.git <br>

+cd ~/VeraCrypt/src <br>

+make

+</code>

+</p>

+</div>

+

+<div class="wikidoc">

+ <div class="textbox" id="InstallationOfGNUMake">

+ <a href="#InstallationOfGNUMake">Installation of GNU Make</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Open a terminal

+ </li>

+ <li>

+ Execute the following commands: <br>

+ <code>

+ sudo apt update <br>

+ sudo apt install build-essential

+ </code>

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfGNUCompiler">

+ <a href="#InstallationOfGNUCompiler">Installation of GNU C/C++ Compiler</a>

+ <div class="texttohide">

+ <p> If the build-essential were already installed in the step before, this step can be skipped.

+ <ol>

+ <li>

+ Open a terminal

+ </li>

+ <li>

+ Execute the following commands: <br>

+ <code>

+ sudo apt update <br>

+ sudo apt install build-essential

+ </code>

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfYASM">

+ <a href="#InstallationOfYASM">Installation of YASM</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Open a terminal

+ </li>

+ <li>

+ Execute the following commands: <br>

+ <code>

+ sudo apt update <br>

+ sudo apt install yasm

+ </code>

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfPKGConfig">

+ <a href="#InstallationOfPKGConfig">Installation of pkg-config</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Open a terminal

+ </li>

+ <li>

+ Execute the following commands: <br>

+ <code>

+ sudo apt update <br>

+ sudo apt install pkg-config

+ </code>

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfwxWidgets">

+ <a href="#InstallationOfwxWidgets">Installation of wxWidgets 3.2</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Open a terminal

+ </li>

+ <li>

+ Execute the following commands: <br>

+ <code>

+ sudo apt update <br>

+ sudo apt install libwxgtk3.0-gtk3-dev <br>

+ </code>

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfFuse">

+ <a href="#InstallationOfFuse">Installation of libfuse</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Open a terminal

+ </li>

+ <li>

+ Execute the following commands: <br>

+ <code>

+ sudo apt update <br>

+ sudo apt install libfuse-dev

+ </code>

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+<div class="textbox" id="InstallationOfPCSCLite">

+ <a href="#InstallationOfPCSCLite">Installation of libpcsclite</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Open a terminal

+ </li>

+ <li>

+ Execute the following commands: <br>

+ <code>

+ sudo apt update <br>

+ sudo apt install libpcsclite-dev

+ </code>

+ </li>

+ </ol>

+ </p>

+ </div>

+</div>

+

+ <div class="textbox" id="DownloadVeraCrypt">

+ <a href="#DownloadVeraCrypt">Download VeraCrypt</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Open a terminal

+ </li>

+ <li>

+ Execute the following commands: <br>

+ <code>

+ sudo apt update <br>

+ sudo apt install git <br>

+ git clone https://github.com/veracrypt/VeraCrypt.git

+ </code>

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="CompileVeraCrypt">

+ <a href="#CompileVeraCrypt">Compile VeraCrypt</a>

+ <div class="texttohide">

+ <p> Remarks: <br>

+ <ul>

+ <li>

+ By default, a universal executable supporting both graphical and text user interface (through the switch --text) is built. <br>

+ On Linux, a console-only executable, which requires no GUI library, can be built using the 'NOGUI' parameter. <br>

+ For that, you need to dowload wxWidgets sources, extract them to a location of your choice and then run the following commands: <br>

+ <code>

+ make NOGUI=1 WXSTATIC=1 WX_ROOT=/path/to/wxWidgetsSources wxbuild <br>

+ make NOGUI=1 WXSTATIC=1 WX_ROOT=/path/to/wxWidgetsSources

+ </code>

+ </li>

+ <li>

+ If you are not using the system wxWidgets library, you will have to download and use wxWidgets sources like the remark above but this time the following commands should be run to build GUI version of VeraCrypt (NOGUI is not specified): <br>

+ <code>

+ make WXSTATIC=1 WX_ROOT=/path/to/wxWidgetsSources wxbuild <br>

+ make WXSTATIC=1 WX_ROOT=/path/to/wxWidgetsSources

+ </code>

+ </li>

+ </ul>

+ Steps:

+ <ol>

+ <li>

+ Open a terminal

+ </li>

+ <li>

+ Execute the following commands: <br>

+ <code>

+ cd ~/VeraCrypt/src <br>

+ make

+ </code>

+ </li>

+ <li>

+ If successful, the VeraCrypt executable should be located in the directory 'Main'.

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+</div>

+</body></html>

+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+

+<style>

+.textbox {

+ vertical-align: top;

+ height: auto !important;

+ font-family: Helvetica,sans-serif;

+ font-size: 20px;

+ font-weight: bold;

+ margin: 10px;

+ padding: 10px;

+ background-color: white;

+ width: auto;

+ border-radius: 10px;

+}

+

+.texttohide {

+ font-family: Helvetica,sans-serif;

+ font-size: 14px;

+ font-weight: normal;

+}

+

+

+</style>

+

+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

+<head>

+<meta http-equiv="content-type" content="text/html; charset=utf-8" />

+<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>

+<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>

+<meta name="keywords" content="encryption, security"/>

+<link href="styles.css" rel="stylesheet" type="text/css" />

+</head>

+<body>

+

+<div>

+<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>

+</div>

+

+<div id="menu">

+ <ul>

+ <li><a href="Home.html">Home</a></li>

+ <li><a href="/code/">Source Code</a></li>

+ <li><a href="Downloads.html">Downloads</a></li>

+ <li><a class="active" href="Documentation.html">Documentation</a></li>

+ <li><a href="Donation.html">Donate</a></li>

+ <li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>

+ </ul>

+</div>

+

+<div>

+<p>

+<a href="Documentation.html">Documentation</a>

+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

+<a href="Technical%20Details.html">Technical Details</a>

+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

+<a href="CompilingGuidelines.html">Building VeraCrypt From Source</a>

+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

+<a href="CompilingGuidelineWin.html">Windows Build Guide</a>

+</p></div>

+

+<div class="wikidoc">

+This guide describes how to set up a Windows system that can compile the VeraCrypt. Further it is described how VeraCrypt is going to be compiled. <br>

+The procedure for a Windows 10 system is described here as an example, but the procedure for other Windows systems is analogous.

+</div>

+

+<div class="wikidoc">

+The following components are required for compiling VeraCrypt:

+

+<ol>

+ <li>Microsoft Visual Studio 2010</li>

+ <li>Microsoft Visual Studio 2010 Service Pack 1</li>

+ <li>NASM</li>

+ <li>YASM</li>

+ <li>Visual C++ 1.52</li>

+ <li>Windows SDK 7.1</li>

+ <li>Windows Driver Kit 7.1</li>

+ <li>Windows 8.1 SDK</li>

+ <li>gzip</li>

+ <li>upx</li>

+ <li>7zip</li>

+ <li>Wix3</li>

+ <li>Microsoft Visual Studio 2019</li>

+ <li>Windows 10 SDK</li>

+ <li>Windows Driver Kit 1903</li>

+ <li>Visual Studio build tools</li>

+

+</ol>

+

+</div>

+

+<div class="wikidoc">

+Below are the procedure steps. Clicking on any of the link takes directly to the related step:

+<ul>

+<li><strong><a href="#InstallationOfMicrosoftVisualStudio2010">Installation of Microsoft Visual Studio 2010</a></li></strong>

+<li><strong><a href="#InstallationOfMicrosoftVisualStudio2010ServicePack1">Installation of Microsoft Visual Studio 2010 Service Pack 1</a></li></strong>

+<li><strong><a href="#InstallationOfNASM">Installation of NASM</a></li></strong>

+<li><strong><a href="#InstallationOfYASM">Installation of YASM</a></li></strong>

+<li><strong><a href="#InstallationOfVisualCPP">Installation of Microsoft Visual C++ 1.52</a></li></strong>

+<li><strong><a href="#InstallationOfWindowsSDK71PP">Installation of the Windows SDK 7.1</a></li></strong>

+<li><strong><a href="#InstallationOfWDK71PP">Installation of the Windows Driver Kit 7.1</a></li></strong>

+<li><strong><a href="#InstallationOfSDK81PP">Installation of the Windows 8.1 SDK</a></li></strong>

+<li><strong><a href="#InstallationOfGzip">Installation of gzip</a></li></strong>

+<li><strong><a href="#InstallationOfUpx">Installation of upx</a></li></strong>

+<li><strong><a href="#InstallationOf7zip">Installation of 7zip</a></li></strong>

+<li><strong><a href="#InstallationOfWix3">Installation of Wix3</a></li></strong>

+<li><strong><a href="#InstallationOfVS2019">Installation of Microsoft Visual Studio 2019</a></li></strong>

+<li><strong><a href="#InstallationOfWDK10">Installation of the Windows Driver Kit 2004</a></li></strong>

+<li><strong><a href="#InstallationOfVisualBuildTools">Installation of the Visual Studio build tools</a></li></strong>

+<li><strong><a href="#DownloadVeraCrypt">Download VeraCrypt Source Files</a></li></strong>

+<li><strong><a href="#CompileWin32X64">Compile the Win32/x64 Versions of VeraCrypt</a></li></strong>

+<li><strong><a href="#CompileARM64">Compile the ARM64 Version of VeraCrypt</a></li></strong>

+<li><strong><a href="#BuildVeraCryptExecutables">Build the VeraCrypt Executables</a></li></strong>

+<li><strong><a href="#ImportCertificates">Import the Certificates</a></li></strong>

+<li><strong><a href="#KnownIssues">Known Issues</a></li></strong>

+</ul>

+</div>

+

+<div class="wikidoc">

+ <div class="textbox" id="InstallationOfMicrosoftVisualStudio2010">

+ <a href="#InstallationOfMicrosoftVisualStudio2010">Installation of Microsoft Visual Studio 2010</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Visit the following Microsoft website and log in with a free Microsoft account: <br>

+ <a href="https://my.visualstudio.com/Downloads?q=Visual%20Studio%202010%20Professional&pgroup=" target="_blank">https://my.visualstudio.com/Downloads?q=Visual%20Studio%202010%20Professional&pgroup=</a>

+ </li>

+ <li>

+ Please download a (trial) version of “Visual Studio Professional 2010” <br>

+ <img src="CompilingGuidelineWin/DownloadVS2010.jpg" width="80%">

+ </li>

+ <li>

+ Mount the downloaded ISO file by doubleclicking it

+ </li>

+ <li>

+ Run the file "autorun.exe" as administrator

+ </li>

+ <li>

+ Install Microsoft Visual Studio 2010 with the default settings

+ </li>

+ </ol>

+ The installation of the Microsoft SQL Server 2008 Express Service Pack 1 (x64) may fail, but it is not required for compiling VeraCrypt.

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfMicrosoftVisualStudio2010ServicePack1">

+ <a href="#InstallationOfMicrosoftVisualStudio2010ServicePack1">Installation of Microsoft Visual Studio 2010 Service Pack 1</a>

+ <div class="texttohide">

+ <p>

+ Note: The content the official installer from Microsoft tries to download is no longer available. Therefore, it is necessary to use an offline installer.

+ <ol>

+ <li>

+ Visit the website of the internet archive and download the iso image of the Microsoft Visual Studio 2010 Service Pack 1:<br>

+ <a href="https://archive.org/details/vs-2010-sp-1dvd-1" target="_blank">https://archive.org/details/vs-2010-sp-1dvd-1</a>

+ </li>

+ <li>

+ Mount the downloaded ISO file by doubleclicking it

+ </li>

+ <li>

+ Run the file "Setup.exe" as administrator

+ </li>

+ <li>

+ Install Microsoft Visual Studio 2010 Service Pack 1 with the default settings

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfNASM">

+ <a href="#InstallationOfNASM">Installation of NASM</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Download “nasm-2.08-installer.exe” at: <br>

+ <a href="https://www.nasm.us/pub/nasm/releasebuilds/2.08/win32/" target="_blank">https://www.nasm.us/pub/nasm/releasebuilds/2.08/win32/</a>

+ </li>

+ <li>

+ Run the file as administrator

+ </li>

+ <li>

+ Install NASM with the default settings

+ </li>

+ <li>

+ Add NASM to the path Variable. This will make the command globally available on the command line. <br>

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ Open a file explorer

+ </li>

+ <li>

+ Within the left file tree, please make a right click on "This PC" and select "Properties" <br>

+ <img src="CompilingGuidelineWin/SelectThisPC.jpg" width="40%">

+ </li>

+ <li>

+ Within the right menu, please click on "Advanced system settings" <br>

+ <img src="CompilingGuidelineWin/SelectAdvancedSystemSettings.jpg" width="50%">

+ </li>

+ <li>

+ Please click on "Environment Variables" <br>

+ <img src="CompilingGuidelineWin/SelectEnvironmentVariables.jpg" width="17%">

+ </li>

+ <li>

+ Within the area of the system variables, please select the "Path" variable and click on "Edit..." <br>

+ <img src="CompilingGuidelineWin/SelectPathVariable.jpg" width="25%">

+ </li>

+ <li>

+ Click on "New" and add the following value: <br>

+ <p style="font-family: 'Courier New', monospace;">C:\Program Files (x86)\nasm</p>

+ </li>

+ <li>

+ Close the windows by clicking on "OK"

+ </li>

+ </ol>

+ </li>

+ <li>

+ To check if the configuration is working correctly, please open a command prompt and watch the output of the following command: <br>

+ <p style="font-family: 'Courier New', monospace;">nasm</p> <br>

+ <img src="CompilingGuidelineWin/NasmCommandLine.jpg" width="50%">

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfYASM">

+ <a href="#InstallationOfYASM">Installation of YASM</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Please create the following folder: <br>

+ C:\Program Files\YASM

+ </li>

+ <li>

+ Please download the file "Win64 VS2010 .zip" at: <br>

+ <a href="https://yasm.tortall.net/Download.html" target="_blank">https://yasm.tortall.net/Download.html</a>

+ </li>

+ <li>

+ Your browser might inform you that the file might be a security risk due to the low download rate or the unencrypted connection. Nevertheless, the official website is the most reliable source for this file, so we recommend to allow the download

+ </li>

+ <li>

+ Unzip the zip file and copy the files to “C:\Program Files\YASM”

+ </li>

+ <li>

+ Please download the file "Win64 .exe" at: <br>

+ <a href="https://yasm.tortall.net/Download.html" target="_blank">https://yasm.tortall.net/Download.html</a>

+ </li>

+ <li>

+ Your browser might inform you that the file might be a security risk due to the low download rate or the unencrypted connection. Nevertheless, the official website is the most reliable source for this file, so we recommend to allow the download

+ </li>

+ <li>

+ Rename the file to “yasm.exe” and copy it to “C:\Program Files\YASM”

+ </li>

+ <li>

+ Add YASM to the path Variable and create a new system variable for YASM. This will make the command globally available on the command line. <br>

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ Open a file explorer

+ </li>

+ <li>

+ Within the left file tree, please make a right click on "This PC" and select "Properties" <br>

+ <img src="CompilingGuidelineWin/SelectThisPC.jpg" width="40%">

+ </li>

+ <li>

+ Within the right menu, please click on "Advanced system settings" <br>

+ <img src="CompilingGuidelineWin/SelectAdvancedSystemSettings.jpg" width="50%">

+ </li>

+ <li>

+ Please click on "Environment Variables" <br>

+ <img src="CompilingGuidelineWin/SelectEnvironmentVariables.jpg" width="17%">

+ </li>

+ <li>

+ Within the area of the system variables, please select the "Path" variable and click on "Edit..." <br>

+ <img src="CompilingGuidelineWin/SelectPathVariable.jpg" width="25%">

+ </li>

+ <li>

+ Click on "New" and add the following value: <br>

+ <p style="font-family: 'Courier New', monospace;">C:\Program Files\YASM</p>

+ </li>

+ <li>

+ Close the top window by clicking on "OK"

+ </li>

+ <li>

+ Within the area of the system variables, please click on "New..." <br>

+ <img src="CompilingGuidelineWin/AddNewSystemVar.jpg" width="25%">

+ </li>

+ <li>

+ Fill out the form with the following values: <br>

+ <p style="font-family: 'Courier New', monospace;">Variable name: YASMPATH<br> Variable value: C:\Program Files\YASM</p>

+ </li>

+ <li>

+ Close the windows by clicking on "OK"

+ </li>

+ </ol>

+ </li>

+ <li>

+ To check if the configuration is working correctly, please open a command prompt and watch the output of the following command: <br>

+ <p style="font-family: 'Courier New', monospace;">yasm</p> <br>

+ and <br>

+ <p style="font-family: 'Courier New', monospace;">vsyasm</p> <br>

+ <img src="CompilingGuidelineWin/YasmCommandLine.jpg" width="50%">

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfVisualCPP">

+ <a href="#InstallationOfVisualCPP">Installation of Microsoft Visual C++ 1.52</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Visual C++ 1.52 is available via the paid Microsoft MSDN subscription. If you do not have a subscription, you download the ISO image via the internet archive: <br>

+ <a href="https://archive.org/details/ms-vc152" target="_blank">https://archive.org/details/ms-vc152</a>

+ </li>

+ <li>

+ Create the folder “C:\MSVC15”

+ </li>

+ <li>

+ Mount the ISO file and copy the content of the folder “MSVC” to “C:\MSVC15”

+ </li>

+ <li>

+ Create a system variable for Microsoft Visual C++ 1.52 <br>

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ Open a file explorer

+ </li>

+ <li>

+ Within the left file tree, please make a right click on "This PC" and select "Properties" <br>

+ <img src="CompilingGuidelineWin/SelectThisPC.jpg" width="40%">

+ </li>

+ <li>

+ Within the right menu, please click on "Advanced system settings" <br>

+ <img src="CompilingGuidelineWin/SelectAdvancedSystemSettings.jpg" width="50%">

+ </li>

+ <li>

+ Please click on "Environment Variables" <br>

+ <img src="CompilingGuidelineWin/SelectEnvironmentVariables.jpg" width="17%">

+ </li>

+ <li>

+ Within the area of the system variables, please click on "New..." <br>

+ <img src="CompilingGuidelineWin/AddNewSystemVar.jpg" width="25%">

+ </li>

+ <li>

+ Fill out the form with the following values: <br>

+ <p style="font-family: 'Courier New', monospace;">Variable name: MSVC16_ROOT<br> Variable value: C:\MSVC15</p>

+ </li>

+ <li>

+ Close the windows by clicking on "OK"

+ </li>

+ </ol>

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfWindowsSDK71PP">

+ <a href="#InstallationOfWindowsSDK71PP">Installation of the Windows SDK 7.1</a>

+ <div class="texttohide">

+ <p>

+ The installer requires .Net Framework 4 (Not a newer one like .Net Framework 4.8!). Since a newer version is already preinstalled with Windows 10, the installer has to be tricked:

+ <ol>

+ <li>

+ Click on the start button and search for: "regedit.msc". Start the first finding.

+ </li>

+ <li>

+ Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\"

+ </li>

+ <li>

+ Change the permissions for the "Client" folder, so you can edit the keys: <br>

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ Right click on the subfolder "Client" and select "Permissions..."

+ </li>

+ <li>

+ Click on "Advanced" <br>

+ <img src="CompilingGuidelineWin/RegeditPermissions-1.jpg" width="17%">

+ </li>

+ <li>

+ Change the owner to your user and click on "Add" <br>

+ <img src="CompilingGuidelineWin/RegeditPermissions-2.jpg" width="35%">

+ </li>

+ <li>

+ Set the principal to your user, select "Full Control" and click on "OK" <br>

+ <img src="CompilingGuidelineWin/RegeditPermissions-3.jpg" width="35%">

+ </li>

+ <li>

+ Within the folder "Client" note down the value of the entry "Version"

+ </li>

+ <li>

+ Doubleclick on the entry "Version" and change the value to "4.0.30319" <br>

+ <img src="CompilingGuidelineWin/RegeditPermissions-4.jpg" width="30%">

+ </li>

+ </ol>

+ </li>

+ <li>

+ Change the permissions for the "Full" folder, so you can edit the keys: <br>

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ Right click on the subfolder "Full" and select "Permissions..."

+ </li>

+ <li>

+ Click on "Advanced" <br>

+ <img src="CompilingGuidelineWin/RegeditPermissions-1.jpg" width="17%">

+ </li>

+ <li>

+ Change the owner to your user and click on "Add" <br>

+ <img src="CompilingGuidelineWin/RegeditPermissions-2.jpg" width="35%">

+ </li>

+ <li>

+ Set the principal to your user, select "Full Control" and click on "OK" <br>

+ <img src="CompilingGuidelineWin/RegeditPermissions-3.jpg" width="35%">

+ </li>

+ <li>

+ Within the folder "Full" note down the value of the entry "Version"

+ </li>

+ <li>

+ Doubleclick on the entry "Version" and change the value to "4.0.30319" <br>

+ <img src="CompilingGuidelineWin/RegeditPermissions-4.jpg" width="30%">

+ </li>

+ </ol>

+ </li>

+ <li>

+ Download the Windows SDK 7.1 at: <br>

+ <a href="https://www.microsoft.com/en-us/download/details.aspx?id=8279" target="_blank">https://www.microsoft.com/en-us/download/details.aspx?id=8279</a>

+ </li>

+ <li>

+ Run the downloaded file as administrator and install the application with default settings

+ </li>

+ <li>

+ After the installation, revert the changes done in the registry editor. <br>

+ <b>Note:</b> The owner "TrustedInstaller" can be restored by searching for: "NT Service\TrustedInstaller"

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfWDK71PP">

+ <a href="#InstallationOfWDK71PP">Installation of the Windows Driver Kit 7.1</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Please download the ISO of the Windows Diver Kit 7.1 at: <br>

+ <a href="https://www.microsoft.com/en-us/download/details.aspx?id=11800" target="_blank">https://www.microsoft.com/en-us/download/details.aspx?id=11800</a>

+ </li>

+ <li>

+ Mount the downloaded ISO file by doubleclicking it

+ </li>

+ <li>

+ Run the file "KitSetup.exe" as administrator. Within the installation select all features to be installed. <br>

+ <b>Note: </b>It might be that during the installed you are requested to install the .NET Framework 3.5. In this case click on "Download and install this feature".

+ </li>

+ <li>

+ Install the Driver Kit to the default location

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfSDK81PP">

+ <a href="#InstallationOfSDK81PP">Installation of the Windows 8.1 SDK</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Please download the ISO of the Windows 8.1 SDK at: <br>

+ <a href="https://developer.microsoft.com/de-de/windows/downloads/sdk-archive/" target="_blank">https://developer.microsoft.com/de-de/windows/downloads/sdk-archive/</a>

+ </li>

+ <li>

+ Run the downloaded file as administrator and install the Windows 8.1 SDK with default settings

+ </li>

+ <li>

+ Create a system variable for the Windows 8.1 SDK <br>

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ Open a file explorer

+ </li>

+ <li>

+ Within the left file tree, please make a right click on "This PC" and select "Properties" <br>

+ <img src="CompilingGuidelineWin/SelectThisPC.jpg" width="40%">

+ </li>

+ <li>

+ Within the right menu, please click on "Advanced system settings" <br>

+ <img src="CompilingGuidelineWin/SelectAdvancedSystemSettings.jpg" width="50%">

+ </li>

+ <li>

+ Please click on "Environment Variables" <br>

+ <img src="CompilingGuidelineWin/SelectEnvironmentVariables.jpg" width="17%">

+ </li>

+ <li>

+ Within the area of the system variables, please click on "New..." <br>

+ <img src="CompilingGuidelineWin/AddNewSystemVar.jpg" width="25%">

+ </li>

+ <li>

+ Fill out the form with the following values: <br>

+ <p style="font-family: 'Courier New', monospace;">Variable name: WSDK81<br> Variable value: C:\Program Files (x86)\Windows Kits\8.1\</p>

+ </li>

+ <li>

+ Close the windows by clicking on "OK"

+ </li>

+ </ol>

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfGzip">

+ <a href="#InstallationOfGzip">Installation of gzip</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Please create the following folder: <br>

+ C:\Program Files (x86)\gzip

+ </li>

+ <li>

+ Please download gzip version at: <br>

+ <a href="https://sourceforge.net/projects/gnuwin32/files/gzip/1.3.12-1/gzip-1.3.12-1-bin.zip/download?use-mirror=netix&download=" target="_blank">https://sourceforge.net/projects/gnuwin32/files/gzip/1.3.12-1/gzip-1.3.12-1-bin.zip/download?use-mirror=netix&download=</a>

+ </li>

+ <li>

+ Copy the content of the downloaded zip to “C:\Program Files (x86)\gzip”

+ </li>

+ <li>

+ Add gzip to the path Variable. This will make the command globally available on the command line. <br>

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ Open a file explorer

+ </li>

+ <li>

+ Within the left file tree, please make a right click on "This PC" and select "Properties" <br>

+ <img src="CompilingGuidelineWin/SelectThisPC.jpg" width="40%">

+ </li>

+ <li>

+ Within the right menu, please click on "Advanced system settings" <br>

+ <img src="CompilingGuidelineWin/SelectAdvancedSystemSettings.jpg" width="50%">

+ </li>

+ <li>

+ Please click on "Environment Variables" <br>

+ <img src="CompilingGuidelineWin/SelectEnvironmentVariables.jpg" width="17%">

+ </li>

+ <li>

+ Within the area of the system variables, please select the "Path" variable and click on "Edit..." <br>

+ <img src="CompilingGuidelineWin/SelectPathVariable.jpg" width="25%">

+ </li>

+ <li>

+ Click on "New" and add the following value: <br>

+ <p style="font-family: 'Courier New', monospace;">C:\Program Files (x86)\gzip\bin</p>

+ </li>

+ <li>

+ Close the windows by clicking on "OK"

+ </li>

+ </ol>

+ </li>

+ <li>

+ To check if the configuration is working correctly, please open a command prompt and watch the output of the following command: <br>

+ <p style="font-family: 'Courier New', monospace;">gzip</p> <br>

+ <img src="CompilingGuidelineWin/gzipCommandLine.jpg" width="50%">

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfUpx">

+ <a href="#InstallationOfUpx">Installation of upx</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Please create the following folder: <br>

+ C:\Program Files (x86)\upx

+ </li>

+ <li>

+ Please download the latest upx-X-XX-win64.zip version at: <br>

+ <a href="https://github.com/upx/upx/releases/tag/v3.96" target="_blank">https://github.com/upx/upx/releases/tag/v3.96</a>

+ </li>

+ <li>

+ Copy the content of the downloaded zip to “C:\Program Files (x86)\upx”

+ </li>

+ <li>

+ Add gzip to the path Variable. This will make the command globally available on the command line. <br>

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ Open a file explorer

+ </li>

+ <li>

+ Within the left file tree, please make a right click on "This PC" and select "Properties" <br>

+ <img src="CompilingGuidelineWin/SelectThisPC.jpg" width="40%">

+ </li>

+ <li>

+ Within the right menu, please click on "Advanced system settings" <br>

+ <img src="CompilingGuidelineWin/SelectAdvancedSystemSettings.jpg" width="50%">

+ </li>

+ <li>

+ Please click on "Environment Variables" <br>

+ <img src="CompilingGuidelineWin/SelectEnvironmentVariables.jpg" width="17%">

+ </li>

+ <li>

+ Within the area of the system variables, please select the "Path" variable and click on "Edit..." <br>

+ <img src="CompilingGuidelineWin/SelectPathVariable.jpg" width="25%">

+ </li>

+ <li>

+ Click on "New" and add the following value: <br>

+ <p style="font-family: 'Courier New', monospace;">C:\Program Files (x86)\upx</p>

+ </li>

+ <li>

+ Close the windows by clicking on "OK"

+ </li>

+ </ol>

+ </li>

+ <li>

+ To check if the configuration is working correctly, please open a command prompt and watch the output of the following command: <br>

+ <p style="font-family: 'Courier New', monospace;">upx</p> <br>

+ <img src="CompilingGuidelineWin/upxCommandLine.jpg" width="50%">

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOf7zip">

+ <a href="#InstallationOf7zip">Installation of 7zip</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Please download the latest version of 7zip at: <br>

+ <a href="https://www.7-zip.de/" target="_blank">https://www.7-zip.de/</a>

+ </li>

+ <li>

+ Run the downloaded file as administrator and install 7zip with default settings

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfWix3">

+ <a href="#InstallationOfWix3">Installation of Wix3</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Please download wix311.exe at: <br>

+ <a href="https://github.com/wixtoolset/wix3/releases" target="_blank">https://github.com/wixtoolset/wix3/releases</a>

+ </li>

+ <li>

+ Run the downloaded file as administrator and install WiX Toolset with default settings

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfVS2019">

+ <a href="#InstallationOfVS2019">Installation of Microsoft Visual Studio 2019</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Visit the following Microsoft website and log in with a free Microsoft account: <br>

+ <a href="https://my.visualstudio.com/Downloads?q=visual%20studio%202019%20Professional" target="_blank">https://my.visualstudio.com/Downloads?q=visual%20studio%202019%20Professional</a>

+ </li>

+ <li>

+ Please download the latest (trial) version of “Visual Studio Professional 2019” <br>

+ <img src="CompilingGuidelineWin/DownloadVS2019.jpg" width="80%">

+ </li>

+ <li>

+ Run the downloaded file as administrator and go through the wizard. <br>

+ Select the following Workloads for installation: <br>

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ Desktop development with C++

+ </li>

+ <li>

+ .NET desktop development

+ </li>

+ </ol>

+ Select the following individual components for installation:

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ .NET

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ .NET 6.0 Runtime

+ </li>

+ <li>

+ .NET Core 3.1 Runtime (LTS)

+ </li>

+ <li>

+ .NET Framework 4 targeting pack

+ </li>

+ <li>

+ .NET Framework 4.5 targeting pack

+ </li>

+ <li>

+ .NET Framework 4.5.1 targeting pack

+ </li>

+ <li>

+ .NET Framework 4.5.2 targeting pack

+ </li>

+ <li>

+ .NET Framework 4.6 targeting pack

+ </li>

+ <li>

+ .NET Framework 4.6.1 targeting pack

+ </li>

+ <li>

+ .NET Framework 4.7.2 targeting pack

+ </li>

+ <li>

+ .NET Framework 4.8 SDK

+ </li>

+ <li>

+ .NET Framework 4.8 targeting pack

+ </li>

+ <li>

+ .NET SDK

+ </li>

+ <li>

+ ML.NET Model Builder (Preview)

+ </li>

+ </ol>

+ </li>

+ <li>

+ Cloud, database, and server

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ CLR data types for SQL Server

+ </li>

+ <li>

+ Connectivity and publishing tools

+ </li>

+ </ol>

+ </li>

+ <li>

+ Code tools

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ NuGet package manager

+ </li>

+ <li>

+ Text Template Transformation

+ </li>

+ </ol>

+ </li>

+ <li>

+ Compilers, build tools, and runtimes

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ .NET Compiler Platform SDK

+ </li>

+ <li>

+ C# and Visual Basic Roslyn compilers

+ </li>

+ <li>

+ C++ 2019 Redistributable Update

+ </li>

+ <li>

+ C++ CMake tools for Windows

+ </li>

+ <li>

+ C++/CLI support for v142 build tools (Latest)

+ </li>

+ <li>

+ MSBuild

+ </li>

+ <li>

+ MSVC v142 - VS 2019 C++ ARM64 build tools (Latest)

+ </li>

+ <li>

+ MSVC v142 - VS 2019 C++ ARM64 Spectre-mitigated libs (Latest)

+ </li>

+ <li>

+ MSVC v142 - VS 2019 C++ x64/x86 build tools (Latest)

+ </li>

+ <li>

+ MSVC v142 - VS 2019 C++ x64/x86 Spectre-mitigated libs (Latest)

+ </li>

+ </ol>

+ </li>

+ <li>

+ Debugging and testing

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ .NET profiling tools

+ </li>

+ <li>

+ C++ AddressSanatizer

+ </li>

+ <li>

+ C++ profiling tools

+ </li>

+ <li>

+ Just-In-Time debugger

+ </li>

+ <li>

+ Test Adapter for Boost.Test

+ </li>

+ <li>

+ Test Adapter for Google Test

+ </li>

+ </ol>

+ </li>

+ <li>

+ Development activities

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ C# and Visual Basic

+ </li>

+ <li>

+ C++ core features

+ </li>

+ <li>

+ F# language support

+ </li>

+ <li>

+ IntelliCode

+ </li>

+ <li>

+ JavaScript and TypeScript language support

+ </li>

+ <li>

+ Live Share

+ </li>

+ </ol>

+ </li>

+ <li>

+ Emulators

+ <ol style="list-style-type: upper-roman;">

+ NONE

+ </ol>

+ </li>

+ <li>

+ Games and Graphics

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ Graphics debugger and GPU profiler for DirectX

+ </li>

+ </ol>

+ </li>

+ <li>

+ SDKs, libraries, and frameworks

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ C++ ATL for latest v142 build tools (ARM64)

+ </li>

+ <li>

+ C++ ATL for latest v142 build tools (x86 & x64)

+ </li>

+ <li>

+ C++ ATL for latest v142 build tools with Spectre Mitigations (ARM64)

+ </li>

+ <li>

+ C++ ATL for latest v142 build tools with Spectre Mitigations (x86 & x64)

+ </li>

+ <li>

+ C++ MFC for latest v142 build tools (ARM64)

+ </li>

+ <li>

+ C++ MFC for latest v142 build tools (x86 & x64)

+ </li>

+ <li>

+ C++ MFC for latest v142 build tools with Spectre Mitigations (ARM64)

+ </li>

+ <li>

+ C++ MFC for latest v142 build tools with Spectre Mitigations (x86 & x64)

+ </li>

+ <li>

+ Entity Framework 6 tools

+ </li>

+ <li>

+ TypeScript 4.3 SDK

+ </li>

+ <li>

+ Windows 10 SDK (10.0.19041.0)

+ </li>

+ <li>

+ Windows Universal C Runtime

+ </li>

+ </ol>

+ </li>

+ </ol>

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfWDK10">

+ <a href="#InstallationOfWDK10">Installation of the Windows Driver Kit version 2004</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Please download the Windows Driver Kit (WDK) version 2004 at: <br>

+ <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/other-wdk-downloads" target="_blank">https://docs.microsoft.com/en-us/windows-hardware/drivers/other-wdk-downloads</a>

+ </li>

+ <li>

+ Run the downloaded file as administrator and install the WDK with default settings

+ </li>

+ <li>

+ At the end of the installation you will be asked if you want to "install Windows Driver Kit Visual Studio extension". <br>

+ Please make sure, that this option is selected before closing the dialog.

+ </li>

+ <li>

+ A different setup will start automatically and will detect Visual Studio Professional 2019 as possible target for the extension. <br>

+ Please select it and proceed with the installation.

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="InstallationOfVisualBuildTools">

+ <a href="#InstallationOfVisualBuildTools">Installation of the Visual Studio build tools</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Visit the following Microsoft website and log in with a free Microsoft account: <br>

+ <a href="https://my.visualstudio.com/Downloads?q=visual%20studio%202019%20build%20tools" target="_blank">https://my.visualstudio.com/Downloads?q=visual%20studio%202019%20build%20tools</a>

+ </li>

+ <li>

+ Please download the latest version of “Build Tools for Visual Studio 2019” <br>

+ <img src="CompilingGuidelineWin/DownloadVSBuildTools.jpg" width="80%">

+ </li>

+ <li>

+ Run the downloaded file as administrator and go through the wizard. Select the following individual components for installation:

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ .NET

+ <ol style="list-style-type: upper-roman;">

+ NONE

+ </ol>

+ </li>

+ <li>

+ Cloud, database, and server

+ <ol style="list-style-type: upper-roman;">

+ NONE

+ </ol>

+ </li>

+ <li>

+ Code tools

+ <ol style="list-style-type: upper-roman;">

+ NONE

+ </ol>

+ </li>

+ <li>

+ Compilers, build tools, and runtimes

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ C++/CLI support for v142 build tools (Latest)

+ </li>

+ <li>

+ MSVC v142 - VS 2019 C++ ARM64 build tools (Latest)

+ </li>

+ <li>

+ MSVC v142 - VS 2019 C++ ARM64 Spectre-mitigated libs (Latest)

+ </li>

+ <li>

+ MSVC v142 - VS 2019 C++ x64/x86 build tools (Latest)

+ </li>

+ <li>

+ MSVC v142 - VS 2019 C++ x64/x86 Spectre-mitigated libs (Latest)

+ </li>

+ </ol>

+ </li>

+ <li>

+ Debugging and testing

+ <ol style="list-style-type: upper-roman;">

+ NONE

+ </ol>

+ </li>

+ <li>

+ Development activities

+ <ol style="list-style-type: upper-roman;">

+ NONE

+ </ol>

+ </li>

+ <li>

+ SDKs, libraries, and frameworks

+ <ol style="list-style-type: upper-roman;">

+ <li>

+ C++ ATL for latest v142 build tools (ARM64)

+ </li>

+ <li>

+ C++ ATL for latest v142 build tools (x86 & x64)

+ </li>

+ <li>

+ C++ ATL for latest v142 build tools with Spectre Mitigations (ARM64)

+ </li>

+ <li>

+ C++ ATL for latest v142 build tools with Spectre Mitigations (x86 & x64)

+ </li>

+ </ol>

+ </li>

+ </ol>

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="DownloadVeraCrypt">

+ <a href="#DownloadVeraCrypt">Download VeraCrypt Source Files</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Visit the VeraCrypt Github repository at: <br>

+ <a href="https://github.com/veracrypt/VeraCrypt" target="_blank">https://github.com/veracrypt/VeraCrypt</a>

+ </li>

+ <li>

+ Please click on the green button with the label "Code" and download the code. <br>

+ You can download the repository as zip file, but you may consider to use the git protocol in order to track changes.

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="CompileWin32X64">

+ <a href="#CompileWin32X64">Compile the Win32/x64 Versions of VeraCrypt</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Please open the file "src/VeraCrypt.sln" in Visual Studio <b>2010</b>

+ </li>

+ <li>

+ Please select "All|Win32" as active configuration <br>

+ <img src="CompilingGuidelineWin/VS2010Win32Config.jpg" width="80%">

+ </li>

+ <li>

+ Please click on "Build -> Build Solution" <br>

+ <img src="CompilingGuidelineWin/VS2010BuildSolution.jpg" width="40%">

+ </li>

+ <li>

+ The compiling process should end with warnings, but without errors. Some projects should be skipped.

+ </li>

+ <li>

+ Please select "All|x64" as active configuration <br>

+ <img src="CompilingGuidelineWin/VS2010X64Config.jpg" width="80%">

+ </li>

+ <li>

+ Please click on "Build -> Build Solution" <br>

+ <img src="CompilingGuidelineWin/VS2010BuildSolution.jpg" width="40%">

+ </li>

+ <li>

+ The compiling process should end with warnings, but without errors. Some projects should be skipped. <br>

+ Please close Visual Studio 2010 after the compiling process finished

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="CompileARM64">

+ <a href="#CompileARM64">Compile the ARM64 Version of VeraCrypt</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Please open the file "src/VeraCrypt_vs2019.sln" in Visual Studio <b>2019</b>

+ </li>

+ <li>

+ Please select "All|ARM64" as active configuration <br>

+ <img src="CompilingGuidelineWin/VS2019ARM64Config.jpg" width="80%">

+ </li>

+ <li>

+ Please click on "Build -> Build Solution" <br>

+ <img src="CompilingGuidelineWin/VS2019BuildSolution.jpg" width="40%">

+ </li>

+ <li>

+ The compiling process should end with warnings, but without errors. One project should be skipped. <br>

+ Please close Visual Studio 2019 after the compiling process finished

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="BuildVeraCryptExecutables">

+ <a href="#BuildVeraCryptExecutables">Build the VeraCrypt Executables</a>

+ <div class="texttohide">

+ <p>

+ <ol>

+ <li>

+ Please open a command line as administrator

+ </li>

+ <li>

+ Go into the folder "src/Signing/"

+ </li>

+ <li>

+ Run the script "sign_test.bat"

+ </li>

+ <li>

+ You will find the generated exectuables within the folder "src/Release/Setup Files"

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="ImportCertificates">

+ <a href="#ImportCertificates">Import the Certificates</a>

+ <div class="texttohide">

+ <p> With the sign_test.bat script you just signed the VeraCrypt executables. This is necessary, since Windows only accepts drivers, which are trusted by a signed Certificate Authority. <br>

+ Since you did not use the official VeraCrypt signing certificate to sign your code, but a public development version, you have to import and therefore trust the certificates used.

+ <ol>

+ <li>

+ Open the folder "src/Signing"

+ </li>

+ <li>

+ Import the following certificates to your Local Machine Certificate storage, by double clicking them:

+ <ul>

+ <li>GlobalSign_R3Cross.cer</li>

+ <li>GlobalSign_SHA256_EV_CodeSigning_CA.cer</li>

+ <li>TestCertificates/idrix_codeSign.pfx</li>

+ <li>TestCertificates/idrix_Sha256CodeSign.pfx</li>

+ <li>TestCertificates/idrix_SHA256TestRootCA.crt</li>

+ <li>TestCertificates/idrix_TestRootCA.crt</li>

+ </ul>

+ Note: If prompted, the password for .pfx certificates is <b>idrix</b>.

+ </li>

+ </ol>

+ </p>

+ </div>

+ </div>

+

+ <div class="textbox" id="KnownIssues">

+ <a href="#KnownIssues">Known Issues</a>

+ <div class="texttohide">

+ <p>

+ <ul>

+ <li>

+ <b>This distribution package is damaged</b> <br>

+ <img src="CompilingGuidelineWin/DistributionPackageDamaged.jpg" width="20%"> <br>

+ On Windows 10 or higher you might get the error message above. In order to avoid this, you will need to:<br>

+ <ul>

+ <li>Double-check the installation of the root certificate that issued the test code signing certificate in the "Local Machine Trusted Root Certification Authorities" store.</li>

+ <li>Compute SHA512 fingerprint of the test code signing certificate and update the gpbSha512CodeSignCertFingerprint array in the file "src/Common/Dlgcode.c" accordingly.</li>

+ </ul>

+ Please see <a href="https://sourceforge.net/p/veracrypt/discussion/technical/thread/83d5a2d6e8/#db12" target="_blank">https://sourceforge.net/p/veracrypt/discussion/technical/thread/83d5a2d6e8/#db12</a> for further details.<br>

+ <br>

+ Another approach is to disable the signature verification in the VeraCrypt code. This should be done only for testing purposes and not for production use:

+ <ol>

+ <li>

+ Open the file "src/Common/Dlgcode.c"

+ </li>

+ <li>

+ Look for the function "VerifyModuleSignature"

+ </li>

+ <li>

+ Replace the following lines: <br>

+ Find:<br>

+ <p style="font-family: 'Courier New', monospace;">

+ if (!IsOSAtLeast (WIN_10)) <br>

+ return TRUE;

+ </p> <br>

+ Replace:<br>

+ <p style="font-family: 'Courier New', monospace;">

+ return TRUE;

+ </p>

+ </li>

+ <li>

+ Compile the VeraCrypt code again

+ </li>

+ </ol>

+ </li>

+ <li>

+ <b>Driver Installation Failure during VeraCrypt Setup from Custom Builds</b> <br>

+ <img src="CompilingGuidelineWin/CertVerifyFails.jpg" width="20%"> <br>

+ Windows validates the signature for every driver which is going to be installed.<br>

+ For security reasons, Windows allows only drivers signed by Microsoft to load.<br>

+ So, when using a custom build:<br>

+ <ul>

+ <li>If you have not modified the VeraCrypt driver source code, you can use the Microsoft-signed drivers included in the VeraCrypt source code (under "src\Release\Setup Files").</li>

+ <li>If you have made modifications, <strong>you will need to boot Windows into "Test Mode"</strong>. This mode allows Windows to load drivers that aren't signed by Microsoft. However, even in "Test Mode", there are certain requirements for signatures, and failures can still occur due to reasons discussed below.</li>

+ </ul>

+ Potential Causes for Installation Failure under "Test Mode":

+ <ol>

+ <li>

+ <b>The certificate used for signing is not trusted by Windows</b><br>

+ You can verify if you are affected by checking the properties of the executable:

+ <ol>

+ <li>

+ Make a right click on the VeraCrypt Setup executable: "src/Release/Setup Files/VeraCrypt Setup 1.XX.exe"

+ </li>

+ <li>

+ Click on properties

+ </li>

+ <li>

+ Go to the top menu "Digital Signatures". Her you will find two signatures in the Signature list

+ </li>

+ Check both by double clicking on it. If the headline says "The certificate in the signature cannot be verified", the corresponding signing certificate was not imported correctly.<br>

+ Click on "View Certificate" and then on "Install Certificate..." to import the certificate to Local Machine certificate storage. For the Root certificates, you may need to choose "Place all certificates in the following store", and select the "Trusted Root Certification Authorities" store.<br>

+ <img src="CompilingGuidelineWin/CertificateCannotBeVerified.jpg" width="40%"> <br>

+ <li>

+ </ol>

+ </li>

+ <li>

+ <b>The driver was modified after the signing process.</b> <br>

+ In this case, please use the script "src/Signing/sign_test.bat" to sign your code again with the test certificates

+ </li>

+ </ol>

+ </li>

+ </ul>

+ </p>

+ </div>

+ </div>

+

+</div>

+</body></html>

+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

+<head>

+<meta http-equiv="content-type" content="text/html; charset=utf-8" />

+<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>

+<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>

+<meta name="keywords" content="encryption, security"/>

+<link href="styles.css" rel="stylesheet" type="text/css" />

+</head>

+<body>

+

+<div>

+<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>

+</div>

+

+<div id="menu">

+ <ul>

+ <li><a href="Home.html">Home</a></li>

+ <li><a href="/code/">Source Code</a></li>

+ <li><a href="Downloads.html">Downloads</a></li>

+ <li><a class="active" href="Documentation.html">Documentation</a></li>

+ <li><a href="Donation.html">Donate</a></li>

+ <li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>

+ </ul>

+</div>

+

+<div>

+<p>

+<a href="Documentation.html">Documentation</a>

+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

+<a href="Technical%20Details.html">Technical Details</a>

+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

+<a href="CompilingGuidelines.html">Building VeraCrypt From Source</a>

+</p></div>

+

+<div class="wikidoc">

+<h1>Building VeraCrypt From Source</h1>

+<p>In order to build VeraCrypt from the source code, you can follow these step-by-step guidelines:

+<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

+<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">

+<a href="CompilingGuidelineWin.html" style="text-align:left; color:#0080c0; text-decoration:none.html">Windows Build Guide</a>

+</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">

+<a href="CompilingGuidelineLinux.html" style="text-align:left; color:#0080c0; text-decoration:none.html">Linux Build Guide</a>

+</li></ul>

+</p>

+</div><div class="ClearBoth"></div></body></html>

+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

+<head>

+<meta http-equiv="content-type" content="text/html; charset=utf-8" />

+<title>VeraCrypt - Conversion Guide for Versions 1.26 and Later</title>

+<meta name="description" content="Guide on how to handle deprecated features and conversion of TrueCrypt volumes in VeraCrypt versions 1.26 and later."/>

+<meta name="keywords" content="VeraCrypt, TrueCrypt, Conversion, Encryption, Security"/>

+<link href="styles.css" rel="stylesheet" type="text/css" />

+</head>

+<body>

+

+<div>

+<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>

+</div>

+

+<div id="menu">

+ <ul>

+ <li><a href="Home.html">Home</a></li>

+ <li><a href="/code/">Source Code</a></li>

+ <li><a href="Downloads.html">Downloads</a></li>

+ <li><a class="active" href="Documentation.html">Documentation</a></li>

+ <li><a href="Donation.html">Donate</a></li>

+ <li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>

+ </ul>

+</div>

+

+<div>

+<p>

+<a href="Documentation.html">Documentation</a>

+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

+<a href="Conversion_Guide_VeraCrypt_1.26_and_Later.html">Conversion Guide for Versions 1.26 and Later</a>

+</p></div>

+

+<div class="wikidoc">

+<h1>Conversion Guide for VeraCrypt 1.26 and Later</h1>

+

+<h2>1. Introduction</h2>

+<p>Version 1.26 and newer of VeraCrypt have introduced significant changes by removing support for certain features. If you encounter issues while mounting volumes, this guide will help you understand and resolve them.</p>

+

+<h2>2. Deprecated Features in VeraCrypt 1.26 and Later</h2>

+<p>The following features have been deprecated:</p>

+<ul>

+<li>TrueCrypt Mode</li>

+<li>HMAC-RIPEMD-160 Hash Algorithm</li>

+<li>GOST89 Encryption Algorithm</li>

+</ul>

+<p>If you experience mounting errors with volumes created in VeraCrypt 1.25.9 or older, use VeraCrypt 1.25.9 to check if these deprecated features are in use. Highlight the volume and click on "Volume Properties" in the GUI to check.</p>

+

+<h2>3. Remediation Procedures Based on Version</h2>

+

+<h3>3.1 Scenario 1: Using VeraCrypt 1.25.9 or Older</h3>

+<p>If you are using or can upgrade to VeraCrypt 1.25.9, follow these steps:</p>

+<ul>

+<li>Convert TrueCrypt Volumes to VeraCrypt Volumes</li>

+<li>Change from Deprecated HMAC-RIPEMD-160 Hash Algorithm</li>

+<li>Recreate VeraCrypt Volume if Using GOST89 Encryption Algorithm</li>

+</ul>

+<p>Download the 1.25.9 version <a href="https://veracrypt.fr/en/Downloads_1.25.9.html">here</a>.</p>

+

+<h3>3.2 Scenario 2: Upgraded to VeraCrypt 1.26 or Newer</h3>

+<p>If you have already upgraded to VeraCrypt 1.26 or newer, follow these steps:</p>

+<ul>

+<li>Convert TrueCrypt Volumes to VeraCrypt Volumes</li>

+<li>Change from Deprecated HMAC-RIPEMD-160 Hash Algorithm</li>

+</ul>

+<p>If you are on Linux or Mac, temporarily downgrade to VeraCrypt 1.25.9. Windows users can use the VCPassChanger tool <a href="https://launchpad.net/veracrypt/trunk/1.25.9/+download/VCPassChanger_%28TrueCrypt_Convertion%29.zip">that can be downloaded from here</a>.</p>

+<ul>

+<li>Recreate VeraCrypt Volume if Using GOST89 Encryption Algorithm</li>

+</ul>

+All OSes temporarily downgrade to 1.25.9 version.

+<h2>4. Conversion and Remediation Procedures</h2>

+

+<h3>4.1 Converting TrueCrypt Volumes to VeraCrypt</h3>

+<p>TrueCrypt file containers and partitions created with TrueCrypt versions 6.x or 7.x can be converted to VeraCrypt using VeraCrypt 1.25.9 or the VCPassChanger tool on Windows. For more details, refer to the <a href="Converting%20TrueCrypt%20volumes%20and%20partitions.html">documentation</a>.</p>

+<p>After conversion, the file extension will remain as <code>.tc</code>. Manually change it to <code>.hc</code> if you want VeraCrypt 1.26 or newer to automatically recognize it.</p>

+

+<h3>4.2 Changing Deprecated HMAC-RIPEMD-160 Hash Algorithm</h3>

+<p>Use the "Set Header Key Derivation Algorithm" feature to change the HMAC-RIPEMD-160 hash algorithm to one supported in VeraCrypt 1.26. Refer to the <a href="Hash%20Algorithms.html">documentation</a> for more details.</p>

+

+<h3>4.3 Recreating VeraCrypt Volume if Using GOST89 Encryption Algorithm</h3>

+<p>If your volume uses the GOST89 encryption algorithm, you will need to copy your data elsewhere and recreate the volume using a supported encryption algorithm. More details are available in the <a href="Encryption%20Algorithms.html">encryption algorithm documentation</a>.</p>

+

+<h2>5. Important Notes</h2>

+<p><strong>Note to users who created volumes with VeraCrypt 1.17 or earlier:</strong></p>

+<blockquote>

+<p>To avoid revealing whether your volumes contain a hidden volume or not, or if you rely on plausible deniability, you must recreate both the outer and hidden volumes, including system encryption and hidden OS. Discard existing volumes created prior to VeraCrypt 1.18a.</p>

+</blockquote>

+

+<p>For more information, visit:</p>

+<ul>

+<li><a href="TrueCrypt%20Support.html">TrueCrypt Support</a></li>

+<li><a href="Converting%20TrueCrypt%20volumes%20and%20partitions.html">Converting TrueCrypt Volumes and Partitions</a></li>

+</ul>

+

+</div>

+

+<div class="ClearBoth"></div>

+</body>

+</html>

+<p><strong>⚠️ Warning:</strong> <span style="color: red;">After conversion, ensure that the "TrueCrypt Mode" checkbox is not selected during the mount of the converted volume. Since it is no longer a TrueCrypt volume, mounting it with this option will lead to a mount failure.</span></p>

+<p><strong>⚠️ Important Notice:</strong> As of version 1.26, VeraCrypt has removed support for "TrueCrypt Mode." Consequently, the conversion of TrueCrypt volumes and partitions using this method is no longer possible. Please refer to <a href="Conversion_Guide_VeraCrypt_1.26_and_Later.html">this documentation page</a> for guidance on how to proceed with TrueCrypt volumes in VeraCrypt versions 1.26 and later.</p>

+<p>From version 1.0f up to and including version 1.25.9, TrueCrypt volumes and <strong>non-system</strong> partitions created with TrueCrypt versions 6.x and 7.x, starting with version 6.0 released on July 4th 2008, can be converted to VeraCrypt format using any of the following actions:</p>

+<p>If the TrueCrypt volume contains a hidden volume, it should also be converted using the same approach, by specifying the hidden volume password and/or keyfiles.</p>

+<p>🚨 After conversion of a file container, the file extension will remain as .tc. Manually change it to .hc if you want VeraCrypt 1.26 or newer to automatically recognize it.</p>

+<p>&ldquo;TrueCrypt Mode&rdquo; must be checked in the dialog as shown below:</p>

+ If you are not sure whether to enable or disable Quick Format, we recommend that you leave this option unchecked. Note that Quick Format can only be enabled when encrypting partitions/devices, except on Windows where it is also available when creating file containers.</p>

+</li><li><strong><a href="Normal%20Unmount%20vs%20Force%20Unmount.html">Normal Unmount vs Force Unmount</a></strong>

+</li><li><strong><a href="Avoid%20Third-Party%20File%20Extensions.html">Avoid Third-Party File Extensions</a></strong>

+</li><li><strong><a href="EMV%20Smart%20Cards.html">EMV Smart Cards</a></strong>

+</li><li><strong><a href="Conversion_Guide_VeraCrypt_1.26_and_Later.html">Conversion Guide for Versions 1.26 and Later</a></strong>

+<li><a href="BLAKE2s-256.html">BLAKE2s-256</a>

+</li><li><a href="VeraCrypt%20RAM%20Encryption.html">VeraCrypt RAM Encryption</a>

+</li><li><a href="VeraCrypt%20Memory%20Protection.html">VeraCrypt Memory Protection</a>

+</li><li><a href="CompilingGuidelines.html">Building VeraCrypt From Source</a>

+<ul>

+<li><a href="CompilingGuidelineWin.html">Windows Build Guide</a>

+</li><li><a href="CompilingGuidelineLinux.html">Linux Build Guide</a>

+</li></ul>

+<script src="donation.js"></script>

+<p>You can support VeraCrypt development through donations using PayPal, bank transfers and cryptocurrencies (<a href="#Bitcoin">Bitcoin</a>, <a href="#BitcoinCash">Bitcoin Cash</a>, <a href="#Ethereum">Ethereum</a>, <a href="#Litecoin">Litecoin</a> and <a href="#Monero">Monero</a>). It is also possible to donate using Liberapay.</p>

+<div class="donation-buttons">

+ <div class="donation-button">

+ <a title="Donate to VeraCrypt in Euros" href="https://www.paypal.com/ncp/payment/MN367WS3VY9ZU" target="_blank">

+ <img src="Donation_donate_Euros.gif" alt="Donate in Euros" width="92" height="26">

+ </a>

+ <div class="currency-label">Euro</div>

+ </div>

+ <div class="donation-button">

+ <a title="VeraCrypt Donation in USD" href="https://www.paypal.com/ncp/payment/MDY6S3XNCUQRW" target="_blank">

+ <img src="Donation_donate_Dollars.gif" alt="Donate in USD" width="92" height="26">

+ </a>

+ <div class="currency-label">US Dollar</div>

+ </div>

+ <div class="donation-button">

+ <a title="VeraCrypt Donation in GBP" href="https://www.paypal.com/ncp/payment/QLA86UP7S58H4" target="_blank">

+ <img src="Donation_donate_GBP.gif" alt="Donate in GBP" width="92" height="26">

+ </a>

+ <div class="currency-label">Pound Sterling</div>

+ </div>

+ <div class="donation-button">

+ <a title="VeraCrypt Donation in Canadian Dollar" href="https://www.paypal.com/ncp/payment/6KA5U56B9S2LS" target="_blank">

+ <img src="Donation_donate_Dollars.gif" alt="Donate in CAD" width="92" height="26">

+ </a>

+ <div class="currency-label">Canadian Dollar</div>

+ </div>

+ <div class="donation-button">

+ <a title="VeraCrypt Donation in Swiss Francs" href="https://www.paypal.com/ncp/payment/ZUD4RAVN3668G" target="_blank">

+ <img src="Donation_donate_CHF.gif" alt="Donate in CHF" width="92" height="26">

+ </a>

+ <div class="currency-label">Swiss Franc</div>

+ </div>

+ <div class="donation-button">

+ <a title="VeraCrypt Donation in Japanese Yen" href="https://www.paypal.com/ncp/payment/7VDVBU3HDMZWE" target="_blank">

+ <img src="Donation_donate_YEN.gif" alt="Donate in JPY" width="92" height="26">

+ </a>

+ <div class="currency-label">Japanese Yen</div>

+ </div>

+ <div class="donation-button">

+ <a title="VeraCrypt Donation in Australian Dollar" href="https://www.paypal.com/ncp/payment/JGW5REWFUUSJS" target="_blank">

+ <img src="Donation_donate_Dollars.gif" alt="Donate in AUD" width="92" height="26">

+ </a>

+ <div class="currency-label">Australian Dollar</div>

+ </div>

+ <div class="donation-button">

+ <a title="VeraCrypt Donation in Polish złoty" href="https://www.paypal.com/ncp/payment/YVFANME4Y9WFU" target="_blank">

+ <img src="Donation_donate_PLN.gif" alt="Donate in PLN" width="92" height="26">

+ </a>

+ <div class="currency-label">Polish złoty</div>

+ </div>

+</div>

+

+<p>For other currencies, select from the list below:</p>

+<form method="get" action="" id="currency-form" target="_blank">

+ <select name="currency" style="padding: 5px; margin-right: 10px;" required>

+ <option value="" disabled selected>Select your currency</option>

+ <option value="https://www.paypal.com/ncp/payment/MN367WS3VY9ZU">€ EUR - Euro</option>

+ <option value="https://www.paypal.com/ncp/payment/MDY6S3XNCUQRW">$ USD - US Dollar</option>

+ <option value="https://www.paypal.com/ncp/payment/JGW5REWFUUSJS">$ AUD - Australian Dollar</option>

+ <option value="https://www.paypal.com/ncp/payment/P8JABT6BWBQKG">R$ BRL - Brazilian Real</option>

+ <option value="https://www.paypal.com/ncp/payment/6KA5U56B9S2LS">$ CAD - Canadian Dollar</option>

+ <option value="https://www.paypal.com/ncp/payment/ZUD4RAVN3668G">₣ CHF - Swiss Franc</option>

+ <option value="https://www.paypal.com/ncp/payment/3LVJ8XBWNMCYQ">Kč CZK - Czech Koruna</option>

+ <option value="https://www.paypal.com/ncp/payment/542JDQZL74AZW">kr DKK - Danish Krone</option>

+ <option value="https://www.paypal.com/ncp/payment/QLA86UP7S58H4">£ GBP - British Pound</option>

+ <option value="https://www.paypal.com/ncp/payment/YXB526AAZACQ6">$ HKD - Hong Kong Dollar</option>

+ <option value="https://www.paypal.com/ncp/payment/VZBXSS49JNU6G">Ft HUF - Hungarian Forint</option>

+ <option value="https://www.paypal.com/ncp/payment/5FZRSA4VQ3UXA">₪ ILS - Israeli Shekel</option>

+ <option value="https://www.paypal.com/ncp/payment/7VDVBU3HDMZWE">¥ JPY - Japanese Yen</option>

+ <option value="https://www.paypal.com/ncp/payment/GAUPLADH3NV6S">$ MXN - Mexican Peso</option>

+ <option value="https://www.paypal.com/ncp/payment/6LGRTR5L7K5MQ">$ NZD - New Zealand Dollar</option>

+ <option value="https://www.paypal.com/ncp/payment/P5Z56HRYLSM6Q">kr NOK - Norwegian Krone</option>

+ <option value="https://www.paypal.com/ncp/payment/2AQ5GKLQJDLB8">₱ PHP - Philippine Peso</option>

+ <option value="https://www.paypal.com/ncp/payment/YVFANME4Y9WFU">zł PLN - Polish Złoty</option>

+ <option value="https://www.paypal.com/ncp/payment/542JDQZL74AZW">kr SEK - Swedish Krona</option>

+ <option value="https://www.paypal.com/ncp/payment/EFHP9Z9KL4H9N">S$ SGD - Singapore Dollar</option>

+ <option value="https://www.paypal.com/ncp/payment/QMSTMEMJ7UE3S">฿ THB - Thai Baht</option>

+ </select>

+ <input type="submit" value="Donate" style="padding: 5px 15px; background-color: #08aad7; color: white; border: none; cursor: pointer;">

+</form>

+<p><img src="Donation_VC_BTC_Sigwit.png" alt="VeraCrypt BTC SegWit Address" width="200" height="200"></p>

+<li><strong>Legacy:</strong>

+<p><img src="Donation_VeraCrypt_Bitcoin_small.png" alt="VeraCrypt Bitcoin Address" width="200" height="200"></p>

+<p><strong>14atYG4FNGwd3F89h1wDAfeRDwYodgRLcf</strong></p>

+</li>

+

+<h3 id="BitcoinCash"><img src="BCH_Logo_30x30.png" style="vertical-align: middle; margin-right: 5px">Bitcoin Cash</h3>

+<p><img src="Donation_VeraCrypt_BitcoinCash.png" alt="VeraCrypt Bitcoin Cash Address" width="200" height="200"></p>

+<p><img src="Donation_VeraCrypt_Ethereum.png" alt="VeraCrypt Ethereum Address" width="200" height="200"></p>

+<p><img src="Donation_VeraCrypt_Litecoin.png" alt="VeraCrypt Litecoin Address" width="200" height="200"></p>

+<p><img src="Donation_VeraCrypt_Monero.png" alt="VeraCrypt Monero Address" width="200" height="200"></p>

+Account number: 8310085792<br>

+ACH and Wire routing number: 026073150<br>

+Address: Wise, 30 W. 26th Street, Sixth Floor, New York NY 10010, United States<br>

+Routing number: 026073150<br>

+Address: Wise, 30 W. 26th Street, Sixth Floor, New York NY 10010, United States<br>

+Address: Wise, 56 Shoreditch High Street, London, E1 6JJ, United Kingdom<br>

+Address: Wise, 36-38 Gipps Street, Collingwood VIC 3066, Autralia.<br>

+Address: Wise, 56 Shoreditch High Street, London, E1 6JJ, United Kingdom<br>

+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

+ <head>

+ <meta http-equiv="content-type" content="text/html; charset=utf-8" />

+ <title>

+ VeraCrypt - Free Open source disk encryption with strong security for the

+ Paranoid

+ </title>

+ <meta

+ name="description"

+ content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."

+ />

+ <meta name="keywords" content="encryption, security" />

+ <link href="styles.css" rel="stylesheet" type="text/css" />

+ </head>

+ <body>

+ <div>

+ <a href="Documentation.html"

+ ><img src="VeraCrypt128x128.png" alt="VeraCrypt"

+ /></a>

+ </div>

+

+ <div id="menu">

+ <ul>

+ <li><a href="Home.html">Home</a></li>

+ <li><a href="/code/">Source Code</a></li>

+ <li><a href="Downloads.html">Downloads</a></li>

+ <li><a class="active" href="Documentation.html">Documentation</a></li>

+ <li><a href="Donation.html">Donate</a></li>

+ <li>

+ <a

+ href="https://sourceforge.net/p/veracrypt/discussion/"

+ target="_blank"

+ >Forums</a

+ >

+ </li>

+ </ul>

+ </div>

+

+ <div>

+ <p>

+ <a href="Documentation.html">Documentation</a>

+ <img src="arrow_right.gif" alt=">>" style="margin-top: 5px" />

+ <a href="EMV%20Smart%20Cards.html">EMV Smart Cards</a>

+ </p>

+ </div>

+

+ <div class="wikidoc">

+ <h1>EMV Smart Cards</h1>

+ <div

+ style="

+ text-align: left;

+ margin-top: 19px;

+ margin-bottom: 19px;

+ padding-top: 0px;

+ padding-bottom: 0px;

+ "

+ >

+ <p>

+ Windows and Linux versions of VeraCrypt offer to use EMV compliant

+ smart cards as a feature. Indeed, the use of PKCS#11 compliant smart

+ cards is dedicated to users with more or less cybersecurity skills.

+ However, in some situations, having such a card strongly reduces the

+ plausible deniability of the user.

+ </p>

+ <p>

+ To overcome this problem, the idea is to allow the use of a type of

+ smart card owned by anyone: EMV compliant smart cards. According to

+ the standard of the same name, these cards spread all over the world

+ are used to carry out banking operations. Using internal data of the

+ user's EMV card as keyfiles will strengthen the security of his volume

+ while keeping his denial plausible.

+ </p>

+ <p>

+ For more technical information, please see the section

+ <em style="text-align: left">EMV Smart Cards</em> in the chapter

+ <a

+ href="Keyfiles%20in%20VeraCrypt.html"

+ style="text-align: left; color: #0080c0; text-decoration: none.html"

+ >

+ <em style="text-align: left">Keyfiles</em></a

+ >.

+ </p>

+ </div>

+ </div>

+ </body>

+</html>

+<p>HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool. If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.</p>

+<span style="text-decoration:underline">500000 </span>iterations.<br>

+Before you unplug or turn off the device, you should always unmount the VeraCrypt volume in VeraCrypt first, and then perform the '<em style="text-align:left">Eject</em>' operation if available (right-click the device in the '<em style="text-align:left">Computer</em>'

+<strong style="text-align:left">Do I have to unmount VeraCrypt volumes before shutting down or restarting Windows?</strong></div>

+No. VeraCrypt automatically unmounts all mounted VeraCrypt volumes on system shutdown/restart.</div>

+ is stored (when the VeraCrypt volume is unmounted).</div>

+ <div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

+<strong>I'm encountering an "Operation not permitted" error with VeraCrypt on macOS when trying to mount a file container. How can I resolve this?</strong></div>

+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

+

+<p>This specific error, which appears in the form "Operation not permitted: /var/folders/w6/d2xssyzx.../T/.veracrypt_aux_mnt1/control VeraCrypt::File::Open:232", has been reported by some users. It is the result of macOS not granting the necessary permissions to VeraCrypt. Here are a couple of solutions you can try:</p>

+

+<ul>

+<li>A. Granting Full Disk Access to VeraCrypt:

+<p>

+<ol>

+ <li>Go to <code>Apple Menu</code> > <code>System Settings</code>.</li>

+ <li>Click on the <code>Privacy & Security</code> tab.</li>

+ <li>Scroll down and select <code>Full Disk Access</code>.</li>

+ <li>Click the <code>+</code> button, navigate to your Applications folder, select <code>VeraCrypt</code>, and click <code>Open</code>.</li>

+ <li>Ensure that the checkbox next to VeraCrypt is ticked.</li>

+ <li>Close the System Settings window and try using VeraCrypt again.</li>

+</p>

+</ol>

+</li>

+<li>B. Using the sudo approach to launch VeraCrypt:

+<p>You can launch VeraCrypt from the Terminal using elevated permissions:

+

+<pre>

+sudo /Applications/VeraCrypt.app/Contents/MacOS/VeraCrypt

+</pre>

+

+Running VeraCrypt with sudo often bypasses certain permission-related issues, but it's always a good practice to grant the necessary permissions via the system settings whenever possible.</p>

+</li>

+</ul>

+</div>

+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

+<strong style="text-align:left">Why does VeraCrypt show an unknown device in its list that doesn't appear as a physical disk in Windows Disk Management or in DiskPart output?</strong></div>

+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

+<p>

+Starting from Windows 10 version 1903 and later, Microsoft introduced a feature called <b>Windows Sandbox</b>. This is an isolated environment designed to run untrusted applications safely. As part of this feature, Windows generates a dynamic virtual hard disk (VHDX) which represents a clean Windows installation. This VHDX contains a base system image, user data, and the runtime state, and its size can vary depending on system configurations and usage.

+</p>

+<p>

+When VeraCrypt enumerates devices on a system, it identifies all available disk devices using device path formats like <b>\Device\HardDiskX\PartitionY</b>. VeraCrypt lists these devices, including virtual ones such as those associated with Windows Sandbox, without making distinctions based on their physical or virtual nature. Therefore, you might observe an unexpected device in VeraCrypt, even if it doesn't appear as a physical disk in tools like diskpart.

+</p>

+<p>

+For more details on the Windows Sandbox feature and its associated virtual hard disk, you can refer to this <a href="https://techcommunity.microsoft.com/t5/windows-os-platform-blog/windows-sandbox/ba-p/301849">official Microsoft article</a>.

+</p>

+</div>

+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

+<a href="BLAKE2s-256.html"><strong style="text-align:left.html">BLAKE2s-256</strong></a>

+<p><a href="BLAKE2s-256.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section &gt;&gt;</a></p>

+VeraCrypt random number generator</a> during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool or HMAC-Streebog (see [8, 9, 20, 22]) &ndash; the user selects which. The length of the derived

+ key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-SHA-512 is used (in XTS mode, an additional 256-bit secondary header key is used; hence,

+<p>Prior to version 1.12, VeraCrypt always used a fixed number of iterations That depended only on the volume type and the derivation algorithm used.

+Starting from version 1.12, the <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">

+<p>

+PIM </a>value is not specified or if it is equal to zero, VeraCrypt uses the default values expressed below:<br/>

+<ul>

+<li>For system partition encryption (boot encryption) that uses SHA-256, BLAKE2s-256 or Streebog, <strong>200000</strong> iterations are used.</li>

+<li>For system encryption that uses SHA-512 or Whirlpool, <strong>500000</strong> iterations are used.</li>

+<li>For non-system encryption and file containers, all derivation algorithms will use <strong>500000</strong> iterations.

+</li></ul>

+</p>

+</li><li>For system encryption that uses SHA-512 or Whirlpool: Iterations = <strong>15000 &#43; (PIM x 1000)</strong>

+</li><li>For non-system encryption and file containers: Iterations = <strong>15000 &#43; (PIM x 1000)</strong>

+<em>Preferences</em> &gt; <em>Unmount all when: Entering power saving mode</em>) to automatically unmount all mounted VeraCrypt volumes, erase their master keys stored in RAM, and cached passwords (stored in RAM), if there are any, before a computer hibernates

+ space on <em style="text-align:left">any </em>VeraCrypt volume is always filled with random data when the volume is created** and no part of the (unmounted) hidden volume can be distinguished from random data. Note that VeraCrypt does not modify the file

+If Outpost Firewall or Outpost Security Suite is installed with Proactive Protection enabled, the machine freezes completely for 5-10 seconds during the volume mount/unmount operation. This is caused by a conflict between Outpost System Guard option that protects "Active Desktop" objects and VeraCrypt waiting dialog displayed during mount/unmount operations.</div>

+ will be unmounted and files stored in it will be inaccessible (and encrypted). Even when power supply is suddenly interrupted (without proper system shut down), files stored in the volume are inaccessible (and encrypted). To make them accessible again, you

+<li>On some Windows machines, VeraCrypt may hang intermittently when mounting or unmounting a volume. Similar hanging may affect other running applications during VeraCrypt mounting or unmounting operations.

+This issue is caused by a conflict between VeraCrypt waiting dialog displayed during mount/unmount operations and other software installed on the machine (e.g. Outpost Firewall Pro).

+</li><li>When the notebook battery power is low, Windows may omit sending the appropriate messages to running applications when the computer is entering power saving mode. Therefore, VeraCrypt may fail to auto-unmount volumes in such cases.

+<li>Windows system Repair/Recovery Disk can't be created when a VeraCrypt volume is mounted as a fixed disk (which is the default). To solve this, either unmount all volumes or mount volumes are removable media.

+<h3 id="SmartCard" style="text-align:left; font-family:Arial,Helvetica,Verdana,sans-serif; font-weight:bold; margin-top:0px; font-size:13px; margin-bottom:4px">

+EMV Smart Cards</h3>

+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

+Windows and Linux versions of VeraCrypt can use directly as keyfiles data extracted from EMV compliant smart cards, supporting Visa, Mastecard or Maestro applications. As with PKCS-11 compliant smart cards, to use such data as VeraCrypt keyfiles,

+click <em style="text-align:left">Add Token Files</em> (in the keyfile dialog window). The last four digits of the card's Primary Account Number will be displayed, allowing the selection of the card as a keyfile source.

+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

+The data extracted and concatenated into a single keyfile are as follow : ICC Public Key Certificate, Issuer Public Key Certificate and Card Production Life

+Cycle (CPLC) data. They are respectively identified by the tags '9F46', '90' and '9F7F' in the card's data management system. These two certificates are specific to an application deployed on the EMV card and used for the Dynamic Data Authentication of the card

+during banking transactions. CPLC data are specific to the card and not to any of its applications. They contain information on the production process of the smart card. Therefore both certificates and data are unique and static on any EMV compliant smart card.</div>

+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

+According to the ISO/IEC 7816 standard on which the EMV standard is based, communication with an EMV smart card is done through structured commands called APDUs, allowing to extract the data from the smart card. These data are encoded in the BER-TLV format,

+defined by the ASN.1 standard, and therefore need to be parsed before being concatenated into a keyfile. No PIN is required to access and retrieve data from the card. To cope with the diversity of smart cards readers on the market, librairies compliant with the Microsoft Personal

+Computer/Smart Card communication standard are used. The Winscard library is used. Natively available on Windows in System32, it then doesn't require any installation on this operating system. However, the libpcsclite1 package has to be installed on Linux.</div>

+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

+Since the card is read-only, it is not possible to import or delete data. However, data used as keyfiles can be exported locally in any binary file. During the entire cryptographic process of mounting or creating a volume, the certificates and CPLC data are never stored anywhere

+other than in the user's machine RAM. Once the process is complete, these RAM memory areas are rigorously erased.</div>

+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

+It important to note that this feature is optional and disabled by default. It can be enabled in the <em style="text-align:left">Security Token Preferences</em> parameters by checking the box provided.</div>

+<p>&nbsp;</p>

+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+ <head>

+ <meta http-equiv="content-type" content="text/html; charset=utf-8" />

+ <title>

+ VeraCrypt - Free Open source disk encryption with strong security for the

+ Paranoid

+ </title>

+ <meta

+ name="description"

+ content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."

+ />

+ <meta name="keywords" content="encryption, security" />

+ <link href="styles.css" rel="stylesheet" type="text/css" />

+ </head>

+ <body>

+ <div>

+ <a href="Documentation.html"

+ ><img src="VeraCrypt128x128.png" alt="VeraCrypt"

+ /></a>

+ </div>

+ <div id="menu">

+ <ul>

+ <li><a href="Home.html">Home</a></li>

+ <li><a href="/code/">Source Code</a></li>

+ <li><a href="Downloads.html">Downloads</a></li>

+ <li><a class="active" href="Documentation.html">Documentation</a></li>

+ <li><a href="Donation.html">Donate</a></li>

+ <li>

+ <a

+ href="https://sourceforge.net/p/veracrypt/discussion/"

+ target="_blank"

+ >Forums</a

+ >

+ </li>

+ </ul>

+ </div>

+ <div>

+ <p>

+ <a href="Documentation.html">Documentation</a>

+ <img src="arrow_right.gif" alt=">>" style="margin-top: 5px" />

+ <a href="Technical%20Details.html">Technical Details</a>

+ <img src="arrow_right.gif" alt=">>" style="margin-top: 5px" />

+ <a href="Keyfiles.html">Keyfiles</a>

+ </p>

+ </div>

+ <div class="wikidoc">

+ <h1>Keyfiles</h1>

+ <div

+ style="

+ text-align: left;

+ margin-top: 19px;

+ margin-bottom: 19px;

+ padding-top: 0px;

+ padding-bottom: 0px;

+ "

+ >

+ <p>

+ VeraCrypt keyfile is a file whose content is combined with a password.

+ The user can use any kind of file as a VeraCrypt keyfile. The user can

+ also generate a keyfile using the built-in keyfile generator, which

+ utilizes the VeraCrypt RNG to generate a file with random content (for

+ more information, see the section

+ <a href="Random%20Number%20Generator.html">

+ <em>Random Number Generator</em></a

+ >).

+ </p>

+ <p>

+ The maximum size of a keyfile is not limited; however, only its first

+ 1,048,576 bytes (1 MiB) are processed (all remaining bytes are ignored

+ due to performance issues connected with processing extremely large

+ files). The user can supply one or more keyfiles (the number of

+ keyfiles is not limited).

+ </p>

+ <p>

+ Keyfiles can be stored on PKCS-11-compliant [23] security tokens and

+ smart cards protected by multiple PIN codes (which can be entered

+ either using a hardware PIN pad or via the VeraCrypt GUI).

+ </p>

+ <p>

+ EMV-compliant smart cards' data can be used as keyfile, see chapter

+ <a

+ href="EMV%20Smart%20Cards.html"

+ style="text-align: left; color: #0080c0; text-decoration: none.html"

+ >

+ <em style="text-align: left">EMV Smart Cards</em></a

+ >.

+ </p>

+ <p>

+ Keyfiles are processed and applied to a password using the following

+ method:

+ </p>

+ <ol>

+ <li>

+ Let <em>P</em> be a VeraCrypt volume password supplied by user (may

+ be empty)

+ </li>

+ <li>Let <em>KP</em> be the keyfile pool</li>

+ <li>

+ Let <em>kpl</em> be the size of the keyfile pool <em>KP</em>, in

+ bytes (64, i.e., 512 bits);

+ <p>

+ kpl must be a multiple of the output size of a hash function H

+ </p>

+ </li>

+ <li>

+ Let <em>pl</em> be the length of the password <em>P</em>, in bytes

+ (in the current version: 0 &le; <em>pl</em> &le; 64)

+ </li>

+ <li>

+ if <em>kpl &gt; pl</em>, append (<em>kpl &ndash; pl</em>) zero bytes

+ to the password <em>P</em> (thus <em>pl = kpl</em>)

+ </li>

+ <li>

+ Fill the keyfile pool <em>KP</em> with <em>kpl</em> zero bytes.

+ </li>

+ <li>

+ For each keyfile perform the following steps:

+ <ol type="a">

+ <li>

+ Set the position of the keyfile pool cursor to the beginning of

+ the pool

+ </li>

+ <li>Initialize the hash function <em>H</em></li>

+ <li>

+ Load all bytes of the keyfile one by one, and for each loaded

+ byte perform the following steps:

+ <ol type="i">

+ <li>

+ Hash the loaded byte using the hash function

+ <em>H</em> without initializing the hash, to obtain an

+ intermediate hash (state) <em>M.</em> Do not finalize the

+ hash (the state is retained for next round).

+ </li>

+ <li>

+ Divide the state <em>M</em> into individual bytes.<br />

+ For example, if the hash output size is 4 bytes, (<em>T</em

+ >₀ || <em>T</em>₁ || <em>T</em

+ >₂ || <em>T</em>₃) = <em>M</em>

+ </li>

+ <li>

+ Write these bytes (obtained in step 7.c.ii) individually to

+ the keyfile pool with the modulo 2⁸ addition

+ operation (not by replacing the old values in the pool) at

+ the position of the pool cursor. After a byte is written,

+ the pool cursor position is advanced by one byte. When the

+ cursor reaches the end of the pool, its position is set to

+ the beginning of the pool.

+ </li>

+ </ol>

+ </li>

+ </ol>

+ </li>

+ <li>

+ Apply the content of the keyfile pool to the password

+ <em>P</em> using the following method:

+ <ol type="a">

+ <li>

+ Divide the password <em>P</em> into individual bytes <em>B</em

+ >₀...<em>B</em>_pl-1.<br />

+ Note that if the password was shorter than the keyfile pool,

+ then the password was padded with zero bytes to the length of

+ the pool in Step 5 (hence, at this point the length of the

+ password is always greater than or equal to the length of the

+ keyfile pool).

+ </li>

+ <li>

+ Divide the keyfile pool <em>KP</em> into individual bytes

+ <em>G</em>₀...<em>G</em>_kpl-1

+ </li>

+ <li>For 0 &le; i &lt; kpl perform: Bi = Bi &oplus; Gi</li>

+ <li>

+ <em>P</em> = <em>B</em>₀ || <em>B</em>₁ ||

+ ... || <em>B</em>_pl-2 || <em>B</em>_pl-1

+ </li>

+ </ol>

+ </li>

+ <li>

+ The password <em>P</em> (after the keyfile pool content has been

+ applied to it) is now passed to the header key derivation function

+ PBKDF2 (PKCS #5 v2), which processes it (along with salt and other

+ data) using a cryptographically secure hash algorithm selected by

+ the user (e.g., SHA-512). See the section

+ <a href="Header%20Key%20Derivation.html">

+ <em>Header Key Derivation, Salt, and Iteration Count</em></a

+ >

+ for more information.

+ </li>

+ </ol>

+ <p>

+ The role of the hash function <em>H</em> is merely to perform

+ diffusion [2]. CRC-32 is used as the hash function <em>H</em>. Note

+ that the output of CRC-32 is subsequently processed using a

+ cryptographically secure hash algorithm: The keyfile pool content (in

+ addition to being hashed using CRC-32) is applied to the password,

+ which is then passed to the header key derivation function PBKDF2

+ (PKCS #5 v2), which processes it (along with salt and other data)

+ using a cryptographically secure hash algorithm selected by the user

+ (e.g., SHA-512). The resultant values are used to form the header key

+ and the secondary header key (XTS mode).

+ </p>

+ <p>&nbsp;</p>

+ <p>

+ <a

+ href="Personal%20Iterations%20Multiplier%20%28PIM%29.html"

+ style="

+ text-align: left;

+ color: #0080c0;

+ text-decoration: none;

+ font-weight: bold.html;

+ "

+ >Next Section &gt;&gt;</a

+ >

+ </p>

+ </div>

+ </div>

+ <div class="ClearBoth"></div>

+ </body>

+</html>

+<div>

+<a href="Documentation.html">Documentation</a>

+You can still download an archive containing all language packs for the latest version (1.26.18) from

+<a href="https://launchpad.net/veracrypt/trunk/1.26.18/+download/VeraCrypt_1.26.18_Language_Files.zip">

+Copyright &copy; 2013-2025 IDRIX. All rights reserved.<br>

+<p>Copyright &copy; 2013-2025 IDRIX. All rights reserved.<br>

+<p>Copyright &copy; 1995-2023 Jean-loup Gailly and Mark Adler.</p>

+<p>Copyright &copy; 1999-2023 Dieter Baron and Thomas Klausner.</p>

+<p>Copyright &copy; 2013-2019 Stephan Mueller &lt;smueller@chronox.de&gt;</p>

+<p>Copyright &copy; 1999-2023 Igor Pavlov.</p>

+<p>Important: Note that when you exit the VeraCrypt application, the VeraCrypt driver continues working and no VeraCrypt volume is unmounted.</p>

+<h3>Unmount</h3>

+<p>This function allows you to unmount the VeraCrypt volume selected in the drive list in the main window. To unmount a VeraCrypt volume means to close it and make it impossible to read/write from/to the volume.</p>

+<h3>Unmount All</h3>

+<em>Unmount All</em>).<br>

+This function allows you to unmount multiple VeraCrypt volumes. To unmount a VeraCrypt volume means to close it and make it impossible to read/write from/to the volume. This function unmounts all mounted VeraCrypt volumes except the following:</p>

+</li><li>VeraCrypt volumes that are not displayed in the VeraCrypt application window. For example, system favorite volumes attempted to be unmounted by an instance of VeraCrypt without administrator privileges when the option '<em>Allow only administrators to

+ view and unmount system favorite volumes in VeraCrypt</em>' is enabled. </li></ul>

+<p>Terminates the VeraCrypt application. The driver continues working and no VeraCrypt volumes are unmounted. When running in &lsquo;portable&rsquo; mode, the VeraCrypt driver is unloaded when it is no longer needed (e.g., when all instances of the main application

+ and/or of the Volume Creation Wizard are closed and no VeraCrypt volumes are mounted). However, if you force unmount on a</p>

+ applications using the unmounted volume).</p>

+<em>not</em> unmount a successfully mounted VeraCrypt volume (unlike system restart, which unmounts all mounted VeraCrypt volumes).<br>

+ they supply the correct password and/or keyfiles). A user without administrator privileges can unmount only volumes that he or she mounted. However, this does not apply to system favorite volumes unless you enable the option (disabled by default)

+<em>Settings</em> &gt; &lsquo;<em>System Favorite Volumes</em>&rsquo; &gt; &lsquo;<em>Allow only administrators to view and unmount system favorite volumes in VeraCrypt</em>&rsquo;.</p>

+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

+<head>

+<meta http-equiv="content-type" content="text/html; charset=utf-8" />

+<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>

+<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>

+<meta name="keywords" content="encryption, security"/>

+<link href="styles.css" rel="stylesheet" type="text/css" />

+</head>

+<body>

+

+<div>

+<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>

+</div>

+

+<div id="menu">

+ <ul>

+ <li><a href="Home.html">Home</a></li>

+ <li><a href="/code/">Source Code</a></li>

+ <li><a href="Downloads.html">Downloads</a></li>

+ <li><a class="active" href="Documentation.html">Documentation</a></li>

+ <li><a href="Donation.html">Donate</a></li>

+ <li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>

+ </ul>

+</div>

+

+<div>

+<p>

+<a href="Documentation.html">Documentation</a>

+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

+<a href="Normal%20Unmount%20vs%20Force%20Unmount.html">Normal Unmount vs Force Unmount</a>

+</p></div>

+

+<div class="wikidoc">

+<h1>Normal Unmount vs Force Unmount</h1>

+<p>Understanding the distinction between "Normal Unmount" and "Force Unmount" operation is important due to the potential impact on user data.</p>

+

+<h2>Normal Unmount Process</h2>

+

+<p>During a normal unmount process, VeraCrypt performs the following steps:</p>

+

+<ol>

+ <li>Requests the Windows operating system to lock the volume, prohibiting further I/O operations.</li>

+ <li>Requests Windows to gracefully eject the volume from the system. This step is analogous to user-initiated device ejection via the system tray.</li>

+ <li>Instructs the Windows Mount Manager to unmount the volume.</li>

+ <li>Deletes the link between the drive letter and the volume's virtual device.</li>

+ <li>Deletes the volume's virtual device, which includes erasing the encryption keys from RAM.</li>

+</ol>

+

+<p>In this flow, steps 1 and 2 may fail if there are open files on the volume. Notably, even if all user applications accessing files on the volume are closed, Windows might still keep the files open until the I/O cache is completely flushed.</p>

+

+<h2>Force Unmount Process</h2>

+

+<p>The Force Unmount process is distinct but largely similar to the Normal Unmount. It essentially follows the same steps but disregards any failures that might occur during steps 1 and 2, and carries on with the rest of the procedure. However, if there are files open by the user or if the volume I/O cache has not yet been flushed, this could result in potential data loss. This situation parallels forcibly removing a USB device from your computer while Windows is still indicating its active usage.</p>

+

+<p>Provided all applications using files on the mounted volume have been successfully closed and the I/O cache is fully flushed, neither data loss nor data/filesystem corruption should occur when executing a 'force unmount'. As in a normal unmount, the encryption keys are erased from RAM upon successful completion of a 'Force Unmount'.</p>

+

+<h2>How to Trigger Force Unmount</h2>

+

+<p>There are three approaches to trigger a force unmount in VeraCrypt:</p>

+

+<ol>

+ <li>Through the popup window that appears if a normal unmount attempt is unsuccessful.</li>

+ <li>Via Preferences, by checking the "force auto-unmount" option in the "Auto-Unmount" section.</li>

+ <li>Using the command line, by incorporating the /force or /f switch along with the /d or /unmount switch.</li>

+</ol>

+

+<p>In order to avoid inadvertent data loss or corruption, always ensure to follow suitable precautions when unmounting a VeraCrypt volume. This includes</p>

+<ol>

+ <li>Ensuring all files on the volume are closed before initiating a unmount.</li>

+ <li>Allowing some time after closing all files to ensure Windows has completely flushed the I/O cache.</li>

+ <li>Take note that some antivirus software may keep file handles open on the volume after performing a scan, hindering a successful Normal Unmount. If you experience this issue, you might consider excluding the VeraCrypt volume from your antivirus scans. Alternatively, consult with your antivirus software provider to understand how their product interacts with VeraCrypt volumes and how to ensure it doesn't retain open file handles.</li>

+</ol>

+

+

+</div><div class="ClearBoth"></div></body></html>

+<li>For system encryption that doesn't use SHA-512 or Whirlpool: Iterations = <strong>PIM x 2048</strong>

+</li><li>For system encryption that uses SHA-512 or Whirlpool: Iterations = <strong>15000 &#43; (PIM x 1000)</strong>

+</li><li>For non-system encryption and file containers: Iterations = <strong>15000 &#43; (PIM x 1000)</strong>

+<p>If no PIM value is specified, VeraCrypt will use the default number of iterations used in versions prior to 1.12 (see

+ <a href="Header%20Key%20Derivation.html">

+ Header Key Derivation</a>). This can be summarized as follows:<br/>

+ <ul>

+ <li>For system partition encryption (boot encryption) that uses SHA-256, BLAKE2s-256 or Streebog, <strong>200000</strong> iterations are used which is equivalent to a PIM value of <strong>98</strong>.</li>

+ <li>For system encryption that uses SHA-512 or Whirlpool, <strong>500000</strong> iterations are used which is equivalent to a PIM value of <strong>485</strong>.</li>

+ <li>For non-system encryption and file containers, all derivation algorithms will use <strong>500000</strong> iterations which is equivalent to a PIM value of <strong>485</strong>.</li>

+ </ul>

+</p>

+ if you force unmount on a VeraCrypt volume when VeraCrypt runs in portable mode, or mount a writable NTFS-formatted volume on Windows Vista or later, the VeraCrypt driver may

+ applications using the unmounted volume).</p>

+<h3>Volumes -&gt; Unmount All Mounted Volumes</h3>

+<em>Unmount All.</em></a></p>

+<p>This function allows you to re-encrypt a volume header with a header key derived using a different PRF function (for example, instead of HMAC-BLAKE2S-256 you could use HMAC-Whirlpool). Note that the volume header contains the master encryption key with which

+WARNING: Restoring a volume header also restores the volume password and PIM that were valid when the backup was created. Moreover, if keyfile(s) are/is necessary to mount a volume when the backup is created, the same keyfile(s) will be necessary to mount the volume

+After you create a volume header backup, you might need to create a new one only when you change the volume password and/or keyfiles, or when you change the PIM value. Otherwise, the volume header remains unmodified so the volume header backup remains up-to-date.</p>

+ -&gt; <em>Restore Volume Header</em>). You will need to enter the correct password (and/or to supply the correct keyfiles) and the non-default PIM value, if applicable, that were valid when the volume header backup was created. The password (and/or keyfiles) and PIM will also automatically determine the type

+Note: If the user fails to supply the correct password (and/or keyfiles) and/or the correct non-default PIM value twice in a row when trying to mount a volume, VeraCrypt will automatically try to mount the volume using the embedded backup header (in addition to trying to mount it using the primary

+<p>If enabled, passwords (which may also contain processed keyfile contents) and PIM values cached in driver memory will be cleared when VeraCrypt exits.</p>

+<p>When checked, passwords and/or processed keyfile contents for up to last four successfully mounted VeraCrypt volumes are cached. If the 'Include PIM when caching a password' option is enabled in the Preferences, non-default PIM values are cached alongside the passwords. This allows mounting volumes without having to type their passwords (and selecting keyfiles) repeatedly. VeraCrypt never saves

+ any password or PIM values to a disk (however, see the chapter <a href="Security%20Requirements%20and%20Precautions.html">

+</li><li>VeraCrypt volumes that are not displayed in the VeraCrypt application window. For example, system favorite volumes attempted to be unmounted by an instance of VeraCrypt without administrator privileges when the option '<em>Allow only administrators to

+ view and unmount system favorite volumes in VeraCrypt</em>' is enabled. </li></ul>

+<h4>Auto-unmount volume after no data has been read/written to it for</h4>

+<p>After no data has been written/read to/from a VeraCrypt volume for <em>n</em> minutes, the volume is automatically unmounted.</p>

+<h4>Force auto-unmount even if volume contains open files or directories</h4>

+<p>This option applies only to auto-unmount (not to regular unmount). It forces unmount (without prompting) on the volume being auto-unmounted in case it contains open files or directories (i.e., file/directories that are in use by the system or applications).</p>

+ data to the area of the hidden volume will be rejected (until the outer volume is unmounted).

+<strong style="text-align:left">Note that VeraCrypt never modifies the filesystem (e.g., information about allocated clusters, amount of free space, etc.) within the outer volume in any way. As soon as the volume is unmounted, the protection is lost. When

+As soon as a write operation to the hidden volume area is denied/prevented (to protect the hidden volume), the entire host volume (both the outer and the hidden volume) becomes write-protected until unmounted (the VeraCrypt driver reports the 'invalid parameter'

+no</em> information about the event is written to the volume. When the outer volume is unmounted and mounted again, the volume properties will

+</strong></em><strong style="text-align:left">can</strong><em style="text-align:left"><strong style="text-align:left"> find out that a hidden volume exists within the outer volume (he/she will be able to find it out until the volume is unmounted and possibly

+<li>Let <em>R</em> be the randomness pool. </li><li>Let <em>H</em> be the hash function selected by the user (SHA-512, BLAKE2S-256, or Whirlpool).

+<em>H</em> is BLAKE2S-256, then <em>l</em> = 20; if <em>H</em> is SHA-512, <em>l</em> = 64)

+

+<p><strong style="text-align:left">1.26.20</strong> (February 3^rd, 2025):</p>

+<ul>

+<li><strong>All OSes:</strong>

+ <ul>

+ <li>Implement SHA-256 acceleration on ARM64 platforms using CPU instructions.</li>

+ <li>Update translations.</li>

+ <li>Replace "Dismount" with "Unmount" across the UI and documentation to align with IT standards.</li>

+ </ul>

+</li>

+<li><strong>Windows:</strong>

+ <ul>

+ <li>Fix regression in driver that always allowed defragmentation and caused other side effects.</li>

+ <li>Revert to the previous method of gathering system entropy due to stability issues reported by users.</li>

+ </ul>

+</li>

+<li><strong>Linux:</strong>

+ <ul>

+ <li>Fix a regression in Linux Mint affecting administrator password authentication (GH #1473).</li>

+ </ul>

+</li>

+<li><strong>macOS:</strong>

+<ul>

+<li>Fix a regression that prevented volume unmounting (GH #1467).</li>

+<li>Resolve a wxWidgets 3.2.6 assertion error related to the undefined switch <code>use-dummy-sudo-password</code> (GH #1470).</li>

+</ul>

+</li>

+</ul>

+

+<p><strong style="text-align:left">1.26.18</strong> (January 20^th, 2025):</p>

+<ul>

+<li><strong>All OSes:</strong>

+<ul>

+<li>Added support for SHA-256 x86 intrinsic to enhance the performance of PBKDF2-HMAC-SHA256.</li>

+<li>Added support for AES hardware on ARM64 platforms (e.g. Windows ARM64, macOS on Apple Silicon Mx).</li>

+<li>Updated translations</li>

+</ul>

+</li>

+<li><strong>Windows:</strong>

+ <ul>

+ <li>Dropped support for Windows 32-bit.</li>

+ <li>Set Windows 10 October 2018 Update (version 1809) as the minimum supported version.</li>

+ <li>Reduce driver deadlock occurences under low-memory scenarios caused by re-entrant IRP completions.</li>

+ <li>Fixed failed EFI detection on some PCs where the BootOrder variable is not defined (proposed by @kriegste, GH #360).</li>

+ <li>Fixed "Access Denied" error when updating VeraCrypt using EXE setup following a Windows upgrade.</li>

+ <li>Fixed various issues affecting the EFI system encryption configuration editor.</li>

+ <li>Fixed regression in Traveler Disk creation (GH #886)</li>

+ <li>Replaced the deprecated CryptGenRandom with BCryptGenRandom for generating secure random bytes.</li>

+ <li>Use modern API to gather system entropy for random generation instead of obsolete ones.</li>

+ <li> Update LZMA SDK to version 24.09</li>

+ <li>Update libzip to version 1.11.2</li>

+ </ul>

+</li>

+<li><strong>Linux:</strong>

+ <ul>

+ <li>CVE-2024-54187: Added absolute paths when executing system binaries to prevent path hijacking (collaboration with SivertPL @__tfr)</li>

+ <li>CVE-2025-23021: Prevent mounting volumes on system directories and PATH (reported by SivertPL @__tfr)</li>

+ <li>Fixed an assertion issue with the wxWidgets library included in Ubuntu.</li>

+ <li>Improved directory-opening logic by prioritizing xdg-open and adding fallback mechanisms.</li>

+ <li>Ensure that volume exists before starting the mount operation.</li>

+ <li>Fix "Password too long" error message not expanded to include max length (GH #1456)</li>

+ <li>Simplify sudo session detection logic.</li>

+ </ul>

+</li>

+<li><strong>macOS:</strong>

+ <ul>

+ <li>CVE-2024-54187: Added absolute paths when executing system binaries to prevent path hijacking (collaboration with SivertPL @__tfr)</li>

+ <li>CVE-2025-23021: Prevent mounting volumes on system directories and PATH (reported by SivertPL @__tfr)</li>

+ <li>Disabled screen capture by default. Added the --allow-screencapture CLI switch to enable it if needed.</li>

+ <li>Ensure that volume exists before starting the mount operation.</li>

+ <li>Implement sudo session detection logic</li>

+ </ul>

+</li>

+</ul>

+

+<p><strong style="text-align:left">1.26.15</strong> (September 2^nd, 2024):</p>

+<ul>

+<li><strong>Windows:</strong>

+<ul>

+ <li>Fix MSI install/uninstall issues:

+ <ul>

+ <li>Fixed error 1603 returned by MSI silent install when REBOOT=ReallySuppress is specified and a reboot is required.</li>

+ <li>Fixed missing documentation and language files from the MSI package.</li>

+ <li>Fixed MSI not installing new documentation and language files when upgrading from an EXE-based installation.</li>

+ <li>Fixed installation folder not being removed after MSI uninstall in some cases.</li>

+ </ul>

+ </li>

+ <li>Fix regression during UEFI system decryption that caused the bootloader to persist.</li>

+</ul>

+</li>

+</ul>

+

+<p><strong style="text-align:left">1.26.14</strong> (August 25^th, 2024):</p>

+<ul>

+<li><strong>All OSes:</strong>

+<ul>

+<li>Update translations and documentation</li>

+<li>Implement language selection settings in non-Windows versions.</li>

+<li>Make codebase compatible with wxWidgets 3.3 in non-Windows versions.</li>

+<li>Implement detection of volumes affected by XTS master key vulnerability and warn user about it.</li>

+<li>Update mount failure error messages to mention removal of TrueCrypt support and old algorithms.</li>

+</ul>

+</li>

+<li><strong>Windows:</strong>

+ <ul>

+ <li>Better fix for Secure Desktop issues under Windows 11 22H2

+ <ul>

+ <li>IME is now disabled in Secure Desktop because it is known to cause issues</li>

+ </ul>

+ </li>

+ <li>VeraCrypt Expander: Fix expansion of volumes on disks with a sector size different from 512 (by skl0n6)</li>

+ <li>Fix writing wrong EFI System Encryption Advanced Options to registry</li>

+ <li>Don't close Setup when exiting VeraCrypt process through system tray Exit menu</li>

+ <li>Fix failure to format some disks (e.g. VHDX) caused by virtual partition offset not 4K aligned</li>

+ <li>Fallback to absolute positioning when accessing disks if relative positioning fails</li>

+ <li>Update zlib to version 1.3.1</li>

+ </ul>

+</li>

+<li><strong>Linux:</strong>

+ <ul>

+ <li>Focus PIM field when selected (#1239)</li>

+ <li>Fix generic installation script on Konsole in Wayland (#1244)</li>

+ <li>Added the ability to build using wolfCrypt as the cryptographic backend. Disabled by default. (Contributed by wolfSSL, GH PR #1227)</li>

+ <li>Allows GUI to launch in a Wayland-only environment (GH #1264)</li>

+ <li>CLI: Don't initially re-ask PIM if it was already specified (GH #1288)</li>

+ <li>CLI: Fix incorrect max hidden volume size for file containers (GH #1338))</li>

+ <li>Enhance ASLR security of generic installer binaries by adding linked flag for old GCC version (reported by @morton-f on Sourceforge)</li>

+ </ul>

+</li>

+<li><strong>macOS:</strong>

+ <ul>

+ <li>Fix corrupted disk icon in main UI (GH #1218)</li>

+ <li>Fix near zero width PIM input box and simplify wxTextValidator logic (GH #1274)</li>

+ <li>Use correct Disk Utility location when "check filesystem" is ran (GH #1273)</li>

+ <li>Add support for FUSE-T as an alternative to MacFUSE (GH #1055)</li>

+ </ul>

+</li>

+<li><strong>FreeBSD:</strong>

+ <ul>

+ <li>Fix privilege escalation prompts not showing up (GH #1349)</li>

+ <li>Support automatic detection and mounting of ext2/3/4, exFAT, NTFS filesystems (GH #1350)</li>

+ <li>Use correct Disk Utility location when "check filesystem" is ran (GH #1273)</li>

+ </ul>

+</li>

+</ul>

+

+<p><strong style="text-align:left">1.26.7</strong> (October 1^st, 2023):</p>

+<ul>

+<li><strong>All OSes:</strong>

+<ul>

+<li>Security: Ensure that XTS primary key is different from the secondary key when creating volumes

+ <ul>

+ <li>Issue unlikely to happen thanks to random generator properties but this check must be added to prevent attacks</li>

+ <li>Reference: CCSS,NSA comment at page 3: <a href="https://csrc.nist.gov/csrc/media/Projects/crypto-publication-review-project/documents/initial-comments/sp800-38e-initial-public-comments-2021.pdf">https://csrc.nist.gov/csrc/media/Projects/crypto-publication-review-project/documents/initial-comments/sp800-38e-initial-public-comments-2021.pdf</a></li>

+ </ul>

+</li>

+<li>Remove TrueCrypt Mode support. Version 1.25.9 can be used to mount or convert TrueCrypt volumes.</li>

+<li>Complete removal of RIPEMD160 and GOST89 algorithms. Legacy volumes using any of them cannot be mounted by VeraCrypt anymore.</li>

+<li>Add support for BLAKE2s as new PRF algorithm for both system encryption and standard volumes.</li>

+<li>Introducing support for EMV banking smart cards as keyfiles for non-system volumes.

+ <ul>

+ <li>No need for a separate PKCS#11 module configuration.</li>

+ <li>Card PIN isn't required.</li>

+ <li>Generates secure keyfile content from unique, encoded data present on the banking card.</li>

+ <li>Supports all EMV standard-compliant banking cards.</li>

+ <li>Can be enabled in settings (go to Settings->Security Tokens).</li>

+ <li>Developed by a team of students from the <a href="https://www.insa-rennes.fr">Institut national des sciences appliquées de Rennes</a>.</li>

+ <li>More details about the team and the project are available at <a href="https://projets-info.insa-rennes.fr/projets/2022/VeraCrypt/index_en.html">https://projets-info.insa-rennes.fr/projets/2022/VeraCrypt/index_en.html</a>.</li>

+ </ul>

+</li>

+<li>When overwriting an existing file container during volume creation, add its current size to the available free space</li>

+<li>Add Corsican language support. Update several translations. </li>

+<li>Update documentation</li>

+</ul>

+</li>

+<li><strong>Windows:</strong>

+<ul>

+<li>Officially, the minimum supported version is now <strong>Windows 10</strong>. VeraCrypt may still run on Windows 7 and Windows 8/8.1, but no active tests are done on these platforms.</li>

+<li>EFI Bootloader:

+<ul>

+<li>Fix bug in PasswordTimeout value handling that caused it to be limited to 255 seconds.</li>

+<li>Rescue Disk: enhance "Boot Original Windows Loader" by using embedded backup of original Windows loader if it is missing from disk</li>

+<li>Addition of Blake2s and removal of RIPEMD160 & GOST89</li>

+</ul>

+</li>

+<li>Enable memory protection by default. Add option under Performance/Driver Configuration to disable it if needed.

+<ul>

+ <li>Memory protection blocks non-admin processes from reading VeraCrypt memory</li>

+ <li>It may block Screen Readers (Accessibility support) from reading VeraCrypt UI, in which case it can be disabled</li>

+ <li>It can be disabled by setting registry value "VeraCryptEnableMemoryProtection" to 0 under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\veracrypt"</li>

+</ul>

+</li>

+<li>Add process mitigation policy to prevent VeraCrypt from being injected by other processes</li>

+<li>Minor enhancements to RAM Encryption implementation</li>

+<li>Fix Secure Desktop issues under Windows 11 22H2</li>

+<li>Implement support for mounting partially encrypted system partitions.</li>

+<li>Fix false positive detection of new device insertion when Clear Encryption Keys option is enable (System Encryption case only)</li>

+<li>Better implementation of Fast Create when creating file containers that uses UAC to request required privilege if not already held</li>

+<li>Allow choosing Fast Create in Format Wizard UI when creating file containers</li>

+<li>Fix formatting issues during volume creation on some machines.</li>

+<li>Fix stall issue caused by Quick Format of large file containers</li>

+<li>Add dropdown menu to Mount button to allow mounting without using the cache.</li>

+<li>Possible workaround for logarithmic slowdown for Encrypt-In-Place on large volumes.</li>

+<li>Make Expander first check file existence before proceeding further</li>

+<li>Allow selecting size unit (KB/MB/GB) for generated keyfiles</li>

+<li>Display full list of supported cluster sizes for NTFS, ReFS and exFAT filesystems when creating volumes</li>

+<li>Support drag-n-drop of files and keyfiles in Expander.</li>

+<li>Implement translation of Expander UI</li>

+<li>Replace legacy file/dir selection APIs with modern IFileDialog interface for better Windows 11 compatibility</li>

+<li>Enhancements to dependency dlls safe loading, including delay loading.</li>

+<li>Remove recommendation of keyfiles files extensions and update documentation to mention risks of third-party file extensions.</li>

+<li>Add support for more language in the setup installer</li>

+<li>Update LZMA library to version 23.01</li>

+<li>Update libzip to version 1.10.1 and zlib to version 1.3</li>

+</ul>

+</li>

+<li><strong>Linux:</strong>

+<ul>

+<li>Fix bug in Random generator on Linux when used with Blake2s that was triggering a self test failure.</li>

+<li>Modify Random Generator on Linux to exactly match official documentation and the Windows implementation.</li>

+<li>Fix compatibility issues with Ubuntu 23.04.</li>

+<li>Fix assert messages displayed when using wxWidgets 3.1.6 and newer.</li>

+<li>Fix issues launching fsck on Linux.</li>

+<li>Fix privilege escalation prompts being ignored.</li>

+<li>Fix wrong size for hidden volume when selecting the option to use all free space.</li>

+<li>Fix failure to create hidden volume on a disk using CLI caused by wrong maximum size detection.</li>

+<li>Fix various issues when running in Text mode:

+<ul>

+<li>Don't allow selecting exFAT/BTRFS filesytem if they are not present or not compatible with the created volume.</li>

+<li>Fix wrong unmount message displayed when mounting a volume.</li>

+<li>Hide PIM during entry and re-ask PIM when user entered a wrong value.</li>

+<li>Fix printing error when checking free space during volume creation in path doesn't exist.</li>

+</ul>

+</li>

+<li>Use wxWidgets 3.2.2.1 for static builds (e.g. console only version)</li>

+<li>Fix compatibility of generic installers with old Linux distros</li>

+<li>Update help message to indicate that when cascading algorithms they must be separated by dash</li>

+<li>Better compatibility with building under Alpine Linux and musl libc</li>

+</ul>

+</li>

+<li><strong>macOS:</strong>

+ <ul>

+ <li>Fix issue of VeraCrypt window becoming unusable in use cases involving multiple monitors and change in resolution.</li>

+ </ul>

+</li>

+</ul>

+

+<p><strong style="text-align:left">1.25.9</strong> (February 19^th, 2022):</p>

+<ul>

+<li><strong>All OSes:</strong>

+<ul>

+<li>Update translations (Chinese, Dutch, French, German, Turkish).</li>

+</ul>

+</li>

+<li><strong>Windows:</strong>

+<ul>

+<li>Make MSI installer compatible with system encryption.</li>

+<li>Set minimum support for MSI installation to Windows 7.</li>

+<li>Fix failure to create Traveler Disk when VeraCrypt is installed using MSI.</li>

+<li>Don't cache the outer volume password when mounting with hidden volume protection if wrong hidden volume password was specified.</li>

+<li>Reduce the size of EXE installers by almost 50% by using LZMA compression instead of DEFLATE.</li>

+<li>Fix double-clicking mounted drive in VeraCrypt UI not working in some special Windows configurations.</li>

+<li>Add registry key to fix BSOD during shutdown/reboot on some machines when using system encryption.

+<ul>

+<li>Under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\veracrypt", create a REG_DWORD value named "VeraCryptEraseKeysShutdown".</li>

+<li>Setting this registry value to 0 disables erasing system encryption keys which is the cause of BSOD during shutdown on some machines.</li>

+</ul>

+</li>

+</ul>

+</li>

+<li><strong>Linux:</strong>

+<ul>

+<li>Fix hidden volume settings not correctly displayed when enabling hidden volume protection in mount options window.</li>

+<li>Fix generic Linux installer overwriting /usr/sbin if it is a symlink.</li>

+<li>Fix crash when building with _GLIBCXX_ASSERTIONS defined.</li>

+<li>Enable building from source without AES-NI support.</li>

+</ul>

+</li>

+<li><strong>MacOSX:</strong>

+<ul>

+<li>Fix hidden volume settings not correctly displayed when enabling hidden volume protection in mount options window.</li>

+</ul>

+</li>

+</ul>

+<li>Don't display mount/unmount examples in help dialog for command line in Format and Expander.</li>

+<li>Fix some cases of external applications freezing during mount/unmount.</li>

+</li><li>Solve &quot;Class Already exists&quot; error that was happening for some users. </li><li>Solve some menu items and GUI fields not translatable </li><li>Make volumes correctly report Physical Sector size to Windows. </li><li>Correctly detect switch user/RDP disconnect operations for autounmount on session locked.

+<li>Solve issue volumes not auto-unmounting when quitting VeraCrypt<strong>.</strong>

+</li><li>Implement option to auto-unmount when user session is locked </li><li>Add self-test vectors for SHA-256 </li><li>Modern look-and-feel by enabling visual styles </li><li>few minor fixed. </li></ul>

+explained here</a>. Big thanks to Liran Elharar for discovering this. </li><li>Windows may use caching methods and write delays that are normally used for removable media (for example, USB flash drives). This might slightly decrease the performance but at the same increase the likelihood that it will be possible to unmount the volume

+ quickly without having to force the unmount. </li><li>The operating system may tend to keep the number of handles it opens to such a volume to a minimum. Hence, volumes mounted as removable media might require fewer forced unmounts than other volumes.

+</li><li>Unmount the VeraCrypt volume. </li><li>delete it (the container) just like you delete any other file. </li></ol>

+</li><li>Prevent traffic analysis when encrypted data is transmitted over a network. </li><li>Prevent an attacker from determining in which sectors of the volume the content changed (and when and how many times) if he or she can observe the volume (unmounted or mounted) before and after data is written to it, or if the storage medium/device allows

+</li><li>Unmount, using VeraCrypt, (and, in the VeraCrypt application window, see the path to and properties of) any VeraCrypt volume mounted by him or her. However, this does not apply to &lsquo;system favorite volumes&rsquo;, which he or she can unmount (etc.)

+Settings</em> &gt; &lsquo;<em>System Favorite Volumes</em>&rsquo; &gt; &lsquo;<em>Allow</em> only administrators to view and unmount system favorite volumes in VeraCrypt&rsquo;; note that this option can be enabled or disabled only by an administrator).

+</li><li>Unmount, using VeraCrypt, (and, in the VeraCrypt application window, see the path to and properties of) any VeraCrypt volume mounted by him or her.

+<a href="VeraCrypt%20Memory%20Protection.html" style="text-align:left; color:#0080c0; text-decoration:none.html">VeraCrypt Memory Protection</a>

+</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">

+If an adversary has access to a (unmounted) VeraCrypt volume at several points over time, he may be able to determine which sectors of the volume are changing. If you change the contents of a

+</li><li>A unmounted VeraCrypt file container is stored on a single computer (for example, on a server). This encrypted file is shared over a network. Users on other computers or systems will locally mount the shared file. Thus, the volume will be mounted simultaneously

+Mac OS X 14 Sonoma </li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">

+Mac OS X 13 Ventura </li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">

+Linux x86, x86-64, ARM64 (Starting from Debian 10, Ubuntu 20.04, CentOS 7, OpenSUSE 15.1) </li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">

+FreeBSD x86-64 (starting from version 12) </li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">

+<span style="text-align:left;">Note: <br/>

+VeraCrypt 1.25.9 is the last version that supports Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 8.1.<br/>

+VeraCrypt 1.25.9 is the last version the supports Mac OS X versions from 10.9 Mavericks to 11 Big Sur<br/>

+VeraCrypt 1.24-Update8 is the last version that supports Mac OS X 10.7 Lion and Mac OS X 10.8 Mountain Lion.</span></div>

+Windows 10 </li></ul>

+

+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

+<strong>Note on SSDs and TRIM:</strong>

+When using system encryption on SSDs, it's important to consider the implications of the TRIM operation, which can potentially reveal information about which sectors on the drive are not in use. For detailed guidance on how TRIM operates with VeraCrypt and how to manage its settings for enhanced security, please refer to the <a href="Trim%20Operation.html">TRIM Operation</a> documentation.

+</div>

+

+</strong>During the system encryption process, VeraCrypt automatically and transparently switches the keyboard to US layout in order to ensure that the password value typed will match the one typed in pre-boot mode.

+However, pasting the password from the clipboard can override this protective measure. To prevent any issues arising from this discrepancy, VeraCrypt disables the option to paste passwords from the clipboard in the system encryption wizard.

+Thus, when setting or entering your password, it's crucial to type it manually using the same keys as when creating the system encryption, ensuring consistent access to your encrypted system.</div>

+ running). In EFI boot mode, which is the default on modern PCs, VeraCrypt can not encrypt this partition since it must remain unencrypted so that the BIOS can load the EFI bootloader from it. This in turn implies that in EFI boot mode, VeraCrypt offers only to encrypt the system partition where Windows is installed (the user can later manually encrypt other data partitions using VeraCrypt).

+</strong>(select <em>Settings </em>&gt; &lsquo;<em>System Favorite Volumes</em>&rsquo; &gt; &lsquo;<em>Allow only administrators to view and unmount system favorite volumes in VeraCrypt</em>&rsquo;). This option should be enabled on servers to ensure that

+ system favorite volumes cannot be unmounted by users without administrator privileges. On non-server systems, this option can be used to prevent normal VeraCrypt volume actions (such as &lsquo;<em>Unmount All</em>&rsquo;, auto-unmount, etc.) from affecting

+</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">

+<a href="CompilingGuidelines.html" style="text-align:left; color:#0080c0; text-decoration:none.html">Building VeraCrypt From Source</a>

+<ul>

+<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">

+<a href="CompilingGuidelineWin.html" style="text-align:left; color:#0080c0; text-decoration:none.html">Windows Build Guide</a>

+</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">

+<a href="CompilingGuidelineLinux.html" style="text-align:left; color:#0080c0; text-decoration:none.html">Linux Build Guide</a>

+</li>

+</ul>

+ even if they are located within a part of the drive that is encrypted by VeraCrypt.<br>

+<br>

+On Windows, VeraCrypt allows users to control the trim operation for both non-system and system volumes:

+<ul>

+<li>For non-system volumes, trim is blocked by default. Users can enable trim through VeraCrypt's interface by navigating to "Settings -> Performance/Driver Configuration" and checking the option "Allow TRIM command for non-system SSD partition/drive."</li>

+<li>For <a href="System%20Encryption.html">system encryption</a>, trim is enabled by default (unless a <a href="Hidden%20Operating%20System.html">hidden operating system</a> is running). Users can disable trim by navigating to "System -> Settings" and checking the option "Block TRIM command on system partition/drive."</li>

+</ul>

+

+Under Linux, VeraCrypt does not block the trim operation on volumes using the native Linux kernel cryptographic services, which is the default setting. To block TRIM on Linux, users should either enable the "do not use kernel cryptographic services" option in VeraCrypt's Preferences (applicable only to volumes mounted afterward) or use the <code>--mount-options=nokernelcrypto</code> switch in the command line when mounting.

+<br>

+<br>

+Under macOS, VeraCrypt does not support the trim operation. Therefore, trim is always blocked on all volumes.

+<br>

+<br>

+In cases where trim operations occur, the adversary will be able to tell which sectors contain free space (and may be able to use this information for

+plausible deniability</a> may be negatively affected. In order to avoid these issues, users should either disable trim in VeraCrypt settings as previously described or make sure VeraCrypt volumes are not located on drives that use the trim operation.</div>

+<em style="text-align:left">When mounting or unmounting a VeraCrypt volume, the system crashes (a 'blue screen' error screen appears or the

+<p>

+<strong>Note: <span style="color:#ff0000;">TrueCrypt support was dropped starting from version 1.26</span></strong>

+</p>

+ (RAM) until the computer is turned off (and, according to some researchers, even for some time after the power is turned off*). Also note that if you open a file stored on a VeraCrypt volume, for example, in a text editor and then force unmount on the VeraCrypt

+ volume, then the file will remain unencrypted in the area of memory (RAM) used by (allocated to) the text editor. This also applies to forced auto-unmount.</div>

+Inherently, unencrypted master keys have to be stored in RAM too. When a non-system VeraCrypt volume is unmounted, VeraCrypt erases its master keys (stored in RAM). When the computer is cleanly restarted (or cleanly shut down), all non-system VeraCrypt volumes

+ are automatically unmounted and, thus, all master keys stored in RAM are erased by the VeraCrypt driver (except master keys for system partitions/drives &mdash; see below). However, when power supply is abruptly interrupted, when the computer is reset (not

+<span style="text-align:left; font-size:10px; line-height:12px">** Before a key can be erased from RAM, the corresponding VeraCrypt volume must be unmounted. For non-system volumes, this does not cause any problems. However, as Microsoft currently does not

+ provide any appropriate API for handling the final phase of the system shutdown process, paging files located on encrypted system volumes that are unmounted during the system shutdown process may still contain valid swapped-out memory pages (including portions

+ of Windows system files). This could cause 'blue screen' errors. Therefore, to prevent 'blue screen' errors, VeraCrypt does not unmount encrypted system volumes and consequently cannot clear the master keys of the system volumes when the system is shut down

+After a system administrator installs VeraCrypt on the system, users without administrator privileges will be able to run VeraCrypt, mount/unmount any type of VeraCrypt volume, load/save data from/to it, and create file-hosted VeraCrypt volumes on the system.

+<li>Hot keys </li><li>Auto-unmount (e.g., upon logoff, inadvertent host device removal, time-out, etc.)