Release Notes
Note to users who created volumes with 1.17 version of VeraCrypt or earlier:
To avoid hinting whether your volumes contain a hidden volume or not, or if you depend on plausible deniability when using hidden volumes/OS, then you must recreate both the outer and hidden volumes including system encryption and hidden OS, discarding existing volumes created prior to 1.18a version of VeraCrypt.
1.26.17 (November 24th, 2024):
- All OSes:
- Added support for SHA-256 x86 intrinsic to enhance the performance of PBKDF2-HMAC-SHA256.
- Updated translations
- Windows:
- Dropped support for Windows 32-bit.
- Set Windows 10 May 2020 Update (version 2004) as the minimum supported version.
- Fixed driver deadlock under low-memory scenarios caused by re-entrant IRP completions.
- Fixed failed EFI detection on some PCs where the BootOrder variable is not defined (proposed by @kriegste, GH #360).
- Fixed various issues affecting the EFI system encryption configuration editor.
- Replaced the deprecated CryptGenRandom with BCryptGenRandom for generating secure random bytes.
- Linux:
- Fixed an assertion issue with the wxWidgets library included in Ubuntu.
- Improved directory-opening logic by prioritizing xdg-open and adding fallback mechanisms.
- macOS:
- Disabled screen capture by default. Added the --allow-screencapture CLI switch to enable it if needed.
1.26.15 (September 2nd, 2024):
- Windows:
- Fix MSI install/uninstall issues:
- Fixed error 1603 returned by MSI silent install when REBOOT=ReallySuppress is specified and a reboot is required.
- Fixed missing documentation and language files from the MSI package.
- Fixed MSI not installing new documentation and language files when upgrading from an EXE-based installation.
- Fixed installation folder not being removed after MSI uninstall in some cases.
- Fix regression during UEFI system decryption that caused the bootloader to persist.
1.26.14 (August 25th, 2024):
- All OSes:
- Update translations and documentation
- Implement language selection settings in non-Windows versions.
- Make codebase compatible with wxWidgets 3.3 in non-Windows versions.
- Implement detection of volumes affected by XTS master key vulnerability and warn user about it.
- Update mount failure error messages to mention removal of TrueCrypt support and old algorithms.
- Windows:
- Better fix for Secure Desktop issues under Windows 11 22H2
- IME is now disabled in Secure Desktop because it is known to cause issues
- VeraCrypt Expander: Fix expansion of volumes on disks with a sector size different from 512 (by skl0n6)
- Fix writing wrong EFI System Encryption Advanced Options to registry
- Don't close Setup when exiting VeraCrypt process through system tray Exit menu
- Fix failure to format some disks (e.g. VHDX) caused by virtual partition offset not 4K aligned
- Fallback to absolute positioning when accessing disks if relative positioning fails
- Update zlib to version 1.3.1
- Linux:
- Focus PIM field when selected (#1239)
- Fix generic installation script on Konsole in Wayland (#1244)
- Added the ability to build using wolfCrypt as the cryptographic backend. Disabled by default. (Contributed by wolfSSL, GH PR #1227)
- Allows GUI to launch in a Wayland-only environment (GH #1264)
- CLI: Don't initially re-ask PIM if it was already specified (GH #1288)
- CLI: Fix incorrect max hidden volume size for file containers (GH #1338))
- Enhance ASLR security of generic installer binaries by adding linked flag for old GCC version (reported by @morton-f on Sourceforge)
- macOS:
- Fix corrupted disk icon in main UI (GH #1218)
- Fix near zero width PIM input box and simplify wxTextValidator logic (GH #1274)
- Use correct Disk Utility location when "check filesystem" is ran (GH #1273)
- Add support for FUSE-T as an alternative to MacFUSE (GH #1055)
- FreeBSD:
- Fix privilege escalation prompts not showing up (GH #1349)
- Support automatic detection and mounting of ext2/3/4, exFAT, NTFS filesystems (GH #1350)
- Use correct Disk Utility location when "check filesystem" is ran (GH #1273)
1.26.7 (October 1st, 2023):
- All OSes:
- Security: Ensure that XTS primary key is different from the secondary key when creating volumes
- Remove TrueCrypt Mode support. Version 1.25.9 can be used to mount or convert TrueCrypt volumes.
- Complete removal of RIPEMD160 and GOST89 algorithms. Legacy volumes using any of them cannot be mounted by VeraCrypt anymore.
- Add support for BLAKE2s as new PRF algorithm for both system encryption and standard volumes.
- Introducing support for EMV banking smart cards as keyfiles for non-system volumes.
- When overwriting an existing file container during volume creation, add its current size to the available free space
- Add Corsican language support. Update several translations.
- Update documentation
- Windows:
- Officially, the minimum supported version is now Windows 10. VeraCrypt may still run on Windows 7 and Windows 8/8.1, but no active tests are done on these platforms.
- EFI Bootloader:
- Fix bug in PasswordTimeout value handling that caused it to be limited to 255 seconds.
- Rescue Disk: enhance "Boot Original Windows Loader" by using embedded backup of original Windows loader if it is missing from disk
- Addition of Blake2s and removal of RIPEMD160 & GOST89
- Enable memory protection by default. Add option under Performance/Driver Configuration to disable it if needed.
- Memory protection blocks non-admin processes from reading VeraCrypt memory
- It may block Screen Readers (Accessibility support) from reading VeraCrypt UI, in which case it can be disabled
- It can be disabled by setting registry value "VeraCryptEnableMemoryProtection" to 0 under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\veracrypt"
- Add process mitigation policy to prevent VeraCrypt from being injected by other processes
- Minor enhancements to RAM Encryption implementation
- Fix Secure Desktop issues under Windows 11 22H2
- Implement support for mounting partially encrypted system partitions.
- Fix false positive detection of new device insertion when Clear Encryption Keys option is enable (System Encryption case only)
- Better implementation of Fast Create when creating file containers that uses UAC to request required privilege if not already held
- Allow choosing Fast Create in Format Wizard UI when creating file containers
- Fix formatting issues during volume creation on some machines.
- Fix stall issue caused by Quick Format of large file containers
- Add dropdown menu to Mount button to allow mounting without using the cache.
- Possible workaround for logarithmic slowdown for Encrypt-In-Place on large volumes.
- Make Expander first check file existence before proceeding further
- Allow selecting size unit (KB/MB/GB) for generated keyfiles
- Display full list of supported cluster sizes for NTFS, ReFS and exFAT filesystems when creating volumes
- Support drag-n-drop of files and keyfiles in Expander.
- Implement translation of Expander UI
- Replace legacy file/dir selection APIs with modern IFileDialog interface for better Windows 11 compatibility
- Enhancements to dependency dlls safe loading, including delay loading.
- Remove recommendation of keyfiles files extensions and update documentation to mention risks of third-party file extensions.
- Add support for more language in the setup installer
- Update LZMA library to version 23.01
- Update libzip to version 1.10.1 and zlib to version 1.3
- Linux:
- Fix bug in Random generator on Linux when used with Blake2s that was triggering a self test failure.
- Modify Random Generator on Linux to exactly match official documentation and the Windows implementation.
- Fix compatibility issues with Ubuntu 23.04.
- Fix assert messages displayed when using wxWidgets 3.1.6 and newer.
- Fix issues launching fsck on Linux.
- Fix privilege escalation prompts being ignored.
- Fix wrong size for hidden volume when selecting the option to use all free space.
- Fix failure to create hidden volume on a disk using CLI caused by wrong maximum size detection.
- Fix various issues when running in Text mode:
- Don't allow selecting exFAT/BTRFS filesytem if they are not present or not compatible with the created volume.
- Fix wrong dismount message displayed when mounting a volume.
- Hide PIM during entry and re-ask PIM when user entered a wrong value.
- Fix printing error when checking free space during volume creation in path doesn't exist.
- Use wxWidgets 3.2.2.1 for static builds (e.g. console only version)
- Fix compatibility of generic installers with old Linux distros
- Update help message to indicate that when cascading algorithms they must be separated by dash
- Better compatibility with building under Alpine Linux and musl libc
- macOS:
- Fix issue of VeraCrypt window becoming unusable in use cases involving multiple monitors and change in resolution.
1.25.9 (February 19th, 2022):
- All OSes:
- Update translations (Chinese, Dutch, French, German, Turkish).
- Windows:
- Make MSI installer compatible with system encryption.
- Set minimum support for MSI installation to Windows 7.
- Fix failure to create Traveler Disk when VeraCrypt is installed using MSI.
- Don't cache the outer volume password when mounting with hidden volume protection if wrong hidden volume password was specified.
- Reduce the size of EXE installers by almost 50% by using LZMA compression instead of DEFLATE.
- Fix double-clicking mounted drive in VeraCrypt UI not working in some special Windows configurations.
- Add registry key to fix BSOD during shutdown/reboot on some machines when using system encryption.
- Under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\veracrypt", create a REG_DWORD value named "VeraCryptEraseKeysShutdown".
- Setting this registry value to 0 disables erasing system encryption keys which is the cause of BSOD during shutdown on some machines.
- Linux:
- Fix hidden volume settings not correctly displayed when enabling hidden volume protection in mount options window.
- Fix generic Linux installer overwriting /usr/sbin if it is a symlink.
- Fix crash when building with _GLIBCXX_ASSERTIONS defined.
- Enable building from source without AES-NI support.
- MacOSX:
- Fix hidden volume settings not correctly displayed when enabling hidden volume protection in mount options window.
1.25.7 (January 7th, 2022):
- All OSes:
- Windows:
- Restore support of Windows Vista, Windows 7 and Windows 8/8.1.
- Windows 7 support requires that either KB3033929 or KB4474419 is installed.
- Windows Vista support requires that either KB4039648 or KB4474419 is installed.
- MSI installation only: Fix double-clicking .hc file container inserting %1 instead of volume name in path field.
- Advanced users: Add registry settings to control driver internal encryption queue to allow tuning performance for SSD disks and having better stability under heavy load.
- Under registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\veracrypt:
- VeraCryptEncryptionFragmentSize (REG_DWORD): size of encryption data fragment in KiB. Default is 256. Maximum is 2048.
- VeraCryptEncryptionIoRequestCount (REG_DWORD): maximum number of parallel I/O requests. Default is 16. Maximum is 8192.
- VeraCryptEncryptionItemCount (REG_DWORD): maximum number of encryption queue items processed in parallel. Default as well as maximum is half of VeraCryptEncryptionIoRequestCount.
- The triplet (FragmentSize=512, IoRequestCount=128, ItemCount=64) is an example of parameters that enhance sequential read speed on some SSD NVMe systems.
- Fix truncate text in installer for some languages.
- MacOSX:
- Fix resource files inside VeraCrypt application bundle (e.g. HTML documentation, languages XML files) being world-writable. (Reported by Niall O'Reilly)
1.25.4 (December 3rd, 2021):
- All OSes:
- Speed optimization of Streebog.
- Update translations.
- Windows:
- Add support for Windows on ARM64 (e.g. Microsoft Surface Pro X) but system encryption not yet supported.
- Add MSI installer for silent mode deployment (ACCEPTLICENSE=YES must be set in msiexec command line).
- For now, MSI installer cannot be used if system partition is encrypted with VeraCrypt
- MSI installer requires Windows 10 or newer
- Drop support of Windows Vista, Windows 7, Windows 8 and Windows 8.1 because of new requirement for driver code signing.
- Reduce time of mount when PRF auto-detection is selected.
- Fix potential memory corruption in driver caused by integer overflow in IOCTL_STORAGE_MANAGE_DATA_SET_ATTRIBUTES (reported by Ilja van Sprundel).
- Replace insecure wcscpy/wcscat/strcpy runtime functions with secure equivalents.
- Changes to EFI bootloader:
- Fix memory leak in some cases caused by wrong check of pointer for calling MEM_FREE
- Clear bootParams variable that may contain sensitive information when halting the system in case of fatal error
- Add option "KeyboardInputDelay" in DcsProp to control the minimum delay supported between two key strokes
- Try to workaround Windows Feature Updates issues with system encryption by fixing of bootloader and SetupConfig.ini when system resumes or when session is opened/unlocked
- Fix failure to load local HTML documentation if application running with administrative privileges
- Fix freeze when password dialog displayed in secure desktop and try to access token keyfiles protected by PIN
- Fix failure to launch keyfile generator in secure desktop mode
- Block Windows from resizing system partition if it is encrypted
- Add keyboard shortcut to "TrueCrypt mode" in the mount dialog.
- MacOSX:
- Native support of Apple Silicon M1.
- Drop official support of Mac OS X 10.7 Lion and Mac OS X 10.8 Mountain Lion.
- Add UI language support using installed XML files. Language is automatically detected using "LANG" environment variable
- Add CLI switch (--size=max) and UI option to give a file container all available free space on the disk where it is created.
- Return error if unknown filesystem value specified in CLI --filesystem switch instead of silently skipping filesystem creation.
- Linux:
- Add UI language support using installed XML files. Language is automatically detected using "LANG" environment variable
- Compatiblity with with pam_tmpdir.
- Display icon in notification area on Ubuntu 18.04 and newer (contibuted by https://unit193.net/).
- Add CLI switch (--size=max) and UI option to give a file container all available free space on the disk where it is created.
- Return error if unknown filesystem value specified in CLI --filesystem switch instead of silently skipping filesystem creation.
- FreeBSD:
- Make system devices work under FreeBSD
- Add CLI switch (--size=max) and UI option to give a file container all available free space on the disk where it is created.
- Return error if unknown filesystem value specified in CLI --filesystem switch instead of silently skipping filesystem creation.
- OpenBSD:
- Add basic support of OpenBSD
- Add CLI switch (--size=max) and UI option to give a file container all available free space on the disk where it is created.
- Return error if unknown filesystem value specified in CLI --filesystem switch instead of silently skipping filesystem creation.
1.24-Update8 (November 28th, 2020):
- MacOSX:
- Fix compatibility issues with macOS Big Sur, especially on Apple Silicon M1 with macFUSE 4.0.x.
1.24-Update7 (August 7th, 2020):
- All OSes:
- Don't allow Hidden volume to have the same password, PIM and keyfiles as Outer volume
- Fix random crash in 32-bit builds when using Streebog.
- Enable FIPS mode in JitterEntropy random generator.
- Update Beginner's Tutorial in documentation to use "MyVolume.hc" instead of "My Volume" for file container name in order to avoid confusion about nature of file nature.
- Minor code cleanup
- Windows:
- Fix wrong results in benchmark of encryption algorithms when RAM encryption is enabled
- Fix issue when RAM encryption used, AES selected and AES-NI not supported by CPU that caused the free space of newly created volumes not filled with random data even if "quick format" is not selected.
- Fix UI for blocking TRIM in system encryption not working in MBR boot mode.
- Support password drag-n-drop from external applications (e.g. KeePass) to password UI fields which is more secure than using clipboard.
- Implements compatibility with Windows 10 Modern Standby and Windows 8.1 Connected Standby power model. This makes detection of entring power saving mode more reliable.
- Avoid displaying waiting dialog when /silent specified for "VeraCrypt Format" during creating of file container using /create switch and a filesystem other than FAT.
- Use native Windows format program to perform formatting of volume since it is more reliable and only fallback to FormatEx function from fmifs.dll in case of issue.
- Don't use API for Processor Groups support if there is only 1 CPU group in the system. This can fix slowness issue observed on some PCs with AMD CPUs.
- Don't allow to encrypt the system drive if it is already encrypted by BitLocker.
- Implement detection of Hibernate and Fast Startup and disable them if RAM encryption is activated.
- Warn about Fast Startup if it is enabled during VeraCrypt installation/upgrade, when starting system encryption or when creating a volume, and propose to disable it.
- Add UI options to control the behavior of automatic bootloader fixing when System Encryption used.
- Don't allow a directory path to be entered for the file container to be created in Format wizard.
- Don't try to use fix for CVE-2019-19501 if Windows Shell has been modified or is not running since there is no reliable way to fix it in such non standard configuation.
- MBR bootloader: fix incorrect compressed data size passed to decompressor in boot sector.
- Add warning message when typed password reaches maximum length during the system encryption wizard.
- Fix wrong error message when UTF-8 encoding of entered password exceeds the maximum supported length.
- Fix crash when using portable 32-bit "VeraCrypt Format.exe" to create hidden volume on a 64-bit machine where VeraCrypt is already installed.
- Update libzip to latest version 1.7.3.
- Update translations.
- Linux/MacOSX:
- Force reading of at least 32 bytes from /dev/random before allowing it to fail gracefully
- Allow choosing a filesystem other than FAT for Outer volume but display warning about risks of such choice. Implement an estimation of maximum possible size of hidden volume in this case.
- Erase sensitive memory explicitly instead of relying on the compiler not optimizing calls to method Memory::Erase.
- Add support for Btrfs filesystem when creating volumes (Linux Only).
- Update wxWidgets for static builds to version 3.0.5.
1.24-Update6 (March 10th, 2020):
- Windows:
- Fix PIM label text truncation in password dialog
- Fix wrong language used in installer if user selects a language other than English and then selects English before clicking OK on language selection dialog.
1.24-Update5 (March 9th, 2020):
- Windows:
- Optimize performance for CPUs that have more than 64 logical processors (contributed by Sachin Keswani from AMD)
- Support specifying keyfiles (both in tokens and in filesystem) when creating file containers using command line (switches /keyfile, /tokenlib and /tokenpin supported in VeraCrypt Format)
- Fix leak of keyfiles path and name after VeraCrypt process exits.
- Add CLI switch /secureDesktop to VeraCrypt Format.
- Update libzip to version 1.6.1
- Minor UI fixes
1.24-Update4 (January 23rd, 2020):
- Windows:
- Fix regression in Expander and Format when RAM encryption is enable that was causing volume headers to be corrupted.
- Fix failure of Screen Readers (Accessibility support) to read UI by disabling newly introduced memory protection by default and adding a CLI switch (/protectMemory) to enable it when needed.
- Fix side effects related to the fix for CVE-2019-19501 which caused links in UI not to open.
- Add switch /signalExit to support notifying WAITFOR Windows command when VeraCrypt.exe exits if /q was specified in CLI (cf documentation for usage).
- Don't display mount/dismount examples in help dialog for command line in Format and Expander.
- Documentation and translation updates.
- Linux:
- Fix regression that limited the size available for hidden volumes created on disk or partition.
- MacOSX:
- Fix regression that limited the size available for hidden volumes created on disk or partition.
1.24-Update3 (December 21nd, 2019):
- Linux:
- Fix console-only build to remove dependency on GTK that is not wanted on headless servers.
1.24-Update2 (December 16th, 2019):
- All OSes:
- clear AES key from stack memory when using non-optimized implementation. Doesn't apply to VeraCrypt official build (Reported and fixed by Hanno Böck)
- Update Jitterentropy RNG Library to version 2.2.0
- Start following IEEE 1541 agreed naming of bytes (KiB, MiB, GiB, TiB, PiB).
- Various documentation enhancements.
- Windows:
- Fix possible local privilege escalation vulnerability during execution of VeraCrypt Expander (CVE-2019-19501)
- MBR bootloader:
- workaround for SSD disks that don't allow write operations in BIOS mode with buffers less than 4096 bytes.
- Don't restore MBR to VeraCrypt value if it is coming from a loader different from us or different from Microsoft one.
- EFI bootloader:
- Fix "ActionFailed" not working and add "ActionCancelled" to customize handling of user hitting ESC on password prompt
- Fix F5 showing previous password after failed authentication attempt. Ensure that even wrong password value are cleared from memory.
- Fix multi-OS boot compatibility by only setting VeraCrypt as first bootloader of the system if the current first bootloader is Windows one.
- Add new registry flags for SystemFavoritesService to control updating of EFI BIOS boot menu on shutdown.
- Allow system encrypted drive to be mounted in WindowsPE even if changing keyboard layout fails (reported and fixed by Sven Strickroth)
- Enhancements to the mechanism preserving file timestamps, especially for keyfiles.
- Fix RDRAND instruction not detected on AMD CPUs.
- Detect cases where RDRAND is flawed (e.g. AMD Ryzen) to avoid using it if enabled by user.
- Don't write extra 0x00 byte at the end of DcsProp file when modifying it through UI
- Reduce memory usage of IOCTL_DISK_VERIFY handler used in disk verification by Windows.
- Add switch /FastCreateFile for VeraCrypt Format.exe to speedup creation of large file container if quick format is selected.
- Fix the checkbox for skipping verification of Rescue Disk not reflecting the value of /noisocheck switch specified in VeraCrypt Format command line.
- check "TrueCrypt Mode" in password dialog when mounting a file container with .tc extension
- Update XML languages files.
- Linux:
- Fix regression causing admin password to be requested too many times in some cases
- Fix off by one buffer overflow in function Process::Execute (Reported and fixed by Hanno Böck)
- Make sure password gets deleted in case of internal error when mounting volume (Reported and fixed by Hanno Böck)
- Fix passwords using Unicode characters not recognized in text mode.
- Fix failure to run VeraCrypt binary built for console mode on headless machines.
- Add switch to force the use of legacy maximum password length (64 UTF8 bytes)
- Add CLI switch (--use-dummy-sudo-password) to force use of old sudo behavior of sending a dummy password
- During uninstall, output error message to STDERR instead of STDOUT for better compatibility with package managers.
- Make sector size mismatch error when mounting disks more verbose.
- Speedup SHA256 in 64-bit mode by using assembly code.
- MacOSX:
- Add switch to force the use of legacy maximum password length (64 UTF8 bytes)
- Fix off by one buffer overflow in function Process::Execute (Reported and fixed by Hanno Böck)
- Fix passwords using Unicode characters not recognized in text mode.
- Make sector size mismatch error when mounting disks more verbose.
- Speedup SHA256 in 64-bit mode by using assembly code.
- Link against latest wxWidgets version 3.1.3
1.24-Hotfix1 (October 27rd, 2019):
- Windows:
- Fix 1.24 regression that caused system favorites not to mount at boot if VeraCrypt freshly installed.
- Fix failure to encrypt system if the current Windows username contains a Unicode non-ASCII character.
- Make VeraCrypt Expander able to resume expansion of volumes whose previous expansion was aborted before it finishes.
- Add "Quick Expand" option to VeraCrypt Expander to accelarate the expansion of large file containers.
- Add several robustness checks and validation in case of system encryption to better handle some corner cases.
- Minor UI and documentation changes.
- Linux:
- Workaround gcc 4.4.7 bug under CentOS 6 that caused VeraCrypt built under CentOS 6 to crash when Whirlpool hash is used.
- Fix "incorrect password attempt" written to /var/log/auth.log when mounting volumes.
- Fix dropping file in UI not showing its correct path , specifically under GTK-3.
- Add missing JitterEntropy implementation/
- MacOSX:
- Fix some devices and partitions not showing in the device selection dialog under OSX 10.13 and newer.
- Fix keyboard tab navigation between password fields in "Volume Password" page of volume creation wizard.
- Add missing JitterEntropy implementation/
- Support APFS filesystem for creation volumes.
- Support Dark Mode.
1.24 (October 6th, 2019):
- All OSs:
- Increase password maximum length to 128 bytes in UTF-8 encoding for non-system volumes.
- Add option to use legacy maximum password length (64) instead of new one for compatibility reasons.
- Use Hardware RNG based on CPU timing jitter "Jitterentropy" by Stephan Mueller as a good alternative to CPU RDRAND (http://www.chronox.de/jent.html)
- Speed optimization of XTS mode on 64-bit machine using SSE2 (up to 10% faster).
- Fix detection of CPU features AVX2/BMI2. Add detection of RDRAND/RDSEED CPU features. Detect Hygon CPU as AMD one.
- Windows:
- Implement RAM encryption for keys and passwords using ChaCha12 cipher, t1ha non-cryptographic fast hash and ChaCha20 based CSPRNG.
- Available only on 64-bit machines.
- Disabled by default. Can be enabled using option in UI.
- Less than 10% overhead on modern CPUs.
- Side effect: Windows Hibernate is not possible if VeraCrypt System Encryption is also being used.
- Mitigate some memory attacks by making VeraCrypt applications memory inaccessible to non-admin users (based on KeePassXC implementation)
- New security features:
- Erase system encryption keys from memory during shutdown/reboot to help mitigate some cold boot attacks
- Add option when system encryption is used to erase all encryption keys from memory when a new device is connected to the system.
- Add new driver entry point that can be called by applications to erase encryption keys from memory in case of emergency.
- MBR Bootloader: dynamically determine boot loader memory segment instead of hardcoded values (proposed by neos6464)
- MBR Bootloader: workaround for issue affecting creation of hidden OS on some SSD drives.
- Fix issue related to Windows Update breaking VeraCrypt UEFI bootloader.
- Several enhancements and fixes for EFI bootloader:
- Implement timeout mechanism for password input. Set default timeout value to 3 minutes and default timeout action to "shutdown".
- Implement new actions "shutdown" and "reboot" for EFI DcsProp config file.
- Enhance Rescue Disk implementation of restoring VeraCrypt loader.
- Fix ESC on password prompt during Pre-Test not starting Windows.
- Add menu entry in Rescue Disk that enables starting original Windows loader.
- Fix issue that was preventing Streebog hash from being selected manually during Pre-Boot authentication.
- If "VeraCrypt" folder is missing from Rescue Disk, it will boot PC directly from bootloader stored on hard drive
- This makes it easy to create a bootable disk for VeraCrypt from Rescue Disk just by removing/renaming its "VeraCrypt" folder.
- Add option (disabled by default) to use CPU RDRAND or RDSEED as an additional entropy source for our random generator when available.
- Add mount option (both UI and command line) that allows mounting a volume without attaching it to the specified drive letter.
- Update libzip to version 1.5.2
- Do not create uninstall shortcut in startmenu when installing VeraCrypt. (by Sven Strickroth)
- Enable selection of Quick Format for file containers creation. Separate Quick Format and Dynamic Volume options in the wizard UI.
- Fix editor of EFI system encryption configuration file not accepting ENTER key to add new lines.
- Avoid simultaneous calls of favorites mounting, for example if corresponding hotkey is pressed multiple times.
- Ensure that only one thread at a time can create a secure desktop.
- Resize some dialogs in Format and Mount Options to to fix some text truncation issues with non-English languages.
- Fix high CPU usage when using favorites and add switch to disable periodic check on devices to reduce CPU load.
- Minor UI changes.
- Updates and corrections to translations and documentation.
- MacOSX:
- Add check on size of file container during creation to ensure it's smaller than available free disk space. Add CLI switch --no-size-check to disable this check.
- Linux:
- Make CLI switch --import-token-keyfiles compatible with Non-Interactive mode.
- Add check on size of file container during creation to ensure it's smaller than available free disk space. Add CLI switch --no-size-check to disable this check.
1.23-Hotfix-2 (October 8th, 2018):
- Windows:
- Fix low severity vulnerability inherited from TrueCrypt that allowed reading 3 bytes of kernel stack memory (with a rare possibility of 25 additional bytes).
- Reported by Tim Harrison.
- Disable quick format when creating file containers from command line. Add /quick switch to enable it in this case if needed.
- Add /nosizecheck switch to disable checking container size against available free space during its creation.
- This enables to workaround a bug in Microsoft Distributed File System (DFS).
1.23 (September 12th, 2018):
- Windows:
- VeraCrypt is now compatible with default EFI SecureBoot configuration for system encryption.
- Fix EFI system encryption issues on some machines (e.g. HP, Acer).
- Support EFI system encryption on Windows LTSB.
- Add compatibility of system encryption with Windows 10 upgrade using ReflectDrivers mechanism
- Make EFI Rescue Disk decrypt partition correctly when Windows Repair overwrites first partition sector.
- Add Driver option in the UI to explicitly allow Windows 8.1 and Windows 10 defragmenter to see VeraCrypt encrypted disks.
- Add internal verification of binaries embedded signature to protect against some types to tampering attacks.
- Fix Secure Desktop not working for favorites set to mount at logon on Windows 10 under some circumstances.
- when Secure Desktop is enabled, use it for Mount Options dialog if it is displayed before password dialog.
- when extracting files in Setup or Portable mode, decompress zip files docs.zip and Languages.zip in order to have ready to use configuration.
- Display a balloon tip warning message when text pasted to password field is longer than maximum length and so it will be truncated.
- Implement language selection mechanism at the start of the installer to make easier for international users.
- Add check on size of file container during creation to ensure it's smaller than available free disk space.
- Fix buttons at the bottom not shown when user sets a large system font under Window 7.
- Fix compatibility issues with some disk drivers that don't support IOCTL_DISK_GET_DRIVE_GEOMETRY_EX ioctl.
- MacOSX:
- Support pasting values to password fields using keyboard (CMD+V and CMD+A now working properly).
- Add CheckBox in mount option dialog to force the use of embedded backup header during mount.
- When performing backup of volume header, automatically try to use embedded backup header if using the main header fails.
- Implement benchmarking UI for Hash and PKCS-5 PRF algorithms.
- Linux:
- Don't allow waiting dialog to be closed before the associated operation is finished. This fix a crash under Lubuntu 16.04.
- Add CheckBox in mount option dialog to force the use of embedded backup header during mount.
- When performing backup of volume header, automatically try to use embedded backup header if using the main header fails.
- Implement benchmarking UI for Hash and PKCS-5 PRF algorithms.
- Remove limitation of hidden volume protection on disk with sector size larger than 512 bytes.
1.22 (March 30th, 2018):
- All OSs:
- SIMD speed optimization for Kuznyechik cipher implementation (up to 2x speedup).
- Add 5 new cascades of cipher algorithms: Camellia-Kuznyechik, Camellia-Serpent, Kuznyechik-AES, Kuznyechik-Serpent-Camellia and Kuznyechik-Twofish.
- Windows:
- MBR Bootloader: Fix failure to boot hidden OS on some machines.
- MBR Bootloader: Reduce CPU usage during password prompt.
- Security enhancement: Add option to block TRIM command for system encryption on SSD drives.
- Implement TRIM support for non-system SSD drives and add option to enable it (TRIM is disabled by default for non-system volumes).
- Better fix for "Parameter Incorrect" issues during EFI system encryption in some machines.
- Driver: remove unnecessary dependency to wcsstr which can cause issues on some machines.
- Driver: Fix "Incorrect Parameter" error when mounting volumes on some machines.
- Fix failure to mount system favorites during boot on some machines.
- Fix current application losing focus when VeraCrypt is run in command line with /quit /silent switches.
- Fix some cases of external applications freezing during mount/dismount.
- Fix rare cases of secure desktop for password dialog not visible which caused UI to block.
- Update libzip to version 1.5.0 that include fixes for some security issues.
- Extend Secure Desktop feature to smart card PIN entry dialog.
- Fix truncated license text in installer wizard.
- Add portable package that allows extracting binaries without asking for admin privileges.
- Simplify format of language XML files.
- Workaround for cases where password dialog doesn't get keyboard focus if Secure Desktop is not enabled.
- Linux:
- Fix failure to install GUI version under recent versions of KDE.
- Fix wxWidgets assertion failed when backing up/restoring volume header.
- MacOSX:
- Fix issue preventing some local help files from opening in the browser.
1.21 (July 9th, 2017):
- All OSs:
- Fix 1.20 regression crash when running on CPU not supporting extended features.
- Windows:
- Fix 1.20 regression that caused PIM value stored in favorites to be ignored during mount.
- Fix 1.20 regression that causes system favorites not to mount in some cases.
- Fix some cases of "Parameter Incorrect" error during EFI system encryption wizard.
- Install PDF documents related to EFI system encryption configuration for advanced users:
- disk_encryption_v1_2.pdf related to EFI hidden OS and full fisk encryption
- dcs_tpm_owner_02.pdf related to TPM configuration for EFI system encryption.
FreeBSD:
- Add support for building on FreeBSD.
1.20 (June 29th, 2017):
- All OSs:
- Use 64-bit optimized assembly implementation of Twofish and Camellia by Jussi Kivilinna.
- Camellia 2.5 faster when AES-NI supported by CPU. 30% faster without it.
- Use optimized implementation for SHA-512/SHA256.
- 33% speedup on 64-bit systems.
- Deploy local HTML documentation instead of User Guide PDF.
- Change links in UI from ones on Codeplex to ones hosted at veracrypt.fr
- Security: build binaries with support for Address Space Layout Randomization (ASLR).
- Windows:
- Several fixes and modifications for EFI System Encryption:
- Fix bug in EFI system decryption using EFI Rescue Disk
- Add support for TPM 1.2 and TPM 2.0 (experimental) through DCS low level configuration.
- Add Support for EFI full disk encryption and hidden OS using manual procedure (not exposed in UI).
- Enable using Secure Desktop for password entry. Add preferences option and command line switch (/secureDesktop) to activate it.
- Use default mount parameters when mounting multiple favorites with password caching.
- Enable specifying PRF and TrueCryptMode for favorites.
- Preliminary driver changes to support EFI hidden OS functionality.
- Fix Streebog not recognized by /hash command line.
- Add support for ReFS filesystem on Windows 10 when creating normal volumes
- Fix high CPU usage when favorite configured to mount with VolumeID on arrival.
- Use CHM file for User Guide instead of PDF.
- Fix false warning in case of EFI system encryption about Windows not installed on boot drive.
- Enhancements to driver handling of various disk IOCTL.
- Enhancements to EFI bootloader. Add possibility to manually edit EFI configuration file.
- Driver Security: Use enhanced protection of NX pool under Windows 8 and later.
- Reduce performance impact of internal check for disconnected network drives.
- Minor fixes.
MacOSX:
- OSX 10.7 or newer is required to run VeraCrypt.
- Make VeraCrypt default handler of .hc & .tc files.
- Add custom VeraCrypt icon to .hc and .tc files in Finder.
- Check TrueCryptMode in password dialog when opening container file with .tc extension.
Linux:
- Check TrueCryptMode in password dialog when opening container file with .tc extension.
- Fix executable stack in resulting binary which was caused by crypto assembly files missing the GNU-stack note.
1.19 (October 17th, 2016):
- All OSs:
- Fix issues raised by Quarkslab audit.
- Remove GOST89 encryption algorithm.
- Make PBKDF2 and HMAC code clearer and easier to analyze.
- Add test vectors for Kuznyechik.
- Update documentation to warn about risks of using command line switch ”tokenpin”.
- Use SSE2 optimized Serpent algorithm implementation from Botan project (2.5 times faster on 64-bit platforms).
- Windows:
- Fix keyboard issues in EFI Boot Loader.
- Fix crash on 32-bit machines when creating a volume that uses Streebog as PRF.
- Fix false positive detection of Evil-Maid attacks in some cases (e.g. hidden OS creation)
- Fix failure to access EFS data on VeraCrypt volumes under Windows 10.
- Fix wrong password error in the process of copying hidden OS.
- Fix issues raised by Quarkslab audit:
- Fix leak of password length in MBR bootloader inherited from TrueCrypt.
- EFI bootloader: Fix various leaks and erase keyboard buffer after password is typed.
- Use libzip library for handling zip Rescue Disk file instead of vulnerable XUnzip library.
- Support EFI system encryption for 32-bit Windows.
- Perform shutdown instead of reboot during Pre-Test of EFI system encryption to detect incompatible motherboards.
- Minor GUI and translations fixes.
- MacOSX:
- Remove dependency to MacFUSE compatibility layer in OSXFuse.
1.18a (August 17th, 2016):
- All OSs:
- Support Japanese encryption standard Camellia, including for Windows system encryption (MBR & EFI).
- Support Russian encryption and hash standards Kuznyechik, Magma and Streebog, including for Windows EFI system encryption.
- Fix TrueCrypt vulnerability allowing detection of hidden volumes presence (reported by Ivanov Aleksey Mikhailovich, alekc96 [at] mail dot ru)
- To avoid hinting whether your volumes contain a hidden volume or not, or if you depend on plausible deniability when using hidden volumes/OS, then you must recreate both the outer and hidden volumes including system encryption and hidden OS, discarding existing volumes created prior to 1.18a version of VeraCrypt.
- Windows:
- Support EFI Windows system encryption (limitations: no hidden os, no boot custom message)
- Enhanced protection against dll hijacking attacks.
- Fix boot issues on some machines by increasing required memory by 1 KiB
- Add benchmarking of hash algorithms and PRF with PIM (including for pre-boot).
- Move build system to Visual C++ 2010 for better stability.
- Workaround for AES-NI support under Hyper-V on Windows Server 2008 R2.
- Correctly remove driver file veracrypt.sys during uninstall on Windows 64-bit.
- Implement passing smart card PIN as command line argument (/tokenpin) when explicitly mounting a volume.
- When no drive letter specified, choose A: or B: only when no other free drive letter is available.
- Reduce CPU usage caused by the option to disable use of disconnected network drives.
- Add new volume ID mechanism to be used to identify disks/partitions instead of their device name.
- Add option to avoid PIM prompt in pre-boot authentication by storing PIM value unencrypted in MBR.
- Add option and command line switch to hide waiting dialog when performing operations.
- Add checkbox in "VeraCrypt Format" wizard GUI to skip Rescue Disk verification during system encryption procedure.
- Allow files drag-n-drop when VeraCrypt is running as elevated process.
- Minor GUI and translations fixes.
- Linux:
- Fix mount issue on Fedora 23.
- Fix mount failure when compiling source code using gcc 5.x.
- Adhere to XDG Desktop Specification by using XDG_CONFIG_HOME to determine location of configuration files.
- MacOSX:
- Solve compatibility issue with newer versions of OSXFuse.
1.17 (February 13th, 2016):
- All OSs:
- Support UNICODE passwords: all characters are now accepted in passwords (except Windows system encryption)
- Cut mount/boot time by half thanks to a clever optimization of key derivation (found by
Xavier de Carné de Carnavalet)
- Optimize Whirlpool PRF speed by using assembly (25% speed gain compared to previous code).
- Add support for creating exFAT volumes.
- Add GUI indicator for the amount of randomness gathered using mouse movement.
- Include new icons and graphics contributed by Andreas Becker (http://www.andreasbecker.de)
- Windows:
- Fix dll hijacking issue affecting installer that allows code execution with elevation of privilege (CVE-2016-1281). Reported by Stefan Kanthak (http://home.arcor.de/skanthak/)
- Sign binaries using both SHA-1 and SHA-256 to follow new Microsoft recommendations.
- Solve issues under Comodo/Kaspersky when running an application from a VeraCrypt volume (Reported and fixed by Robert Geisler).
- Bootloader: Protect password/PIM length by filling the fields to maximum length with '*' after ENTER
- Solve issue with system favorites not being able to be mounted to drive A:
- Solve lost focus issues for after displaying the waiting dialog
- Solve rare issue where some partitions where asscoiated with wrong disk the "Select Device" dialog.
- Implement PIM caching, for both system encryption and normal volumes. Add option to activate it.
- Don't try mounting using cached passwords if password and/or keyfile are specified in the command line.
- Internal rewrite to make VeraCrypt native UNICODE application.
- Workaround to avoid false positive detection by some anti-virus software.
- Hide disconnected network drives in the list of available drives. Add option to make them available for mounting.
- Solve issue that caused in some cases configuration and history XML files to be updated even when not needed.
- Fix leak of path of selected keyfiles in RAM.
- Fix TB unit can't be deselected in VeraCryptExpander.
- Add Alt+i keyboard shortcut for "Use PIM" checkbox in GUI.
- Minor GUI and translations fixes.
- Linux/MacOSX:
- Fix issue of --stdin option not handling correctly passwords that contain a space character (reported and fixed by Codeplex user horsley1953).
- Fix issue creating volumes using command line with a filesystem other than FAT.
- Support K/M/G/T suffixes for --size switch to indicate unit to use for size value.
1.16 (October 7th, 2015):
- Windows:
- Modify patch for CVE-2015-7358 vulnerability to solve side effects on Windows while still making it very hard to abuse drive letter handling.
- Fix failure to restore volume header from an external file in some configurations.
- Add option to disable “Evil Maid” attack detection for those encountering false positive cases (e.g. FLEXnet/Adobe issue).
- By default, don’t try to mount using empty password when default keyfile configured or keyfile specified in command line. Add option to restore the old behavior.
- If mounting using empty password is needed, explicitly specify so in the command line using: /p ""
1.15 (September 26th, 2015):
- Windows:
- Fix two TrueCrypt vulnerabilities reported by James Forshaw (Google Project
Zero)
- CVE-2015-7358 (critical): Local Elevation of Privilege on Windows by
abusing drive letter handling. - CVE-2015-7359: Local Elevation of Privilege on Windows caused by
incorrect Impersonation Token Handling.
- Fix regression in mounting of favorite volumes at user logon.
- Fix display of some Unicode languages (e.g. Chinese) in formatting wizard.
- Set keyboard focus to PIM field when "Use PIM" is checked.
- Allow Application key to open context menu on drive letters list
- Support specifying volumes size in TB in the GUI (command line already supports this)
1.14 (September 16th, 2015):
- All OSs:
- Mask and unmask PIM value in GUI and bootloader like the password.
- Windows:
- Solve Rescue Disk damaged error when using cascade ciphers and SHA256 for system encryption.
- Solve option "Cache password in drive memory" always disabled even if checked in preferences.
- Solve UI language change not taken into account for new install unless a preference is changed.
- Implement creating file containers using command line.
- Driver: disable support of IOCTL_STORAGE_QUERY_PROPERTY by default and add option to enable it.
- Driver: Support returning StorageDeviceProperty when queried through IOCTL_STORAGE_QUERY_PROPERTY.
- Support setting volume label in Explorer through mount option or favorite label value.
- Fix for Hot Keys assignment dialog issue where OEM-233 is always displayed and can't be changed.
- Always copy both 32-bit and 64-bit executable binaries during install and in Traveler Disk Setup.
- Traveler Disk will again use 32-bit exe by default while also offering 64-bit exe.
- On Windows 64-bit, 32-bit exe files are now available(e.g. if needed to use 32-bit PKCS#11 dll)
- Include Volume Expander in Traveler Disk Setup.
- Don't offer creating a restore point if it is disabled in Windows.
- Add possibility to verify a Rescue Disk ISO image file.
- Minors fixes in the installer, GUI and driver.
- Linux:
- Support supplying password using stdin in non interactive mode (contributed by
LouisTakePILLz)
- Example:
veracrypt -t ${IMAGE_PATH} ${MOUNT_PATH} --mount --non-interactive --stdin <<< "$PWD"
1.13 (August 9th, 2015):
- Windows:
- Solve TOR crashing when run from a VeraCrypt volume.
1.12 (August 5th, 2015):
- All OSs:
- Implement "Dynamic Mode" by supporting a Personal Iterations Multiplier (PIM). See documentation for more information.
- Windows:
- Detect Boot Loader tampering ("Evil Maid" attacks) for system encryption and propose recovery options.
- Fix buffer overrun issue and other memory related bugs when parsing language XML files.
- Fix wrongly reported bad sectors by chkdsk caused by a bug in IOCTL_DISK_VERIFY handling.
- Fix privacy issue caused by configuration and history files being updated whenever VeraCrypt is used (reported by Liran Elharar)
- Fix system favorites not always mounting after cold start.
- Solve installer error when updating VeraCrypt on Windows 10.
- Implement decryption of non-system partition/drive.
- Include 64-bit exe files in the installer and deploy them on 64-bit machines for better performances.
- Allow using drive letters A: and B: for mounting volumes
- Make command line argument parsing more strict and robust (e.g. /lz rejected, must be /l z)
- Add possibility to show system encryption password in Windows GUI and bootloader
- Solve "Class Already exists" error that was happening for some users.
- Solve some menu items and GUI fields not translatable
- Make volumes correctly report Physical Sector size to Windows.
- Correctly detect switch user/RDP disconnect operations for autodismount on session locked.
- Add manual selection of partition when resuming in-place encryption.
- Add command line option (/cache f) to temporarily cache password during favorites mounting.
- Add waiting dialog for Auto-Mount Devices operations to avoid freezing GUI.
- Add extra information to displayed error message in order to help analyze reported issues.
- Disable menu entry for changing system encryption PRF since it's not yet implemented.
- Fix failure to change password when UAC required (inherited from TrueCrypt)
- Minor fixes and changes (see Git history for more details)
- Linux:
- Solve installer issue under KDE when xterm not available
- Fix warnings on about/LegalNotice dialogs when wxWidgets linked dynamically (N/A for official binary)
- Support hash names with '-' in command line (sha-256, sha-512 and ripemd-160)
- Remove "--current-hash" switch and add "--new-hash" to be more coherent with existing switches.
- When only keyfile specified in command line, don't try to mount using empty password.
- If mounting using empty password is needed, explicitly specify so using: -p ""
1.0f-2(April 5th, 2015):
- All OSs:
- Mounting speed improvement, up to 20% quicker on 64-bit (contributed by Nils Maier)
- Add option to set default hash/TrueCryptMode used for mounting volumes.
- Use TrueCryptMode/Hash specified in command line in password dialog.
- Windows:
- Solve CryptAcquireContext vulnerability reported by Open Crypto Audit Phase II.
- Proper handling of random generator failures. Inform user in such cases.
- TrueCrypt Mode related changes:
- Support mounting TrueCrypt system partition (no conversion yet)
- Support TrueCrypt volumes as System Favorites.
- Correct displaying wrong TrueCrypt mode in volume properties when SHA-256 is used.
- Solve PIN BLOCKED issue with smart cards in a special case.
- Correctly handle file access errors when mounting containers.
- Solve several issues reported by the Static Code Analysis too Coverity.
- Bootloader: Add "Verifying Password..." message.
- When UAC prompt fails (for example timeout), offer the user to retry the operation.
- Uninstall link now open the standard "Add/Remove Programs" window.
- On uninstall, remove all VeraCrypt references from registry and disk.
- Included VeraCryptExpander in the Setup.
- Add option to temporary cache password when mounting multiple favorites.
- Minor fixes and enhancements (see git history for more information)
- MacOSX:
- Solve issue volumes not auto-dismounting when quitting VeraCrypt.
- Solve issue VeraCrypt window not reopening by clicking dock icon.
- Linux/MacOSX:
- Solve preferences dialog not closing when clicking on the 'X' icon.
- Solve read-only issue when mounting non-FAT volumes in some cases.
- Support opening/exploring mounted volumes on desktops other than Gnome/KDE.
- Solve various installer issues when running on less common configurations
- Minor fixes (see git history for more information)
1.0f-1 (January 4th, 2015)
- All OSs:
- Add support for old TrueCrypt 6.0.
- Change naming of cascades algorithms in GUI for a better description.
- Linux/MacOSX:
- Make cancel button of the preference dialog working.
- Solve impossibility to enter a one digit size for the volume.
- Add wait dialog to the benchmark calculation.
- Windows:
- Add TrueCrypt mode to the mounted volume information.
- For Windows XP, correct the installer graphical artefacts.
1.0f (December 30, 2014)
- All OSs:
- Add support for mounting TrueCrypt volumes.
- Add support for converting TrueCrypt containers and non-system partitions.
- Add support for SHA-256 for volume encryption.
- Make SHA-512 the default key derivation algorithm and change the order of preference of derivation algorithms : SHA-512 -> Whirlpool -> SHA-256 -> RIPEMD160
- Deprecate RIPEMD160 for non-system encryption.
- Speedup mount operation by enabling choice of correct hash algorithm.
- Display a wait dialog during lengthy operations to avoid freezing the GUI.
- Implement creation of multiple keyfiles at once, with predefined or random size.
- Always display random gathering dialog before performing sensitive operations.
- Links in the application now points to the online resources on Codeplex
- First version of proper VeraCrypt User Guide
- MacOSX:
- Implement support for hard drives with a large sector size (> 512).
- Link against new wxWidgets version 3.0.2.
- Solve truncated text in some Wizard windows.
- Linux:
- Add support of NTFS formatting of volumes.
- Correct issue on opening of the user guide PDF.
- Better support for hard drives with a large sector size (> 512).
- Link against new wxWidgets version 3.0.2.
- Windows:
- Security: fix vulnerability in bootloader detected by Open Crypto Audit and make it more robust.
- Add support for SHA-256 in system boot encryption.
- Various optimizations in bootloader.
- Complete fix of ShellExecute security issue.
- Kernel driver: check that the password length received from bootloader is less or equal to 64.
- Correct a random crash when clicking the link for more information on keyfiles
- Implement option to auto-dismount when user session is locked
- Add self-test vectors for SHA-256
- Modern look-and-feel by enabling visual styles
- few minor fixed.
1.0e (September 4, 2014)
- Improvements and bug fixes:
- Correct most of the security vulnerabilities reported by the Open Crypto Audit Project.
- Correct security issues detected by Static Code Analysis, mainly under Windows.
- Correct issue of unresponsiveness when changing password/key file of a volume. Reduce overall time taken for creating encrypted volume/partition.
- Minor improvements and bug fixes (look at git history for more details).
1.0d (June 3, 2014)
- Improvements and bug fixes:
- Correct issue while creating hidden operating system.
- Minor improvements and bug fixes.