VeraCrypt Versions Save

• Security: Ensure that XTS primary key is different from the secondary key when creating volumes
  • Issue unlikely to happen thanks to random generator properties but this check must be added to prevent attacks
  • Reference: CCSS,NSA comment at page 3: https://csrc.nist.gov/csrc/media/Projects/crypto-publication-review-project/documents/initial-comments/sp800-38e-initial-public-comments-2021.pdf
• Remove TrueCrypt Mode support. Version 1.25.9 can be used to mount or convert TrueCrypt volumes.
• Complete removal of RIPEMD160 and GOST89 algorithms. Legacy volumes using any of them cannot be mounted by VeraCrypt anymore.
• Add support for BLAKE2s as new PRF algorithm for both system encryption and standard volumes.
• Introducing support for EMV banking smart cards as keyfiles for non-system volumes.
  • No need for a separate PKCS#11 module configuration.
  • Card PIN isn't required.
  • Generates secure keyfile content from unique, encoded data present on the banking card.
  • Supports all EMV standard-compliant banking cards.
  • Can be enabled in settings (go to Settings->Security Tokens).
  • Developed by a team of students from the Institut national des sciences appliquées de Rennes.
  • More details about the team and the project are available at https://projets-info.insa-rennes.fr/projets/2022/VeraCrypt/index_en.html.
• When overwriting an existing file container during volume creation, add its current size to the available free space
• Add Corsican language support. Update several translations.
• Update documentation

• Officially, the minimum supported version is now Windows 10. VeraCrypt may still run on Windows 7 and Windows 8/8.1, but no active tests are done on these platforms.
• EFI Bootloader:
  • Fix bug in PasswordTimeout value handling that caused it to be limited to 255 seconds.
  • Rescue Disk: enhance "Boot Original Windows Loader" by using embedded backup of original Windows loader if it is missing from disk
  • Addition of Blake2s and removal of RIPEMD160 & GOST89
• Enable memory protection by default. Add option under Performance/Driver Configuration to disable it if needed.
  • Memory protection blocks non-admin processes from reading VeraCrypt memory
  • It may block Screen Readers (Accessibility support) from reading VeraCrypt UI, in which case it can be disabled
  • It can be disabled by setting registry value "VeraCryptEnableMemoryProtection" to 0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\veracrypt
• Add process mitigation policy to prevent VeraCrypt from being injected by other processes
• Minor enhancements to RAM Encryption implementation
• Fix Secure Desktop issues under Windows 11 22H2
• Implement support for mounting partially encrypted system partitions.
• Fix false positive detection of new device insertion when Clear Encryption Keys option is enable (System Encryption case only)
• Better implementation of Fast Create when creating file containers that uses UAC to request required privilege if not already held
• Allow choosing Fast Create in Format Wizard UI when creating file containers
• Fix formatting issues during volume creation on some machines.
• Fix stall issue caused by Quick Format of large file containers
• Add dropdown menu to Mount button to allow mounting without using the cache.
• Possible workaround for logarithmic slowdown for Encrypt-In-Place on large volumes.
• Make Expander first check file existence before proceeding further
• Allow selecting size unit (KB/MB/GB) for generated keyfiles
• Display full list of supported cluster sizes for NTFS, ReFS and exFAT filesystems when creating volumes
• Support drag-n-drop of files and keyfiles in Expander.
• Implement translation of Expander UI
• Replace legacy file/dir selection APIs with modern IFileDialog interface for better Windows 11 compatibility
• Enhancements to dependency dlls safe loading, including delay loading.
• Remove recommendation of keyfiles files extensions and update documentation to mention risks of third-party file extensions.
• Add support for more language in the setup installer
• Update LZMA library to version 23.01
• Update libzip to version 1.10.1 and zlib to version 1.3.

• Linux:
  • Fix bug in Random generator on Linux when used with Blake2s that was triggering a self test failure.
  • Modify Random Generator on Linux to exactly match official documentation and the Windows implementation.
  • Fix compatibility issues with Ubuntu 23.04.
  • Fix assert messages displayed when using wxWidgets 3.1.6 and newer.
  • Fix issues launching fsck on Linux.
  • Fix privilege escalation prompts being ignored.
  • Fix wrong size for hidden volume when selecting the option to use all free space.
  • Fix failure to create hidden volume on a disk using CLI caused by wrong maximum size detection.
  • Fix various issues when running in Text mode:
    • Don't allow selecting exFAT/BTRFS filesytem if they are not present or not compatible with the created volume.
    • Fix wrong dismount message displayed when mounting a volume.
    • Hide PIM during entry and re-ask PIM when user entered a wrong value.
    • Fix printing error when checking free space during volume creation in path doesn't exist.
  • Use wxWidgets 3.2.2.1 for static builds (e.g. console only version)
  • Fix compatibility of generic installers with old Linux distros
  • Update help message to indicate that when cascading algorithms they must be separated by dash
  • Better compatibility with building under Alpine Linux and musl libc
• macOS:
  • Fix issue of VeraCrypt window becoming unusable in use cases involving multiple monitors and change in resolution.

All OSes:

• Update translations (Chinese, Dutch, French, German, Turkish).

Windows:

• Make MSI installer compatible with system encryption (Issue #869).
• Set minimum support for MSI installation to Windows 7.
• Fix failure to create Traveler Disk when VeraCrypt is installed using MSI (Issue #886).
• Don't cache the outer volume password when mounting with hidden volume protection if wrong hidden volume password was specified.
• Reduce the size of EXE installers by almost 50% by using LZMA compression instead of DEFLATE.
• Fix double-clicking mounted drive in VeraCrypt UI not working in some special Windows configurations (Issue #873).
• Add registry key to fix BSOD during shutdown/reboot on some machines when using system encryption (Issue #871).
  • Under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\veracrypt", create a REG_DWORD value named "VeraCryptEraseKeysShutdown".
  • Setting this registry value to 0 disables erasing system encryption keys which is the cause of BSOD during shutdown on some machines.

Linux:

• Fix hidden volume settings not correctly displayed when enabling hidden volume protection in mount options window.
• Fix generic Linux installer overwriting /usr/sbin if it is a symlink (Issue #888).
• Fix crash when building with _GLIBCXX_ASSERTIONS defined (Issue #896).
• Enable building from source without AES-NI support (Issue #892).

MacOSX:

• Fix hidden volume settings not correctly displayed when enabling hidden volume protection in mount options window.

All OSes:

• Update translations.

Windows:

• Restore support of Windows Vista, Windows 7 and Windows 8/8.1.
  • Windows 7 support requires that either KB3033929 or KB4474419 is installed.
  • Windows Vista support requires that either KB4039648 or KB4474419 is installed.
• MSI installation only: Fix double-clicking .hc file container inserting %1 instead of volume name in path field.
• Advanced users: Add registry settings to control driver internal encryption queue to allow tuning performance for SSD disks and having better stability under heavy load.
  • Under registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\veracrypt:
    • VeraCryptEncryptionFragmentSize (REG_DWORD): size of encryption data fragment in KiB. Default is 256. Maximum is 2048.
    • VeraCryptEncryptionIoRequestCount (REG_DWORD): maximum number of parallel I/O requests. Default is 16. Maximum is 8192.
    • VeraCryptEncryptionItemCount (REG_DWORD): maximum number of encryption queue items processed in parallel. Default as well as maximum is half of VeraCryptEncryptionIoRequestCount.
  • The triplet (FragmentSize=512, IoRequestCount=128, ItemCount=64) is an example of parameters that enhance sequential read speed on some SSD NVMe systems.
• Fix truncate text in installer for some languages.

MacOSX:

• Fix resource files inside VeraCrypt application bundle (e.g. HTML documentation, languages XML files) being world-writable. (Reported by Niall O'Reilly)

All OSes:

• Speed optimization of Streebog.
• Update translations.

Windows:

• Add support for Windows on ARM64 (e.g. Microsoft Surface Pro X) but system encryption not yet supported.
• Add MSI installer for silent mode deployment (ACCEPTLICENSE=YES must be set in msiexec command line).
  • For now, MSI installer cannot be used if system partition is encrypted with VeraCrypt
  • MSI installer requires Windows 10 or newer
• Drop support of Windows Vista, Windows 7, Windows 8 and Windows 8.1 because of new requirement for driver code signing.
• Reduce time of mount when PRF auto-detection is selected.
• Fix potential memory corruption in driver caused by integer overflow in IOCTL_STORAGE_MANAGE_DATA_SET_ATTRIBUTES (reported by Ilja van Sprundel).
• Replace insecure wcscpy/wcscat/strcpy runtime functions with secure equivalents.
• Changes EFI Bootloader:
  • Fix memory leak in some cases caused by wrong check of pointer for calling MEM_FREE
  • Clear bootParams variable that may contain sensitive information when halting the system in case of fatal error
  • Add option "KeyboardInputDelay" in DcsProp to control the minimum delay supported between two key strokes
• Try to workaround Windows Feature Updates issues with system encryption by fixing of bootloader and SetupConfig.ini when system resumes or when session is opened/unlocked
• Fix failure to load local HTML documentation if application running with administrative privileges
• Fix freeze when password dialog displayed in secure desktop and try to access token keyfiles protected by PIN
• Fix failure to launch keyfile generator in secure desktop mode
• Block Windows from resizing system partition if it is encrypted
• Add keyboard shortcut to "TrueCrypt mode" in the mount dialog.

MacOSX:

• Native support of Apple Silicon M1.
• Drop official support of Mac OS X 10.7 Lion and Mac OS X 10.8 Mountain Lion.
• Add UI language support using installed XML files. Language is automatically detected using "LANG" environment variable.
• Add CLI switch (--size=max) and UI option to give a file container all available free space on the disk where it is created.
• Return error if unknown filesystem value specified in CLI --filesystem switch instead of silently skipping filesystem creation.

Linux:

• Add UI language support using installed XML files. Language is automatically detected using "LANG" environment variable
• Compatiblity with with pam_tmpdir.
• Display icon in notification area on Ubuntu 18.04 and newer (contibuted by https://unit193.net/).
• Add CLI switch (--size=max) and UI option to give a file container all available free space on the disk where it is created.
• Return error if unknown filesystem value specified in CLI --filesystem switch instead of silently skipping filesystem creation.

FreeBSD:

• Make system devices work under FreeBSD
• Add CLI switch (--size=max) and UI option to give a file container all available free space on the disk where it is created.
• Return error if unknown filesystem value specified in CLI --filesystem switch instead of silently skipping filesystem creation.

OpenBSD:

• Add basic support of OpenBSD
• Add CLI switch (--size=max) and UI option to give a file container all available free space on the disk where it is created.
• Return error if unknown filesystem value specified in CLI --filesystem switch instead of silently skipping filesystem creation.

• Fix compatibility issues with macOS Big Sur, especially on Apple Silicon M1 with macFUSE 4.0.x (#699 )

Windows:

• Fix regression in Expander and Format when RAM encryption is enable that was causing volume headers to be corrupted.

All OSes:

• Don't allow Hidden volume to have the same password, PIM and keyfiles as Outer volume
• Fix random crash in 32-bit builds when using Streebog.
• Enable FIPS mode in JitterEntropy random generator.
• Update Beginner's Tutorial in documentation to use "MyVolume.hc" instead of "My Volume" for file container name in order to avoid confusion about nature of file nature.
• Minor code cleanup

Windows:

• Fix wrong results in benchmark of encryption algorithms when RAM encryption is enabled
• Fix issue when RAM encryption used, AES selected and AES-NI not supported by CPU that caused the free space of newly created volumes not filled with random data even if "quick format" is not selected.
• Fix UI for blocking TRIM in system encryption not working in MBR boot mode.
• Support password drag-n-drop from external applications (e.g. KeePass) to password UI fields which is more secure than using clipboard.
• Implements compatibility with Windows 10 Modern Standby and Windows 8.1 Connected Standby power model. This makes detection of entering power saving mode more reliable.
• Avoid displaying waiting dialog when /silent specified for "VeraCrypt Format" during creating of file container using /create switch and a filesystem other than FAT.
• Use native Windows format program to perform formatting of volume since it is more reliable and only fallback to FormatEx function from fmifs.dll in case of issue.
• Don't use API for Processor Groups support if there is only 1 CPU group in the system. This can fix slowness issue observed on some PCs with AMD CPUs.
• Don't allow to encrypt the system drive if it is already encrypted by BitLocker.
• Implement detection of Hibernate and Fast Startup and disable them if RAM encryption is activated.
• Warn about Fast Startup if it is enabled during VeraCrypt installation/upgrade, when starting system encryption or when creating a volume, and propose to disable it.
• Add UI options to control the behavior of automatic bootloader fixing when System Encryption used.
• Don't allow a directory path to be entered for the file container to be created in Format wizard.
• Don't try to use fix for CVE-2019-19501 if Windows Shell has been modified or is not running since there is no reliable way to fix it in such non standard configuation.
• MBR bootloader: fix incorrect compressed data size passed to decompressor in boot sector.
• Add warning message when typed password reaches maximum length during the system encryption wizard.
• Fix wrong error message when UTF-8 encoding of entered password exceeds the maximum supported length.
• Fix crash when using portable 32-bit "VeraCrypt Format.exe" to create hidden volume on a 64-bit machine where VeraCrypt is already installed.
• Update libzip to latest version 1.7.3.
• Update translations.

Linux/MacOSX:

• Force reading of at least 32 bytes from /dev/random before allowing it to fail gracefully
• Allow choosing a filesystem other than FAT for Outer volume but display warning about risks of such choice. Implement an estimation of maximum possible size of hidden volume in this case.
• Erase sensitive memory explicitly instead of relying on the compiler not optimizing calls to method Memory::Erase.
• Add support for Btrfs filesystem when creating volumes (Linux Only).
• Update wxWidgets for static builds to version 3.0.5.

• Fix PIM label text truncation in password dialog
• Fix wrong language used in installer if user selects a language other than English and then selects English before clicking OK on language selection dialog.

• Optimize performance for CPUs that have more than 64 logical processors (contributed by Sachin Keswani from AMD)
• Support specifying keyfiles (both in tokens and in filesystem) when creating file containers using command line (switches /keyfile, /tokenlib and /tokenpin supported in VeraCrypt Format)
• Fix leak of keyfiles path and name after VeraCrypt process exits.
• Add CLI switch /secureDesktop to VeraCrypt Format.
• Update libzip to version 1.6.1
• Minor UI fixes

Windows:

• Fix regression in Expander and Format when RAM encryption is enable that was causing volume headers to be corrupted.
• Fix failure of Screen Readers (Accessibility support) to read UI by disabling newly introduced memory protection by default and adding a CLI switch (/protectMemory) to enable it when needed.
• Fix side effects related to the fix for CVE-2019-19501 which caused links in UI not to open.
• Add switch /signalExit to support notifying WAITFOR Windows command when VeraCrypt.exe exits if /q was specified in CLI (cf documentation for usage).
• Don't display mount/dismount examples in help dialog for command line in Format and Expander.
• Documentation and translation updates.

Linux:

• Fix console-only build to remove dependency on GTK that is not wanted on headless servers.
• Fix regression that limited the size available for hidden volumes created on disk or partition.

MacOSX:

• Fix regression that limited the size available for hidden volumes created on disk or partition.

All OSs:

• clear AES key from stack memory when using non-optimized implementation. Doesn't apply to VeraCrypt official build (Reported and fixed by Hanno Böck)
• Update Jitterentropy RNG Library to version 2.2.0
• Start following IEEE 1541 agreed naming of bytes (KiB, MiB, GiB, TiB, PiB).
• Various documentation enhancements.

Windows:

• Fix possible local privilege escalation vulnerability during execution of VeraCrypt Expander (CVE-2019-19501)
• MBR bootloader:
  • workaround for SSD disks that don't allow write operations in BIOS mode with buffers less than 4096 bytes.
  • Don't restore MBR to VeraCrypt value if it is coming from a loader different from us or different from Microsoft one.
• EFI bootloader:
  • Fix "ActionFailed" not working and add "ActionCancelled" to customize handling of user hitting ESC on password prompt
  • Fix F5 showing previous password after failed authentication attempt. Ensure that even wrong password value are cleared from memory.
• Fix multi-OS boot compatibility by only setting VeraCrypt as first bootloader of the system if the current first bootloader is Windows one.
• Add new registry flags for SystemFavoritesService to control updating of EFI BIOS boot menu on shutdown.
• Allow system encrypted drive to be mounted in WindowsPE even if changing keyboard layout fails (reported and fixed by Sven Strickroth)
• Enhancements to the mechanism preserving file timestamps, especially for keyfiles.
• Fix RDRAND instruction not detected on AMD CPUs.
• Detect cases where RDRAND is flawed (e.g. AMD Ryzen) to avoid using it if enabled by user.
• Don't write extra 0x00 byte at the end of DcsProp file when modifying it through UI
• Reduce memory usage of IOCTL_DISK_VERIFY handler used in disk verification by Windows.
• Add switch /FastCreateFile for VeraCrypt Format.exe to speedup creation of large file container if quick format is selected.
• Fix the checkbox for skipping verification of Rescue Disk not reflecting the value of /noisocheck switch specified in VeraCrypt Format command line.
• check "TrueCrypt Mode" in password dialog when mounting a file container with .tc extension
• Update XML languages files.

Linux:

• Fix regression causing admin password to be requested too many times in some cases
• Fix off by one buffer overflow in function Process::Execute (Reported and fixed by Hanno Böck)
• Make sure password gets deleted in case of internal error when mounting volume (Reported and fixed by Hanno Böck)
• Fix passwords using Unicode characters not recognized in text mode.
• Fix failure to run VeraCrypt binary built for console mode on headless machines.
• Add switch to force the use of legacy maximum password length (64 UTF8 bytes)
• Add CLI switch (--use-dummy-sudo-password) to force use of old sudo behavior of sending a dummy password
• During uninstall, output error message to STDERR instead of STDOUT for better compatibility with package managers.
• Make sector size mismatch error when mounting disks more verbose.
• Speedup SHA256 in 64-bit mode by using assembly code.

MacOSX:

• Add switch to force the use of legacy maximum password length (64 UTF8 bytes)
• Fix off by one buffer overflow in function Process::Execute (Reported and fixed by Hanno Böck)
• Fix passwords using Unicode characters not recognized in text mode.
• Make sector size mismatch error when mounting disks more verbose.
• Speedup SHA256 in 64-bit mode by using assembly code.