Here we are focusing on VeraCrypt, a fork of TrueCrypt that has become the most popular encryption software. There is a lot of debate as to which of the programs is better and more secure. We will try our best to draw an unbiased comparison revealing the advantages and disadvantages of both products.
Brief history of VeraCrypt
TrueCrypt, a well-known encryption tool, has been discontinued for four years already. But since TrueCrypt is free and open source software, anyone can use its code to develop separate products. This led French IT security consultant Mounir Idrassi to unveil his own project, VeraCrypt, to the world in summer 2013.
The main idea behind the fork was to create a more secure solution than TrueCrypt. For instance, TrueCrypt used quite mediocre key generation that, according to experts, wasn’t capable of providing adequate protection against the computing power wielded by special services. VeraCrypt offers a considerably more reliable solution against brute-force attacks. You will find out more about this solution in the section that compares VeraCrypt against TrueCrypt.
When TrueCrypt was still maintained, its derived versions weren’t that popular. Everything changed in spring 2014, when TrueCrypt’s developers announced that they had discontinued the project. VeraCrypt was seen as a secure upgrade of TrueCrypt (though there were other forks, such as GostCrypt and CipherShed). Some TrueCrypt users hurried to switch to VeraCrypt; others remained loyal to TrueCrypt.
A large number of users took a shine to VeraCrypt, but just as many criticized it. Some suggested that VeraCrypt is a project run by special services and contains deliberately introduced vulnerabilities. A lot of people regard forks with much caution and skepticism, while TrueCrypt’s developers actually believe this fork to be dangerous. Their concerns are rooted in the belief that outside developers are unable to understand their code profoundly, and, as you will see below, these concerns did not prove altogether groundless.
VeraCrypt vs TrueCrypt
Now let’s compare TrueCrypt and VeraCrypt. These programs are similar, both functionality-wise and design-wise (not a big surprise here as VeraCrypt is a fork project), so we are going to take a look at their speed and security performance.
The speed of mounting encrypted file-hosted volumes
An obvious downside to VeraCrypt, discovered by TrueCrypt users who try it for the first time, is the time the system spends on mounting an encrypted file-hosted volume. When you specify the correct password in TrueCrypt, the wait until you can access the encrypted data is a split second on a modern computer. When you use VeraCrypt, you have to wait significantly longer.
Resistance to brute-force attacks
A brute-force attack involves trying every possible combination until the correct password is guessed. Modern supercomputers owned by special services are capable of trying combinations very fast. With an enhanced key generation method at its disposal, VeraCrypt is from 10 to 300 times more resistant to brute-force attacks. Many users would find this to be VeraCrypt’s key advantage over its counterpart.
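The mount delay and the brute-force resistance described in the two sections above are the same cost seen from two sides: every password attempt, legitimate or not, pays for one key derivation. The following added example (not code from this page or from either project) measures that cost with PBKDF2-HMAC-SHA512. The iteration counts are assumptions based on figures commonly cited from the two projects' documentation, not values stated on this page, and all function names are hypothetical.

```python
import hashlib
import os
import time

# Assumed iteration counts (not stated on this page): figures commonly cited
# for PBKDF2-HMAC-SHA512 on non-system volumes in each project's documentation.
TRUECRYPT_ITERS = 1_000
VERACRYPT_ITERS = 500_000
KEY_LEN = 64  # bytes of key material derived per guess (assumed)


def derive_header_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch a password into key material with PBKDF2-HMAC-SHA512."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=KEY_LEN)


def seconds_per_guess(iterations: int, rounds: int = 3) -> float:
    """Best-of-N wall-clock cost of one password attempt on this machine."""
    salt = os.urandom(64)
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        derive_header_key(b"constructed sample passphrase", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def exhaust_time_years(keyspace: int, secs_per_guess: float, workers: int = 1) -> float:
    """Years needed to try every candidate in `keyspace` at the given rate."""
    return keyspace * secs_per_guess / workers / (365.25 * 24 * 3600)


def compare() -> dict:
    """Measure both settings and project them onto a constructed keyspace."""
    fast = seconds_per_guess(TRUECRYPT_ITERS)
    slow = seconds_per_guess(VERACRYPT_ITERS)
    keyspace = 26 ** 8  # constructed example: 8 lowercase letters
    return {
        "mount_delay_fast_s": fast,
        "mount_delay_slow_s": slow,
        "measured_slowdown": slow / fast,
        "years_fast": exhaust_time_years(keyspace, fast),
        "years_slow": exhaust_time_years(keyspace, slow),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.6g}")
```

The slowdown per guess is what the user feels once at mount time and what anyone guessing passwords pays on every candidate.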
Developers’ support
TrueCrypt is no longer maintained: the solutions it uses grow more outdated every day, and potential vulnerabilities are not fixed. This undoubtedly benefits VeraCrypt, which is actively maintained.
Vulnerabilities
You would think that the developers’ support behind VeraCrypt was supposed to give this program a hefty advantage, but the reverse proved true. In the chapter that focuses on TrueCrypt, you found out that the security assessment of the program revealed no critical vulnerabilities. A similar assessment was run on VeraCrypt…
The security assessment revealed 36 vulnerabilities: 8 of them were deemed critical, 3 moderate and 15 insignificant. 8 critical vulnerabilities are enough to classify such an application as a disaster. You can access the full version of the technical report by clicking this link.
Currently the majority of the vulnerabilities have been successfully fixed; however, some of them require a major overhaul of the architecture and can still be found in VeraCrypt.
A highly skilled team of developers
As we mentioned earlier, the security assessment of VeraCrypt revealed 8 critical vulnerabilities, while the assessment of TrueCrypt revealed none. This raises concerns about the skill level of VeraCrypt’s team of developers. There is no question that TrueCrypt was developed by a stronger development team.
Suppose the 8 critical vulnerabilities found during the security assessment of VeraCrypt are fixed: who can guarantee that its developers will not introduce just as many new critical weaknesses?
TrueCrypt emerged the winner of our competition. However, you still have to make an informed decision independently. On the one hand, TrueCrypt’s dated technologies are inferior to VeraCrypt’s as far as resistance to attacks is concerned. Moreover, TrueCrypt has long been discontinued. On the other hand, VeraCrypt is constantly updated and supports more effective technologies, but the discovered vulnerabilities and a weaker development team make you ponder your ultimate choice.
CyberYozh security group’s team hasn’t reached a unanimous decision, but we are unanimous about one thing: you should use both of the tools simultaneously. You create one encrypted file-hosted volume using, for instance, TrueCrypt; inside it you create a second encrypted file-hosted volume using VeraCrypt, and you place your files inside that one. Using both systems makes encryption way more effective than using each of the applications separately.