# security/truecrypt is broken. Need advice about Veracrypt



## DanDare (Jul 12, 2021)

Truecrypt is actually broken from quarterly (2021Q3). After copying the right truecrypt source file to distfile (checked freshports for the right SHA256 hashes, including for wxWidgets), then previously building all the deps listed, still having:

```
Configuring wxWidgets library...
configure: error: Can't use --enable-std_string without std::wstring or std::basic_string<wchar_t>
```

Tried searching for any solution on internet but no deal.

I have a huge (650GB) truecrypt volume that I use mainly in Windows but also when I boot Ubuntu, want to do the same when I boot FreeBSD.
Truecrypt fork (Veracrypt) is offered in ports and says it can deal with truecrypt volumes.
Anyone around used to Veracrypt to tell me if it's reliable dealing with truecrypt volumes with Veracrypt?
Thanks.


----------



## mark_j (Jul 12, 2021)

I don't know about how well veracrypt reads/interacts with truecrypt, so I can't help you there, sorry.
For the configure, try adding on the configure command line --disable-std_string.


----------



## DanDare (Jul 12, 2021)

Nice. Thank you.
I'm not able to test it now but will post the result after trying.


----------



## DanDare (Jul 12, 2021)

Build crashed with --disable-std_string after a while with "6 warnings and 9 errors generated."
Anyway it looks like the future for Truecrypt port is not promising. Nothing more than something to be expected as time passes by. Time to migrate to Veracrypt I guess.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257125


----------



## hardworkingnewbie (Jul 12, 2021)

DanDare said:


> Truecrypt is actually broken from quarterly (2021Q3). After copying the right truecrypt source file to distfile (checked freshports for the right SHA256 hashes, including for wxWidgets), then previously building all the deps listed, still having


In fact Truecrypt was being developed by a team of anonymous developers, who never published their identities. The development of Truecrypt was being stopped suddenly by that group already in 2014, which was a big surprise back then and led to several rumors about the reasons behind that move. As a parting message the Truecrypt developers put on the web site "Using TrueCrypt is not secure as it may contain unfixed security issues."

So this really makes me wonder why FreeBSD is still shipping TrueCrypt at all.

So this means:

a) you shouldn't have used TrueCrypt for 7 years
b) you should use a well maintained alternative, which you obviously do.

For me, mounting Truecrypt in Veracrypt works just fine. But in your position I would use that functionality only to migrate this data to a Veracrypt file container.


----------



## grahamperrin@ (Jul 12, 2021)

DanDare said:


> … Time to migrate to Veracrypt I guess. …



Certainly, if security is essential, trust in TrueCrypt should have ended years ago.






I don't recall _using_ VeraCrypt, but I do recall it being an accepted alternative around the time that TrueCrypt wound things down. A handful of articles, in chronological order:

True mystery of the disappearing TrueCrypt disk encryption software – Naked Security
Is TrueCrypt pining for the fjords? – Naked Security
Life after TrueCrypt: 5 tips for better data security – Sophos News
TrueCrypt mystery – forking weirder than before – Naked Security
VeraCrypt a Worthy TrueCrypt Alternative | eSecurity Planet


Incidentally, I looked first for articles in the Sophos area because I have a record of two cases in 2010:

0050181 – Sophos Anti-Virus on-access clean up incompatible with TrueCrypt
0051317 – … crashing & data loss when using TrueCrypt & Sophos on access cleanup with OSX
– access to details is no longer readily available, so I can't tell exactly how the cases were resolved, it's likely that (from our perspective) there was no solution.


----------



## mark_j (Jul 12, 2021)

DanDare said:


> Build crashed with --disable-std_string after a while with "6 warnings and 9 errors generated."
> Anyway it looks like the future for Truecrypt port is not promising. Nothing more than something to be expected as time passes by. Time to migrate to Veracrypt I guess.
> 
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257125


For sure. You can only try it and like you I suspect it should act ok with truecrypt containers and files.
I didn't realise it had been deprecated, so thanks to grahamperrin for weeding out that!
Veracrypt has been rock solid for me on all platforms (except Linux).


----------



## DanDare (Jul 12, 2021)

hardworkingnewbie said:


> In fact Truecrypt was being developed by a team of anonymous developers, who never published their identities. The development of Truecrypt was being stopped suddenly by that group already in 2014, which was a big surprise back then and led to several rumors about the reasons behind that move. As a parting message the Truecrypt developers put on the web site "Using TrueCrypt is not secure as it may contain unfixed security issues."
> 
> So this really makes me wonder why FreeBSD is still shipping TrueCrypt at all.
> 
> ...


Thanks. Yeah I know all the history. I really don't care about it as I use it just to protect my data in the case my lap get stolen or something like this. Truecrypt will never try to reach the network/internet, is very effective and reliable and that's all I need.
Yeah that drop was super strange and also funny... as it included the suggestion to move to bitlocker with instructions about how to do it and all. It will be missed.


----------



## grahamperrin@ (Jul 12, 2021)

hardworkingnewbie said:


> … why FreeBSD is still shipping TrueCrypt …



Deprecated a few hours ago <https://cgit.freebsd.org/ports/commit/?id=8c3593db9e0654f34caa66d8ca95a85958c41156> with an expiration date of 2021-06-11. So:


```
root@mowa219-gjp4-8570p:/usr/ports/security/truecrypt # make configure
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

Development and support for truecrypt ended in 2014.

It is scheduled to be removed on or after 2021-06-11.

===>  License TRUECRYPT needs confirmation, will ask later
…
```



DanDare said:


> … the suggestion to move to bitlocker …



If I recall correctly, this was because TrueCrypt was originally/primarily Windows-oriented. Whatever the origin, Windows users would have been the largest audience.


----------



## DanDare (Jul 12, 2021)

mark_j said:


> For sure. You can only try it and like you I suspect it should act ok with truecrypt containers and files.
> I didn't realise it had been deprecated, so thanks to grahamperrin for weeding out that!
> Veracrypt has been rock solid for me on all platforms (except Linux).


Now I'm curious.
What went wrong while using it in Linux?
Wanted to have my volume accessible in FreeBSD besides windows and linux and now Veracrypt is an option to have it for Windows & FreeBSD but not Linux?


----------



## hardworkingnewbie (Jul 12, 2021)

DanDare said:


> Thanks. Yeah I know all the history. I really don't care about it as I use it just to protect my data in the case my lap get stolen or something like this. Truecrypt will never try to reach the network/internet, is very effective and reliable and that's all I need.
> Yeah that drop was super strange and also funny... as it included the suggestion to move to bitlocker with instructions about how to do it and all. It will be missed.


Truecrypt is now 7 years old abandonware, the rest of the world moved on and so I would not trust that piece of software to protect my data any longer. I would therefore abandon using it altogether, because there are more advanced up to date solutions out there right now.


----------



## DanDare (Jul 12, 2021)

hardworkingnewbie said:


> Truecrypt is now 7 years old abandonware, the rest of the world moved on and so I would not trust that piece of software to protect my data any longer. I would therefore abandon using it altogether, because there are more advanced up to date solutions out there right now.


Do you have any suggestion about any option to transparently access a same encrypted volume across windows linux and freeBSD? Basically what truecrypt permit (permitted) without the hassles of mounting ext4 or UFS or NTFS across systems?


----------



## mark_j (Jul 12, 2021)

DanDare said:


> Now I'm curious.
> What went wrong while using it in Linux?
> Wanted to have my volume accessible in FreeBSD besides windows and linux and now Veracrypt is an option to have it for Windows & FreeBSD but not Linux?


I just don't use linux. MacOS, Windows, FreeBSD are my computing brands. I presume Linux is just fine with veracrypt. There's nothing sinister, I can assure you.


----------



## mark_j (Jul 12, 2021)

DanDare said:


> Do you have any suggestion about any option to transparently access a same encrypted volume across windows linux and freeBSD? Basically what truecrypt permit (permitted) without the hassles of mounting ext4 or UFS or NTFS across systems?


If your veracrypt is the entire device then I think all you would do is mount the device it's on. If however it's a file on the, for example, Windows disk/partition and you're running Freebsd, then you'd have to mount ntfs and then the file. I guess it depends on how veracrypt handles low-level I/O.


----------



## 6502 (Jul 12, 2021)

The Truecrypt Mystery and Intelligence Agencies' Fixation with Decrypting Your Hard Drive

In 2014, Truecrypt was considered by many to be the best open-sourced hard drive encryption software ever created for public use. So, why after 10 years of development did the unknown people who brought us Truecrypt suddenly abandon it?

cheapskatesguide.org


----------



## hardworkingnewbie (Jul 12, 2021)

DanDare said:


> Do you have any suggestion about any option to transparently access a same encrypted volume across windows linux and freeBSD? Basically what truecrypt permit (permitted) without the hassles of mounting ext4 or UFS or NTFS across systems?


You've got to differentiate between: 

a) the file system on the storage medium, where your encrypt container is living and
b) the file system being created in your encrypted container. 

For both NTFS and NTFS are a viable option on your mentioned platforms.

So since you're used to Truecrypt why not just use Veracrypt instead? The UI is very similar, feature set as well so you should have no big problems when you make that switch.


----------



## 6502 (Jul 12, 2021)

DanDare said:


> Do you have any suggestion about any option to transparently access a same encrypted volume across windows linux and freeBSD? Basically what truecrypt permit (permitted) without the hassles of mounting ext4 or UFS or NTFS across systems?


Simply use FAT32, if the volume is not too large.


----------



## hardworkingnewbie (Jul 12, 2021)

FAT32 has a maximum file size limit of 4 GB. For some this can be a real show stopper. Aside that, no journaling whatsoever.


----------



## 6502 (Jul 12, 2021)

hardworkingnewbie said:


> Aside that, no journaling whatsoever.


Not sure how journaling will work with encrypted file system. In my opinion it is mandatory to have UPS or laptop with working battery.


----------



## DanDare (Jul 12, 2021)

mark_j said:


> If your veracrypt is the entire device then I think all you would do is mount the device it's on. If however it's a file on the, for example, Windows disk/partition and you're running Freebsd, then you'd have to mount ntfs and then the file. I guess it depends on how veracrypt handles low-level I/O.


No need to have a formatted partition for Truecrypt (and so for Veracrypt too I presume). If you use Truecrypt directly to partition windows will call it a "RAW" partition and truecrypt will just mount it. It's like you can do with zfs. This is a good thing as you can just mount that volume anywhere truecrypt runs.

I will play with veracrypt using a USB stick then migrate the 650GB partition to use it. Then, hope long life to veracrypt.


----------



## mark_j (Jul 13, 2021)

DanDare said:


> No need to have a formatted partition for Truecrypt (and so for Veracrypt too I presume). If you use Truecrypt directly to partition windows will call it a "RAW" partition and truecrypt will just mount it. It's like you can do with zfs. This is a good thing as you can just mount that volume anywhere truecrypt runs.
> 
> I will play with veracrypt using a USB stick then migrate the 650GB partition to use it. Then, hope long life to veracrypt.


That was what I was saying in a roundabout way.   If you use the entire disk then it can be 'mounted' raw. Veracrypt also allows encrypted files/containers in the native file system; I was not sure if truecrypt did so also.

Let us know the results so others can gain from your experience


----------



## grahamperrin@ (Jul 13, 2021)

6502 said:


> <https://cheapskatesguide.org/articles/truecrypt-mystery.html>





> > … means that prudence dictates the continued use of version 7.1a of Truecrypt. …



Too ambiguous. 



> > … (Update 5-8-21: The Truecrypt download has been removed from grc.com, and the following statement now appears: "VeraCrypt is being continually maintained, while the aging TrueCrypt code has become problemmatical to use.") …



GRC's page is more emphatic, the large red alert: 

It's (past) time to switch to VeraCrypt…


----------



## 6502 (Jul 13, 2021)

OK but we don't know who is working on VeraCrypt. Maybe they are NSA "friends" if we assume original TC authors are not.






TrueCrypt Security Audit Completed - Schneier on Security

www.schneier.com




"Some issues were found, but nothing major."


----------



## hardworkingnewbie (Jul 13, 2021)

6502 said:


> OK but we don't know who is working on VeraCrypt. Maybe they are NSA "friends" if we assume original TC authors are not.


Well given the fact that the authors of TrueCrypt never disclosed their identities - what's exactly the problem here for old TC users?

I mean VC is open source, and has been audited for problems, so...


----------



## DanDare (Jul 16, 2021)

mark_j said:


> That was what I was saying in a roundabout way.   If you use the entire disk then it can be 'mounted' raw. Veracrypt also allows encrypted files/containers in the native file system; I was not sure if truecrypt did so also.
> 
> Let us know the results so others can gain from your experience


First thing: I was being silly by saying truecrypt (or veracrypt) is an option to 'transparently' using any volume across OS. You need to choose a disk format (of course) that will be created and encrypted.

With Veracrypt in Windows I've created an NTFS encrypted volume in a USB memstick partition. Was able to open/use in Ubuntu but not in FreeBSD with "mount: /dev/md0: No such file or directory"

In Ubuntu destroyed the volume and recreated it formatted as ext4, still not able to mount in FreeBSD after loading ext2fs kernel module, with the same error message.
In Windows recreated it as FAT. This time FreeBSD was able to mount it. It created the /dev/md0 entry and mounted in /media/Veracrypt1.
While in FreeBSD wanted to recreate the volume as exFAT but the only format options in Veracrypt while creating a volume are FAT and UFS.

VeraCrypt on FreeBSD: "Error: mount: /dev/md0: No such file or directory" - VeraCrypt


----------



## Deleted member 30996 (Jul 16, 2021)

DanDare said:


> Was able to open/use in Ubuntu but not in FreeBSD with "mount: /dev/md0: No such file or directory"


Create it.

It does not exist and never has, because that was your job in the first place.

I have always mounted my USB drives with this command:

`mount -v -t msdosfs /dev/da0s1 /media/da0s1`

This command for larger drives, up to 500GB in my experience:

`mount -v -t msdosfs -F32 -o large /dev/da0s1 /media/da0s1`

But before I can mount it I must open my File Manager as root and create /media/da0s1. Or I could use a command to create it, but I'm getting ready to use x11-fm/xfe and transfer some files so that's how I do it.

That no one else does it like that, one of the mysteries that is me.

But but but what about dev/da0s1? It does not exist. But my way works:


----------



## T-Daemon (Jul 16, 2021)

DanDare said:


> With Veracrypt in Windows I've created an NTFS encrypted volume in a USB memstick partition. Was able to open/use in Ubuntu but not in FreeBSD with "mount: /dev/md0: No such file or directory"


Ubuntu has NTFS support in kernel, FreeBSD doesn't. VeraCrypt can't mount automatically on FreeBSD. NTFS support on FreeBSD is realized by third party utilities.

To mount NTFS on FreeBSD try the following: do not mount the VeraCrypt volume's filesystem (see the checkbox at the image bottom after opening 'Options').

After the password is entered, a memory disk is created, i.e. /dev/md0. Try mounting the file system with sysutils/fusefs-ntfs manually:

For example:
`#  ntfs-3g /dev/md0 /mnt`
When done with the volume, unmount the memory disk from the mount point before unmounting from VeraCrypt.



DanDare said:


> In Ubuntu destroyed the volume and recreated it formatted as ext4, still not able to mount in FreeBSD after loading ext2fs kernel module, with the same error message.


Works with sysutils/fusefs-lkl. Mount manually as instructed above.



DanDare said:


> In Windows recreated it as FAT. This time FreeBSD was able to mount it. It created the /dev/md0 entry and mounted in /media/Veracrypt1.


FreeBSD has MS-DOS file system support in kernel. VeraCrypt can mount automatically.



DanDare said:


> While in FreeBSD Wanted to recreate the volume as exFAT but the only format options in Veracrypt while creating a volume are FAT and UFS


FreeBSD has no exFAT support in base. It's not possible to create an exFAT filesystem from the GUI dialog.

However, it's possible to create a filesystem _after_ creating a VeraCrypt volume. Create the volume/container without a filesystem in 'Format Options' dialog: Filesystem Options - Filesystem type 'None'.

"Mount" that volume without mounting the volume's filesystem (as instructed above). Afterwards create the filesystem on the memory disk.

This works well with FAT, UFS2, ZFS [1], ext4 [2], and xfs [3] file systems (tested so far). FAT and UFS2 can be mounted automatically by VeraCrypt, ZFS pool needs importing, ext4 and xfs mounting manually with sysutils/fusefs-lkl.

Trying to create NTFS, exFAT [4] file systems results in errors. I can't tell what's wrong.


[1] newfs_msdos(8), newfs(8), 12.2 zpool(8), 13.0 zpool-create(8)
[2] sysutils/e2fsprogs: mkfs.ext4(8)
[3] sysutils/xfsprogs: mkfs.xfs(8)
[4] sysutils/fusefs-ntfs: mkntfs(8), sysutils/exfat-utils: mkexfatfs(8)


----------
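The manual sequence T-Daemon describes (attach the volume without mounting its filesystem, mount the memory disk with a FUSE helper, then unmount in the reverse order), as an added example that is not part of the original post. The volume path, `/dev/md0` and the mount point are placeholders, the function names are hypothetical, and the `lklfuse -o type=…` invocation for sysutils/fusefs-lkl is an assumption; with `DRY_RUN=1` (the default) the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread: manual mount sequence on FreeBSD for a
# VeraCrypt volume whose filesystem the kernel cannot mount natively.
# Placeholders: volume path, memory disk (/dev/md0) and mount point.

DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands only, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Print the FUSE helper for a filesystem; fail for anything else
# (FAT and UFS are mounted by VeraCrypt itself, per the thread).
fs_helper() {
    case "$1" in
        ntfs)     echo "ntfs-3g" ;;              # sysutils/fusefs-ntfs
        ext4|xfs) echo "lklfuse -o type=$1" ;;   # sysutils/fusefs-lkl (assumed syntax)
        *)        return 1 ;;
    esac
}

# attach_and_mount VOLUME FSTYPE MD_DEVICE MOUNTPOINT
attach_and_mount() {
    am_helper=$(fs_helper "$2") || {
        echo "no manual FUSE mount for '$2'" >&2
        return 2          # refuse before attaching anything
    }
    # Attach only: VeraCrypt decrypts to a memory disk, mounts no filesystem.
    run veracrypt --text --filesystem=none "$1" || return 1
    # $am_helper is intentionally unquoted so it splits into command + options.
    run $am_helper "$3" "$4"
}

# unmount_and_detach VOLUME MOUNTPOINT
unmount_and_detach() {
    # Filesystem first; keep the volume attached if the unmount fails.
    run umount "$2" || return 1
    run veracrypt --text --dismount "$1"
}

if [ $# -eq 4 ]; then
    attach_and_mount "$@"
fi
```

The memory disk VeraCrypt created can be read from `veracrypt --text --list` before passing it as the third argument.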



## puretone (Jul 16, 2021)

DanDare said:


> Truecrypt is actually broken from quarterly (2021Q3).



I was about to demand you tell us about time-travel...
Didn't realize the cgit repo uses 20xxQx versioning scheme just like svn does.


----------



## Alain De Vos (Jul 17, 2021)

I never tested these filesystems,

```
fusefs-cryptofs-0.6.0_7        Encrypted filesystem for FUSE
fusefs-encfs-1.9.5_6           Encrypted pass-through FUSE filesystem
fusefs-securefs-0.11.1_1       Filesystem in userspace with transparent encryption and decryption
```


----------



## Menelkir (Jul 17, 2021)

Alain De Vos said:


> I never tested these filesystems,
> 
> ```
> fusefs-cryptofs-0.6.0_7        Encrypted filesystem for FUSE
> ...
> ```


Encfs can be used with Plasma Vault, but I'm not sure if it's available for FreeBSD (or if both can be used together).


----------



## Jose (Jul 17, 2021)

grahamperrin said:


> Deprecated a few hours ago <https://cgit.freebsd.org/ports/commit/?id=8c3593db9e0654f34caa66d8ca95a85958c41156> with an expiration date of 2021-06-11...


I didn't know expiration dates in the past were used.


----------



## hardworkingnewbie (Jul 17, 2021)

Alain De Vos said:


> I never tested these filesystems,
> 
> ```
> fusefs-cryptofs-0.6.0_7        Encrypted filesystem for FUSE
> ...
> ```


Encfs is quite old and comes from Linux. It's also considered to be unsafe since an audit made in 2014, and until version 2 is released not exactly something you should therefore use if you really need tight security.

Veracrypt like Truecrypt has one thing all these other tools have not: plausible deniability, which might be interesting for some use cases. You can hide a smaller encrypt container within your bigger container at ease. So you could generate a big container with porn as facade and embed a smaller into it with your real data.

If you really want to use an overlay cryptographic file system, the most advanced so far by my knowledge is CryFS, which works also with FreeBSD.





CryFS: A cryptographic filesystem for the cloud

CryFS encrypts your Dropbox and protects you against hackers and data leaks. It also works well together with other cloud providers.

www.cryfs.org


----------



## grahamperrin@ (Jul 17, 2021)

Thanks,


hardworkingnewbie said:


> … CryFS, which works also with FreeBSD.



<https://github.com/cryfs/cryfs> to build from source. 

Side note: 









Download panel not compatible with strict ETP in Firefox · Issue #4 · cryfs/cryfs-web-legacy

With enhanced tracking protection set to strict, at https://www.cryfs.org/#download the Other button does not work: – no response to clicks.

github.com


----------



## tunik (Oct 26, 2022)

FreeBSD 13.1-RELEASE GENERIC amd64, veracrypt-1.25.9 NTFS. It works very well.

Mount


```
sudo veracrypt --text --pim 0 --fs-options "rw,mountprog=/usr/local/bin/ntfs-3g" --keyfiles "/home/fileKey" --protect-hidden no --slot 1 --verbose /media/file.hc /tmp/vera
```
Dismount

```
umount -f  /tmp/vera && veracrypt -d
```


----------

