IMPORTANT: Please take into account that you can use VeraCrypt yourself up to what we call Lvl 3 Protection without the risk of losing important data or access to your system. As long as you follow the encryption guide provided here and are careful about the things we warn you about, you should not need assistance in setting this up.

From Lvl 4 Protection onwards, we suggest that you talk to someone at the DCC for assistance. These higher levels of protection make your data harder to find and leave fewer traces, but they also carry the risk of losing data by overwriting it, or of losing access to your operating system, IF THEY ARE SET UP INCORRECTLY. You will also have to be told about clear practices that you need to follow in order to ensure plausible deniability and the best level of protection.

In our consultation with you we have advised you on a level of protection that is ultimately just a suggestion. You can decide to get higher protection for your data, of course. Be aware, once again, that with a higher protection level the risk you face shifts from data leakage to actual data loss. We would ask that you follow our guidelines unless you really need a higher level of protection for your data, in which case you should request a follow-up consultation with us.

For VeraCrypt to provide effective security, the user needs to be aware of and follow a number of guidelines, which are listed here in short form and in their entirety in the VeraCrypt manual. Please refer to the VeraCrypt manual (pp. 90-99 in the PDF, or the Security requirements and precautions section of the online documentation) for a more detailed explanation.

Before we go into detail, there are four golden rules you want to follow:

  • Mount your VeraCrypt volumes only when you work with them. Once you are done, make sure you dismount your volume(s). If you do not require a specific volume to be mounted, never mount it in the first place.
  • Always lock your machine when you are not working with it. If you are about to leave your machine unattended for more than ~5 min (bathroom break, quick coffee grab, etc.), dismount EVERY VeraCrypt volume and mount them again when you come back.
  • Never take sensitive data out of the VeraCrypt volume. If you have to copy or create a new file, make sure that you move files or create them in a VeraCrypt volume. Files taken or created outside of the volume might leave traces of information on unencrypted parts of Windows.
  • When you are done working with a VeraCrypt volume, always dismount it, turn off your machine, and leave it turned off for a few minutes. If you have to continue working on non-sensitive data later, you can safely resume your work after the computer has been shut off for said period of time. This is to ensure that information on the VeraCrypt volume doesn’t stay stored in RAM.

Below are some practical steps you should take to ensure that information about your data or the VeraCrypt volume is not accidentally left unencrypted.

Windows can store parts of the files in use outside of RAM when there is not enough memory available. This can lead to unencrypted parts of your data being stored on disk instead of in RAM. To avoid this, please consider disabling paging files for your VeraCrypt volume. This can only be done if you have already created a volume, and will have to be repeated for each new volume created. To learn how to create a volume using VeraCrypt, please refer to this page.


Memory dump files are files Windows creates to recover information after an error occurs. Since these files are unencrypted, VeraCrypt information (such as the master key or part of the file stored in the volume) might be recorded in them and stored. To avoid this happening, disable memory dump file generation at least for the session when you use VeraCrypt volumes (even if you just mount them).


Hibernation files are files that Windows creates when entering power saving mode. These files contain information that Windows uses to restore all processes once it exits power saving mode. This means that information stored on a VeraCrypt volume you were working with, the master key of the mounted volume and/or other information contained in your VeraCrypt volume might be written to disk unencrypted by Windows. To avoid this occurrence, follow these steps. Warning: Keep in mind that the best way to avoid this is to manually dismount all VeraCrypt volumes when done and shut down the computer for a few minutes (the longer, the better) before turning it on again.
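The three leak paths described above (paging file, memory dump files, hibernation file) can be checked with a read-only PowerShell audit before you mount a volume. This is an added example, not part of the DCC guide: it uses standard Windows registry values and CIM classes, checks all drives rather than a single volume, and the `Get-RegValue` helper and report layout are assumptions of this example.

```powershell
# Read-only audit (added example): reports whether the paging file, crash dumps
# and hibernation can still write RAM contents to disk. Changes no settings.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of an error when the key or value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$ctl = 'HKLM:\SYSTEM\CurrentControlSet\Control'

# 1. Paging file: entries configured for next boot and files in use right now.
$configured  = @(Get-RegValue "$ctl\Session Manager\Memory Management" 'PagingFiles' |
                 Where-Object { $_ })
$inUse       = @(Get-CimInstance Win32_PageFileUsage -ErrorAction SilentlyContinue)
$autoManaged = (Get-CimInstance Win32_ComputerSystem).AutomaticManagedPagefile

# 2. Memory dumps: CrashDumpEnabled = 0 means no dump file is written on a crash.
$dumpMode = Get-RegValue "$ctl\CrashControl" 'CrashDumpEnabled'

# 3. Hibernation: HibernateEnabled = 0 means off. hiberfil.sys is a hidden system
#    file, so list the drive root with -Force to see whether one still exists.
$hibernate = Get-RegValue "$ctl\Power" 'HibernateEnabled'
$hiberFile = @(Get-ChildItem -LiteralPath "$env:SystemDrive\" -Filter 'hiberfil.sys' `
               -Force -ErrorAction SilentlyContinue)

$report = @(
    [pscustomobject]@{
        Check  = 'Paging file'
        Off    = ($configured.Count -eq 0 -and $inUse.Count -eq 0 -and -not $autoManaged)
        Detail = "configured: [$($configured -join '; ')] in use: [$($inUse.Name -join '; ')]"
    }
    [pscustomobject]@{
        Check  = 'Memory dump'
        Off    = ($dumpMode -eq 0)
        Detail = "CrashDumpEnabled = $dumpMode"
    }
    [pscustomobject]@{
        Check  = 'Hibernation'
        Off    = ($hibernate -eq 0 -and $hiberFile.Count -eq 0)
        Detail = "HibernateEnabled = $hibernate, hiberfil.sys present: $($hiberFile.Count -gt 0)"
    }
)
$report | Format-Table -AutoSize -Wrap

# A registry value that could not be read counts as "not off".
if ($report.Off -contains $false) { Write-Warning 'At least one feature can still write memory to disk.' }
```

A row with `Off = False` means that feature is still enabled, or its setting could not be read, on this machine.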


In order to give away as little information as possible to an unauthorized user, VeraCrypt preserves the date of creation of the files contained in a volume. This means that if you modify a file after it was created, VeraCrypt will not update the date of the last change made to the file. This is not a problem, unless you want to synchronize your VeraCrypt folder (once encrypted and dismounted) with a cloud service. The cloud service performs its synchronization by checking the modification date of the data contained in the volume and of the volume itself. As VeraCrypt does not update the date of last modification, the cloud service will assume that no work has been done on the file and will skip the synchronization.

To prevent this from happening, there are two easy steps you can follow:


Should you have any other questions regarding possible risks of data loss or weaknesses in VeraCrypt security, please contact the DCC (dcc@rug.nl). We will be glad to address your concerns.
