Differences

This shows you the differences between two versions of the page.

dcc:itsol:veracrypt:precautions [2024/07/30 11:30] – resized figures giulio
dcc:itsol:veracrypt:precautions [2025/06/03 14:22] (current) alba
Line 2: Line 2:
 ===== Security requirements and precautions ===== ===== Security requirements and precautions =====
  
-**IMPORTANT**: Please take into account that you can use VeraCrypt yourself up to what we call Lvl 3 Protection without the risk of losing important data or access to your system. As long as you follow the encryption guide provided here and are careful about the things we warn you about, you should not need assistance in setting this up.+**IMPORTANT**: Please take into account that you can use VeraCrypt yourself at any level of protection suggested in this guide. The risk of losing important data is mainly linked to losing your password or your keyfiles. As long as you follow the encryption guide provided here and are careful about the things we warn you about, you should not need assistance in setting this up.
  
-From Lvl 4 Protection onwards, we suggest that you **talk to someone at the DCC** for assistance. These higher levels of protection ensure that your data is harder to find and leaves less traces, but they also carry the risk of **losing data by overwriting it** or **losing access to your operating system, IF THEY ARE SET UP INCORRECTLY**. You will also have to be told about clear practices that you need to follow in order to ensure **plausible deniability and the best level of protection**. +This guide advises you on a level of protection that is ultimately just a suggestion. You can decide to get higher protection for your data, of course. Be aware, once again, that in getting a higher protection level the risk you face shifts from data leakage to actual data loss. We would ask that you follow our guidelines unless you really need a higher level of protection for your data, in which case you should request a consultation with us. You are responsible for your data and what happens to it.
- +
-In our consultation with you we have advised you on a level of protection that is ultimately just a suggestion. You can decide to get higher protection for your data, of course. Be aware, once again, that in getting a higher protection level the risk you face shifts from data leakage to actual data loss. We would ask that you follow our guidelines unless you really need a higher level of protection for your data, in which case you should request a follow up consultation with us.+
  
 In order for VeraCrypt to provide effective security, the user needs to be aware and follow a number of guidelines that are listed here in short form and in their entirety in the VeraCrypt manual. Please refer to the VeraCrypt manual (pp.90-99 in the pdf or the [[https://www.veracrypt.fr/en/Security%20Requirements%20and%20Precautions.html| Security requirements and precautions]] section of the online documentation) for a more detailed explanation. In order for VeraCrypt to provide effective security, the user needs to be aware and follow a number of guidelines that are listed here in short form and in their entirety in the VeraCrypt manual. Please refer to the VeraCrypt manual (pp.90-99 in the pdf or the [[https://www.veracrypt.fr/en/Security%20Requirements%20and%20Precautions.html| Security requirements and precautions]] section of the online documentation) for a more detailed explanation.
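
Review bot: The rewritten second paragraph still says "Be aware, once again, that in getting a higher protection level the risk you face shifts from data leakage to actual data loss", but this revision deletes the only earlier statement of that risk (the Lvl 4 paragraph about losing data by overwriting it or losing access to the operating system if set up incorrectly). The new first paragraph now attributes data loss "mainly" to lost passwords or keyfiles, so the reader is never told what the higher-level risk actually is. Either drop "once again" and add one sentence naming the failure modes that were removed, or keep a shortened form of the deleted warning. The added closing sentence "You are responsible for your data and what happens to it." would also read better next to the instruction on when to request a consultation, so the two do not appear to pull in opposite directions.
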
Line 15: Line 13:
   * **Always lock your machine when you are not working with it**. If you are about to leave your machine unattended for more than ~5 min (bathroom break, quick coffee grab, etc.), dismount EVERY VeraCrypt volume and mount them again when you come back.   * **Always lock your machine when you are not working with it**. If you are about to leave your machine unattended for more than ~5 min (bathroom break, quick coffee grab, etc.), dismount EVERY VeraCrypt volume and mount them again when you come back.
   * **Never take sensitive data out of the VeraCrypt volume**. If you have to copy or create a new file, make sure that you move files or create them in a VeraCrypt volume. Files taken or created outside of the volume might leave traces of information on unencrypted parts of Windows.   * **Never take sensitive data out of the VeraCrypt volume**. If you have to copy or create a new file, make sure that you move files or create them in a VeraCrypt volume. Files taken or created outside of the volume might leave traces of information on unencrypted parts of Windows.
-  * **When you are done working with a VeraCrypt volume, always dismount it, turn off your machine, and leave it turned off for a few minutes**. If you have to continue working on non-sensitive data later, you can safely resume your work after the computer has been shut off for said period of time. **This is to ensure that information on the VeraCrypt volume doesn’t stay stored in RAM**.+  * **When you are done working with a VeraCrypt volume, always dismount it, and leave your computer running for a few minutes**. If you have to continue working on non-sensitive data, you can safely do so after the VeraCrypt volume has been dismounted. **This is to ensure that information on the VeraCrypt volume doesn’t stay stored in RAM**.
  
  
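
Review bot: In the changed bullet, the instruction becomes "always dismount it, and leave your computer running for a few minutes", yet the justification kept at the end is unchanged: "This is to ensure that information on the VeraCrypt volume doesn't stay stored in RAM". The bullet no longer explains how leaving the machine running achieves that, since the previous wording relied on powering off. State the mechanism the new advice depends on, or reword the closing sentence so it matches the new instruction. It would also help to say explicitly whether a shutdown is still expected at the end of the working session.
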
Line 68: Line 66:
  
   - Click on //Settings//, as shown in the figure, then select //Preferences...//. {{ :dcc:itsol:veracrypt:tmstamp_1.png?direct&650 | }}   - Click on //Settings//, as shown in the figure, then select //Preferences...//. {{ :dcc:itsol:veracrypt:tmstamp_1.png?direct&650 | }}
-  - A new window will appear. You can then deselect the option in the red box, then click //OK//. VeraCrypt will now update the date the file was modified, intead of preserving the original date. {{ :dcc:itsol:veracrypt:tmstamp_2.png?direct&650 | }}+  - A new window will appear. You can then deselect the option in the red box, then click //OK//. VeraCrypt will now update the date the file was modified, instead of preserving the original date. {{ :dcc:itsol:veracrypt:tmstamp_2.png?direct&650 | }}
  
 **IMPORTANT**: Please make sure to regularly check whether your synchronized files are indeed what you have been working on. Please do this even if you have followed this guide on how to disable this option. **IMPORTANT**: Please make sure to regularly check whether your synchronized files are indeed what you have been working on. Please do this even if you have followed this guide on how to disable this option.
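
Review bot: The spelling fix in step 2 is fine, but the step still identifies the setting only as "the option in the red box", so the instruction is unusable when the figure does not load or for readers using a screen reader. Name the preference in the text as it appears in the dialog, and keep the figure as a visual aid.
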
Line 78: Line 76:
 ++++ Click to display step-by-step guide | ++++ Click to display step-by-step guide |
  
-  - Unless you have encrypted your entire system (which carries its own risks and should not be done on your own) VeraCrypt cannot avoid writing unencrypted information to RAM. This will always carry a risk of data leaks happening if the user doesn’t employ some precautions. The main one being that you DO NOT want to shut down your computer or leave it to hibernate with a VeraCrypt volume still mounted. **Make sure that you ALWAYS dismount ALL your VeraCrypt volumes whenever you are done**. This allows VeraCrypt to erase information on your Master Keys from RAM. **ALSO**, make sure that you **shut down your computer** right after, and **LEAVE IT TURNED OFF** for a few minutes. This will ensure that no information on your VeraCrypt volume files is retained when turning your machine back on. +  - VeraCrypt writes unencrypted information to RAM. This will always carry a risk of data leaks happening if the user doesn’t employ some precautions. The main one being that you **DO NOT** want to shut down your computer or leave it to hibernate with a VeraCrypt volume still mounted. **Make sure that you ALWAYS dismount ALL your VeraCrypt volumes whenever you are done**. This allows VeraCrypt to erase information on your Master Keys from RAM. **ALSO**, make sure that you **shut down your computer** after, and **LEAVE IT TURNED OFF** for a few minutes. This will ensure that no information on your VeraCrypt volume files is retained when turning your machine back on. 
-  - VeraCrypt can only secure your volumes/system if **you are the only person** able to **physically access** your machine. In case someone else has access to your machine, malware or other malicious software capable of recording your passwords might have been installed on it. This also holds true if you have been given a machine by somebody other than the RUG. Should your computer/drive be easily accessible to other people, then we kindly ask you to contact the DCC ([[dcc@rug.nl|dcc@rug.nl]]) to discuss strategies on how to ensure that your data remains protected.+  - VeraCrypt can only secure your volumes/system if **you are the only person** able to **physically access** your machine. In case someone else has access to your machine, malware or other malicious software capable of recording your passwords might have been installed on it. This also holds true if you have been given a machine by somebody other than the UG. Should your computer/drive be easily accessible to other people, then we kindly ask you to contact the DCC ([[dcc@rug.nl|dcc@rug.nl]]) to discuss strategies on how to ensure that your data remains protected.
     - Examples of an easily accessible machine are:     - Examples of an easily accessible machine are:
       - You work on a shared workstation that is not specifically yours. Other people will sign into that machine after you leave.       - You work on a shared workstation that is not specifically yours. Other people will sign into that machine after you leave.
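
Review bot: Step 1 still tells the reader to "shut down your computer" and "LEAVE IT TURNED OFF for a few minutes", while the short-form bullet revised in the Line 15/13 hunk of this same revision now says to leave the computer running after dismounting. The two need to give the same procedure; pick one and update the other. Dropping the qualifier about full system encryption also makes "VeraCrypt writes unencrypted information to RAM" an unconditional statement, so confirm that is intended. Separately, "The main one being that you **DO NOT** want to shut down..." is a sentence fragment and reads more clearly when joined to the previous sentence. Replacing "right after" with "after" weakens the ordering (dismount first, then shut down), which is the point of the step.
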
Line 86: Line 84:
       - Your machine is constantly connected to an internet connection that is not secure/that might be intercepted by people you don’t want to share your data with.       - Your machine is constantly connected to an internet connection that is not secure/that might be intercepted by people you don’t want to share your data with.
   - If your machine is not easily accessible, but you suspect that at some point someone gained access to it and could have compromised it, then VeraCrypt could be entirely unable to secure your data. In that case, please make sure **NOT TO MOUNT AND WORK** with a VeraCrypt volume until you have contacted the DCC ([[dcc@rug.nl|dcc@rug.nl]]).   - If your machine is not easily accessible, but you suspect that at some point someone gained access to it and could have compromised it, then VeraCrypt could be entirely unable to secure your data. In that case, please make sure **NOT TO MOUNT AND WORK** with a VeraCrypt volume until you have contacted the DCC ([[dcc@rug.nl|dcc@rug.nl]]).
-  - The same goes if you suspect that your machine might have been infected by malware. Keep in mind that making sure your machine is up-to-date is a good way to reduce the chance of malware infection. +  - The same goes if you suspect that your machine might have been infected by malware. Keep in mind that **making sure your machine is up-to-date** is a good way to reduce the chance of malware infection. 
-  - When choosing a password, make sure that you choose a strong one. VeraCrypt details what a strong password is, both when prompting you to choose it and in its manual. In short, choose a sequence of words, rather than a single word, use both upper and lower case and special characters. Your password should at least be 20 characters long. (Example: Song lyrics are a good inspiration if you don’t know where to start). +  - When choosing a password, make sure that you choose a strong one. VeraCrypt defines what a strong password is, both when prompting you to choose it and in its manual. In short, choose a sequence of words, rather than a single word, use both upper and lower case and special characters, and makes sure that your password contains at least 20 characters. (Example: Song lyrics are a good inspiration if you don’t know where to start). 
-  - Changing password and keyfile(s) does not change the masterkey of the encryption. The masterkey is an element of your volume’s header that ensures the correct interpretation of the encrypted data in combination with your password and keyfiles. Should you suspect that someone gained access to your password(s) or keyfile(s), **changing password will not protect your data** if they gained access to the masterkey. In short, having access to the masterkey is already enough to ensure decryption by brute force methods.  In such a case we ask you to **disconnect your machine** or your VeraCrypt volume(s) from any point of access (internet access, USB drives, or other) and to **please contact the DCC ([[dcc@rug.nl|dcc@rug.nl]]) immediately**. +  - Changing password and keyfile(s) does not change the master key of the encryption. The master key is an element of your volume’s header that ensures the correct interpretation of the encrypted data in combination with your password and keyfiles. Should you suspect that someone gained access to your password(s) or keyfile(s), **changing password will not protect your data** if they gained access to the masterkey. In short, having access to the master key is already enough to ensure decryption by brute force methods.  In such a casewe ask you to **disconnect your machine** or your VeraCrypt volume(s) from any point of access (internet access, USB drives, or other) and to **please contact the DCC ([[dcc@rug.nl|dcc@rug.nl]]) immediately**. 
-  - Should you be working on a machine where you **DO NOT** have administrator privileges, we advise you to not use VeraCrypt on it. Find a machine where you are administrator and use that machine. This is because the administrator of a machine you are using might be able to see what you used or what you did with VeraCrypt. They might not have access to your data, but can potentially log your activity. +  - Should you be working on a machine where you **DO NOT** have administrator privileges, we advise you to not use VeraCrypt on it. Find a machine where you are administrator and use that machine. This is because the administrator of a machine you are using might be able to see what you used or what you did with VeraCrypt. They might not have access to your data, but they can potentially log your activity. 
-  -  If you are using keyfiles, you can store them in single copy on a separate device (e.g. a USB stick) for an added layer of security. Please keep in mind that **if you lose the USB stick, you lose access to your data**. We then advise you to have a second back-up USB stick containing the keyfiles for such emergencies. Also, if you have lost the USB stick, your keyfiles need to be changed. Please contact the DCC for this.+  -  If you are using keyfiles, you can store them in single copy on a separate device (e.g. a USB stick) for an added layer of security. Please keep in mind that **if you lose the USB stick, you lose access to your data**. We advise you to have a second backup USB stick containing the keyfiles for such emergencies. Also, if you have lost the USB stick, your keyfiles need to be changed. Please contact the DCC for this.
  
 ++++ ++++
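
Review bot: The added lines in this hunk introduce two new errors and leave the terminology fix incomplete: "In such a casewe ask you" is missing a space, "and makes sure that your password contains" should be "and make sure", and one "masterkey" remains in "if they gained access to the masterkey" while the rest of the item was changed to "master key". In the same item, "having access to the master key is already enough to ensure decryption by brute force methods" is worth rewording while the line is being touched, because it does not say why a password change leaves the master key unchanged and therefore still usable. In the keyfile item, "store them in single copy on a separate device" sits next to the advice to keep a second backup USB stick; say "on a separate device" and let the backup sentence carry the number of copies.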