Replies: 2 comments 5 replies
-
|
Regarding containers, Windows can also do this natively with the EFS feature (mentioned in the article but link is offline atm). Alternative: There is therefore no reason to use an external program for encryption. Thanks for the feedback! 🍺 |
Beta Was this translation helpful? Give feedback.
-
|
Perfect, I think this will clarify things a lot for readers. Happy to help, I'll do what I can to help out going forward. Cheers 🍷 |
Beta Was this translation helpful? Give feedback.
-
|
See also https://github.com/beerisgood/Windows11_Hardening/blob/master/why%20not%20to%20use%20TrueCrypt-Veracrypt for added info 🍺 |
Beta Was this translation helpful? Give feedback.
-
File not found :/ But yeah, I was coming to the Discussions page to say the same thing as OP: It seems like Veracrypt works just fine for encrypting folders and drives; it just shouldn't be used for the OS drive, and the Readme is misleading in this regard. |
Beta Was this translation helpful? Give feedback.
-
|
Correct link is: https://github.com/beerisgood/Windows11_Hardening/blob/master/TrueCrypt-VeraCrypt |
Beta Was this translation helpful? Give feedback.
-
|
You need to preface that this Windows hardening project of yours is not recommended to follow and that you are not an expert in the subject. EFS is only as strong as the users password, and there are many other EFS vulnerabilities you would find by simply researching. Additionally, VeraCrypt with secure boot enabled: https://www.veracrypt.fr/code/VeraCrypt-DCS/tree/SecureBoot/readme.txt |
Beta Was this translation helpful? Give feedback.
-
so then why not provide sources for that statement?
adding more attack surface isn’t how security works.
I’m sure you are. |
Beta Was this translation helpful? Give feedback.
-
I realize that the reason for recommending against VeraCrypt is how using it for OS FDE breaks the chain of trust, and that the linked section of the guide explains this, but it might be useful to some readers to make the specificity of this claim more explicit, since the same consideration doesn't necessarily diminish the value of VeraCrypt for creating encrypted storage containers. As written, some readers might take away the lesson "avoid VeraCrypt as such" rather than "avoid VeraCrypt for OS FDE."
As an aside, love the project, I'm going to be sharing it with people when they want real advice rather than cargo-cult "privacy/security" advice.
Beta Was this translation helpful? Give feedback.
All reactions