|F r e q u e n t l y A s k e d Q u e s t i o n s|
Last Updated September 9, 2013
This document is not guaranteed to be error-free and is provided "as is" without warranty of any kind. For more information, see Disclaimers.
We have not implemented any 'backdoor' in TrueCrypt (and will never implement any even if asked to do so by a government agency), because it would defeat the purpose of the software. TrueCrypt does not allow decryption of data without knowing the correct password or key. We cannot recover your data because we do not know and cannot determine the password you chose or the key you generated using TrueCrypt. If you follow the security requirements listed in this chapter of the documentation, then (to our best knowledge) the only way to recover your files is to try to "crack" the password or the key, but it could take thousands or millions of years (depending on the length and quality of the password or keyfiles, on the software/hardware performance, algorithms, and other factors). If you find this hard to believe, consider the fact that even the FBI was not able to decrypt a TrueCrypt volume after a year of trying.
Yes. The first chapter, Beginner's Tutorial, in the TrueCrypt User Guide contains screenshots and step-by-step instructions on how to create, mount, and use a TrueCrypt volume.
Yes, see the chapter System Encryption in the TrueCrypt User Guide.
Yes, TrueCrypt-encrypted volumes are like normal disks. You provide the correct password (and/or keyfile) and mount (open) the TrueCrypt volume. When you double click the icon of the video file, the operating system launches the application associated with the file type – typically a media player. The media player then begins loading a small
portion of the video file from the TrueCrypt-encrypted volume to RAM (memory) in order to play it. While the portion is being loaded, TrueCrypt is automatically decrypting it (in RAM). The decrypted portion of the video (stored in RAM) is then played by the media player. While this portion is being played, the media player begins loading another small portion of the video file from the TrueCrypt-encrypted volume to RAM (memory) and the process repeats.
Yes, it will. We will never create a commercial version of TrueCrypt, as we believe in open-source and free security software.
Please see http://www.truecrypt.org/donations/
As the source code for TrueCrypt is publicly available, independent researchers can verify that the source code does not contain any security flaw or secret 'backdoor'. If the source code were not available, reviewers would need to reverse-engineer the executable files. However, analyzing and understanding such reverse-engineered code is so difficult that it is practically impossible to do (especially when the code is as large as the TrueCrypt code).
Yes. In fact, the source code is constantly being reviewed by many independent researchers and users. We know this because many bugs and several security issues have been discovered by independent researchers (including some well-known ones) while reviewing the source code.
Yes, they can. In addition to reviewing the source code, independent researchers can compile the source code and compare the resulting executable files with the official ones. They may find some differences (for example, timestamps or embedded digital signatures) but they can analyze the differences and verify that they do not form malicious code.
You have two options:
Yes. The entire file system within a TrueCrypt volume is encrypted (including file names, folder names, and contents of every file). This applies to both types of TrueCrypt volumes – i.e., to file containers (virtual TrueCrypt disks) and to TrueCrypt-encrypted partitions/devices.
Yes. Increase in encryption/decryption speed is directly proportional to the number of cores/processors your computer has. For more information, please see the chapter Parallelization in the documentation.
Yes, TrueCrypt volumes are independent of the operating system. You will be able to mount your TrueCrypt volume on any computer on which you can run TrueCrypt (see also the question 'Can I use TrueCrypt on Windows if I do not have administrator privileges?').
Before you unplug or turn off the device, you should always dismount the TrueCrypt volume in TrueCrypt first, and then perform the 'Eject' operation if available (right-click the device in the 'Computer' or 'My Computer' list), or use the 'Safely Remove Hardware' function (built in Windows, accessible via the taskbar notification area). Otherwise, data loss may occur.
Yes, TrueCrypt volumes are independent of the operating system. However, you need to make sure your operating system installer does not format the partition where your TrueCrypt volume resides. Some users reported that Windows installers sometimes format TrueCrypt-encrypted partitions when installing/upgrading Windows. Therefore, we recommend that you physically disconnect all drives containing such partitions before installing/upgrading Windows (you can reconnect them when Windows has been installed/upgraded).
Generally, yes. However, before upgrading, please read the release notes for all versions of TrueCrypt that have been released since your version was released. If there are any known issues or incompatibilities related to upgrading from your version to a newer one, they will be listed in the release notes.
Generally, you can upgrade to the latest version without decrypting the system partition/drive (just run the TrueCrypt installer and it will automatically upgrade TrueCrypt on the system). However, before upgrading, please read the release notes for all versions of TrueCrypt that have been released since your version was released. If there are any known issues or incompatibilities related to upgrading from your version to a newer one, they will be listed in the release notes. Note that this FAQ answer is also valid for users of a hidden operating system. Also note that you cannot downgrade TrueCrypt if the system partition/drive is encrypted.
Yes (as of TrueCrypt 6.1). To do so, boot the encrypted system, start TrueCrypt, select Settings > System Encryption, enable the option 'Do not show any texts in the pre-boot authentication screen' and click OK. Then, when you start the computer, no texts will be displayed by the TrueCrypt boot loader (not even when you enter the wrong password). The computer will appear to be "frozen" while you can type your password. It is, however, important to note that if the adversary can analyze the content of the hard drive, he can still find out that it contains the TrueCrypt boot loader.
Yes (as of TrueCrypt 6.1). To do so, boot the encrypted system, start TrueCrypt, select Settings > System Encryption, enable the option 'Do not show any texts in the pre-boot authentication screen' and enter the fake error message in the corresponding field (for example, the "Missing operating system" message, which is normally displayed by the Windows boot loader if it finds no Windows boot partition). It is, however, important to note that if the adversary can analyze the content of the hard drive, he can still find out that it contains the TrueCrypt boot loader.
Yes. To do so, follow these steps:
For more information, see the chapter System Favorite Volumes.
Yes. To do so, follow these steps:
Then, when you log on to Windows, you will be asked for the volume password (and/or keyfiles) and if it is correct, the volume will be mounted.
Note: TrueCrypt will not prompt you for a password if you have enabled caching of the pre-boot authentication password (Settings > 'System Encryption') and the volumes use the same password as the system partition/drive.
Yes. For example, if you have a TrueCrypt container on a USB flash drive and you want TrueCrypt to mount it automatically when you insert the USB flash drive into the USB port, follow these steps:
Then, when you insert the USB flash drive into the USB port, you will be asked for the volume password (and/or keyfiles) (unless it is cached) and if it is correct, the volume will be mounted.
Yes. Select Settings > 'System Encryption' and enable the following option: 'Cache pre-boot authentication password in driver memory'.
Yes. This can be achieved by running TrueCrypt in portable mode under BartPE or in a similar environment. BartPE stands for "Bart's Preinstalled Environment", which is essentially the Windows operating system prepared in a way that it can be entirely stored on and booted from a CD/DVD (registry, temporary files, etc., are stored in RAM – hard drive is not used at all and does not even have to be present). The freeware Bart's PE Builder can transform a Windows XP installation CD into a BartPE CD. Note that you do not even need any special TrueCrypt plug-in for BartPE. Follow these steps:
Yes, TrueCrypt supports all keyboard layouts.
Yes. You can write data to the decoy system partition anytime without any risk that the hidden volume will get damaged (because the decoy system is not installed within the same partition as the hidden system). For more information, see the section Hidden Operating System in the documentation.
Yes, but the following conditions must be met:
No. Those programs use TPM to protect against attacks that require the attacker to have administrator privileges, or physical access to the computer, and the attacker needs you to use the computer after such an access. However, if any of these conditions is met, it is actually impossible to secure the computer (see below) and, therefore, you must stop using it (instead of relying on TPM).
No. TrueCrypt automatically dismounts all mounted TrueCrypt volumes on system shutdown/restart.
File containers are normal files so you can work with them as with any normal files (file containers can be, for example, moved, renamed, and deleted the same way as normal files). Partitions/drives may be better as regards performance. Note that reading and writing to/from a file container may take significantly longer when the container is heavily fragmented. To solve this problem, defragment the file system in which the container is stored (when the TrueCrypt volume is dismounted).
See the question 'Is it possible to change the file system of an encrypted volume?'
Yes, when mounted, TrueCrypt volumes can be formatted as FAT12, FAT16, FAT32, NTFS, or any other file system. TrueCrypt volumes behave as standard disk devices so you can right-click the device icon (for example in the 'Computer' or 'My Computer' list) and select 'Format'. The actual volume contents will be lost. However, the whole volume will remain encrypted. If you format a TrueCrypt-encrypted partition when the TrueCrypt volume that the partition hosts is not mounted, then the volume will be destroyed, and the partition will not be encrypted anymore (it will be empty).
Yes. However, if you need to mount a TrueCrypt volume that is stored on a read-only medium (such as a CD or DVD) under Windows 2000, the file system within the TrueCrypt volume must be FAT (Windows 2000 cannot mount an NTFS file system on read-only media).
Yes, the password change dialog works both for standard and hidden volumes. Just type the password for the hidden volume in the 'Current Password' field of the 'Volume Password Change' dialog.
Remark: TrueCrypt first attempts to decrypt the standard volume header and if it fails, it attempts to decrypt the area within the volume where the hidden volume header may be stored (if there is a hidden volume within). In case it is successful, the password change applies to the hidden volume. (Both attempts use the password typed in the 'Current Password' field.)
No, TrueCrypt never uses an output of a hash function (nor of a HMAC algorithm) directly as an encryption key. See the section Header Key Derivation, Salt, and Iteration Count in the documentation for more information.
Yes, TrueCrypt volumes behave like real physical disk devices, so it is possible to use any filesystem checking/repairing/defragmenting tools on the contents of a mounted TrueCrypt volume.
Yes, it does. Note: 64-bit versions of Windows load only drivers that are digitally signed with a digital certificate issued by a certification authority approved for issuing kernel-mode code signing certificates. TrueCrypt complies with this requirement (the TrueCrypt driver is digitally signed with a digital certificate of the TrueCrypt Foundation, which was issued by the certification authority GlobalSign).
Yes, TrueCrypt volumes are fully cross-platform.
In encrypted data, one corrupted bit usually corrupts the whole ciphertext block in which it occurred. The ciphertext block size used by TrueCrypt is 16 bytes (i.e., 128 bits). The mode of operation used by TrueCrypt ensures that if data corruption occurs within a block, the remaining blocks are not affected. See also the question 'What do I do when the encrypted filesystem on my TrueCrypt volume is corrupted?
File system within a TrueCrypt volume may become corrupted in the same way as any normal unencrypted file system. When that happens, you can use filesystem repair tools supplied with your operating system to fix it. In Windows, it is the 'chkdsk' tool. TrueCrypt provides an easy way to use this tool on a TrueCrypt volume: Right-click the mounted volume in the main TrueCrypt window (in the drive list) and from the context menu select 'Repair Filesystem'.
Yes. Note that there is no "backdoor" implemented in TrueCrypt. However, there is a way to "reset" volume passwords/keyfiles and pre-boot authentication passwords. After you create a volume, back up its header to a file (select Tools -> Backup Volume Header) before you allow a non-admin user to use the volume. Note that the volume header (which is encrypted with a header key derived from a password/keyfile) contains the master key with which the volume is encrypted. Then ask the user to choose a password, and set it for him/her (Volumes -> Change Volume Password); or generate a user keyfile for him/her. Then you can allow the user to use the volume and to change the password/keyfiles without your assistance/permission. In case he/she forgets his/her password or loses his/her keyfile, you can "reset" the volume password/keyfiles to your original admin password/keyfiles by restoring the volume header from the backup file (Tools -> Restore Volume Header).
Provided that you comply with the terms and conditions of the TrueCrypt License, you can install and run TrueCrypt free of charge on an arbitrary number of your computers.
Yes, to free the drive letter follow these steps:
Yes, but you will need to remove the drive letter assigned to the device. For information on how to do so, see the question 'I encrypted a non-system partition, but its original drive letter is still visible in the 'My Computer' list.'
Yes, the documentation is contained in the file TrueCrypt User Guide.pdf that is included in all official TrueCrypt distribution packages. Note that you do not have to install TrueCrypt to obtain the PDF documentation. Just run the self-extracting installation package and then select Extract (instead of Install) on the second page of the TrueCrypt Setup wizard. Also note that when you do install TrueCrypt, the PDF documentation is automatically copied to the folder to which TrueCrypt is installed, and is accessible via the TrueCrypt user interface (by pressing F1 or choosing Help > User's Guide).
Remark: to "wipe" = to securely erase; to overwrite sensitive data in order to render them unrecoverable.
Please search the TrueCrypt documentation and website.
Legal Notices • Sitemap • Search