17
How does Veracrypt work?
(lemmy.ca)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 01 Jun 2026
17 points (100.0% liked)
Asklemmy
54458 readers
468 users here now
A loosely moderated place to ask open-ended questions
Search asklemmy ๐
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- !lemmy411@lemmy.ca: a community for finding communities
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~
founded 7 years ago
MODERATORS
This is a reasonable way to do it HOWEVER this only protects you against data loss in case of a lost USB stick. If attackers get access to the stick and place it back into your possession afterwards, they can manipulate the portable veracryp so you will run their malware to decrypt the data. The malicious veracryp could then either save the password you entered (hidden somewhere on the USB for the attacker after they steal the stick again) or just upload the whole decrypted data to an attacker server.
If you use the portable veracryp you need to make sure it has not been tampered with.
Well actually decrypting the data on any device you do not trust is risky for the same reason. If veracryp is installed on a machine you still have to trust the person that owns that machine to not have manipulated it or to not have been a victim of malware themselves.
TL:DR decrypting the data on any device you don't control yourself is risky and optimally you could install veracrypt on any device you control.
Ah ok, thank you for letting me know. I'll keep that in mind. Thank you.
this is a very specialized attack, your threat model needs to be way higher than the average joe for someone to do such a precision strike on this, all keeping in mind that you lose your stick.
Why does OP have a stick with encrypted data if they do not care about its security?
Yes, maybe its just the porn collection that they don't want others to see, but maybe its actually important stuff.
I think it is important to inform people about the ways their security can be circumvented and if somebody gives security advice its important to inform people if that advice contains flaws.
OP should know about the potential risks and then decide themselves if that is acceptable to them.
And when talking about encryption, people often forget, that the best way to break it is to never attack the encryption, but attack the way people interact with the unencrypted data.
OP should know about the dangers of decrypting their USB with software that could be manipulated.
Is all that overkill in 95% of cases? Probably? Do we know OP isn't in the 5% where it matters? No.
Maybe they want to hide something from someone in their household who has frequent access to the USB stick. Maybe they are a journalist that might get searched by police/airport security ... we do not know and we shouldn't make assumptions about their threat model.
That's why I started the comment with "reasonable approach"
i dont disagree, but if you don't mention stuff like threat model to n00bs they end up thinking they need to only communicate telepathically in order to not get spied on. every attack is possible, just not for every threat model, for example a very sophisticated js attack wouldnt be used on the wild, but more likely targetted on a specific individual because once it's known it's fixed and you can't use it. it's worthy so you use it on a worthy individual.