The password in VeraCrypt is used to en-/decrypt a header that contains a master key, which is used to en-/decrypt the data.

I know that I can change the password, which will not change the master key and thus be quite fast. But if I have the suspicion that someone gained access to my header and is able to crack my password, he will be able to use the master key to decrypt my data even after I changed my password.

So, how can I also change the master key, which will include a complete recoding of the container/volume and thus may take some time?

stackprotector

1 Answer

As per the documentation, it is currently not possible to change the master key "on-the-fly":

[...] create a new VeraCrypt volume and move files from the old volume to the new volume (the new volume will have a different master key).

So, to change the master key, you actually have to create a new volume/container, which will have a different master key, move your files from the old to the new volume/container and securely delete the old volume/container afterwards.

This is, in particular, not very handy if you want to change the master key of your fully encrypted system disk.

stackprotector
  • Why is this not very handy? Do you have a better solution? Changing the master key on the fly requires the two keys and a layer that keeps track of the changed sectors and so on. What if there is a crash, etc.? It is not impossible to write; however, this is more convenient. Instead of on the fly, I prefer more secure code. – kelalaka Sep 17 '21 at 16:05
  • Well, you can use your computer to migrate from one USB drive to another, but you need another computer with the ability to connect two, e.g., SATA disks to perform the migration of your computer. Or boot from a live CD, if you can connect a second SSD/HDD. That's what I consider not very handy. If I was aware of another solution, you would have read about it here. – stackprotector Sep 17 '21 at 16:52
  • In the first place, why does one need to change the master key? They need to since their password was weak. Then one needs to talk about the risks. Is the computer connected to the internet? If not, just changing the password is a simple solution. If you consider that someone attacked your online computer and stole the header, then you have more serious problems like key loggers etc. People should stick to the usual advice: use strong passwords, like Diceware-generated ones. The master key itself is secure to protect the encryption, but your weak password is not. For SATA, yes, that is a bit costly. – kelalaka Sep 17 '21 at 17:18
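
A toy model of the header/master-key relationship discussed in this thread, added as an illustration and not taken from the posts or from VeraCrypt's code; the stand-in cipher, the header layout and all function names are assumptions made for the example. It shows that a header copy taken before a password change still opens the data, while a newly created volume with its own master key does not.

```python
import hashlib, hmac, os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode), a stand-in for the real disk cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def _kek(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 10_000, 32)  # low count: demo only

def wrap_header(password: str, master_key: bytes) -> dict:
    salt = os.urandom(16)
    kek = _kek(password, salt)
    ct = _xor_stream(kek, salt, master_key)
    return {"salt": salt, "ct": ct, "tag": hmac.new(kek, ct, hashlib.sha256).digest()}

def unwrap_header(password: str, header: dict):
    kek = _kek(password, header["salt"])
    if not hmac.compare_digest(hmac.new(kek, header["ct"], hashlib.sha256).digest(), header["tag"]):
        return None  # wrong password for this header
    return _xor_stream(kek, header["salt"], header["ct"])

def create_volume(password: str, plaintext: bytes) -> dict:
    master_key, nonce = os.urandom(32), os.urandom(16)  # fresh master key per volume
    return {"header": wrap_header(password, master_key), "nonce": nonce,
            "data": _xor_stream(master_key, nonce, plaintext)}

def change_password(volume: dict, old: str, new: str) -> None:
    master_key = unwrap_header(old, volume["header"])
    if master_key is None:
        raise ValueError("wrong password")
    volume["header"] = wrap_header(new, master_key)  # data area is not touched

def read_volume(volume: dict, header: dict, password: str):
    master_key = unwrap_header(password, header)
    return None if master_key is None else _xor_stream(master_key, volume["nonce"], volume["data"])

def demo():
    files = b"constructed sample data"
    vol = create_volume("old-password", files)
    old_header = dict(vol["header"])  # header copy taken before the password change
    change_password(vol, "old-password", "new-password")
    after_change = read_volume(vol, old_header, "old-password")  # old header still works
    new_vol = create_volume("new-password", read_volume(vol, vol["header"], "new-password"))
    after_migration = read_volume(new_vol, old_header, "old-password")  # yields garbage
    return files, after_change, after_migration
```
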