Skip to content

Migrate TrueCrypt to VeraCrypt on macOS

As of macOS 10.15 Catalina, I could no longer use TrueCrypt 7.1a because it does not support 64-bit and Catalina is 64-bit only. Looking for an alternative, I found VeraCrypt, which was forked from TrueCrypt.

Install VeraCrypt

Here’s how I installed VeraCrypt on my macOS 12 Monterey MacBook:

  1. Install macFUSE (previously known as OSXFUSE). Thankfully, the latest macFUSE 4.2.4 version supports macOS 12 Monterey.
    1. After the installation completes, you will see this message: ‘System software from developer “Benjamin Fleischer” was blocked from loading.’
    2. Open System Preferences, Security & Privacy, General tab, unlock the bottom-left “Click the lock to make changes”, and click the Allow button on the bottom-right.
    3. You will be prompted to restart.
  2. Install VeraCrypt. (VeraCrypt version 1.25 or later supports macOS 12 Monterey. Version 1.25.7 is the latest.)

Convert TrueCrypt Volume to VeraCrypt

While VeraCrypt does support TrueCrypt volumes, I decided to convert to a VeraCrypt volume to avoid any compatibility issues now or in the future. (There are claims that VeraCrypt cannot open very old TrueCrypt versions.)

To make a clean start, I thought to mount the old TrueCrypt volume file (a.k.a. encrypted file container), create a new VeraCrypt volume file, and then copy from the former to the latter. Unfortunately, I am unable to use TrueCrypt on my macOS 12 Monterey machine.

Thankfully, VeraCrypt as of version 1.0f supports converting TrueCrypt volume files and non-system partitions to VeraCrypt volumes. One can do so by performing one of the following:

  • Change Volume Password
  • Set Header Key Derivation Algorithm
  • Add/Remove key files
  • Remove all key files

Because my TrueCrypt volume file does not use key files and I don’t want to change the password, I will use the “Set Header Key Derivation Algorithm” option. This option will also allow me to change to a more secure hash algorithm, from RIPEMD-160 to SHA-512. (Whirlpool is also a good choice for hash algorithm, but SHA-512 is used by the Gubbermint!)

Note: The AES-256 encryption algorithm I used for my TrueCrypt volume file is still good. As long as a strong password (of at least 14 characters) is used, AES-256 is pretty secure. Unfortunately, none of the conversion options above provide a method to change the encryption algorithm.

Here’s how I converted my password-protected TrueCrypt volume file to VeraCrypt:

  1. Run the VeraCrypt app.
  2. At the bottom, click on the “Select File…” Button and choose the TrueCrypt volume file.
  3. Click the “Volume Tools” button (near bottom-right) and choose the “Set Header Key Derivation Algorithm…” option.
  4. The “Set Header Key Derivation Algorithm” dialog will appear:
    1. Input the password.
    2. Make sure that the “TrueCrypt Mode” option is checked. (The “TrueCrypt Mode” option is enabled by default because my volume file name uses the TrueCrypt “.tc” file extension.)
    3. On the bottom “new” section, change “PKCS-5 PRF” from “Unchanged” to “HMAC-SHA-512”. (Doing this will change the hash algorithm.)
    4. Click the OK button.
  5. The “VeraCrypt – Random Pool Enrichment” dialog will appear:
    1. Inside the dialog window, drag your mouse around by moving it randomly while holding down the left-click. (Or do a “three finger drag” if you have that configured.)
    2. Once the “Randomness Collected From Mouse Movements” progress bar is full, click on the Continue button. (Note that clicking the top-left red X icon is the same as clicking Continue. It does not do a cancel.)
    3. It took less than 30 seconds to convert my 512MB TrueCrypt volume file.
  6. Change the volume file’s extension from “.tc” to “.hc”. (VeraCrypt’s file extension is “.hc”. When opening “.hc” files, VeraCrypt will not enable the “TrueCrypt Mode” option by default.)
  7. Select the renamed volume file and click on the bottom-left Mount button.
  8. Input the password. (The “TrueCrypt Mode” option should not be checked.)
  9. The volume file will be mounted as a new drive.
Leave a Reply

Your email address will not be published.