Can I run VeraCrypt if I don’t install it?
Yes, see the chapter Portable Mode.
Some encryption programs use TPM to prevent attacks. Will VeraCrypt use it too?
No. Those programs use TPM to protect against attacks that require the attacker to have
administrator privileges, or physical access to the computer, and the attacker needs you to use the
computer after such an access. However, if any of these conditions is met, it is actually
impossible to secure the computer (see below) and, therefore, you must stop using it (instead of
relying on TPM).
If the attacker has administrator privileges, he can, for example, reset the TPM, capture the content
of RAM (containing master keys) or content of files stored on mounted VeraCrypt volumes
(decrypted on the fly), which can then be sent to the attacker over the Internet or saved to an
unencrypted local drive (from which the attacker might be able to read it later, when he gains
physical access to the computer).
If the attacker can physically access the computer hardware (and you use it after such an access),
he can, for example, attach a malicious component to it (such as a hardware keystroke logger) that
will capture the password, the content of RAM (containing master keys) or content of files stored on
mounted VeraCrypt volumes (decrypted on the fly), which can then be sent to the attacker over the
Internet or saved to an unencrypted local drive (from which the attacker might be able to read it
later, when he gains physical access to the computer again).
The only thing that TPM is almost guaranteed to provide is a false sense of security (even the
name itself, “Trusted Platform Module”, is misleading and creates a false sense of security). As for
real security, TPM is actually redundant (and implementing redundant features is usually a way to
create so-called bloatware). Features like this are sometimes referred to as ‘security theater’ [6].
For more information, please see the sections Physical Security and Malware.
Why does Windows Vista (and later versions of Windows) ask me for permission to run
VeraCrypt every time I run it in ‘portable’ mode?
When you run VeraCrypt in portable mode, VeraCrypt needs to load and start the VeraCrypt device
driver. VeraCrypt needs a device driver to provide transparent on-the-fly encryption/decryption, and
users without administrator privileges cannot start device drivers in Windows. Therefore, Windows
Vista and later versions of Windows ask you for permission to run VeraCrypt with administrator
privileges.
Note that if you install VeraCrypt on the system (as opposed to running VeraCrypt in portable
mode), you will not be asked for permission every time you run it.
Do I have to dismount VeraCrypt volumes before shutting down or restarting Windows?
No. VeraCrypt automatically dismounts all mounted VeraCrypt volumes on system
shutdown/restart.
