Browse to the . g. Select the password and copy it to the clipboard. Oct 11, 2018 | Disk Encryption, YubiKey. Because we're extraordinarily sneaky, our file is in D:mysecretfiles. So I've been planning on buying 2 Yubikey NFC following this setup: Yubikey #1 -> main bitwarden, store account info and TOTPs. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. hey guys, thinking about buying a yubikey and i'm trying to clarify an important detail, if i used the yubikey with veracrypt, would it act as a keyfile in conjunction with my password? meaning that i would still have to put my password in? or does it replace my password completely? meaning that i won't have to put in my password and it automatically puts. With EFS, you can specify the "cache" time between authentication requests. YubiKey products work in tandem with KeePass to backup their password manager with strong, hardware-backed 2-factor authentication. by mario rossi. Storage Encryption on GNU+Linux with ECryptFS. Primary Functions: Secure Static Passwords, Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), Smart Card (PIV-Compatible), OpenPGP, FIDO U2F, FIDO2. Password verification fails with system partition installed in BIOS/MBR. Car il est possible de faire de même avec un disque dur contenant un système d. I’m going to show you step by step how to configure your Yubikey to get the most out of it and set. Biometric. PROTECT ONLINE ACCOUNTS – A hardware password manager, two-factor security key, and file encryption token in one, OnlyKey can keep your accounts safe even if your computer or a website is compromised. This module is based on version 2. I. Pull the SSD out the old laptop and stick it inside the new laptop. Click -> Run. Erstellt mittels VeraCrypt ein neues Volume. efi file on a USB and am trying to edit the BIOS, got the GRUB to boot, looking to change the admin password on the Dell laptop. In order to sign code, you need to know the thumbprint for the certificate you've created. Here is a primer on the TPM basics. VeraCrypt Forums Open source disk encryption with strong security for the Paranoid Brought to you by: idrassi. In this video I will show you how to use a Yubikey for 1 or 2 static passwordsWhenever I open the VeraCrypt Volume Creation Wizard and choose either option "Encrypt a non-system partition/drive" or "Encrypt the system partition or entire system drive", the UI hangs immediately and completely ("Not responding"), without even getting to the very first step of the process. Your YubiKey emulates a keyboard, but it doesn't know what keyboard layout your Windows 10 machine is expecting. Forum to discuss new features that you think should be added to VeraCrypt. This is because the yubihsm-pkcs11. I would like to add that there's one important step omitted here if one want to automount without any PROMPT (and ofc if you dont want to use system favourite). Authenticate using programs such as Microsoft Authenticator or AuthyBitwarden documentation. wireless-networking. This is why ciphers require more rounds with larger keys. in the settings) it uses X. One or more domain controller(s) are missing certificates. Second, Veracrypt is very good at what it does, but the encryption process is about 3 times the rate as bitlocker. CryptoHow the YubiKey works. UNIVERSALLY SUPPORTED – Works with all websites including. The steam secret key is the key you are given that is used by the mobile authenticator in order to generate a OTP every 30 seconds. This is a. It is the. . 123passw0rd -> type '123' long press for static 'passw0rd'. EMC2DATA592 •. By default, however, the key that resides on. Visit Stack ExchangeThe YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols [1] developed by the FIDO Alliance. websites and apps) you want to protect with your YubiKey. Want to know what happen to: Bitlocker partition Veracrypt partition Veracrypt container If there's bad sector appear in the encryption area. Q&A for information security professionals. Anschließend klickt auf Keyfiles. Althought not being officially supported on this platform, YubiKey Manager can be installed on FreeBSD. That being said, it is advised to create a dedicated keyfile using VeraCrypt keyfile generator and then import it into your Yubikey in order to use a keyfile. # SPDX-License-Identifier: MIT-0 # Destroy any old key on the Yubikey (careful!) ykman piv reset # Generate a new private/public key pair on the device, store the public key in # 'pubkey. 1. Con. see that's the thing, the only difference i can see between a keyfile and a yubikey is that a yubikey is easier to lose and harder to copy, so if if's just a keyfile that's. Signal is free and open source software, enabling anyone to verify its security by auditing the code. Get your Yubikey 5C NFC here: (affiliate)At long last, the Yubikey 5C NFC has launched, offering the widest compatibility wit. Privacy X talks about Yubikey by Yubico. 131; asked Dec 8, 2020 at 22:50. Visit Stack ExchangeKey files and YubiKey. It generates one time passwords (OTPs), stores private keys and in general implements different authentication protocols. There is smart card mode in yubikey but i doubt it can store key files. Veracrypt is still the de-facto program, it uses strong encryption algos, provides plausible deniability with hidden storage containers and is. Stack Exchange network consists of 181 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. But it would be great if I could upload keyfiles to my Yubikey (or better yet - generate one onboard) and store them. Select “Encrypt a non-system partition/drive” and click “Next. FIDO2 is a technology / interface on your Yubikey, which stands for Fast IDentity Online. a) In theory yes, although I don't know if Strongbox works with Nitrokeys (they only mention Yubikeys in their support articles AFAIK) b) No. But I’d still like to use the Yubikey to unlock just out of convenience. First, type your prefix, then tap your YubiKey to insert its stored password. e. 복구 디스크 화면에서 '복구 옵션' > '키. The Yubico PIV tool is used for interacting with the Personal Identity Verification (PIV) application on a YubiKey. Native Yubikey support for VeraCrypt. What will be the best opensource software to use with Ubuntu 20. Should you opt to install and use YubiKey Manager on this platform, please. Read about this and join our forum: Link Coming Soonveracrypt algorithms? Best veracrypt algorithms for sensitive files? AES is enough unless you're in super paranoia mode in which case AES (Twofish (Serpent)) is the best choice. YubiKey 5 Series. Place. Just for some clarification what do you meant formatted with veracrypt , do you mean you throw the. OpenSC provides a set of libraries and utilities to work with smart cards. But when it comes to the point where Veracrypt test-reboots my system, I only get a black screen after the screen where it offers me to enter BIOS. This reduces the compatibility issues because it avoids. Click Next -> select Yes, export the private key -> click Next again. The Yubikey would not need to encrypt passwords, just unlock the app;. By definition, while the public key can can derived from the secret key material, you don't need access to the secret key stored on the YubiKey in order to encrypt data that will require the YubiKey to decrypt. In addition to the two "slots" your Yubi can also hold gpg keys. For many months I’ve been using a Yubikey as a staple of my cyber security plan. You are now in admin mode for GPG and should see the following: 1 - change PIN. Enter ykman piv certificates import <slot> <filename> to import your certificate onto your YubiKey. Their "touch-policy=always" feature ensures that in addition to entering the PIN, the. com. I encrypted the drive using veracrypt and a password since day one, no keyfiles. dll's dependencies in the current working directory (ideal if using VeraCrypt portable & want to use yubikey with it). Now I use Authy for all sites that support 2FA. the master password, 3. My drives are all fully system encrypted via VeraCrypt with a PIM in place. Search. Windows is starting. Q&A for information security professionals. Fun and functional - An ideal solution for adding personality and distinguishing your YubiKeys from one another. YubiKey Manager. GameStop Moderna Pfizer Johnson & Johnson AstraZeneca Walgreens Best Buy Novavax SpaceX Tesla. Although not all yubikeys support that mode. Posted in pkcs11, VeraCrypt, yubikey RSA insensitive and extractable private key. Works with YubiKey. You just need to select the virtual key on the database login page. Technical Topics. Veracrypt will then read your Yubikey's imported keyfile, match that with what is stored on the system and then unlock your drive. 3. GitHub), may trigger this behavior if desired. This doc includes guides on setting up your Yubikey with Bitlocker, EFS, Code Signing, Veracrypt, Github commit signing, KeePassXC, SSH/PuTTY and a large variety of other software and technologies. Based on your request " I want to encrypt some files on my hard drive. Under "Security Keys," you’ll find the option called "Add Key. This is slightly less secure since it doesn't require a Yubikey for every access, but my 1Password account needs a Yubikey to access, so I'm OK with it. Click Next -> check Password box -> enter a password for the certificate. The most important is, unfortunately, storing TOTP codes for the above super important accounts that have not implemented FIDO2 / U2F on all platforms (e. Any help you are able to provide would be greatly appreciated!Enable 2FA, Yubikey even better than app 2FA. Type certmgr. Stack Exchange network consists of 181 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. A lot of other encrypting programs can utilize this, too, like VeraCrypt. I'm using 1Password instead of the Yubico Authenticator App because the Yubico app has a hard limit on how many accounts can be stored on a Yubikey. July 25, 2021 Olexandr Siroklyn. It needs to be able to extract the public-key from the smartcard, and to do that through the X. Ensuring your credentials are safe and secure is a vital aspect to the web. Note Streebog and Whirlpool use S-Boxes. veracrypt; yubikey; Firsh - justifiedgrid. Visit Stack ExchangeVeraCrypt is a disk encryption add-on for Windows, Linux and other operating systems. You’re asking a pretty vague question here but yes, it’s safe. In "Manage Bitlocker" - add this pin to system drive. I'm happy to report that it still works. Use the YubiKey Personalization Tool to configure the two slots on your YubiKey on Windows, macOS, and Linux operating systems. Learn how to create a keyfile on the Yubikey token and use it with a PIN and a passphrase to access your Vera Crypt container. Install the YubiKey Personalization Tools. YubiKey Security token Peripheral Computer hardware Computer Information & communications technology Technology comments sorted by Best Top New Controversial Q&A Add a CommentOP a smart card is an actual physical card that can be used to decrypt a VeraCrypt keyfile. I see some people online saying you can use both but I can't find any guides on how to set that up. Visit Stack ExchangeVeraCrypt is a disk encryption add-on for Windows, Linux and other operating systems. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve. There's more than one type of yubikey, and the more advanced ones can be used in several ways. Yubico changes the game for strong authentication, providing superior security with unmatched ease-of-use. c) As long as you keep a backup of the C/R secret in a safe location, you can always buy another Nitrokey or Yubikey and program it with. The YubiHSM 2 is a Hardware Security Module that provides advanced cryptography, including hashing, asymmetric and symmetric key cryptography, to protect the cryptographic keys that secure critical applications, identities, and sensitive data in an enterprise for certificate authorities, databases, code signing and more. The problem is that I have used VeraCrypt to encrypt my. There is no questions in this post (unless you want to correct any misunderstandings after the lessons learned). • 2 yr. If you want added security, use cascading encryption algorithms (e. com. pfx -> click Next, and finally Finish. Watch the video. Yubikey login + full encrypted HD . In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve. But now you have a new problem: how to securely store the passphrase or key for that. Contact support. 满足条件的yubikey: (1)配置YubiKey PIV的密码. e. generate_yubikey_keys. Steam does not provide an easy way to view your steam secret; and they frankly don't want you having it. The YubiKey stores data on a tamper-resistant solid-state chip which is impossible to access non-destructively without an expensive process and a forensics laboratory. If your getting one, get at least 2. AES-serpent-twofish) and not just one (e. Start DiscordTokenProtectorSetup. com. veracrypt; yubikey; Firsh - justifiedgrid. There's more than one type of yubikey, and the more advanced ones can be used in several ways. Stack Exchange network consists of 181 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. Select and copy (CTRL + C) the Thumbprint. Click System > Encrypt System Partition/Drive in the VeraCrypt window to get started. This code is best described as only being useful if you are setting up a Yubikey for someone as the administrator, and then handing the Yubikey over to another person. VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux. EFS on the other hand is much more adamate about ensuring your files are only accessed by the correct people. Changing the PINs for GPG are a bit different. This leaves only 2 usable slots displayed in the Veracrypt dialog. dll is dynamically linked to the libyubihsm*. I have a yubikey 5 NFC and I am wanting to use it with my veracrypt containers I dont know how or where the PKCS #11 Library is and when I do figure it out and I have to reset my PC for any reason Can I get the same Library config. Summary Files Reviews Support Source Code. 1 is the newer “modern” version. The tool works with any currently supported YubiKey. Q&A for information security professionals. All I need to do is boot up the new PC and update a few drivers and everything's working beautifully and I have all my data and I don't have to waste time with configuring Windows from scratch. Since Veracrypt hash is repetead thousands of times, you don't care about speed, you care about algorithms. When prompted, depending on the key, touch the contacts on the sides of the key or the golden ring on. g. For VeraCrypt, unless Veracrypt gets updated to allow you to use it as a PKCS#11, the only way you can use it is to program part of your password into the YubiKey. Printed Information seems to already contain data written by Yubikey Manager if you Generated PIV certificates with it, so may not be a safe place to store keyfiles as it may get overwritten. Stores OTP passwords directly on your Yubikey and displays them in a neat program. Type the following commands: gpg --card-edit. Nie wierzysz? Sprawdź, przeprowadziłem pra. Honestly using this as a PIV smart-card really opens up the doors on what this can do as far as security, and with free utilities like VeraCrypt, not utilizing PIV features like certificate and token storage is just making this go to waste. Click Next -> check Password box -> enter a password for the certificate. any tutorial will be welcomed. Yes, useful to protect the session while logged out but not shut-down. 840. A question and answer about the security implications of using a PKCS #11 keyfile on a YubiKey for Veracrypt volumes. same=>n,Set (DB (THEN YOU CAN ADD INTO ASTERISK DATABASE INFO)) And repeat all these 3 lines of all agents and queues. Official Yubico program which helps manage your Yubikey. Add them in favorites. the benefits of a PKCS #11 keyfile stored on a smartcard such as a YubiKey with. Visit Stack ExchangeYubiOTP is primarily for enterprise use. 3. Years in operation: 2020-present. Veracrypt, yubikey, keyfile . About Press Copyright Contact us Creators Advertise Developers Terms Privacy Policy & Safety How YouTube works Test new features NFL Sunday Ticket Press Copyright. Back in the Hardware Key Configuration screen, tap your newly added Virtual Hardware Key. I am having feature issues with PKCS#11 library files I am trying to use with VeraCrypt keyfiles, a YubiKey 5NFC, and Windows 10. 2. Look, you need to manage backups for your password manager anyway. ago. My GPG key is stored on the yubikey with a backup on an SD card that remains in a safe. In KeePass' dialog for specifying/changing the master key (displayed when. Printed Information seems to already contain data written by Yubikey Manager if you Generated PIV certificates with it, so may not be a safe place to store keyfiles as it may get overwritten. • 2 yr. Make sure your Yubikey is plugged into the USB port on your computer. (e. Now we begin specifying how we’ll be creating our container. Not perfect, but better than nothing. 4. Storage Encryption on GNU+Linux with EncFS. Step 16: rename VeraCrypt encrypted. . 21K subscribers in the yubikey community. 0 answers. The YubiKey then enters the password into the text editor. 1. Yubikey can be used as a one-time password, meaning you're not at as much risk sending the password across a network. Veracrypt says it supports smart card authentication. Releases are signed using the keys listed here. g. Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes”, then “Add”, select “tails” file on backup volume, click “Open”, enter password and, finally, click “Unlock”. SUPPORTS DESKTOP - Designed for desktop and workstation applications, and perfect for call centers and shared workspace environments. If you have no need for things like GPG or PIV, you may never even cross paths with these PINs. GTIN: 5060408464731. Using Yubikey with Veracrypt. YubiKey Bio. However I dont have a TPM chip and I dont have windows 10. GitHub), may trigger this behavior if desired. Open source smart card tools and middleware. If you want to further secure your TOTP, you can add a password to the OATH-TOTP module. Professional Services. The private key is stored on the Yubikey and whenever it is accessed, Yubikey can require a touch action. It will then fill in the password it stores. On Windows I use veracrypt to access this container, on Android I use EDS Lite. 0, but it’s untested. Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes”, then “Add”, select “tails” file on backup volume, click “Open”, enter password and, finally, click “Unlock”. Navigation to Certificates - Current User -> Personal -> Certificates. Step 16: rename VeraCrypt encrypted. Then, you can have the YubiKey Manager generate a random password that can use any valid US keyboard character. Out of those, only the second one ("Printed. Start Veracrypt-encrypted computer. 1. to recover my veracrypt containers?? i would love to know the process on a windows 11. com. Purism is a new player in the security key and multi-factor authentication markets. With the introduction of the Librem Key, Purism joins the ranks of other players—such as Yubico, Google, RSA and so on—in providing hardware tokens for multi-factor authentication. VeraCrypt already supports using smart card and USB tokens through the PKCS#11 interface: the idea is to store keyfiles needed to mount volumes on the smart card or USB token and then VeraCrypt will access these. Yubico Authenticator for iOS is an authenticator app that adds a layer of security for mobile and desktop users. File encryption is a great way to keep files safe from nosy folks or potential thieves. Bitwarden Pricing Chart. To enhance security, EgoSecure’s full disk. Q&A for information security professionals. Keep one in your person and one somewhere safe at home as a back up. It is protected with the PIN-code that must be entered for the. Professional Services. If instead of a keyfile you use a YubiKey, this trojan needs to collect its response instead (a. 0 votes. To deselect the key first key, run key 1. YubiKey 4 for Disk Encryption as part of Your Password with VeraCrypt or BitLocker. Locate your imported certificate and double-click. We’re excited to share an exclusive collaboration with Keyport Inc. This is because pkcs11-tool --test-ec assumes that the same user can both generate a keypair and sign data. Bitlocker may be operating in a lower ring, but VeraCrypt handles data like any other application, and which it's time to safe the mounted volume, it merely updates the file. With this, I still use my Windows username and password but the Yubikey must be inserted to complete the authentication. Im sich öffnenden Dialog klickt auf Add Token Files. Open settings, update and security, device encryption. 1. 1. Focuses on Yubikey GPG interface and explains how GPG works. Insert the YubiKey and press its button. com. Join. And, by definition, you do not need recovery keys on a regular basis. Veracrypt will then read your Yubikey's imported keyfile, match that with what is stored on the system and then unlock your drive. Any file works, like a photo or document. Click Next -> select Browse… -> save the file as bitlocker-certificate. It has been audited by a third party and ALL identified issues related to security have been fixed. Repeat this step with the password confirmation/reentry field. Thus when one of these fails there are still two others that will protect your files. Yubikey #2 -> personal bitwarden -> store TOTPs in Yubikey. to bring high quality YubiKey accessories to Yubico. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not. It is a small usb device that can act like a keyboard. 89 views. This leaves only 2 usable slots displayed in the Veracrypt dialog. I was able to create a container in Windows with the Veracrypt GUI, and then open it on the server. PKCS#11/MiniDriver/TokendUsing the Yubikey 5 series, learn exactly how to setup and use your 2FA key not just as a key, but also as an authenticator. There was a quite fresh discussion and no “how to ways” had been provided, but a way exist. 3. VeraCrypt-Volume mit YubiKey-Schlüsseldatei erstellen. VeraCrypt是一个不错的加密软件,基于trueCrypt的后续版本。. VeraCrypt is a free disk encryption software brought to you by IDRIX (and based on TrueCrypt 7. . Is it possible to use a security key like Yubikey 5 NFC to encrypt 100% of my SSD /boot with VeraCrypt then Login dual-boot with that security key? I would like to dual-boot and Login my full encrypted disk only one time then, to choose what I want to run between Windows 10 or Ubuntu 20. d. only has the option for one password*Except from YubiKey NEO. 2. This procedure and script is for managing an encrypted veracrypt filesystem with a yubikey NFC 5 device. 3 or higher) ; Computer running macOS Catalina or Big Sur Caveats ; When copy/pasting commands that start with $, strip out $ as this character is not part of the command YubiKey personalization tools. The main bitwarden will store accounts from websites like Steam, Dropbox, Gmail, Epic Games, etc. Summary Files Reviews Support Source Code Forums Tickets. OpenSC and therefore Veracrypt can’t write any information to Yubikey. Visit Stack ExchangeThe RSA public and private keys at the YubiKey PIV are static and do not change. Yubico PIV Tool. g. Step 15: mount VeraCrypt encrypted volume. Buy $80 Mooltipass, which can store multiple static. The new functionality in PIV Tool 2. Right now I'm connecting on my Windows with my Yubikey with Yubikey Login. com. Yubico Login for Windows is only compatible with machines built on the x86 architecture. In the bag was an SSD that contains a Veracrypt container, secured by a 50 character randomly generated passphrase. 509 certificate. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. When TrueCrypt controversially closed up shop, they recommended their users. The form and ID of the data are detailed in the PIV Specification SP 800-73-4. Wpa PTK and GTK in detail. Two-step Login. YKCS11. One of the coolest features of the Yubikey is authenticating SSH sessions via PKCS#11. This has always been part of long term objective for VeraCrypt but it has not been implemented yet because of the amount of. pfx file. I can exit that black screen by pressing ESC, and the system boots normally, but then it tells me that the test. YubiKey Security token Peripheral Computer hardware Computer Information & communications technology Technology comments sorted by Best Top New Controversial Q&A Add a Comment OP a smart card is an actual physical card that can be used to decrypt a VeraCrypt keyfile. 9. Insert the device key. So it has to be a full exact-looking replica of Yubikey, thus raising the bar even more. Yubico Authenticator for iOS released. Every time you attempt to mount your encrypted drive, you will choose the keyfile option and then select your Yubikey as an authentication method. I´m pretty happy with the regular use cases like adding security to my password manager and my google account, but now I´m wondering if the yubikey might be usable for my encrypted container as well. – Adam Katz Focuses on Yubikey GPG interface and explains how GPG works. ksnyder23. g. 0 answers. Q&A for information security professionals. Inside is a backup of my Bitwarden vault. Insert the YubiKey and press its button. Want to know what happen to: Bitlocker partition Veracrypt partition Veracrypt container If there's bad sector appear in the encryption area. Setup. 67. You can also use the tool to check the type and firmware. fr ). Option 3: Full disk encryption (encrypted /boot) with password. 131; asked Dec 8, 2020 at 22:50. 拔掉Yubikey 证书还在,密钥当然还在Yubikey上. I agree that VeraCrypt is a great solution (I think I mentioned it), but a caveat needs to be stated for Cryptomator - it will encrypt files stored on a cloud vault, but typically the source. In part #2, I'll show how to use the Yubikey as a secure password generator. Start with having your YubiKey (s) handy. I know PIV and OpenPGP are separate standards and independent applications in the YubiKey, but for newcomers like me they look very similar with their signing, encryption and authentication keys, use. 2. Q&A for information security professionals. 👍. What I'm looking to accomplish: -Encrypt the drive with software that is both multi-platform for Windows and Android. then the Titan gives you 250 passkey slots, vs Yubikey's cheaper security key offering 25 slots for resident keys. Is there a way to use yubikey with Veracrypt other than static passwords ? I'd like yubikey to be a second factor authentication for containers. r/yubikey • In plain 2023, the state of security keys is. Do things like import x509 certificates / keypairs to your Yubikey. If this does. Download and install VeraCrypt (from veracrypt. 49k views. 4. p12). networking. " Now the moment of truth: the actual inserting of the key. Step 1: Install Software. Forum to discuss technical issues or implementation details. Download VeraCrypt, install and run it, then click ‘Create Volume’ on the main screen. Ahmed Can Unbay. wireshark. These are going to be more expensive than the cloud encryptions, but like everything else in life, you get what you pay for. Visit Stack ExchangeQ&A for information security professionals. Depends on your threats. Mount partitions using their keys. That backup includes a lot of other recovery keys, such as 2FA recovery for the password manager itself. 喜欢这篇文章的可以点个赞!YubiKey Bio: Yubico announced they are working on a FIDO2 security key with an integrated fingerprint reader. $95 USD. Why is the item that allows you to. Since Veracrypt is the latter, there's no reason to expand the key space. g. 4.