
Announcement: VeraCrypt PGP key transition

2018-09-12
2025-02-27
  • Mounir IDRASSI

    Mounir IDRASSI - 2018-09-12

    Starting from VeraCrypt version 1.23, we will be using a new PGP key for signing release files and for securing communication to the VeraCrypt email address. The transition statement can be found at https://veracrypt.fr/pgp-key-transition-2018-09-12.txt; it is signed with both the old key and the new key.

    The main difference between the old key and the new key is that we now have separate encryption and signature keys instead of a single key that performs both.

    Below is a reproduction of the transition statement, which contains all the needed information:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512
    
    OpenPGP Key Transition Statement for VeraCrypt Team
    
    Date: September 12th 2018
    
    We have created a new OpenPGP key and will be transitioning away from
    our old key.  The old key has not been compromised and will continue to
    be valid for some time, but we prefer all future correspondence to be
    encrypted to the new key, and will be making signatures with the new
    key going forward starting from 1.23 release.
    
    We would like this new key to be re-integrated into the web of trust.
    This message is signed by both keys to certify the transition.  Our new
    and old keys are signed by each other.  If you have signed our old key,
    we would appreciate signatures on our new key as well, provided that
    your signing policy permits that without re-authenticating us.
    
    The old key, which we are transitioning away from, is:
    
    pub   rsa4096/54DDD393 2014-06-27
          Key fingerprint = 993B7D7E8E413809828F0F29EB559C7C54DDD393
    
    The new key, to which we are transitioning, is:
    
    pub   rsa4096/680D16DE 2018-09-11
          Key fingerprint = 5069A233D55A0EEB174A5FC3821ACD02680D16DE
    
    The entire new key may be downloaded from:
    https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc
    
    The old key can be downloaded from:
    https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key_2014.asc
    
    To fetch the full new key from a public key server using GnuPG, run:
    
    gpg --keyserver keys.gnupg.net --recv-key 5069A233D55A0EEB174A5FC3821ACD02680D16DE
    
    If you already know my old key, you can now verify that the new key is
    signed by the old one:
    
      gpg --check-sigs 5069A233D55A0EEB174A5FC3821ACD02680D16DE
    
    If you are satisfied that you've got the right key, and the User IDs
    match what you expect, we would appreciate it if you would sign our key:
    
      gpg --sign-key 5069A233D55A0EEB174A5FC3821ACD02680D16DE
    
    You can upload your signatures to a public keyserver directly:
    
      gpg --keyserver keys.gnupg.net --send-key 5069A233D55A0EEB174A5FC3821ACD02680D16DE
    
    If you'd like any further verification or have any questions about the
    transition please contact us directly.
    
    To verify the integrity of this statement:
    
      wget -q -O- https://veracrypt.fr/pgp-key-transition-2018-09-12.txt|gpg --verify
    
    VeraCrypt Team
    
    
    -----BEGIN PGP SIGNATURE-----
    
    -----END PGP SIGNATURE-----
    
     
    • William Stoett

      William Stoett - 2025-02-27

      Honestly, I prefer an SHA-256 hash. That's very easy to check, either from within Windows or using 7-zip.

      Windows Command Prompt:
      certutil -hashfile C:\path\to\software.zip SHA256

      Windows PowerShell:
      Get-FileHash -Algorithm SHA256 -Path C:\path\to\software.zip

      If you're concerned about key integrity, there are ways of doing so on a read-only server with high security.

       
  • Mister Chang

    Mister Chang - 2018-10-02

    It doesn't seem that the new key is signed by the old one...

     
    • Mounir IDRASSI

      Mounir IDRASSI - 2018-10-03

      I don't know how you performed the check but you are mistaken because
      the new key is indeed signed with the old key (I performed the key
      ceremony myself!).
      You can check this on all key servers. For example:
      https://pgp.mit.edu/pks/lookup?op=vindex&search=0x821ACD02680D16DE
      In the link above, you will see that the old key has signed the new key
      the same day it was created.

      Moreover, you can also check this locally by running the following
      command on the public key available at
      https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc:

      gpg --list-packets VeraCrypt_PGP_public_key.asc | grep "signature packet"

      One of the lines will be:
      :signature packet: algo 1, keyid EB559C7C54DDD393

      which indicates that the old key (whose 64-bit ID is EB559C7C54DDD393)
      has signed the new key.

      I hope this clarifies any doubts you may have.

       
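Added example (not part of the post or of the VeraCrypt project): the check Mounir describes above, and the statement's "verify that the new key is signed by the old one" step, done on the raw packets instead of grepping `gpg --list-packets` output. It parses a binary OpenPGP key block (an `.asc` file must be de-armored first, e.g. with `gpg --dearmor`) following the RFC 4880 packet layout, collects the issuer key ID from each signature packet's Issuer or Issuer Fingerprint subpacket, and reports whether the old key's ID is among them; the key block it runs on is constructed, not a real VeraCrypt key.

```python
import struct
SIGNATURE, USER_ID, ISSUER, ISSUER_FPR = 2, 13, 16, 33   # packet tags / signature subpacket types used below

def iter_packets(data):
    """Yield (tag, body) for every packet of a binary OpenPGP key block (old- and new-format headers)."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                       # new format: tag in the low 6 bits
            tag, n = ctb & 0x3F, data[i]; i += 1
            if n >= 192:                                     # 2-octet length (255 = 5-octet and 224..254 = partial bodies are not handled)
                n = ((n - 192) << 8) + data[i] + 192; i += 1
        else:                                                # old format: tag in bits 2-5, length-size code in bits 0-1
            tag, size = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 3]   # code 3 (indeterminate) does not occur in key blocks
            n = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + n]
        i += n

def subpackets(area):
    """Yield (type, payload) per signature subpacket; the type's top bit is only the 'critical' flag."""
    i = 0
    while i < len(area):
        n = area[i]; i += 1
        if n >= 192:
            n = ((n - 192) << 8) + area[i] + 192; i += 1
        yield area[i] & 0x7F, area[i + 1:i + n]
        i += n

def signature_issuers(keyblock):
    """Sorted 64-bit issuer key IDs (upper-case hex) taken from every v4 signature packet in the block."""
    issuers = set()
    for tag, body in iter_packets(keyblock):
        if tag != SIGNATURE or body[0] != 4:
            continue
        hlen = struct.unpack(">H", body[4:6])[0]; ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
        for stype, payload in subpackets(body[6:6 + hlen] + body[8 + hlen:8 + hlen + ulen]):   # hashed + unhashed
            if stype == ISSUER:
                issuers.add(payload.hex().upper())
            elif stype == ISSUER_FPR and payload[0] == 4:   # v4 fingerprint: the key ID is its last 8 octets
                issuers.add(payload[-8:].hex().upper())
    return sorted(issuers)

# Constructed sample (no real key material): placeholder key packet, user ID, self-signature, and a
# certification whose Issuer subpacket carries the old VeraCrypt key ID quoted in the thread above.
OLD_KEYID, NEW_KEYID = "EB559C7C54DDD393", "821ACD02680D16DE"
UID = b"Constructed Example <example@example.invalid>"
def _cert_sig(issuer):   # minimal v4 certification (type 0x10, RSA, SHA-512) with one Issuer subpacket and a dummy MPI
    sub = bytes([9, ISSUER]) + bytes.fromhex(issuer)
    body = bytes([4, 0x10, 1, 10]) + struct.pack(">H", len(sub)) + sub + b"\x00\x00" + b"\xAB\xCD\x00\x08\x80"
    return bytes([0xC0 | SIGNATURE, len(body)]) + body

SAMPLE_KEYBLOCK = (bytes([0x99]) + struct.pack(">H", 21) + b"\x04" + b"\x00" * 20   # old-format public-key packet, tag 6
                   + bytes([0xC0 | USER_ID, len(UID)]) + UID + _cert_sig(NEW_KEYID) + _cert_sig(OLD_KEYID))
```

Finding the old key's ID among the issuers only shows that a signature naming that issuer is attached; whether it is genuine is what `gpg --check-sigs`, as in the statement, actually verifies.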
  • Mister Chang

    Mister Chang - 2018-10-04

    I'm unsure what I did wrong too: it all checks out today. Thank you!

     
  • Michael Kankana

    Michael Kankana - 2019-07-05

    Starting from VeraCrypt version 1.23, we will be using a new PGP key for signing release files and for securing communication to VeraCrypt email address. The transition statement can be found at https://veracrypt.fr/pgp-key-transition-2018-09-12.txt which is signed with both the old key and the new key.

    Thanks man, have been using VeraCrypt since always, it's insanely good

     
  • Alex

    Alex - 2021-12-27

    Btw, which PGP key is this one:
    607E5A7AD030D38E5E5C2CA502C30AE90FAE4A6F
    Is this Mounir's personal key ?

     
  • Mounir IDRASSI

    Mounir IDRASSI - 2021-12-27

    @alex2048:
    Yes, the key 0x607E5A7AD030D38E5E5C2CA502C30AE90FAE4A6F is mine and I created it in 2018. It is associated with my 3 main email addresses. For example, you can check it using the query URL below, which will return the same key:
    https://keys.openpgp.org/search?q=mounir.idrassi%40idrix.fr

     
    • Alex

      Alex - 2021-12-27

      Thanks Mounir,
      and congratulations on all your great work!

       
  • Erwin lagu

    Erwin lagu - 2022-01-18

    Good work

     
  • Hisham

    Hisham - 2023-09-11

    Nice work!

     
