Full support for custom screen DPI settings.  (Windows, GUI)

Fixed bug that in some cases caused the 'Safely Remove Hardware' function to fail.

In Windows Vista, it is now possible to read data from file-hosted TrueCrypt volumes located on UDF-formatted media mounted in read-only mode.

All Volume Creation Wizard GUI elements are now correctly displayed on systems with custom DPI settings.  (Windows, GUI)

Linux: When running without administrator privileges, TrueCrypt automatically attempts to elevate its access rights (if necessary) using the sudo command. The Linux version of TrueCrypt no longer supports the set-euid root mode of execution. These changes also prevent all discovered and undiscovered (if any) security issues related to the set-euid root mode of execution, including an issue affecting all previous Linux versions of TrueCrypt where a local non-administrator user could cause a denial of service or gain administrator privileges.

If dismount is forced on a TrueCrypt volume when TrueCrypt runs in portable mode, the TrueCrypt driver will not be unloaded when TrueCrypt exits (it will be unloaded only when the system is restarted or shut down). This prevents various problems caused by a bug in Windows (for instance, it would be impossible to start TrueCrypt again as long as there are applications using the dismounted volume).  (Windows)

Full compatibility with 32-bit and 64-bit Windows Vista:

TrueCrypt volume is automatically dismounted if its host device is inadvertently removed.

Important: Before you physically remove a device (such as a USB flash drive) where a mounted TrueCrypt volume resides, you should always dismount the volume in TrueCrypt first, and then perform the 'Eject' operation (right-click the host device in the 'Computer' or 'My Computer' list) or use the 'Safely Remove Hardware' function (built in Windows, accessible via the taskbar notification area).

Ability to write data to file-hosted volumes located on devices that use a sector size other than 512 bytes (e.g., new hard drives, DVD-RAM, some MP3 players and USB flash drives, etc.)

Support for devices with a GPT partition table (GUID partitions).  (Windows Vista/2003/XP)

After a partition is successfully encrypted, the drive letter assigned to it (if any) is automatically removed.  (Windows)

Volume name (label) is displayed in device/partition selector.  (Windows)

New hotkey: 'Wipe Cache'.  (Windows)

New command line switch '/q background' for launching the TrueCrypt Background Task.  (Windows)

Portions of the TrueCrypt device driver redesigned.

Maximum allowed size of FAT32 volumes increased to 2 TB (note that NTFS volumes can be larger than 2 TB).

Traveler Disk Setup improved.  (Windows)

Volumes hosted on read-only media will always be mounted in read-only mode.  (Windows Vista/2003/XP)

Improved support for big-endian platforms.

The built-in FAT format facility now functions correctly on big-endian platforms.

Improved handling of partitions and devices during volume creation.  (Windows)

Improved handling of low-memory conditions.  (Windows)

Fixed bug that rarely caused system errors when dismounting all volumes.  (Windows)

Tray icon is recreated when Windows Explorer is restarted (e.g. after a system crash).

Improved security of set-euid root mode of execution. Volume can be dismounted only by the user who mounted it or by an administrator (root).  (Linux)

Writing to a TrueCrypt volume under Linux no longer causes the system to stop responding under certain conditions.

Occasional application errors no longer occur when selecting a file (Windows XP SP2 issue).

Fixed bug that caused installation of the TrueCrypt driver to fail under certain configurations of 64-bit Windows.

TrueCrypt volumes mounted in a remote session under Windows 2000 can now be accessed.

TrueCrypt Volume Creation Wizard no longer blocks hot keys of certain applications.  (Windows)

Other minor bug fixes  (Windows and Linux)

It will not be required to reinstall the TrueCrypt kernel module after every minor Linux kernel update.

The Linux version of TrueCrypt now uses the TrueCrypt Random Number Generator (ported from the Windows version of TrueCrypt) instead of using only the Linux built-in random number generator. (This change was necessary due to a flaw in the Linux built-in random number generator: Data from the mouse and keyboard, which are the most important sources of random data, are not read by the Linux built-in random number generator when the user has only a USB mouse/keyboard.)
Note: The Linux version of TrueCrypt still uses the Linux built-in random number generator. However, it is now merely one of the data sources used by the TrueCrypt random number generator.

Interactive mount mode, which allows the user to avoid passing sensitive parameters via command line.  (Linux)

TrueCrypt volume is unmapped if mounting it to a directory fails.  (Linux)

When the 'Never Save History' option is enabled, TrueCrypt sets its "current directory" to the user's home directory (in portable mode, to the directory from which TrueCrypt was launched) after a container or keyfile is selected via the Windows file selector. Therefore, the Windows file selector will not "remember" the path of the last selected container or keyfile. (Windows)

TrueCrypt volumes can now be created under Linux.

Ability to create a 'dynamic' container whose physical size (actual disk space used) grows as new data is added to it. (Dynamic containers are pre-allocated NTFS sparse files.)

Volume passwords/keyfiles can be changed under Linux.

Keyfiles can be created under Linux.

Volume headers can be backed up and restored under Linux.

Multiple keyfiles can be selected in the file selector by holding the Control (Ctrl) or Shift key (Windows).

It is now possible to enable and directly set keyfiles by dragging the icon of keyfile(s) or of keyfile search path(s) to the password entry window (Windows only).

New Linux command line option: -u, --user-mount, which can be used to set default user and group ID of the file system being mounted to the user and group ID of the parent process. Some file systems (such as FAT) do not support user permissions and, therefore, it is necessary to supply a default user and group ID to the system when mounting such file systems.

The build.sh script can now perform automatic configuration of the Linux kernel source code, which is necessary in order to compile TrueCrypt on Linux. Note that this works only if the installed version of the kernel enables/supports it.

TrueCrypt volume properties can be viewed under Linux.

It is now possible to mount a single TrueCrypt volume from multiple operating systems at once (for example, a volume shared over network), provided that the volume is mounted as read-only under each system (Windows).

Current directory is never left set to a removable device after a file (e.g., a container, keyfile, header backup) stored on it is selected via file selector in TrueCrypt. Therefore, it will be possible to 'Safely Remove' the device in such cases. (Windows)

Improved security of set-euid root mode of execution (Linux).

Other minor improvements

It is now possible to dismount volumes that cannot be opened (for example, after disconnecting and reconnecting a USB flash drive formatted as NTFS containing a mounted TrueCrypt volume).

Fixed bug that sometimes caused the mount process to fail under Linux when one or more TrueCrypt volumes were already mounted.

Command line argument buffer is now wiped upon exit (Windows, command line usage).

Other minor bug fixes

New mode of operation implemented: LRW.

LRW mode is more secure than CBC mode and is suitable for disk encryption. LRW mode is to become an IEEE standard for sector-based storage encryption. (For more information on LRW mode, see chapter Technical Details, section Modes of Operation in the documentation).

Volumes created by this version of TrueCrypt can be encrypted only in LRW mode. However, volumes created by previous versions of TrueCrypt can still be mounted by this version of TrueCrypt.

To prevent a recently discovered attack, which affects plausible deniability, we strongly recommend that you move data from your TrueCrypt volume to a new volume created by this version. Description of the attack: If a series of certain plaintext blocks is written to a mounted volume (i.e., if it is correctly encrypted), it is, with a very high probability, possible to distinguish the volume from random data. This affects volumes created by all versions of TrueCrypt prior to 4.1, except volumes encrypted with AES-Blowfish or AES-Blowfish-Serpent.

The encryption algorithm test facility (Tools -> Test Vectors) now supports LRW mode.

AES routines by Dr. Brian Gladman updated to the latest version.

Improved support for using TrueCrypt under non-administrator accounts on Linux (set-euid root).

A new instance of TrueCrypt will be created only if necessary.

Other minor improvements

Password input field will be correctly wiped after each mount attempt.

Hidden volume protection now works if set via 'Mount with Options'.

Containers located on volumes that are accessible only in local user name space can now be mounted.

The option /keyfile now works if specified with '/auto devices' or '/auto favorites' (command line usage)

Volumes whose paths contain spaces can be mounted (Linux)

Several localization issues fixed

Other minor bug fixes

TrueCrypt volumes can now be mounted on Linux. The Linux version of TrueCrypt is available at ../../downloads

It is now possible to write to outer volume without risking that a hidden volume within it will get damaged (overwritten):

When mounting an outer volume, the user can now enter two passwords: One for the outer volume, and the other for a hidden volume within it, which he/she wants to protect. In this mode, TrueCrypt does not actually mount the hidden volume. It only decrypts its header and retrieves information about the size of the hidden volume (from the decrypted header). Then, the outer volume is mounted and any attempt to save data to the area of the hidden volume will be rejected by the driver (until the outer volume is dismounted). For further details, please see the section 'Protection of Hidden Volumes Against Damage' in the documentation.

Support for the x86-64 (64-bit) platform

TrueCrypt now runs on Windows XP x64 Edition (64-bit) and Windows Server 2003 x64.

Support for big-endian hardware platforms (PowerPC, SPARC, Motorola, etc.)

Full support for keyfiles. Keyfiles provide protection against keystroke loggers and may strengthen protection against brute force attacks. Keyfile is a file whose content is combined with a password. Until correct keyfile is provided, no volume that uses the keyfile can be mounted. Any number of, and any kind of files (for example, .mp3, .jpg, .exe, .avi) may be used as TrueCrypt keyfiles. TrueCrypt never modifies the keyfile contents. Therefore, it is possible to use, for example, five files in your large mp3 collection as TrueCrypt keyfiles (and inspection of the files will not reveal that they are used as keyfiles). TrueCrypt can also generate a file with random content, which can be used as a keyfile. For more information on keyfiles, see the chapter Keyfiles in the documentation.

Support for language packs (localizations). Language packs may be downloaded at: ../../localizations

Whirlpool hash algorithm added.

The size of the output of this hash algorithm is 512 bits. It was designed by Vincent Rijmen (co-designer of the AES encryption algorithm) and Paulo S. L. M. Barreto. The first version of Whirlpool was published in November 2000. The second version, now called Whirlpool-T, was selected for the NESSIE ("New European Schemes for Signatures, Integrity and Encryption") portfolio of cryptographic primitives (a project organized by the European Union, similar to the AES contest). TrueCrypt uses the third (final) version of Whirlpool, which was adopted by the International Organization for Standardization (ISO) and the IEC in the ISO/IEC 10118-3:2004 international standard.

Auto-Dismount facility, which can be set to dismount a volume after no data has been written/read to/from it for specified number minutes. It can also be set to dismount all mounted TrueCrypt volumes when:
- user logs off
- entering power saving mode
- screen saver is launched
Auto-dismount can be configured and activated in the Preferences (select Settings -> Preferences)

TrueCrypt settings are not saved to the Windows registry file. Instead, they are stored in XML files in the folder where application data are saved on the system (for example, in C:\Documents and Settings\YourUserName\Application Data\TrueCrypt). In portable mode, the configuration XML files are saved to the folder from which you run the file TrueCrypt.exe.

Note: When you install this version of TrueCrypt, all TrueCrypt settings that were stored by previous versions in the registry file will be automatically removed.

Tray icon. Right-clicking the tray icon opens a popup menu with the most used functions. Left-clicking the tray icon opens the main TrueCrypt window and puts it into the foreground.

Optionally, TrueCrypt can now continue running in the background after its main window is closed. This is referred to as TrueCrypt Background Task. When the main TrueCrypt window is closed, the TrueCrypt Background Task handles the following tasks/functions:
1) Hot keys
2) Auto-dismount
3) Notifications (e.g., when damage to hidden volume is prevented)
4) Tray icon
For more information, see the chapter TrueCrypt Background Task in the documentation.

When a mounted volume is right-clicked in the drive list (in the main TrueCrypt window), a context menu is opened. From this menu, the user can select functions such as 'Repair Filesystem' or 'Check Filesystem' (front-end to the 'chkdsk' tool).

Containers stored on a locally mapped network drive can now be mounted.

Container stored on a remote server can be mounted via UNC path (e.g., \\server\share\volume).

Option to display password (typed in input field)

'Favorite Volumes' facility, which is useful if you often work with more than one TrueCrypt volume at a time and you need each of them to be mounted as the same drive letter every time. For more information, see the chapter 'Main Program Window', section 'Program Menu' in the documentation.

Functions 'Backup Volume Header' and 'Restore Volume Header' added to the Tools menu. Both the standard volume header and the hidden volume header area are always backed up (copied to the backup file) even if there is no hidden volume within the volume (to preserve plausible deniability of hidden volumes).

Note: If you do not have enough free space to backup all files, we highly recommend that you at least use this facility to backup the volume header, which contains the master key (size of the backup file will be 1024 bytes). If the volume header is damaged, the volume is, in most cases, impossible to mount.

System-wide hot keys (which can be used, for example, to dismount all TrueCrypt volumes, etc.)

Users can now set actions to perform upon logon to Windows. The actions can be any of the following:
- Start TrueCrypt
- Mount all device-hosted TrueCrypt volumes
- Mount favorite volumes
These actions can be enabled in the Preferences (select Settings -> Preferences).

Title bar of the password prompt dialog window now displays path to volume being mounted

When the 'Never save history' option is enabled, TrueCrypt clears the registry entries created by the Windows file selector for TrueCrypt. Therefore, the Windows file selector will not remember the path of the last mounted container after you exit TrueCrypt. Note that even when this option is enabled, the file selector will still remember the path, but only until you exit TrueCrypt.

'Set Header Key Derivation Algorithm' added to the Volumes menu. It allows the user to re-encrypt a volume header with a header key derived using a different PRF function (e.g., instead of HMAC-SHA-1 you could use HMAC-Whirlpool). Note: Volume header contains master encryption key with which volume is encrypted. Therefore, data stored on the volume will not be lost after this function is used.

Number of bytes read/written from/to a volume since it was mounted is displayed in the Volume Properties window.

Preserving container timestamps can now disabled in the Preferences (Settings -> Preferences).

Command line usage:

if '/silent' is specified, interaction with user (prompts, error messages, warnings, etc.) is suppressed.

If '/m timestamp' is specified, volume/keyfile timestamps are not preserved.

'/keyfile' can be used to specify a keyfile or a keyfile search path.

'/auto favorites' can be used to mount favorite volumes.

'/auto' is implicit if '/quit' and '/volume' are specified.

If '/q preferences' is specified, TrueCrypt loads/saves settings.

Auto-Mount Devices keeps prompting for a password until a volume is successfully mounted or until cancelled. Warning is displayed after each unsuccessful mount.

If the Shift key is down when clicking 'Auto-Mount Devices' and if there are cached passwords, then password prompt will be bypassed (mounting will be attempted only with cached passwords).

It is now possible to run multiple instances of the TrueCrypt application simultaneously.

Mounting of fragmented file-hosted volumes (containers) takes significantly less time.

New SHA-1 routines by Brian Gladman, which are approx. three times faster than the original ones (speeds up mounting).

Enhancements to the random number generator:

Hash function output is XORed into the pool (in E4M and the previous versions of TrueCrypt the values produced by a hash function replaced the original values in the pool).

Input to hash function will always be the entire pool.

Position of the pool cursor does not change when the FastPoll function is applied. This ensures that mouse coordinates are always evenly distributed in the pool (significant particularly when moving the mouse uninterruptedly).

Event delta/absolute time will be added modulo 2^32 to the pool at the same position as the event data. (In the previous versions, event delta times were added separately modulo 2^32 to the pool. Delta times provide only a small amount of entropy, particularly when moving the mouse uninterruptedly.)

For more information see the chapter Technical Details, section Random Number Generator in the documentation.

Important: That we made these enhancements to the random number generator does NOT mean that volumes created using previous versions of TrueCrypt are insecure.

File-hosted volumes are pre-allocated before they are formatted. Therefore, containers are created faster and less fragmented.

When TrueCrypt re-encrypts a volume header (for example, when changing a password), the original volume header is first overwritten 35 times with random data to prevent adversaries from using techniques such as magnetic force microscopy to recover the overwritten header.

Traveler disk can be created when TrueCrypt is running in portable mode.

TrueCrypt warns if automatic mounting of new volumes is disabled in Windows and informs the user how to enable this functionality.

Other minor improvements

Hidden volume password can now be changed on all types of removable media (e.g., all types of USB memory sticks).

When changing a password and an error occurs during the creation of a new volume header, the header will not be written and the error will be reported.

FAT file system created by TrueCrypt will have the same properties as FAT file system created by Windows.

Drive list will be updated whenever drive letter assignments change.

If an error occurs, TrueCrypt returns exit code 1, otherwise it returns 0 (command line usage).

Password specified on command line (/p ) now also works with '/a devices' (command line usage).

Other minor bug fixes

Size of the random number generator pool increased from 256 to 320 bytes

The command line option '/quiet' has been renamed to '/quit'

The Serpent routines written in assembly have been replaced with routines written in C, so that the whole source code is more portable.

Volumes mounted as removable media can now be checked/repaired ('chkdsk.exe'), defragmented, formatted, etc.

Volume Creation Wizard now respects default mount options set via Tools > Preferences.

Fixed bug that caused mount/dismount to fail on some systems.

The TrueCrypt uninstaller is now always installed during installation.

Relative paths can be used with the /volume option (command line usage).

Drive A: will no longer disappear from Windows Explorer (e.g., 'My Computer' list) after 'Dismount All'.

Other minor bug fixes

When running in portable mode, the TrueCrypt driver will be unloaded when no longer needed (e.g., when the main application and/or the last instance of the Volume Creation Wizard is closed and no TrueCrypt volumes are mounted).

Access mode (read-only or read-write) is now displayed in the volume properties dialog.

Other minor improvements

Partitions/devices that are already in use by another driver (usually an anti-virus utility) can now be mounted.

It is now possible to run multiple instances of the TrueCrypt Volume Creation Wizard.

TrueCrypt can now run in portable mode, which means that it does not have to be installed on the operating system under which it is run. There are two ways to run TrueCrypt in portable mode:

1) After you unpack the binary distribution archive, you can directly run 'TrueCrypt.exe'.

2) You can use the new 'Traveler Disk Setup' facility (accessible from the 'Tools' menu) to prepare a special traveler disk and launch TrueCrypt from it. This facility can also configure a traveler disk in a way that when it is inserted, TrueCrypt is automatically started or a specified volume is mounted (note that this works only when the traveler disk is a removable medium such as a CD or DVD; Windows XP SP2 is required in case of USB memory sticks).

Volumes can now be mounted as read-only. This can be set in the newly implemented 'Mount Options' dialog, which can be opened from the password entry dialog or by holding Control while clicking 'Mount'. (Command line usage: '/mountoption ro')

Volumes can now be mounted as removable media (for example to prevent Windows from creating the 'Recycled' and/or 'System Volume Information' folders on the volume). This can be set in the newly implemented 'Mount Options' dialog, which can be opened from the password entry dialog or by holding Control while clicking 'Mount'. (Command line usage: '/mountoption rm')

Default mount options can be configured in the main program preferences (Tools -> Preferences).

'Refresh Drive Letters' function added to the tools menu. It can be used when Windows Explorer fails to register a newly mounted volume (for example when it is not shown in the 'My Computer' list).

Volume can now be selected by dragging its icon to the TrueCrypt program window (this also allows to avoid the Windows file selector).

'/auto devices' auto-mounts all device/partition-hosted TrueCrypt volumes (command line usage).

The 'Auto-Mount Devices' facility will not mount 'phantom' partitions on some removable media (e.g. USB memory sticks).

In some cases TrueCrypt did not use all available space on some removable media (such as USB memory sticks).
Remark: This bug was inherited from E4M, so it applies also to volumes created by E4M.

Warning: Note that this means it will not be possible to mount hidden volumes (does not apply to file-hosted containers) created with TrueCrypt 3.0 or 3.0a that are located on some removable media, e.g., some USB memory sticks, (because the expected position of a hidden volume changes with the size of its host volume). If that is the case, please before upgrading to TrueCrypt 3.1, move your files to a temporary TrueCrypt volume on a non-removable medium or to a non-hidden volume on a removable medium and move the data from the old hidden volume to this temporary one. Then install TrueCrypt 3.1, create a new hidden volume and move your files from the temporary volume to it.

Users are now prevented from setting a too small cluster size when creating a FAT volume (which caused various problems).

The command line parser no longer causes TrueCrypt to crash.

Data corruption will not occur when data is written to a volume encrypted with Twofish or Serpent while another TrueCrypt volume is mounted (applies also to volumes encrypted using a cascade of ciphers, out of which one is Twofish or Serpent).

Other minor bug fixes

For more information, refer to www.truecrypt.org/hiddenvolume

Serpent encryption algorithm (256-bit key)

Twofish encryption algorithm (256-bit key)

Forced/"brutal" dismount (allows dismounting a volume containing files being used by the system or an application).

Cascades of ciphers added (e.g., AES-Twofish-Serpent, AES-Blowfish, etc.) Each of the ciphers in a cascade uses its own encryption key (the keys are mutually independent).

Ability to mount a TrueCrypt volume that is being used by the system or an application (shared access mode).

Ability to encrypt devices/partitions that are being used by the system or an application.

The 'Select Device' dialog and the 'Auto-Mount Partitions' facility now support devices that do not contain any partitions.

Encryption Algorithm Benchmark facility added to the Tools menu and to the Volume Creation Wizard.

A warning is displayed if Caps Lock is on when creating a new volume or changing a password.

When /l is omitted and /a is used, the first free drive letter is used (command line usage)

New command line option: /force or /f enables forced ("brutal") dismount or mounting in shared mode (i.e., without exclusive access).

'Blue screen' errors (system crashes) will not occur when dismounting a volume (remark: this bug also affects E4M).

The 'Select Device' dialog will display also partitions being used by the system or an application.

If the size of a partition/device was not a multiple of 1024 bytes, its last sector (512 bytes) was not used for TrueCrypt volume (the volume was 512 bytes shorter than the partition/device).
Remark: This bug was inherited from E4M, so it applies also to encrypted partitions/devices created by E4M.

FAT volumes that are exactly 129 MB in size will not have zero size of free space (129-MB FAT volumes created by the previous versions had no free space available).

The timestamp of a container (the date and time that the container was last modified) will not be updated when TrueCrypt accesses the container (i.e., after dismounting, creating a hidden volume within it, or changing the password).

The TrueCrypt Service is no longer necessary and has been removed because its functions are now handled by the TrueCrypt driver.

Important: TrueCrypt volumes encrypted using the IDEA encryption algorithm cannot be mounted using TrueCrypt 2.1a. If you have such a volume, before upgrading to TrueCrypt 2.1a, please create a new TrueCrypt volume using a cipher other than IDEA and move your files to this new volume.

Note: RIPEMD-160, which was designed by an open academic community, represents a valuable alternative to SHA-1 designed by the NSA and NIST. In the previous versions there was a risk that the whole program would be practically useless, should a major weakness be found in SHA-1. The user-selected hash algorithm is used by the random number generator when creating new volumes, and by the header key derivation function (HMAC based on a hash function, as specified in PKCS #5 v2.0). The random number generator generates the master encryption key, salt, and the values used to create IV and 'whitening' values.

When changing a volume password, the user can now select the HMAC hash algorithm that will be used in deriving the new volume header key.

It is now possible to create NTFS TrueCrypt volumes and unformatted TrueCrypt volumes. This enhancement also removes the 2048 GB volume size limit. (Only FAT volumes can be created using the previous versions of TrueCrypt. Any FAT volume, encrypted or not, cannot be over 2048 GB.)

Header key content is now displayed in the Volume Creation Wizard window (instead of salt).

Random pool, master key, and header key contents can be prevented from being displayed in the Volume Creation Wizard window.