CoreMacOSX::CheckFilesystem() ignored both its mountedVolume and repair arguments and always just launched Disk Utility.app, so the "Check Filesystem" and "Repair Filesystem" menu items behaved identically and neither acted on the mounted volume. On Linux/BSD the same operation runs fsck and honors the flag (passing -n only when repair is false). Run diskutil on the VeraCrypt virtual device, choosing verifyVolume or repairVolume per the flag (diskutil unmounts the inner filesystem itself as needed). The Core layer has no GUI, so the result is shown in a Terminal window via a temporary .command script; it falls back to launching Disk Utility.app when no virtual device is available. Run the macOS check in the unprivileged application process. VeraCrypt does not need to create or launch the helper script from the elevated core service: diskutil operates on the mounted virtual device and macOS handles any device authorization requirements. Once a device-hosted mount has started the elevated core service, every later service request is routed to that root process. There it would create the helper script as root (0700) and open a Terminal in the GUI session that the user could neither read nor execute. CoreServiceProxy::CheckFilesystem now invokes the core implementation directly on macOS instead of sending a service request, so the script is always owned by the GUI user. The device path is strictly validated as /dev/[r]diskN[sM] before being single-quoted into the command. The helper script is created securely in the per-user temp directory via mkstemps() (atomic O_EXCL/0600, fchmod 0700 by descriptor, close() checked for deferred write errors, unlinked on any failure) rather than at a predictable, enumerable path in the world-writable /tmp, guarding against a symlink/race on the executed script. A trap removes the script on exit even if the window is closed early, and it is also unlinked if launching Terminal fails. The script captures $? so diskutil's result, including failures, is shown before the script exits. Replace the macOS pre-check message (which still told the user Disk Utility would open and to pick Verify/Repair manually) with check- and repair-specific text describing the new automatic diskutil flow. Seed the two new strings into all translation files with the English text so the XML key-completeness check passes; localization can follow. Co-authored-by: Damian Rickard <damian@rickard.us>
This archive contains the source code of VeraCrypt. It is based on the original TrueCrypt 7.1a with security enhancements and modifications.
Important
You may use the source code contained in this archive only if you accept and agree to the license terms contained in the file 'License.txt', which is included in this archive.
Note that the license specifies, for example, that a derived work must not be called 'TrueCrypt' or 'VeraCrypt'
Contents
IV. Third-Party Developers (Contributors)
I. Windows
Requirements for Building VeraCrypt for Windows:
A detailed guide on how to build VeraCrypt on Windows can be found in the documentation in the repository and it is also available online or on the mirror.
IMPORTANT:
The 64-bit editions of Windows Vista and later versions of Windows, and in some cases (e.g. playback of HD DVD content) also the 32-bit editions do not allow the VeraCrypt driver to run without an appropriate digital signature. Therefore, all .sys files in official VeraCrypt binary packages are digitally signed with the digital certificate of the IDRIX, which was issued by GlobalSign certification authority. At the end of each official .exe and .sys file, there are embedded digital signatures and all related certificates (i.e. all certificates in the relevant certification chain, such as the certification authority certificates, CA-MS cross-certificate, and the IDRIX certificate).
Keep this in mind if you compile VeraCrypt and compare your binaries with the official binaries. If your binaries are unsigned, the sizes of the official binaries will usually be approximately 10 KiB greater than the sizes of your binaries (there may be further differences if you use a different version of the compiler, or if you install a different or no service pack for Visual Studio, or different hotfixes for it, or if you use different versions of the required SDKs).
Instructions for Signing and Packaging VeraCrypt for Windows:
First, create an environment variable 'WSDK81' pointing to the Windows SDK for Windows 8.1 installation directory.
The folder "Signing" contains a batch file (sign.bat) that will sign all VeraCrypt components using a code signing certificate present on the certificate store and build the final installation setup and MSI package. The batch file assumes that the code signing certificate is issued by GlobalSign. This is the case for IDRIX's certificate. If yours is issued by another CA, then you should put its intermediate certificates in the "Signing" folder and modify sign.bat accordingly.
To generate MSI packages, WiX Toolset v3.11 must be installed.
VeraCrypt EFI Boot Loader:
VeraCrypt source code contains pre-built EFI binaries under src\Boot\EFI. The source code of VeraCrypt EFI Boot Loader is licensed under LGPL and it is available at https://github.com/veracrypt/VeraCrypt-DCS. For build instructions, please refer to the file src\Boot\EFI\Readme.txt.
II. Linux and Mac OS X
A detailed guide on how to build VeraCrypt on Linux can be found in the documentation in the repository and it is also available online or on the mirror.
Requirements for Building VeraCrypt for Linux and Mac OS X:
- GNU Make
- GNU C++ Compiler 4.0 or compatible
- Apple Xcode or Xcode command line tools (Mac OS X only)
- YASM 1.3.0 or newer (Linux only, x86/x64 architecture only)
- pkg-config
- wxWidgets 3.0 shared library and header files installed or wxWidgets 3.0 library source code (available at https://www.wxwidgets.org)
- FUSE library and header files (available at https://github.com/libfuse/libfuse and https://macfuse.github.io/)
- PCSC-lite library and header files (available at https://github.com/LudovicRousseau/PCSC)
Instructions for Building VeraCrypt for Linux and Mac OS X:
-
Change the current directory to the root of the VeraCrypt source code.
-
If you have no wxWidgets shared library installed, run the following command to configure the wxWidgets static library for VeraCrypt and to build it:
$ make WXSTATIC=1 WX_ROOT=/usr/src/wxWidgets wxbuildThe variable
WX_ROOTmust point to the location of the source code of the wxWidgets library. Output files will be placed in the './wxrelease/' directory. -
To build VeraCrypt, run the following command:
$ makeor if you have no wxWidgets shared library installed:
$ make WXSTATIC=1 -
If successful, the VeraCrypt executable should be located in the directory 'Main'.
Reproducible build note: when SOURCE_DATE_EPOCH is not set, a build from a
git checkout uses the HEAD commit timestamp, while a build from a release
tarball uses the release date in src/Common/Tcdefs.h at 00:00 UTC. To
reproduce official release artifacts from a git checkout, set
SOURCE_DATE_EPOCH explicitly or build from the release tarball. Vendored
VeraCrypt sources tracked in another git checkout are treated the same way and
use that checkout's HEAD timestamp.
Both the generated .deb and .rpm packages are reproducible, including on older rpm (e.g. CentOS/RHEL 7) that lacks the SOURCE_DATE_EPOCH/_buildhost build macros.
By default, a universal executable supporting both graphical and text user interface (through the switch --text) is built. On Linux, a console-only executable, which requires no GUI library, can be built using the 'NOGUI' parameter:
$ make NOGUI=1 WXSTATIC=1 WX_ROOT=/usr/src/wxWidgets wxbuild
$ make NOGUI=1 WXSTATIC=1
Arch Linux package build:
Arch Linux users can build and install a package from the current checkout with makepkg:
$ cd src/Build/Packaging/arch
$ makepkg -si
On MacOSX, building a console-only executable is not supported.
Mac OS X specifics:
Under MacOSX, the latest installed SDK is used by default. To use a different version of the SDK when building using make, you can export the environment variable VC_OSX_SDK:
$ export VC_OSX_SDK=13.0
For development dependencies management, you can use homebrew.
$ brew install pkg-config yasm wxwidgets
You also need system dependencies
$ brew install --cask macfuse packages
After installing dependencies via brew, you can build a local development build
$ ./src/Build/build_veracrypt_macosx.sh -b
If you want to build the package, you must pass -p to the build script above. The built
executable will be in .src/Main
If you prefer to build from sources, or without homebrew, pkg-config and packages must be installed.
Get pkg-config from https://pkgconfig.freedesktop.org/releases/pkg-config-0.29.2.tar.gz and compile using the following commands:
$ CFLAGS="-Wno-int-conversion" CXXFLAGS="-Wno-int-conversion" ./configure --with-internal-glib
$ make
$ sudo make install
After making sure pkg-config is available, download and install macFUSE from https://macfuse.github.io/
The build_veracrypt_macosx.sh script performs the full build of VeraCrypt including the creation of the installer pkg. It expects to find the wxWidgets 3.2.5 sources at the same level as where you put VeraCrypt sources (i.e. if "src" path is "/Users/joe/Projects/VeraCrypt/src" then wxWidgets should be at "/Users/joe/Projects/wxWidgets-3.2.5")
The make build process uses Code Signing certificates whose ID is specified in src/Main/Main.make (look for lines containing "Developer ID Application" and "Developer ID Installer"). You'll have to modify these lines to put the ID of your Code Signing certificates or comment them out if you don't have one.
Because of incompatibility issues with macFUSE, the SDK 10.9 generates a VeraCrypt binary that has issues communicating with the macFUSE kernel extension. Thus, we recommend using a different macOS SDK version for building VeraCrypt.
The Packages installer that is used for the VeraCrypt official build has been notarized by IDRIX and it is available at https://github.com/idrassi/packages/releases
III. FreeBSD and OpenBSD
FreeBSD is supported starting from version 14. OpenBSD is supported starting from version 7.8. The build requirements and instructions are the same as Linux except that gmake should be used instead of make.
IV. Third-Party Developers (Contributors)
If you intend to implement a feature, please contact us first to make sure:
- That the feature has not been implemented (we may have already implemented it, but haven't released the code yet).
- That the feature is acceptable.
- Whether we need the help of third-party developers with implementing the feature.
Information on how to contact us can be found at: https://veracrypt.jp or https://veracrypt.io (mirror)
V. Legal Information
Copyright Information
This software as a whole:
Copyright (c) 2026 AM Crypto. All rights reserved.
Portions of this software:
Copyright (c) 2026 AM Crypto. All rights reserved.
Copyright (c) 2013-2025 IDRIX. All rights reserved.
Copyright (c) 2003-2012 TrueCrypt Developers Association. All rights reserved.
Copyright (c) 1998-2000 Paul Le Roux. All rights reserved.
Copyright (c) 1998-2008 Brian Gladman, Worcester, UK. All rights reserved.
Copyright (c) 1995-2023 Jean-loup Gailly and Mark Adler.
Copyright (c) 2016 Disk Cryptography Services for EFI (DCS), Alex Kolotnikov
Copyright (c) 1999-2023 Dieter Baron and Thomas Klausner.
Copyright (c) 2013, Alexey Degtyarev. All rights reserved.
Copyright (c) 1999-2016 Jack Lloyd. All rights reserved.
Copyright (c) 2013-2019 Stephan Mueller smueller@chronox.de
Copyright (c) 1999-2023 Igor Pavlov
For more information, please see the legal notices attached to parts of the source code.
Trademark Information
Any trademarks contained in the source code, binaries, and/or in the documentation, are the sole property of their respective owners.
VI. Further Information
https://veracrypt.jp
https://veracrypt.io (mirror)