Keyfiles
Keyfile is a file whose content is combined with a password (for information on the method used to combine a keyfile with password, see the section Keyfiles in the chapter Technical Details). Until the correct keyfile is provided, no volume that uses the keyfile can be mounted.
You do not have to use keyfiles. However, using keyfiles has various advantages:
* Provides protection against keystroke loggers (even if an adversary captures your password using a keystroke logger, he will not be able to mount the volume without your keyfile).
* May improve protection against brute force attacks (significant particularly if the volume password is weak).
* Allows managing multi-user shared access (all keyfile holders must present their keyfiles before a volume can be mounted).
Any kind of file (for example, .txt, .exe, .mp3**, .avi) may be used as a TrueCrypt keyfile (however, we recommend that you prefer compressed files, such as .mp3, .jpg, .zip, etc.).
Note that TrueCrypt never modifies the keyfile contents. Therefore, it is possible to use, for example, five files in your large mp3 collection as TrueCrypt keyfiles (and inspection of the files will not reveal that they are used as keyfiles).
You can select more than one keyfile; the order does not matter. You can also let TrueCrypt generate a file with random content and use it as a keyfile. To do so, select Keyfiles -> Generate Random Keyfile.
IMPORTANT: To make brute force attacks on a keyfile infeasible, the size of the keyfile should be at least 30 bytes. If a volume uses multiple keyfiles, then at least one of the keyfiles should be 30 bytes in size or larger. Note that the 30-byte limit assumes a large amount of entropy in the keyfile. If the first 1024 kilobytes of a file contain only a small amount of entropy, it should not be used as a keyfile (regardless of the file size). If you are not sure what entropy means, we recommend that you let TrueCrypt generate a file with random content and that you use it as a keyfile (select Keyfiles -> Generate Random Keyfile).
WARNING: If you lose a keyfile or if any bit of its first 1024 kilobytes changes, it will be impossible to mount volumes that use the keyfile!
WARNING: If password caching is enabled, the password cache also contains the processed contents of keyfiles used to successfully mount a volume. Then it is possible to remount the volume even if the keyfile is not available/accessible. To prevent this, click 'Wipe Cache' or disable password caching (for more information, please see the subsection 'Settings -> Preferences', item 'Cache passwords in driver memory' in the section Program Menu).
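The page defers the combining method to the Technical Details chapter; the following added example (not TrueCrypt's own code) reimplements that published method, a 64-byte keyfile pool built from the running CRC-32 of each keyfile's first 1024 KB and added modulo 256 into the zero-padded password, and shows why keyfile order is irrelevant and why only the first 1024 KB of a file matter. The sample keyfiles are constructed in-memory byte strings rather than real files.

```python
import zlib

POOL_SIZE = 64              # keyfile pool: 64 bytes (512 bits), also the maximum password length
MAX_READ_LEN = 1024 * 1024  # only the first 1024 KB of each keyfile are ever processed


def keyfile_pool(keyfiles):
    """Mix every keyfile (a bytes object) into a 64-byte pool.

    Per keyfile the cursor and CRC-32 state are reset; per input byte the running
    (non-finalised) CRC-32 register is updated and its four bytes are added modulo
    256 into the pool at the cursor, which wraps at 64.  Since the pool is built by
    addition, the order in which keyfiles are applied cannot change the result.
    """
    pool = bytearray(POOL_SIZE)
    crc32 = zlib.crc32
    for data in keyfiles:
        data = data[:MAX_READ_LEN]     # bytes beyond 1024 KB never influence the pool
        pos, crc = 0, 0                # crc == 0 is zlib's form of the initial register 0xFFFFFFFF
        for i in range(len(data)):
            crc = crc32(data[i:i + 1], crc)
            state = crc ^ 0xFFFFFFFF   # undo zlib's final XOR to expose the raw register
            pool[pos] = (pool[pos] + (state >> 24)) & 0xFF
            pool[pos + 1] = (pool[pos + 1] + ((state >> 16) & 0xFF)) & 0xFF
            pool[pos + 2] = (pool[pos + 2] + ((state >> 8) & 0xFF)) & 0xFF
            pool[pos + 3] = (pool[pos + 3] + (state & 0xFF)) & 0xFF
            pos = (pos + 4) % POOL_SIZE
    return bytes(pool)


def apply_keyfiles(password, keyfiles):
    """Return the secret handed to header key derivation: the password unchanged when
    no keyfiles are given, otherwise the password zero-padded to 64 bytes with the pool
    added byte by byte modulo 256 (so an empty password still yields 64 secret bytes)."""
    if len(password) > POOL_SIZE:
        raise ValueError("TrueCrypt passwords are at most 64 bytes long")
    if not keyfiles:
        return bytes(password)
    pool = keyfile_pool(keyfiles)
    padded = password.ljust(POOL_SIZE, b"\x00")
    return bytes((p + k) & 0xFF for p, k in zip(padded, pool))


if __name__ == "__main__":
    # Constructed sample keyfiles: in-memory byte strings standing in for real files.
    a, b = b"first keyfile", b"second keyfile"
    print(apply_keyfiles(b"secret", [a, b]) == apply_keyfiles(b"secret", [b, a]))  # True
    big = bytes(range(256)) * 4096 + b"A"  # exactly 1024 KB plus one byte past the limit
    print(keyfile_pool([big]) == keyfile_pool([big[:-1] + b"B"]))                  # True
```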
Keyfiles Dialog Window
If you want to use keyfiles (i.e. “apply” them) when creating or mounting volumes, or changing passwords, look for the Use keyfiles option and the button Keyfile below a password input field.
These control elements appear in various dialog windows and always have the same functions. Check the Use keyfiles option and click Keyfiles. The keyfile dialog window should appear where you can specify keyfiles (to do so, click Add File) or keyfile search paths (click Add Path). Note that keyfiles and keyfile search paths can also be selected by dragging the corresponding file/folder icons to the keyfile dialog window.
Keyfile Search Path
By adding a folder in the keyfile dialog window (click Add Path), you specify a keyfile search path. All files found in the keyfile search path* will be used as keyfiles.
Important: Note that folders (and files they contain) found in keyfile search paths are ignored.
Keyfile search paths are especially useful if you, for example, store keyfiles on a USB memory stick that you carry with you. You can set the drive letter of the USB memory stick as a default keyfile search path. To do so, select Keyfiles -> Set Default Keyfiles/Paths. Then click Add Path, browse to the drive letter assigned to the USB memory stick, and click OK. Now each time you mount a volume (and if the option Use keyfiles is checked in the password dialog window), TrueCrypt will scan the path and use all files that it finds on the USB memory stick as keyfiles.
WARNING: When you add a folder (as opposed to a file) to the list of keyfiles, only the path is remembered, not the filenames! This means e.g. that if you create a new file in the folder or if you copy an additional file to the folder, then all volumes that used keyfiles from the folder will be impossible to mount (until you remove the newly added file from the folder).
Empty Password & Keyfile
When a keyfile is used, the password may be empty, so the keyfile may become the only item necessary to mount the volume (which we do not recommend). If default keyfiles are set and enabled when mounting a volume, then before prompting for a password, TrueCrypt first automatically attempts to mount using an empty password plus default keyfiles. If you need to set Mount Options (e.g., mount as read-only, protect hidden volume, etc.) for a volume being mounted this way, hold down the Control (Ctrl) key while clicking Mount (or select Mount with Options from the Volumes menu). This will open the Mount Options dialog.
Keyfiles -> Add/Remove Keyfiles to/from Volume
This function allows you to re-encrypt a volume header with a header encryption key derived from any number of keyfiles (with or without a password), or no keyfiles at all. Thus, a volume that can be mounted using only a password can be converted to a volume that requires keyfiles (in addition to the password) in order to be mounted. Note that the volume header contains the master encryption key with which the volume is encrypted. Therefore, the data stored on the volume will not be lost after you use this function.
This function can also be used to change/set volume keyfiles (i.e., to remove some or all keyfiles, and to apply new ones).
Remark: This function is internally equal to the Password Change function.
When TrueCrypt re-encrypts a volume header, the original volume header is first overwritten 200 times with random data to prevent adversaries from using techniques such as magnetic force microscopy or magnetic force scanning tunnelling microscopy [17] to recover the overwritten header (however, see also the chapter Security Precautions).
Keyfiles -> Remove All Keyfiles from Volume
This function allows you to re-encrypt a volume header with a header encryption key derived from a password and no keyfiles (so that it can be mounted using only a password, without any keyfiles). Note that the volume header contains the master encryption key with which the volume is encrypted. Therefore, the data stored on the volume will not be lost after you use this function.
Remark: This function is internally equal to the Password Change function.
When TrueCrypt re-encrypts a volume header, the original volume header is first overwritten 200 times with random data to prevent adversaries from using techniques such as magnetic force microscopy or magnetic force scanning tunnelling microscopy [17] to recover the overwritten header (however, see also the chapter Security Precautions).
Keyfiles -> Generate Random Keyfile
You can use this function to generate a file with random content, which you can use as a keyfile (recommended). This function uses the TrueCrypt Random Number Generator. Note that the resulting file size is always 64 bytes (i.e., 512 bits), which is also the maximum possible TrueCrypt password length.
Keyfiles -> Set Default Keyfiles/Paths
Use this function to set default keyfiles and/or default keyfile search paths. This function is particularly useful if you, for example, store keyfiles on a USB memory stick that you carry with you. You can add its drive letter to the default keyfile configuration. To do so, click Add Path, browse to the drive letter assigned to the USB memory stick, and click OK. Now each time you mount a volume (and if Use keyfiles is checked in the password dialog), TrueCrypt will scan the path and use all files that it finds there as keyfiles.
WARNING: When you add a folder (as opposed to a file) to your default keyfile list, only the path is remembered, not the filenames! This means e.g. that if you create a new file in the folder or if you copy an additional file to the folder, then all volumes that used keyfiles from the folder will be impossible to mount (until you remove the newly added file from the folder).
IMPORTANT: Note that when you set default keyfiles and/or default keyfile search paths, the filenames and paths are saved unencrypted in the file Default Keyfiles.xml. For more information, please see the chapter TrueCrypt System Files & Application Data.
* Found at the time when you are mounting the volume, changing its password, or performing any other operation that involves re-encryption of the volume header.
** However, if you use an MP3 file as a keyfile, you must ensure that no program modifies the ID3 tags within the MP3 file (e.g. song title, name of artist, etc.). Otherwise, it will be impossible to mount volumes that use the keyfile.
