Block Device Encryption - VeraCrypt

From Embedded Lab Vienna for IoT & Security

This document describes how to create, mount and dismount a virtual encrypted disk with hidden container using VeraCrypt for Linux from the terminal.

TL;DR

# Install (https://www.veracrypt.fr/en/Downloads.html)
sudo dpkg -i $DEB_PACKAGE

# Create encrypted volume (interactive)
veracrypt -c
# Mount encrypted volume (interactive)
veracrypt $ENC_FILE $MOUNT_POINT
# List mounted volumes
veracrypt -l
# Unmount a specific VeraCrypt volume
veracrypt -d $ENC_FILE
# Unmount all Veracrypt volumes
veracrypt -d

# USE IT.
veracrypt -h

Prerequisites

  • Linux-based Operating System (Here: Ubuntu 20.04 LTS)
  • VeraCrypt Console (Installation notes below) (Here: VeraCrypt 1.24-update7)

Install pre-built binary

This section downloads the VeraCrypt package, verifies its integrity and finally installs it. Get the download link for the appropriate system from https://www.veracrypt.fr/en/Downloads.html and copy it into the variable DEB_PACKAGE_HREF. For any Linux-based OS without a pre-built package, proceed to the next section, "Build from source".

# CHANGE THIS VARIABLE TO THE DESIRED VERSION AND DISTRO
# Here: VeraCrypt Console 1.24u7 for Ubuntu 20.04 (amd64)
DEB_PACKAGE_HREF="https://launchpad.net/veracrypt/trunk/1.24-update7/+download/veracrypt-console-1.24-Update7-Ubuntu-20.04-amd64.deb"

# Helper variables used in the following for a better overview
# Simply copy paste this block to the terminal
SIG_DEB_PACKAGE_HREF=$DEB_PACKAGE_HREF".sig"
PGP_PUBLIC_KEY_HREF="https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc"
# Reference to the local file names
LOCAL_PATH="/var/tmp/"
DEB_PACKAGE=$LOCAL_PATH${DEB_PACKAGE_HREF##*/}
SIG_DEB_PACKAGE=$LOCAL_PATH${SIG_DEB_PACKAGE_HREF##*/}
PGP_PUBLIC_KEY=$LOCAL_PATH${PGP_PUBLIC_KEY_HREF##*/}
# VeraCrypt PGP public key RSA fingerprint 
FINGERPRINT="5069A233D55A0EEB174A5FC3821ACD02680D16DE"

# Download the necessary files
wget $DEB_PACKAGE_HREF -O $DEB_PACKAGE
wget $SIG_DEB_PACKAGE_HREF -O $SIG_DEB_PACKAGE
wget $PGP_PUBLIC_KEY_HREF -O $PGP_PUBLIC_KEY

# Verify PGP signature
gpg --import --import-options show-only $PGP_PUBLIC_KEY | grep $FINGERPRINT
# Only continue if the $PGP_PUBLIC_KEY matches the static $FINGERPRINT.
# Otherwise, someone may be trying to trick you.
gpg --import $PGP_PUBLIC_KEY
gpg --verify $SIG_DEB_PACKAGE $DEB_PACKAGE
# Only continue if $SIG_DEB_PACKAGE verifies the $DEB_PACKAGE's integrity.
# Note: gpg reports "Good signature" for any key in the keyring, trusted or not;
# the fingerprint check above is what ties the signature to the VeraCrypt key.

# Install the veracrypt package
sudo dpkg -i $DEB_PACKAGE
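A fail-closed variant of the two checks above, added here as an example (not code from the wiki page or from the VeraCrypt project). Instead of relying on a human to read the output of grep and gpg, it parses gpg's machine-readable listing (--with-colons) and status output (--status-fd) and refuses to run dpkg unless the key fingerprint and the signing key both match. It assumes gpg 2.x and the page's variables PGP_PUBLIC_KEY, SIG_DEB_PACKAGE and DEB_PACKAGE; the sample listing and status lines are constructed, not real gpg output.

```shell
# Fail-closed key and signature checks for the install procedure above.
# Assumes gpg 2.x and the page's variables $PGP_PUBLIC_KEY, $SIG_DEB_PACKAGE,
# $DEB_PACKAGE when verify_and_install is run for real (added example).
EXPECTED_FPR="5069A233D55A0EEB174A5FC3821ACD02680D16DE"   # fingerprint given on the page

# Primary-key fingerprint from a `gpg --with-colons` listing read on stdin
# (field 1 is the record type; field 10 of an "fpr" record is the fingerprint).
first_fingerprint() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# 0 iff the listing on stdin belongs to the key whose fingerprint is $1
key_matches() { [ "$(first_fingerprint)" = "$1" ]; }

# 0 iff `gpg --status-fd 1 --verify` output on stdin has a VALIDSIG record whose
# signing-key fpr (field 3) or primary-key fpr (field 12) equals $1.
# GOODSIG alone is not enough: it only carries the 64-bit key ID.
signature_from_key() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Wraps the page's manual steps; stops before `dpkg -i` on any mismatch.
verify_and_install() {
    gpg --with-colons --import-options show-only --import "$PGP_PUBLIC_KEY" \
        | key_matches "$EXPECTED_FPR" || { echo "key fingerprint mismatch" >&2; return 1; }
    gpg --import "$PGP_PUBLIC_KEY" >/dev/null 2>&1
    gpg --status-fd 1 --verify "$SIG_DEB_PACKAGE" "$DEB_PACKAGE" 2>/dev/null \
        | signature_from_key "$EXPECTED_FPR" || { echo "bad or foreign signature" >&2; return 1; }
    sudo dpkg -i "$DEB_PACKAGE"
}

# Constructed sample output (NOT real gpg output) to exercise the parsers offline.
# The key ID in the pub record is simply the last 16 hex digits of the fingerprint.
SAMPLE_LISTING='pub:-:4096:1:821ACD02680D16DE:1500000000:::-:::scESC::::::23::0:
fpr:::::::::5069A233D55A0EEB174A5FC3821ACD02680D16DE:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example (constructed) <example@example.invalid>::::::::::0:'
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 821ACD02680D16DE Example (constructed) <example@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2020-01-01 1577836800 0 4 0 1 10 00 5069A233D55A0EEB174A5FC3821ACD02680D16DE'
```

The constructed VALIDSIG line models a signature made by a subkey (field 3) of the expected primary key (field 12); both are accepted, any other key is rejected.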

Build from source

# Required packages (Adapt to the OS specific package manager)
sudo apt update && sudo apt install yasm make gcc pkg-config fuse libfuse-dev

# Download source code
git clone https://github.com/veracrypt/VeraCrypt /var/tmp/VeraCrypt
# Won't build without this library even though the NOGUI bit is set
git clone https://github.com/wxWidgets/wxWidgets /var/tmp/VeraCrypt/src/wxWidgets
git -C /var/tmp/VeraCrypt/src/wxWidgets/ submodule update --init 3rdparty/catch

# Build and link
make WXSTATIC=1 WX_ROOT=/var/tmp/VeraCrypt/src/wxWidgets/ wxbuild -C /var/tmp/VeraCrypt/src/
make WXSTATIC=1 -C /var/tmp/VeraCrypt/src/
sudo mv /var/tmp/VeraCrypt/src/Main/veracrypt /usr/bin/

# Test
veracrypt --version   # Here: VeraCrypt 1.24-Update7

Procedure

VeraCrypt 1.24 Parameters:

Volume types:
[1] Normal [2] Hidden

Encryption Algorithms:
[1] AES [2] Serpent [3] Twofish [4] Camellia [5] Kuznyechik [6] AES(Twofish) [7] AES(Twofish(Serpent)) [8] Camellia(Kuznyechik) [9] Camellia(Serpent) [10] Kuznyechik(AES) [11] Kuznyechik(Serpent(Camellia)) [12] Kuznyechik(Twofish) [13] Serpent(AES) [14] Serpent(Twofish(AES)) [15] Twofish(Serpent)

Hash Algorithms:
[1] SHA-512 [2] Whirlpool [3] SHA-256 [4] Streebog

Filesystems:

[1] None [2] FAT [3] Linux Ext2 [4] Linux Ext3 [5] Linux Ext4 [6] NTFS [7] exFAT [8] Btrfs

Create outer container

The outer container will be configured using a basic {AES, SHA-256, password} configuration and a size of 25MB, for the sake of an example. Any parameter may be adapted as needed when using the -c flag; the interactive prompt explains each of them sufficiently. The -h flag prints the help for further information. Note that VeraCrypt volume sizes are given in KiB, MiB, GiB or TiB.

veracrypt -c

Via interactive text user interface (-t, --text):

Volume type: 1
Volume path: FILENAME.hc
Volume size (sizeK/size[M]/sizeG): 24414K
Encryption Algorithm: 1
Hash algorithm: 3
Filesystem: 2
Password: OUTTER_PW
PIM: [ENTER]
Enter keyfile path [none]: [ENTER]
Type at least 320 randomly chosen characters and then press Enter: [ENTER]

Add hidden container

After creating the outer container, an inner hidden container can be added. The hidden container will be configured using a more sophisticated {AES(Twofish), SHA-512, {password, custom PIM, keyfile}} configuration and a size of 5MB, for the sake of an example. Note that VeraCrypt volume sizes are given in KiB, MiB, GiB or TiB.

veracrypt -c

Via interactive text user interface (-t, --text):

Volume type: 2
Volume path: FILENAME.hc
Hidden volume size (sizeK/size[M]/sizeG): 3883K
Encryption Algorithm: 6
Hash algorithm: 1
Filesystem: 2
Password: HIDDEN_PW
PIM: 50000
Keyfile path [none]: ./Example_Keyfile.png
Keyfile path [finish]: [ENTER]
Type at least 320 randomly chosen characters and then press Enter: [ENTER]

Mount container

Mount a VeraCrypt container via the text user interface (-t, --text), which is enabled by default, or in a single non-interactive command; see -h for the available options.

veracrypt $ENC_CONTAINER_FILE $MOUNT_POINT

Example: Mount FILENAME.hc outer container

Via interactive text user interface (-t, --text):

Password: OUTTER_PW
PIM: [ENTER]
Keyfile [none]: [ENTER]
Protect hidden volume? [No]: [ENTER]

Example: Mount FILENAME.hc hidden container

Via interactive text user interface (-t, --text):

Password: HIDDEN_PW
PIM: 50000
Keyfile [none]: Keyfile.png
Protect hidden volume? [No]: [ENTER]

List Mounted Container

veracrypt -l

Dismount Container

# Specific volume (by mount point or by container file)
veracrypt -d $MOUNT_POINT
# All mounted volumes
veracrypt -d
