Block Device Encryption - VeraCrypt

From Embedded Lab Vienna for IoT & Security

This document describes how to create, mount and dismount a virtual encrypted disk with hidden container using VeraCrypt for Linux from the terminal.

TL;DR

# Install (https://www.veracrypt.fr/en/Downloads.html)
sudo dpkg -i $DEB_PACKAGE

# Create encrypted volume (interactive)
veracrypt -c
# Mount encrypted volume (interactive)
veracrypt $ENC_FILE $MOUNT_POINT
# List mounted volumes
veracrypt -l
# Unmount a specific VeraCrypt volume
veracrypt -d $ENC_FILE
# Unmount all Veracrypt volumes
veracrypt -d

# USE IT.
veracrypt -h

Prerequisites

  • Linux-based Operating System (Here: Ubuntu 20.04 LTS)
  • VeraCrypt Console (Installation notes below) (Here: VeraCrypt 1.24-update7)

Install pre-built binary

This section downloads the VeraCrypt package, verifies its integrity and finally installs it. Get the download link for the appropriate system from https://www.veracrypt.fr/en/Downloads.html and assign it to the variable DEB_PACKAGE_HREF. For all unsupported Linux-based OSs, proceed to the next section, "Build from source".

# CHANGE THIS VARIABLE TO THE DESIRED VERSION AND DISTRO
# Here: VeraCrypt Console 1.24u7 for Ubuntu 20.04 (amd64)
DEB_PACKAGE_HREF="https://launchpad.net/veracrypt/trunk/1.24-update7/+download/veracrypt-console-1.24-Update7-Ubuntu-20.04-amd64.deb"

# Helper variables used in the following for a better overview
# Simply copy paste this block to the terminal
SIG_DEB_PACKAGE_HREF=$DEB_PACKAGE_HREF".sig"
PGP_PUBLIC_KEY_HREF="https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc"
# Reference to the local file names
LOCAL_PATH="/var/tmp/"
DEB_PACKAGE=$LOCAL_PATH${DEB_PACKAGE_HREF##*/}
SIG_DEB_PACKAGE=$LOCAL_PATH${SIG_DEB_PACKAGE_HREF##*/}
PGP_PUBLIC_KEY=$LOCAL_PATH${PGP_PUBLIC_KEY_HREF##*/}
# VeraCrypt PGP public key RSA fingerprint 
FINGERPRINT="5069A233D55A0EEB174A5FC3821ACD02680D16DE"

# Download the necessary files
wget $DEB_PACKAGE_HREF -O $DEB_PACKAGE
wget $SIG_DEB_PACKAGE_HREF -O $SIG_DEB_PACKAGE
wget $PGP_PUBLIC_KEY_HREF -O $PGP_PUBLIC_KEY

# Verify the PGP signature. First confirm that the downloaded key has the expected fingerprint:
gpg --import --import-options show-only $PGP_PUBLIC_KEY | grep $FINGERPRINT
# Only continue if the $PGP_PUBLIC_KEY matches the static $FINGERPRINT.
# Otherwise the key (and therefore the package) must not be trusted.
gpg --import $PGP_PUBLIC_KEY
gpg --verify $SIG_DEB_PACKAGE $DEB_PACKAGE
# Only continue if gpg reports a good signature, i.e. $SIG_DEB_PACKAGE verifies the $DEB_PACKAGE's integrity

# Install the veracrypt package
sudo dpkg -i $DEB_PACKAGE

Build from source

# Required packages (Adapt to the OS specific package manager)
sudo apt update && sudo apt install yasm make gcc pkg-config fuse libfuse-dev

# Download source code
git clone https://github.com/veracrypt/VeraCrypt /var/tmp/VeraCrypt
# Won't build without this library even though the NOGUI bit is set
git clone https://github.com/wxWidgets/wxWidgets /var/tmp/VeraCrypt/src/wxWidgets
git -C /var/tmp/VeraCrypt/src/wxWidgets/ submodule update --init 3rdparty/catch

# Build and link
make WXSTATIC=1 WX_ROOT=/var/tmp/VeraCrypt/src/wxWidgets/ wxbuild -C /var/tmp/VeraCrypt/src/
make WXSTATIC=1 -C /var/tmp/VeraCrypt/src/
sudo mv /var/tmp/VeraCrypt/src/Main/veracrypt /usr/bin/

# Test
# Here: VeraCrypt 1.24-Update7
veracrypt --version

Procedure

VeraCrypt 1.24 Parameters:

Volume types:
[1] Normal [2] Hidden

Encryption Algorithms:
[1] AES [2] Serpent [3] Twofish [4] Camellia [5] Kuznyechik [6] AES(Twofish) [7] AES(Twofish(Serpent)) [8] Camellia(Kuznyechik) [9] Camellia(Serpent) [10] Kuznyechik(AES) [11] Kuznyechik(Serpent(Camellia)) [12] Kuznyechik(Twofish) [13] Serpent(AES) [14] Serpent(Twofish(AES)) [15] Twofish(Serpent)

Hash Algorithms:
[1] SHA-512 [2] Whirlpool [3] SHA-256 [4] Streebog

Filesystems:
[1] None [2] FAT [3] Linux Ext2 [4] Linux Ext3 [5] Linux Ext4 [6] NTFS [7] exFAT [8] Btrfs

Create outer container

The outer container will be configured, for the sake of an example, with a basic {AES, SHA-256, Password} configuration and a size of 25MB. Any parameter may be adapted as needed when using the -c flag; the interactive prompt explains each of them sufficiently. The -h flag gives access to the help for further information. Note that VeraCrypt volume sizes are given in KiB, MiB, GiB or TiB.

veracrypt -c

Via interactive text user interface (-t, --text):

Volume type: 1
Volume path: FILENAME.hc
Volume size (sizeK/size[M]/sizeG): 24414K
Encryption Algorithm: 1
Hash algorithm: 3
Filesystem: 2
Password: OUTTER_PW
PIM: [ENTER]
Enter keyfile path [none]: [ENTER]
Type at least 320 randomly chosen characters and then press Enter: [ENTER]

Add hidden container

After creating the outer container, an inner hidden container can be added. The hidden container will be configured, for the sake of an example, with a more sophisticated {AES(Twofish), SHA-512, {Password, custom PIM, Keyfile}} configuration and a size of 5MB. Note that VeraCrypt volume sizes are given in KiB, MiB, GiB or TiB.

veracrypt -c

Via interactive text user interface (-t, --text):

Volume type: 2
Volume path: FILENAME.hc
Hidden volume size (sizeK/size[M]/sizeG): 3883K
Encryption Algorithm: 6
Hash algorithm: 1
Filesystem: 2
Password: HIDDEN_PW
PIM: 50000
Keyfile path [none]: ./Example_Keyfile.png
Keyfile path [finish]: [ENTER]
Type at least 320 randomly chosen characters and then press Enter: [ENTER]

Mount container

Mount a VeraCrypt container via the text user interface (-t, --text), which is enabled by default, or in a single command using the options listed under -h.

veracrypt $ENC_CONTAINER_FILE $MOUNT_POINT

Example: Mount FILENAME.hc outer container

Via interactive text user interface (-t, --text):

Password: OUTTER_PW
PIM: [ENTER]
Keyfile [none]: [ENTER]
Protect hidden volume? [No]: [ENTER]

Example: Mount FILENAME.hc hidden container

Via interactive text user interface (-t, --text):

Password: HIDDEN_PW
PIM: 50000
Keyfile [none]: Keyfile.png
Protect hidden volume? [No]: [ENTER]

List Mounted Container

veracrypt -l

Dismount Container

# Specific
veracrypt -d $MOUNT_POINT
# All
veracrypt -d
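The whole procedure above (outer container, hidden container, protected mount, list, dismount) as a non-interactive script, added here as an example; it is not part of the original page or of the VeraCrypt project. It assumes the VeraCrypt 1.24 command-line options named in the comments, the constructed placeholder paths /var/tmp/FILENAME.hc and /mnt/vc, and that ./Example_Keyfile.png exists; VC=echo prints the command lines instead of running them.

```shell
#!/bin/sh
# Added example (not from the original page): the create / mount / list / dismount
# procedure scripted with VeraCrypt's non-interactive flags. Assumed 1.24 CLI options:
# --create --volume-type --size --encryption --hash --filesystem --password --pim
# --keyfiles --random-source --protect-hidden --protection-password --protection-pim
# --protection-keyfiles --list --dismount --non-interactive --stdin.
# VC=echo turns every call into a dry run that only prints the command line.
VC="${VC:-veracrypt}"

# Outer (decoy) volume: AES, SHA-256, FAT, 25 MiB, password only, no PIM or keyfile.
vc_create_outer() {   # $1 container path, $2 password
  "$VC" --text --non-interactive --create "$1" --volume-type=normal --size=25M \
    --encryption=AES --hash=SHA-256 --filesystem=FAT --random-source=/dev/urandom \
    --password="$2" --pim=0 --keyfiles=""
}

# Hidden volume in the same container: AES(Twofish) cascade (CLI spelling AES-Twofish),
# SHA-512, FAT, 5 MiB, password + PIM 50000 + keyfile, as in the transcript above.
vc_create_hidden() {  # $1 container path, $2 password, $3 keyfile
  "$VC" --text --non-interactive --create "$1" --volume-type=hidden --size=5M \
    --encryption=AES-Twofish --hash=SHA-512 --filesystem=FAT --random-source=/dev/urandom \
    --password="$2" --pim=50000 --keyfiles="$3"
}

# Mount the outer volume WITH hidden-volume protection: VeraCrypt needs the hidden
# volume's credentials to know which area must never be written, otherwise filling
# the outer volume silently destroys the hidden one ("Protect hidden volume?" prompt).
vc_mount_outer_protected() {  # $1 path, $2 mount point, $3 outer pw, $4 hidden pw, $5 keyfile
  "$VC" --text --non-interactive --password="$3" --pim=0 --keyfiles="" \
    --protect-hidden=yes --protection-password="$4" --protection-pim=50000 \
    --protection-keyfiles="$5" "$1" "$2"
}

# Mount the hidden volume itself (it is the inner one, so no protection is needed).
vc_mount_hidden() {  # $1 path, $2 mount point, $3 hidden pw, $4 keyfile
  "$VC" --text --non-interactive --password="$3" --pim=50000 --keyfiles="$4" \
    --protect-hidden=no "$1" "$2"
}

# --password= is visible in `ps` and shell history; for real use drop it (and
# --non-interactive) so VeraCrypt prompts, or pass the password via --stdin.
# Constructed demo values; only runs when veracrypt is installed and RUN_EXAMPLE is set.
if [ -n "$RUN_EXAMPLE" ] && command -v veracrypt >/dev/null 2>&1; then
  vc_create_outer /var/tmp/FILENAME.hc OUTTER_PW
  vc_create_hidden /var/tmp/FILENAME.hc HIDDEN_PW ./Example_Keyfile.png
  vc_mount_outer_protected /var/tmp/FILENAME.hc /mnt/vc OUTTER_PW HIDDEN_PW ./Example_Keyfile.png
  "$VC" --text --list
  "$VC" --text --dismount /var/tmp/FILENAME.hc
fi
```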
