@rocodes
Last active January 18, 2024 17:40
veracrypt setup

VeraCrypt setup/usage

(These instructions are for QA testing/evaluation purposes only)

To provision a VeraCrypt drive

  • Download VeraCrypt CLI from https://www.veracrypt.fr/
    • Verify signatures before installing any software. From their site, VeraCrypt's PGP key: ID=0x680D16DE, Fingerprint=5069A233D55A0EEB174A5FC3821ACD02680D16DE
    • On Debian-based systems, run apt-get install libccid pcscd to install VeraCrypt's dependencies (use apt --fix-broken install to resolve dependency issues).
    • Install the VeraCrypt or VeraCrypt CLI deb using dpkg. (These instructions refer to the VeraCrypt CLI on Linux. For GUI instructions or Windows CLI instructions, see https://www.veracrypt.fr/en/Documentation.html).
  • Insert the USB drive, attach it, and note its device identifier (e.g. /dev/sda).
  • To create a VeraCrypt volume on the CLI, type veracrypt -t -c and follow the prompts. The VeraCrypt documentation will guide you through some of the options; if unsure, it's generally best to use the defaults they provide. Read at least this section on PIM (Personal Iterations Multiplier): https://documentation.help/VeraCrypt/Personal%20Iterations%20Multiplier%20(PIM).html
    • Note that you will be overwriting the contents of your target disk with this step. Be sure to select the correct disk. Be sure you are not destroying any needed data.
    • There are other ways to create a VeraCrypt container: a file-based container, which can be mounted in any filesystem; a full system container that encrypts a bootable system; or one VC partition on a multi-partition drive. See the VeraCrypt documentation for those options.
  • Formatting a VC drive is time-consuming and depends on the size of the drive and your computer's specs. For testing, you may want to set up a smaller drive.
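
One way to carry out the "Verify signatures" step above before running dpkg, as an added example that is not part of the original gist. The key, package and signature file paths are passed as arguments and are assumptions, as are the function names; only the fingerprint comes from the instructions above.

```shell
#!/bin/sh
# Added example (not from the gist): verify a VeraCrypt .deb before dpkg -i.
# Assumed: file paths given as arguments; function names are hypothetical.
# Requires GnuPG 2.x.

# Fingerprint exactly as quoted in the instructions above.
EXPECTED_FPR="5069A233D55A0EEB174A5FC3821ACD02680D16DE"

# Strip whitespace and a leading 0x, then upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint: the first "fpr" record, field 10.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if $1 is the full expected fingerprint (not just the short ID).
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$EXPECTED_FPR" ]
}

# usage: verify_deb KEY.asc PACKAGE.deb PACKAGE.deb.sig
# Runs in a subshell with a throwaway keyring, so a good signature can only
# come from the key whose fingerprint was just checked.
verify_deb() (
    home=$(mktemp -d) || exit 1
    trap 'rm -rf "$home"' EXIT
    fpr=$(gpg --homedir "$home" --with-colons \
              --import-options show-only --import "$1" 2>/dev/null | primary_fpr)
    if ! fpr_matches "$fpr"; then
        echo "key fingerprint mismatch: got '$fpr'" >&2
        exit 1
    fi
    gpg --homedir "$home" --quiet --import "$1" || exit 1
    gpg --homedir "$home" --verify "$3" "$2"
)

# Run the check only when all three paths are supplied.
if [ "$#" -eq 3 ]; then
    verify_deb "$@" && echo "signature OK: $2"
fi
```

Comparing the full 40-character fingerprint matters because the short 8-digit key ID alone does not uniquely identify a key.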

To unlock and mount a VeraCrypt drive

Using udisks

  • Create (empty) flag file /etc/udisks2/tcrypt.conf.
  • Run udisksctl unlock -b /dev/sdX and enter the passphrase when prompted. The unlocked drive will appear at /dev/dm-Y (see the CLI output) and can be mounted with udisksctl mount -b /dev/dm-Y. This method does not work for drives that have PIM numbers or keyfiles. It only works for block devices (for encrypted file containers, use losetup, then mount the container as a block device).

Using veracrypt cli

  • Choose a mountpoint (directory), then run veracrypt /path/to/veracrypt/volume mount_name and enter the passphrase when prompted. (For testing purposes we don't bother with a custom PIM number or keyfile, and we don't create hidden volumes, so you can skip through the rest of the prompts.) The unlocked device will appear at /dev/mapper/mount_name, and can then be mounted normally.

Using cryptsetup
