(These instructions are for QA testing/evaluation purposes only)
- Download VeraCrypt CLI from https://www.veracrypt.fr/
- Verify signatures before installing any software. From their site, VeraCrypt's PGP key: ID=0x680D16DE, Fingerprint=5069A233D55A0EEB174A5FC3821ACD02680D16DE
- On Debian-based systems, run `apt-get install libccid pcscd` to install VeraCrypt's dependencies. (Run `apt --fix-broken install` to resolve dependency issues.)
- Install the VeraCrypt or VeraCrypt CLI deb using `dpkg`. (These instructions refer to the VeraCrypt CLI on Linux. For GUI instructions or Windows CLI instructions, see https://www.veracrypt.fr/en/Documentation.html.)
- Insert the USB drive, attach it, and note its device identifier (e.g. `/dev/sda`).
- To create a VeraCrypt volume on the CLI, type `veracrypt -t -c` and follow the prompts. The VeraCrypt documentation will guide you through some of the options; if unsure, it's generally best to use the defaults they provide. Read at least this section on PIM (Personal Iterations Multiplier): https://documentation.help/VeraCrypt/Personal%20Iterations%20Multiplier%20(PIM).html
- Note that you will be overwriting the contents of your target disk with this step. Be sure to select the correct disk. Be sure you are not destroying any needed data.
- There are other ways to create a VeraCrypt container (file-based container, which can be mounted in any filesystem; or a full system container that encrypts a bootable system, or one VC partition on a multi-partition drive). See VeraCrypt documentation for those ways.
- Formatting a VC drive is time-consuming and depends on the size of the drive and your computer's specs. For testing, you may want to set up a smaller drive.
- Create the (empty) flag file `/etc/udisks2/tcrypt.conf`, then run `udisksctl unlock -b /dev/sdX` and enter the passphrase when prompted. The unlocked drive will appear at `/dev/dm-Y` (see the CLI output) and can be mounted with `udisksctl mount -b /dev/dm-Y`. This method does not work for drives that have PIM numbers or keyfiles. It only works for block devices. (For encrypted file containers, use `losetup`, then mount the container as a block device.)
- Choose a mountpoint (directory), then run `veracrypt /path/to/veracrypt/volume mount_name` and enter the passphrase when prompted. (For testing purposes we don't bother with a custom PIM number or keyfile, and we don't create hidden volumes, so we can skip through the rest of the prompts.) The unlocked device will appear at `/dev/mapper/mount_name`, and can then be mounted normally.
- Run `cryptsetup open --type tcrypt --veracrypt /path/to/veracrypt/volume mount_name`. The unlocked device will appear at `/dev/mapper/mount_name`, and can then be mounted normally.
- More details on the cryptsetup tcrypt/veracrypt extension: https://www.man7.org/linux/man-pages/man8/cryptsetup.8.html#TCRYPT_(TRUECRYPT_AND_VERACRYPT_COMPATIBLE)_EXTENSION
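
For the "verify signatures" step in the install instructions above, one way to make the check mechanical before running `dpkg`. This is an added example, not part of the original instructions or of VeraCrypt's tooling. It assumes `gpg` is installed and that the public key file, the package, and its detached signature have already been downloaded; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not VeraCrypt's tooling): accept a package only if its
# detached signature was made by the key whose fingerprint the page lists.
EXPECTED_FPR="5069A233D55A0EEB174A5FC3821ACD02680D16DE"   # from the page

# Read `gpg --status-fd` lines on stdin. Print the signer's primary-key
# fingerprint (last field of VALIDSIG), but only if GOODSIG was also seen:
# gpg reports EXPKEYSIG/REVKEYSIG instead of GOODSIG for expired or
# revoked keys, and BADSIG/ERRSIG when verification fails.
signer_fpr() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "GOODSIG"  { good = 1 }
         $2 == "VALIDSIG" { fpr = $NF }
         END { if (good && fpr != "") print fpr }'
}

# Exit 0 only when the status lines on stdin name the expected key.
signer_is_expected() {
    [ "$(signer_fpr)" = "$EXPECTED_FPR" ]
}

# verify_deb KEYFILE DEB SIG  (all three paths are supplied by the caller)
# Uses a throwaway keyring so keys already in ~/.gnupg cannot satisfy the check.
verify_deb() {
    keyfile=$1; deb=$2; sig=$3
    home=$(mktemp -d) || return 1
    GNUPGHOME=$home gpg --batch --quiet --import "$keyfile" 2>/dev/null
    GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$sig" "$deb" 2>/dev/null |
        signer_is_expected
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Usage: sh verify-veracrypt.sh KEYFILE DEB SIG
if [ "$#" -eq 3 ]; then
    if verify_deb "$1" "$2" "$3"; then
        echo "signature OK, signed by $EXPECTED_FPR"
    else
        echo "signature check FAILED, do not install $2" >&2
        exit 1
    fi
fi
```

Comparing the full 40-character fingerprint, rather than the short ID, is what ties the signature to the key published on the VeraCrypt site.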