Encryption with VeraCrypt
Hidden
The VeraCrypt encryption software comes with a handy graphical interface, and its ability to hide one container inside an encrypted volume adds a feature the standard Linux tools lack: plausibly deniable encryption.
When the TrueCrypt developers dissuaded people from further use of its software with an ominous security warning [1], many users were confused and concerned about their privacy, especially in the Windows camp, where TrueCrypt was a popular open source encryption solution (see the "TrueCrypt" box).
TrueCrypt
By the spring of 2014, the free and open source encryption software TrueCrypt stood virtually alone in its field. Some users, however, were uneasy because the developers had never been identified, which fed speculation. At the end of May 2014, the developers abruptly terminated the project and advised users to switch to BitLocker, the closed-source encryption built into Windows, with the words, "Using TrueCrypt is not secure as it may contain unfixed security issues."
Clarity about the actual security of the software came from an independent audit [3], completed in 2015. Apart from some problems in the Windows drivers, the examiners' main objection was the low number of hash iterations in the key derivation (PBKDF2), which was far too small for the computing power of the day. It did little to slow down attackers brute-forcing passwords, so containers with weak passwords were easier to crack than they needed to be. VeraCrypt raised the iteration count promptly, at the price of making the mounting of encrypted volumes take considerably longer.
Google's Project Zero later found two critical vulnerabilities, unrelated to the encryption itself, that allowed a local attacker on Windows [4], under certain conditions [5], to gain administrative privileges. The Windows version of VeraCrypt has since fixed these weaknesses.
Meanwhile, the TrueCrypt fork VeraCrypt [2], begun in 2013, has inherited its predecessor's following and added Linux support in 2014. Given that the Linux kernel can already encrypt directories or entire partitions, why would Linux users embrace a program with a blot on its history? VeraCrypt offers some solid reasons.
Plausible Reasons
One strong motive for using VeraCrypt is its support for plausibly deniable encryption: An encrypted container can embed a hidden inner container (Figure 1). Should you ever be forced to reveal your password, you can disclose only the outer container's (see the box "Plausible Deniability"). The deniability holds only as long as nothing outside the container betrays the hidden volume; the VeraCrypt documentation therefore warns that the operating system and applications must not be allowed to leave traces (recent-file lists, caches, swap) of the hidden data.
Plausible Deniability
Some countries (e.g., the UK) have laws that compel computer owners to disclose the passwords for encrypted data on demand [6]. With the standard Linux encryption tools dm-crypt/LUKS [7], you could then be in trouble: A LUKS partition is readily identified by its header (Figure 4), so its owner cannot deny that encrypted data exists.
The same is true of normal VeraCrypt volumes, though for a different reason. Good encryption allows no conclusions about the encrypted data, so from the outside a container looks like a sequence of random bytes. Unencrypted data (text, video, images), by contrast, always exhibits certain regularities. The difference can be shown statistically, and a large blob of random-looking bytes with no recognizable format is itself conspicuous.
Precisely the property that gives away encrypted filesystems lets VeraCrypt create a secure hiding place inside a container: The inner container is also a random-looking byte sequence, and it sits in the free space of the outer container, which VeraCrypt fills with random data, so statistical analysis cannot tell where one ends and the other begins.
In practice, when creating the outer container, VeraCrypt first fills the intended space with random data. In a second step, you embed a hidden container with its own password. When opening a VeraCrypt volume, the password you enter then decides whether the outer or the inner container is unlocked.
In the outer container, you store enough plausible alibi files as camouflage. The inner container occupies what appears to be free space and stays invisible unless you know its password. That is also true for VeraCrypt itself: If the outer container fills up, its content will overwrite the hidden volume without warning. To prevent this, you mount the outer volume in a kind of mixed mode with hidden-volume protection enabled and enter both passwords: Only then does the software know where the inner container lies and can block writes to that area.
Without the second password, you cannot even prove that an inner container exists: After unlocking the outer container, the area just looks like free space. The information about the inner container's location and size lives in its own header, stored in a reserved area of the volume and encrypted with the second password. Until you unlock it separately, this header, like the entire inner container, is indistinguishable from random data.
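The statistical test the box describes, as an added example that is not code from the article or from VeraCrypt: It measures the byte-value entropy and the chi-square distance from a uniform distribution for a block of bytes and runs that test block by block over a constructed image, in which seeded pseudo-random bytes stand in for the outer volume's random fill and for a hidden volume written into it. The thresholds, the block size, and the sample data are assumptions chosen for the demonstration.

```python
"""Byte-distribution statistics that separate plaintext from random-looking data.

Added illustration, not VeraCrypt code. Thresholds, block size and the sample
inputs below are assumptions chosen for this demonstration.
"""
import math
import random
from collections import Counter

BLOCK = 4096            # assumption: scan granularity, one filesystem block


def entropy_bits_per_byte(data):
    """Shannon entropy of the byte-value distribution; 8.0 is the ceiling."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data):
    """Chi-square statistic against a uniform byte distribution (255 degrees of freedom)."""
    if not data:
        return float("inf")
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_random(data, min_entropy=7.8, max_chi2=400.0):
    """True when a block is statistically indistinguishable from noise.

    Thresholds are assumptions suited to blocks of 4 KiB and up. The verdict
    covers ciphertext, but also compressed and genuinely random data, so it
    says "random-looking", not "VeraCrypt".
    """
    return (entropy_bits_per_byte(data) >= min_entropy
            and chi_square_uniform(data) <= max_chi2)


def scan(data, block=BLOCK):
    """Per-block verdicts over an image, the way a forensic sweep would proceed."""
    return [looks_random(data[i:i + block])
            for i in range(0, len(data) - block + 1, block)]


# Constructed samples. English text stands in for plaintext; seeded
# pseudo-random bytes stand in for the random fill of an outer volume and for a
# hidden volume written into its free space. A real volume is filled from a
# proper CSPRNG; the fixed seed here only makes the demonstration reproducible.
PLAINTEXT = (b"The quick brown fox jumps over the lazy dog. " * 400)[:4 * BLOCK]
_rng = random.Random(2024)
OUTER_FREE_SPACE = _rng.randbytes(4 * BLOCK)
HIDDEN_VOLUME = _rng.randbytes(4 * BLOCK)
IMAGE = OUTER_FREE_SPACE + HIDDEN_VOLUME


if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT),
                         ("outer free space", OUTER_FREE_SPACE),
                         ("hidden volume", HIDDEN_VOLUME)):
        print("%-17s H=%.3f bits/byte  chi2=%9.1f  random-looking=%s" % (
            name, entropy_bits_per_byte(sample), chi_square_uniform(sample),
            looks_random(sample)))
    print("block verdicts over the image:", scan(IMAGE))
```

Plaintext is flagged immediately, while the free-space and hidden-volume regions of the image get the same verdict on every block, which is exactly why a hidden volume cannot be located by this kind of scan. The test only says that bytes look random: Compressed archives and other encrypted data give the same result, so an examiner still needs context to call a blob a VeraCrypt container.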
The standard Linux tools dm-crypt and eCryptfs [8] are well suited to integration with the operating system (e.g., to encrypt the entire system or the home partition). The VeraCrypt GUI, by contrast, lends itself to opening containers for particularly sensitive files as needed. To do this, you create a file-based container with a few mouse clicks (Figure 2); the container can then be used not only on Linux but also on Mac OS X and Windows.
The simple user interface (Figure 3) also handles mounting encrypted volumes, which the program mounts transparently into the filesystem below /mnt or /media. Alternatively, VeraCrypt encrypts entire partitions. The command-line option --text (short form -t) eliminates the need to start the graphical user interface; you can control all functions from the command line or from a script.
Secure?
Features like plausibly deniable encryption or a practical GUI are of little use if the underlying encryption proves to be insecure. As always in security, you can only weigh the evidence about known factors; unknown vulnerabilities remain, by definition, undetected.
To the best of my knowledge and belief, the security of VeraCrypt looks good. The software has a long open source history: It is based on TrueCrypt, which in turn was based on Encryption for the Masses (E4M), launched in 1997 [9]. The TrueCrypt heritage might initially cause some concern, but the VeraCrypt developers explain in detail how they fixed its known vulnerabilities [10]; in any case, those only partly affected the Linux version. The developers have also subjected the code to two static analyses, which revealed several critical programming errors. An independent expert audit of VeraCrypt itself is still pending.
The software is available from SourceForge [11] as an installer that places a binary and a few auxiliary files on the system. As always with security-related software, verify the downloaded files before running them: Compare the sha512sum of the download with the published checksum and, because a checksum hosted next to the file only detects a corrupted download, also check the PGP signature the VeraCrypt developers publish for each release. Compiling the software yourself is currently difficult: The current openSUSE and Ubuntu releases ship a compiler that uses the new C++ ABI (GCC 5's libstdc++ ABI) by default, and not all of the libraries you need are available built for it.
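A small verification routine, added here as an example and not taken from the article or the VeraCrypt project: It computes the SHA-512 of a downloaded file, parses a checksum list in the format sha512sum emits, and compares the two in constant time. The installer file and the checksum line below are constructed for the demonstration; tampering with the file afterwards makes the check fail. Checking the release's PGP signature with gpg is a separate step that this routine does not replace.

```python
"""Check a downloaded VeraCrypt installer against a sha512sum-style list.

Added example; the installer and checksum line are constructed stand-ins.
A checksum served from the same site only proves that the download is intact;
authenticity comes from the PGP signature, which is a separate gpg --verify.
"""
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdefABCDEF")


def sha512_of_file(path, chunk=1 << 20):
    """Stream the file so large installers are not loaded into memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sha512sum(text):
    """Parse 'DIGEST  NAME' lines as written by sha512sum (binary mode prefixes NAME with '*')."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")   # two spaces separate the fields
        name = name.lstrip("*")
        if not sep or not name or len(digest) != 128 or not set(digest) <= HEX:
            raise ValueError("malformed checksum line: %r" % raw)
        expected[name] = digest.lower()
    return expected


def verify(path, checksum_text):
    """True only if the file's digest matches its entry; the comparison is constant-time."""
    expected = parse_sha512sum(checksum_text)
    name = os.path.basename(path)
    if name not in expected:
        raise KeyError("%s is not listed in the checksum file" % name)
    return hmac.compare_digest(sha512_of_file(path), expected[name])


def demo():
    """Constructed round trip: a fake installer passes, then fails after one appended byte."""
    with tempfile.TemporaryDirectory() as d:
        # constructed stand-in, not a real download
        installer = os.path.join(d, "veracrypt-setup.tar.bz2")
        with open(installer, "wb") as f:
            f.write(b"not a real installer\n" * 1000)
        checksum_text = "%s  veracrypt-setup.tar.bz2\n" % sha512_of_file(installer)
        intact = verify(installer, checksum_text)
        with open(installer, "ab") as f:
            f.write(b"\x00")                    # simulate a tampered or truncated download
        tampered = verify(installer, checksum_text)
    return intact, tampered


if __name__ == "__main__":
    print("intact=%s tampered=%s" % demo())
```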
Handy
The current documentation [12] for VeraCrypt leaves no questions unanswered. The basic functions of the software can be used without reading the manual anyway, thanks to the intuitively designed graphical interface. The Create Volume button starts the Volume Creation Wizard. You first decide whether you want to create a file container or encrypt a hard disk partition. Then the wizard asks whether you want a standard volume or a volume with an embedded hidden volume for plausibly deniable encryption (Figure 5).
You always need to create the standard outer container first. To do so, specify a file path at which the software will create the container, or the device file of a disk partition (e.g., /dev/sda3). In the Encryption Options dialog, the default Encryption Algorithm is AES and the default Hash Algorithm is SHA-512 (the hash is used by the key-derivation function, not for the data encryption itself); from today's perspective, both offer good run-time performance and impeccable security.
Alternative encryption algorithms (Figure 6) are available, in line with the cryptographic practice of keeping all sensitive components interchangeable: Should future attacks compromise the currently secure algorithm, you can switch algorithms while continuing to use the familiar software.
After entering the desired volume size, type your password twice and/or select one or more keyfiles; any files will do, but VeraCrypt only processes the first 1 MiB of each. For the filesystem, VeraCrypt defaults to FAT; more capable filesystems, such as NTFS and ext2/3/4, are also available. Choosing an ext filesystem naturally impairs compatibility with Windows. In the final dialog box, click Format to start generating the container.
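The same steps driven from a script via veracrypt --text, as an added example that is neither the article's nor VeraCrypt's own code: One function assembles the creation command with the wizard's choices (volume type, size, algorithm, hash, filesystem), another the mount command, which switches on hidden-volume protection whenever you declare that the volume shelters a hidden one (the mixed mode described in the "Plausible Deniability" box). The option names are those of the VeraCrypt text-mode CLI as documented at the time; confirm them against veracrypt --text --help for your version. The binary name, the container path, and the mount directory are assumptions. Passwords and keyfiles are deliberately not placed on the command line; veracrypt prompts for them, so they never appear in ps output or the shell history.

```python
"""Drive the VeraCrypt text-mode CLI from Python: build the create and mount
commands the GUI wizard would issue, with hidden-volume protection enforced.

Added example, not VeraCrypt project code. Option names follow the
veracrypt --text CLI; verify them with `veracrypt --text --help`.
"""
import shutil
import subprocess

VERACRYPT = "veracrypt"            # assumption: the binary is on PATH
FILESYSTEMS = {"FAT", "ext2", "ext3", "ext4", "NTFS", "none"}  # values accepted here
SECTOR = 512


def valid_volume_size(size_bytes):
    """VeraCrypt sizes volumes in whole sectors; reject anything else up front."""
    return size_bytes > 0 and size_bytes % SECTOR == 0


def create_args(volume, size_bytes, *, hidden=False, encryption="AES",
                hash_alg="sha-512", filesystem="FAT"):
    """Non-interactive counterpart of the Volume Creation Wizard.

    hidden=False creates the standard outer volume that must exist first;
    hidden=True then places the hidden volume inside that same file.
    The defaults mirror the wizard: AES, SHA-512 for key derivation, FAT.
    """
    if not valid_volume_size(size_bytes):
        raise ValueError("size must be a positive multiple of %d bytes" % SECTOR)
    if filesystem not in FILESYSTEMS:
        raise ValueError("unsupported filesystem %r" % filesystem)
    return [VERACRYPT, "--text", "--create", volume,
            "--volume-type=%s" % ("hidden" if hidden else "normal"),
            "--size=%d" % size_bytes,
            "--encryption=%s" % encryption,
            "--hash=%s" % hash_alg,
            "--filesystem=%s" % filesystem,
            # without this, text mode asks you to type random characters instead
            "--random-source=/dev/urandom"]


def mount_args(volume, mountpoint, *, contains_hidden, read_only=False):
    """Mount command.

    contains_hidden=True means: I am unlocking an outer volume that shelters a
    hidden one. VeraCrypt is then told to ask for both passwords and to refuse
    writes into the hidden area, which is the only way an outer volume may be
    mounted writable. Use False for plain volumes and when unlocking the hidden
    volume itself with its own password.
    """
    args = [VERACRYPT, "--text", "--mount", volume, mountpoint]
    if read_only:
        args.append("--mount-options=ro")
    args.append("--protect-hidden=%s" % ("yes" if contains_hidden else "no"))
    return args


def dismount_args(mountpoint):
    return [VERACRYPT, "--text", "--dismount", mountpoint]


def run(args):
    """Execute one of the command lines above; veracrypt prompts for secrets itself."""
    if shutil.which(args[0]) is None:
        raise FileNotFoundError("%s not found on PATH" % args[0])
    return subprocess.run(args, check=True).returncode


if __name__ == "__main__":
    outer = "/home/user/secret.hc"        # assumption: container path
    mountpoint = "/media/veracrypt1"      # assumption: mount directory
    for cmd in (create_args(outer, 256 * 1024 * 1024),
                create_args(outer, 64 * 1024 * 1024, hidden=True, filesystem="ext4"),
                mount_args(outer, mountpoint, contains_hidden=True),
                dismount_args(mountpoint)):
        print(" ".join(cmd))
```

Run the printed commands in order: the outer volume first, then the hidden one into it, then the protected mount, at which point veracrypt asks for the outer password and, because of --protect-hidden=yes, for the hidden one as well.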