Encryption with VeraCrypt
Key Function
To mount a volume, just access the container or device file of a disk partition in the main dialog by clicking Select File or Select Device. In the list box in the upper half of the window, you then select a volume under Slot. On Linux, you define a slot number (<n>) in the mountpoint /media/veracrypt<n>
, and on Windows, a drive letter. If you want to mount the object in a different directory, click Options in the Mount dialog, and in Mount at directory, enter the target path.
Then specify the password or keyfile. Whether you mount the outer container or – if available – the inner container, is decided exclusively by the password and keyfile. As explained in the "Plausible Deniability" box, you will always use the inner volume in daily operation, but if you mount an outer container with an embedded inner container, in Options you need to check the Protect hidden volume when mounting outer volume box and enter the password for the inner container, too (Figure 7).
![](/var/linux_magazin/storage/images/issues/2016/188/veracrypt/figure-7/672629-1-eng-US/Figure-7_large.png)
Clicking Dismount unmounts the device, and VeraCrypt explicitly clears the password from memory. Besides this, VeraCrypt offers a Dismount All button, which closes all open containers as soon as possible. Because the software needs the password constantly during operation, you cannot prevent it remaining in memory while containers are active. This also applies to both of the Linux on-board solutions.
If the system crashes with open containers, you face a residual risk: In case of memory shortage, the operating system writes sections of the main memory to a swap file on the hard disk. Under certain circumstances, the password for active VeraCrypt volumes could thus survive a system power off – if you suspend to disk, this happens in any case. However, this usually only proves to be risky if it falls into the hands of a forensics professional with appropriate knowledge of the system.
You can avoid this risk with full system encryption (e.g., as set up by the Linux installer on Ubuntu) because this also encrypts the swap partition.
Systematically Hidden
On Windows, VeraCrypt's capabilities go much further: In the hidden inner container on Windows you can install a second hidden operating system whose existence is not demonstrable (Figure 8). The special bootloader used for this does not work with Linux, and a posting from the VeraCrypt forum suggests that this situation is not likely to change any time in the near future [13].
![](/var/linux_magazin/storage/images/issues/2016/188/veracrypt/figure-8/672632-1-eng-US/Figure-8_large.png)
Of course, the free operating systems offer many well-known solutions: cryptsetup
, a tool that offers full system encryption and comes with many Linux installers, has been able to unlock VeraCrypt volumes since version 1.6.7 from spring 2015. However, both Ubuntu 15.10 and openSUSE 42.1 still use older versions; only Arch Linux already uses the current Cryptsetup release. It relies on a shell script to unlock the root filesystem embedded in the initial ramdisk, which is a file archive the kernel mounts provisionally as root at bootup. This archive contains kernel modules for the filesystems and a shell. Scripts create the conditions for mounting the final root filesystem.
To cooperate with VeraCrypt volumes, you need to extend the standard version of this script; for users with shell skills, this is not too difficult. The initial ramdisks of other distributions [14] work in a similar way to those for Arch, which is why the process can be transferred in principle to this script [15].
Listing 1 shows a section of the /usr/lib/initcpio/encrypt
shell script, which asks for the password that will unlock the root filesystem. Line 5 shows the call to dm-crypt via cryptsetup
with the parameter --type luks
, which is the most common encryption format for Linux partitions.
Listing 1
Unlocking LUKS
To use VeraCrypt instead of LUKS, you just need to replace the parameter --type luks
with --type tcrypt --veracrypt
for a TrueCrypt container with the VeraCrypt sub-format. To ensure that encryption with LUKS still works, all you need is a simple if
clause to check for the existence of the vera=1
boot parameter and store the container type in a variable (Listing 2).
Listing 2
Using VeraCrypt
In the Cryptsetup call, simply replace --type luks
with the ${type}
variable. Dm-crypt does not automatically search for a hidden container; instead, you need to stipulate the additional --tcrypt-hidden
option. The script thus handles the task of checking for both versions. In the tuned version, it tries the first password entered for the outer container. If it fails to unlock the container, it again prompts for a password, but now tries this on the inner container, then again on the outer container, and so on.
This process is not particularly convenient, especially because it takes time for VeraCrypt to reject an incorrect password. However, at least this process does not reveal any evidence of the hidden container. You need to replace the code in Listing 1 with the code shown in Listing 3 for this. You can download the complete vencrypt
script file for Arch Linux online [16].
Listing 3
Unlocking VeraCrypt
Now the question arises as to how to install Arch Linux instead of Windows in a hidden VeraCrypt partition. The easiest way is by preparing an Arch Linux machine with the VeraCrypt GUI in a partition on a second hard drive and mounting the hidden container. It must be at least the same size as the current system. You need to consider whether you want to set up an alibi system in the outer container when defining the size of the container.
Installing on a second disk is safer because you do not need to touch the bootloader of the old system. You decide in the BIOS/EFI which system boots. An Rsync call [17] transfers the current system to the mounted VeraCrypt partition – in the example in Listing 4, to /mnt/veracrypt1
.
Listing 4
Using a Second Disk
In addition to the root partition, an encrypted system needs an unencrypted boot partition, for which you need to create another 100MB partition. Format it with:
mkfs.ext4 /dev/sd<xN>
You replace <xN>
with the identifier for the matching device file and copy to it the contents of the /boot
directory from the current system.
Startup Aid
What now follows are some steps already familiar to Arch Linux users from the initial installation of their system. On the mirrored system, first change the fifth line in <Mountpoint>/etc/default/grub
to:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sd<xN>:veracrypt1 vera=1"
The cryptdevice
keyword points to the partition encrypted with VeraCrypt. The colon is followed by the name of the mapper in /dev/mapper/
(e.g., veracrypt1
here), which VeraCrypt uses to access the currently mounted partition.
Copy the modified vencrypt
script available online [16] to the <Mountpoint>/usr/lib/initcpio/hooks/
directory. To be able to install in the initial ramdisk, you need to duplicate <Mountpoint>/usr/lib/initcpio/install/encrpyt
as vencrypt
.
Now register the modified vencrypt
script under <Mountpoint>/etc/mkinitcpio.conf
; optionally, replace the existing original Arch Linux encrpyt
version. The HOOKS line responsible for this [18] might then read as follows:
HOOKS="base udev autodetect modconf block filesystems keyboard keymap vencrypt fsck"
The order is important: vencrypt
needs to follow filesystems
and keyboard
but must occur before fsck
. The keymap
lets you change the keyboard mapping if needed; otherwise, leave any existing hooks in your system unchanged.
Now it is time to use chroot
(change root) to change to the new system. The arch-chroot script from the Arch Linux installation medium [19] handles this task; you can call it with ./arch-chroot <Mountpoint>
. The Ubuntu guide for fixing GRUB [20] also starts a chroot environment. Now you should change /etc/fstab
as shown in Listing 5.
Listing 5
/etc/fstab
Now mount /boot
and install GRUB on the new disk. On BIOS systems, use the grub-install /dev/sd<X>
command; for EFI systems, check out the Arch wiki [21]. Next, generate a grub configuration with the parameters inserted into /etc/default/grub
with:
$ grub-mkconfig -o /boot/grub/grub.cfg
The only thing missing is the initial ramdisk, which you can created with mkinitcpio -p linux
. Now the encrypted system should boot from the second hard drive. Acknowledge the first password prompt after the GRUB menu by pressing Enter; the password is for the outer volume and will fail accordingly. After entering the password for the hidden volume at the second prompt, the system derived from the unencrypted original system boots (Figure 9).
![](/var/linux_magazin/storage/images/issues/2016/188/veracrypt/figure-9/672635-1-eng-US/Figure-9_large.png)
For maximum deniability, use Rsync to mirror a Linux system in the outer container as well, and give it the same /etc/fstab
file. The entry in the bootloader is fine for both systems and therefore does not require any further modification.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
![Learn More](https://www.linux-magazine.com/var/linux_magazin/storage/images/media/linux-magazine-eng-us/images/misc/learn-more/834592-1-eng-US/Learn-More_medium.png)
News
-
NVIDIA Released Driver for Upcoming NVIDIA 560 GPU for Linux
Not only has NVIDIA released the driver for its upcoming CPU series, it's the first release that defaults to using open-source GPU kernel modules.
-
OpenMandriva Lx 24.07 Released
If you’re into rolling release Linux distributions, OpenMandriva ROME has a new snapshot with a new kernel.
-
Kernel 6.10 Available for General Usage
Linus Torvalds has released the 6.10 kernel and it includes significant performance increases for Intel Core hybrid systems and more.
-
TUXEDO Computers Releases InfinityBook Pro 14 Gen9 Laptop
Sporting either AMD or Intel CPUs, the TUXEDO InfinityBook Pro 14 is an extremely compact, lightweight, sturdy powerhouse.
-
Google Extends Support for Linux Kernels Used for Android
Because the LTS Linux kernel releases are so important to Android, Google has decided to extend the support period beyond that offered by the kernel development team.
-
Linux Mint 22 Stable Delayed
If you're anxious about getting your hands on the stable release of Linux Mint 22, it looks as if you're going to have to wait a bit longer.
-
Nitrux 3.5.1 Available for Install
The latest version of the immutable, systemd-free distribution includes an updated kernel and NVIDIA driver.
-
Debian 12.6 Released with Plenty of Bug Fixes and Updates
The sixth update to Debian "Bookworm" is all about security mitigations and making adjustments for some "serious problems."
-
Canonical Offers 12-Year LTS for Open Source Docker Images
Canonical is expanding its LTS offering to reach beyond the DEB packages with a new distro-less Docker image.
-
Plasma Desktop 6.1 Released with Several Enhancements
If you're a fan of Plasma Desktop, you should be excited about this new point release.