How to Use VeraCrypt on Command Line to Encrypt Drives on Ubuntu 18.04

In our previous article, we discussed how to install and use VeraCrypt to encrypt drives on Ubuntu 18.04 using the VeraCrypt GUI. In this article, we are going to learn how to use VeraCrypt from the command line interface to achieve the same encryption.

To run VeraCrypt with its text user interface, type veracrypt and pass the -t/--text option.

The command line synopsis of the veracrypt command is:

veracrypt [OPTIONS] COMMAND
veracrypt [OPTIONS] VOLUME_PATH [MOUNT_DIRECTORY]

To learn more about VeraCrypt command line options, run veracrypt -h

Use VeraCrypt on Command Line to Encrypt Drives

Create a Hidden VeraCrypt Volume

To create a hidden VeraCrypt volume, step through the following procedure.

Create an outer volume

Launch the veracrypt command from the terminal and pass the -c/--create option together with the -t/--text option. Any option you don't specify on the command line is requested interactively.

# veracrypt -t -c

When you run the command, you are prompted to choose the type of volume. In this case, we are going to set up a Normal volume.

Volume type:
 1) Normal
 2) Hidden
Select [1]: 1

Next, choose the encryption and hash algorithms:

Encryption Algorithm:
 1) AES
 2) Serpent
 3) Twofish
 4) Camellia
 5) Kuznyechik
 6) AES(Twofish)
 7) AES(Twofish(Serpent))
 8) Camellia(Kuznyechik)
 9) Camellia(Serpent)
 10) Kuznyechik(AES)
 11) Kuznyechik(Serpent(Camellia))
 12) Kuznyechik(Twofish)
 13) Serpent(AES)
 14) Serpent(Twofish(AES))
 15) Twofish(Serpent)
Select [1]: 1 

Hash algorithm:
 1) SHA-512
 2) Whirlpool
 3) SHA-256
 4) Streebog
Select [1]: 1

In the above, we chose AES and SHA-512 as the encryption and hash algorithms respectively. You can also just press Enter to accept the defaults.

Define the filesystem to format the volume with.

Filesystem:
 1) None
 2) FAT
 3) Linux Ext2
 4) Linux Ext3
 5) Linux Ext4
 6) NTFS
 7) exFAT
Select [2]: 5

In this case, we are going with Linux Ext4.

Next, set the password for encrypting the outer volume. For the PIM and keyfile path, press Enter to leave them empty.

Enter password: Enter STRONGPASSWORD
Re-enter password: Re-Enter STRONGPASSWORD

Enter PIM: Enter

Enter keyfile path [none]: Enter

Next, type random characters, which are used to improve the cryptographic strength of the encryption key. You are required to enter at least 320 of them.

Please type at least 320 randomly chosen characters and then press Enter:
<PASTE YOUR 320 CHARACTERS HERE >

Done: 100.000%  Speed:   54 MB/s  Left: 0 s          

The VeraCrypt volume has been successfully created.

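To create the outer volume in non-interactive mode, run the command below, replacing STRONGPASSWORD with your own password. Keep in mind that a password given with -p ends up in the shell history and is visible in the process list while the command runs.

# veracrypt -t -c --volume-type=normal /dev/sdb1 --encryption=aes --hash=sha-512 --filesystem=ext4 -p STRONGPASSWORD --pim=0 -k "" --random-source=/dev/urandom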

Create a hidden volume within the outer volume

Once the outer volume is created, you need to create the hidden volume within it. Repeat the above procedure, but this time:

  • Define the volume type as hidden.

Volume type:
 1) Normal
 2) Hidden
Select [1]: 2

  • Define the size of the hidden volume.

Enter volume path: /dev/sdb1

Enter hidden volume size (sizeK/size[M]/sizeG): 500M

  • Set a different password for the hidden volume.

...
Enter password: STRONGPASSWORDFORHIDDENVOLUME
Re-enter password: STRONGPASSWORDFORHIDDENVOLUME

Enter PIM: Enter 

Enter keyfile path [none]: Enter
...

If all is well, then your hidden volume should be successfully created.

...
Please type at least 320 randomly chosen characters and then press Enter:
<PASTE YOUR 320 CHARACTERS HERE >

Done: 100.000%  Speed:  256 MB/s  Left: 0 s         

The hidden VeraCrypt volume has been successfully created and is ready for use. If all the instructions have been followed and if the precautions and requirements listed in the section "Security Requirements and Precautions Pertaining to Hidden Volumes" in the VeraCrypt User's Guide are followed, it should be impossible to prove that the hidden volume exists, even when the outer volume is mounted.

WARNING: IF YOU DO NOT PROTECT THE HIDDEN VOLUME (FOR INFORMATION ON HOW TO DO SO, REFER TO THE SECTION "PROTECTION OF HIDDEN VOLUMES AGAINST DAMAGE" IN THE VERACRYPT USER'S GUIDE), DO NOT WRITE TO THE OUTER VOLUME. OTHERWISE, YOU MAY OVERWRITE AND DAMAGE THE HIDDEN VOLUME!

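To create a hidden volume in non-interactive mode, run the command below against the same device as the outer volume, replacing STRONGPASSWORDFORHIDDENVOLUME with the hidden volume's password:

# veracrypt -t -c --volume-type=hidden /dev/sdb1 --size=500M --encryption=aes --hash=sha-512 --filesystem=ext4 -p STRONGPASSWORDFORHIDDENVOLUME --pim=0 -k "" --random-source=/dev/urandom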

Mount the Volumes

Once you are done creating the volumes, you can now mount them and write your files or data to them as you wish.

Mounting Outer Volume

To mount the outer volume, run the command below. When prompted for a password, use the password set for the outer volume above.

# veracrypt -t /dev/sdb1 /mnt/sdb1/
Enter password for /dev/sdb1: STRONGPASSWORD
Enter PIM for /dev/sdb1: Enter
Enter keyfile [none]: Enter
Protect hidden volume (if any)? (y=Yes/n=No) [No]: Enter

To mount a volume prompting only for its password:

# veracrypt -t -k "" --pim=0 --protect-hidden=no /dev/sdb1 /mnt/sdb1/

List the mounted VeraCrypt volumes.

# veracrypt -l
1: /dev/sdb1 /dev/mapper/veracrypt1 /mnt/sdb1
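
The creation output warns that writing to an unprotected outer volume can overwrite the hidden volume, while the mount commands above use --protect-hidden=no. The script below is an added example, not part of the original article: it mounts the outer volume either with hidden-volume protection or read-only, and parses the list output to skip a device that is already mounted. The function names, the second sample line and the read-only fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article.

# Constructed sample of `veracrypt -t -l` output, in the format shown above.
SAMPLE_LIST='1: /dev/sdb1 /dev/mapper/veracrypt1 /mnt/sdb1
2: /dev/sdc1 /dev/mapper/veracrypt2 /mnt/sdc1'

# Read list output on stdin and print the mount directory of volume $1.
# Returns 1 when the volume is not listed, i.e. not mounted.
# Assumes paths without spaces, as in the listing above.
vc_mountpoint() {
    awk -v vol="$1" '$2 == vol { print $4; found = 1 } END { exit !found }'
}

# Print the options for mounting an OUTER volume that holds a hidden volume.
#   protect  : writable; veracrypt also asks for the hidden volume's
#              credentials and blocks writes that would overwrite it
#   readonly : no hidden-volume password needed; nothing can be written
outer_mount_opts() {
    case "$1" in
        protect)  echo "--protect-hidden=yes" ;;
        readonly) echo "--protect-hidden=no --mount-options=ro" ;;
        *)        echo "mode must be 'protect' or 'readonly'" >&2; return 2 ;;
    esac
}

# mount_outer MODE DEVICE DIRECTORY
# Mounts the outer volume unless it is already mounted. Passwords are
# prompted for on the terminal and never passed with -p.
mount_outer() {
    mode=$1; dev=$2; dir=$3
    opts=$(outer_mount_opts "$mode") || return 2
    if where=$(veracrypt -t -l 2>/dev/null | vc_mountpoint "$dev"); then
        echo "$dev is already mounted on $where" >&2
        return 1
    fi
    # $opts is deliberately unquoted so it splits into separate options.
    veracrypt -t -k "" --pim=0 $opts "$dev" "$dir"
}
```

After sourcing the script in a root shell, call it as mount_outer protect /dev/sdb1 /mnt/sdb1 when you need to write to the outer volume, or with readonly when you only need to read from it.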

To unmount the volume:

# veracrypt -d /dev/sdb1

Mounting the hidden volume

To mount the hidden volume, run the veracrypt command as shown above, but this time use the password defined for the hidden volume.

Seen how easy it is to use VeraCrypt on command line to encrypt your storage volumes? You can now create or put your sensitive data into the hidden volume. Enjoy the power of encryption.
