Relentless Coding

A Developer’s Blog

Encrypt Device With Veracrypt From the Command Line

If you have a drive that you want to encrypt and use on Linux and other OSes, VeraCrypt, the successor of TrueCrypt, is a good choice. In this tutorial, I will show you how to quickly encrypt a drive and how to mount and unmount it from the command line.

The prerequisite for this tutorial is that you have already created a partition on a drive. See my previous blog post on how to accomplish that. Creating a volume on a partition with data on it will permanently destroy that data, so make sure you are encrypting the correct partition (fdisk -l is your friend).

Encrypt a volume interactively from the command line using Veracrypt…

(The # sign at the beginning of the code examples indicates that the command should be executed as root. You can either use su - or sudo to accomplish this.)

# veracrypt -t --quick -c /dev/sdXX

-t is short for --text (meaning you don’t want the GUI) and should always be used first after the command name. The --quick option is explained in the docs:

If unchecked, each sector of the new volume will be formatted. This means that the new volume will be entirely filled with random data. Quick format is much faster but may be less secure because until the whole volume has been filled with files, it may be possible to tell how much data it contains (if the space was not filled with random data beforehand). If you are not sure whether to enable or disable Quick Format, we recommend that you leave this option unchecked. Note that Quick Format can only be enabled when encrypting partitions/devices.

So, using --quick is less secure, but not specifying it could take (a lot) longer, especially on traditional hard drives (we’re talking hours for 500GB).

Finally, the -c or --create command allows us to specify on which partition we want to create a VeraCrypt volume. Make sure you change the /dev/sdXX from the example above to the appropriate output of fdisk -l (for example, /dev/sdc1).

This command will interactively guide us to create a new volume:

Volume type:
 1) Normal
 2) Hidden
Select [1]: 1

Encryption Algorithm:
 1) AES
 2) Serpent
 3) Twofish
 4) Camellia
 5) Kuznyechik
 6) AES(Twofish)
 7) AES(Twofish(Serpent))
 8) Camellia(Kuznyechik)
 9) Camellia(Serpent)
 10) Kuznyechik(AES)
 11) Kuznyechik(Serpent(Camellia))
 12) Kuznyechik(Twofish)
 13) Serpent(AES)
 14) Serpent(Twofish(AES))
 15) Twofish(Serpent)
Select [1]: 1

Hash algorithm:
 1) SHA-512
 2) Whirlpool
 3) SHA-256
 4) Streebog
Select [1]: 1

Filesystem:
 1) None
 2) FAT
 3) Linux Ext2
 4) Linux Ext3
 5) Linux Ext4
 6) NTFS
 7) exFAT
Select [2]: 6

Enter password:
WARNING: Short passwords are easy to crack using brute force techniques!

We recommend choosing a password consisting of 20 or more characters. Are you sure you want to use a short password? (y=Yes/n=No) [No]: y

Re-enter password:

Enter PIM:

Enter keyfile path [none]:

Please type at least 320 randomly chosen characters and then press Enter:
Characters remaining: 4

Done: 100.000%  Speed: 61.8 GB/s  Left: 0 s

The VeraCrypt volume has been successfully created.

The volume is now created in the partition and is ready to be mounted.

… Or do it all in a one-liner

# veracrypt --text --quick                      \
        --non-interactive                       \
        --create /dev/sdXX                      \
        --volume-type=normal                    \
        --encryption=AES                        \
        --hash=SHA-512                          \
        --filesystem=NTFS                       \
        --password='Un$@f3'

Supplying the password directly on the command line like this is considered insecure. Use --stdin instead to read the password from standard input.
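
The same creation command with the password kept out of the argument list, as an added example that is not from the original post: it refuses any target that is not an unmounted block device and hands the password to veracrypt through --stdin. The function names are hypothetical, and the --pim, --keyfiles and --random-source values are assumptions added so that non-interactive mode has nothing left to prompt for.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Refuse any target that is not an unmounted block device.
preflight() {
    if [ ! -b "$1" ]; then
        echo "refusing: $1 is not a block device" >&2
        return 1
    fi
    if [ -r /proc/mounts ] && grep -q "^$1 " /proc/mounts; then
        echo "refusing: $1 is currently mounted" >&2
        return 1
    fi
}

# Create the volume; the password arrives on this function's stdin and is
# passed on through --stdin, so it never appears in the process list.
# Assumed values: --pim=0, no keyfiles, /dev/urandom as random source.
vc_create() {
    veracrypt --text --quick --non-interactive \
        --create "$1" \
        --volume-type=normal --encryption=AES --hash=SHA-512 \
        --filesystem=NTFS \
        --pim=0 --keyfiles="" --random-source=/dev/urandom \
        --stdin
}

# Prompt without echo, then pipe the password into vc_create.
# printf is a shell builtin, so the password is not in any argv here either.
create_volume() {
    preflight "$1" || return 1
    printf 'Password for %s: ' "$1" >&2
    stty -echo 2>/dev/null
    IFS= read -r pw
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s\n' "$pw" | vc_create "$1"
    rc=$?
    unset pw
    return $rc
}

# Usage, as root: create_volume /dev/sdXX
```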

Mounting the volume

Linux:

# mkdir /tmp/vera
# veracrypt -t /dev/sdXX /tmp/vera

Windows:

>:: first find the VolumeName of the partition
> mountvol.exe
... snip ...
Possible values for VolumeName along with current mount points are:

    \\?\Volume{3676a1ae-0000-0000-0000-100000000000}\
        *** NO MOUNT POINTS ***

    \\?\Volume{1b98f0ba-8bc1-b740-b21f-f570bf2367dd}\
        E:\

    \\?\Volume{3676a1ae-0000-0000-0000-300300000000}\
        C:\

    \\?\Volume{3676a1ae-0000-0000-0000-c0a01f000000}\
        *** NOT MOUNTABLE UNTIL A VOLUME MOUNT POINT IS CREATED ***

    \\?\Volume{813379b4-3e59-11eb-bbcd-806e6f6e6963}\
        D:\
New volumes are not mounted automatically when added to the system.  To mount a
volume, you must create a volume mount point.
>
>:: in my case, the VeraCrypt partition is mounted at E:
>:: I'll make it available decrypted at Z:
>
>VeraCrypt.exe /v \\?\Volume{1b98f0ba-8bc1-b740-b21f-f570bf2367dd}\ /l z /q

At this point, a dialog is shown where you can enter your password. I wouldn’t recommend it, but you can also specify /p <password> or /password <password> on the command line and skip the dialog.

The /q or /quit option makes sure the main VeraCrypt window is not displayed.

Of course, using the GUI makes all of this even simpler, as you don’t have to bother with finding the VolumeName yourself.

Unmounting the volume

Linux:

# veracrypt -d /tmp/vera

Windows:

>VeraCrypt.exe /d Z:

More info

Linux:

$ veracrypt -t -h

-h is short for --help and should be self-explanatory.

Windows:

>VeraCrypt.exe /help

Or read about the command-line options for Windows online.