Encrypt Device With Veracrypt From the Command Line
If you have a drive that you want to encrypt and use in Linux and other OSes, Veracrypt, the successor of Truecrypt, is a good choice. In this tutorial, I will show you how to quickly encrypt a drive and how to mount and unmount it from the command line.
The prerequisite for this tutorial is that you already have created a partition on a drive. See my previous blog post on how to accomplish that.
Creating a volume on a partition with data on it will permanently destroy that data, so make sure you are encrypting the correct partition (fdisk -l is
Encrypt a volume interactively from the command line using Veracrypt…
(The # sign at the beginning of the code examples indicates that the command should be executed as root. You can either use su - or to accomplish this.)
# veracrypt -t --quick -c /dev/sdXX
-t is short for --text (meaning you don’t want the GUI) and should always be used first after the command name. The --quick option is explained in the
If unchecked, each sector of the new volume will be formatted. This means that the new volume will be entirely filled with random data. Quick format is much faster but may be less secure because until the whole volume has been filled with files, it may be possible to tell how much data it contains (if the space was not filled with random data beforehand). If you are not sure whether to enable or disable Quick Format, we recommend that you leave this option unchecked. Note that Quick Format can only be enabled when encrypting partitions/devices.
--quick is less secure, but not specifying it could take (a lot) longer, especially on traditional hard drives (we’re talking hours
--create command allows us to specify on which partition we want to create a veracrypt volume. Make sure you change the /dev/sdXX from the example above to the appropriate output of fdisk -l (for example,
This command will interactively guide us to create a new volume:
Volume type:
 1) Normal
 2) Hidden
Select : 1

Encryption Algorithm:
 1) AES
 2) Serpent
 3) Twofish
 4) Camellia
 5) Kuznyechik
 6) AES(Twofish)
 7) AES(Twofish(Serpent))
 8) Camellia(Kuznyechik)
 9) Camellia(Serpent)
 10) Kuznyechik(AES)
 11) Kuznyechik(Serpent(Camellia))
 12) Kuznyechik(Twofish)
 13) Serpent(AES)
 14) Serpent(Twofish(AES))
 15) Twofish(Serpent)
Select : 1

Hash algorithm:
 1) SHA-512
 2) Whirlpool
 3) SHA-256
 4) Streebog
Select : 1

Filesystem:
 1) None
 2) FAT
 3) Linux Ext2
 4) Linux Ext3
 5) Linux Ext4
 6) NTFS
 7) exFAT
Select : 6

Enter password:
WARNING: Short passwords are easy to crack using brute force techniques!
We recommend choosing a password consisting of 20 or more characters. Are you sure you want to use a short password? (y=Yes/n=No) [No]: y
Re-enter password:
Enter PIM:
Enter keyfile path [none]:
Please type at least 320 randomly chosen characters and then press Enter:
Characters remaining: 4
Done: 100.000% Speed: 61.8 GB/s Left: 0 s
The VeraCrypt volume has been successfully created.
The volume is now created in the partition and is ready to be mounted.
… Or do it all in a one-liner
# veracrypt --text --quick \
    --non-interactive \
    --create /dev/sdXX \
    --volume-type=normal \
    --encryption=AES \
    --hash=SHA-512 \
    --filesystem=NTFS \
    --password='Un$@f3'
Use --stdin to read the password from standard input instead of supplying it directly to the command, which is considered insecure.
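The --stdin approach as an added example (not code from the original post): the password is read from the terminal with echo off and piped to veracrypt, so it does not end up in shell history or the process list, and the wrapper refuses a partition that is currently mounted. The VERACRYPT and MOUNTS variables and the function names are assumptions made for this example; the veracrypt flags are the ones used in the one-liner above plus --stdin.

```shell
#!/bin/sh
# Added example, not from the original post.
# VERACRYPT and MOUNTS are hypothetical override hooks so the logic can be
# exercised without touching a real disk.
VERACRYPT=${VERACRYPT:-veracrypt}
MOUNTS=${MOUNTS:-/proc/mounts}

# Succeeds (exit 0) if DEVICE is listed as a mount source in $MOUNTS.
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "$MOUNTS"
}

# Prompt on the terminal with echo disabled; only the password goes to stdout.
# printf is a builtin in bash and dash, so no extra process sees the password.
prompt_password() {
    printf 'Volume password: ' >&2
    stty -echo
    IFS= read -r pw
    stty echo
    printf '\n' >&2
    printf '%s\n' "$pw"
}

# Create the volume on DEVICE; the password is taken from this function's stdin.
create_volume() {
    dev=$1
    case $dev in
        /dev/*) ;;
        *) echo "refusing: $dev is not a /dev path" >&2; return 2 ;;
    esac
    if is_mounted "$dev"; then
        echo "refusing: $dev is mounted" >&2
        return 3
    fi
    "$VERACRYPT" --text --quick --non-interactive --stdin \
        --create "$dev" \
        --volume-type=normal --encryption=AES \
        --hash=SHA-512 --filesystem=NTFS
}

# Usage (as root): prompt_password | create_volume /dev/sdXX
```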
Mounting the volume
# mkdir /tmp/vera
# veracrypt -t /dev/sdXX /tmp/vera
Unmounting the volume
# veracrypt -d /tmp/vera
$ veracrypt -t -h
-h is short for --help and should be self-explanatory.