VeraCrypt on-the-fly data encryption

Introduction

VeraCrypt is software for encrypting data. It works on the fly: data is encrypted automatically just before it is saved and decrypted just after it is opened. Data stored in an encrypted volume (a data storage device) cannot be decrypted without the right password or keyfile(s). Once the volume is mounted with the right credentials, files can be copied to and from it as with a normal folder.

Here are some of the key features:-

  • Platform independent. It works on Windows, MacOSX, Linux (kernel 2.6+).
  • It supports TrueCrypt format, offering an alternative to discontinued TrueCrypt.
  • It is said to have security improvements over TrueCrypt.
  • Supports plausible deniability using "hidden volumes" within a volume.
  • Support for AES, Twofish, Serpent encryption algorithms with combinations.
  • It has command line options, which make it easy to operate on Linux; these are discussed further below.
  • It can do full system level encryption with VeraCrypt rescue disk.

A few concerns, though (as I safely put it):-

  • Unencrypted data and keys are stored in memory, making it susceptible to cold boot attacks, which need physical access to the computer.
  • If an attacker gains remote access to a computer with a volume mounted, the attacker can access the mounted volume. A keylogger can capture keystrokes, logging passwords. So, if the computer is already infested with malware, there is little protection VeraCrypt can give you.
  • While using hidden volumes, mount the outer volume with the "Protect Hidden" option, or make sure you do not overwrite the part occupied by the hidden volume.
  • I observed that tool takes more time to decrypt, when compared to TrueCrypt.

Quick Howto

I have written too much. It is time for a quick demo and command line options. For GUI mode, check out the pdf file which comes with the download. I felt it was a very comprehensive document.

Installation

VeraCrypt Version - 1.0f-2
Desktop - Ubuntu Desktop 14.04.2 LTS 64bit

Download

Download the below from codeplex downloads page (as on 18 April 2015):-

Verify

Verify sha512 sum

$ sha512sum  veracrypt-1.0f-2-setup.tar.bz2  
e2d941e5d7734cb201ada95029d9fcf68eca0f52cc4f988e20d8bd6a0fb2e9d65d2bb37da7229f6a4f0922681ce88ef06c6f418a3f4505b49ecb2be21cb8dbee  veracrypt-1.0f-2-setup.tar.bz2
$ grep veracrypt-1.0f-2-setup.tar.bz2 veracrypt-1.0.f-2-sha512sum.txt  
e2d941e5d7734cb201ada95029d9fcf68eca0f52cc4f988e20d8bd6a0fb2e9d65d2bb37da7229f6a4f0922681ce88ef06c6f418a3f4505b49ecb2be21cb8dbee  veracrypt-1.0f-2-setup.tar.bz2

Verify gpg signature:-

$ gpg veracrypt-1.0f-2-setup.tar.bz2.sig   
gpg: Signature made Monday 06 April 2015 11:46:07 PM IST using RSA key ID 54DDD393
gpg: Can't check signature: public key not found

$ gpg --keyserver pgpkeys.mit.edu --recv-key 54DDD393    
gpg: requesting key 54DDD393 from hkp server pgpkeys.mit.edu
gpg: /home/osdefsec/.gnupg/trustdb.gpg: trustdb created
gpg: key 54DDD393: public key "VeraCrypt Team <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)


$ gpg --edit-key [email protected]  trust  
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  4096R/54DDD393  created: 2014-06-27  expires: never       usage: SCE 
trust: unknown       validity: unknown
[ unknown] (1). VeraCrypt Team <[email protected]>

pub  4096R/54DDD393  created: 2014-06-27  expires: never       usage: SCE 
trust: unknown       validity: unknown
[ unknown] (1). VeraCrypt Team <[email protected]>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  4096R/54DDD393  created: 2014-06-27  expires: never       usage: SCE 
trust: ultimate      validity: unknown
[ unknown] (1). VeraCrypt Team <[email protected]>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> q


$ gpg veracrypt-1.0f-2-setup.tar.bz2.sig       
gpg: Signature made Monday 06 April 2015 11:46:07 PM IST using RSA key ID 54DDD393
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "VeraCrypt Team <[email protected]>"
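The two checks above are worth making mechanical, so that a mismatch stops the install instead of scrolling past. The script below is an added example, not part of the original post: it picks the tarball's line out of the published sum list and lets sha512sum check it, then verifies the detached signature and compares the signing key's full fingerprint against one you obtained elsewhere. That last step is the one the transcript above skips: marking a key fetched from a keyserver as ultimately trusted makes "Good signature" appear, but it only proves that some key with ID 54DDD393 signed the file. `verify_checksum`, `verify_signature` and `EXPECTED_FPR` are names chosen here; `EXPECTED_FPR` is a placeholder, not the real VeraCrypt team fingerprint.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded VeraCrypt
# tarball before running its installer.
#   1. SHA-512 sum matches the entry for this file in the published sum list.
#   2. Detached GPG signature is good AND the signing key's fingerprint equals
#      a fingerprint obtained out of band (EXPECTED_FPR is a placeholder).
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_FINGERPRINT_FROM_TRUSTED_SOURCE}"

# verify_checksum FILE SUMLIST
# Exact match on the file name (so "x.tar.bz2.sig" is never taken for
# "x.tar.bz2"), then sha512sum -c decides. Non-zero on mismatch or no entry.
verify_checksum() {
    file="$1"; sumlist="$2"
    name=$(basename "$file"); dir=$(dirname "$file")
    line=$(awk -v f="$name" '$2 == f || $2 == "*" f { print; exit }' "$sumlist")
    if [ -z "$line" ]; then
        echo "no entry for $name in $sumlist" >&2
        return 1
    fi
    # sha512sum resolves the name relative to the cwd, so check from the file's dir.
    ( cd "$dir" && printf '%s\n' "$line" | sha512sum -c --status )
}

# verify_signature FILE SIGFILE
# Uses gpg's machine-readable status lines: GOODSIG says the signature is
# valid, VALIDSIG carries the fingerprint of the key that made it.
verify_signature() {
    file="$1"; sig="$2"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR "
}

# Usage: VERACRYPT_TARBALL=veracrypt-1.0f-2-setup.tar.bz2 sh verify.sh
# (file names as in the post; the sum list name defaults to the one used above)
if [ -n "${VERACRYPT_TARBALL:-}" ]; then
    if verify_checksum "$VERACRYPT_TARBALL" "${VERACRYPT_SUMLIST:-veracrypt-1.0.f-2-sha512sum.txt}" &&
       verify_signature "$VERACRYPT_TARBALL" "$VERACRYPT_TARBALL.sig"; then
        echo "verified: $VERACRYPT_TARBALL"
    else
        echo "verification FAILED, do not run the installer" >&2
        exit 1
    fi
fi
```

Run it with the tarball, the `.sig` and the sum list in the current directory; it prints nothing but the verdict. Keep `EXPECTED_FPR` in the script itself (or a config file you control) rather than copying it from the same page the download came from.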

Extract and Install

Extract the bzipped tar file:-

$ tar xvjf veracrypt-1.0f-2-setup.tar.bz2    
veracrypt-1.0f-2-setup-console-x64
veracrypt-1.0f-2-setup-console-x86
veracrypt-1.0f-2-setup-gui-x64
veracrypt-1.0f-2-setup-gui-x86

Run the installer for 64-bit as a user with sudo rights (or root, if you like):-

$ sh veracrypt-1.0f-2-setup-console-x64  
Verifying archive integrity... All good.
Uncompressing VeraCrypt 1.0f-2 Installer..

... 
<Option 1 - Install veracrypt_1.0f-2_console_amd64.tar.gz>
<Prompt for license>
<Sudo password> 

Hands on first volume

To create your first volume, with a password only:-

$ veracrypt -t  --keyfiles ''  --volume-type=normal --size=1024000   --encryption=AES --hash=SHA-512  --filesystem=FAT   --create confidential.tc    

Enter password: vahsh7feekie7shohCiy3coo8Sah6aithuwei0Tidaph2MohPa
Re-enter password: vahsh7feekie7shohCiy3coo8Sah6aithuwei0Tidaph2MohPa

Please type at least 320 randomly chosen characters and then press Enter:
... `pwgen -s 320 1 ` to generate characters

Done: 100.000%  Speed:   96 KB/s  Left: 0 s         

The VeraCrypt volume has been successfully created.

Decoding the command line:-
veracrypt -t --keyfiles '' --volume-type=normal --size=1024000 --encryption=AES
--hash=SHA-512 --filesystem=FAT --create confidential.tc

  • --keyfiles - Keyfile(s) to use for encryption; none in this test case, hence the empty string ''.
  • --volume-type - Volume type which can be hidden or normal.
  • --size - Size of volume in bytes.
  • --encryption - Encryption algorithm to use.
  • --hash - Cryptographic hash function to use.
  • --filesystem - Filesystem to use for the data within. You can also choose none, and format a partition manually.
  • --create - Name of the volume file to create.

Mounting the new volume:-

$ # Create mount directory 
$ mkdir Confidential

$ # mount the directory 
$ veracrypt   -t  --keyfiles "" --filesystem=vfat  --protect-hidden=no  confidential.tc  Confidential/  
Enter password for /home/osdefsec/Documents/confidential.tc: vahsh7feekie7shohCiy3coo8Sah6aithuwei0Tidaph2MohPa
Enter your user password or administrator password: <wellnotreally>


$ # Use the folder like a normal folder
$ echo "Really confidential document" > Confidential/NOTES.txt

Two options to note:-

  • --filesystem - This option is passed to the mount command as the filesystem type.
  • --protect-hidden - If there is a hidden volume inside, this has to be set to yes.

List the mounted volumes.

$ veracrypt -t -l  
1: /home/osdefsec/Documents/confidential.tc /dev/mapper/veracrypt1 /home/osdefsec/Documents/Confidential

More details:-

$ veracrypt -t --volume-properties confidential.tc  
Slot: 1
Volume: /home/osdefsec/Documents/confidential.tc
Virtual Device: /dev/mapper/veracrypt1
Mount Directory: /home/osdefsec/Documents/Confidential
Size: 744 KB
Type: Normal
Read-Only: No
Hidden Volume Protected: No
Encryption Algorithm: AES
Primary Key Size: 256 bits
Secondary Key Size (XTS Mode): 256 bits
Block Size: 128 bits
Mode of Operation: XTS
PKCS-5 PRF: HMAC-SHA-512
Volume Format Version: 2
Embedded Backup Header: Yes

Unmount the Volume:-

$ veracrypt -t --dismount   confidential.tc

Adding keyfile to the created volume

Create keyfile.

$ veracrypt -t --create-keyfile   confidential.key    

Please type at least 320 randomly chosen characters and then press Enter:

Keyfiles have been successfully created.

Add new keyfile.

$ veracrypt -t --change --new-keyfiles confidential.key  confidential.tc   
Enter password: vahsh7feekie7shohCiy3coo8Sah6aithuwei0Tidaph2MohPa
Enter new password: vahsh7feekie7shohCiy3coo8Sah6aithuwei0Tidaph2MohPa
Re-enter password: vahsh7feekie7shohCiy3coo8Sah6aithuwei0Tidaph2MohPa

Please type at least 320 randomly chosen characters and then press Enter:
...  `output of pwgen -s 320 1`
Password and/or keyfile(s) successfully changed.

Read [Changing Passwords and Keyfiles](https://veracrypt.codeplex.com/wikipage?title=Changing%20Passwords%20and%20Keyfiles)

Mounting the Volume.

$ veracrypt -t --keyfiles  confidential.key  --protect-hidden=no --filesystem=vfat   confidential.tc Confidential/   
Enter password for /home/osdefsec/Documents/confidential.tc: 

$ # checking contents 
$ cat Confidential/NOTES.txt 
Really confidential document
$ 
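The keyfile above is generated by VeraCrypt from typed characters. Any file can serve as a keyfile (VeraCrypt uses only its first 1 MiB), so an alternative is to take the bytes straight from the kernel CSPRNG, and the detail that matters then is who can read the file afterwards: a keyfile readable by other local users adds nothing. The function below is an added example, not code from the post or from VeraCrypt; `make_keyfile` and `keyfile_perms_ok` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): create a keyfile from
# /dev/urandom with owner-only permissions, verify its size, and print its
# SHA-512 so a backup copy can be checked against it later.

# make_keyfile PATH [BYTES]   (default 64 bytes; far more entropy than a password)
make_keyfile() {
    path="$1"; bytes="${2:-64}"
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing $path" >&2
        return 1
    fi
    # umask 077 inside a subshell: the file is created 0600 and the caller's
    # umask is untouched.
    ( umask 077 && head -c "$bytes" /dev/urandom > "$path" ) || return 1
    # Guard against a short read; a truncated keyfile would silently be weaker.
    actual=$(wc -c < "$path" | tr -d ' ')
    if [ "$actual" -ne "$bytes" ]; then
        rm -f "$path"
        echo "short read: got $actual of $bytes bytes" >&2
        return 1
    fi
    sha512sum "$path"
}

# keyfile_perms_ok PATH: true only if the mode is exactly rw for the owner.
# (ls -l parsing is used because stat's flags differ between GNU and BSD.)
keyfile_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Usage, following the post's file names:
#   make_keyfile confidential.key && keyfile_perms_ok confidential.key &&
#   veracrypt -t --change --new-keyfiles confidential.key confidential.tc
```

Store the printed SHA-512 with your backups: a keyfile that differs by a single byte is a different keyfile, and the only symptom is a volume that no longer mounts.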

Creating Hidden Volume

For basics about hidden volumes, read this.
Let's create a new volume:-

$ # create outer volume 
$ veracrypt -t -k '' -c OuterHidden.tc  --volume-type=normal --size=10096000    --encryption=AES --hash=SHA-512  --filesystem=FAT   

Enter password: Fei1Di4eetah1esh5BageovaeY0kohShoC3
Re-enter password: Fei1Di4eetah1esh5BageovaeY0kohShoC3

Please type at least 320 randomly chosen characters and then press Enter:


Done: 100.000%  Speed:  894 KB/s  Left: 0 s         

The VeraCrypt volume has been successfully created.

Note the password used for outer volume. Now create hidden volume.

$ # Create  hidden volume 
$ veracrypt -t -k '' -c OuterHidden.tc --volume-type=hidden --size=1548000  --encryption=AES --hash=SHA-512 --filesystem=FAT 

. . . 
Enter password: ra9ohlier9IemeN6Ve5ierie9aeyieToh8E
Re-enter password: ra9ohlier9IemeN6Ve5ierie9aeyieToh8E

Please type at least 320 randomly chosen characters and then press Enter:


Done: 100.000%  Speed:  143 KB/s  Left: 0 s         

. . . 

Mount the outer volume with the --protect-hidden option so that writes to the outer volume cannot overwrite the area occupied by the hidden volume.

$ # mount Outer volume 
$ veracrypt -t -k ''   --protect-hidden=yes  --protection-keyfiles=""  --filesystem=vfat  OuterHidden.tc  Confidential
Enter password for /home/osdefsec/Documents/OuterHidden.tc: Fei1Di4eetah1esh5BageovaeY0kohShoC3
Enter password for hidden volume: ra9ohlier9IemeN6Ve5ierie9aeyieToh8E
The hidden volume is now protected against damage until the outer volume is dismounted.

. . . 

$ # write some data 
$ echo "This is confidential and can be leaked" > Confidential/conf.txt  

$ # unmount all volumes 
$ veracrypt -t -d  

Mount hidden volume and write some data:-

$ # mount hidden volume 
$ veracrypt -t -k '' --protect-hidden=no   --filesystem=vfat  OuterHidden.tc  Confidential  
Enter password for /home/osdefsec/Documents/OuterHidden.tc: ra9ohlier9IemeN6Ve5ierie9aeyieToh8E


$ echo "This has to be protected at all cost " > Confidential/realconf.txt  
$ ls Confidential/
realconf.txt


$ veracrypt -t -d  

Note the difference in the passwords entered while mounting OuterHidden.tc. If the outer volume password is entered, the outer volume is mounted; if the hidden volume password is entered, the hidden volume is mounted.

Let's try mounting the volumes again.

$ veracrypt -t  -k ''  --protect-hidden=no   --filesystem=vfat  OuterHidden.tc  Confidential  
Enter password for /home/osdefsec/Documents/OuterHidden.tc: Fei1Di4eetah1esh5BageovaeY0kohShoC3
Enter your user password or administrator password: <ah!forgetit>
$ ls Confidential/
conf.txt
$ cat Confidential/conf.txt 
This is confidential and can be leaked
$ 

$ veracrypt -t -k ''  --protect-hidden=no   --filesystem=vfat  OuterHidden.tc  Confidential    
Enter password for /home/osdefsec/Documents/OuterHidden.tc: ra9ohlier9IemeN6Ve5ierie9aeyieToh8E
$ ls Confidential/
realconf.txt
$ cat Confidential/realconf.txt   
This has to be protected at all cost 
$ 

As shown above, there is no difference in the mount commands; only the password entered decides which volume is mounted. When mounted this way (without --protect-hidden), avoid writing to the outer volume, as there is a chance of overwriting hidden volume data.
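Two things in this walkthrough are easy to get wrong by hand: leaving a volume mounted longer than needed (the concern raised in the introduction, since anything running as your user can read a mounted volume), and mounting the outer volume of a hidden-volume container without --protect-hidden=yes. The wrapper below is an added example, not code from the post or from VeraCrypt: it mounts with the same options used above, runs one command, and dismounts afterwards even if that command fails or is interrupted. The mode argument picks the option set: `normal` for a plain volume like confidential.tc, `outer` for the outer volume (always with protection), `hidden` for the hidden volume. `with_volume`, `VC` and the mode names are chosen here; `VC` exists so the veracrypt command can be substituted for a dry run.

```shell
#!/bin/sh
# Added example (not from the original post): mount, run one command,
# always dismount. Mount options mirror the ones used in the walkthrough.
#
#   with_volume CONTAINER MOUNTDIR MODE COMMAND [ARGS...]
#   MODE: normal - ordinary volume            (--protect-hidden=no)
#         outer  - outer volume, protected    (--protect-hidden=yes)
#         hidden - the hidden volume itself   (--protect-hidden=no; enter
#                  the hidden volume's password at the prompt)
VC="${VC:-veracrypt}"   # override to substitute a stand-in for testing

with_volume() {
    container="$1"; mountdir="$2"; mode="$3"; shift 3
    case "$mode" in
        normal|hidden) protect="--protect-hidden=no" ;;
        outer)         protect="--protect-hidden=yes --protection-keyfiles=" ;;
        *) echo "unknown mode: $mode (normal|outer|hidden)" >&2; return 2 ;;
    esac
    mkdir -p "$mountdir" || return 1
    # $protect is deliberately unquoted: the outer mode carries two options.
    "$VC" -t -k '' $protect --filesystem=vfat "$container" "$mountdir" || return 1
    # If the user hits Ctrl-C or the shell is terminated, dismount first.
    trap '"$VC" -t -d "$container"; exit 130' INT TERM
    if "$@"; then rc=0; else rc=$?; fi
    trap - INT TERM
    "$VC" -t -d "$container" || { echo "dismount of $container failed" >&2; return 1; }
    return $rc
}

# Usage, with the post's file names:
#   with_volume confidential.tc Confidential normal cat Confidential/NOTES.txt
#   with_volume OuterHidden.tc Confidential outer  cp report.txt Confidential/
#   with_volume OuterHidden.tc Confidential hidden ls Confidential/
```

The volume is open only while the command runs, and the outer volume can no longer be mounted unprotected through this path. The command's own exit status is preserved, so the wrapper composes with `&&` and `set -e` like any other command.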


Quick Shortcuts

# Create volume
$ veracrypt -t -k "" --volume-type=normal --size=1024000    --encryption=AES --hash=SHA-512  --filesystem=FAT   -c VOLNAME.tc 

# Mount 
$ veracrypt -t -k "" --protect-hidden=no --filesystem=vfat VOLNAME.tc  MOUNTDIR 

# List 
$ veracrypt -t -l 

# Unmount all 
$ veracrypt -t -d 

# Change password 
$ veracrypt -t --change --new-keyfiles "" VOLNAME.tc 

# Add key 
$ veracrypt -t --create-keyfile  KEYNAME.key 
$ veracrypt -t --change --new-keyfiles  KEYNAME.key VOLNAME.tc   

# Too lazy to type random data? Use --random-source
$ openssl rand  320   > randomfile  
$ veracrypt -t -c /var/tmp/test.tc  --random-source randomfile       -k ''  --volume-type=normal --size=1024000    --encryption=AES   --hash=SHA-512  --filesystem=FAT     

I hope you find this document useful.

Dinesh Gunasekar | Tags: VeraCrypt, Encryption