Monday, July 24, 2017

VeraCrypt revisited

I like VeraCrypt. I use encrypted volumes, and up till now I've been using the GUI, but recently the need changed to work from the command line, so this is my little brain dump.

Creating a key file
veracrypt --text --create-keyfile --random-source=/dev/random /home/erik/key.vc

Keeping the key file in a different place than the volume makes the volume a bit harder to access, but it is a good thing if you want more security. You can, for example, store it on an external volume or in your KeePass password vault.

Creating a volume
veracrypt --text --create --volume-type=normal --size=10M --encryption=AES --hash=SHA-512 --filesystem=NTFS --password=Password --random-source=/dev/random --keyfiles=/home/erik/key.vc --pim=0 volume.vc

Remember that you need to take a precaution so that the command is not logged in your histfile. On my system this is done by putting a space in front of the command; my HISTCONTROL system variable is set to ignoreboth.

The reason to do this is that otherwise you give away the password you used for this volume. When your password is stored in your command line history, you should consider it known to the rest of the world.

The PIM is a second 'secret' value you will need to know. The default value is 0, but it is of course a good idea to use a different one than 0.


Mounting a volume
mkdir -p /home/erik/veracrypt
sudo veracrypt --text --password=Password --pim=0 --keyfiles=/home/erik/key.vc --protect-hidden=no volume.vc /home/erik/veracrypt

Again, it is a good idea to take the precaution so that your mounting command doesn't give away the password or the PIM.
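
An added example (not part of the original post) for the history precaution used when creating and mounting: it checks whether a HISTCONTROL value actually makes bash skip space-prefixed commands, and audits history text for veracrypt lines that carry --password= or --pim= inline. The function names and the sample history lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Return 0 if, for the given HISTCONTROL value (colon-separated list),
# bash leaves commands that start with a space out of the history.
space_is_ignored() {
    case ":$1:" in
        *:ignorespace:*|*:ignoreboth:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read history text on stdin and print "LINE: options" for every veracrypt
# command that has --password= or --pim= on the command line.
# Only the option names are printed, never their values.
find_inline_secrets() {
    awk '{
        is_vc = 0; found = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "veracrypt" || $i ~ /\/veracrypt$/) is_vc = 1
            else if ($i ~ /^--password=/) found = found " --password"
            else if ($i ~ /^--pim=/)      found = found " --pim"
        }
        if (is_vc && found != "") print NR ":" found
    }'
}

# Constructed sample: what a histfile looks like when the leading space
# was forgotten (lines 2 and 5) next to harmless entries.
sample_history() {
    cat <<'EOF'
ls -l /home/erik
veracrypt --text --create --volume-type=normal --size=10M --password=Password --pim=0 volume.vc
sudo veracrypt -d volume.vc
sudo veracrypt --text --keyfiles=/home/erik/key.vc --protect-hidden=no volume.vc /home/erik/veracrypt
sudo veracrypt --text --password=Password --pim=0 --keyfiles=/home/erik/key.vc volume.vc /home/erik/veracrypt
EOF
}

if space_is_ignored "${HISTCONTROL:-}"; then
    echo "HISTCONTROL honours the leading space"
else
    echo "HISTCONTROL lacks ignorespace/ignoreboth: a leading space will not help"
fi
sample_history | find_inline_secrets
```

To audit a real histfile, feed it to the function, for example find_inline_secrets < ~/.bash_history. If --password and --pim are left off the command line, VeraCrypt's text mode prompts for them instead, so they never reach the history at all.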

Unmounting a volume
sudo veracrypt -d volume.vc