
VeraCrypt

VeraCrypt is the modern successor to TrueCrypt with enhanced security, additional ciphers, and continued development.

Installation

Linux

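# NOTE(review): whether veracrypt is in the default repositories varies by
# distribution — confirm; otherwise use a signed package from the official download page.

# Ubuntu/Debian
sudo apt-get install veracrypt

# RHEL/CentOS/Fedora
sudo dnf install veracrypt

# Arch
sudo pacman -S veracrypt

# Generic installer archive (prebuilt installer, not a build from source)
wget https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-Linux-x64.tar.bz2
# Verify the archive before running anything from it: download the detached PGP
# signature published with the release, import the VeraCrypt release key, and
# compare its fingerprint with the one shown on https://www.veracrypt.fr.
# SIGNATURE_FILE is a placeholder for the signature file you downloaded.
gpg --verify SIGNATURE_FILE veracrypt-1.25.9-Linux-x64.tar.bz2 &&
  tar xjf veracrypt-1.25.9-Linux-x64.tar.bz2
# The version is pinned to 1.25.9 here; check the download page for a newer
# release before installing, since later releases carry security fixes.
./veracrypt-1.25.9-Linux-x64/install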

macOS

# Homebrew
# NOTE(review): VeraCrypt on macOS presumably needs a FUSE layer (macFUSE) installed first — confirm for your version
brew install veracrypt

# Manual download
# NOTE(review): wget is not part of a stock macOS install. Verify the image's PGP
# signature (published with the release) before mounting and running it.
wget https://launchpad.net/veracrypt/trunk/1.25.9/+download/VeraCrypt_1.25.9.dmg
hdiutil mount VeraCrypt_1.25.9.dmg
# NOTE(review): installer path inside the mounted image is as given here — confirm it matches the image contents
sudo /Volumes/VeraCrypt/VeraCrypt\ Installer.app/Contents/MacOS/VeraCrypt\ Installer

# Uninstall
# NOTE(review): this runs an installer binary under /Applications as root — confirm it exists and offers removal
sudo /Applications/VeraCrypt.app/Contents/MacOS/VeraCrypt\ Installer

Windows

# Chocolatey (community-maintained package, not published by the VeraCrypt project)
choco install veracrypt

# Scoop
# NOTE(review): presumably requires a non-default bucket to be added first — confirm
scoop install veracrypt

# Manual download (official site; check the installer's PGP signature before running it)
# https://www.veracrypt.fr/en/Downloads.html

Basic Volume Operations

Create Volume

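# GUI
veracrypt

# Command-line create (interactive wizard; --text keeps it in the terminal)
veracrypt --text --create

# Non-interactive volume creation (bash)
# The passphrase is prompted for and passed on stdin (--stdin). A value given
# with --password is visible to other local users in the process list and is
# saved in shell history.
IFS= read -rs -p 'Volume passphrase: ' VC_PASS && echo
printf '%s\n' "$VC_PASS" | veracrypt --text --create /path/to/volume.img \
  --volume-type=normal \
  --size=1000M \
  --filesystem=ext4 \
  --encryption=AES \
  --hash=SHA-512 \
  --pim=0 \
  -k "" \
  --random-source=/dev/urandom \
  --stdin \
  --non-interactive
unset VC_PASS

# Create hidden volume inside an existing outer volume (interactive)
veracrypt --text --create /path/to/volume.img --volume-type=hidden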

Mount Volume

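# Interactive mount
veracrypt

# Command-line mount
veracrypt --mount /path/to/volume.img /mnt/encrypted

# Mount specific device
veracrypt --mount /dev/sdX1 /mnt/encrypted

# Mount with key file (the option is --keyfiles, also for a single file)
veracrypt --mount /path/to/volume.img /mnt/encrypted \
  --keyfiles=keyfile.key

# Mount read-only
veracrypt --mount /path/to/volume.img /mnt/encrypted \
  --mount-options=ro

# Mount without password prompt
# --stdin reads the passphrase from standard input; "--password /dev/stdin"
# would use the literal string "/dev/stdin" as the passphrase. Feed stdin from a
# protected source instead of an echo with the passphrase typed on the command
# line. /path/to/passphrase-file is a placeholder for an owner-only (mode 600)
# file or a secrets-manager pipe kept away from the volume it unlocks.
veracrypt --text --mount /path/to/volume.img /mnt/encrypted \
  --stdin --non-interactive < /path/to/passphrase-file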

Unmount Volume

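# Unmount specific volume
veracrypt --dismount /mnt/encrypted

# Dismount all VeraCrypt volumes (--dismount with no volume argument)
veracrypt --dismount

# Force unmount (risky: files still open on the volume can lose unwritten data)
veracrypt --dismount /mnt/encrypted --force

# Dismount by slot number (slot numbers are shown by: veracrypt --text --list)
veracrypt --dismount --slot=1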

Volume Types

Standard Volume

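# Creates single-password encrypted volume
# No --password argument: VeraCrypt prompts for the passphrase, so it does not
# end up in the process list or in shell history.
veracrypt --text --create standard.img \
  --volume-type=normal \
  --size=1000M \
  --encryption=AES \
  --hash=SHA-512 \
  --filesystem=ext4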

Hidden Volume

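# Create hidden volume (it lives in the free space of an existing outer volume)
veracrypt --text --create hidden.img --volume-type=hidden

# Three-step process:
# 1. Create outer volume with one password
# 2. Mount and allocate space
# 3. Create hidden volume with different password

# Mount hidden volume (use hidden volume password)
veracrypt --text --mount hidden.img /mnt/secure \
  --protect-hidden=no

# Mount the OUTER volume for writing with protection switched on; without it,
# writes to the outer filesystem can overwrite the hidden volume's data.
# (/mnt/outer is an example mount point.)
veracrypt --text --mount hidden.img /mnt/outer \
  --protect-hidden=yes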

System Partition Encryption

# Windows system drive encryption
# Note: Requires reboot and recovery key
# GUI recommended for system partitions

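# Linux root partition encryption
# Not done with VeraCrypt (its system encryption targets Windows); typically
# handled at installation time by the distribution's own disk-encryption setup
# Requires bootloader support (GRUB, systemd-boot)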

Encryption Algorithms

Available Ciphers

# List supported algorithms
# NOTE(review): --list-ciphers does not appear among VeraCrypt's documented
# command-line options — confirm with `veracrypt --text --help`. The interactive
# `veracrypt --text --create` wizard shows the algorithms it accepts.
veracrypt --text --list-ciphers

# Common ciphers:
# - AES (FIPS approved)
# - Twofish
# - Serpent
# - Kuznyechik
# - Camellia

# Cipher combinations (cascade):
# - AES-Twofish
# - AES-Twofish-Serpent
# - Serpent-AES
# - Serpent-Twofish-AES

Create with Specific Cipher

# Every example below writes to the same vol.img; use a different file name per volume.
# NOTE(review): settings not given here (passphrase, filesystem, …) are presumably
# prompted for — confirm, and add --text to keep the prompts in the terminal.

# AES (fastest, NIST standard)
veracrypt --create vol.img \
  --encryption AES \
  --size 1G

# AES-Twofish (balanced)
veracrypt --create vol.img \
  --encryption AES-Twofish \
  --size 1G

# Serpent-Twofish-AES (slowest, most paranoid)
# A cascade only adds protection if one of its ciphers is broken; it does not
# compensate for a weak passphrase.
veracrypt --create vol.img \
  --encryption Serpent-Twofish-AES \
  --size 1G

# Kuznyechik (Russian GOST standard)
veracrypt --create vol.img \
  --encryption Kuznyechik \
  --size 1G

Hash Functions

# Available hash algorithms
# NOTE(review): --list-hash-algorithms does not appear among VeraCrypt's
# documented command-line options — confirm with `veracrypt --text --help`.
veracrypt --text --list-hash-algorithms

# Recommended:
# - SHA-512 (default, fast)
# - SHA-256
# - Whirlpool (slower, paranoid)
# - Blake2s (modern)
# NOTE(review): the hash is the PRF for header key derivation, so it affects
# mount time and brute-force cost rather than disk throughput. Blake2s is
# presumably only available in releases newer than the 1.25.9 installed above — confirm.

Key and Password Management

Change Password

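# Interactive password change (prompts for the current and the new passphrase)
veracrypt --text --change /path/to/volume.img

# Non-interactive change
# No piped form is given: "--password /dev/stdin" passes that literal string as
# the passphrase, and a scripted change has to supply the new passphrase as a
# --new-password argument, which exposes it in the process list and shell
# history. Use the interactive form above.
#
# After changing a passphrase, replace any older header backups: a header backup
# taken before the change still opens the volume with the old passphrase.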

Add Keyfile

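# Generate keyfile
# The umask is set first so the file is never readable by other users, not even
# between creation and the chmod.
( umask 077 && dd if=/dev/urandom of=keyfile.key bs=1024 count=4 )
chmod 600 keyfile.key

# Add keyfile to existing volume (prompts for the current credentials)
veracrypt --text --change /path/to/volume.img \
  --new-keyfiles=keyfile.key

# Mount with keyfile (the option is --keyfiles, also for a single file)
veracrypt --mount /path/to/volume.img /mnt/encrypted \
  --keyfiles=keyfile.key

# Multiple keyfiles
veracrypt --mount /path/to/volume.img /mnt/encrypted \
  --keyfiles=keyfile1.key,keyfile2.key,keyfile3.key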

Remove Keyfile

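# Remove keyfile from volume: authenticate with the current keyfile and set an
# empty new keyfile list.
# NOTE(review): confirm the empty-list form against `veracrypt --text --help`.
veracrypt --text --change /path/to/volume.img \
  --keyfiles=keyfile.key \
  --new-keyfiles ""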

Volume Information

Display Details

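# List mounted volumes
veracrypt --text --list

# Detailed mounted volumes
veracrypt --text --list --verbose

# Properties of a mounted volume
# The volume has to be mounted: its header is encrypted, so nothing can be read
# from an unopened container.
veracrypt --text --volume-properties=/path/to/volume.img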

Backup and Recovery

Backup Volume Header

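# Use VeraCrypt's own header backup/restore rather than dd:
# - dd writing into an existing container file without conv=notrunc truncates
#   the file to the size of the copy, destroying the volume;
# - a copy of the first 512 bytes does not cover every header a volume can hold
#   (for example the hidden-volume header).

# Export header (prompts for the passphrase and the backup file name)
veracrypt --text --backup-headers=/path/to/volume.img

# Restore header
veracrypt --text --restore-headers=/path/to/volume.img

# Backup partition header
sudo veracrypt --text --backup-headers=/dev/sdX1

# Store header backups as carefully as the volume itself, and replace them after
# a passphrase change: an old backup still opens the volume with the old passphrase.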

Backup Entire Volume

# Create compressed backup
# Dismount the volume first so the container file is in a consistent state.
# NOTE(review): encrypted data does not compress, so -z mostly costs CPU time here.
tar czf volume-backup.tar.gz /path/to/volume.img

# Verify backup integrity
# This only lists the archive members. NOTE(review): for a real integrity check,
# compare a checksum of the restored container with the original.
tar tzf volume-backup.tar.gz

# Encrypt backup
# Adds a second passphrase layer; the container inside is already encrypted.
gpg --symmetric volume-backup.tar.gz

# Restore from backup
# NOTE(review): tar presumably stripped the leading "/" when the archive was
# created, so this restores under ./path/to/ in the current directory — confirm.
tar xzf volume-backup.tar.gz

Scripting and Automation

Auto-Mount Script

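#!/bin/bash
# Auto-mount VeraCrypt volume
#
# The passphrase is not stored in this script. It is prompted for when run from
# a terminal, or read as one line from stdin when run unattended (fed by a
# secrets store or a protected file).
set -euo pipefail

VOLUME="/home/user/encrypted.img"
MOUNT_POINT="/mnt/secure"
# Keep the keyfile on different media from the volume where possible (mode 600).
KEYFILE="/home/user/.keys/volume.key"

if [ -t 0 ]; then
    IFS= read -rs -p "Passphrase for $VOLUME: " PASSWORD
    echo
else
    IFS= read -r PASSWORD || [ -n "$PASSWORD" ] || {
        echo "No passphrase supplied on stdin" >&2
        exit 1
    }
fi

# Create mount point
mkdir -p "$MOUNT_POINT"

# Mount with keyfile. printf is a shell builtin, so the passphrase travels over
# the pipe and never appears as a command-line argument.
if printf '%s\n' "$PASSWORD" | veracrypt --text --mount "$VOLUME" "$MOUNT_POINT" \
    --keyfiles="$KEYFILE" \
    --stdin \
    --non-interactive; then
    unset PASSWORD
    echo "Volume mounted: $MOUNT_POINT"
else
    unset PASSWORD
    echo "Mount failed" >&2
    exit 1
fi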

Batch Volume Creation

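#!/bin/bash
# Create multiple encrypted volumes
#
# Each volume gets its own passphrase, prompted for at run time. A single
# hard-coded --password value would be shared by every volume and visible in the
# process list and in the script file.
set -euo pipefail

VOLUMES=(
    "backup:500M"
    "projects:1G"
    "archive:2G"
)

for SPEC in "${VOLUMES[@]}"; do
    NAME="${SPEC%%:*}"
    SIZE="${SPEC##*:}"
    FILE="${NAME}.img"

    # Never overwrite an existing container
    if [ -e "$FILE" ]; then
        echo "Skipping $FILE: already exists" >&2
        continue
    fi

    IFS= read -rs -p "Passphrase for $FILE: " PASS
    echo

    # Passphrase goes over stdin (--stdin), not on the command line
    if printf '%s\n' "$PASS" | veracrypt --text --create "$FILE" \
        --volume-type=normal \
        --size="$SIZE" \
        --encryption=AES \
        --hash=SHA-512 \
        --filesystem=ext4 \
        --pim=0 \
        -k "" \
        --random-source=/dev/urandom \
        --stdin \
        --non-interactive; then
        echo "Created $FILE"
    else
        echo "Failed to create $FILE" >&2
        exit 1
    fi
done
unset PASS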

Scheduled Backup

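#!/bin/bash
# Automated encrypted backup
#
# $VOLUME is the mounted (decrypted) view of the volume, so the archive is
# encrypted with GnuPG before it reaches disk. A plain tar.gz written to
# $BACKUP_DIR would store the files unprotected.
set -euo pipefail
umask 077   # archives readable by the owner only

VOLUME="/mnt/secure"
BACKUP_DIR="/backup/encrypted"
# Placeholder: key ID of the public key the backups are encrypted to.
GPG_RECIPIENT="BACKUP_KEY_ID_PLACEHOLDER"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
ARCHIVE="$BACKUP_DIR/backup_$TIMESTAMP.tar.gz.gpg"

# Refuse to archive an empty directory when the volume is not mounted
if ! mountpoint -q "$VOLUME"; then
    echo "$VOLUME is not mounted; nothing to back up" >&2
    exit 1
fi

# Perform backup (pipefail makes a tar failure abort the script)
tar czf - "$VOLUME" | gpg --encrypt --recipient "$GPG_RECIPIENT" --output "$ARCHIVE"

# Keep only last 7 days; limited to this script's own archive files so nothing
# else under $BACKUP_DIR is deleted
find "$BACKUP_DIR" -type f -name 'backup_*.tar.gz*' -mtime +7 -delete

echo "Backup completed: $ARCHIVE"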

Performance Tuning

Benchmark Ciphers

# Measure encryption speed
# NOTE(review): --benchmark does not appear among the documented text-mode
# options — confirm; the GUI presumably offers a benchmark in its Tools menu.
veracrypt --text --benchmark

# Benchmark specific cipher
# NOTE(review): this pipeline is unlikely to work as written: --stdin-password
# is not a documented option, a volume cannot be mounted from /dev/stdin, and
# "--password password" exposes the passphrase in the process list. Timing dd
# against a file on an already mounted scratch volume is the usual approach.
dd if=/dev/zero bs=1M count=100 | \
veracrypt --stdin-password --password password --mount /dev/stdin /mnt/test &
time dd if=/mnt/test/testfile bs=1M count=100 of=/dev/null

Optimize for Performance

# Use fast cipher (AES)
veracrypt --create perf.img \
  --encryption AES \
  --hash SHA-512

# Use fast hash
# NOTE(review): identical to the command above. The hash is used for header key
# derivation, so it presumably affects mount time rather than read/write
# throughput; a cheaper derivation also makes passphrase guessing cheaper.
veracrypt --create perf.img \
  --encryption AES \
  --hash SHA-512

Troubleshooting

Common Issues

Issue: “Device is already in use”

# Check mount status
# lsof lists the processes that still hold files open on the mount point;
# close them before dismounting.
mount | grep veracrypt
lsof /mnt/encrypted

# Force unmount
# Last resort: files still open on the volume can lose unwritten data.
veracrypt --dismount /mnt/encrypted --force

# Clear FUSE mounts
fusermount -u /mnt/encrypted

Issue: “Not a VeraCrypt volume”

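# Check that the container exists and has the expected size (a truncated copy will not mount)
ls -lh volume.img

# Look at the first bytes
# A VeraCrypt container has no signature or magic bytes: the header is
# encrypted, so a healthy volume looks like random data here. Readable text or
# long runs of zeros suggest the header was overwritten.
hexdump -C volume.img | head

# Try again: a wrong passphrase, PIM, hash or keyfile gives the same error
veracrypt --mount volume.img /mnt/test

# Try the backup header embedded in the volume
veracrypt --mount volume.img /mnt/test --mount-options=headerbak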

Issue: “Permission denied”

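# Run with sudo
sudo veracrypt --mount volume.img /mnt/encrypted

# Fix mount point permissions (expansions quoted so an unusual user name cannot split the argument)
sudo chown "$USER:$USER" /mnt/encrypted

# Make FUSE accessible to user
# NOTE(review): a "fuse" group presumably does not exist on every distribution —
# confirm; a group change only takes effect at the next login.
sudo usermod -a -G fuse "$USER"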

Issue: “FUSE module not available”

# Install FUSE
# NOTE(review): libfuse-dev looks like the development package; the runtime
# FUSE package is presumably what VeraCrypt needs — confirm for your release.
sudo apt-get install libfuse-dev

# Load fuse module
sudo modprobe fuse

# Check if loaded
lsmod | grep fuse

Security Best Practices

Password Management

  • Use 15+ character passwords with mixed case, numbers, symbols
  • Avoid dictionary words and personal information
  • Use unique password for each volume
  • Consider passphrase (multiple words) instead of single word

Key File Security

  • Generate with /dev/urandom or /dev/random
  • Store separately from encrypted volume
  • Use restrictive permissions (600 or 400)
  • Back up key files in secure location
  • Never email or transmit unencrypted

Encryption Practices

  • Use AES for standard security
  • Use AES-Twofish-Serpent for maximum paranoia
  • Benchmark performance vs security tradeoff
  • Consider local threat model
  • Update VeraCrypt regularly for security patches

Comparison with Alternatives

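| Feature | VeraCrypt | LUKS | TrueCrypt |
|---|---|---|---|
| Development | Active | Active | Stopped |
| Hidden Volumes | Yes | No | Yes |
| Multiple Ciphers | Yes | Limited | Limited |
| Cross-platform | Yes | Linux | Yes |
| Keyfiles | Yes | Yes | Yes |
| Cascading | Yes | No | Yes |
| Performance | Good | Excellent | Good |
| Recommendation | General use | Linux | Legacy only |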

Last updated: 2026-03-30