{"id":1271,"date":"2018-11-04T16:08:06","date_gmt":"2018-11-04T13:08:06","guid":{"rendered":"http:\/\/kifarunix.com\/?p=1271"},"modified":"2024-03-11T21:38:30","modified_gmt":"2024-03-11T18:38:30","slug":"how-to-use-veracrypt-on-command-line-to-encrypt-drives-on-ubuntu","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-use-veracrypt-on-command-line-to-encrypt-drives-on-ubuntu\/","title":{"rendered":"How to Use VeraCrypt on Command Line to Encrypt Drives on Ubuntu"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to use VeraCrypt on Command Line to Encrypt Drives on Ubuntu. In our previous article, we discussed <a href=\"https:\/\/kifarunix.com\/security\/encryption\/how-to-install-and-use-veracrypt-to-encrypt-drives-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"noopener\">how to install and use VeraCrypt to encrypt drives on Ubuntu<\/a>.<\/p>\n\n\n\n<p>We used the VeraCrypt GUI method. In this article, we are going to learn how to use VeraCrypt on command line interface to achieve the same encryption.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Using VeraCrypt to Encrypt Drives on Command Line<\/h2>\n\n\n\n<p>To run VeraCrypt in text user interface, just type <strong class=\"userinput\"><code>veracrypt<\/code> <\/strong>and pass the <strong>-t\/&#8211;text<\/strong> option.<\/p>\n\n\n\n<p>The command line synopsis of the <strong class=\"userinput\"><code>veracrypt<\/code> <\/strong>command is;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>veracrypt &#91;OPTIONS] COMMAND\nveracrypt &#91;OPTIONS] VOLUME_PATH &#91;MOUNT_DIRECTORY]<\/code><\/pre>\n\n\n\n<p>To learn more about VeraCrypt command line options, run <strong class=\"userinput\"><code>veracrypt -h<\/code><\/strong>.<\/p>\n\n\n\n<p>With VeraCrypt, you can create two types of volumes;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#outer-volume\">VeraCrypt Outer Volume<\/a><\/li>\n\n\n\n<li><a href=\"#inner-volume\">VeraCrypt Hidden Volume<\/a>. <em>This is like creating another volume within an encrypted volume for more security!<\/em><\/li>\n<\/ul>\n\n\n\n<p>While creating each volume, you can choose to use an unused partition or just create a file-based volume to store your data.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"outer-volume\">Create VeraCrypt Outer Volume on Command Line<\/h3>\n\n\n\n<p>Launch <strong class=\"userinput\"><code>veracrypt<\/code><\/strong> command from the terminal and pass option <strong>-c\/&#8211;create<\/strong> and of course the <strong>-t\/&#8211;text<\/strong> option. Most of the options will be requested if you don&#8217;t specify them on the command line and thus the setup becomes interactive.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo veracrypt -t -c<\/code><\/pre>\n\n\n\n<p>When you run the command, you are prompted to choose the type of volume. In this case, we are going to setup a Normal volume.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Volume type:\n 1) Normal\n 2) Hidden\nSelect &#91;1]: 1<\/code><\/pre>\n\n\n\n<p>Next, enter the volume path. For example, \/dev\/sdb1.<\/p>\n\n\n\n<p><strong>CAUTION: If you are encrypting a partition, ensure that there is no data in it or the data has been backed up and backup confirmed. The process will wipe the partition clean and you will all data, if any was stored in it.<\/strong><\/p>\n\n\n\n<p>Note that I have unused partition,&nbsp;<strong><code>\/dev\/sdb1<\/code><\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>lsblk<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nNAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT\nsda      8:0    0    20G  0 disk \n\u2514\u2500sda1   8:1    0    20G  0 part \/\n<strong>sdb      8:16   0     4G  0 disk \n\u2514\u2500sdb1   8:17   0     4G  0 part <\/strong>\nsr0     11:0    1  1024M  0 rom  \nsr1     11:1    1  1024M  0 rom\n<\/code><\/pre>\n\n\n\n<p>Thus, if you are using a partition, enter the device;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Enter volume path: <strong>\/dev\/sdb1<\/strong><\/code><\/pre>\n\n\n\n<p>Define the Encryption as well as the hashing algorithms;<\/p>\n\n\n\n<p>We choose the AES and SHA 512 as encryption and hashing algorithms respectively. You can also just press enter to accept the defaults.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nEncryption Algorithm:\n 1) AES\n 2) Serpent\n 3) Twofish\n 4) Camellia\n 5) Kuznyechik\n 6) AES(Twofish)\n 7) AES(Twofish(Serpent))\n 8) Camellia(Kuznyechik)\n 9) Camellia(Serpent)\n 10) Kuznyechik(AES)\n 11) Kuznyechik(Serpent(Camellia))\n 12) Kuznyechik(Twofish)\n 13) Serpent(AES)\n 14) Serpent(Twofish(AES))\n 15) Twofish(Serpent)\nSelect [1]: 1\n\nHash algorithm:\n 1) SHA-512\n 2) Whirlpool\n 3) SHA-256\n 4) Streebog\nSelect [1]: 1\n\n<\/code><\/pre>\n\n\n\n<p>Define the filesystem to format the volume with.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nFilesystem:\n 1) None\n 2) FAT\n 3) Linux Ext2\n 4) Linux Ext3\n 5) Linux Ext4\n 6) NTFS\n 7) exFAT\nSelect [2]: <strong>5<\/strong>\n<\/code><\/pre>\n\n\n\n<p>In this case, we are going with <strong>Linux Ext4<\/strong>.<\/p>\n\n\n\n<p>Next<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>you need to set the password for encrypting outer volume.<\/li>\n\n\n\n<li>For PIM and keyfile path, press enter to set empty values.<\/li>\n\n\n\n<li>Next, type random numbers that can be use to improve the cryptographic strength of the encryption key. In this case, you are required to enter at least 320 random numbers.<\/li>\n<\/ul>\n\n\n\n<pre class=\"scroll-box\"><code>\nEnter password: <strong>Enter STRONGPASSWORD<\/strong>\nRe-enter password: <strong>Re-Enter STRONGPASSWORD<\/strong>\n\nEnter PIM: <strong>Enter<\/strong>\n\nEnter keyfile path [none]: <strong>Enter<\/strong>\n\nPlease type at least 320 randomly chosen characters and then press Enter:\n&lt;<strong>PASTE  OR TYPE 320 CHARACTERS HERE ><\/strong>\n\nDone: 100.000%  Speed:   54 MB\/s  Left: 0 s          \n\nThe VeraCrypt volume has been successfully created.\n<\/code><\/pre>\n\n\n\n<p>To create the outer volume in non-interactive mode, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo veracrypt -t -c --volume-type=normal \/dev\/sdb1 \\\n--encryption=aes --hash=sha-512 --filesystem=ext4 \\\n-p STRONGP@33WORD --pim=0 -k \"\" --random-source=\/dev\/urandom<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"inner-volume\">Create Hidden Volume within the Outer volume<\/h3>\n\n\n\n<p>Once the outer volume is created, you need to create the hidden volume within it. So repeat the above procedure but this time round;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo veracrypt -t -c<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define the volume type as <strong>hidden<\/strong>.<\/li>\n\n\n\n<li>Enter volume path: <strong>\/dev\/sdb1<\/strong>, in our example.<\/li>\n\n\n\n<li>Define the size of the hidden volume.<\/li>\n\n\n\n<li>Set the encryption and hash algorithms<\/li>\n\n\n\n<li>Define filesystem type.<\/li>\n\n\n\n<li>Enter encryption password. Press enter for PIM and key file path.<\/li>\n\n\n\n<li>Generate and enter 320 random characters.<\/li>\n\n\n\n<li>If all is well, then your hidden volume should be successfully created.<\/li>\n<\/ul>\n\n\n\n<pre class=\"scroll-box\"><code>\nVolume type:\n 1) Normal\n 2) Hidden\nSelect [1]: 2\n\nIMPORTANT: Inexperienced users should use the graphical user interface to create a hidden volume. When using the text interface, the procedure described in the command line help must be followed to create a hidden volume.\n\nEnter volume path: \/dev\/sdb1\n\nEnter hidden volume size (sizeK\/size[M]\/sizeG\/sizeT\/max): 1G\n\nEncryption Algorithm:\n 1) AES\n 2) Serpent\n 3) Twofish\n 4) Camellia\n 5) Kuznyechik\n 6) AES(Twofish)\n 7) AES(Twofish(Serpent))\n 8) Camellia(Kuznyechik)\n 9) Camellia(Serpent)\n 10) Kuznyechik(AES)\n 11) Kuznyechik(Serpent(Camellia))\n 12) Kuznyechik(Twofish)\n 13) Serpent(AES)\n 14) Serpent(Twofish(AES))\n 15) Twofish(Serpent)\nSelect [1]: 1\n\nHash algorithm:\n 1) SHA-512\n 2) Whirlpool\n 3) SHA-256\n 4) Streebog\nSelect [1]: 1\n\nFilesystem:\n 1) None\n 2) FAT\n 3) Linux Ext2\n 4) Linux Ext3\n 5) Linux Ext4\n 6) NTFS\n 7) exFAT\n 8) Btrfs\nSelect [2]: 5\n\nEnter password: <strong>STRONGPASSWORDFORHIDDENVOLUME<\/strong>\nRe-enter password: <strong>STRONGPASSWORDFORHIDDENVOLUME<\/strong>\n\nEnter PIM: Enter \n\nEnter keyfile path [none]: Enter\n\nPlease type at least 320 randomly chosen characters and then press Enter:\n&lt;<strong>PASTE YOUR 320 CHARACTERS HERE ><\/strong>\n\nDone: 100.000%  Speed:  256 MB\/s  Left: 0 s         \n\nThe hidden VeraCrypt volume has been successfully created and is ready for use. If all the instructions have been followed and if the precautions and requirements listed in the section \"Security Requirements and Precautions Pertaining to Hidden Volumes\" in the VeraCrypt User's Guide are followed, it should be impossible to prove that the hidden volume exists, even when the outer volume is mounted.\n\nWARNING: IF YOU DO NOT PROTECT THE HIDDEN VOLUME (FOR INFORMATION ON HOW TO DO SO, REFER TO THE SECTION \"PROTECTION OF HIDDEN VOLUMES AGAINST DAMAGE\" IN THE VERACRYPT USER'S GUIDE), DO NOT WRITE TO THE OUTER VOLUME. OTHERWISE, YOU MAY OVERWRITE AND DAMAGE THE HIDDEN VOLUME!\n<\/code><\/pre>\n\n\n\n<p>To create a hidden volume in non-interactive mode, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo veracrypt -t -c --volume-type=hidden \/dev\/sdb2 \\\n--size=500M --encryption=aes --hash=sha-512 \\\n--filesystem=ext4 -p STRONGP@33WORDHID --pim=0 \\\n-k \"\" --random-source=\/dev\/urandom<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Mount the VeraCrypt Outer and Inner Volumes<\/h3>\n\n\n\n<p>Once you are done creating the volumes, you can now mount them and write your files or data to them as you wish.<\/p>\n\n\n\n<p>To mount the outer volume, run the command below. When prompted for a password, use the password set for the outer volume above.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo veracrypt \/dev\/sdb1 \/mnt\/<\/code><\/pre>\n\n\n\n<p>Password wizard pops up to enter the outer volume encrypted password.<\/p>\n\n\n\n<p>Once mounted, verify.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>df -hT \/mnt<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Filesystem             Type  Size  Used Avail Use% Mounted on\n\/dev\/mapper\/veracrypt1 ext4  3.9G   16M  3.7G   1% \/mnt<\/code><\/pre>\n\n\n\n<p>To mount otvolume prompting only for its password:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo veracrypt -t -k \"\" --pim=0 --protect-hidden=no \/dev\/sdb1 \/mnt\/sdb1\/<\/code><\/pre>\n\n\n\n<p>List the mounted VeraCrypt volumes.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>veracrypt -l<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>1: \/dev\/sdb1 \/dev\/mapper\/veracrypt1 \/mnt\/<\/code><\/pre>\n\n\n\n<p>To unmount the volume,<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo veracrypt -d \/dev\/sdb1<\/code><\/pre>\n\n\n\n<p>To mount the hidden volume, run veracrypt command as shown above <strong>but this time, use the password defined for the hidden volume<\/strong>.<\/p>\n\n\n\n<p>Seen how easy it is to use VeraCrypt on command line to encrypt your storage volumes? You can now create or put your sensitive data into the hidden volume. Enjoy the power of encryption.<\/p>\n\n\n\n<p>That conclude our guide on how to use VeraCrypt on Command Line to Encrypt Drives on Ubuntu.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Other Tutorials<\/h2>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/encrypt-files-and-directories-with-ecryptfs-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Encrypt Files and Directories with eCryptFS on Ubuntu 20.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/encrypt-drives-with-luks-in-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">Encrypt Drives with LUKS in Linux<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to use VeraCrypt on Command Line to Encrypt Drives on Ubuntu. In our previous article, we discussed how<\/p>\n","protected":false},"author":1,"featured_media":12819,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,159,34],"tags":[5200,160,228,227,5201],"class_list":["post-1271","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-encryption","category-security","tag-encrypte-drives-using-veracrypt","tag-encryption","tag-ubuntu18-04","tag-veracrypt","tag-veracrypt-command-line","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1271"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=1271"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1271\/revisions"}],"predecessor-version":[{"id":21069,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1271\/revisions\/21069"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12819"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=1271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=1271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=1271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}