Introduction
VeraCrypt is free, open-source disk encryption software for Windows, Mac OSX and Linux.
VeraCrypt main features:
- Creates a virtual encrypted disk within a file and mounts it as a real disk.
- Encrypts an entire partition or storage device such as USB flash drive or hard drive.
- Encrypts a partition or drive where Windows is installed (pre-boot authentication).
- Encryption is automatic, real-time (on-the-fly) and transparent.
- Parallelization and pipelining allow data to be read and written as fast as if the drive was not encrypted.
- Encryption can be hardware-accelerated on modern processors.
- Provides plausible deniability, in case an adversary forces you to reveal the password: Hidden volume (steganography) and hidden operating system.
Using VeraCrypt with Linux
When you mount an encrypted volume from the VeraCrypt GUI, it asks for the user password every time so that VeraCrypt can elevate its privileges to mount the volume.
The steps below set up a mechanism that makes this prompt unnecessary. All the steps below require sudo rights to execute.
Install sudo package
These steps require the sudo package. Check with the following command whether the package is already installed:
dpkg -l | grep sudo
If there is no output then the package hasn't been installed yet. Install it as root, since sudo itself is not available yet:
apt install sudo -y
Create VeraCrypt group
Best practice is to have a separate user group that individual users can be added to, without giving them full sudo rights.
First create the new group:
sudo groupadd veracrypt
Then modify the required user(s) to join the group:
sudo usermod -aG veracrypt <username>
Provide sudo config for passwordless execution of veracrypt
These steps tell sudo that any user who is part of the veracrypt group is allowed to execute the veracrypt executable without a password.
For this we need to edit /etc/sudoers. We do this with the following command:
sudoedit /etc/sudoers
Then add the following line below the existing sudo group line:
%veracrypt ALL=(root) NOPASSWD:/usr/bin/veracrypt
It will then look like this:
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
%veracrypt ALL=(root) NOPASSWD:/usr/bin/veracrypt
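The NOPASSWD rule above lets every member of the veracrypt group run that binary as root, so the rule should stay this narrow and the binary should not be writable by non-root users. The script below is an added example, not part of the original page; the function names rule_path, rule_is_scoped and path_is_locked are hypothetical, and the permission check looks at mode bits only.

```sh
#!/bin/sh
# Added example: audit a NOPASSWD sudoers rule and the binary it names.

# rule_path RULE -> prints the command path that follows the NOPASSWD: tag.
rule_path() {
    cmd=${1##*NOPASSWD:}            # text after the tag
    cmd=${cmd#"${cmd%%[! ]*}"}      # trim leading spaces
    printf '%s\n' "${cmd%% *}"      # first word = the executable
}

# rule_is_scoped RULE -> 0 if RULE runs as root only and names one absolute,
# wildcard-free command; otherwise 1, with the reason on stderr.
rule_is_scoped() {
    case $1 in
        *NOPASSWD:*) ;;
        *) echo "no NOPASSWD tag" >&2; return 1 ;;
    esac
    case $1 in
        *"(root)"*) ;;
        *) echo "runas is not (root)" >&2; return 1 ;;
    esac
    cmd=${1##*NOPASSWD:}
    case $cmd in
        *\**|*\?*|*\[*) echo "wildcard in command" >&2; return 1 ;;
        *,*) echo "more than one command" >&2; return 1 ;;
    esac
    case $(rule_path "$1") in
        /*) return 0 ;;
        *) echo "command is not an absolute path" >&2; return 1 ;;
    esac
}

# path_is_locked PATH -> 0 if neither PATH nor its directory is writable by
# group or other. Mode bits only; ownership is not checked (assumption: the
# package manager installed both as root).
path_is_locked() {
    for p in "$1" "$(dirname "$1")"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        w=$(find -L "$p" -prune \( -perm -020 -o -perm -002 \))
        [ -z "$w" ] || { echo "group/other writable: $p" >&2; return 1; }
    done
}

RULE='%veracrypt ALL=(root) NOPASSWD:/usr/bin/veracrypt'   # rule from this page
if rule_is_scoped "$RULE" && path_is_locked "$(rule_path "$RULE")"; then
    echo "ok: $RULE"
fi
```

After saving the file, running sudo visudo -c confirms that /etc/sudoers still parses.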
Modify Desktop GUI menu entry
Unfortunately VeraCrypt will still ask for the user password due to the sudo implementation. To avoid this, add the additional argument --use-dummy-sudo-password, which will verify if sudo requires password authentication.
These steps differ between desktop environments (GNOME, KDE, etc.), so the screenshots below are a reference only.
Open the main menu item editor:
Select the VeraCrypt item and edit the properties:
Select the command field:
Append the --use-dummy-sudo-password argument after the command:
Now save the changes. With all the steps done, VeraCrypt won't ask for the user password anymore when mounting a volume.
NOTE: If the current user was added to the veracrypt group but hasn't logged out and back in again, the group setting won't have been updated.