Use VeraCrypt without using user password

Stephan Wijman -

Introduction

VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux.

VeraCrypt main features:

  • Creates a virtual encrypted disk within a file and mounts it as a real disk.
  • Encrypts an entire partition or storage device such as USB flash drive or hard drive.
  • Encrypts a partition or drive where Windows is installed (pre-boot authentication).
  • Encryption is automatic, real-time(on-the-fly) and transparent.
  • Parallelization and pipelining allow data to be read and written as fast as if the drive was not encrypted.
  • Encryption can be hardware-accelerated on modern processors.
  • Provides plausible deniability, in case an adversary forces you to reveal the password: Hidden volume (steganography) and hidden operating system.

Using VeraCrypt with Linux

When you use the VeraCrypt GUI, and mount an encrypted volume, it will require to provide each time the user password to elevate VeraCrypt to be able to mount the volume.
To avoid this from happening the steps below will provide with a mechanism where this isn't required anymore. All the steps below require sudo rights to execute.

Install sudo package

To be able to use this steps the sudo package is required. Check with the following command if the package is already installed:

dpkg -l | grep sudo

If there is no output then the package hasn't been installed yet. Install it with:

sudo apt install sudo -y

Create VeraCrypt group

Best practise is to have a separate user group so individual users can be linked to it, without providing them with full sudo rights.

First create the new group:

sudo groupadd veracrypt

Then modify the required user(s) to join the group:

sudo usermod -aG veracrypt <username>

Provide sudo config for passwordless execution of veracrypt

These steps tell sudo that any user part of the veracrypt group is allowed to execute the veracrypt executable without password.
For this we need to edit /etc/sudoers. We do this with the following command:

sudoedit /etc/sudoers

Then add the following line below the existing sudo group line:

%veracrypt ALL=(root) NOPASSWD:/usr/bin/veracrypt

It will then look like this:

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
%veracrypt ALL=(root) NOPASSWD:/usr/bin/veracrypt

Modify Desktop GUI menu entry

Unfortunately VeraCrypt will still ask for the user password due to the sudo implementation. To avoid this the additional argument --use-dummy-sudo-password which will verify if sudo requires password authentication.
These steps will differ from each desktop environment (GNOME, KDE, etc) so the screenshots below are a reference only.

Open the main menu item editor:

Select the VeraCrypt item and edit the properties:

Select the command field:

Append after the command the --use-dummy-sudo-password argument:

Now save the changes and with all the steps done VeraCrypt won't ask for the user password anymore when mounting a volume.

NOTE: If the current user is added to the veracrypt group but hasn't logged out and back in again the group setting won't have been updated.