Encryption with VeraCrypt
Hidden
The VeraCrypt encryption software comes with a handy graphical interface, and the ability to hide a container in an encrypted volume adds a unique professional feature: plausibly deniable encryption.
When the TrueCrypt developers dissuaded people from further use of its software with an ominous security warning [1], many users were confused and concerned about their privacy, especially in the Windows camp, where TrueCrypt was a popular open source encryption solution (see the "TrueCrypt" box).
TrueCrypt
By the spring of 2015, the open source and free encryption software TrueCrypt stood alone. Some users, however, were disturbed because the developers were never identified, leading to speculation. At the end of May 2015, the developers terminated the project and advised users to switch to non-open-source Windows on-board encryption with the words, "Using TrueCrypt is not secure as it may contain unfixed security issues."
Clarity about the actual security of the software was achieved by an independent security audit [3]. However, except for some problems with Windows drivers, the examiners only objected to the low number of hash iterations required to derive the key, which was too small for the computing power of its day. This failed to slow down attackers attempting to brute force passwords; containers with weak passwords were therefore easier to crack. VeraCrypt improved this point promptly, but it also made mounting encrypted objects take considerably more time.
Google employees finally found two critical vulnerabilities that were not directly related to encryption, allowing attackers on Windows [4] – given certain conditions [5] – to gain administrative privileges. The Windows version of VeraCrypt ironed out these weaknesses in the meantime.
In the meantime, TrueCrypt fork VeraCrypt [2], which dates back to 2013, has inherited its predecessor's followers and introduced Linux support in 2014. Given that the Linux kernel already ciphers directories or entire partitions, why would Linux users want to embrace a program with a black spot in its history? VeraCrypt provides some solid reasons for doing so.
Plausible Reasons
One strong motive for the use of VeraCrypt is its guaranteed "plausibly deniable encryption": The encrypted container can embed a hidden inner container (Figure 1). Should you ever be forced to reveal your encryption password, you could do so for the outer container only (see the box "Plausible Deniability").
Plausible Deniability
Some countries (e.g., the UK) by law compel computer owners to disclose their passwords on demand for encrypted data [6]. With the standard Linux encryption tools dm-crypt/LUKS [7], you could be in trouble. A partition encrypted in this way can be identified readily, and the user would not be able to deny its existence (Figure 4) and thus the presence of encrypted data.
The same is true for normal VeraCrypt volumes: Good encryption does not allow any conclusions as to the encrypted data; the content of a container thus looks from the outside like a random numeric sequence. By contrast, unencrypted data (text, video, images) always exhibits certain regularities. The difference can be demonstrated statistically, thus revealing encrypted files.
Precisely the quality that reveals the existence of encrypted filesystems gives VeraCrypt the ability to create a secure hiding place in an inner container. The inner container looks like a random bit sequence and transitions seamlessly and undetectably past statistical analysis into the outer container.
In practice, when creating the outer container, VeraCrypt first overwrites the intended disk space with a random number sequence. A second step embeds a hidden container with its own password. When opening a VeraCrypt volume, you then decide with the choice of a password whether to unlock the outer or inner container.
In the outer container, you will want to store a sufficient number of alibi files as camouflage. The inner container hides in the free space, remaining invisible, unless you know the corresponding password. This is also true of VeraCrypt itself: The content of the outer container will overwrite the hidden volume without warning if it becomes too big. To prevent this, you enter a kind of mixed mode in which you enter the passwords of both containers: Only then will the software detect the position of the inner container and prevent overwriting.
Without the second password, you cannot even prove the existence of an inner container. After unlocking the outer container, it appears to be a blank space. Information relating to its extent is encrypted with the second password in a special reserved memory space. The metadata, like the entire inner container, looks like random values before you unlock them separately.
Although standard Linux tools dm-crypt and eCryptfs [8] are well suited for integration with the operating system (e.g., to encrypt the entire system or the home partition), in contrast, the VeraCrypt GUI lends itself to opening containers for particularly security-critical files as needed. To do this, you create a file-based container with a few mouse clicks (Figure 2); the container can be used not only on Linux, but also on Mac OS X and Windows.
The simple user interface (Figure 3) also handles the task of mounting encrypted volumes, which the program mounts transparently in the filesystem below /mnt
or /media
. Alternatively, VeraCrypt encrypts entire partitions. The command-line option --text
eliminates the need to start the graphical user interface; you can control all the functions from the command line or with a script.
Secure?
Features like plausibly deniable encryption or a practical GUI are of little use if the underlying encryption method proves to be insecure. As always with security issues, you can only follow circumstantial evidence with known factors; potentially unknown vulnerabilities remain undetected.
To the best of my knowledge and belief, the security of VeraCrypt looks good. The software has a long history in open source: It is based on TrueCrypt, which in turn was based on Encryption for the Masses (E4M), launched in 1997 [9]. The TrueCrypt heritage might initially cause some concern, but the VeraCrypt developers understandably explain how they ironed out its known vulnerabilities [10]; in any case, they only affected the Linux version in part. The developers also subjected the code to two static analyses, which revealed some critical programming errors. An expert audit of VeraCrypt itself is still pending.
The software is available from SourceForge [11] in the form of an installer, which only installs a binary and some additional files. As always with security-related software, it pays to verify the integrity of the installation files with sha512sum
. Compiling the software turns out to be difficult at present: The current openSUSE and Ubuntu releases include a compiler that uses the new C++ ABI by default, but not all of the utilities you need are available in this format.
Handy
The current documentation [12] for VeraCrypt leaves no questions unanswered. The basic functions of the software can be used without reading the manual anyway, thanks to the intuitively designed graphical interface. The Create Volume button starts the Volume Creation Wizard. You first need to decide whether you want to create a container or encrypt a hard disk partition. Then the wizard asks whether you want to create a standard volume or a container with an embedded hidden partition for plausibly deniable encryption (Figure 5).
You always need to create a standard outer container. To do so, stipulate a file path in which the software will create the container or the device file of a disk partition (e.g., /dev/sda3
). In the Encryption Options dialog, the Encryption Algorithm default is AES and the Hash Algorithm default is SHA-512, which offer good run-time performance and impeccable security features from today's perspective.
Alternative encryption algorithms (Figure 6) are available in line with the common practice in cryptography of keeping all sensitive components interchangeable. Should future attack vectors compromise the current secure process, you can then change the algorithm but continue using the familiar software.
After entering the desired volume size, type your password twice or select one or more keyfiles, which may consist of any number of files. For the filesystem, VeraCrypt uses the system global default, FAT; more sophisticated filesystems, such as NTFS and ext2/3/4, are also available for use. Of course, selecting an ext filesystem will impair compatibility with Windows. In the final dialog box, click on Format to start the process of generating the container.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Fedora Asahi Remix 41 Available for Apple Silicon
If you have an Apple Silicon Mac and you're hoping to install Fedora, you're in luck because the latest release supports the M1 and M2 chips.
-
Systemd Fixes Bug While Facing New Challenger in GNU Shepherd
The systemd developers have fixed a really nasty bug amid the release of the new GNU Shepherd init system.
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.