veracrypt
Encrypt and decrypt volumes, partitions, and drives
TLDR
Create a new volume through a text user interface and use /dev/urandom as a source of random data
Decrypt a volume interactively through a text user interface and mount it to a directory
Decrypt a partition using a keyfile and mount it to a directory
Dismount a volume on the directory it is mounted to
SYNOPSIS
veracrypt [options] [volume [mount_directory]]
veracrypt --create [options]
veracrypt --dismount [options]
veracrypt --list [options]
PARAMETERS
--create
Initiates the process to create a new VeraCrypt volume (file container or partition/device).
--dismount [MOUNT_DIRECTORY|ALL]
Dismounts a specific VeraCrypt volume mounted at MOUNT_DIRECTORY or all currently mounted volumes if 'ALL' is specified.
--list
Lists all currently mounted VeraCrypt volumes, showing their paths and mount points.
--mount [VOLUME] [MOUNT_DIRECTORY]
Mounts a specified VeraCrypt VOLUME (file or device) to the designated MOUNT_DIRECTORY.
-t, --text
Uses a text-based user interface for operations, useful for scripting or headless environments.
-k, --keyfiles=FILE[,FILE...]
Specifies one or more keyfiles to use for authentication, in addition to or instead of a password.
-p, --password=PASSWORD
Provides the password for the volume directly on the command line. Use with caution as it can be visible in process lists.
--protect-hidden=yes
When mounting an outer volume, this option ensures that the hidden volume within it remains protected and unmounted.
--force
Forces an operation, overriding warnings or confirmation prompts.
--non-interactive
Suppresses all user prompts and relies solely on command-line arguments and configuration files for input.
--filesystem=TYPE
Specifies the filesystem type (e.g., ext4, vfat, ntfs) to be created inside the new VeraCrypt volume.
--encryption=ALGO
Specifies the encryption algorithm (e.g., AES, Serpent, Twofish, or cascades like AES-Twofish) for the volume.
--hash=ALGO
Specifies the hash algorithm (e.g., SHA-512, Whirlpool, RIPEMD-160) for key derivation.
--volume-type=TYPE
Specifies whether to create a 'normal' volume or a 'hidden' volume for plausible deniability.
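The tasks listed under TLDR (create a container with /dev/urandom as the entropy source, mount with a keyfile, dismount) wired together with the parameters above, as an added example that is not part of this manual page or of the VeraCrypt project. It assumes a `veracrypt` binary on PATH (override with the VERACRYPT variable) and uses three flags that this page does not list but that the VeraCrypt CLI provides: `--random-source`, `--size` and `--stdin` (password read from standard input). With VC_DRY_RUN=1, the default here, each command line is printed instead of executed, so the wrapper can be inspected without touching any device.

```shell
#!/bin/sh
# Added example (not from the veracrypt man page): a POSIX sh wrapper that
# creates a keyfile, builds an encrypted file container, mounts it with that
# keyfile and dismounts it again, using the parameters documented above.
# Assumptions: VERACRYPT points at the veracrypt binary; --random-source,
# --size and --stdin are VeraCrypt CLI flags not listed on this page;
# VC_DRY_RUN=1 (the default) prints each command line instead of running it.
set -u

VERACRYPT="${VERACRYPT:-veracrypt}"
VC_DRY_RUN="${VC_DRY_RUN:-1}"

# Run a command, or print it in dry-run mode. No password ever appears in
# the argument list, so neither `ps` nor this output can leak it.
vc_run() {
    if [ "$VC_DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a 64-byte random keyfile that only its owner can read.
# Refuses to overwrite an existing file: that would destroy access to
# every volume already bound to it.
vc_make_keyfile() {
    [ -e "$1" ] && { echo "refusing to overwrite $1" >&2; return 1; }
    ( umask 077 && head -c 64 /dev/urandom > "$1" ) || return 1
    chmod 600 "$1"
}

# Accept only keyfiles that exist and are unreadable by group and others;
# a world-readable keyfile adds nothing to the password. Works with GNU
# stat (-c) and BSD stat (-f).
vc_check_keyfile() {
    [ -f "$1" ] || return 1
    perm=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$perm" in
        600|400) return 0 ;;
        *) echo "keyfile $1 has mode '$perm', expected 600 or 400" >&2; return 1 ;;
    esac
}

# Create a normal file container of SIZE at PATH, bound to KEYFILE.
# --random-source skips the interactive entropy-gathering prompt; --stdin
# makes veracrypt read the password from standard input, so the caller
# pipes it in (e.g. from a 0600 credential file) instead of using -p.
vc_create() {
    path="$1"; size="$2"; keyfile="$3"
    vc_check_keyfile "$keyfile" || return 1
    vc_run "$VERACRYPT" --text --non-interactive --create "$path" \
        --size="$size" --volume-type=normal --encryption=AES --hash=SHA-512 \
        --filesystem=ext4 --keyfiles="$keyfile" --random-source=/dev/urandom \
        --stdin
}

# Mount VOLUME (file container or block device) at MOUNT_DIR with KEYFILE.
vc_mount() {
    volume="$1"; mount_dir="$2"; keyfile="$3"
    vc_check_keyfile "$keyfile" || return 1
    [ -d "$mount_dir" ] || [ "$VC_DRY_RUN" = "1" ] || mkdir -p "$mount_dir"
    vc_run "$VERACRYPT" --text --non-interactive --keyfiles="$keyfile" \
        --stdin --mount "$volume" "$mount_dir"
}

# Dismount the volume mounted at MOUNT_DIR, flushing pending writes first
# (see CAVEATS: an unclean dismount risks corrupting the filesystem).
vc_dismount() {
    sync
    vc_run "$VERACRYPT" --text --non-interactive --dismount "$1"
}

# Demo with constructed paths; in dry-run mode only the command lines print.
if [ "$VC_DRY_RUN" = "1" ]; then
    demo_key="$(mktemp)"; rm -f "$demo_key"   # fresh, not-yet-existing path
    vc_make_keyfile "$demo_key"
    vc_create /tmp/vault.hc 100M "$demo_key"
    vc_mount /tmp/vault.hc /mnt/vault "$demo_key"
    vc_dismount /mnt/vault
    rm -f "$demo_key"
fi
```

To run it for real, set VC_DRY_RUN=0 and feed the password on standard input, for example `vc_mount /dev/sdb1 /mnt/data "$keyfile" < /root/.vault-pass`; the keyfile check refuses anything looser than mode 600/400, and the password never reaches the argument list, which is the exposure `-p` is warned about above.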
DESCRIPTION
VeraCrypt is a powerful, cross-platform, open-source disk encryption software that enhances security over its predecessor, TrueCrypt. It allows users to encrypt an entire storage device (hard drive, SSD, USB drive) or a partition on such a device, or to create a virtual encrypted disk within a file. VeraCrypt uses strong encryption algorithms such as AES, Serpent, and Twofish, optionally combined in cascade modes, and supports plausible deniability through hidden volumes. It is widely used for protecting sensitive data against unauthorized access, even if the storage medium is lost or stolen. The Linux command-line interface provides comprehensive control for creating, mounting, and managing encrypted volumes.
CAVEATS
Using VeraCrypt securely requires careful handling of passwords and keyfiles. Losing these credentials will result in permanent data loss. Performance overhead is expected due to real-time encryption/decryption. Ensure proper dismounting of volumes to prevent data corruption. Hidden volumes provide plausible deniability but require strict adherence to usage protocols to remain effective.
SECURITY BEST PRACTICES
Always use strong, unique passwords or robust keyfiles. Avoid storing passwords unencrypted. Regularly back up your encrypted data, as the loss of your password or keyfiles means permanent data loss. For advanced users, consider utilizing hidden volumes for plausible deniability, understanding their specific operational requirements.
COMMON USE CASES
VeraCrypt is commonly used for encrypting sensitive documents on laptops, securing backups on external drives, protecting an entire system partition for enhanced operating system security, or creating a secure file container for collaborative work on sensitive data.
HISTORY
VeraCrypt originated as a fork of TrueCrypt 7.1a in 2013, following security concerns and the abrupt discontinuation of TrueCrypt. Its primary goal was to address identified vulnerabilities and further enhance the security and robustness of the encryption scheme. It notably increased the number of PBKDF2 (Password-Based Key Derivation Function 2) iterations, making brute-force attacks on the password significantly more expensive. Development continues actively, maintaining compatibility with TrueCrypt volumes while improving security features.
SEE ALSO
cryptsetup(8), mount(8), umount(8), lsblk(8), dd(1)