VeraCrypt in Linux: Complete Guide to Encrypt Your Data

Introduction to VeraCrypt

VeraCrypt is TrueCrypt's successor and offers a robust method to create encrypted volumes on Linux. Its open-source code has been audited and continues to receive security updates. In this article we will see how to install it, create encrypted containers and use them from both the graphical interface and the terminal.

Installation in popular distributions

In Ubuntu and derivatives you can add the official repository or download the .deb package from the download page. In Fedora and CentOS the package is available in RPM Fusion repositories. Below are the basic steps:

  • Update the package index: sudo apt update
  • Install the package: sudo apt install veracrypt
  • In Fedora: sudo dnf install veracrypt

If you prefer not to add repositories, download the generic installer from veracrypt.fr. Give it execute permission and run it.

Creation of an encrypted volume

Once installed, open VeraCrypt from the application menu or run veracrypt in the terminal. The wizard will guide you through the following steps:

  • Click on Create Volume and choose Create an encrypted file container.
  • Select the location and name of the file that will act as a virtual disk.
  • Choose the encryption algorithm (AES is recommended) and hash algorithm (SHA-512).
  • Define the size of the volume according to your needs.
  • Set a strong password; you can use a key file or biometric authentication if your hardware supports it.
  • Format the volume with the file system you prefer (ext4, FAT32, NTFS).
  • Finish the process and wait for the container to be generated.

The result is a file that, when mounted, behaves like a normal partition.

Mounting and dismounting volumes

To use your encrypted volume, select a free drive letter in the VeraCrypt interface, click Select File and find the container you created. Then press Mount and enter the password. The volume will appear in your file manager like any other disk. When you're done, go back to the main window, select the mounted drive and press Dismount. You can also perform these actions from the command line:

  • Mount: veracrypt --text --mount /ruta/al/contenedor.hc /mnt/miVolumen
  • Dismount: veracrypt --dismount /mnt/miVolumen

Remember to create the mount point (mkdir -p /mnt/miVolumen) before mounting.

Advanced use from the terminal

VeraCrypt includes a fully text-based mode that is useful on servers or in automation scripts. Some common options are:

  • --password to pass the password (although it is less safe than using an agent).
  • --keyfiles to specify key files.
  • --pim to use a custom number of iterations (PIM).
  • --protect-hidden to protect hidden volumes against accidental overwriting.

You can combine these options in a backup script that mounts the volume, copies the data and then dismounts it, all without human intervention.
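
A sketch of such a backup script, added here as an example (it is not part of the original article). It feeds the password through --stdin instead of --password so it never appears in the process list, and it dismounts even when the copy fails. The function name vc_backup, the four arguments and the return codes are assumptions of this example; it expects to run with the privileges needed to mount (for instance from root's cron).

```shell
#!/bin/sh
# Added example: unattended backup into a VeraCrypt container.
# Hypothetical names (not from the article): vc_backup and its arguments.

# vc_backup CONTAINER MOUNTPOINT SRC_DIR PASSWORD_FILE
vc_backup() {
    container=$1 mnt=$2 src=$3 pwfile=$4

    # Refuse a password file that group or others can access.
    case "$(stat -c '%a' "$pwfile")" in
        ?00) ;;
        *) echo "password file must not be accessible to group/others: $pwfile" >&2
           return 2 ;;
    esac

    # Mount point accessible only to its owner (chmod 700).
    mkdir -p "$mnt" && chmod 700 "$mnt" || return 3

    # --stdin reads the password from standard input, so it is not visible
    # in the process list the way a --password argument is.
    # --non-interactive turns any unanswered question into an error, which
    # is why PIM, key files and hidden-volume protection are stated explicitly.
    veracrypt --text --non-interactive --stdin --pim=0 --keyfiles="" \
        --protect-hidden=no --mount "$container" "$mnt" < "$pwfile" || return 4

    # Copy the data, then always dismount, even if the copy failed.
    rc=0
    cp -a "$src" "$mnt/" || rc=5
    veracrypt --text --dismount "$mnt" || rc=6
    return "$rc"
}

# Run only when the script is called with its four arguments.
if [ "$#" -eq 4 ]; then
    vc_backup "$@"
fi
```

A non-zero return value identifies the step that failed (2 password file permissions, 3 mount point, 4 mount, 5 copy, 6 dismount), so a cron wrapper can alert on it.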

Good security practices

To maximize the protection of your data with VeraCrypt in Linux, follow these recommendations:

  • Use long and unique passwords, preferably generated by a password manager.
  • Consider using a key file stored on a separate device (USB) in addition to the password.
  • Keep the system and the VeraCrypt package up to date to benefit from security patches.
  • Avoid mounting volumes in directories with excessively permissive permissions; use chmod 700 on the mount point.
  • If you use hidden volumes, never reveal their existence and regularly verify integrity with the volume verification option.
  • Back up the volume headers (volumen.hc) in a safe environment; without them you will not be able to recover the data.

Hidden Volumes: an extra layer of privacy

The concept of a hidden volume is based on plausible deniability. When creating a main container, you reserve space for a secondary volume that is only revealed with a different password. Even if an attacker forces you to reveal the password of the main volume, the hidden volume remains undetectable without the second key.

To create a hidden volume, start the volume creation wizard and choose the 'Create a hidden encrypted volume' option. Then you define the size of the outer volume (the one that will be visible) and the size of the hidden volume (the one that will remain secret). It is important that the outer volume be large enough to contain harmless files that can justify its existence.

Once created, the hidden volume is mounted using the same file path but specifying the hidden volume's password. In the VeraCrypt interface, when you try to mount, the program automatically detects whether it is the outer or the hidden volume according to the given key. You should never use the same password for both volumes, as that would reduce the security of the scheme.

Some specific recommendations to work with hidden volumes:

  • Use a different key file for the hidden volume, stored on a separate medium.
  • Perform write operations only on the outer volume when you need to show harmless data; avoid writing to the hidden volume unless strictly necessary.
  • Regularly verify the integrity of both volumes with the VeraCrypt volume test tool.
  • Never store the hidden volume's password in the same place as the outer volume's password; use a password manager or dedicated USB memory.

Conclusion

VeraCrypt is a complete disk and container encryption solution that is perfectly integrated with Linux. Whether you need to protect personal documents, server backups or sensitive information on a laptop, its combination of strong encryption, intuitive graphical interface and powerful command line makes it an essential tool. Following the steps and best practices described in this article, you can create, mount and manage encrypted volumes with confidence and keep your data safe from unauthorized access. In addition, always remember to keep safe backups of your volume headers and test the restoration in an isolated environment before relying on them for critical data.

This work is under a Creative Commons License Attribution 4.0 International for Francesc Roig francesc @ vivaldi.net.
