veracrypt.mdwn 10.7 KB
Newer Older
1
2
3
4
5
6
7
8
[[!meta title="Using VeraCrypt encrypted volumes"]]

[[!toc levels=2]]

Introduction to <span class="application">VeraCrypt</span>
==========================================================

<span class="application">[VeraCrypt](https://www.veracrypt.fr/)</span> is a
cbrownstein's avatar
cbrownstein committed
9
disk encryption tool that works on Windows, macOS, and Linux.
10
11
12
13
14
15
16
17
18
19
20

Comparison between <span class="application">LUKS</span> and <span class="application">VeraCrypt</span>
-------------------------------------------------------------------------------------------------------

You can also create and open <span class="application">LUKS</span>
encrypted volumes in Tails. <span class="application">LUKS</span> is the
standard for disk encryption in Linux. [[See our documentation about
<span class="application">LUKS</span>.|encrypted_volumes]]

[[!inline pages="doc/encryption_and_privacy/luks_vs_veracrypt.inline" raw="yes" sort="age"]]

sajolida's avatar
sajolida committed
21
22
23
24
25
26
27
To create new <span class="application">VeraCrypt</span> volumes, do so
outside of Tails. See the step-by-step guides by Security-in-a-Box:

- [VeraCrypt for Windows](https://securityinabox.org/en/guide/veracrypt/win/)
- [VeraCrypt for macOS](https://securityinabox.org/en/guide/veracrypt/mac/)
- [VeraCrypt for Linux](https://securityinabox.org/en/guide/veracrypt/linux/)

28
29
30
31
32
33
34
35
<a id="container-vs-partition"></a>

Difference between file containers and partitions
-------------------------------------------------

With <span class="application">VeraCrypt</span> you can store your files
encrypted in two different kinds of *volumes*:

36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
<h3>File containers</h3>

<div class="icon">
[[!img container-icon.png link="no"]]
<div class="text">
<p>A file container is a single big file inside which you can store
several files encrypted, a bit like a ZIP file.</p>
</div>
</div>

<h3>Partitions (or entire disks)</h3>

<div class="icon">
[[!img partition-icon.png link="no"]]
<div class="text">
cbrownstein's avatar
cbrownstein committed
51
52
<p>Usually, USB sticks and hard disks have a single partition of their
entire size. But, they can also be split into several partitions. This way,
cbrownstein's avatar
cbrownstein committed
53
you can encrypt only part of a USB stick, for example.</p>
54
55
</div>
</div>
56
57
58
59
60
61
62
63
64
65
66
67

<a id="parameters"></a>

Unlocking parameters
--------------------

To unlock a <span class="application">VeraCrypt</span> volume you might need
the following parameters, depending on the options that were selected when the
volume was created:

- **Passphrase**

cbrownstein's avatar
cbrownstein committed
68
- **Keyfiles**: instead of or in addition to the passphrase, a
69
  <span class="application">VeraCrypt</span> volume can be unlocked using a
sajolida's avatar
sajolida committed
70
  particular file or set of files.
71
72

  [See the <span class="application">VeraCrypt</span> documentation on
sajolida's avatar
sajolida committed
73
  keyfiles.](https://www.veracrypt.fr/en/Keyfiles.html)
74
75
76
77
78

- **PIM**: a number that is needed if it was specified when creating the
  <span class="application">VeraCrypt</span> volume.

  [See the <span class="application">VeraCrypt</span> documentation on
sajolida's avatar
sajolida committed
79
  PIM.](https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20\(PIM\).html)
80
81
82
83
84
85
86

- **Hidden volume**: if you want to open the hidden volume inside the
  <span class="application">VeraCrypt</span> volume.

  [See the <span class="application">VeraCrypt</span> documentation on hidden
  volumes.](https://www.veracrypt.fr/en/Hidden%20Volume.html)

87
88
Using a file container
======================
89

90
91
[[!img container-icon.png link="no" alt=""]]

92
93
<a id="container-files"></a>

94
95
Unlocking a file container without keyfiles
-------------------------------------------
96

97
1. Choose
98
99
100
   <span class="menuchoice">
     <span class="guimenu">Applications</span>&nbsp;▸
     <span class="guisubmenu">Accessories</span>&nbsp;▸
101
     <span class="guisubmenuitem">VeraCrypt Mounter</span></span>.
102

103
104
1. Click <span class="button">Add</span> and choose the file container
   that you want to unlock.
105
106
107
108
109
110

1. Enter the parameters to unlock the volume. For more information, see
   the [[Unlocking parameters|veracrypt#parameters]] section above.

   Click <span class="button">Unlock</span>.

111
112
1. <span class="application">VeraCrypt Mounter</span> opens your volume.

cbrownstein's avatar
cbrownstein committed
113
1. If unlocking the volume fails (for example, if you mistyped the
114
115
   password), click on <span class="button">Unlock</span> to try
   unlocking again.
116
117
118

<a id="container-disks"></a>

119
120
Unlocking a file container with keyfiles
----------------------------------------
121

122
1. Choose
123
124
125
   <span class="menuchoice">
     <span class="guimenu">Applications</span>&nbsp;▸
     <span class="guisubmenu">Utilities</span>&nbsp;▸
126
127
     <span class="guisubmenuitem">Disks</span></span>
   to start the <span class="application">Disks</span> utility.
128
129
130
131
132
133

1. Choose <span class=menuchoice">
     <span class="guimenu">Disks</span>&nbsp;▸
     <span class="guimenuitem">Attach Disk Image&hellip;</span></span> from the
     top navigation bar.

134
135
     [[!img disks-menu.png link="no" alt=""]]

136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
1. In the <span class="button">Select Disk Image to Attach</span> dialog:

   - Unselect the <span class="guilabel">Set up read-only loop device</span>
     check box in the bottom-left corner if you want to modify the content of
     the file container.

     [[!img read-only.png link="no" alt=""]]

   - Choose <span class="guilabel">All Files</span> in the file filter in the
     bottom-right corner.

     [[!img all-files.png link="no" alt=""]]

   - Navigate to the folder containing the file container that you want to open.

   - Select the file container and click <span class="button">Attach</span>.

1. In the left pane, select the new <span class="guilabel">Loop Device</span>
   that corresponds to your file container.

   In the right pane, it should have an
   <span class="guilabel">Encrypted?</span> label.

   [[!img container-locked.png link="no" alt=""]]

1. Click the <span class="button">[[!img lib/unlock.png alt="Unlock
   selected encrypted partition" class="symbolic" link="no"]]</span>
   button in the right pane.

1. Enter the parameters to unlock the volume. For more information, see
   the [[Unlocking parameters|veracrypt#parameters]] section above.

   Click <span class="button">Unlock</span>.

1. Select the file system that appears below the unlocked volume. It
   probably has a <span class="guilabel">FAT</span> or
   <span class="guilabel">NTFS</span> content.

1. Click the <span class="button">[[!img lib/media-playback-start.png
   alt="Mount selected partition" class="symbolic" link="no"]]</span>
   button to mount the volume.

1. Click on the <span class="filename">*/media/amnesia/*</span> link in
179
180
   the right pane to open the volume in the
   <span class="application">Files</span> browser.
181
182
183
184
185
186

1. Your volume opens in <span class="application">Files</span>.

Closing a file container
------------------------

187
188
189
190
191
192
193
194
You can either:

- In the sidebar of the <span class="application">Files</span> browser,
  click on the <span class="button">[[!img lib/media-eject.png
  alt="Eject" class="symbolic" link="no"]]</span> button on the label
  of the volume corresponding to your file container.

  [[!img eject-container.png link="no" alt=""]]
195

196
197
198
199
- In <span class="application">VeraCrypt Mounter</span>, click on the
  <span class="button">[[!img lib/window-close.png class="symbolic"
  link="no" alt=""]]</span> button in the line that corresponds to your
  file container.
200

201
202
Using a partition (or entire disk)
==================================
203

204
205
[[!img partition-icon.png link="no" alt=""]]

206
207
<a id="partition-files"></a>

208
209
Unlocking a partition (or entire disk) without keyfiles
-------------------------------------------------------
210

211
1. Choose
212
213
214
   <span class="menuchoice">
     <span class="guimenu">Applications</span>&nbsp;▸
     <span class="guisubmenu">Accessories</span>&nbsp;▸
215
     <span class="guisubmenuitem">VeraCrypt Mounter</span></span>.
216

sajolida's avatar
sajolida committed
217
1. Plug in the USB stick or the hard disk that you want to unlock.
218

219
   If your partition is on an internal hard disk, refer to [[Unlocking a
220
   partition (or entire disk) with keyfiles|veracrypt#partition-disks]]
221
222
   instead.

223
224
1. Click <span class="button">Unlock</span> in the line that appears in
   the list of partitions.
225
226
227

   [[!img partition-encrypted-label.png link="no" alt="Mount and open '8.2 GB Encrypted'"]]

228
229
   XXX: Update screenshot

230
231
232
233
234
1. Enter the parameters to unlock the volume. For more information, see
   the [[Unlocking parameters|veracrypt#parameters]] section above.

   Click <span class="button">Unlock</span>.

235
1. <span class="application">VeraCrypt Mounter</span> opens your volume.
236
237
238

<a id="partition-disks"></a>

239
240
Unlocking a partition (or entire disk) with keyfiles
----------------------------------------------------
241
242
243
244
245

1. If your partition is on an internal hard disk, [[set up an administration
   password|doc/first_steps/startup_options/administration_password]] when
   starting Tails.
   
246
   Otherwise, plug in the USB stick or the hard disk that you want to
sajolida's avatar
sajolida committed
247
   unlock.
248

249
1. Choose
250
251
252
   <span class="menuchoice">
     <span class="guimenu">Applications</span>&nbsp;▸
     <span class="guisubmenu">Utilities</span>&nbsp;▸
253
254
     <span class="guisubmenuitem">Disks</span></span>
   to start the <span class="application">Disks</span> utility.
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283

1. In the left pane, select the device that corresponds to your USB stick or
   hard disk.

   [[!img partition-locked.png link="no" alt=""]]

1. In the right pane, select the partition that corresponds to your *VeraCrypt*
   volume.

   It should have an <span class="guilabel">Encrypted?</span> label.

1. Click the <span class="button">[[!img lib/unlock.png alt="Unlock
   selected encrypted partition" class="symbolic" link="no"]]</span>
   button in the right pane.

1. Enter the parameters to unlock the volume. For more information, see
   the [[Unlocking parameters|veracrypt#parameters]] section above.

   Click <span class="button">Unlock</span>.

1. Select the file system that appears below the unlocked volume. It
   probably has a <span class="guilabel">FAT</span> or
   <span class="guilabel">NTFS</span> content.

1. Click the <span class="button">[[!img lib/media-playback-start.png
   alt="Mount selected partition" class="symbolic" link="no"]]</span>
   button to mount the volume.

1. Click on the <span class="filename">*/media/amnesia/*</span> link in
284
285
   the right pane to open the volume in the
   <span class="application">Files</span> browser.
286
287
288

1. Your volume opens in <span class="application">Files</span>.

289
290
Closing a partition (or entire disk)
------------------------------------
291

292
293
294
295
296
297
298
299
You can either:

- In the sidebar of the <span class="application">Files</span> browser,
  click on the <span class="button">[[!img lib/media-eject.png
  alt="Eject" class="symbolic" link="no"]]</span> button on the label
  of the volume corresponding to your partition.

  [[!img eject-partition.png link="no" alt=""]]
300

301
302
303
304
- In <span class="application">VeraCrypt Mounter</span>, click on the
  <span class="button">[[!img lib/window-close.png class="symbolic"
  link="no" alt=""]]</span> button in the line that corresponds to your
  partition.