[[!meta title="Using VeraCrypt encrypted volumes"]]

[[!toc levels=2]]

Introduction to <span class="application">VeraCrypt</span>
==========================================================

<span class="application">[VeraCrypt](https://www.veracrypt.fr/)</span> is a
disk encryption tool that works on Windows, macOS, and Linux.

Comparison between <span class="application">LUKS</span> and <span class="application">VeraCrypt</span>
-------------------------------------------------------------------------------------------------------

You can also create and open <span class="application">LUKS</span>
encrypted volumes in Tails. <span class="application">LUKS</span> is the
standard for disk encryption in Linux. [[See our documentation about
<span class="application">LUKS</span>.|encrypted_volumes]]

[[!inline pages="doc/encryption_and_privacy/luks_vs_veracrypt.inline" raw="yes" sort="age"]]

To create new <span class="application">VeraCrypt</span> volumes, do so
outside of Tails. See the step-by-step guides by Security-in-a-Box:

- [VeraCrypt for Windows](https://securityinabox.org/en/guide/veracrypt/win/)
- [VeraCrypt for macOS](https://securityinabox.org/en/guide/veracrypt/mac/)
- [VeraCrypt for Linux](https://securityinabox.org/en/guide/veracrypt/linux/)

<a id="container-vs-partition"></a>

Difference between file containers and partitions
-------------------------------------------------

With <span class="application">VeraCrypt</span> you can store your files
encrypted in two different kinds of *volumes*:

<h3>File containers</h3>

<div class="icon">
[[!img container-icon.png link="no"]]
<div class="text">
<p>A file container is a single big file inside which you can store
several files encrypted, a bit like a ZIP file.</p>
</div>
</div>

<h3>Partitions or drives</h3>

<div class="icon">
[[!img partition-icon.png link="no"]]
<div class="text">
<p>Usually, drives (USB sticks and hard disks) have a single partition of their
entire size. This way, you can encrypt a whole USB stick, for example.
But, drives can also be split into several partitions.</p>
</div>
</div>

<a id="parameters"></a>

Unlocking parameters
--------------------

To unlock a <span class="application">VeraCrypt</span> volume, you might need
the following parameters, depending on the options that were selected when the
volume was created:

- **Passphrase**

- **Keyfiles**: instead of or in addition to the passphrase, a
  <span class="application">VeraCrypt</span> volume can be unlocked using a
  particular file or set of files.

  [See the <span class="application">VeraCrypt</span> documentation on
  keyfiles.](https://www.veracrypt.fr/en/Keyfiles.html)

- **PIM**: a number that is needed if it was specified when creating the
  <span class="application">VeraCrypt</span> volume.

  [See the <span class="application">VeraCrypt</span> documentation on
  PIM.](https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20\(PIM\).html)

<div class="bug">

<p>Due to current limitations in Debian, using a PIM fails in Tails. It
will become possible in Tails 4.0 (late 2019).</p>

</div>

- **Hidden volume**: if you want to unlock the hidden volume inside the
  <span class="application">VeraCrypt</span> volume.

  [See the <span class="application">VeraCrypt</span> documentation on hidden
  volumes.](https://www.veracrypt.fr/en/Hidden%20Volume.html)

- **System volume**: if you want to unlock an encrypted Windows system partition.

  [See the <span class="application">VeraCrypt</span> documentation on
  encrypting a Windows system partition.](https://www.veracrypt.fr/en/System%20Encryption.html)

Using a file container
======================

[[!img container-icon.png link="no" alt=""]]

<a id="container-files"></a>

Unlocking a file container without keyfiles
-------------------------------------------

1. Choose
   <span class="menuchoice">
     <span class="guimenu">Applications</span>&nbsp;▸
     <span class="guisubmenu">Utilities</span>&nbsp;▸
     <span class="guisubmenuitem">Unlock VeraCrypt Volumes</span></span>.

1. Click <span class="button">Add</span> and choose the file container
   that you want to unlock.

1. Enter the parameters to unlock the volume. For more information, see
   the [[Unlocking parameters|veracrypt#parameters]] section above.

   Click <span class="button">Unlock</span>.

1. <span class="application">Unlock VeraCrypt Volumes</span> opens your volume.

1. If unlocking the volume fails (for example, if you mistyped the
   password), click on <span class="button">Unlock</span> to try
   unlocking again.

<a id="container-disks"></a>

Unlocking a file container with keyfiles
----------------------------------------

1. Choose
   <span class="menuchoice">
     <span class="guimenu">Applications</span>&nbsp;▸
     <span class="guisubmenu">Utilities</span>&nbsp;▸
     <span class="guisubmenuitem">Disks</span></span>
   to start the <span class="application">Disks</span> utility.

1. Choose <span class="menuchoice">
     <span class="guimenu">Disks</span>&nbsp;▸
     <span class="guimenuitem">Attach Disk Image&hellip;</span></span> from the
     top navigation bar.

     [[!img disks-menu.png link="no" alt=""]]

1. In the <span class="button">Select Disk Image to Attach</span> dialog:

   - Unselect the <span class="guilabel">Set up read-only loop device</span>
     check box in the bottom-left corner if you want to modify the content of
     the file container.

     [[!img read-only.png link="no" alt=""]]

   - Choose <span class="guilabel">All Files</span> in the file filter in the
     bottom-right corner.

     [[!img all-files.png link="no" alt=""]]

   - Navigate to the folder containing the file container that you want to open.

   - Select the file container and click <span class="button">Attach</span>.

1. In the left pane, select the new <span class="guilabel">Loop Device</span>
   that corresponds to your file container.

   In the right pane, it should have an
   <span class="guilabel">Encrypted?</span> label.

   [[!img container-locked.png link="no" alt=""]]

1. Click the <span class="button">[[!img lib/unlock.png alt="Unlock
   selected encrypted partition" class="symbolic" link="no"]]</span>
   button in the right pane.

1. Enter the parameters to unlock the volume. For more information, see
   the [[Unlocking parameters|veracrypt#parameters]] section above.

   Click <span class="button">Unlock</span>.

1. Select the file system that appears below the unlocked volume. It
   probably has <span class="guilabel">FAT</span> or
   <span class="guilabel">NTFS</span> content.

1. Click the <span class="button">[[!img lib/media-playback-start.png
   alt="Mount selected partition" class="symbolic" link="no"]]</span>
   button to mount the volume.

1. Click on the <span class="filename">*/media/amnesia/*</span> link in
   the right pane to open the volume in the
   <span class="application">Files</span> browser.

1. Your volume opens in <span class="application">Files</span>.

Closing a file container
------------------------

You can either:

- In the sidebar of the <span class="application">Files</span> browser,
  click on the <span class="button">[[!img lib/media-eject.png
  alt="Eject" class="symbolic" link="no"]]</span> button on the label
  of the volume corresponding to your file container.

  [[!img eject-container.png link="no" alt=""]]

- In <span class="application">Unlock VeraCrypt Volumes</span>, click on the
  <span class="button">[[!img lib/window-close.png class="symbolic"
  link="no" alt=""]]</span> button in the line that corresponds to your
  file container.

Using a partition or drive
==========================

[[!img partition-icon.png link="no" alt=""]]

<a id="partition-files"></a>

Unlocking a partition or drive without keyfiles
-----------------------------------------------

1. If your partition or drive is on an internal hard disk, [[set up an administration
   password|doc/first_steps/startup_options/administration_password]] when
   starting Tails.

   Otherwise, plug in the USB stick or the hard disk that you want to
   unlock.

1. Choose
   <span class="menuchoice">
     <span class="guimenu">Applications</span>&nbsp;▸
     <span class="guisubmenu">Utilities</span>&nbsp;▸
     <span class="guisubmenuitem">Unlock VeraCrypt Volumes</span></span>.

1. In the list of partitions, click <span class="button">Unlock</span> in the
   line that corresponds to your USB stick or hard disk.

   [[!img partition-encrypted-label.png link="no" alt="Mount and open '8.2 GB Encrypted'"]]

   XXX: Update screenshot

1. Enter the parameters to unlock the volume. For more information, see
   the [[Unlocking parameters|veracrypt#parameters]] section above.

   Click <span class="button">Unlock</span>.

1. <span class="application">Unlock VeraCrypt Volumes</span> opens your volume.

<a id="partition-disks"></a>

Unlocking a partition or drive with keyfiles
--------------------------------------------

1. If your partition or drive is on an internal hard disk, [[set up an administration
   password|doc/first_steps/startup_options/administration_password]] when
   starting Tails.

   Otherwise, plug in the USB stick or the hard disk that you want to
   unlock.

1. Choose
   <span class="menuchoice">
     <span class="guimenu">Applications</span>&nbsp;▸
     <span class="guisubmenu">Utilities</span>&nbsp;▸
     <span class="guisubmenuitem">Disks</span></span>
   to start the <span class="application">Disks</span> utility.

1. In the left pane, select the drive that corresponds to your USB stick or
   hard disk.

   [[!img partition-locked.png link="no" alt=""]]

1. In the right pane, select the partition that corresponds to your *VeraCrypt*
   volume.

   It should have an <span class="guilabel">Encrypted?</span> label.

1. Click the <span class="button">[[!img lib/unlock.png alt="Unlock
   selected encrypted partition" class="symbolic" link="no"]]</span>
   button in the right pane.

1. Enter the parameters to unlock the volume. For more information, see
   the [[Unlocking parameters|veracrypt#parameters]] section above.

   Click <span class="button">Unlock</span>.

1. Select the file system that appears below the unlocked volume. It
   probably has <span class="guilabel">FAT</span> or
   <span class="guilabel">NTFS</span> content.

1. Click the <span class="button">[[!img lib/media-playback-start.png
   alt="Mount selected partition" class="symbolic" link="no"]]</span>
   button to mount the volume.

1. Click on the <span class="filename">*/media/amnesia/*</span> link in
   the right pane to open the volume in the
   <span class="application">Files</span> browser.

1. Your volume opens in <span class="application">Files</span>.

Closing a partition or drive
----------------------------

You can either:

- In the sidebar of the <span class="application">Files</span> browser,
  click on the <span class="button">[[!img lib/media-eject.png
  alt="Eject" class="symbolic" link="no"]]</span> button on the label
  of the volume corresponding to your partition.

  [[!img eject-partition.png link="no" alt=""]]

- In <span class="application">Unlock VeraCrypt Volumes</span>, click on the
  <span class="button">[[!img lib/window-close.png class="symbolic"
  link="no" alt=""]]</span> button in the line that corresponds to your
  USB stick or hard disk.