[[!meta title="Using VeraCrypt encrypted volumes"]]

[[!toc levels=2]]

Introduction to VeraCrypt
=========================

[VeraCrypt](https://www.veracrypt.fr/) is disk encryption software that works on Windows, macOS, and Linux.

Use VeraCrypt to share encrypted files across different operating systems.

In Tails, you can only open VeraCrypt volumes but you cannot create new ones.

- To create VeraCrypt volumes, do so outside of Tails. See the step-by-step guides by Security-in-a-Box:

  - [VeraCrypt for Windows](https://securityinabox.org/en/guide/veracrypt/win/)
  - [VeraCrypt for macOS](https://securityinabox.org/en/guide/veracrypt/mac/)
  - [VeraCrypt for Linux](https://securityinabox.org/en/guide/veracrypt/linux/)

- To create encrypted volumes in Tails, use [[LUKS|encrypted_volumes]] instead. LUKS works only on Linux.

Comparison between LUKS and VeraCrypt
-------------------------------------

You can also create and open LUKS encrypted volumes in Tails. LUKS is the standard for disk encryption in Linux. [[See our documentation about LUKS.|encrypted_volumes]]

[[!inline pages="doc/encryption_and_privacy/luks_vs_veracrypt.inline" raw="yes" sort="age"]]

Difference between file containers and partitions
-------------------------------------------------

With VeraCrypt you can store your files encrypted in two different kinds of *volumes*:

- *File containers*. A file container is a single big file inside which you can store several files encrypted, a bit like a ZIP file.

- *Partitions (or entire disk)*. Usually USB sticks and hard disks have a single partition of their entire size but they can also be split into several partitions. This way you can encrypt a whole USB stick, for example.


Unlocking parameters
--------------------

To unlock a VeraCrypt volume you might need the following parameters, depending on the options that were selected when the volume was created:

- **Passphrase**

- **Keyfiles**: instead of, or in addition to, the passphrase, a VeraCrypt volume can be unlocked using a particular file or set of files.

  [See the VeraCrypt documentation on keyfiles.](https://www.veracrypt.fr/en/Keyfiles.html)

- **PIM**: a number that is needed if it was specified when creating the VeraCrypt volume.

  [See the VeraCrypt documentation on PIM.](https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20(PIM).html)

- **Hidden volume**: if you want to open the hidden volume inside the VeraCrypt volume.

  [See the VeraCrypt documentation on hidden volumes.](https://www.veracrypt.fr/en/Hidden%20Volume.html)

Using a file container
======================

Unlocking a file container without keyfiles
-------------------------------------------

1. Choose Applications ▸ Accessories ▸ Files to start the Files browser.

1. Navigate to the folder containing the file container that you want to open.

1. Right-click on the file container and choose Open With Other Application.

1. In the Select Application dialog, click the View All Applications button.

1. In the list of applications, choose Disk Image Mounter.

   [[!img disk-image-mounter.png link="no" alt=""]]

1. Click on the Encrypted label of the new volume that appears in the sidebar.

   [[!img container-encrypted-label.png link="no" alt="105 MB Encrypted"]]

1. Enter the parameters to unlock the volume. For more information, see the [[Unlocking parameters|veracrypt#parameters]] section above.

   Click Unlock.

1. Files opens your volume.

Unlocking a file container with keyfiles
----------------------------------------

1. Choose Applications ▸ Utilities ▸ Disks to start the Disks utility.

1. Choose Disks ▸ Attach Disk Image… from the top navigation bar.

   [[!img disks-menu.png link="no" alt=""]]

1. In the Select Disk Image to Attach dialog:

   - Unselect the Set up read-only loop device check box in the bottom-left corner if you want to modify the content of the file container.

     [[!img read-only.png link="no" alt=""]]

   - Choose All Files in the file filter in the bottom-right corner.

     [[!img all-files.png link="no" alt=""]]

   - Navigate to the folder containing the file container that you want to open.

   - Select the file container and click Attach.

1. In the left pane, select the new Loop Device that corresponds to your file container.

   In the right pane, it should have an Encrypted? label.

   [[!img container-locked.png link="no" alt=""]]

1. Click the [[!img lib/unlock.png alt="Unlock selected encrypted partition" class="symbolic" link="no"]] button in the right pane.

1. Enter the parameters to unlock the volume. For more information, see the [[Unlocking parameters|veracrypt#parameters]] section above.

   Click Unlock.

1. Select the file system that appears below the unlocked volume. It probably has FAT or NTFS content.

1. Click the [[!img lib/media-playback-start.png alt="Mount selected partition" class="symbolic" link="no"]] button to mount the volume.

1. Click on the */media/amnesia/* link in the right pane to open the volume in the Files browser.

1. Your volume opens in Files.

Closing a file container
------------------------

1. Click on the [[!img lib/media-eject.png alt="Eject" class="symbolic" link="no"]] button on the label of the volume corresponding to your file container in the sidebar of the Files browser.

   [[!img eject-container.png link="no" alt=""]]

Using a partition (or entire disk)
==================================

Unlocking a partition (or entire disk) without keyfiles
-------------------------------------------------------

1. Choose Applications ▸ Accessories ▸ Files to start the Files browser.

1. Plug in the USB stick or the hard disk that has the partition.

   If your partition is on an internal hard disk, refer to [[Unlocking a partition (or entire disk) with keyfiles|veracrypt#partition-disks]] instead.

1. Click on the Encrypted label of the new volume that appears in the sidebar.

   [[!img partition-encrypted-label.png link="no" alt="Mount and open '8.2 GB Encrypted'"]]

1. Enter the parameters to unlock the volume. For more information, see the [[Unlocking parameters|veracrypt#parameters]] section above.

   Click Unlock.

1. Files opens your volume.

Unlocking a partition (or entire disk) with keyfiles
----------------------------------------------------

1. If your partition is on an internal hard disk, [[set up an administration password|doc/first_steps/startup_options/administration_password]] when starting Tails.

   Otherwise, plug in the USB stick or the hard disk that you want to unlock or that has the partition.

1. Choose Applications ▸ Utilities ▸ Disks to start the Disks utility.

1. In the left pane, select the device that corresponds to your USB stick or hard disk.

   [[!img partition-locked.png link="no" alt=""]]

1. In the right pane, select the partition that corresponds to your *VeraCrypt* volume. It should have an Encrypted? label.

1. Click the [[!img lib/unlock.png alt="Unlock selected encrypted partition" class="symbolic" link="no"]] button in the right pane.

1. Enter the parameters to unlock the volume. For more information, see the [[Unlocking parameters|veracrypt#parameters]] section above.

   Click Unlock.

1. Select the file system that appears below the unlocked volume. It probably has FAT or NTFS content.

1. Click the [[!img lib/media-playback-start.png alt="Mount selected partition" class="symbolic" link="no"]] button to mount the volume.

1. Click on the */media/amnesia/* link in the right pane to open the volume in the Files browser.

1. Your volume opens in Files.

Closing a partition (or entire disk)
------------------------------------

1. Click on the [[!img lib/media-eject.png alt="Eject" class="symbolic" link="no"]] button on the label of the volume corresponding to your partition in the sidebar of the Files browser.

   [[!img eject-partition.png link="no" alt=""]]
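
The unlocking parameters described on this page (passphrase, keyfiles, PIM, hidden volume) and the read-only check box in Disks each have a counterpart option in `cryptsetup`, which opens VeraCrypt volumes as its `tcrypt` type. The following is an added example, not part of the Tails documentation: it only builds and prints the command, the helper names `quote` and `build_unlock_cmd`, the paths and the mapping name `vc1` are hypothetical, and running the printed command is assumed to require root, that is, an administration password in Tails.

```shell
#!/bin/sh
# Added example: print (do not run) the cryptsetup command that matches a set
# of VeraCrypt unlocking parameters. All paths and names are hypothetical.

# Quote one argument for safe copy-paste, e.g. paths that contain spaces.
quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_unlock_cmd SOURCE NAME [pim=N] [keyfile=PATH]... [hidden] [readonly]
# SOURCE is a file container or a partition; NAME is the /dev/mapper name.
build_unlock_cmd() {
    source_path=$1; name=$2; shift 2
    # VeraCrypt volumes are opened as cryptsetup's "tcrypt" type.
    cmd="cryptsetup open --type tcrypt --veracrypt"
    for param in "$@"; do
        case $param in
            pim=*)      # PIM: only needed if set when the volume was created
                pim=${param#pim=}
                case $pim in
                    ''|*[!0-9]*) echo "PIM must be a number" >&2; return 2 ;;
                esac
                cmd="$cmd --veracrypt-pim $pim" ;;
            keyfile=*)  # Keyfiles: repeat once per keyfile
                cmd="$cmd --key-file $(quote "${param#keyfile=}")" ;;
            hidden)     # Hidden volume instead of the outer volume
                cmd="$cmd --tcrypt-hidden" ;;
            readonly)   # Counterpart of the read-only check box in Disks
                cmd="$cmd --readonly" ;;
            *)  echo "unknown parameter: $param" >&2; return 2 ;;
        esac
    done
    # No passphrase option on purpose: cryptsetup prompts for it, so it never
    # appears in shell history or in the process list.
    printf '%s %s %s\n' "$cmd" "$(quote "$source_path")" "$name"
}

# Constructed sample: a file container with one keyfile, opened read-only.
build_unlock_cmd "/home/amnesia/Persistent/vault.hc" vc1 \
    readonly "keyfile=/media/amnesia/USB/key file.bin"
# After running the printed command as root, the unlocked volume is
# /dev/mapper/vc1; lock it again with: cryptsetup close vc1
```
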