How would I encrypt my whole Linux filesystem with Veracrypt?


Linux has supported boot/system volume encryption like Veracrypt for a long time using its own separate integrated system called LUKS, which is not compatible with Truecrypt/Veracrypt.

Veracrypt (if it's like Truecrypt) is implemented on Linux via FUSE. FUSE is a way to implement filesystems without writing a kernel driver; the cost of this is speed. LUKS is part of the kernel and is faster than Veracrypt would be, so this is why LUKS is preferred if you are using Linux.

LUKS is well supported by Debian and other distribution installers; it's fairly simple to encrypt your full system, or your full Linux partition, except for a small boot partition containing the kernel and initial RAM disk. This is equivalent to everything being encrypted on Truecrypt/Veracrypt except the bootloader, which has to be unencrypted so the BIOS/UEFI can read it.

I have never used Kali, but if it uses the standard Debian installer, you do this to encrypt the full partition (reference):

To create an encrypted partition, you must first assign an available partition for this purpose.

To do so, select a partition and indicate that it is to be used as a “physical volume for encryption”. After partitioning the disk containing the physical volume to be made, choose “Configure encrypted volumes”.

The software will then propose to initialize the physical volume with random data (making the localization of the real data more difficult), and will ask you to enter an “encryption passphrase”, which you will have to enter every time you boot your computer in order to access the content of the encrypted partition.

Once this step has been completed, and you have returned to the partitioning tool menu, a new partition will be available in an “encrypted volume”, which you can then configure just like any other partition.

In most cases, this partition is used as a physical volume for LVM so as to protect several partitions (LVM logical volumes) with the same encryption key, including the swap partition (see sidebar SECURITY Encrypted swap partition).

One thing to note is that I don't believe there is a tool that will encrypt/decrypt a currently running system like Truecrypt/Veracrypt does.

It's technically possible to mount the root filesystem via FUSE - meaning I believe it's possible to boot Linux off of a Veracrypt-encrypted partition if you really wanted to, but since it provides inferior speed to LUKS under Linux, it's not surprising if no one has developed this method.
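The workflow the answer and comments describe, shown here as an added example (not part of the original answer) against a throwaway image file rather than a real partition: format as LUKS, open it as a /dev/mapper device, put a filesystem on it, restore data from a backup, then close it. It assumes cryptsetup, mkfs.ext4 and root privileges; the mapping name demo_crypt and the /tmp and /mnt paths are made up for the demo, and is_luks works on any file without root.

```shell
#!/bin/sh
# Added example; assumes cryptsetup and mkfs.ext4 are installed and that the
# demo functions run as root. Names and paths are constructed for the demo.
set -eu

# Report whether a device or image starts with the LUKS header magic
# ("LUKS" followed by bytes 0xba 0xbe). Returns 0 if so, 1 otherwise.
is_luks() {
    magic=$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Turn a blank image into a LUKS volume, open it as /dev/mapper/demo_crypt,
# create a filesystem on it and mount it. Everything read or written through
# the mount point is decrypted/encrypted on the fly by dm-crypt in the kernel.
luks_demo_create() {
    img=$1; mnt=$2
    dd if=/dev/zero of="$img" bs=1M count=64 status=none
    cryptsetup luksFormat --batch-mode "$img"   # prompts for a passphrase
    cryptsetup open "$img" demo_crypt           # prompts again, creates the mapping
    mkfs.ext4 -q /dev/mapper/demo_crypt
    mkdir -p "$mnt"
    mount /dev/mapper/demo_crypt "$mnt"
}

# Reload data from a backup directory: a LUKS volume starts out encrypted,
# so existing data cannot be converted in place and has to be copied in.
luks_demo_restore() {
    cp -a "$1"/. "$2"/
}

# Unmount and close; on disk the image now holds the LUKS header plus ciphertext.
luks_demo_close() {
    umount "$1"
    cryptsetup close demo_crypt
}

# Run the full demo only when explicitly asked (requires root).
if [ "${1:-}" = "run" ]; then
    luks_demo_create /tmp/luks_demo.img /mnt/luks_demo
    luks_demo_restore "${2:-/tmp/luks_backup}" /mnt/luks_demo
    luks_demo_close /mnt/luks_demo
    is_luks /tmp/luks_demo.img && echo "LUKS header present on image"
fi
```

Run as `sudo sh luks_demo.sh run /path/to/backup`; without the `run` argument the script only defines the functions.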


Author: btf1998

Updated on September 18, 2022

Comments

  • btf1998 over 1 year

    I'm running Kali Dojo 2.0 and I'd like to encrypt the entire drive.

    I've encrypted my Windows 7 Home Premium drive with Veracrypt, and it was a simple setup and I'd like to do something similar on this drive.

    On that drive, everything was encrypted, aside from boot files, and that's what I would like to do with this drive as well. It doesn't have to be Veracrypt; that is just a preference.

    Unless it is my only option, I do not want to make a container to put certain files in.

  • btf1998 over 8 years
    After doing a little reading, it seems that I have to back up data and reload it onto the partition that LUKS creates. Am I right in saying that? Also, you've said that you don't think there is a tool to decrypt/encrypt a running system. Does that mean that LUKS encrypts and decrypts everything at startup/shutdown? Also, is there a special process by which I would have to shut down my system to ensure it re-encrypts? And thank you for the reference and the help you have given me already.
  • LawrenceC over 8 years
    LUKS encrypts/decrypts in realtime. It takes a partition like /dev/sda1 and creates an "encrypted version" /dev/mapper/something. You (or a script) mount/use the /dev/mapper device; anything read/written is de/encrypted automatically.
  • LawrenceC over 8 years
    You can't change a volume from unencrypted to encrypted while it is mounted/you are using it, like TrueCrypt does for Windows system volumes. LUKS volumes can only start off encrypted in the first place.