Discopter Pi Guide

Chapter 7: Command Line VeraCrypt

VeraCrypt, love it or hate it, is basically the default encryption program. And why hate it? It's easy to use, very effective, and provides lots of options. Most people use the GUI version, but a powerful command line version of the application is available as well and is perfect for a headless server setup like our Pis. To use the GUI, you'd not only need a desktop OS installed but would also have to navigate through VNC rather than SSH. This not only increases the attack surface of our Pi but substitutes the quick and accurate SSH for the often laggy and imprecise VNC. Fortunately, the command line version of VeraCrypt is almost as simple as the GUI version, and in some ways is even better. Once installed, we use the `veracrypt` command to create or interact with our volumes. An added bonus (in my opinion) is that this approach forces the user to consider certain options that are more often clicked through without much thought in a GUI. When creating a volume, here are some of the parameters to consider:

With these options in mind, let's install VeraCrypt and create and mount our first container.

Step 1: Download and Install VeraCrypt

  1. Download the most recent version available for the Raspberry Pi.
    sudo wget https://launchpad.net/veracrypt/trunk/1.26.7/+download/veracrypt-console-1.26.7-Debian-11-arm64.deb
    Replace arm64.deb with armhf.deb if using a 32-bit OS.
  2. Attempt to install it.
    sudo dpkg -i veracrypt-console-1.26.7-Debian-11-arm64.deb
  3. You'll get errors about missing dependencies. Fix the errors with this command:
    sudo apt --fix-broken install

Now that VeraCrypt is installed, we can create a container. Most of the options should be fairly familiar from the GUI version. You'll specify a file path for the container and set parameters like the encryption algorithm and password.

Step 2: Create a Container

  1. Run the following command:
    veracrypt -t -c
    -t: Execute in command line “text” mode rather than through the GUI (which doesn't exist in this install)
    -c: Create volume
  2. VeraCrypt will ask if you want to make a normal or hidden volume. As a first time around with creating volumes, go with normal.
  3. Specify a file path. If in the directory you want the container to be created, you can just specify a file name. It can have any or no extension.
  4. Specify a size. Add “M” at the end or the specified size will be in bytes. For example, a 100 Megabyte volume would be specified as “100M”.
  5. Set a password. VeraCrypt will warn you if it is fewer than 20 characters. Confirm the password.
  6. Choose your encryption and hashing algorithms. AES and SHA-512 are good choices.
  7. For the filesystem, if intending to use the volume only on the Pi, ext4 is the best choice. If you need the volume to have cross-OS compatibility, choose exFAT. For now, choose ext4.
  8. Next it will ask for the PIM. Just press enter to accept the default 485.
  9. Press enter to accept no keyfiles.
  10. VeraCrypt will then tell you to basically mash the keyboard randomly. Don't forget about the shift key!

If all goes according to plan, VeraCrypt will display a progress meter and then tell you the volume was created. For this demo, we used the default PIM and no keyfiles. In the future, consider using a keyfile for added security. You can increase the PIM size as well, but know that it will slow down opening the volume. If you wind up using a simpler password, one that has very little randomness in it and primarily relies on dictionary words, a higher PIM can help offset that, but it's now one more thing to remember so consider using an easy to remember value. For the random keystrokes, a better and easier approach is to use a script to generate the random data. An example of this approach is at the end of the chapter. First, let's mount and add files to our volume.

Step 3: Mount the Volume

  1. Create a directory to act as the mount point. This example will use “example_mount” but call yours whatever you'd like.
    mkdir example_mount
  2. Add a file to this directory.
    touch example_mount/open.img
  3. Run the following command:
    veracrypt -t --mount
  4. Provide the file path for the volume created in Step 2. If you are in the same directory as the volume, you can just specify the filename.
  5. Provide a mount point. Again, if in the same directory as the mount point, you can just give the directory name.
    • If you just press enter, it will mount in the default location, which is /media/veracrypt1
  6. Enter the password for the volume.
  7. Enter the PIM value. If you chose the default when creating the volume, just press enter.
  8. Select not using a keyfile and not protecting a hidden volume.
  9. After several seconds, VeraCrypt will report that the volume was successfully created.

With the volume created and mounted to our specified mount point, you can add files or folders as if it were any other directory.

Step 4: Using the Volume

  1. Change the current working directory to the mount point.
    cd example_mount
  2. Look for the file we created in Step 3.1. You should not see it. The only content you should see is a “lost+found” directory.
    ls
  3. Add a file to the volume.
    sudo touch closed.img
  4. Verify the file is in the volume.
    ls
  5. Go back to the parent of the mount point.
    cd ..

Step 5: Unmount Volume and Verify

  1. Dismount with the following command:
    veracrypt -t -d
  2. Check the content of the mount point we used. You should no longer see `lost+found` or `closed.img`
    ls example_mount

And just like that, an open and closed side verified as working as expected. If you ever forget where your volume is mounted, you can list where all volumes are mounted with this command:

veracrypt -t -l
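
Steps 3 to 5 show that the mount point is an ordinary directory whenever the volume is dismounted, so a file written at the wrong moment lands unencrypted on the Pi's own storage. The script below is an added example, not part of the original guide: it copies a file into the mount point only while a VeraCrypt volume is mounted there. The function names and the `MOUNT_TABLE` variable are hypothetical, and it assumes the mounted volume shows up in `/proc/mounts` as a `/dev/mapper/veracryptN` device.

```shell
#!/bin/sh
# Added example, not from the guide. Function names are hypothetical.
# Assumption: a mounted VeraCrypt volume appears in the mount table with a
# device named /dev/mapper/veracryptN, e.g. (constructed line):
#   /dev/mapper/veracrypt1 /home/pi/example_mount ext4 rw,relatime 0 0
# Mount points containing spaces (escaped as \040 in the table) are not handled.

MOUNT_TABLE=${MOUNT_TABLE:-/proc/mounts}

# Print the device mounted at directory $1; print nothing for a plain directory.
mounted_device() {
    target=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    # Later mounts shadow earlier ones, so keep the last matching line.
    MP=$target awk '$2 == ENVIRON["MP"] { dev = $1 }
                    END { if (dev != "") print dev }' "$MOUNT_TABLE"
}

# Succeed only when $1 is currently backed by a VeraCrypt mapper device.
is_veracrypt_mount() {
    case "$(mounted_device "$1")" in
        /dev/mapper/veracrypt*) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy file $1 into mount point $2, but only while the volume is mounted.
safe_store() {
    if ! is_veracrypt_mount "$2"; then
        echo "refusing: $2 is not a mounted VeraCrypt volume" >&2
        return 1
    fi
    cp -- "$1" "$2"/
}

# Usage: ./safe_store.sh notes.txt example_mount
if [ "$#" -eq 2 ]; then
    safe_store "$1" "$2"
fi
```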

The above is all you need to create a VeraCrypt volume. Stop here if you're happy and comfortable. If you'd like to generate the random data instead of mashing the keyboard in an only semi-random manner, you can use a script to do so. Below is one of many, many different methods of generating this kind of random data. It uses Python, conveniently included in virtually all standard Linux distros. In addition to being much more random than an impatient human bashing the keyboard, it uses more than the 320 character minimum that the normal process demands.

Step 6: Using a Script to Generate Random Data

  1. In the same directory that you wish to create your volume, run the following command to create a Python file:
    nano random_source.py
  2. In the text editor, copy and paste the following:
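    #!/usr/bin/python3
    # Generate 1000 random characters to feed VeraCrypt's --random-source option.
    # secrets draws from the operating system's CSPRNG; the random module is
    # predictable and is not meant for key material.
    import secrets

    # Each character is a code point from 33 to 226.
    random_source = ''.join(chr(33 + secrets.randbelow(194)) for _ in range(1000))

    print(random_source)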
  3. Make the script executable.
    chmod 700 random_source.py
  4. Run the following command to generate a text file:
    ./random_source.py > random_source.txt
  5. Execute the create volume command as normal with an added --random-source flag.
    veracrypt -t -c --random-source random_source.txt
  6. Delete the random data.
    rm random_source.txt