Create Hidden Encrypted Volume on USB Drive Using VeraCrypt
In this tutorial, we are going to learn how to encrypt a USB drive using the free and open-source VeraCrypt program. By encrypting your external drive, your sensitive data is protected if any unexpected event happens such as it being lost or stolen. We will also learn how to mount the encrypted USB drive to the Linux file system.
VeraCrypt Features
- Support FAT, exFAT, EXT2, EXT3, EXT4 and Btrfs file system.
- Full-disk encryption
- Create encrypted file container
- Create hidden encrypted volumes
- Allows you to install a hidden encrypted operating system, which I think is more useful than Tails Linux for Journalists and dissidents.
- Available for Linux, macOS, Windows, and BSD.
- GUI mode and console mode
Step 1: install VeraCrypt on Linux
Arch Linux
VeraCrypt is included in Arch Linux repository, so Arch Linux users can run the following command to install it.
sudo pacman -S veracrypt
VeraCrypt provides official .deb and .rpm packages for Debian, Ubuntu, Fedora, CentOS, OpenSUSE. (Note: You can learn how to verify the integrity of VeraCrypt package before installing it.)
Ubuntu 22.04
wget https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-Ubuntu-22.04-amd64.deb sudo apt install ./veracrypt*.deb
Ubuntu 20.04
wget https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-Ubuntu-20.04-amd64.deb sudo apt install ./veracrypt*.deb
Debian 11
wget https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-Debian-11-amd64.deb sudo apt install ./veracrypt*.deb
Fedora/CentOS
wget https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-CentOS-8-x86_64.rpm sudo dnf install ./veracrypt*.rpm
OpenSUSE
wget https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-openSUSE-15-x86_64.rpm sudo zypper install ./veracrypt*.rpm
Generic Installer
For other Linux distributions, you need to manually install VeraCrypt using the generic installer, which is packaged as a .tar.bz2 file.
Step 2: Using VeraCrypt to Encrypt USB Drive
Hint: Make sure your data on the external drive is backed up before following the instructions below.
Fire up the VeraCrypt program from your system application menu. Then click create volume button to create a new volume.
In the next window, select the 2nd option: Encrypt a non-system partition/drive.
Now you can create a standard VeraCrypt volume or a hidden VeraCrypt volume. This tutorial is going to create a hidden VeraCrypt volume.
In the next window, click Select Device button and choose a location for the outer volume. If you create a hidden encrypted volume on a USB flash drive, then select the location of the USB flash drive. Make sure you select the right one because it will be formatted and all data on that drive will be lost. My USB drive is /dev/sdc, but yours might be different.
Then Veracrypt displays a warning. Use the arrow key to select Yes to continue.
Note: If this USB drive is already encrypted with other tools like LUKS, then you need to delete the encrypted volume in order to create VeraCrypt encrypted volume.
It requires root privileges to format a drive, so VeraCrypt will ask you to enter the sudo password.
Now you are presented with encryption options. You can choose any of these encryption algorithms since they are all very secure, but AES is much faster than the others and is widely used. If you are not sure what to select here, you can use the default settings.
Next, choose a good password for the outer volume.
Then choose the file system for the outer volume.
Next, move your mouse as randomly as possible within the VeraCrypt window to generate randomness for VeraCrypt encryption.
Once the randomness bar reaches the end, click the Format button and select Yes to continue.
Once the outer volume is formatted, it will be automatically mounted as /media/veracrypt1/ by VeraCrypt. Click the Open outer volume button to open this directory in your file manager and put some files in it.
Once the outer volume has some files, click the Next button. VeraCrypt will guide you to create the hidden volume.
You will need to choose an encryption algorithm and hash algorithm for the hidden volume. It’s a good practice to use different algorithm this time. For example:
- Outer volume: AES, SHA-512
- Hidden volume: Serpent (Twofish(AES)), Whirlpool.
Next, choose the hidden volume size. You can enter a number or choose all available free space. (Note: sometimes VeraCrypt might not allow you to continue without specifying a smaller size.)
Then set a password for the hidden volume. It must be different from the outer volume password.
Choose a file system format for the hidden volume.
Move your mouse as randomly as possible within the VeraCrypt window to generate randomness for VeraCrypt encryption. Once the randomness bar reaches the end, click the Format button.
And the hidden volume will be created. To prevent damage to the hidden volume, you should avoid writing to the outer volume.
Click the Exit button.
Mounting the Encrypted USB Drive
You can’t mount the USB drive in the normal way. If you want to see the content inside the encrypted USB drive, you will need to mount it via VeraCrypt.
First, select a drive slot in the upper part of the VeraCrypt main window.
Then click Select Device button to select your USB drive.
Next, click the Mount button on the bottom-left corner in the VeraCrypt main window.
You will need to enter the password for the outer volume.
You also need to enter your sudo password, because Linux requires root privilege to mount a drive.
Once it’s mounted, you can access it via file manager. VeraCrypt also tells you the mount point, and you can right-click on it and select Open to open it in file manager.
In the file manager, you won’t find the hidden volume. So how do you open the hidden volume?
Actually, the process is the same as mounting the outer volume. First, you should unmount the outer volume by clicking the dismount button. Then click Select Device to choose the USB drive, and click the Mount button. This time, you should enter the password for the hidden volume.
- If you enter the outer volume password, VeraCrypt will mount the outer volume.
- If you enter the hidden volume password, VeraCrypt will mount the hidden volume.
Wrapping Up
I hope this tutorial helped you encrypt USB drives on Linux. As always, if you found this post useful, then subscribe to our free newsletter or follow us on Twitter or like our Facebook page.
very cool!
Just what i needed for my private keys.
Thank you Linuxbabe!