2019-05-10
Download and install VeraCrypt:
```bash
apt-get install libfuse2 libfuse-dev makeself libwxbase3.0-0
wget https://launchpad.net/veracrypt/trunk/1.21/+download/veracrypt-1.21-raspbian-setup.tar.bz2
# check the archive against the PGP signature published by the VeraCrypt project before running the installer
# unarchive, run install script and extract the veracrypt binary
```
or compile it from source:
```bash
# save disk space by not installing all wxWidgets packages
# (p7zip-full provides the 7za command used below)
apt install make gcc pkg-config libfuse-dev p7zip-full
wget https://launchpad.net/veracrypt/trunk/1.23/+download/VeraCrypt_1.23_Source.tar.bz2
wget https://github.com/wxWidgets/wxWidgets/releases/download/v3.0.4/wxWidgets-3.0.4.7z
mkdir -p vc wx
# extract each archive in a subshell so the working directory stays unchanged
(cd wx && 7za x ../wxWidgets-*.7z)
(cd vc && tar -xjf ../VeraCrypt_*_Source.tar.bz2)
cd vc/src
# WX_ROOT points at the wx directory created above
make NOGUI=1 WXSTATIC=1 WX_ROOT=/path/to/wx wxbuild
make NOGUI=1 WXSTATIC=1

# or alternatively install wxWidgets packages
apt install make gcc pkg-config libfuse-dev libwxgtk3.0
wget https://launchpad.net/veracrypt/trunk/1.23/+download/VeraCrypt_1.23_Source.tar.bz2
# unarchive, run make

cp Main/veracrypt /usr/local/bin/
```
and apply my optional vc-mounter -headless systemd service (on the Raspberry Pi it seems that the shutdown does NOT cleanly unmount the volumes; see the UPS post for a solution).
Note: remember to use a kernel-supported cipher (check with `grep name /proc/crypto`), or you will get an `Error allocating crypto tfm` message in dmesg and the mount will fail.
Alternatively you can use the option `-m nokernelcrypto`, with degraded performance.
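The `/proc/crypto` check from the note above, as an added example (not part of the original post): instead of reading the `grep` output by eye, it compares the `name` fields exactly and prints the requested algorithms that are not registered. The sample table is constructed, and the function names and the algorithm names passed in are assumptions; substitute the cipher of your own volume.

```bash
#!/bin/sh
# Constructed excerpt in /proc/crypto format (not captured from a real Pi).
sample_proc_crypto() {
cat <<'EOF'
name         : xts(aes)
driver       : xts(aes-generic)
module       : kernel
priority     : 100
type         : skcipher

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
type         : cipher

name         : sha512
driver       : sha512-generic
module       : kernel
priority     : 100
type         : shash
EOF
}

# Read a /proc/crypto-format table on stdin and print the unique values of
# its "name" fields (the "driver" and "module" fields are ignored).
registered_names() {
    awk -F': *' '$1 ~ /^name[ \t]*$/ { print $2 }' | sort -u
}

# Usage: missing_algos NAME... < table
# Prints every NAME that is not registered. The match is on the whole name,
# so "aes" is not satisfied by "xts(aes)" and "xts" is not satisfied by it either.
missing_algos() {
    names=$(registered_names)
    for want in "$@"; do
        printf '%s\n' "$names" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Demo on the constructed sample: serpent and twofish are not in it.
sample_proc_crypto | missing_algos aes serpent twofish "xts(aes)"
```

On a real system feed it the live table, for example `missing_algos aes < /proc/crypto`. A name can also be absent only because its kernel module has not been loaded yet.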
You can test disk speed with these commands:
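```bash
# note: both commands write zeros straight to the mapped device and overwrite whatever is on it
dd if=/dev/zero of=/dev/mapper/xxx bs=1G count=1 oflag=dsync # throughput
dd if=/dev/zero of=/dev/mapper/xxx bs=512 count=1000 oflag=dsync # latency
```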
This seems to make sense... but after some tests on the Raspberry Pi 3 I found that `-m nokernelcrypto` is 3x faster than using kernel crypto services! :-O
For the sake of speed always remember to use a filesystem block size compatible with the device one [1] (refer to `man mkfs.xxxx`), for example:

```bash
cat /sys/block/sdX/queue/physical_block_size # => 4096
mkfs.extX -E nodiscard -b 4096 /dev/sdaX
```
Notes for SSD drives:
- Remember to disable TRIM [2] operation via the `-m nokernelcrypto` switch (vc-mounter already does it) and use the `nodiscard` mount option [3].
- You can use WDE/FDE (whole/full disk encryption) on an SSD drive because it does NOT require space overprovisioning unless you have a demanding workload (especially one with many random writes). Note that if you still want to leave some unallocated space (to further reduce write amplification [4]) then it must be trimmed [5] if it has been written to before, otherwise it will have no benefit as the drive will see that space as occupied.
- Comment out any fstrim usage in `/etc/cron.*` (find it with `grep -rin fstrim /etc`).
- The `util-linux` package provides `fstrim.service` and `fstrim.timer` systemd unit files: eventually disable enable them.
Source: VeraCrypt setup and homepage, wiki.archlinux, raspbian forum
Seagate overprovisioning
Use 20-25% of the capacity = real OP + dynamic OP (unused/trimmed space).
