Download and install VeraCrypt:
    apt-get install libfuse2 libfuse-dev makeself libwxbase3.0-0
    wget https://launchpad.net/veracrypt/trunk/1.21/+download/veracrypt-1.21-raspbian-setup.tar.bz2
    # unarchive, run install script and extract the veracrypt binary
or compile it from source:
    # save disk space by not installing all wxWidgets packages
    # (p7zip-full provides the 7za command used below)
    apt install make gcc pkg-config libfuse-dev p7zip-full
    wget https://launchpad.net/veracrypt/trunk/1.23/+download/VeraCrypt_1.23_Source.tar.bz2
    wget https://github.com/wxWidgets/wxWidgets/releases/download/v3.0.4/wxWidgets-3.0.4.7z
    mkdir -p vc wx
    # extract wxWidgets, then return to the parent directory
    cd wx && 7za x ../wxWidgets-*.7z && cd ..
    cd vc && tar -xjf ../VeraCrypt_*_Source.tar.bz2
    # already inside vc/, so the sources are in ./src
    cd src
    make NOGUI=1 WXSTATIC=1 WX_ROOT=/path/to/wx wxbuild
    make NOGUI=1 WXSTATIC=1

    # or alternatively install wxWidgets packages
    apt install make gcc pkg-config libfuse-dev libwxgtk3.0
    wget https://launchpad.net/veracrypt/trunk/1.23/+download/VeraCrypt_1.23_Source.tar.bz2
    # unarchive, run make

    cp Main/veracrypt /usr/local/bin/
Note: remember to use a kernel-supported cipher (list them with grep name /proc/crypto), or you will get an "Error allocating crypto tfm" message in dmesg, which prevents the mount. Alternatively, you can use the option -m nokernelcrypto, with degraded performance.
You can test disk speed with these commands:
    # both commands overwrite data on the mapped volume
    dd if=/dev/zero of=/dev/mapper/xxx bs=1G count=1 oflag=dsync      # throughput
    dd if=/dev/zero of=/dev/mapper/xxx bs=512 count=1000 oflag=dsync  # latency
This seems to make sense... but after some tests on the Raspberry Pi 3 I found that -m nokernelcrypto is 3x faster than using kernel crypto services! :-O
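The cipher check from the note above can be scripted. This is an added example, not code from the original page: the function names, the CRYPTO_FILE variable and the sample records are constructed for illustration, and unlike a plain grep it also requires the algorithm's self-test to have passed.

```sh
# Added example, not from the original page. Names are hypothetical.
# /proc/crypto lists only algorithms registered right now: a cipher built as
# a module that is not loaded yet stays absent until it is loaded.

# Constructed sample in /proc/crypto format: aes is usable, twofish has not
# passed its self-test, serpent is not registered at all.
sample_proc_crypto() {
cat <<'EOF'
name         : aes
driver       : aes-generic
selftest     : passed
type         : cipher

name         : twofish
driver       : twofish-generic
selftest     : unknown
type         : cipher

name         : sha256
driver       : sha256-generic
selftest     : passed
type         : shash
EOF
}

# Succeeds if a record named $1 exists and its self-test passed.
# Records are blank-line separated blocks of "key : value" lines.
kernel_has_alg() {
    awk -v want="$1" '
        BEGIN { RS = ""; FS = "\n" }
        {
            name = ""; selftest = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, /[ \t]*:[ \t]*/)
                if (kv[1] == "name")     name = kv[2]
                if (kv[1] == "selftest") selftest = kv[2]
            }
            if (name == want && selftest == "passed") found = 1
        }
        END { exit !found }
    ' "${CRYPTO_FILE:-/proc/crypto}"
}

# Prints each requested cipher the kernel cannot provide, one per line.
missing_algs() {
    for alg in "$@"; do kernel_has_alg "$alg" || echo "$alg"; done
}

# Prints the extra mount option to pass when any cipher is missing.
mount_opt() { [ -z "$(missing_algs "$@")" ] || echo "-m nokernelcrypto"; }
```

With CRYPTO_FILE unset the functions read the live /proc/crypto; for example, mount_opt aes serpent prints -m nokernelcrypto when either cipher is unavailable to the kernel.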
For the sake of speed, always remember to use a filesystem block size compatible with the device's [1] (refer to man mkfs.xxxx), for example:
    cat /sys/block/sdX/queue/physical_block_size # => 4096
    mkfs.extX -E nodiscard -b 4096 /dev/sdaX
Notes for SSD drives:
You can use WDE/FDE (whole/full disk encryption) on an SSD drive because it does NOT require space overprovisioning unless you have a demanding workload (especially one with many random writes). Note that if you still want to leave some unallocated space (to further reduce write amplification [4]), then it must be trimmed [5] if it has been written to before; otherwise it will have no benefit, as the drive will see that space as occupied.
Comment out any fstrim usage in /etc/cron.* (find it with grep -rin fstrim /etc).
fstrim.timer systemd unit files, if present: disable/enable them.