Ubuntu – Can VeraCrypt use persistent mount points on Linux

bashencryptionmountpathsveracrypt

Can VeraCrypt use persistent mount points on Linux?

Windows + VeraCrypt + encrypted volume absolute paths

On Windows I can mount veracrypt encrypted partitions/disks via batch script which employs device name displayed by mountvol.exe. Such an attribute is highly useful since rebooting can lead to alteration of relative path (\Device\Harddisk1\Partition3 –> reboot –> \Device\Harddisk3\Partition3).

My batch script for veracrypt volumes on Windows (shortened form):

@echo
"C:\Program Files\VeraCrypt\VeraCrypt.exe" /v \\?\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\ /l z /m label=Encrypted_1 /q
"C:\Program Files\VeraCrypt\VeraCrypt.exe" /v \\?\Volume{yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy}\ /l f /m label=Encrypted_2 /q
[...]
pause

Linux + VeraCrypt + encrypted volume relative paths only?

I have no knowledge about the existence of parallel command to Windows' /v \\?\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\ avaliable for the Linux commandline. I tried (in vain) --mount=/dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx flag, since mountvol.exe volume name is (probably) based on UUID number (imperceptible for blkid, though). Official veracrypt/truecrypt documentation allows Linux user to operate only with relative (variable) paths (/dev/sda3 –> reboot –> /dev/sdc3). Due to inconstancy, paths have to be verified each time after the OS is loaded.

My bash script for mounting veracrypt volumes on Linux (shortened form):

#! /bin/bash
#
echo "Encrypted_1" && veracrypt --mount /dev/sdq --slot=12 --verbose && echo "Encrypted_1"
echo "Encrypted_2" && veracrypt --mount /dev/sdz3 --slot=1 --verbose && echo "Encrypted_2"
[...]

Solution?

Does anyone know whether VeraCrypt volume location can be described in absolute terms on Linux?

If it is not possible, please provide suggestions for achieving the same objective? (eg: udev? fstab?)

Erratum

mountvol.exe recognizes GUID, not UUID as was written above.

Best Answer

I have elaborated below answer posted by David Foerster and made it more descriptive and clear for other Linux users interested in presented subject.

Linux + VeraCrypt + encrypted volume absolute paths

According to my research, it seems that assignment of absolute path to VeraCrypt volume is impossible (at least currently) (vide: by-id and by-path entry on wiki.archlinux.org under Persistent block device naming (1)).

Linux + VeraCrypt + semi-persistent block device naming

However, we can use semi-persistent block device naming.

1. by-path

/dev/disk/by-path/ depends on shortest physical path (2) and changes as port of controller is switched (3).

To obtain /dev/disk/by-path/ descriptor, type:

ls -l /dev/disk/by-path/

You can use obtained naming to mount VeraCrypt volume:

veracrypt --mount /dev/disk/by-path/[by-path] --slot=6 --verbose

/dev/disk/by-path/[by-path] can replace relative path in bash script:

#! /bin/bash
#
echo "Encrypted_1" && veracrypt --mount /dev/disk/by-path/[by-path1] --slot=12 --verbose && echo "Encrypted_1"
echo "Encrypted_2" && veracrypt --mount /dev/disk/by-path/[by-path2] --slot=1 --verbose && echo "Encrypted_2"
[...]

2. by-id

/dev/disk/by-id/ is created according to device serial number (4). wiki.archlinux.org states that /dev/disk/by-id/ cannot survive hardware changes i.e. scenario where device is plugged to port of controller subjected to different subsystem (5). access.redhat.com, on the other side, claims that /dev/disk/by-id/ can be maintained even if device is accessed by different systems (6). Thus, symlink appears to be quite stable in case of /dev/disk/by-id/ being applied.

To obtain /dev/disk/by-id/ device naming, type:

ls -l /dev/disk/by-id/

Now, when you have correct one, it can be used to mount VeraCrypt volume:

veracrypt --mount /dev/disk/by-id/[id] --slot=6 --verbose

Analogously to what was noted in paragraph one, /dev/disk/by-id/ can be used in bash script:

#! /bin/bash
#
echo "Encrypted_1" && veracrypt --mount /dev/disk/by-id/[id1] --slot=12 --verbose && echo "Encrypted_1"
echo "Encrypted_2" && veracrypt --mount /dev/disk/by-id/[id2] --slot=1 --verbose && echo "Encrypted_2"

Maybe it will be helpful for someone.

Addendum

/dev/disk/by-id/ is not stable enough to forget about correcting mounting script after reboot.

Related Solutions

Ubuntu – the recommended way to use VeraCrypt in Ubuntu

There is user Unit 193 who prepares ready builds of VeraCrypt on Launchpad. You can easily install it by adding his repo to Ubuntu sources:

sudo add-apt-repository ppa:unit193/encryption
sudo apt update
sudo apt install veracrypt

You should be aware that this repo is not related to the software developer and because of it you can't be 100% sure what you install or update in future. However Unit 193 is Xubuntu developer and he is well known in open source community. This is enough for me to sleep well.

Ubuntu – How can user mount an encrypted file container in VeraCrypt

Warning: Only use @Pawel Debski solution if agree the following:

Any user or hacker getting access to an user account in veracryptusers group can run any commands as root, by downloading a prepared container file containing malicious code running as root.

So using that solution you might consider to use a special user profile for veracrypt. As a result, sodo is easier to use.

Steps to test the security problem:

Create a container file (ext2-4)
Copy or create a binary file (e.g. whoami)
Change binary owner to root
Add setuid to the binary
Call the binary with a non-root-user account

The binary will run with root privilege.

Hint: I added this solution as the warning at Pawel Debski is inconspicuously. The risk is much greater than the benefit as long as the system has an internet connection.