Introduction to VeraCrypt

VeraCrypt is a disk encryption tool that works on Windows, macOS, and Linux.

Comparison between LUKS and VeraCrypt

You can also create and open LUKS encrypted volumes in Tails. LUKS is the standard for disk encryption in Linux. See our documentation about LUKS.

We recommend you use:

  • VeraCrypt to share encrypted files across different operating systems.
  • LUKS to encrypt files for Tails and Linux.
LUKSVeraCrypt
CompatibilityLinuxWindows + macOS + Linux
Create new volumesYesOutside of Tails
Open and modify existing volumesYesYes
Encrypted partitions (or entire disks) ¹YesYes
Encrypted file containers ¹Complicated ²Easy
Plausible deniability ³NoYes
Ease of useEasierMore complicated
SpeedFasterSlower
  1. See the difference between file containers and partitions.

  2. See Tyler Burton: How to migrate from TrueCrypt to LUKS file containers.

  3. Plausible deniability: in some cases (for example, with VeraCrypt hidden volumes), it is impossible for an adversary to technically prove the existence of an encrypted volume.

    Still, deniable encryption might not protect you if you are forced to reveal the existence of the encrypted volume. See:

To create new VeraCrypt volumes, do so outside of Tails. See the step-by-step guides by Security-in-a-Box:

Difference between file containers and partitions

With VeraCrypt you can store your files encrypted in two different kinds of volumes:

File containers

A file container is a single big file inside which you can store several files encrypted, a bit like a ZIP file.

Partitions or drives

Usually, drives (USB sticks and hard disks) have a single partition of their entire size. This way, you can encrypt a whole USB stick, for example. But, drives can also be split into several partitions.

Unlocking parameters

To unlock a VeraCrypt volume, you might need the following parameters, depending on the options that were selected when the volume was created:

Due to current limitations in Debian, using a PIM fails in Tails. It will become possible in Tails 4.0 (late 2019).

Using a file container

Unlocking a file container without keyfiles

  1. Choose Applications ▸ Utilities ▸ Unlock VeraCrypt Volumes.

  2. Click Add and choose the file container that you want to unlock.

  3. Enter the parameters to unlock the volume. For more information, see the Unlocking parameters section above.

    Click Unlock.

  4. Unlock VeraCrypt Volumes unlocks your volume.

    If unlocking the volume fails (for example, if you mistyped the password), click on Unlock to try unlocking again.

  5. Click Open to open the volume in the Files browser.

Unlocking a file container with keyfiles

  1. Choose Applications ▸ Utilities ▸ Disks to start the Disks utility.

  2. Choose Disks ▸ Attach Disk Image… from the top navigation bar.

  3. In the Select Disk Image to Attach dialog:

    • Unselect the Set up read-only loop device check box in the bottom-left corner if you want to modify the content of the file container.

    • Choose All Files in the file filter in the bottom-right corner.

    • Navigate to the folder containing the file container that you want to open.

    • Select the file container and click Attach.

  4. In the left pane, select the new Loop Device that corresponds to your file container.

    In the right pane, it should have an Encrypted? label.

  5. Click the Unlock
selected encrypted partition button in the right pane.

  6. Enter the parameters to unlock the volume. For more information, see the Unlocking parameters section above.

    Click Unlock.

  7. Select the file system that appears below the unlocked volume. It probably has a FAT or NTFS content.

  8. Click the Mount selected partition button to mount the volume.

  9. Click on the /media/amnesia/ link in the right pane to open the volume in the Files browser.

Closing a file container

You can either:

  • In the sidebar of the Files browser, click on the Eject button on the label of the volume corresponding to your file container.

  • In Unlock VeraCrypt Volumes, click on the button in the line that corresponds to your file container.

Using a partition or drive

Unlocking a partition or drive without keyfiles

  1. If your partition or drive is on an internal hard disk, set up an administration password when starting Tails.

    Otherwise, plug in the USB stick or the hard disk that you want to unlock.

  2. Choose Applications ▸ Utilities ▸ Unlock VeraCrypt Volumes.

  3. In the list of partitions, click Unlock in the line that corresponds to your USB stick or hard disk.

  4. Enter the parameters to unlock the volume. For more information, see the Unlocking parameters section above.

    Click Unlock.

  5. Click Open to open the volume in the Files browser.

Unlocking a partition or drive with keyfiles

  1. If your partition or drive is on an internal hard disk, set up an administration password when starting Tails.

    Otherwise, plug in the USB stick or the hard disk that you want to unlock.

  2. Choose Applications ▸ Utilities ▸ Disks to start the Disks utility.

  3. In the left pane, select the drive that corresponds to your USB stick or hard disk.

  4. In the right pane, select the partition that corresponds to your VeraCrypt volume.

    It should have an Encrypted? label.

  5. Click the Unlock
selected encrypted partition button in the right pane.

  6. Enter the parameters to unlock the volume. For more information, see the Unlocking parameters section above.

    Click Unlock.

  7. Select the file system that appears below the unlocked volume. It probably has a FAT or NTFS content.

  8. Click the Mount selected partition button to mount the volume.

  9. Click on the /media/amnesia/ link in the right pane to open the volume in the Files browser.

Closing a partition or drive

You can either:

  • In the sidebar of the Files browser, click on the Eject button on the label of the volume corresponding to your partition.

  • In Unlock VeraCrypt Volumes, click on the button in the line that corresponds to your USB stick or hard disk.