Can VeraCrypt use persistent mount points on Linux?
Can VeraCrypt use persistent mount points on Linux?
Windows + VeraCrypt + encrypted volume absolute paths
On Windows I can mount veracrypt encrypted partitions/disks via batch script which employs device name displayed by mountvol.exe
. Such an attribute is highly useful since rebooting can lead to alteration of relative path (\Device\Harddisk1\Partition3
--> reboot --> \Device\Harddisk3\Partition3
).
My batch script for veracrypt volumes on Windows (shortened form):
@echo
"C:\Program Files\VeraCrypt\VeraCrypt.exe" /v \\?\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\ /l z /m label=Encrypted_1 /q
"C:\Program Files\VeraCrypt\VeraCrypt.exe" /v \\?\Volume{yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy}\ /l f /m label=Encrypted_2 /q
[...]
pause
Linux + VeraCrypt + encrypted volume relative paths only?
I have no knowledge about the existence of parallel command to Windows' /v \\?\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\
avaliable for the Linux commandline. I tried (in vain) --mount=/dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
flag, since mountvol.exe
volume name is (probably) based on UUID number (imperceptible for blkid
, though). Official veracrypt/truecrypt documentation allows Linux user to operate only with relative (variable) paths (/dev/sda3
--> reboot --> /dev/sdc3
). Due to inconstancy, paths have to be verified each time after the OS is loaded.
My bash script for mounting veracrypt volumes on Linux (shortened form):
#! /bin/bash
#
echo "Encrypted_1" && veracrypt --mount /dev/sdq --slot=12 --verbose && echo "Encrypted_1"
echo "Encrypted_2" && veracrypt --mount /dev/sdz3 --slot=1 --verbose && echo "Encrypted_2"
[...]
Solution?
Does anyone know whether VeraCrypt volume location can be described in absolute terms on Linux?
If it is not possible, please provide suggestions for achieving the same objective? (eg: udev
? fstab
?)
Erratum
mountvol.exe
recognizes GUID
, not UUID
as was written above.
I have elaborated below answer posted by David Foerster and made it more descriptive and clear for other Linux users interested in presented subject.
Linux + VeraCrypt + encrypted volume absolute paths
According to my research, it seems that assignment of absolute path to VeraCrypt volume is impossible (at least currently) (vide: by-id and by-path entry on wiki.archlinux.org under Persistent block device naming (1)).
Linux + VeraCrypt + semi-persistent block device naming
However, we can use semi-persistent block device naming.
1. by-path
/dev/disk/by-path/
depends on shortest physical path (2) and changes as port of controller is switched (3).
To obtain /dev/disk/by-path/
descriptor, type:
ls -l /dev/disk/by-path/
You can use obtained naming to mount VeraCrypt volume:
veracrypt --mount /dev/disk/by-path/[by-path] --slot=6 --verbose
/dev/disk/by-path/[by-path]
can replace relative path in bash script:
#! /bin/bash
#
echo "Encrypted_1" && veracrypt --mount /dev/disk/by-path/[by-path1] --slot=12 --verbose && echo "Encrypted_1"
echo "Encrypted_2" && veracrypt --mount /dev/disk/by-path/[by-path2] --slot=1 --verbose && echo "Encrypted_2"
[...]
2. by-id
/dev/disk/by-id/
is created according to device serial number (4). wiki.archlinux.org states that /dev/disk/by-id/
cannot survive hardware changes i.e. scenario where device is plugged to port of controller subjected to different subsystem (5). access.redhat.com, on the other side, claims that /dev/disk/by-id/
can be maintained even if device is accessed by different systems (6). Thus, symlink
appears to be quite stable in case of /dev/disk/by-id/
being applied.
To obtain /dev/disk/by-id/
device naming, type:
ls -l /dev/disk/by-id/
Now, when you have correct one, it can be used to mount VeraCrypt volume:
veracrypt --mount /dev/disk/by-id/[id] --slot=6 --verbose
Analogously to what was noted in paragraph one, /dev/disk/by-id/
can be used in bash script:
#! /bin/bash
#
echo "Encrypted_1" && veracrypt --mount /dev/disk/by-id/[id1] --slot=12 --verbose && echo "Encrypted_1"
echo "Encrypted_2" && veracrypt --mount /dev/disk/by-id/[id2] --slot=1 --verbose && echo "Encrypted_2"
Maybe it will be helpful for someone.
Addendum
/dev/disk/by-id/
is not stable enough to forget about correcting mounting script after reboot.
Unfortunately the UUIDs and labels of the file system inside encrypted containers are inaccessible due to encryption and TrueCrypt/VeraCrypt containers don't carry UUIDs or labels on their own (or at least none that udev knows about as opposed to those of LUKS containers).
There's one other sufficiently stable identifier for storage volumes in Linux: disk IDs. You can find them in:
/dev/disk/by-id/
So far I never noticed any dramatic changes to the symbolic links in there, since the names are generated by
- udev, whose basic storage configuration doesn't change often,
- based on the manufacturer name, model name and serial number reported by the drive firmware, which also doesn't change often.