What is the recommended way to use VeraCrypt in Ubuntu?

I have a number of encrypted volumes on external media encrypted either with TrueCrypt or VeraCrypt. What is the recommended way to install and use VeraCrypt under Ubuntu?


Solution 1:

A user, Unit 193, prepares ready-made builds of VeraCrypt on Launchpad. You can easily install it by adding his repo to the Ubuntu sources:

    sudo add-apt-repository ppa:unit193/encryption
    sudo apt update
    sudo apt install veracrypt

You should be aware that this repo is not related to the software developer, and because of that you can't be 100% sure what you install or update in the future. However, Unit 193 is a Xubuntu developer and he is well known in the open source community. This is enough for me to sleep well.

Solution 2:

I chose to download veracrypt-1.21-setup.tar.bz2, uncompress it and install manually:

  • Download the latest release (from link above):

    wget https://launchpad.net/veracrypt/trunk/1.23/+download/veracrypt-1.23-setup.tar.bz2
    
  • Unpack it:

    $ tar xvf veracrypt-1.23-setup.tar.bz2 
    veracrypt-1.23-setup-console-x64  
    veracrypt-1.23-setup-console-x86
    veracrypt-1.23-setup-gui-x64
    veracrypt-1.23-setup-gui-x86
    
  • Run your installer of choice:

    ./veracrypt-1.23-setup-gui-x64
    
  • Done! Run veracrypt with

    veracrypt
    

I chose not to follow s3m3n's suggestion because I would prefer not to have encryption automatically updated so as not to lose access to encrypted containers in case of some incompatibility between versions.

VeraCrypt is mature and stable, and occasional manual updates can easily be handled.

Solution 3:

If you don't trust the PPA or prefer to install it yourself, you can follow this:

Read https://www.veracrypt.fr/en/Digital%20Signatures.html & download the tar.bz2 files.

Download the key with the ID shown in the above webpage: 5069A233D55A0EEB174A5FC3821ACD02680D16DE

    gpg --keyserver keys.gnupg.net --recv-key 5069A233D55A0EEB174A5FC3821ACD02680D16DE

Verify files (replace ## with the version of your installation):

    gpg --verify veracrypt-1.##-sha256sum.txt.sig veracrypt-1.##-sha256sum.txt
    gpg --verify veracrypt-1.##-setup.tar.bz2.sig veracrypt-1.##-setup.tar.bz2

Install files:

    tar xvjf veracrypt-1.##-setup.tar.bz2
    ./veracrypt-1.##-setup-gui-x64

Done. You should have a GUI app on your desktop.

Note that if you don't have a trust chain to the PGP key, you only trust the key because the website says it's theirs, and so you trust the website hasn't been hacked, or the key compromised another way.
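
The verification steps in Solution 3 can be pinned to the quoted fingerprint, since `gpg --verify` on its own accepts a good signature from any key in the keyring. The script below is an added example, not part of the answer above; its function names and the assumed "digest  filename" layout of the sha256sum file are illustrative.

```shell
#!/bin/sh
# Added example, not from the original answer. Fingerprint is the one quoted there.
EXPECTED_FPR=5069A233D55A0EEB174A5FC3821ACD02680D16DE

# sig_status_ok FPR: read `gpg --status-fd` lines on stdin. Succeed only when a
# GOODSIG (not emitted for expired or revoked keys) is followed by a VALIDSIG
# whose signing-key field ($3) or primary-key field (last) equals FPR.
sig_status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1; next }
        $2 == "VALIDSIG" { if (good && ($3 == want || $NF == want)) ok = 1; good = 0 }
        END { exit ok ? 0 : 1 }'
}

# verify_detached SIG FILE: judge gpg's machine-readable status stream rather
# than its exit code, so only the expected key can satisfy the check.
verify_detached() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        sig_status_ok "$EXPECTED_FPR"
}

# hash_listed SUMS FILE: succeed if FILE's SHA-256 is listed under its name in
# SUMS (assumed layout: "<hex digest>  <filename>" per line).
hash_listed() {
    hl_digest=$(sha256sum "$2" | cut -d' ' -f1)
    awk -v d="$hl_digest" -v f="$(basename "$2")" '
        tolower($1) == d && ($2 == f || $2 == ("*" f)) { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# verify_release TARBALL TARBALL_SIG SUMS SUMS_SIG
verify_release() {
    verify_detached "$4" "$3" || { echo "FAIL: checksum list signature" >&2; return 1; }
    verify_detached "$2" "$1" || { echo "FAIL: tarball signature" >&2; return 1; }
    hash_listed "$3" "$1"     || { echo "FAIL: tarball hash not in signed list" >&2; return 1; }
    echo "OK: signed by $EXPECTED_FPR and hash matches"
}

# Run only when called with the four file arguments.
if [ "$#" -eq 4 ]; then verify_release "$@"; fi
```

Run it with the tarball, its `.sig`, the sha256sum file and its `.sig` as arguments; the note above about lacking a trust chain to the key still applies.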

Solution 4:

All of the other answers rely on trusting somebody to compile VeraCrypt for you, with no possibility to check whether or not the executable has been tampered with.

Trust, but verify

To remedy this situation, I created a Dockerfile called docker-build-veracrypt which generates a reproducible build of the VeraCrypt executable, directly from the publicly available source code of VeraCrypt and wxWidgets on GitHub. You have the following options:

  • You can simply download the resulting executable.

  • You can download an image from Docker Hub containing the executable as the result of an automated build of my Dockerfile.

  • You can build the Dockerfile yourself, producing the executable on your own hardware.

  • Reading my Dockerfile and performing similar commands, you can build the executable on your host system.

Moreover, I have provided checksums (MD5, SHA256 and BLAKE2) which you can use to verify that the results of the above four procedures agree. Thus it is easy for anyone to audit my build process.