VeraCrypt on Mac OSX El Capitan

Veracrypt provides on-the-fly encryption and is the successor to, and a fork of, the Truecrypt project. Back in Fall of 2015 the Truecrypt maintainers stated the code was “not secure”. When this happened it left the security community at a loss, trying to work out what “not secure” meant. However, after several months the internet rolled on and someone decided to pick up the torch and keep running. In this guide I am just running through the installation of Veracrypt, creating Veracrypt containers, and creating hidden Veracrypt containers on Mac OSX El Capitan.

Install/Setup Veracrypt

  1. Download OSXFuse which is required by Veracrypt.
    1. Additionally, OSXFuse is a nice bonus because now you can write to NTFS partitions :).
  2. Install OSXFuse
  3. Download Veracrypt
  4. Install Veracrypt
  5. Once Veracrypt is installed we can mount or create Veracrypt containers.

Creating Veracrypt Container

  1. Open Veracrypt
  2. Select “Create volume”
  3. This menu allows you to select the type of container.
    1. Encrypted File Container – A VeraCrypt volume can reside in a file, which is also called a container, in a partition or drive.
      1. We are going to select “File Container” for this guide.
    2. Encrypted Partition/Drive Container – This option allows the user to encrypt a partition/drive where an operating system may reside.
      1. Please beware that Veracrypt supports full disk encryption for Windows and Linux.
        1. It is recommended to use LUKS on Linux systems.
  4. This page allows you to select the type of volume.
  5. Veracrypt Container Basics
    1. In the next few steps you will be choosing a static size for the Veracrypt container. Once a container is created its size cannot be changed unless you create a new container. The encryption process will take the entire space and encrypt it. This ensures that no one can read the file contents or guess the contents of the container based on the used space. To an attacker it’s nothing but random bits.
    2. Volume Type
      1. Standard VeraCrypt Volume – As seen above a standard container can contain files and free space. However to an adversary the container is all random bits so they can’t tell the contents of the container.
        1. We are going to select “Standard Veracrypt Volume”
      2. Hidden Veracrypt Volume – Since we know the entire container is encrypted we know it is impossible to detect a hidden volume. A hidden container works by putting a container inside a container. The Veracrypt container will have two passwords: the first one is for the outer/fake portion and the second password is for the hidden portion.
  6. This page allows you to create a file for the Veracrypt container OR insert the container to an existing file.
    1. For this guide we are going to create a new file.
    2. Select “Select file”
    3. Enter a name into Save As
    4. Enter a location to save the file for “Where”
    5. Select “Save”
  7. This page allows you to choose the encryption algorithm and hash algorithm
    1. Encryption algorithm – Veracrypt gives the user the ability to select their preferred encryption algorithm. Please keep in mind once the encryption algorithm is chosen it cannot be changed. Additionally, Veracrypt supports cascading encryption types for multiple layers of encryption.
    2. Hash algorithm – Veracrypt allows the user to select their preferred hashing algorithm. The hashing algorithm is used by the random number generator to create master/secondary keys and the salt.
  8. This page allows you to determine the size of the Veracrypt container. Please keep in mind the container size is fixed and CANNOT be resized later.
  9. This page allows you to set up a password for the container, a keyfile for the container, and the PIM iteration for the container.
    1. Password – A string of alphanumeric characters used to unlock the container.
    2. Keyfile – A file whose contents should be unique and is combined with a password to unlock the container.
    3. PIM – A value that controls the number of iterations used by the header key derivation function. The PIM can be treated as a secret value that must be entered manually by the user every time they want to unlock the container.
  10. This page allows you to choose the filesystem format. Depending on the operating system mounting this image this can be important. Additionally, keep in mind the limitations of filesystems; for example, FAT can support files up to 4GB.
  11. This page is my favorite part. Veracrypt needs to generate a random pool of data for the key. They have this nifty tool that tracks your mouse movements and those random movements create entropy. So have fun and go nuts with your mouse!
  12. Select Format
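
To make the PIM setting from step 9 concrete, here is an added example (not from the original post and not VeraCrypt's own code) that maps a PIM to a PBKDF2 iteration count and shows that a wrong PIM yields a different header key. It assumes the documented file-container formula of 15000 + PIM × 1000 iterations with a default PIM of 485, a 64-byte header salt, and a single-cipher 64-byte key; keyfile mixing and the real header decryption check are not modelled, and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import time

DEFAULT_PIM = 485   # documented default for file containers (500,000 iterations)
SALT_LEN = 64       # header salt length in bytes
KEY_LEN = 64        # assumption: one XTS cipher, i.e. two 256-bit keys


def pim_to_iterations(pim=0):
    """Iteration count for a file container; 0 or None selects the default PIM."""
    if pim is None or pim == 0:
        pim = DEFAULT_PIM
    if pim < 0:
        raise ValueError("PIM must be a positive integer")
    return 15000 + pim * 1000


def derive_header_key(password, salt, pim=0, prf="sha512"):
    """PBKDF2-HMAC over the password; the PIM only changes the iteration count."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 64 bytes")
    return hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt,
                               pim_to_iterations(pim), dklen=KEY_LEN)


def unlock_attempt(password, salt, pim, expected_key):
    """Simplified unlock check: true only if password AND PIM both match.

    The real software decrypts the header with the derived key and validates
    it; comparing keys directly is a stand-in for that step.
    """
    candidate = derive_header_key(password, salt, pim)
    return hmac.compare_digest(candidate, expected_key)


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)                      # constructed sample salt
    password = "constructed-sample-passphrase-01"    # constructed, not a real secret
    real_key = derive_header_key(password, salt, pim=600)
    for guess in (0, 599, 600):
        start = time.perf_counter()
        ok = unlock_attempt(password, salt, guess, real_key)
        print(f"PIM {guess or 'default'}: {pim_to_iterations(guess)} iterations, "
              f"{time.perf_counter() - start:.2f}s, unlocks={ok}")
```

Each guess pays the full key-derivation cost, so a higher PIM slows both legitimate mounts and password guessing by the same factor.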

A fun lil tidbit about Veracrypt containers. The internet will lead you to believe there are ways to detect Truecrypt containers; however, those methods are not perfect, nor do they have good accuracy (as of the date of this post). When we run the file command on the container it just returns “DATA”. The best method to date is that the size of every Veracrypt/Truecrypt container is ALWAYS evenly divisible by 1024.
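
The checks described above can be combined into a small triage script. This is an added example, not part of the original post: it flags a file as a possible container only when its size is a multiple of 1024, it starts with no known magic bytes, and its content looks random. The entropy threshold, the short magic list and the sample files are assumptions constructed for the demo, and any encrypted or well-compressed blob of the right size will also match, so a hit is a lead and not proof.

```python
import math
import os
import tempfile
from collections import Counter

# A few well-known magic numbers; a real triage tool would use libmagic instead.
KNOWN_MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\x1f\x8b", b"\x7fELF")


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 means uniformly random bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def triage(path, sample_size=1 << 20, min_entropy=7.9):
    """Evaluate each heuristic for one file and whether all of them fire."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    result = {
        "size_multiple_of_1024": size > 0 and size % 1024 == 0,
        "no_known_magic": not sample.startswith(KNOWN_MAGIC),
        "entropy": round(shannon_entropy(sample), 3),
    }
    result["candidate"] = (result["size_multiple_of_1024"]
                           and result["no_known_magic"]
                           and result["entropy"] >= min_entropy)
    return result


def demo():
    """Write constructed sample files to a temp directory and triage them."""
    mib = 1024 * 1024
    samples = {
        "random_1MiB.bin": os.urandom(mib),        # stands in for a container
        "random_odd.bin": os.urandom(mib + 7),     # random, but size not aligned
        "zeros_1MiB.bin": bytes(mib),              # aligned, but not random
        "fake.pdf": b"%PDF-1.4\n" + os.urandom(mib - 9),  # aligned, known magic
    }
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(blob)
            out[name] = triage(path)
    return out


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, res)
```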


Mounting Veracrypt Container

  1. Open Veracrypt, select an open drive slot, and select “Select File”
  2. Find Veracrypt container and select open
  3. Once the file is loaded select “Mount”
    1. Enter password for Veracrypt container
    2. If your Veracrypt container needs a keyfile select “Keyfiles”
      1. Select “Add files”
      2. Find your file(s) and select “Ok”
    3. Select “Mount”
      1. If you get error 255 for OSXFuse on Mac OSX:
      2. brew install Caskroom/cask/osxfuse
      3. reboot
    4. To dismount select “Dismount”

 

 

Create a hidden container

  1. Open Veracrypt
  2. Select “Create volume”
  3. This menu allows you to select the type of container.
  4. Select “Encrypted File Container” for container type
  5. Select “Hidden VeraCrypt Volume” for Volume Type
  6. This page allows you to create a file for the Veracrypt container OR insert the container to an existing file.
    1. For this guide we are going to create a new file.
    2. Select “Select file”
    3. Enter a name into Save As
    4. Enter a location to save the file for “Where”
    5. Select “Save”
  7. This page allows you to choose the encryption algorithm and hash algorithm
  8. This page allows you to determine the size of the Veracrypt container. Please keep in mind the container size is fixed and CANNOT be resized later.
    1. Keep in mind the outside container must be big enough to contain the hidden container.
  9. This page allows you to set up a password for the OUTSIDE container, a keyfile for the container, and the PIM iteration for the container.
  10. On the next screen move the mouse around to generate randomness and then select “Format”.
  11. Once the outside container is created you will be prompted with the following. From here we can open up the outer container and enter some data that looks like the treasure :).
  12. The next page allows you to select the encryption algorithm and hash algorithm.
  13. This page allows you to enter the size of the hidden container. Keep in mind the hidden container can’t exceed the size of the outside container.
  14. This page allows you to enter a password for the hidden volume.
  15. Select the filesystem type for the hidden Veracrypt container.
  16. On the next screen move the mouse around to generate randomness and then select “Format”.
  17. After the creation of the hidden container you will be prompted with the following:

 

Mounting a hidden container

Open the outer container (Fake container)

  1. Open Veracrypt, select an open drive slot, and select “Select File”
  2. Find Veracrypt container and select open
  3. Once the file is loaded select “Mount”
    1. Enter password for the outer Veracrypt container.
    2. This will mount the container as a virtual drive. The drive can be used to retrieve and add files just like a normal container.

 

Open the hidden container

  1. Open Veracrypt, select an open drive slot, and select “Select File”
  2. Find Veracrypt container and select open
  3. Once the file is loaded select “Mount”
    1. Enter password for the hidden Veracrypt container
    2. This will mount the container as a virtual drive. The drive can be used to retrieve and add files just like a normal container.
    3. This container is also the hidden portion and allows the user to retrieve the hidden contents and add new files.
