
For Windows, VeraCrypt implements a feature called "system favorite volumes". It allows mounting additional discs with the password entered at boot to unlock the system partition.

Specs: I am running Pop OS! 22.04, which should be equivalent for this question to Ubuntu 22.04. My system partition is encrypted with LUKS. I want to mount three volumes, one with VeraCrypt encryption and two with the original TrueCrypt encryption.

I have found several articles that tackle this problem; however, none of them worked:

https://www.computercorrect.com/2018/operating-systems/linux/ubuntu/auto-mounting-a-veracrypt-volume-under-ubuntu-debian-linux/

https://wiki.archlinux.org/title/VeraCrypt

crypttab and VeraCrypt

I am completely lost and can't even test my trials.

1 Answer


TL;DR:

  • edit /etc/crypttab to include the devices, like
    # existing lines from the system setup
    cryptdata UUID=ca....5c none luks
    cryptswap UUID=9a...91 /dev/urandom swap,plain,offset=1024,cipher=aes-xts-plain64,size=512
    # added lines
    # add the tcrypt-veracrypt option for a device encrypted with veracrypt
    givenname1 /dev/sdb2 none tcrypt,tcrypt-veracrypt
    givenname2 /dev/sdc2 none tcrypt
    givenname3 /dev/sdd1 none tcrypt
    
  • add lines like the following to /etc/fstab
    /dev/mapper/givenname1 /mnt/mymountpoint1 auto nosuid,nodev,nofail 0 0
    /dev/mapper/givenname2 /mnt/mymountpoint2 auto nosuid,nodev,nofail 0 0
    /dev/mapper/givenname3 /mnt/mymountpoint3 auto nosuid,nodev,nofail 0 0
    

How to test

After editing the crypttab file you can call cryptdisks_start, e.g. sudo cryptdisks_start givenname1. If this works it might still not work at startup, but you are on the right track.

To test if it will work at startup, perform the following steps:

  1. this will reread the crypttab file

    sudo systemctl daemon-reload 
    
  2. this will start the service, this might yield false positive results if you have successfully called cryptdisks_start previously

    sudo systemctl start systemd-cryptsetup@givenname1.service
    
  3. to rule out false positive results restart the service

    sudo systemctl stop systemd-cryptsetup@givenname1.service
    sudo systemctl start systemd-cryptsetup@givenname1.service
    
  4. check if a link has appeared in /dev/mapper

    $ ls  /dev/mapper/
    
    control  cryptdata  cryptswap  data-root  givenname1
    

Attention Ubuntu users

Ubuntu implements the cryptsetup scripts differently than most other distributions. As a result, some options in the crypttab are missing for Ubuntu and similar distributions.

Compare the man page for the exact changes.

For me this meant that I could not use a keyfile in conjunction with the password, since the option tcrypt-keyfile is missing.

To test which options are available to you, call man crypttab.

Remarks

This solution works quite well for me. Mounting the discs is also much faster than with the VeraCrypt GUI.

For a typical dual boot scenario, the mounted drive might have the NTFS filesystem. Here the mount options should be different.

I have tried these additional parameters in the /etc/fstab:

uid=1000,gid=1000,dmask=027,fmask=137
AdminBee
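
A pre-reboot lint for the two files edited in the answer above, as an added example that is not part of the original answer: for each tcrypt row in crypttab it reports text after the options field, a /dev/sdX device name, and a missing or nofail-less /dev/mapper/NAME row in fstab. The function name check_tabs, the /dev/disk/by-id placeholders and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original answer): lint crypttab tcrypt rows
# against fstab. Prints one finding per line; return status = finding count.
check_tabs() {
    crypttab=$1; fstab=$2; findings=0
    while read -r name dev key opts extra; do
        case $name in ''|'#'*) continue ;; esac               # blank / comment line
        case ",$opts," in *,tcrypt,*) ;; *) continue ;; esac  # tcrypt rows only
        # crypttab only knows whole-line comments; anything after the
        # options field is not a comment.
        if [ -n "$extra" ]; then
            echo "$name: text after options field: $extra"
            findings=$((findings + 1))
        fi
        # sdX names are assigned at boot and can point at another disk.
        case $dev in /dev/sd*)
            echo "$name: $dev is a kernel name, not a persistent path"
            findings=$((findings + 1)) ;;
        esac
        # The fstab row must use the same mapper name and carry nofail;
        # without nofail a volume that fails to unlock can block the boot.
        mopts=$(awk -v d="/dev/mapper/$name" '$1 == d { print $4; exit }' "$fstab")
        case ",$mopts," in
            ,,) echo "$name: no /dev/mapper/$name row in fstab"
                findings=$((findings + 1)) ;;
            *,nofail,*) ;;
            *)  echo "$name: fstab row lacks nofail"
                findings=$((findings + 1)) ;;
        esac
    done < "$crypttab"
    return "$findings"
}

# Constructed sample input; paths under /dev/disk/by-id are placeholders.
demo=$(mktemp -d)
cat > "$demo/crypttab" <<'EOF'
cryptdata UUID=00000000-0000-0000-0000-000000000000 none luks
givenname1 /dev/disk/by-id/EXAMPLE-part2 none tcrypt,tcrypt-veracrypt
givenname2 /dev/sdc2 none tcrypt # old TrueCrypt disk
givenname3 /dev/disk/by-id/EXAMPLE2-part1 none tcrypt
EOF
cat > "$demo/fstab" <<'EOF'
/dev/mapper/givenname1 /mnt/mymountpoint1 auto nosuid,nodev,nofail 0 0
/dev/mapper/givenname2 /mnt/mymountpoint2 auto nosuid,nodev 0 0
/dev/mapper/givename3 /mnt/mymountpoint3 auto nosuid,nodev,nofail 0 0
EOF
check_tabs "$demo/crypttab" "$demo/fstab" || echo "findings: $?"
```

On a real system, call it as check_tabs /etc/crypttab /etc/fstab; it only reads the two files.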