
For Windows, VeraCrypt implements a feature called "system favorite volumes".  It allows mounting additional discs with the password entered at boot to unlock the system partition.

Specs: I am running Pop OS! 22.04, which should be equivalent for this question to Ubuntu 22.04.  My system partition is encrypted with LUKS.  I want to mount three volumes: one with VeraCrypt encryption and two with the original TrueCrypt encryption.

I have found several articles to tackle this problem; however, none of them worked:

I am completely lost and cannot even test my trials.

2 Answers


You can unlock TrueCrypt volumes, and VeraCrypt too, with your system boot (LUKS) password, at least on Debian and Ubuntu. A VeraCrypt volume with a PIM needs at least v254 of systemd for the veracrypt-pim=<number> option within crypttab. See here https://www.freedesktop.org/software/systemd/man/latest/crypttab.html

For Debian 12 systemd is v252, so install v254 systemd from backports to use veracrypt-pim=<number> within crypttab. Then, as well as having all your volumes use the same password, add the initramfs,keyscript=decrypt_keyctl options at the end of the lines. The initramfs option pulls the decrypting of the volume to the start of the boot with the system drive, and keyscript=decrypt_keyctl caches the password so you only have to enter it once.

For crypttab, along with your system drive unlock line, something like this. Note that initramfs is not needed for the line unlocking the system volume:

    # System volume
    sda3_crypt UUID=6b3229c1-6f6a-480f-8524-212f6bd2e4dc none luks,discard,keyscript=decrypt_keyctl
    # Truecrypt volume
    sdb_true /dev/disk/by-partuuid/7d185b93-01 none tcrypt,discard,initramfs,keyscript=decrypt_keyctl
    # Veracrypt volume.
    sdc_vera /dev/disk/by-partuuid/2c175e93-01 none tcrypt-veracrypt,discard,initramfs,keyscript=decrypt_keyctl

For a VeraCrypt volume needing a PIM you need systemd v254 or later:

    sdc_vera /dev/disk/by-partuuid/2c175e93-01 none tcrypt-veracrypt,veracrypt-pim=20,discard,initramfs,keyscript=decrypt_keyctl

After making your crypttab (and fstab, to mount the drives) entries and checking them very thoroughly, run as root

    # update-initramfs -u -v

to update grub.


TL;DR:

  • edit /etc/crypttab to feature the devices; like

        # existing lines from the system setup
        cryptdata UUID=ca....5c none luks
        cryptswap UUID=9a...91 /dev/urandom swap,plain,offset=1024,cipher=aes-xts-plain64,size=512
        # added lines
        # add the tcrypt-veracrypt option for a device encrypted with VeraCrypt
        givenname1 /dev/sdb2 none tcrypt,tcrypt-veracrypt
        givenname2 /dev/sdc2 none tcrypt
        givenname3 /dev/sdd1 none tcrypt

  • add the following lines to /etc/fstab, like

        /dev/mapper/givenname1 /mnt/mymountpoint1 auto nosuid,nodev,nofail 0 0
        /dev/mapper/givenname2 /mnt/mymountpoint2 auto nosuid,nodev,nofail 0 0
        /dev/mapper/givenname3 /mnt/mymountpoint3 auto nosuid,nodev,nofail 0 0

How to test

After editing the crypttab file you can call cryptdisks_start, e.g. sudo cryptdisks_start givenname1. If this works it might still not work at startup, but you are on the right way.

To test if it will work at startup, perform the following steps:

  1. this will reread the crypttab file

        sudo systemctl daemon-reload

  2. this will start the service; this might yield false positive results if you have successfully called cryptdisks_start previously

        sudo systemctl start systemd-cryptsetup@givenname1.service

  3. to rule out false positive results, restart the service

        sudo systemctl stop systemd-cryptsetup@givenname1.service
        sudo systemctl start systemd-cryptsetup@givenname1.service

  4. check if a link has appeared in /dev/mapper

        $ ls /dev/mapper/
        control  cryptdata  cryptswap  data-root  givenname1

Attention Ubuntu users

Ubuntu implements the cryptsetup scripts differently than most other distributions. As a result some options in the crypttab are missing for Ubuntu and similar distributions.

Compare the man page for the exact changes.

For me this meant that I could not use a keyfile in conjunction with the password, since the option tcrypt-keyfile is missing.

To see which options are available to you, call man crypttab.

Remarks

This solution works quite well for me. Mounting the disks is also much faster than with the VeraCrypt GUI.

For a typical dual boot scenario, the mounted drive might have the NTFS filesystem. Here the mount options should be different.

I have tried these additional parameters in the /etc/fstab:

uid=1000,gid=1000,dmask=027,fmask=137 
  • Thanks for the very helpful summary! I was able to check that my setup should work: after sudo systemctl start systemd-cryptsetup@givenname1.service I had to enter my password and the link appeared under /dev/mapper/. But this does not work at boot, because there comes no prompt whatsoever. Is the prompt something one has to specify in an option? Commented Oct 4, 2024 at 22:50
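Both answers stress checking the crypttab and fstab entries before rebooting, and the comment above shows the failure mode when something is off (the mapping works from a running system but nothing prompts at boot). The script below is an added example, not code from either answer: a small lint for entries of the kind shown, run here against constructed sample text with placeholder device IDs. It flags tcrypt/tcrypt-veracrypt entries that lack the initramfs and keyscript=decrypt_keyctl options the first answer describes, a veracrypt-pim= option on a systemd older than 254 (the first answer's stated requirement), trailing text after the options field, and mapped devices with no matching fstab line. The installed_systemd_version helper is an assumption about the output format of systemctl --version; everything else is plain shell.

```shell
#!/bin/sh
# Added example (not part of the answers above): a pre-reboot lint for
# crypttab/fstab entries of the kind shown. To use it on the real files:
#   lint_crypttab "$(cat /etc/crypttab)" "$(cat /etc/fstab)" "$(installed_systemd_version)"

# Constructed sample crypttab; UUIDs/PARTUUIDs are placeholders, not real volumes.
SAMPLE_CRYPTTAB='# System volume
sda3_crypt UUID=6b3229c1-6f6a-480f-8524-212f6bd2e4dc none luks,discard,keyscript=decrypt_keyctl
# TrueCrypt volume, unlocked early with the cached boot passphrase
sdb_true /dev/disk/by-partuuid/7d185b93-01 none tcrypt,discard,initramfs,keyscript=decrypt_keyctl
# VeraCrypt volume with a PIM; per the first answer this needs systemd >= 254
sdc_vera /dev/disk/by-partuuid/2c175e93-01 none tcrypt-veracrypt,veracrypt-pim=20,discard,initramfs,keyscript=decrypt_keyctl
# Entry that will never prompt at boot: no initramfs, no keyscript, no fstab line
sdd_old /dev/sdd1 none tcrypt
# Entry with a comment on the same line as the fields
sde_cmt /dev/sde1 none tcrypt,initramfs,keyscript=decrypt_keyctl # mounted below'

# Constructed sample fstab for the mapped devices.
SAMPLE_FSTAB='/dev/mapper/sdb_true /mnt/true auto nosuid,nodev,nofail 0 0
/dev/mapper/sdc_vera /mnt/vera auto nosuid,nodev,nofail 0 0
/dev/mapper/sde_cmt /mnt/cmt auto nosuid,nodev,nofail 0 0'

# has_opt OPTS NAME: succeed if comma-separated OPTS contains NAME or NAME=value.
has_opt() {
    case ",$1," in
        *",$2,"*|*",$2="*) return 0 ;;
    esac
    return 1
}

# installed_systemd_version: major version parsed from "systemctl --version"
# (assumes the first line looks like "systemd 252 (252.x)"), or 0 if unavailable.
installed_systemd_version() {
    systemctl --version 2>/dev/null | awk 'NR==1 { print $2; exit }' | grep -E '^[0-9]+$' || echo 0
}

# lint_crypttab CRYPTTAB_TEXT FSTAB_TEXT SYSTEMD_VERSION
# Prints one WARN line per problem; the return value is the number of problems (0 = clean).
lint_crypttab() {
    local crypttab_text fstab_text systemd_ver problems name dev key opts rest
    crypttab_text=$1; fstab_text=$2; systemd_ver=$3
    problems=0
    while read -r name dev key opts rest; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        if [ -z "$opts" ]; then
            echo "WARN: $name: fewer than 4 fields"; problems=$((problems + 1)); continue
        fi
        if [ -n "$rest" ]; then
            echo "WARN: $name: trailing text '$rest' after the options field; put comments on their own line"
            problems=$((problems + 1))
        fi
        # Only TrueCrypt/VeraCrypt data volumes are checked; the LUKS system volume is left alone.
        has_opt "$opts" tcrypt || has_opt "$opts" tcrypt-veracrypt || continue
        if [ "$key" != none ]; then
            echo "WARN: $name: key field is '$key'; reusing the boot passphrase via decrypt_keyctl expects 'none'"
            problems=$((problems + 1))
        fi
        if ! has_opt "$opts" initramfs; then
            echo "WARN: $name: no 'initramfs' option, so it is not unlocked in early boot with the system volume"
            problems=$((problems + 1))
        fi
        if ! has_opt "$opts" keyscript; then
            echo "WARN: $name: no 'keyscript=decrypt_keyctl', so the boot passphrase is not reused"
            problems=$((problems + 1))
        fi
        if has_opt "$opts" veracrypt-pim && [ "$systemd_ver" -lt 254 ]; then
            echo "WARN: $name: veracrypt-pim= needs systemd >= 254, installed version is $systemd_ver"
            problems=$((problems + 1))
        fi
        if ! printf '%s\n' "$fstab_text" | grep -q "^/dev/mapper/$name[[:space:]]"; then
            echo "WARN: $name: no /dev/mapper/$name line in fstab, so nothing mounts it"
            problems=$((problems + 1))
        fi
    done <<EOF
$crypttab_text
EOF
    return $problems
}

# Usage: lint the constructed sample as if the installed systemd were v252.
lint_crypttab "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB" 252 || echo "$? problem(s) found; fix them before update-initramfs -u and rebooting"
```

On the sample, the sdd_old entry collects three warnings (no initramfs, no keyscript, no fstab line), which is exactly the "works with systemctl start, silent at boot" situation from the comment; sdc_vera is flagged only while the reported systemd version is below 254.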
