12

I used TrueCrypt for a long time in Kubuntu, in which I used a keyboard shortcut to automatically mount a drive. Nowadays I use VeraCrypt, but I am always prompted for my sudo password after entering the password for the encrypted drive. This was never necessary in TrueCrypt.

It occurred to me that I could potentially mount the drive as removable media (this is an operation that does not require a root password), but when mounting the drive to /mount/ (which is where removable media is mounted), I still get the sudo password request.

Furthermore, an option in VeraCrypt allows Volume Mounted as Removable Medium, but this option simply doesn't exist in the version I'm running in Linux (v1.19).

What is going on here? How can I request that the VeraCrypt mounting process behave like removable media? Entering my password every mount and dismount is irritating.

jmbeck
  • 221

3 Answers

6

One option would be to set the SUID bit on veracrypt. This would make sure it took on root privileges whenever run.

# chmod u+s /usr/bin/veracrypt

Generally, however, I try to avoid the SUID or SGID bits, as they allow any user with permission to execute the binary to use it at elevated privileges.

A better option:

Another option you have if you've got sudo is to create a group with password-free sudo privileges for veracrypt.

This is definitely still a little less secure than always requiring a password, as is always the case when creating sudo rules like this. Make sure you read this carefully and understand what it entails to ensure you do not create a security risk!


Before you begin, you want to ensure that the /usr/bin/veracrypt binary is not writable by group or other.

Confirm that it is not writable by anyone other than the owner:

$ ls -lha /usr/bin/veracrypt
-rwxr-xr-x 1 root root 7.1M Sep 11  2019 /usr/bin/veracrypt

First, create a new group:

# groupadd veracrypt_group

Next, add your user(s) to the group:

# usermod -aG veracrypt_group your_user

Now use visudo to create a new sudo rule:

# visudo -f /etc/sudoers.d/veracrypt

This one will allow the veracrypt_group to run /usr/bin/veracrypt without a password.

%veracrypt_group ALL=(root) NOPASSWD:/usr/bin/veracrypt

Jeff Alyanak
  • 161
  • 1
  • 3
1

I had this problem in Linux Mint when my veracrypt container was in a directory not owned by the user opening the container, even though the user could write to that directory (and owned the container file). Moving it to a folder that the user owns stopped veracrypt from prompting for an admin password.

jtbr
  • 243
1

With the latest version of VeraCrypt (1.25 and later), the following should work:

sudo tee <<EOM /etc/sudoers.d/veracrypt
%sudo ALL = (root) NOPASSWD:/usr/bin/veracrypt,/usr/bin/uptime
EOM

This gives all sudoers passwordless access to veracrypt.

Security considerations: Generally speaking it is possible to gain root using an unrestricted mount permission e.g. by mounting a filesystem with a setuid bash in it. But VeraCrypt always mounts filesystems using FUSE defaults which are nosuid,nodev, so this specific attack vector isn't really possible. With that said, there could be other bugs in VeraCrypt that could be exploited to gain root. So it is safer to only allow trusted users (e.g. sudoers) to use VeraCrypt.

rustyx
  • 1,118
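
The last answer's security argument rests on VeraCrypt volumes being mounted nosuid,nodev, which can be checked on a given system rather than taken on trust. The script below is an added example, not code from any of the answers: it reads lines in /proc/mounts format and flags VeraCrypt volumes missing either option. The /dev/mapper/veracryptN device naming is an assumption, and the sample mount lines are constructed.

```shell
#!/bin/sh
# Added example: audit the mount options of VeraCrypt volumes.
# Input format is that of /proc/mounts:
#   device mountpoint fstype options dump pass

# Constructed sample lines. The /dev/mapper/veracryptN naming is an
# assumption about how VeraCrypt names its mapper devices on Linux.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/mapper/veracrypt1 /media/veracrypt1 ext4 rw,nosuid,nodev,relatime 0 0
/dev/mapper/veracrypt2 /media/veracrypt2 ext4 rw,relatime 0 0
/dev/mapper/veracrypt3 /mnt/vault vfat rw,nosuid,relatime 0 0'

# has_opt OPTIONS NAME: succeed if NAME is one of the comma-separated OPTIONS.
# Wrapping both sides in commas prevents substring matches (e.g. "nosuidx").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_veracrypt_mounts: read mount-table lines on stdin, print one line per
# VeraCrypt volume missing nosuid or nodev, and return 1 if any was found.
audit_veracrypt_mounts() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in
            /dev/mapper/veracrypt*) ;;   # a VeraCrypt volume: inspect it
            *) continue ;;               # anything else is out of scope
        esac
        missing=""
        has_opt "$opts" nosuid || missing="nosuid"
        has_opt "$opts" nodev || missing="${missing:+$missing,}nodev"
        if [ -n "$missing" ]; then
            echo "$mnt missing=$missing"
            rc=1
        fi
    done
    return "$rc"
}

# Demonstration on the constructed sample; on a live system run
#   audit_veracrypt_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_veracrypt_mounts || true
```

A non-zero exit status means at least one volume was mounted without nosuid or nodev, in which case a passwordless sudo rule for veracrypt deserves a second look.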