VeraCrypt rpm for Fedora

Last updated: 2018-09-26

Update: I now package veracrypt in an rpm on my copr. So use:

dnf copr enable bgstack15/stackrpms
dnf install veracrypt

In these post-TrueCrypt days, I migrated to VeraCrypt. For a very long time now, I have been maintaining an encrypted file container on a flash drive on my keychain. Additionally, I keep various binaries to help open it, like on Windows or GNU/Linux, should I ever need emergency access to my files when not on one of my regular machines. I’m not NSA-proof, but I do intend to keep my private files out of the view of the general public or any random person who might find a lost flash drive.

As for VeraCrypt, a user can download the latest binary packages, even for GNU/Linux, from the official downloads page. And the source code is on gitlab at

But nobody I could find on the Internet has a Fedora rpm package for it. Well, I present to you now my VeraCrypt rpm project. It took me a while to figure out that the different releases of VeraCrypt don’t compile on Fedora 27 for various bug-related reasons. But the freshest commit version does, so this rpm is generated from the beta upstream point in time where I saved a copy of the repo.

The normal way to compile any of my rpms is to use the usr/share/${package}/build/pack script. It will download sources, prepare the file list in the spec, and perform the rpmbuild.

Auto mount a disk that is encrypted with luks


The anaconda installer can ask you if you want to encrypt a partition when you are setting up a new system.
What if after the fact you want to add an encrypted disk that is auto-mounted at boot?
This post explains how to prepare a new partition that is encrypted and configure your system to mount it at boot. This guide is aimed at Fedora-based systems like RHEL and CentOS, and tested specifically on CentOS 7.3.

Preparing the system and disk

Ensure package cryptsetup is installed.

yum -y install cryptsetup

Prepare a valid disk and partition which the system can find.
Make a partition of the preferred size and of type Linux filesystem or Linux reserved.

# sudo fdisk /dev/vdb
Command (m for help): p
Disk /dev/vdb: 16.1 GB, 16106127360 bytes, 31457280 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: gpt
#         Start          End    Size  Type            Name
 1         2048     31457246     15G  Linux reserved

The example partition in this post is /dev/vdb1.

Initializing the encrypted partition

Perform the initial setup of the encrypted partition. The dash here means it will prompt for a password (or accept it from standard input).

cryptsetup luksFormat /dev/vdb1 -
# cryptsetup luksFormat /dev/vdb1 -

This will overwrite data on /dev/vdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase:

Get the UUID of the partition using the blkid command.

# blkid
/dev/vdb1: UUID="b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b" TYPE="crypto_LUKS" PARTUUID="6614fac8-8d0c-45dd-a1a7-b799248bc370"

To get just the sole output you need:

thisblockid=$( blkid /dev/vdb1 -o value | head -n1 )

To open the encrypted partition, use luksOpen.

cryptsetup luksOpen /dev/vdb1 "luks-${thisblockid}"
# cryptsetup luksOpen /dev/vdb1 luks-$( blkid /dev/vdb1 -o value | head -n1 )
Enter passphrase for /dev/vdb1: 
# ll /dev/mapper
lrwxrwxrwx. 1 root root       7 Jul  9 16:08 luks-b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b -> ../dm-2

Now the /dev/mapper/luks-${thisblockid} path exists.
Make a filesystem of your choice.

mkfs.ext4 /dev/mapper/luks-b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b

Now you can mount this wherever you wish.

Mounting the encrypted partition automatically

To mount this encrypted partition at boot, you will need to modify /etc/fstab and /etc/crypttab.
Add to /etc/fstab an entry:

/dev/mapper/luks-b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b   /mnt/foo        ext4    defaults        0 0

Add to /etc/crypttab an entry:

luks-b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b UUID=b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b -

Now for each boot, you will be prompted to provide the luks passphrase before it can mount the specified mount point (in this case, /mnt/foo). The system will fail to boot completely if you do not provide the passphrase, even for an unimportant directory like /mnt/foo: It will drop into single-user mode.
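
Because a mistake in these two files can leave the machine unable to finish booting, here is a pre-reboot consistency check, as an added example that is not part of the original post: it confirms that every /dev/mapper/luks-* device named in fstab has a matching crypttab line. The function names, the temporary files and the all-zero UUID are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original post: lint an fstab against a crypttab.
# File paths are arguments, so the check can run on copies without root.

# Print the two entries for one partition, using the post's luks-<UUID> naming.
luks_entries() {
    local uuid="$1" mountpoint="$2" fstype="$3"
    printf 'luks-%s UUID=%s -\n' "$uuid" "$uuid"
    printf '/dev/mapper/luks-%s %s %s defaults 0 0\n' "$uuid" "$mountpoint" "$fstype"
}

# Print each /dev/mapper/luks-* device in fstab whose name is not the first
# field of a crypttab line; return 1 if any is missing. Other /dev/mapper
# devices (for example LVM volumes) are ignored.
check_luks_boot_config() {
    local fstab="$1" crypttab="$2" missing
    missing=$(awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        FILENAME == ARGV[1] { known[$1] = 1; next }  # crypttab: mapping names
        $1 ~ /^\/dev\/mapper\/luks-/ {
            name = substr($1, 13)                    # strip "/dev/mapper/"
            if (!(name in known)) print name
        }' "$crypttab" "$fstab")
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: the first UUID is the one shown in the post; the all-zero
# UUID is a made-up fstab entry with no crypttab line.
demo() {
    local dir rc uuid=b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b
    dir=$(mktemp -d)
    luks_entries "$uuid" /mnt/foo ext4 | sed -n 1p > "$dir/crypttab"
    {
        echo '/dev/mapper/centos-root / xfs defaults 0 0'
        luks_entries "$uuid" /mnt/foo ext4 | sed -n 2p
        echo '/dev/mapper/luks-00000000-0000-0000-0000-000000000000 /mnt/bar ext4 defaults 0 0'
    } > "$dir/fstab"
    check_luks_boot_config "$dir/fstab" "$dir/crypttab"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo || echo "^ fstab entries without a crypttab mapping; fix before rebooting"
```

On a real system, call `check_luks_boot_config /etc/fstab /etc/crypttab` after editing both files and before rebooting.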


