Why does Tails not come with proper VeraCrypt?

Tails comes with some limited version of VeraCrypt. It does not allow you to create volumes, but it does not even allow you to open them as read-only for extra safety to maintain the documents safely. Kind of shocking something so basic is missing. I assume that this limited version is audited and so on, but that is a basic feature to be missing; at least on the GUI I don’t see it.


Tails is supposed to be an ephemeral OS. I know it has some persistent storage but to expect a full-fledged VeraCrypt on an ephemeral OS is unreasonable if you ask me. The distro is really meant for select use cases and not as a daily driver.

I recommend managing expectations here. You sound like they owe you this or something.

Apparently it’s because some of its code (inherited from TrueCrypt) is under the TrueCrypt 3.0 license which is source available but doesn’t meet the Debian Free Software Guidelines. I’d rather have the full version of VeraCrypt even if part of it is only source-available rather than fully FOSS, but I guess the team behind Tails prefers to maximize FOSS at the expense of convenient encryption.

It’s perfectly in scope for Tails to include VeraCrypt and I don’t see why there would be any unique technical challenge in doing so. As far as I can tell, they’re only excluding it because part of the code is under a “non-free” (in FSF terms) source-available license. If anything I’d assume they spent more resources creating their VeraCrypt unlocker app rather than just including VeraCrypt. If VeraCrypt ever manages to rewrite all code under Apache 2.0, I’d assume they’d include VeraCrypt.


As far as I know, they deleted VeraCrypt in newer versions. But if you have the persistent storage option on your USB, you can easily download it as an AppImage from their site; Cryptomator the same way. Picocrypt might be harder, but the CLI version works.
About the question, idk why either, maybe due to its ephemeral nature, so they thought it won't be that needed, but idk really.

If I remember correctly, the AppImage depends on an outdated (and vulnerable?) library. Installing their .deb package is probably better in that regard.

Adding ZuluCrypt when it's patched, which is already in the Debian repository and has the ability to create and access VeraCrypt volumes, would be a good solution to this issue.

Yeah, like I said before, the included software does not even allow you to mount in read-only, which is basic to load documents and keep integrity and not risk corruption. But not only that, it seems there is something weird going on because I just tried to mount with the Tails app and lo and behold, it decided to open in read-only mode… why? And how, if there is no option? First time I’ve seen it mount in read-only. So I downloaded actual VeraCrypt, mounted, and I was able to write files too. VeraCrypt has an actual read-only checkbox so every time you mount it that is taken into account. I wonder if I opened the container in read-only, then this option got somehow saved inside the container and the Tails app opened it in read-only remembering the last setting from VeraCrypt… but supposedly nothing is written in the header or anything about this I think, so I don’t get this behavior.

Something I noticed is that if you mount using the included Tails app the partitions show up as type “crypt”, and the names are like this:

tcrypt-4digitnumber_2
|___tcrypt-4digitnumber_1
|____tcrypt-4digitnumber (and this partition has a mount point in “/run/nosymfollow/media/amnesia/somelongstringofcharactersandnumbers/media/samestringofcharactersandnumbers”)

If you open with regular VeraCrypt you get this:

veracrypt1_1
|___veracrypt1_0
|____veracrypt1 (mountpoint here is: “/run/nosymfollow/media/veracrypt1/media/veracrypt1”)

Here, partitions are “dm” instead of “crypt”.

Could someone explain those discrepancies? Also, especially the “read-only” thing. I don’t get it. As an experiment, I opened it in read-only using VeraCrypt, then I unmounted, and I opened it in the Tails app. It opened it as read+write as usual. So I do not understand why on the previous attempt it started it on read-only, when there is no option to do so in the Tails app like I said.

Given this, I will just be using regular VeraCrypt, as cumbersome as it is to download and install it every time you boot. I don’t need to access documents often anyway, but I would rather have full VeraCrypt there as well. Plus if you want to create volumes, it would be much safer to do so in a live environment like Tails than on your regular operating system.
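
One way to check what the post above observes, whether each layer of a mapped volume really came up read-only and which device type it reports, is to read the TYPE and RO columns from `lsblk`. This is an added example, not part of the thread; the JSON is constructed sample output, and the device names and mount points in it are placeholders.

```python
import json

# Constructed sample (not from the thread), in the shape printed by:
#   lsblk --json -o NAME,TYPE,RO,MOUNTPOINT
SAMPLE = json.dumps({"blockdevices": [
    {"name": "loop0", "type": "loop", "ro": False, "mountpoint": None, "children": [
        {"name": "tcrypt-0000_2", "type": "crypt", "ro": True, "mountpoint": None, "children": [
            {"name": "tcrypt-0000_1", "type": "crypt", "ro": True, "mountpoint": None, "children": [
                {"name": "tcrypt-0000", "type": "crypt", "ro": True,
                 "mountpoint": "/media/amnesia/EXAMPLE"}]}]}]},
    {"name": "loop1", "type": "loop", "ro": "0", "mountpoint": None, "children": [
        {"name": "veracrypt1_1", "type": "dm", "ro": "0", "mountpoint": None, "children": [
            {"name": "veracrypt1_0", "type": "dm", "ro": "0", "mountpoint": None, "children": [
                {"name": "veracrypt1", "type": "dm", "ro": "0",
                 "mountpoint": "/media/veracrypt1"}]}]}]},
    {"name": "sda", "type": "disk", "ro": False, "mountpoint": None},
]})

MAPPED_TYPES = {"crypt", "dm"}  # the two types reported in the post

def is_ro(value):
    # Newer util-linux prints RO as true/false, older releases as "0"/"1".
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true")

def mapped_volumes(lsblk_json):
    """One report per mounted leaf device that sits on a crypt/dm mapping."""
    reports = []

    def walk(node, chain):
        chain = chain + [node]
        children = node.get("children") or []
        for child in children:
            walk(child, chain)
        layers = [n for n in chain if n["type"] in MAPPED_TYPES]
        if not children and layers and node.get("mountpoint"):
            reports.append({
                "volume": node["name"],
                "mountpoint": node["mountpoint"],
                "types": sorted({n["type"] for n in layers}),
                "layers": [n["name"] for n in layers],
                "read_only_layers": [n["name"] for n in chain if is_ro(n.get("ro"))],
            })

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, [])
    return reports

if __name__ == "__main__":
    for r in mapped_volumes(SAMPLE):
        print(r["volume"], r["types"], "ro layers:", r["read_only_layers"] or "none")
```

The RO column is the block-device flag only; a filesystem mounted read-only on a writable device shows up in the mount options that `findmnt` prints instead.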