Using Veracrypt with Clonezilla?

Topics: Technical Issues
Jan 21, 2015 at 1:58 PM
I currently use Clonezilla (Live Linux CD) to make image backups of all my computer hard drives onto an external 1 TB usb drive; there is an option in the program to mount an external usb drive. So I figured I would encrypt the external drive in the event that it is stolen. Then it dawned on me, how am I going to unencrypt it? I never tried it, but I see others have successfully accomplished this using a command line tool called tcplay with TrueCrypt, which is an open source command line version of TrueCrypt. I imagine no such tool exists for VeraCrypt. So I am not sure how to attack this, but I guess some options, although not ideal, would be to:

Option 1) Buy a second drive and leave it unencrypted and perform the backup to this drive. Then copy the backup to the second encrypted drive. Then delete the backups on the first unencrypted drive and in addition wipe the drive so the data is truly gone. Unfortunately all of this would take forever. Not only that, but I would have to reverse the procedure to restore the image.

Option 2) Partition my current drive with both a smaller unencrypted partition (large enough to hold my largest backup set) and maybe add the traveler mode files to it. Then partition and encrypt the rest of the drive with VeraCrypt. Then like option 1, use the first partition to make the Clonezilla backup and then later on move it to the encrypted partition (Not sure I could do that while still running off the Live Linux CD or would have to do it in Windows later on). Saves me a second drive, but all the other problems as in option 1 still exist.

So is there a better way to do this, or maybe someone will eventually develop a vcplay that works like tcplay?

As a side note it is taking 5 minutes from the time I enter my password until the external drive is unencrypted, and that is with an i7-860 2.8 GHz 8 threaded processor, with all 8 threads cranking away full time; that is with the default values set in VeraCrypt. Not sure if that would be a processor or drive speed limitation at this point. I guess as others say on the forum, the price for security, but I suspect this is way overkill for my application. As others have mentioned, a setting switch or toned down version of VeraCrypt would be nice. Not trying to start another long thread about this though, as I understand the positive and negative aspects here.
Jan 22, 2015 at 5:12 PM
I decided to go with option 2 yesterday as I needed to make some backups today and could not come up with an alternate better method.
Jan 23, 2015 at 1:58 AM
VeraCrypt is available for Linux both as console executable or a GUI one. Since you are mentioning tcplay, the console version should do the work for you.
In the Downloads page (https://veracrypt.codeplex.com/wikipage?title=Downloads), you can download an archive that contains the setup for all versions (console/GUI, 32-bit/64-bit).

The only issue is that CloneZilla seems to come bundled with tcplay and it is not the case for VeraCrypt, so you'll have to find a way to copy VeraCrypt binary to the system after you boot on CloneZilla CD. For example, you can put VeraCrypt Linux binary on a USB stick or in an unencrypted partition.
In my opinion, this is the best approach to answer your need.

I already created a patch for tcplay to support VeraCrypt volumes and I submitted a pull request to the tcplay author (https://github.com/bwalex/tc-play/pull/65) but I didn't receive any feedback on it yet.
I'm also planning to develop a vcplay program that will be a fork of tcplay.

Concerning the 5 minutes mounting time, are you selecting the right PRF in the password dialog (SHA-512 if you used the default) or do you leave it set to automatic detection?
Does the VeraCrypt waiting dialog disappear before the 5 minutes or does it remain during the full 5 minutes?
Jan 23, 2015 at 2:39 PM
Edited Jan 23, 2015 at 6:33 PM
Thanks. I am going to try your usb suggestion.

QUESTION: "Concerning the 5 minutes mounting time, are you selecting the right PRF in the password dialog (SHA-512 if you used the default) or do you leave it set to automatic detection?"

I used whatever the default was for all encryption related values in the program. As I recall, the number "512" showed up in two different places in the program. Also, the password I am using is greater than 20 characters, if that matters.

QUESTION: Does the VeraCrypt waiting dialog disappear before the 5 minutes or does it remain during the full 5 minutes?

The dialog is there the whole time, with the Microsoft waiting "circle" or "hourglass" there (depending on the machine), until the partition is unencrypted.

More information. Curiosity got the better of me, so I performed the un-encryption on two other computers and my unencrypt times were better and more reasonable, and I guess more in line with what they should be; not sure what is going on with my main computer. Here are the results:

All tests were done using a Western Digital USB 3.0 external drive (In a USB 2.0 port each time so that the tests are comparable. Only the Dell has a USB 3.0 port).

Computer 1: (My Main Computer Intel DP55KG):
Processor: i7-860, 4 cores, 8 logical, 2.8 GHz.
RAM: 8 GB, DDR3-1333, 667.7 MHz.
Unencrypt Time: 5 minutes 30 seconds.

Computer 2: (Similar motherboard to computer #1 DP55WG)
Processor: i5-750, 4 cores, 4 logical, 2.6 GHz.
RAM: 8 GB, DDR3-1333, 667.7 MHz.
Unencrypt Time: 1 minute 46 seconds.

Computer 3: (Very Recent Dell)
Processor: i3-4150, 2 cores, 4 logical, 3.5 GHz.
RAM: 8 GHz, DDR3-1600, 798.1 MHz.
Unencrypt Time: 1 minute 34 seconds.
Jan 24, 2015 at 12:27 AM
Edited Jan 24, 2015 at 12:29 AM
Thanks for the update.

Your tests are interesting as they show that Core-i3 and Core-i5 perform better than the Core-i7 whereas the Core-i7 should be the fastest. If we look for example at the figures of CPU benchmark (http://www.cpubenchmark.net/cpu_list.php), we find that the Core-i7 offers better performance:
  1. Intel Core i7 860 => 5089
  2. Intel Core i5 750 => 3742
  3. Intel Core i3-4150 => 4944
One possible explanation is that there is an issue in the Turbo Boost configuration of the Main computer that makes its cores run at a low speed.

Another point is that I think you are not using the PRF selection in the password dialog and you are leaving it to auto-detection. I asked you about this but I didn't find any mention of this in your answer and you seem to say that you leave everything as it is.
Thus, you can speed things up by using the PRF selection in the password dialog in order to manually specify SHA-512. This will force the mount operation to use only one core of the CPU and usually this gives maximum speed.
[Screenshot: PRF Selection]

Can you please try this? Your figures are very helpful in understanding how VeraCrypt implementation behaves with respect to several CPU configurations.

Thanks.
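
Added example (not part of any post in this thread and not VeraCrypt code): a small model of why naming the PRF shortens a mount, since auto-detection pays one full PBKDF2 run for every candidate it tries. The candidate list, trial order and iteration count are constructed assumptions, and an HMAC tag over a magic string stands in for decrypting the real volume header.

```python
import hashlib
import hmac
import os

# Assumptions: candidate list, trial order and iteration count are
# constructed for this sketch and are not VeraCrypt's real values.
CANDIDATE_PRFS = ["sha256", "sha512"]  # order tried on auto-detection
ITERATIONS = 20_000                    # scaled down so the demo runs quickly
MAGIC = b"VERA"                        # stand-in for the header validity check
SALT_LEN = 64


def derive_key(password: bytes, salt: bytes, prf: str) -> bytes:
    """One full PBKDF2 run: the expensive step of opening a volume."""
    return hashlib.pbkdf2_hmac(prf, password, salt, ITERATIONS, dklen=64)


def make_header(password: bytes, prf: str) -> bytes:
    """Build a toy header: random salt followed by a tag only the right key makes."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(password, salt, prf)
    return salt + hmac.new(key, MAGIC, hashlib.sha256).digest()


def open_header(header: bytes, password: bytes, prf=None):
    """Return (matching_prf_or_None, kdf_runs). prf=None means auto-detect."""
    salt, tag = header[:SALT_LEN], header[SALT_LEN:]
    candidates = [prf] if prf else CANDIDATE_PRFS
    runs = 0
    for name in candidates:
        key = derive_key(password, salt, name)
        runs += 1
        expected = hmac.new(key, MAGIC, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return name, runs
    return None, runs  # wrong password or wrong PRF: every run was wasted


if __name__ == "__main__":
    hdr = make_header(b"constructed sample passphrase", "sha512")
    print("auto-detect:", open_header(hdr, b"constructed sample passphrase"))
    print("PRF named:  ", open_header(hdr, b"constructed sample passphrase", "sha512"))
    print("bad password:", open_header(hdr, b"not the passphrase"))
```

A wrong password under auto-detection costs a derivation for every candidate, which is also the price an offline guesser pays per attempt.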
Jan 24, 2015 at 1:03 AM
Edited Jan 24, 2015 at 1:34 AM
Sorry, I misunderstood your previous post. I just tried it with the PRF set to HMAC-SHA-512 on the i7 860, and it was a nice speed improvement (Took 1 minute 54 seconds). However it still did use all 8 threads during this operation as viewed in the Windows Task Manager.

idrassi wrote:
VeraCrypt is available for Linux both as console executable or a GUI one. Since you are mentioning tcplay, the console version should do the work for you.
SOLVED: With respect to Clonezilla, I did as you suggested and I was able to un-encrypt the partition using the Linux console version of VeraCrypt on a USB pendrive while Clonezilla was running off of the CD drive. Yippee, works great. Ready for this one... It took a whole 7 seconds to un-encrypt the partition doing it this way (meaning via Linux) on the same i7 860 computer. I had to check the mounted drive to make sure the files were there because I couldn't believe it.
Jan 24, 2015 at 1:51 AM
Edited Jan 24, 2015 at 4:12 AM
The difference between Linux and Windows is amazing and it shows that something is not right with your Windows installation.

The 7 seconds mount time is what you should expect also on Windows. I have just done a test on a Windows 7 64-bit machine with Core-i7 2600K (CPU benchmark is 8567) and it took 4.5 seconds to mount an SHA-512 container. By using the CPU benchmark value of your Core-i7 860, this means we should expect a mounting time of (8567/5089) x 4.5 = 7.5 seconds, which is close to what you are seeing on Linux.

I don't have an explanation for your Windows figures but definitely your CPU is not working correctly on Windows.

PS: some internet posts seem to suggest disabling the "Intel Speed Step" feature in the BIOS to gain full performance. Can you see if this applies to your case? Also look for any Turbo Boost configuration.
Jan 24, 2015 at 3:11 AM
Edited Jan 24, 2015 at 3:31 AM
Well I had nothing to do with the Dell Windows installation and it is completely different hardware, so I can't imagine 3 different Windows 64 Bit installations being wrong. The only other thing I can think of is something related to the external WD passport drive. So I updated the firmware and all software but it didn't help.

With SpeedStep disabled the time was 2 minutes 17 seconds, so a little slower than with it activated. There is no Turbo Boost config.
Jan 24, 2015 at 4:11 AM
Thanks for the tests.

Well, Linux seems to know how to use your CPU better than Windows! VeraCrypt code is the same for both versions and as I said on other Core-i7 machines the performances on Windows are on a par with those of Linux.

This will remain a mystery for now...
Jan 24, 2015 at 10:11 PM
NOTE: If anyone needs to know the detailed steps of how to un-encrypt a volume/container while running Clonezilla so you can store your image backups, let me know and I can do a write-up and post it here.
Jan 25, 2015 at 12:52 AM
Thanks for the proposal pjc123. I think it will be helpful for many people who want to secure their backups and if you do such write-up, I can create a dedicated web page for it (giving you credit of course) so that it can be linked more easily from outside and it can be advertized on VeraCrypt twitter and Facebook accounts.
Jan 26, 2015 at 12:22 AM
OK, I am almost done with a first draft that I wrote in LibreOffice. It is 6 pages long, so definitely needed some formatting for ease of reading. How can I send it to you when I am done so that you can take a quick look and make sure that the VeraCrypt portion of it is the best way to do things?
Jan 26, 2015 at 5:28 AM
Thank you again for your efforts.

You can send it by email to any of the addresses present on the contact page.
You can also post it anonymously if you wish on Sourceforge forum which allows attaching files: that way, I will be the only one to have access to it as I'm its moderator and I'll delete the post after getting the document.
Jan 27, 2015 at 7:40 AM
Thank you pjc123 for sending your document.
For now, I created a web page containing various contributions including yours: https://veracrypt.codeplex.com/wikipage?title=Contributed%20Resources
Don't hesitate if you have any comments.
Marked as answer by pjc123 on 1/27/2015 at 4:42 AM