VeraCrypt On The Command Line for Windows

Introduction

This is part of my ongoing series on the VeraCrypt encryption utility. If you’ve not kept up, in my first post of the series, “VeraCrypt – A Powerful Encryption Utility“, I covered the basics of VeraCrypt including how to get it, use it through the GUI, and how the series was inspired by the Grumpy Old Bens podcast.

In the second post, “Creating and Using Hidden Containers in VeraCrypt“, I covered how to create a hidden container, adding an extra level of security to your containers.

My previous post, “VeraCrypt on the Command Line for macOS“, showed how to call VeraCrypt from within a script on the macOS platform.

The commands to call VeraCrypt from the command line are very different for each platform. As such, I’ve broken them out into individual blog posts.

In this entry you’ll see how to call VeraCrypt on Windows 10.

Prerequisites

Obviously, you’ll need to have VeraCrypt installed. My first post in the series, “VeraCrypt – A Powerful Encryption Utility“, covers where to get it from.

For this post, we’ll also be using the CMD mode to execute the commands. Do note that on most installations of Windows these days, PowerShell has replaced CMD as the default terminal shell. If you open up a command window and see PowerShell, all you have to do is type in CMD and hit Enter, and you’ll be switched to CMD mode.

Code Samples

While I will be providing samples here, you should also check out the project I have on GitHub that goes with this post, VeraCrypt-CommandLine-Examples.

I’ll update it over time as needed, and it may be easier for you to download, or cut and paste from it.

One item I want to mention, unlike the macOS version, the Windows version of VeraCrypt lacks the ability to list containers. So for this post we’ll only be able to include creation, mounting and dismounting of containers.

OK, let’s get started!

Creating a Container

Let’s begin by looking at the full command to create a container, then we will break it down into its individual components. While your blog reader or webpage may wrap the line, in your script (or command line) it should all be entered as a single line of text.

"C:\Program Files\VeraCrypt\VeraCrypt Format.exe" /create "C:\temp\vctest.vc" /size "200M" /password MySuperSecurePassword1! /encryption AES /hash sha-512 /filesystem exfat /pim 0 /silent

First up is the command to call. If you installed VeraCrypt to the default folder, you’ll find it in C:\Program Files\VeraCrypt\

The command to create a new volume is actually a separate executable from the rest of VeraCrypt. It is “VeraCrypt Format.exe”.

Note there is indeed a space in the file name! Thus you have to enclose the entire thing in double quotes.

"C:\Program Files\VeraCrypt\VeraCrypt Format.exe"

Next is the command to create a volume, /create. You follow it with the path and file name to create. If you omit the path it will create the volume in the current directory you are running the script from.

As with all file names, if it has a space you must include double quotes. Otherwise they are optional, but it doesn’t hurt to have them.

/create "C:\temp\vctest.vc"

We now need to tell VeraCrypt how big to make the volume. VeraCrypt includes shortcuts for M (Megabytes), G (Gigabytes), T (Terabytes) and K (Kilobytes). If you omit a letter, it assumes bytes.

For this demo we are making it small, so will use 200M to indicate 200 Megabytes.

/size "200M"

Next up is the password to use to encrypt the volume. In a “real world” situation, you should probably pass it into the script or get it using an alternate method.

To keep this demo simple, I’m just going to embed the password using the “super secure” password I’ve used throughout this series of blog posts.

As with file names, if your password has spaces you’ll need to enclose it in double quotes.

/password MySuperSecurePassword1!

Now we need to provide the encryption algorithm to use. VeraCrypt supports a vast array of algorithms, see their documentation for the supported list.

For this demo, we’ll use the popular AES.

/encryption AES

Many algorithms require you to provide an encryption hashing method. For AES, we’ll use the strong SHA-512.

/hash sha-512

In order to keep this container portable across OS’s we’ll format using exfat. Be aware though that to use exfat on a Mac, you’ll have to install macFUSE (see my previous post on macOS for more info).

/filesystem exfat

The PIM is a special number that allows you to specify the number of times the hashing algorithm executes. It’s a bit more complex than that; if you want full details, see the VeraCrypt documentation at:

https://documentation.help/VeraCrypt/Personal%20Iterations%20Multiplier%20(PIM).html

For now, we can pass it the value of 0, which tells it to use the default value.

/pim 0

The final parameter is /silent. By default VeraCrypt will display dialogs notifying you of its progress, as well as when it is complete.

In a scripting situation you would normally not want this, so we add the silent switch to suppress the messages.

Note this does have one side effect: if there are any errors, those are suppressed too, so you won’t be aware of them. The most common of these would be an attempt to create a volume with a file name that already exists.

/silent

You now have everything you need to create a VeraCrypt volume. Note that there is one more parameter that we didn’t use in the example, but you may want to know about.

/force

Normally, if you are trying to create a new volume and that file already exists, VeraCrypt will pop up a dialog (assuming you’ve not used /silent) warning you the volume you are trying to create already exists. It will then give you the choice of canceling or overwriting the existing file.

The /force parameter suppresses the message and always overwrites the file.

So hopefully you’ve now created your own volume using the commands in this section. Let’s now see how to mount it.

Mounting a VeraCrypt Volume

Mounting is very simple, here is the full command, then we’ll take a look at each part. As before, it should be all a single line.

"C:\Program Files\VeraCrypt\VeraCrypt.exe" /volume "C:\temp\vctest.vc" /letter x /password MySuperSecurePassword1! /quit /silent

We start with the command to VeraCrypt. This assumes you have installed to the default folder.

"C:\Program Files\VeraCrypt\VeraCrypt.exe"

Next we provide the /volume parameter, with the path to and the file name of the file to mount.

/volume "C:\temp\vctest.vc"

Volumes in VeraCrypt appear as a drive letter to Windows. As such we need to provide a letter to use. Note if you use a drive letter already in use, you’ll get an error.

The letter can be provided in either upper or lower case.

If you don’t know a drive letter, or don’t care what letter is used, then you can omit this parameter completely. When you do, VeraCrypt will use the first available drive letter it finds.

/letter x

Next up is the password that was used to encrypt the volume. In a “real world” situation, you should probably pass it into the script, or get it using an alternate method.

To keep this demo simple, I’m just going to embed the password using the “super secure” password I’ve used throughout this series of blog posts.

As with file names, if your password has spaces you’ll need to enclose it in double quotes.

/password MySuperSecurePassword1!

Next we provide the quit parameter. By default, if you omit it then the VeraCrypt dialog will remain on the screen. Using quit will close the VeraCrypt dialog, something usually desired if you are running a script.

/quit

Finally we’ll add the /silent parameter. This has the same effect as it did in the create function, suppressing any dialogs. Be aware that for /silent to work, you must also have used the /quit parameter.

/silent

At this point hopefully all went well, and you have created a volume as well as mounted it. Once you are done with a volume, you’ll need to dismount it, the subject of the next section.

Dismounting VeraCrypt Volumes

The command to dismount a volume is the simplest of all.

"C:\Program Files\VeraCrypt\VeraCrypt.exe" /dismount X /quit /silent /force

Let’s look at the individual components of the command.

We start with the command to VeraCrypt. This assumes you have installed to the default folder.

"C:\Program Files\VeraCrypt\VeraCrypt.exe"

Next is the dismount parameter. You pass in the drive letter associated with the volume to dismount. As with mounting, the case of the drive letter does not matter.

If you omit the drive letter, VeraCrypt will dismount ALL currently mounted volumes.

/dismount X

We now provide the quit parameter. By default, if you omit it then the VeraCrypt dialog will remain on the screen. Using quit will close the VeraCrypt dialog, something usually desired if you are running a script.

/quit

Now we append the /silent parameter, to suppress any dialogs as we did in the previous sections. As with mounting, for /silent to work we must also include /quit.

/silent

Finally we provide the force parameter. If some app is accessing the volume, for example Windows File Explorer, it will prevent VeraCrypt from dismounting.

The force parameter tells VeraCrypt to dismount the volume, no matter what. Your inclusion of force is up to you, depending on your situation.

For the demo, we’ll include it.

/force

And that’s all there is to it. It’s a best practice to dismount all of your volumes when you are done with them, and especially before shutting down your computer.

This will ensure any operations that are copying data to your encrypted volume have completed, ensuring the data does not get corrupted.
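The mount and dismount sections note that a real script should not embed the password and that /silent hides errors. The following is an added example, not code from this post or its GitHub project, written in PowerShell rather than CMD: it prompts for the password and confirms the result by checking the drive letter. The function names are hypothetical; the paths and letter are the post's demo values.

```powershell
# Added example (not from the original post). Function names are hypothetical.
$VeraCrypt = 'C:\Program Files\VeraCrypt\VeraCrypt.exe'

function Test-VcDrive([char]$Letter) {
    # Ask .NET directly so a freshly mounted or dismounted letter is seen at once.
    return [System.IO.Directory]::Exists("${Letter}:\")
}

function Mount-VcVolume {
    param(
        [Parameter(Mandatory)][string]$Volume,
        [Parameter(Mandatory)][char]$Letter
    )
    # /silent would hide all of these failures, so check them up front.
    if (-not (Test-Path -LiteralPath $VeraCrypt -PathType Leaf)) { throw "VeraCrypt not found at $VeraCrypt" }
    if (-not (Test-Path -LiteralPath $Volume -PathType Leaf))    { throw "Volume file not found: $Volume" }
    if (Test-VcDrive $Letter)                                     { throw "Drive ${Letter}: is already in use" }

    # Prompt instead of storing the password in the script file.
    $secure = Read-Host -Prompt "Password for $Volume" -AsSecureString
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    try {
        # Same switches as the post's mount command. The password is still a
        # command-line argument of VeraCrypt.exe while it runs, and a password
        # containing a double quote would break the quoting used here.
        $vcArgs = "/volume `"$Volume`" /letter $Letter /password `"$plain`" /quit /silent"
        Start-Process -FilePath $VeraCrypt -ArgumentList $vcArgs -Wait
    }
    finally {
        $plain = $null   # drop the plaintext copy as soon as the call returns
    }
    # No dialog was shown, so the drive letter is the only evidence of success.
    if (-not (Test-VcDrive $Letter)) {
        throw "Mount failed: ${Letter}: did not appear (wrong password or damaged volume?)"
    }
}

function Dismount-VcVolume {
    param([Parameter(Mandatory)][char]$Letter, [switch]$Force)
    $vcArgs = "/dismount $Letter /quit /silent"
    if ($Force) { $vcArgs += ' /force' }   # only when open files may be cut off
    Start-Process -FilePath $VeraCrypt -ArgumentList $vcArgs -Wait
    if (Test-VcDrive $Letter) {
        throw "Drive ${Letter}: is still mounted (files in use? retry with -Force)"
    }
}

Mount-VcVolume -Volume 'C:\temp\vctest.vc' -Letter X
# ... work with X:\ here ...
Dismount-VcVolume -Letter X
```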

Conclusion

This post covered how to create, mount and dismount VeraCrypt volumes in Windows 10. The technique should also be applicable to Windows 7 and 8, if you are still on those platforms.


Free Microsoft E-Books!

Yes, you read that right, free! Microsoft has lost their minds and is now giving away a rather large collection of e-books, yours for the taking.

They cover quite a range of subjects too, including ASP.Net, Office, SharePoint, SQL Server, Visual Studio, Windows, Azure, Phone 7, and Server. As you would expect they come in PDF format, but it gets better! They also have them in MOBI and EPUB formats, so if you have a device that supports them you get a full featured experience. (I know Kindle uses the MOBI format and Apple’s iBook EPUB, not sure what other readers use).

You can get these goodies from:

http://social.technet.microsoft.com/wiki/contents/articles/11608.e-book-gallery-for-microsoft-technologies.aspx

Looks like I have many more late nights of reading ahead of me. Oh well, I guess three hours of sleep a night ought to be fine for anyone. 

The MVP Program–My Experience

Recently I saw two posts in which former participants wrote about issues they perceived in the Microsoft MVP program. I’d like to take a moment to contrast their experience with mine, specifically commenting on points made in the post by Onuora Amobi titled “My year as a Microsoft MVP and the 7 reasons Microsoft need to fix their MVP program”. I’ll then add a few thoughts about Rob Eisenberg’s post “How I Lost, Regained, and then Turned Down an MVP Award”.

Unfortunately, these gentlemen had a bad experience with the MVP program. This is disappointing, as I truly believe the MVP program is great, based on my own experiences. Let me respond to the 7 points made in the first post, and contrast them with my experiences as a SQL Server MVP since 2008.

What’s the Point?

Mr. Amobi stated “The MVP program seemed rather pointless”. To me, the point was quite clear from the outset. The information and tools provided to me allowed me to further enhance my ability to be a conduit for the community. I had contacts to pass information to from the community, and vice versa.

Additionally the MSDN/TechNet subscriptions gave me the ability to further enhance my knowledge of Microsoft products. Just recently I’ve been practicing setting up a scale-out deployment of SSRS. No way I would have been able to have 3 different Windows Servers plus 3 SQL Server licenses without the benefit. I’m now going to be able to pass this information on to the community in the form of new presentations, blog posts, and the like.

Quality Control

Here the author echoed a point from Rob Eisenberg’s post in which he met an MVP who had limited knowledge of Technology X, the subject of this MVP’s award. However, this person had continually posted and retweeted information about Technology X.

A major consideration of the MVP Award is about reaching the community with information about Technology X. Getting information into the hands of people who use that technology. Microsoft judged that this person was doing an effective job of helping the community, and hence the award. Technical competence is certainly important, but it’s not the only criterion for getting an MVP award.

Lack of Communication

Mr. Amobi complains there were no opportunities to participate. Yet he passed up the main chance of the year to communicate with the teams, the MVP Summit. For me the summit is the place I learn new things, give feedback to the teams, and learn things covered by my NDA. It’s where I learn what new technologies I should be focused on so I’ll be ready to help the community when they are released. Perhaps if he had attended he would have had the chance for the interaction that he desired.

Being an MVP also helped solidify relationships with other areas in Microsoft. The developer evangelist for our region, Glen Gordon, checks in with the MVPs in this area regularly. He often participates with us in events, or provides assistance for our Code Camps and SQL Saturdays.

NDA for what?

The author says that during his year he didn’t have any opportunities for calls or interactions with the teams, and hence no reason for his NDA. In addition to the summit, our SQL lead sends out weekly e-mails in which he lists upcoming conference calls / interactions with product teams, almost all of which are covered under NDA.

For him to get none of these notices is disappointing. Clearly someone dropped the ball. Our lead in the SQL group (who just moved to a new assignment) was very good about us getting this information. I hope Mr. Amobi didn’t wait for the end of his year to point this out. I’ve made it a point to make friends with as many of the Developer Evangelists, other MVPs (including those in other disciplines) and other MVP leads. This not only gives me multiple ways of reaching out, but more importantly has let me make some great friends.

Career Impact

Mr. Amobi didn’t see any benefit, career wise to being an MVP. For me it’s had a huge impact. Through my MVP award I was given the opportunity to participate in not one but two books. My current job at Pragmatic Works is also a direct result of being an MVP.

Arbitrary Renewals

The author first makes the assertion that his award wasn’t renewed because he was asking questions such as the ones in his post. I really can’t speak to that, but if it were the case many long time SQL MVPs wouldn’t be here anymore. As a rule most of us are pretty opinionated, and have no issues speaking out when we see problems with the program, or what Microsoft is doing in general.

That said, I have no inside information on the people who decide who gets an MVP award. Perhaps he’s right, and they did indeed drop him for the reasons he states.

He then makes a statement that I consider rather risky.

“I’ll put my Web or FaceBook or Google or Twitter or Technology stats up against any MVP and I guarantee that I represent the voice of thousands of Microsoft consumers way more than they do.”

I know MVPs who are “household” names in the SQL world.  I’m not doubting the reach of Mr. Amobi, clearly he has made significant contributions for which I applaud him. And in the consumer realm he may even be right. But in my opinion statements like the above degrade the conversation into a “mine is bigger than yours” contest.

Now let me speak to the arbitrariness of the award. In the other article I cited by Rob Eisenberg he complained the process of getting the award is a black box. He’s exactly right, it is. It’s a combination of achievements plus subjective judgment on the part of the Microsoft product teams.

That’s done for a very specific reason. If there were a set formula you would have people who would game the system, do things just to meet some minimum requirement in order to gain the perceived benefits of being an MVP. At that point it would cease to be an award and instead become another credential.

I much prefer the current system. I have a much greater confidence that the people who get the award are deserving people who are interested in helping the community, and not just trying to get the award as another notch on their career belt.

It’s clear that this is not an important program to Microsoft

Based on my experiences this could not be further from the truth. Just in money alone Microsoft has made a huge commitment to the program. But what really speaks to me is the involvement of the very highest level of Microsoft management. Had he attended the summit he would have seen Steve Ballmer himself addressing the crowd. When the CEO along with a slate of vice presidents takes time to address the audience it speaks volumes about Microsoft’s commitment.

True, as an MVP I had to pay part of the cost. Budgets are tight for everyone. I felt the program was so important though I paid for two of the last three summits out of my own pocket. But it was an investment in me and my career. I made contacts and solidified relationships that are mutually beneficial for me and my fellow MVPs.

Another word or two…

I’d like to take just a moment to address a few points from Rob Eisenberg’s post. He was upset that his MVP lead apparently didn’t know enough about his accomplishments, and seemed insulted that he should have to fill out a spreadsheet detailing his activities.

I know our SQL MVP lead has to deal with at least 300 just in our discipline. I’m not sure of the exact number, but there’s just no humanly possible way that even with a fantastic relationship they could be expected to know every single contribution a person makes to the community over the course of a year. I made it as positive an experience as I could. It was a great time to update my resume, to add my community involvement, book authoring, etc.

I would like to say Rob makes a point about open source, although I do see some shifting of Microsoft’s involvement with open source. They established the CodePlex site, and use it as a conduit for distributing the SQL Server sample databases. They are now giving support for jQuery, and most recently announced support for Hadoop. 

While I wish they could move a bit faster, they do have a very tricky legal tight rope to walk. Many licenses in the open source world require that should code be used from that project derivatives must also be open source. For a company who makes money selling software and guarding trade secrets, this is not the ideal situation.

There is one point I totally agree with Rob on though. The format of the spreadsheet was pretty lame. 

The mystical MVP program

It saddens me that the two gentlemen had such negative experiences. I wish a better job could have been done to keep talented people like these in the program. I am glad though they continue to be supportive of the community.

As for me, becoming an MVP was one of the highlights of my life, both personally and professionally. It opened doors for me, giving me a chance to fulfill a dream of becoming an author. It opened the door to become an employee of one of the most prestigious BI consulting firms in the world.

Most importantly, it has allowed me to make friends with some of the top professionals in not just the SQL community, but other disciplines such as .Net and SharePoint. The level of excellence these people have makes me strive even harder to stay on top of my game.

For me, my MVP experience has been nothing but positive, and I will continue to serve as long as I can.