About Performance
On Ubuntu, the encrypted volume mounts within seconds of logging in. But on Windows, it takes noticeably longer, sometimes over a minute.
I tested the script in Git Bash and again after porting it to Windows PowerShell; both took about the same time (30s to 80s). Let me know if you manage to reduce the Windows overhead, I’m all ears.
Background
Mounting a VeraCrypt volume usually requires entering a password and other details every time (even with auto-mount at logon enabled). This is by design and essential for security.
However, in my case, encryption is only meant to protect data if someone accidentally gains physical access to my drives (e.g., theft). But I don’t want this “just in case” scenario to interrupt my everyday workflow.
So, I set up a simple script to auto-mount my VeraCrypt volume whenever I log in. Since I dual-boot Windows and Ubuntu, the script needs to work on both.
No system drive encryption
I didn’t encrypt my system drive. That means I can’t just store my encryption keys as plain text on the OS drive.
Synopsis
I’ll use VeraCrypt to encrypt a partition on my drive, then use the Python keyring to store the encryption password, PIM, and keyfile paths. Finally, a script automates the decryption process and is triggered at logon of the selected user account (via Task Scheduler on Windows, and systemd on Ubuntu).
Note
The following guide assumes you dual boot into both Windows and Ubuntu as that was my case. However, if you don’t dual boot, simply following the relevant OS parts should be enough for you.
Prerequisites
For the following procedures to work, you should have:
- VeraCrypt
- A VeraCrypt encrypted drive/container (see previous post)
- Python (see installation guide)
- Git (optional but preferred)
Procedure
Step 01: Install Python keyring
The keyring is a Python library that provides easy access to system keyring services (e.g., Windows Credential Locker). I’ll use this library to store my encryption credentials once and then access them non-interactively via the script.
On Windows, install the keyring by running:
pip install keyring
On Ubuntu, install by running:
sudo apt update && sudo apt install python3-keyring
Verify installation by running the following command on a new terminal window:
keyring --help
Step 02: Store password, PIM, and keyfiles
Once keyring is installed, store each of the credentials:
keyring set veracrypt testvol.password # Enter your password
keyring set veracrypt testvol.pim # Enter PIM
keyring set veracrypt testvol.keyfiles # Comma-separated path/to/keyfiles
Enter the appropriate values after running each command, when prompted.
Step 03: Prepare the script
Here comes the main part. Since I want cross-platform compatibility, the script should run on both Windows and Ubuntu with minimal or no code changes. I’ve picked Bash for this purpose:
Note: There are slight differences between the two scripts, notably because partition names and VeraCrypt CLI syntax differ between the OSes.
Note
A better option might have been to use a Python script instead. That would eliminate the Git dependency. If you don’t want to use Git Bash on Windows, consider porting the code into Python using AI tools such as ChatGPT.
Once downloaded, modify the script to your requirements, e.g., change the DEVICE variable to point to the partition you want to mount. Test the scripts by running them.
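A Python version of the mount logic, as suggested in the note above. This is an added example, not the author's script: the device paths, mount point, drive letter and VeraCrypt.exe location are placeholders, and it assumes the keyring entries created in Step 02 and the sudoers rule set up later in this step.

```python
import subprocess
import sys

SERVICE, VOLUME = "veracrypt", "testvol"  # names used with `keyring set` in Step 02

def load_secrets():
    """Read password, PIM and keyfile list from the OS keyring."""
    import keyring  # lazy import: build_command() stays usable without it
    secrets = {f: keyring.get_password(SERVICE, f"{VOLUME}.{f}")
               for f in ("password", "pim", "keyfiles")}
    if not secrets["password"]:
        raise RuntimeError("no password returned (entry missing or keyring locked)")
    return secrets

def build_command(platform, device, target, secrets):
    """Return (argv, stdin_text) that mounts `device` at `target`."""
    pim = secrets.get("pim") or ""
    keyfiles = [k.strip() for k in (secrets.get("keyfiles") or "").split(",") if k.strip()]
    if platform.startswith("win"):
        # The Windows CLI takes the password only as an argument, so it is
        # visible in the process list while VeraCrypt runs. Never log argv.
        argv = [r"C:\Program Files\VeraCrypt\VeraCrypt.exe",  # assumed install path
                "/volume", device, "/letter", target,
                "/password", secrets["password"], "/quit", "/silent"]
        if pim:
            argv += ["/pim", pim]
        for path in keyfiles:
            argv += ["/keyfile", path]
        return argv, None
    # Linux: --stdin keeps the password out of argv; sudo -n fails instead of
    # prompting if the NOPASSWD rule is not in effect.
    argv = ["sudo", "-n", "veracrypt", "--text", "--non-interactive", "--stdin",
            f"--pim={pim or 0}", "--keyfiles=" + ",".join(keyfiles),
            "--protect-hidden=no", device, target]
    return argv, secrets["password"] + "\n"

def mount(device, target):
    argv, stdin_text = build_command(sys.platform, device, target, load_secrets())
    result = subprocess.run(argv, input=stdin_text, text=True, capture_output=True)
    if result.returncode != 0:
        raise RuntimeError(f"VeraCrypt exited {result.returncode}: {result.stderr.strip()}")

if __name__ == "__main__":
    # Placeholder device, drive letter and mount point: replace with your own.
    if sys.platform.startswith("win"):
        mount(r"\Device\Harddisk1\Partition1", "X")
    else:
        mount("/dev/sdXN", "/mnt/testvol")
```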
On Windows:
Ensure Git is installed. It will let us run Bash scripts. Once Git is ready, run (WIN + R):
"C:\Program Files\Git\bin\bash.exe" -c "/path/to/script.sh"
Note: Replace /path/to/script.sh with the actual script path in Git Bash form. For example, if the actual script path is C:\scripts\publish-win.sh, it becomes /c/scripts/publish-win.sh.
After the script runs, the target volume should be accessible via file managers (e.g., File Explorer).
On Ubuntu:
Ensure the script is executable by running:
chmod +x /path/to/script.sh
Then run the script:
/path/to/script.sh
You should notice that during the execution of this script, it still requires you to enter your user password. This is for the VeraCrypt CLI. To mitigate this:
sudo groupadd veracrypt-handler # Add a group for veracrypt
sudo usermod -aG veracrypt-handler <your_username> # Add your user to the group
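sudo visudo -f /etc/sudoers.d/veracrypt # Modify sudoers file
Now add the following line, then save:
%veracrypt-handler ALL=(root) NOPASSWD:/usr/bin/veracrypt
This rule lets every member of veracrypt-handler run /usr/bin/veracrypt as root with any arguments and without a password, so keep your own account as the group’s only member.
Now reboot your PC and re-run the script; it shouldn’t ask for your password.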
Note
If you enable automatic login for your user account via Ubuntu Settings, it may ask for your password to unlock the keyring.
Step 04: Set triggers for the script
On Windows:
I’ll be using the Task Scheduler:
- Open Task Scheduler.
- Click on Action, then Create Task.
- On the General tab, pick a desired name (e.g., mount-testvol).
- On the Triggers tab, click New. Set the following trigger options:
  - Begin the task: At logon
  - Set specific user to your user account
- On the Actions tab, click New. Set the following action options:
  - Action: Start a program
  - Program/script: "C:\Program Files\Git\bin\bash.exe"
  - Add arguments: -c "./publish-win.sh >> ./mount-testvol.log 2>&1"
  - Start in: /path/to/folder/containing/the/script
- On the Conditions tab, uncheck the option Start the task only if computer is on AC power.
- Rest can be kept as is.
- Now click on OK.
That’s it, the volume should auto-mount the next time you log into your Windows user account. Any logs/errors should be stored in a file called mount-testvol.log in the folder containing your script.
On Ubuntu:
I’ll use a systemd user service for this purpose. First, create the systemd user service:
nano ~/.config/systemd/user/mount-testvol.service
Enter and save the following content:
[Unit]
Description=Auto-mount VeraCrypt Volume at Login
After=graphical-session.target
[Service]
Type=oneshot
ExecStart=/home/testabyte/Documents/publish-linux.sh
ExecStop=/bin/sh -c 'sudo veracrypt --unmount /dev/sda'
RemainAfterExit=true
[Install]
WantedBy=default.target
Note: Modify the ExecStop command’s --unmount flag to point to the correct partition.
Once saved, enable this service:
systemctl --user daemon-reexec
systemctl --user enable mount-testvol.service
Manually test it by unmounting the volume and then running:
systemctl --user start mount-testvol.service # Should mount the volume
systemctl --user stop mount-testvol.service # Should unmount the volume
If everything seems okay, restart your computer and the volume should mount successfully upon logon.
Step-by-Step Screenshots
Refer to this gallery for screenshots of each step.