Fast, Scripted Access to Encrypted Volumes using Dropbox and VeraCrypt

So I finally decided to move everything to the cloud and use Dropbox pretty much exclusively for all my data. The problem is I still wanted an extra layer of security for confidential information (password management, banking, insurance and personal identification) in the event of Dropbox having a serious security breach or someone hacking into my account.

For this I wanted to use VeraCrypt as a portable install along with the encrypted volume and store both within Dropbox so they could be accessed anywhere. There are already great how-to guides on setting up a VeraCrypt container if you need help getting started.

Just remember not to make your volume too large. When the volume is unmounted, it will look like a single file to Dropbox, so any changes will cause the entire file to be synchronised, which could take some time. For the types of files I wanted to store it probably doesn’t need to be larger than a few hundred MB. If you need more than this, it might be sensible to repeat this process and create separate VeraCrypt containers for the different types of document you need to protect.

Faster Access to your Container

We could easily stop here but for me, the process of using VeraCrypt to access the volume is a bit long-winded. I wanted to just double-click and enter my password without worrying about locating the container and manually mounting the drive.

Thankfully VeraCrypt comes with a great command line interface which meant I could essentially script the entire process with fairly minimal effort. I decided to make a small batch file that could also live within Dropbox:

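@echo off
rem Container file name (relative to the start folder) and the drive letter to use.
set volume=\Secure
set mountDrive=X
rem Full path to the container, built from the current directory.
set target=%cd%%volume%

rem One-line console window; the title bar carries the status text.
mode con cols=50 lines=1
rem VeraCrypt Portable lives in the Vera subfolder.
cd Vera
IF EXIST %mountDrive%:\ (GOTO dismount) ELSE (GOTO mount)

:mount
title Target: %volume%
color 0A
rem Prompt for the password without echoing it, via a PowerShell SecureString prompt.
set "psCommand=powershell -Command "$pword = read-host '[  Mount  ] Password' -AsSecureString ; ^
    $BSTR=[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pword); ^
        [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)""
for /f "usebackq delims=" %%p in (`%psCommand%`) do set password=%%p
rem Quote the path and password so values containing spaces are passed intact.
veracrypt /q /s /v "%target%" /l %mountDrive% /a /p "%password%" /e /b
rem Clear the plain-text password from the environment as soon as it has been used.
set "password="
cls
color 0E
echo|set /P=[ Mounting ] Please Wait...

:while
rem Poll once a second instead of spinning a CPU core while the volume mounts.
timeout /t 1 /nobreak >nul
IF EXIST %mountDrive%:\ (GOTO dismount) ELSE (GOTO while)

:dismount
cls
title Mounted: %volume% [%mountDrive%:]
color 0C
rem set /P waits for Enter without moving the cursor to a new line.
set /P exitCode= [Dismount] Press Enter
veracrypt /q /s /d %mountDrive%

cls
(GOTO mount)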

After saving this with a .bat extension in Dropbox alongside the container and VeraCrypt Portable I had what I needed; double-click this file, enter a password and the volume opens straight up.

But wait, what’s going on here? Let’s break it down bit by bit to explain what we’re doing and why.

Selecting the Container and Volume Letter

After turning off echo, we start by setting up a few variables for the file we want to mount and the drive letter we want it to use. 

volume is the name of the VeraCrypt container we created earlier. I called mine ‘Secure’ so we set this to \Secure

mountDrive is the drive letter we want to mount to. I’m hardcoding this; theoretically you could do something to find an available letter, but X is usually available and keeps things nice and simple.

target is the full path to the VeraCrypt volume file. Here the file is in the same directory as the batch file so I can use %cd% to get the current directory and then use %volume% to add the file name to this path. E.g. ‘C:\Users\Eric\Dropbox\Secure’

Creating a really compact UI

Your options are limited with scripts but you can do a few things to make using it a bit more pleasant. For batch files, mode con controls the window size and the color command can add some more visual context. Additionally, title allows you to change the title of the window itself; I’m using this so we can keep the actual window really discreet and still show what the script is currently doing. The cls command just clears the console window to keep things tidy between the stages.

Checking the current state

Next we use cd to change to the folder containing our portable VeraCrypt software, for me, this is in the same location inside a folder called ‘Vera’. Then, just to be sure the drive isn’t already mounted, we want to check for the existence of our drive letter. Based on this, we want to go to either the :mount or :dismount section of the script.

Mounting the Volume

I set the window title and use green text to signal that we are going to mount the volume. Now, we need to provide the password in the command to VeraCrypt but by default, if we type this into our command window, it will appear on the screen in plain text. As with any password, we want to hide our input. To do this I’m using a bit of PowerShell wizardry courtesy of StackOverflow. Then, it’s simply a case of calling our VeraCrypt install with some command line options to tell it how to mount the volume.

/q /s runs VeraCrypt with no prompts or error messages and only keeps the application open long enough to complete the command.

/v is our volume and /l is the drive letter we want to mount to so we pass in the target and mountDrive variables respectively.

/a automatically mounts the volume and /p is for the password we need to decrypt it so we pass in our password variable.

Finally, /e opens the volume in an explorer window and /b causes a system beep to confirm the command completed. You can leave either/both of these off if you want to keep the process completely silent.

A full list of command line options can be found in their Command Line Usage Documentation.

After this, there is a short while loop that waits for the volume to be properly mounted before giving you the option to dismount it again.

Dismounting the Volume

The dismount is really simple; all we are doing here is using set for a variable called exitCode. This doesn’t get used for anything but is an alternative to the pause command and, unlike pause, doesn’t put the cursor on to a new line. A new line would push the text up and would mean our window height would need to be another line taller just to compensate for it. (You may have noticed we used it with ‘echo’ further up to achieve the same effect.)

Then we call VeraCrypt again with the same /q /s we saw before but this time using /d and passing in our mountDrive to dismount the volume.

For future improvement
  • Instead of just hard-coding the drive letter for mounting the volume, it would be better to find an available letter in case the one we wanted to use is already taken.
  • To get around the limits of Dropbox and volume sizes, it would be good to have this handle multiple volumes, even if they all used the same password. Either that or, based on the provided password, only the correct volumes would mount.
  • It would be great to extend the portable applications to have a MacOS and Linux version of VeraCrypt and then use a similar script for those operating systems to make it easier to access the protected volume from more devices.
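
One way to implement the first two improvements, as an added PowerShell example that is not part of the original post: it picks the first free drive letter, tries one password against several containers with a bounded wait instead of an endless loop, and wipes the password buffer afterwards. The second container name, the preferred-letter list and the helper function names are assumptions; the VeraCrypt switches are the ones used in the batch file above.

```powershell
# Added example. Assumed layout: this .ps1 sits beside the containers, VeraCrypt Portable in .\Vera.
$veraCrypt  = Join-Path $PSScriptRoot 'Vera\VeraCrypt.exe'
$containers = 'Secure', 'Secure-Docs'   # 'Secure-Docs' is a hypothetical second volume

function Get-FreeDriveLetter {
    param([string[]]$Preferred = @('X', 'Y', 'Z', 'W', 'V'), [string[]]$Exclude = @())
    # Letters Windows currently reports as logical drives.
    $used = @([System.IO.DriveInfo]::GetDrives() | ForEach-Object { $_.Name.Substring(0, 1) })
    $free = $Preferred | Where-Object { $_ -notin $used -and $_ -notin $Exclude } |
        Select-Object -First 1
    if (-not $free) { throw 'None of the preferred drive letters is free.' }
    $free
}

function Wait-ForDrive {
    param([string]$Letter, [int]$TimeoutSeconds = 15)
    # Bounded poll: a wrong password must not leave the script waiting forever.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if ([System.IO.Directory]::Exists("${Letter}:\")) { return $true }
        Start-Sleep -Milliseconds 500
    }
    $false
}

$secure  = Read-Host '[ Mount ] Password' -AsSecureString
$bstr    = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$mounted = @()
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    foreach ($name in $containers) {
        $letter = Get-FreeDriveLetter -Exclude $mounted
        # Same switches as the batch file. /p still puts the password on VeraCrypt's
        # command line, where process-creation logging can record it.
        & $veraCrypt /q /s /v (Join-Path $PSScriptRoot $name) /l $letter /a /p $plain
        if (Wait-ForDrive $letter) { $mounted += $letter }
        else { Write-Warning "$name did not mount with this password." }
    }
} finally {
    # Wipe the unmanaged copy of the password and drop the managed reference.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

if ($mounted) {
    Read-Host "[Dismount] $($mounted -join ', ') mounted. Press Enter" | Out-Null
    foreach ($letter in $mounted) { & $veraCrypt /q /s /d $letter }
}
```

Containers that do not open with the entered password are skipped after the timeout, so only the matching volumes end up mounted.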
