Note that this section applies to the Windows version of VeraCrypt. For information on command line usage applying to the Linux and Mac OS X versions, please run: veracrypt -h
/help or /? | Display command line help. |
/truecrypt or /tc | Activate TrueCrypt compatibility mode which enables mounting volumes created with TrueCrypt 6.x and 7.x series. |
/hash | It must be followed by a parameter indicating the PRF hash algorithm to use when mounting the volume. Possible values for /hash parameter are: sha256, sha-256, sha512, sha-512, whirlpool, blake2s and blake2s-256. When /hash is omitted, VeraCrypt will try all possible PRF algorithms thus lengthening the mount operation time. |
/volume or /v |
It must be followed by a parameter indicating the file and path name of a VeraCrypt volume to mount (do not use when dismounting) or the Volume ID of the disk/partition to mount. |
/letter or /l | It must be followed by a parameter indicating the drive letter to mount the volume as. When /l is omitted and when /a is used, the first free drive letter is used. |
/explore or /e | Open an Explorer window after a volume has been mounted. |
/beep or /b | Beep after a volume has been successfully mounted or dismounted. |
/auto or /a | If no parameter is specified, automatically mount the volume. If devices is specified as the parameter (e.g., /a devices), auto-mount all currently accessible device/partition-hosted VeraCrypt volumes. If favorites is specified as the parameter, auto-mount favorite volumes. Note that /auto is implicit if /quit and /volume are specified. If you need to prevent the application window from appearing, use /quit. |
/dismount or /d | Dismount volume specified by drive letter (e.g., /d x). When no drive letter is specified, dismounts all currently mounted VeraCrypt volumes. |
/force or /f | Forces dismount (if the volume to be dismounted contains files being used by the system or an application) and forces mounting in shared mode (i.e., without exclusive access). |
/keyfile or /k | It must be followed by a parameter specifying a keyfile or a keyfile search path. For multiple keyfiles, specify e.g.: /k c:\keyfile1.dat /k d:\KeyfileFolder /k c:\kf2 To specify a keyfile stored on a security token or smart card, use the following syntax: token://slot/SLOT_NUMBER/file/FILE_NAME |
/tryemptypass | Applies ONLY when a default keyfile is configured or when a keyfile is specified on the command line. If it is followed by y or yes or if no parameter is specified: try to mount using an empty password and the keyfile before displaying the password prompt. If it is followed by n or no: don't try to mount using an empty password and the keyfile, and display the password prompt right away. |
/nowaitdlg | If it is followed by y or yes or if no parameter is specified: don't display the waiting dialog while performing operations like mounting volumes. If it is followed by n or no: force the waiting dialog to be displayed while performing operations. |
/secureDesktop | If it is followed by y or yes or if no parameter is specified: display password dialog and token PIN dialog in a dedicated secure desktop to protect against certain types of attacks. If it is followed by n or no: the password dialog and token PIN dialog are displayed in the normal desktop. |
/tokenlib | It must be followed by a parameter indicating the PKCS #11 library to use for security tokens and smart cards. (e.g.: /tokenlib c:\pkcs11lib.dll) |
/tokenpin | It must be followed by a parameter indicating the PIN to use in order to authenticate to the security token or smart card (e.g.: /tokenpin 0000). Warning: This method of entering a smart card PIN may be insecure, for example, when an unencrypted command prompt history log is being saved to unencrypted disk. Command-line arguments can also be visible to other processes running on the system and may be recorded by process-creation auditing. |
/cache or /c | If it is followed by y or yes or if no parameter is specified: enable password cache;
If it is followed by p or pim: enable both password and PIM cache (e.g., /c p). If it is followed by n or no: disable password cache (e.g., /c n). If it is followed by f or favorites: temporarily cache the password when mounting multiple favorites (e.g., /c f). Note that turning the password cache off will not clear it (use /w to clear the password cache). |
/history or /h | If it is followed by y or no parameter: enables saving history of mounted volumes; if it is followed by n: disables saving history of mounted volumes (e.g., /h n). |
/wipecache or /w | Wipes any passwords cached in the driver memory. |
/password or /p | It must be followed by a parameter indicating the volume password. If the password contains spaces, it must be enclosed in quotation marks (e.g., /p "My Password"). Use /p "" to specify an empty password. Warning: This method of entering a volume password may be insecure, for example, when an unencrypted command prompt history log is being saved to unencrypted disk. Command-line arguments can also be visible to other processes running on the system and may be recorded by process-creation auditing. |
/pim | It must be followed by a positive integer indicating the PIM (Personal Iterations Multiplier) to use for the volume. |
/quit or /q | Automatically perform requested actions and exit (main VeraCrypt window will not be displayed). If preferences is specified as the parameter (e.g., /q preferences), then program settings are loaded/saved and they override settings specified on the command line. /q background launches the VeraCrypt Background Task (tray icon) unless it is disabled in the Preferences. |
/silent or /s | If /q is specified, suppresses interaction with the user (prompts, error messages, warnings, etc.). If /q is not specified, this option has no effect. |
/mountoption or /m |
It must be followed by a parameter which can have one of the values indicated below. ro or readonly: Mount volume as read-only. rm or removable: Mount volume as removable medium (see section Volume Mounted as Removable Medium). ts or timestamp: Do not preserve container modification timestamp. sm or system: Without pre-boot authentication, mount a partition that is within the key scope of system encryption (for example, a partition located on the encrypted system drive of another operating system that is not running). Useful e.g. for backup or repair operations. Note: If you supply a password as a parameter of /p, make sure that the password has been typed using the standard US keyboard layout (in contrast, the GUI ensures this automatically). This is required due to the fact that the password needs to be typed in the pre-boot environment (before Windows starts) where non-US Windows keyboard layouts are not available. bk or headerbak: Mount volume using embedded backup header. Note: All volumes created by VeraCrypt contain an embedded backup header (located at the end of the volume). recovery: Do not verify any checksums stored in the volume header. This option should be used only when the volume header is damaged and the volume cannot be mounted even with the mount option headerbak. Example: /m ro label=LabelValue: Use the given string value LabelValue as a label of the mounted volume in Windows Explorer. The maximum length for LabelValue is 32 characters for NTFS volumes and 11 characters for FAT volumes. For example, /m label=MyDrive will set the label of the drive in Explorer to MyDrive. noattach: Only create virtual device without actually attaching the mounted volume to the selected drive letter. Please note that this switch may be present several times in the command line in order to specify multiple mount options (e.g.: /m rm /m ts) |
/DisableDeviceUpdate | Disables the periodic internal check on devices connected to the system that is used for handling favorites identified with VolumeID and replaces it with on-demand checks. |
/protectMemory | Activates a mechanism that protects VeraCrypt process memory from being accessed by other non-admin processes. |
/signalExit | It must be followed by a parameter specifying the name of the signal to send to unblock a waiting WAITFOR.EXE command when VeraCrypt exits. The name of the signal must be the same as the one specified to the WAITFOR.EXE command (e.g., "veracrypt.exe /q /v test.hc /l Z /signal SigName" followed by "waitfor.exe SigName"). This switch is ignored if /q is not specified. |
/create | Create a container based volume in command line mode. It must be followed by the file name of the container to be created. |
/size |
(Only with /create)
|
/password | (Only with /create) It must be followed by a parameter indicating the password of the container that will be created. |
/keyfile or /k | (Only with /create) It must be followed by a parameter specifying a keyfile or a keyfile search path. For multiple keyfiles, specify e.g.: /k c:\keyfile1.dat /k d:\KeyfileFolder /k c:\kf2 To specify a keyfile stored on a security token or smart card, use the following syntax: token://slot/SLOT_NUMBER/file/FILE_NAME |
/tokenlib | (Only with /create) It must be followed by a parameter indicating the PKCS #11 library to use for security tokens and smart cards. (e.g.: /tokenlib c:\pkcs11lib.dll) |
/tokenpin | (Only with /create) It must be followed by a parameter indicating the PIN to use in order to authenticate to the security token or smart card (e.g.: /tokenpin 0000). Warning: This method of entering a smart card PIN may be insecure, for example, when an unencrypted command prompt history log is being saved to unencrypted disk. |
/hash | (Only with /create) It must be followed by a parameter indicating the PRF hash algorithm to use when creating the volume. It has the same syntax as VeraCrypt.exe. |
/encryption | (Only with /create) It must be followed by a parameter indicating the encryption algorithm to use. The default is AES if this switch is not specified. The parameter can have the following values (case insensitive):
|
/filesystem | (Only with /create) It must be followed by a parameter indicating the file system to use for the volume. The parameter can have the following values /*
Legal Notice: Some portions of the source code contained in this file were
derived from the source code of Encryption for the Masses 2.02a, which is
Copyright (c) 1998-2000 Paul Le Roux and which is governed by the 'License
Agreement for Encryption for the Masses'. Modifications and additions to
the original source code (contained in this file) and all other portions
of this file are Copyright (c) 2003-2010 TrueCrypt Developers Association
and are governed by the TrueCrypt License 3.0 the full text of which is
contained in the file License.txt included in TrueCrypt binary and source
code distribution packages. */
#include "Common/Tcdefs.h"
#include "Platform/Platform.h"
#include "Volume/VolumeHeader.h"
#include "FatFormatter.h"
#include "RandomNumberGenerator.h"
namespace VeraCrypt
{
// Working set of FAT layout parameters. The formatter fills in num_sectors,
// sector_size, cluster_size and volume_name; GetFatParams() derives the rest,
// and PutBoot()/PutFSInfo() serialize them into on-disk structures.
struct fatparams
{
	char volume_name[11];	/* volume label copied verbatim into the boot sector (no NUL terminator) */
	uint32 num_sectors; /* total number of sectors */
	uint32 cluster_count; /* number of clusters */
	uint32 size_root_dir; /* size of the root directory in bytes */
	uint32 size_fat; /* FAT entry width in bits: 12, 16 or 32 */
	uint32 fats;		/* number of FAT copies */
	uint32 media;		/* media descriptor byte */
	uint32 cluster_size;	/* sectors per cluster (0 on input = pick a default) */
	uint32 fat_length;	/* length of one FAT, in sectors */
	uint16 dir_entries;	/* number of root directory entries */
	uint16 sector_size;	/* bytes per sector */
	uint32 hidden;		/* number of hidden sectors */
	uint16 reserved;	/* number of reserved sectors */
	uint16 sectors;		/* 16-bit total sector count field (0 when total_sect is used) */
	uint32 total_sect;	/* 32-bit total sector count field (0 when sectors is used) */
	uint16 heads;		/* geometry: number of heads */
	uint16 secs_track;	/* geometry: sectors per track */
};
// Derives the complete FAT layout for a volume.
//
// Reads ft->num_sectors, ft->sector_size and ft->cluster_size (0 requests a
// default cluster size) and fills in every other field of *ft, selecting
// FAT12, FAT16 or FAT32 from the resulting cluster count.
//
// NOTE(review): ft->sector_size is used as a divisor throughout and is not
// checked here; the caller must guarantee it is non-zero.
// NOTE(review): fatsecs is unsigned, so a volume with fewer sectors than the
// root directory plus the reserved area would wrap around instead of failing.
// Presumably callers enforce a minimum volume size - confirm.
static void GetFatParams (fatparams * ft)
{
	uint64 volumeSize = (uint64) ft->num_sectors * ft->sector_size;
	unsigned int fatsecs;

	if(ft->cluster_size == 0)	// 'Default' cluster size
	{
		uint32 clusterSize;

		// Determine optimal cluster size to minimize FAT size (mounting delay), maximize number of files, keep 4 KB alignment, etc.
		if (volumeSize >= 2 * BYTES_PER_TB)
			clusterSize = 256 * BYTES_PER_KB;
		else if (volumeSize >= 512 * BYTES_PER_GB)
			clusterSize = 128 * BYTES_PER_KB;
		else if (volumeSize >= 128 * BYTES_PER_GB)
			clusterSize = 64 * BYTES_PER_KB;
		else if (volumeSize >= 64 * BYTES_PER_GB)
			clusterSize = 32 * BYTES_PER_KB;
		else if (volumeSize >= 32 * BYTES_PER_GB)
			clusterSize = 16 * BYTES_PER_KB;
		else if (volumeSize >= 16 * BYTES_PER_GB)
			clusterSize = 8 * BYTES_PER_KB;
		else if (volumeSize >= 512 * BYTES_PER_MB)
			clusterSize = 4 * BYTES_PER_KB;
		else if (volumeSize >= 256 * BYTES_PER_MB)
			clusterSize = 2 * BYTES_PER_KB;
		else if (volumeSize >= 1 * BYTES_PER_MB)
			clusterSize = 1 * BYTES_PER_KB;
		else
			clusterSize = 512;

		// Convert the byte size into sectors per cluster and clamp it:
		// at least 1 sector, at most TC_MAX_FAT_CLUSTER_SIZE bytes, at most 128 sectors.
		ft->cluster_size = clusterSize / ft->sector_size;

		if (ft->cluster_size == 0)
			ft->cluster_size = 1;

		if (ft->cluster_size * ft->sector_size > TC_MAX_FAT_CLUSTER_SIZE)
			ft->cluster_size = TC_MAX_FAT_CLUSTER_SIZE / ft->sector_size;

		if (ft->cluster_size > 128)
			ft->cluster_size = 128;
	}

	// Very small volumes always use one sector per cluster, overriding even
	// a cluster size supplied by the caller.
	if (volumeSize <= TC_MAX_FAT_CLUSTER_SIZE * 4)
		ft->cluster_size = 1;

	// Geometry always set to SECTORS/1/1
	ft->secs_track = 1;
	ft->heads = 1;

	ft->dir_entries = 512;
	ft->fats = 2;
	ft->media = 0xf8;
	ft->hidden = 0;

	// Each root directory entry occupies 32 bytes
	ft->size_root_dir = ft->dir_entries * 32;

	// FAT12
	// Start with the smallest format; the blocks below recompute the layout
	// when the cluster count exceeds what the current entry width supports.
	ft->size_fat = 12;
	ft->reserved = 2;
	fatsecs = ft->num_sectors - (ft->size_root_dir + ft->sector_size - 1) / ft->sector_size - ft->reserved;
	ft->cluster_count = (int) (((int64) fatsecs * ft->sector_size) / (ft->cluster_size * ft->sector_size));
	// 12-bit entries: 1.5 bytes per cluster, rounded up to whole sectors
	ft->fat_length = (((ft->cluster_count * 3 + 1) >> 1) + ft->sector_size - 1) / ft->sector_size;

	if (ft->cluster_count >= 4085) // FAT16
	{
		ft->size_fat = 16;
		ft->reserved = 2;
		fatsecs = ft->num_sectors - (ft->size_root_dir + ft->sector_size - 1) / ft->sector_size - ft->reserved;
		ft->cluster_count = (int) (((int64) fatsecs * ft->sector_size) / (ft->cluster_size * ft->sector_size));
		// 16-bit entries: 2 bytes per cluster, rounded up to whole sectors
		ft->fat_length = (ft->cluster_count * 2 + ft->sector_size - 1) / ft->sector_size;
	}

	if(ft->cluster_count >= 65525) // FAT32
	{
		ft->size_fat = 32;
		// Pre-decremented because the loop increments before first use,
		// so the first candidate is 32 reserved sectors.
		ft->reserved = 32 - 1;

		do
		{
			ft->reserved++;

			fatsecs = ft->num_sectors - ft->reserved;
			// The FAT32 root directory is sized as one cluster
			ft->size_root_dir = ft->cluster_size * ft->sector_size;
			ft->cluster_count = (int) (((int64) fatsecs * ft->sector_size) / (ft->cluster_size * ft->sector_size));
			// 32-bit entries: 4 bytes per cluster, rounded up to whole sectors
			ft->fat_length = (ft->cluster_count * 4 + ft->sector_size - 1) / ft->sector_size;

		// Align data area on TC_MAX_VOLUME_SECTOR_SIZE
		// (the loop repeats only for the legacy sector size; other sector sizes take the first candidate)
		} while (ft->sector_size == TC_SECTOR_SIZE_LEGACY
			&& (ft->reserved * ft->sector_size + ft->fat_length * ft->fats * ft->sector_size) % TC_MAX_VOLUME_SECTOR_SIZE != 0);
	}

	// Remove the clusters' worth of space taken up by the FAT copies themselves
	ft->cluster_count -= ft->fat_length * ft->fats / ft->cluster_size;

	// The sector total goes into the 32-bit field when it does not fit in
	// 16 bits or the volume is FAT32; the unused field is set to 0.
	if (ft->num_sectors >= 65536 || ft->size_fat == 32)
	{
		ft->sectors = 0;
		ft->total_sect = ft->num_sectors;
	}
	else
	{
		ft->sectors = (uint16) ft->num_sectors;
		ft->total_sect = 0;
	}
}
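// Serializes the FAT boot sector described by *ft into boot.
//
// ft        layout parameters, as filled in by GetFatParams()
// boot      destination buffer; exactly 512 bytes are written, so the buffer
//           must be at least that large regardless of ft->sector_size
// volumeId  volume serial number stored in the boot sector
//
// NOTE(review): multi-byte fields are stored through casted pointers at
// offsets that are not naturally aligned (e.g. offset 11 for bytes per
// sector). This relies on the target tolerating unaligned stores.
static void PutBoot (fatparams * ft, byte *boot, uint32 volumeId)
{
	int cnt = 0;

	boot[cnt++] = 0xeb;	/* boot jump */
	boot[cnt++] = 0x3c;
	boot[cnt++] = 0x90;
	memcpy (boot + cnt, "MSDOS5.0", 8); /* system id */
	cnt += 8;
	*(int16 *)(boot + cnt) = Endian::Little (ft->sector_size);	/* bytes per sector */
	cnt += 2;
	boot[cnt++] = (int8) ft->cluster_size;			/* sectors per cluster */
	*(int16 *)(boot + cnt) = Endian::Little (ft->reserved);		/* reserved sectors */
	cnt += 2;
	boot[cnt++] = (int8) ft->fats;					/* 2 fats */

	if(ft->size_fat == 32)
	{
		/* FAT32 has no fixed root directory: entry count is 0 */
		boot[cnt++] = 0x00;
		boot[cnt++] = 0x00;
	}
	else
	{
		*(int16 *)(boot + cnt) = Endian::Little (ft->dir_entries);	/* 512 root entries */
		cnt += 2;
	}

	*(int16 *)(boot + cnt) = Endian::Little (ft->sectors);		/* # sectors */
	cnt += 2;
	boot[cnt++] = (int8) ft->media;					/* media byte */

	if(ft->size_fat == 32)
	{
		/* 16-bit FAT size is 0 on FAT32; the 32-bit field below is used instead */
		boot[cnt++] = 0x00;
		boot[cnt++] = 0x00;
	}
	else
	{
		*(uint16 *)(boot + cnt) = Endian::Little ((uint16) ft->fat_length);	/* fat size */
		cnt += 2;
	}

	*(int16 *)(boot + cnt) = Endian::Little (ft->secs_track);	/* # sectors per track */
	cnt += 2;
	*(int16 *)(boot + cnt) = Endian::Little (ft->heads);			/* # heads */
	cnt += 2;
	*(int32 *)(boot + cnt) = Endian::Little (ft->hidden);		/* # hidden sectors */
	cnt += 4;
	*(int32 *)(boot + cnt) = Endian::Little (ft->total_sect);	/* # huge sectors */
	cnt += 4;

	if(ft->size_fat == 32)
	{
		*(int32 *)(boot + cnt) = Endian::Little (ft->fat_length); cnt += 4;	/* fat size 32 */
		boot[cnt++] = 0x00;	/* ExtFlags */
		boot[cnt++] = 0x00;
		boot[cnt++] = 0x00;	/* FSVer */
		boot[cnt++] = 0x00;
		boot[cnt++] = 0x02;	/* RootClus */
		boot[cnt++] = 0x00;
		boot[cnt++] = 0x00;
		boot[cnt++] = 0x00;
		boot[cnt++] = 0x01;	/* FSInfo */
		boot[cnt++] = 0x00;
		boot[cnt++] = 0x06;	/* BkBootSec */
		boot[cnt++] = 0x00;
		memset(boot+cnt, 0, 12); cnt+=12;	/* Reserved */
	}

	boot[cnt++] = 0x00;	/* drive number */   // FIXED 80 > 00
	boot[cnt++] = 0x00;	/* reserved */
	boot[cnt++] = 0x29;	/* boot sig */

	/* NOTE(review): unlike the other fields, the volume ID is stored without
	   an Endian::Little conversion - confirm this is intended. */
	*(int32 *)(boot + cnt) = volumeId;
	cnt += 4;

	memcpy (boot + cnt, ft->volume_name, 11);	/* vol title */
	cnt += 11;

	/* The filesystem type field is 8 bytes wide. Each literal is padded with
	   spaces to exactly 8 characters so the 8-byte copy never reads past the
	   end of the string literal. */
	switch(ft->size_fat) /* filesystem type */
	{
		case 12: memcpy (boot + cnt, "FAT12   ", 8); break;
		case 16: memcpy (boot + cnt, "FAT16   ", 8); break;
		case 32: memcpy (boot + cnt, "FAT32   ", 8); break;
	}
	cnt += 8;

	/* The boot code area is shorter on FAT32 because of the extended header above */
	memset (boot + cnt, 0, ft->size_fat==32 ? 420:448);	/* boot code */
	cnt += ft->size_fat==32 ? 420:448;
	boot[cnt++] = 0x55;
	boot[cnt++] = 0xaa;	/* boot sig */
}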
/* FAT32 FSInfo sector.
   Clears ft->sector_size bytes of sector and then writes the three FSInfo
   signatures plus the free-cluster count and next-free-cluster hint.
   NOTE(review): fields are written up to offset 511, so sector must hold at
   least 512 bytes even if ft->sector_size were smaller. */
static void PutFSInfo (byte *sector, fatparams *ft)
{
	/* Signature bytes in the order they appear on disk */
	static const byte leadSig[4]  = { 0x52, 0x52, 0x61, 0x41 };	/* LeadSig */
	static const byte strucSig[4] = { 0x72, 0x72, 0x41, 0x61 };	/* StrucSig */
	static const byte trailSig[4] = { 0x00, 0x00, 0x55, 0xaa };	/* TrailSig */

	memset (sector, 0, ft->sector_size);

	memcpy (sector, leadSig, sizeof (leadSig));
	memcpy (sector + 484, strucSig, sizeof (strucSig));

	// Free cluster count: all clusters minus those taken by the root directory
	const uint32 rootDirClusters = ft->size_root_dir / ft->sector_size / ft->cluster_size;
	*(uint32 *)(sector + 488) = Endian::Little (ft->cluster_count - rootDirClusters);

	// Next free cluster
	*(uint32 *)(sector + 492) = Endian::Little ((uint32) 2);

	memcpy (sector + 508, trailSig, sizeof (trailSig));
}
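// Writes an empty FAT12/16/32 filesystem through writeSector.
//
// writeSector  callback invoked once per sector, in on-disk order
// deviceSize   size of the target in bytes
// clusterSize  requested cluster size in bytes (0 = choose a default)
// sectorSize   sector size in bytes
//
// Throws ParameterIncorrect when sectorSize is outside 512..0xFFFF or when the
// device holds more sectors than fit in 32 bits.
void FatFormatter::Format (WriteSectorCallback &writeSector, uint64 deviceSize, uint32 clusterSize, uint32 sectorSize)
{
	fatparams fatParams;

#if TC_MAX_VOLUME_SECTOR_SIZE > 0xFFFF
#error TC_MAX_VOLUME_SECTOR_SIZE > 0xFFFF
#endif

	// The boot sector and FSInfo layouts written below occupy 512 bytes, and
	// the sector size is both truncated to 16 bits and used as a divisor.
	// Reject values that would overflow the sector buffer, truncate silently
	// or divide by zero.
	if (sectorSize < 512 || sectorSize > 0xFFFF)
		throw ParameterIncorrect (SRC_POS);

	fatParams.sector_size = (uint16) sectorSize;

	if (deviceSize / fatParams.sector_size > 0xffffFFFF)
		throw ParameterIncorrect (SRC_POS);

	fatParams.num_sectors = (uint32) (deviceSize / fatParams.sector_size);
	fatParams.cluster_size = clusterSize / fatParams.sector_size;

	// The label field is 11 bytes wide; the literal is space-padded to exactly
	// 11 characters so the copy never reads past the end of the string literal.
	memcpy (fatParams.volume_name, "NO NAME    ", 11);
	GetFatParams (&fatParams);
	fatparams *ft = &fatParams;

	SecureBuffer sector (ft->sector_size);
	uint32 sectorNumber = 0;

	/* Write the boot sector */
	// NOTE(review): the result of writeSector is ignored for the boot and
	// reserved sectors but checked for the FAT and root directory sectors
	// further down - confirm whether that difference is intended.
	sector.Zero();

	// Volume serial number taken from the random number generator
	uint32 volumeId;
	RandomNumberGenerator::GetDataFast (BufferPtr ((byte *) &volumeId, sizeof (volumeId)));

	PutBoot (ft, (byte *) sector, volumeId);
	writeSector (sector); ++sectorNumber;

	/* fat32 boot area */
	if (ft->size_fat == 32)
	{
		/* fsinfo */
		PutFSInfo((byte *) sector, ft);
		writeSector (sector); ++sectorNumber;

		/* reserved */
		while (sectorNumber < 6)
		{
			sector.Zero();
			sector[508+3] = 0xaa; /* TrailSig */
			sector[508+2] = 0x55;
			writeSector (sector); ++sectorNumber;
		}

		/* bootsector backup (sector 6, matching BkBootSec in the boot sector) */
		sector.Zero();
		PutBoot (ft, (byte *) sector, volumeId);
		writeSector (sector); ++sectorNumber;

		PutFSInfo((byte *) sector, ft);
		writeSector (sector); ++sectorNumber;
	}

	/* reserved */
	while (sectorNumber < (uint32)ft->reserved)
	{
		sector.Zero();
		writeSector (sector); ++sectorNumber;
	}

	/* write fat */
	for (uint32 x = 1; x <= ft->fats; x++)
	{
		for (uint32 n = 0; n < ft->fat_length; n++)
		{
			sector.Zero();

			// Only the first sector of each FAT copy carries the leading
			// entries (media byte followed by fill); the rest stay zeroed.
			if (n == 0)
			{
				byte fat_sig[12];
				if (ft->size_fat == 32)
				{
					fat_sig[0] = (byte) ft->media;
					fat_sig[1] = fat_sig[2] = 0xff;
					fat_sig[3] = 0x0f;
					fat_sig[4] = fat_sig[5] = fat_sig[6] = 0xff;
					fat_sig[7] = 0x0f;
					fat_sig[8] = fat_sig[9] = fat_sig[10] = 0xff;
					fat_sig[11] = 0x0f;
					memcpy (sector, fat_sig, 12);
				}
				else if (ft->size_fat == 16)
				{
					fat_sig[0] = (byte) ft->media;
					fat_sig[1] = 0xff;
					fat_sig[2] = 0xff;
					fat_sig[3] = 0xff;
					memcpy (sector, fat_sig, 4);
				}
				else if (ft->size_fat == 12)
				{
					fat_sig[0] = (byte) ft->media;
					fat_sig[1] = 0xff;
					fat_sig[2] = 0xff;
					fat_sig[3] = 0x00;
					memcpy (sector, fat_sig, 4);
				}
			}

			// Stop as soon as the callback reports false
			if (!writeSector (sector))
				return;
		}
	}

	/* write rootdir */
	for (uint32 x = 0; x < ft->size_root_dir / ft->sector_size; x++)
	{
		sector.Zero();
		if (!writeSector (sector))
			return;
	}
}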
}
|