
Private and Secure Journaling with VeraCrypt

I would like to go back to the idea of a private journal as a test for how much faith you actually have in the privacy and security tools you're using.

In my post keeping a private digital diary, I asked whether a cloud-based service is really necessary for diary keeping. With any cloud storage that you don't host yourself, you are storing your private thoughts on a server managed by someone else, decreasing true privacy and security.

If you trust your own ability to manage and back up your own data, then keeping your diary on a local device not connected to the Internet seems the best option, although in a worst-case scenario, like theft or a fire, you could lose everything you've written. Keeping a physical backup off site (or on your phone) might be a solution here, but that backup must be inaccessible to anyone but you.

Just like the traditional lock-and-key diaries still sold in (toy) stores today, we need a way to lock digital diaries, keeping prying eyes at bay.

I want to explore one tool for encrypting your personal diary and/or backups. VeraCrypt is the closest I have come to (almost) fully trusting the privacy and security of my digitally written musings, though in the end, a paper journal still feels more secure.

VeraCrypt works on all major platforms.

VeraCrypt

VeraCrypt is an encryption tool. It allows the user to digitally lock any digital file or folder. It is not diary or writing software; I only want to look at using VeraCrypt to lock the diary.

The interface can be confusing at first. It appears basic and simple, but as a new user, you might feel unsure where to start. Thankfully, there is good tutorial-style support online, and VeraCrypt's own "Beginner's Tutorial" with screenshots, is clear and helpful:

VeraCrypt interface
VeraCrypt Beginner's Tutorial

Once you are ready to encrypt your file or drive with a password, VeraCrypt asks you to move your mouse pointer randomly, for quite a long time! This feels like a strange experimental game, but once that's done, you are ready to mount the file or drive and start storing your writing (or anything else), fully encrypted.

As with any zero-knowledge software, VeraCrypt cannot help you out if you lose your password (there is no backdoor), so make sure you store it securely, either in a notebook or in a secure password manager like KeePass or Bitwarden.

Different approaches to storing your diary

VeraCrypt provides several options for encryption, and I would like to look at how these could help solve the problem of writing privately and securely on a computer.

The first method is to create an encrypted file. VeraCrypt documentation calls this a container, because you can decide the size of the file yourself, and place other files (like a diary text file) within it, which automatically encrypts them. It makes more sense to view the container file as a directory folder, though it will appear as a single file in your system when locked.

It is even possible to store and play audio and video files in this way. The FAQ, linked below, explains on-the-fly encryption and decryption.

The container method allows you to move, rename, duplicate, delete and store the file anywhere you like. Just like with a KeePass password database file, which contains all your passwords but can only be opened with your master password, it seems to me perfectly fine to store this encrypted file anywhere you like, even on a commercial cloud storage platform, if that suits your workflow best.[1]

Another approach is to first create the encrypted container file as explained above, and then move it to a regularly formatted USB stick for physical portability. An added bonus is that you could also store the VeraCrypt software on the same USB drive.

It is possible to encrypt an entire USB stick (or hard drive partition) using VeraCrypt. Any file stored on the encrypted drive will be encrypted.

The only way to access the files stored in this way is by mounting the drive using the VeraCrypt software and your password. You will also need your system's admin password.

If you are comfortable with creating partitions on disks, another option is to encrypt a section of your USB drive, and store the VeraCrypt software on the regular partition. That way, you can take your diary and the software to unlock it with you anywhere. The only thing to keep truly private (in your head) is the password.

Keep in mind that whichever of the three methods you use, you will need to mount the encrypted file or USB stick to access your diary, using VeraCrypt. This is not difficult, but it can be a little confusing at first, so I highly recommend reading their Beginner's Tutorial.

On my Linux system, I need to fill in my administrator's password after I have entered the VeraCrypt file password. There is a way to use VeraCrypt on a Windows machine not administered by you, but it's probably best to avoid that situation and only use VeraCrypt on devices you own.
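The three methods above all come down to the same loop: create a container, mount it with VeraCrypt, write, dismount. Below is a small POSIX shell wrapper around VeraCrypt's Linux command-line interface that walks through that loop. It is an added example, not code from The Privacy Dad's post or from the VeraCrypt project, and it also carries two checks drawn from later in the post: it refuses to mount a container that sits inside a cloud-synced folder (the lock-out described under "Problems"), and it warns when the chosen container size exceeds the FAT32 file limit mentioned in the documentation notes. The paths ($HOME/diary, $HOME/Cloud), the 200M default size and the cipher and hash choices are assumptions made for this example; the password itself is always typed at VeraCrypt's own prompt, never on the command line.

```shell
#!/bin/sh
# Added example (not from the original post or the VeraCrypt project): a POSIX
# shell wrapper around VeraCrypt's text-mode CLI on Linux for a diary container.
# Assumptions, all constructed for this example:
#   - the `veracrypt` binary is on PATH (not needed when DRY_RUN=1)
#   - the container lives under $HOME/diary, a plain local directory
#   - anything under $HOME/Cloud is mirrored by a sync client
set -eu

VC_BIN="${VC_BIN:-veracrypt}"
DRY_RUN="${DRY_RUN:-0}"            # 1 = print the command lines instead of running them
CONTAINER="${CONTAINER:-$HOME/diary/journal.hc}"
MOUNT_POINT="${MOUNT_POINT:-$HOME/diary/mnt}"
SYNCED_DIR="${SYNCED_DIR:-$HOME/Cloud}"
FAT32_MAX=4294967295               # largest single file FAT32 can hold (4 GiB minus one byte)

# Run veracrypt, or just show the command line when DRY_RUN=1.
vc() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$VC_BIN $*"
  else
    "$VC_BIN" "$@"
  fi
}

# Convert a VeraCrypt --size argument (plain bytes, or a K/M/G suffix) to bytes.
size_to_bytes() {
  n=${1%[KMGkmg]}
  case "$1" in
    *[Kk]) echo $((n * 1024)) ;;
    *[Mm]) echo $((n * 1024 * 1024)) ;;
    *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
    *)     echo "$n" ;;
  esac
}

# Returns 0 if a container of this size could be copied onto a FAT32 USB stick.
fits_fat32() {
  [ "$(size_to_bytes "$1")" -le "$FAT32_MAX" ]
}

# Returns 0 if the path is outside the cloud-synced folder, 1 if it is inside it.
# Mounting straight out of a sync folder is the lock-out the post describes;
# the fix there was to work on a locally synced copy instead.
is_local_path() {
  case "$1" in
    "$SYNCED_DIR"/*) return 1 ;;
    *)               return 0 ;;
  esac
}

# Create a new container. Password, PIM and keyfiles are entered at VeraCrypt's
# own prompts, so they never land in shell history or the process list.
# --random-source replaces the "move your mouse" step of the GUI.
create_diary() {
  path=$1; size=$2
  is_local_path "$path" || { echo "refusing: $path is inside $SYNCED_DIR" >&2; return 1; }
  fits_fat32 "$size" || echo "note: $size exceeds the FAT32 file limit; a FAT32 USB stick cannot hold it" >&2
  vc --text --volume-type normal --create "$path" --size "$size" \
     --encryption AES --hash SHA-512 --filesystem FAT --random-source /dev/urandom
}

# Mount the container, open the diary in $EDITOR, dismount when the editor exits.
# VeraCrypt prompts for the container password and then sudo asks for the
# system password: the two prompts the post mentions on Linux.
open_diary() {
  is_local_path "$CONTAINER" || { echo "refusing: mount a local copy, not $CONTAINER" >&2; return 1; }
  mkdir -p "$MOUNT_POINT"
  vc --text --mount "$CONTAINER" "$MOUNT_POINT"
  [ "$DRY_RUN" = "1" ] || "${EDITOR:-nano}" "$MOUNT_POINT/diary.txt"
  vc --text --dismount "$MOUNT_POINT"
}

case "${1:-}" in
  create) create_diary "$CONTAINER" "${2:-200M}" ;;
  open)   open_diary ;;
  *)      echo "usage: $0 create [SIZE] | open" >&2 ;;
esac
```

Run `./diary.sh create` once, then `./diary.sh open` each time you want to write; `DRY_RUN=1 ./diary.sh open` prints the VeraCrypt commands without touching anything, which is a handy way to see what the GUI is doing behind the scenes. Dismounting in the same script as mounting removes the "did I lock it again?" doubt after each writing session.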

Problems

When I first opened VeraCrypt, I was confused. My usual click-and-see-what-happens method didn't result in anything useful. But the Beginner's Tutorial provided all the answers I needed.

At one point, I was not able to open a container file I had created. I felt frustration and panic at the thought I might have locked myself out of my own diary. The issue was that VeraCrypt was unable to open my file directly from the cloud. The solution was to create a synced local copy of the container, and mount that instead.

Having to open separate encryption software, find and enter your password, and then fill in the system's master password each time you want to write can be a small but nonetheless unhelpful barrier to writing.

If you haven't used VeraCrypt in a while, you might find yourself having to consult the Beginner's Tutorial again to remember how to get started. The interface is not intuitive that way.

Conclusions

I like that VeraCrypt just sticks to one thing and does it well. The developers are committed to keeping VeraCrypt free and open source.

This single-tool approach makes VeraCrypt useful for a range of applications where encryption is required. It is possible to make the encrypted container invisible on your system, or even to create a hidden operating system!

I have focused on diary writing here, because the thought experiment of digitally documenting a personal secret really helps clarify privacy and security issues. It also shows how well VeraCrypt addresses these.

I have recently been experimenting with similarly advanced privacy and security tools, like Qubes OS and GrapheneOS, and am glad developers are investing their time and energy into such tools for public use. I can imagine VeraCrypt might be a life-saver for someone with a high threat model. You can support the project financially via their Donation page.

I wrote a digital diary for a while using VeraCrypt, but eventually returned to paper. A physical journal can be discovered or lost in a fire, but I enjoy getting away from screens and using pen and paper for the process of collecting and sorting out my own thoughts.

Documentation

VeraCrypt is cross-platform (Windows, macOS, Linux), but keep in mind that if you wanted to use the USB methods I describe above (portable USB with the VeraCrypt software on a partition) on different platforms, you would have to ensure you have the different versions of VeraCrypt saved on the open USB partition and format it as a FAT32 drive, so it can be read by all operating systems. On Linux, VeraCrypt itself only takes up 60 MB, so the 4 GB file limit of FAT32 should not be a problem, though I have not yet tested this approach.

VeraCrypt site

VeraCrypt Beginner's Tutorial

VeraCrypt FAQ

From the FAQ:

How can I use VeraCrypt on a USB flash drive?
You have three options:

  1. Encrypt the entire USB flash drive. However, you will not be able to run VeraCrypt from the USB flash drive.
  2. Create two or more partitions on your USB flash drive. Leave the first partition non encrypted and encrypt the other partition(s). You can store VeraCrypt on the first partition in order to run it directly from the USB flash drive. Note: Windows can only access the primary partition of a USB flash drive, nevertheless the extra partitions remain accessible through VeraCrypt.
  3. Create a VeraCrypt file container on the USB flash drive (for information on how to do so, see the chapter Beginner's Tutorial, in the VeraCrypt User Guide). If you leave enough space on the USB flash drive (choose an appropriate size for the VeraCrypt container), you will also be able to store VeraCrypt on the USB flash drive (along with the container – not in the container) and you will be able to run VeraCrypt from the USB flash drive (see also the chapter Portable Mode in the VeraCrypt User Guide).

KeePass password manager

Bitwarden password manager

FAT32 explanation


[1] The only concern is that future quantum computers might be powerful enough to break this type of encryption, but these don't yet exist, as far as we know, and I don't know enough about this to comment further.

#digitalprivacy #journal #journey #review #veracrypt