VeraCrypt

Command Line Usage for Linux and macOS

This section applies to VeraCrypt on Unix-like systems, including Linux and macOS. The Windows command-line syntax is documented separately in Command Line Usage for Windows.

To display the command-line help for the installed VeraCrypt build in a terminal, run:

veracrypt -t --help

The -t or --text option selects the text user interface and must be specified as the first argument. Without -t, veracrypt --help may show the graphical help window when the graphical user interface is available.

Syntax

veracrypt [OPTIONS] COMMAND

veracrypt [OPTIONS] VOLUME_PATH [MOUNT_DIRECTORY]

If no explicit command is specified and a volume path is given, VeraCrypt mounts the volume. When MOUNT_DIRECTORY is omitted, VeraCrypt uses the default mount directory.

Commands

--auto-mount=devices|favorites Auto-mount device-hosted volumes, favorite volumes, or both when the values are combined with a comma.
--backup-headers [VOLUME_PATH] Back up volume headers to a file. Required values not specified on the command line are requested from the user.
-c or --create [VOLUME_PATH] Create a new volume. Most values are requested from the user if not specified on the command line. See also --encryption, --filesystem, --hash, --keyfiles, --password, --pim, --random-source, --quick, --size, and --volume-type.
--create-keyfile [FILE_PATH] Create a new keyfile containing pseudo-random data.
-C or --change [VOLUME_PATH] Change a volume password, PIM, keyfiles, and/or header key derivation algorithm. See also --hash, --new-hash, --new-keyfiles, --new-password, --new-pim, --password, --pim, and --random-source.
-u or --unmount [MOUNTED_VOLUME], -d or --dismount [MOUNTED_VOLUME] Unmount a mounted volume. If no mounted volume is specified, all mounted VeraCrypt volumes are unmounted. --dismount is deprecated; use --unmount.
--delete-token-keyfiles Delete keyfiles from security tokens.
--export-token-keyfile Export a keyfile from a security token.
--import-token-keyfiles Import keyfiles to a security token. See also --token-lib.
-l or --list [MOUNTED_VOLUME] Display mounted volumes. By default, only the volume path, virtual device, and mount point are shown. Use --verbose for more details.
--list-token-keyfiles Display all available token keyfiles.
--list-securitytoken-keyfiles Display all available security token keyfiles.
--list-emvtoken-keyfiles Display all available EMV token keyfiles.
--mount [VOLUME_PATH] Mount a volume interactively. The volume path and missing options are requested from the user.
--restore-headers [VOLUME_PATH] Restore volume headers from the embedded backup header or from an external backup file.
--save-preferences Save user preferences.
--test Test internal algorithms used in the process of encryption and decryption.
--version Display VeraCrypt version information.
--volume-properties [MOUNTED_VOLUME] Display properties of a mounted volume.

MOUNTED_VOLUME

A mounted volume can be specified in any of the following forms:

Options

--allow-insecure-mount Allow mounting volumes on mount points that are in the user's PATH.
--allow-screencapture Allow VeraCrypt windows to be included in screenshots and screen recordings. This option applies to macOS builds.
--background-task Start the VeraCrypt background task.
--display-password Display password characters while typing.
--encryption=ENCRYPTION_ALGORITHM Use the specified encryption algorithm when creating a new volume. For cascades, use the algorithm name shown by VeraCrypt, for example AES-Twofish.
--explore Open a file manager window after the volume is mounted.
--filesystem=TYPE Filesystem type to mount or create. For mounting, the type is passed to the system mount command. none disables filesystem mounting or creation. Supported creation types depend on the platform: Linux supports FAT, Ext2, Ext3, Ext4, NTFS, exFAT, and Btrfs; macOS supports FAT, HFS/HFS+/MacOsExt, exFAT, and APFS; FreeBSD and Solaris builds support FAT and UFS. Non-FAT creation requires the corresponding system formatter to be available.
-f or --force Force mounting of a volume in use, unmounting of a volume in use, or overwriting a file. The exact effect depends on the operating system.
--fs-options=OPTIONS Filesystem mount options passed to the system mount command with -o. This option is available on Linux and other Unix-like builds where supported, but not on macOS.
--hash=HASH Use the specified header key derivation algorithm when mounting, creating a volume, or changing password/keyfiles. This option also specifies the mixing hash of the random number generator when applicable.
-h or --help Display detailed command-line help.
-k KEYFILE1[,KEYFILE2,...] or --keyfiles=KEYFILE1[,KEYFILE2,...] Use the specified keyfiles. When a directory is specified, all files inside it are used non-recursively. Use a double comma (,,) for a comma contained in a keyfile name. A keyfile stored on a security token can be specified as token://slot/SLOT_NUMBER/file/FILENAME; an EMV token keyfile can be specified as emv://slot/SLOT_NUMBER. Use -k "" to disable interactive keyfile prompts.
--legacy-password-maxlength Use the legacy maximum password length of 64 UTF-8 bytes.
--load-preferences Load user preferences before processing command-line options, allowing command-line options to override preferences.
-m OPTION1[,OPTION2,...] or --mount-options=OPTION1[,OPTION2,...] Set VeraCrypt volume mount options. Supported options are headerbak, nokernelcrypto, readonly or ro, system, and timestamp or ts.
--new-hash=HASH Set the new header key derivation algorithm when changing a volume password or keyfiles. This option is used with --change.
--new-keyfiles=KEYFILE1[,KEYFILE2,...] Set the new keyfiles when changing a volume password or keyfiles. This option is used with --change.
--new-password=PASSWORD Set the new password when changing a volume password or keyfiles. This option is used with --change.
--new-pim=PIM Set the new PIM when changing a volume password or keyfiles. This option is used with --change.
--no-size-check Disable the check that verifies the requested container size against available free disk space.
--non-interactive Do not interact with the user. This option is supported only in text mode.
-p PASSWORD or --password=PASSWORD Use the specified password to mount or open a volume. An empty password can be specified with -p "".
--pim=PIM Use the specified PIM to mount or open a volume.
--protect-hidden=yes|no Write-protect a hidden volume when mounting an outer volume. If enabled, VeraCrypt uses the hidden volume credentials to determine the hidden area and protects it against writes.
--protection-hash=HASH Use the specified header key derivation algorithm for the hidden volume protected by --protect-hidden=yes.
--protection-keyfiles=KEYFILE1[,KEYFILE2,...] Use the specified keyfiles for the hidden volume protected by --protect-hidden=yes.
--protection-password=PASSWORD Use the specified password for the hidden volume protected by --protect-hidden=yes.
--protection-pim=PIM Use the specified PIM for the hidden volume protected by --protect-hidden=yes.
--quick Enable quick formatting when creating a volume. This option must not be used when creating an outer volume.
--random-source=FILE Use the specified file as a source of random data, for example when creating a volume.
--slot=SLOT Use the specified slot number when mounting, unmounting, listing, or displaying properties of a volume.
--size=SIZE[K|KiB|M|MiB|G|GiB|T|TiB] or --size=max Use the specified size when creating a new volume. If no suffix is specified, the value is interpreted in bytes. max uses all available free space.
--stdin Read the password from standard input. This option can be used only with --non-interactive and cannot be combined with --password.
-t or --text Use the text user interface. This option must be specified as the first argument.
--token-lib=LIB_PATH Use the specified PKCS #11 security token library.
--token-pin=PIN Use the specified security token PIN.
--use-dummy-sudo-password Use a dummy password in sudo to detect whether sudo is already authenticated. This option is available on Linux and FreeBSD builds.
-v or --verbose Enable verbose output.
--volume-type=normal|hidden Use the specified volume type when creating a new volume.

Security Notes

Passing a password, PIM, token PIN, or hidden-volume protection password on the command line can be insecure because command-line arguments may be visible in process listings, shell history, or system logs. When possible, let VeraCrypt prompt for sensitive values interactively, or use --stdin with --non-interactive where appropriate. Users must also follow the security requirements and precautions listed in Security Requirements and Precautions.
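
One way to check process listings or shell history for the exposure described above is the following shell function. It is an added example, not part of VeraCrypt or its documentation; the function names, the sample command lines, and the choice to treat an empty value or a PIM of 0 as non-sensitive are assumptions made for illustration.

```shell
# Added example: report veracrypt command lines that expose secrets in argv.
# Reads one command line per line on stdin (for example `ps -eo args` output
# or a shell history file), prints offending lines with the values masked,
# and returns 1 if any were found. Tokens are split on whitespace only.
audit_veracrypt_argv() {
    awk '
    # Classify an option name: "pw" (password or token PIN), "pim", or "".
    function kind(opt) {
        if (opt ~ /^--(new-|protection-)?password$/) return "pw"
        if (opt == "--token-pin" || opt == "-p") return "pw"
        if (opt ~ /^--(new-|protection-)?pim$/) return "pim"
        return ""
    }
    # Assumption: an empty value, or a PIM of 0 as in the examples on this
    # page, is not a secret; any other value is.
    function sensitive(k, val) {
        gsub(/^["\047]|["\047]$/, "", val)
        return !(val == "" || (k == "pim" && val == "0"))
    }
    /(^|[ \/])veracrypt( |$)/ {
        hit = 0
        for (i = 1; i <= NF; i++) {
            opt = $i; val = ""; inline = 0
            eq = index(opt, "=")
            if (opt ~ /^--/ && eq > 0) {
                val = substr(opt, eq + 1); opt = substr(opt, 1, eq - 1); inline = 1
            }
            k = kind(opt)
            if (k == "") continue
            if (!inline && i < NF) val = $(i + 1)
            if (!sensitive(k, val)) continue
            if (inline) $i = opt "=***"; else $(i + 1) = "***"
            hit = 1
        }
        if (hit) { print; found = 1 }
    }
    END { exit (found ? 1 : 0) }
    '
}

# Constructed sample input (not real history): two exposing lines, two clean.
sample_lines() {
    cat <<'EOF'
veracrypt -t --password=hunter2 --pim=485 volume.hc /media/veracrypt1
/usr/bin/veracrypt -t -p s3cret -k "" volume.hc
veracrypt -t -k "" --pim=0 --protect-hidden=no volume.hc /media/veracrypt1
veracrypt -t --non-interactive --stdin --pim=0 --protect-hidden=no volume.hc /media/veracrypt1
EOF
}
```

Running sample_lines | audit_veracrypt_argv prints the first two lines with their secret values replaced by *** and returns a non-zero status; the interactive and --stdin forms pass unreported.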

Examples

Create a new volume using the text user interface:

veracrypt -t -c

Mount a volume:

veracrypt volume.hc /media/veracrypt1

Mount a volume read-only, using keyfiles:

veracrypt -m ro -k keyfile1,keyfile2 volume.hc /media/veracrypt1

Mount a volume without mounting its filesystem:

veracrypt --filesystem=none volume.hc

Mount a volume prompting only for its password:

veracrypt -t -k "" --pim=0 --protect-hidden=no volume.hc /media/veracrypt1

Mount a volume non-interactively and read the password from standard input:

printf '%s\n' "$VERACRYPT_PASSWORD" | veracrypt -t --non-interactive --stdin --pim=0 --protect-hidden=no volume.hc /media/veracrypt1

List mounted volumes with detailed information:

veracrypt -t -v --list

Unmount a volume:

veracrypt -u volume.hc

Unmount all mounted VeraCrypt volumes:

veracrypt -u

Hidden Volume Creation in Text Mode

Inexperienced users should use the graphical user interface to create a hidden volume. When using the text user interface, the following procedure must be followed:

  1. Create an outer volume with no filesystem.
  2. Create a hidden volume within the outer volume.
  3. Mount the outer volume using hidden volume protection.
  4. Create a filesystem on the virtual device of the outer volume.
  5. Mount the new filesystem and fill it with data.
  6. Unmount the outer volume.

If hidden volume protection is triggered at any step, start again from the first step.