With just a USB drive, PortableApps, and VeraCrypt, you have what you need to create a portable, encrypted file and password manager that works on Windows, Mac, and Linux using simple plain-text files. PortableApps provides a Start Menu-like GUI and a selection of apps that can be installed through it. It is a convenient way to carry the rest of the apps you need, usually on a USB stick, to create and use your own portable file and password manager. While I’m also referring to it as a ‘password manager’, it’s just a file system with files and folders, so with VeraCrypt or other encryption you can create a password manager or secure anything else you’d prefer.
Update 2023-08-07: Added Security Weaknesses section to be fully transparent about the weaknesses of this solution. All solutions will have weaknesses but you can maintain best practices to reduce them.
Older updates are archived at the bottom under the Updates section.
How It Works
What you’ll be doing is creating a USB drive with the PortableApps software which, itself, allows you to install other ‘portable apps’, like VeraCrypt among many others. Then you’ll use VeraCrypt to create an encrypted volume. This can be mounted and used like any other drive in Windows, Mac, and Linux. You’ll use this drive to store your data in any way you wish.
First, you’ll install PortableApps on a USB drive. This creates the PortableApps ecosystem on the USB drive that allows you to carry it, and the rest of the apps you’ll use, with you wherever you go.
Next, you’ll install VeraCrypt using the PortableApps interface. VeraCrypt is used to create, mount, and manage encrypted volumes, which look just like normal files, and can be used as normal drives once mounted.
Finally, once a VeraCrypt volume is mounted, you use it like a regular drive. On Windows and Mac you can use Windows Explorer, Finder, or any other app with it; on Linux it’s a regular mount point that any app can use. Create and store files and folders in any way you like.
Because VeraCrypt transparently decrypts and encrypts your data, you can effectively create your own portable password manager and much more because it’s all just files and folders.
Resources:
Windows, Mac, and Linux
PortableApps works only in Windows and Mac but VeraCrypt is available in Windows, Mac, and Linux so for our purposes this works transparently and easily on each of these.
It is recommended to use the PortableApps version of VeraCrypt so you can carry it around with you, as opposed to downloading and installing it as a standalone app on each machine, which is possible but not convenient when you move around.
Resources:
Linux Command-line Cheatsheet:
# Create a mount point (mounting normally needs root, so you may need sudo)
mkdir /mnt/vcfs
# Create a VeraCrypt file system container
# - It will prompt you through each step (add -t / --text to force the text interface on a machine without a GUI)
# - PIM: Personal Iterations Multiplier (PIM); the maximum value is 2147468.
# - Press Enter to accept the defaults
veracrypt --create vcfs
# Mount the VeraCrypt file system container at the mount point
veracrypt --mount /path/to/vcfs /mnt/vcfs
# List mounted volumes
# - Helps when unmounting/dismounting, since it shows the container path of each mounted volume
veracrypt --list
# Unmount/Dismount the VeraCrypt file system (by container path)
veracrypt --dismount /path/to/vcfs
Managing Your Data: Not Just Passwords
VeraCrypt volumes are themselves simple looking files in Windows Explorer but, when mounted by VeraCrypt, they are shown in Windows as regular letter-assigned drives and in Linux as regular mount-point drives. So, you store your data using files and folders as you wish.
It’s not just plain-text files and it’s not just for passwords, either. It’s a regular drive so store anything you want: images, audio, video, documents, spreadsheets, etc.
Improving Security Potential
Reducing Decryption Exposure
When you mount a VeraCrypt volume, you enter a password, but the entire drive’s data is not decrypted all at once, so all of your data is not exposed at once. VeraCrypt decrypts just enough meta-data to let the volume work as a normal drive, and then decrypts each block on demand as an application reads it.
While you can use a VeraCrypt encrypted volume just as it is and have much greater security than normal, you can leverage the on-demand decryption to improve security potential further. I say potential because in computer security, nothing is guaranteed.
Consider this scenario: You store all your passwords in a single file on an encrypted VeraCrypt volume. You open that file in Notepad: Everything in that file is decrypted at once. The Notepad app can read it all. Can we trust Notepad? Let’s hope so. But then there are any number of layers of Windows and its APIs that can now theoretically read that data. We can only hope we can trust Windows. We could say the same about Mac and Linux.
We can improve the single file scenario, and reduce the exposure of our data to decryption, by splitting up our single file into multiple files. In this way, only a small portion of your total data is decrypted each time you open a file.
We can take it a step further and treat every line of that original, single file as its own individual file. So, again, you’ve reduced the footprint of what gets decrypted and exposed to a single record for whatever app is opening it.
It’s up to you what level of security vs convenience you find ideal.
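To make the ‘one record per file’ idea concrete, here is an added example (my own illustration, not code from the original post). It takes a single plain-text password file, where records are separated by blank lines and the first line of each record is its title, and writes each record to its own file on the mounted volume. Looking up an entry then reads only that one file; searching by title only lists file names and never opens contents. The input format and the vault directory are assumptions for the example.

```shell
#!/bin/sh
# Added example: split one password file into one file per record so that
# opening an entry reads only that record from the VeraCrypt volume.
# Assumed input format: records separated by a blank line, first line = title.

# split_records <input-file> <output-dir>
# Writes <output-dir>/<title>.txt for every record in <input-file>.
split_records() {
    in="$1"; out="$2"
    mkdir -p "$out"
    chmod 700 "$out"                     # only the owner may list the vault
    awk -v dir="$out" '
        BEGIN { RS=""; FS="\n" }         # paragraph mode: one record per block
        {
            name = $1
            gsub(/[^A-Za-z0-9._-]/, "_", name)   # title -> safe file name
            path = dir "/" name ".txt"
            print > path                 # $0 is the whole record
            close(path)
        }' "$in"
    chmod 600 "$out"/*.txt               # each record readable by owner only
}

# count_records <dir> : number of record files (prints the number)
count_records() {
    ls "$1"/*.txt 2>/dev/null | wc -l | tr -d ' '
}

# find_record <dir> <pattern> : search titles only, never record contents
find_record() {
    ls "$1" | grep -i -- "$2"
}

# show_record <dir> <title> : read exactly one record
show_record() {
    cat "$1/$2.txt"
}

# Usage (paths are placeholders for the mounted volume):
#   split_records /mnt/vcfs/all-passwords.txt /mnt/vcfs/vault
#   find_record   /mnt/vcfs/vault bank
#   show_record   /mnt/vcfs/vault example-bank
```

The original single file should be deleted once the split is verified, otherwise it remains the one place where everything is exposed at once.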
Encrypting Files Again Inside VeraCrypt Volumes
You can encrypt any file on a VeraCrypt drive using any other software. Some ZIP applications, like 7-Zip, for example, allow you to password protect ZIP files using proper encryption methods, like AES, which is what VeraCrypt uses by default. GNU Privacy Guard (GPG on Linux and Gpg4win on Windows) is another way of password protecting files and folders. OpenSSL on Linux allows you to password-encrypt files, as well.
One use case for this is the ‘inner vault’ use case. Think of a bank where you can access your bank account at a teller but you can also access safety deposit boxes in higher security areas that require extra security measures.
So, you might trust VeraCrypt to protect your regular data while encrypting other data with additional apps inside the VeraCrypt drive.
This technique allows you to leverage a graduated series of higher and higher security passwords. For example, your VeraCrypt volume might be secured with an initial password, and encrypted files on the VeraCrypt drive might be encrypted with more complex passwords.
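Here is an added example of the ‘inner vault’ layer using OpenSSL on Linux (my illustration, not code from the original post). Each record file on the mounted volume is sealed with AES-256 under a second passphrase, and reading a record decrypts it to standard output only, so no plaintext copy is written back to the drive. It assumes openssl is installed and takes the inner passphrase from an environment variable named INNER_PASS (an assumption for the example) rather than from the command line, so the passphrase does not show up in the process list.

```shell
#!/bin/sh
# Added example: a second, per-file encryption layer inside the VeraCrypt
# volume. Assumes openssl is installed and the inner passphrase is exported
# as INNER_PASS (chosen name for this example).

# seal_record <plaintext-file>
# Encrypts to <file>.enc with AES-256-CBC and a PBKDF2-derived key, then
# removes the plaintext so only the sealed copy stays on the drive.
seal_record() {
    f="$1"
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$f" -out "$f.enc" -pass env:INNER_PASS || return 1
    rm -f "$f"
}

# open_record <file.enc> : decrypt to stdout only; nothing touches the disk
open_record() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -pass env:INNER_PASS
}

# password_line <file.enc> : print just the value after "pass: " so that a
# single field can be piped to a clipboard tool instead of viewing the file
password_line() {
    open_record "$1" | sed -n 's/^pass: //p'
}

# Usage (paths are placeholders for the mounted volume):
#   export INNER_PASS='...'            # the inner-vault passphrase
#   seal_record /mnt/vcfs/vault/example-bank.txt
#   password_line /mnt/vcfs/vault/example-bank.txt.enc | xclip -selection clipboard
#   unset INNER_PASS                   # drop it from the environment when done
```

Because the decrypted bytes only ever live in a pipe, there is no temporary file to clean up afterwards; the remaining exposure is the clipboard and the memory of the processes in the pipeline.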
VeraCrypt Hidden Volumes for Plausible Deniability
VeraCrypt allows you to create a hidden volume which, unless it is found, gives a person ‘plausible deniability’: they can deny the existence of a VeraCrypt volume and/or deny that they, themselves, put it there. Additionally, unless it can be found, there’s no reason to think one would be there, which may discourage looking for it.
“Plausible deniability is the ability of an individual or group to deny knowledge of or responsibility for actions committed by other individuals or groups.” (Wikipedia)
VeraCrypt Volume Obfuscation Potential Using Steganography
Because VeraCrypt volumes are simply files on an existing file system, there is potential to use steganography to obfuscate their storage within other file formats.
“Steganography is the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection.” (Wikipedia)
For example, you might have a VeraCrypt volume file named “myveracryptvolume.img”, which makes it pretty obvious what it is and how to open it. VeraCrypt volume files can be named anything, so if it were named “mona-lisa-city-museum.jpg”, for example, that would obfuscate its purpose.
But steganography goes further: You don’t just have a .jpg file name, the file actually is a jpg file, including a real image (which, if opened, displays as expected), while some part of the non-display data is used for your VeraCrypt file system.
Steganography goes beyond the scope of this piece, though, and I haven’t actually tried it, myself, but it is an interesting security technique that VeraCrypt makes easy.
Security Weaknesses
All password management solutions have weaknesses because, at some point, you need to view your password in plaintext. This DIY solution has weaknesses, too, but if you take some care you can minimize your risk.
VeraCrypt Drives Are Available To Any Process: So Encrypt What You Want To Secure
Being a normal drive, any process running as your user can read the drive. This is why, even though VeraCrypt itself is strong, high-grade encryption, I also encrypt files and folders inside the drive using other tools (7-Zip AES, GPG, etc.). So, even if another process scans the drive while it’s mounted, those files are still encrypted.
You should only temporarily decrypt important files. You shouldn’t have them open for any longer than you need to. For files with passwords in them, I decrypt them, open them, copy the password, and close them, leaving them open for as little as a few seconds, and the decrypted file laying around for as short a time as possible.
Additional App To Open and Decrypt Files Is Preferable
As it stands, you can decrypt files on the VeraCrypt mount and open them in any app, like Notepad, for example. The problem is that the decrypted file sits on the file system in a decrypted state, and any other process could read it.
If we were using an app that decrypts files itself, we would be leveraging OS-level process isolation. For example, a process should not be able to read another process’s memory (i.e. it gets a memory access violation) unless that other process already has elevated privileges.
So, for example, Excel can open encrypted spreadsheet files and decrypt them itself. It would be ideal to have a text editor that could do the same thing for text files. You might even get some benefit out of 7-Zip’s “Open Archive” mode, where you can double-click on a file inside an encrypted archive and open it in, for example, Notepad. This still uses a temporary decrypted copy of the file on the file system, but typically these are created with tighter permissions, preventing other processes from reading them, and they should be removed when the app (e.g. Notepad) closes (see next paragraph), so it should be better than a regular file on the file system.
If using the 7-Zip or similar method, 7-Zip should clean up temporary files, but just in case, run the Windows Disk Clean-up app to clear out your temporary files (e.g. C:\Users\{User}\AppData\Local\Temp, also the %temp% environment variable). In my experience, opening in Windows Notepad (7-Zip’s default app for text files) will clean up temporary files, whereas if you drag & drop onto Notepad++ it won’t clean up temporary files.
It should be noted that any superuser level process (Administrator, root, etc.) can likely read all data everywhere, anyway. Our hope is that the host and operating system are not compromised. Some chances you have to take or you wouldn’t be able to do anything.
The Security Of The Computer Itself
This solution will only be as secure as the computer it’s running on. You’ll typically be fine on your home computers, unless your computer has a virus, so where you really have to beware is other machines not under your control. It’s probably best to avoid using it on public terminals (e.g. library computers, school lab computers, internet cafes, etc.).
The best way to avoid viruses on your own computer is to scan for viruses. I don’t run antivirus software, and haven’t for many years, but I do scan downloads with the free VirusTotal.com, which scans with virtually all of the antivirus software you might get all at once.
Easy Backups
Since VeraCrypt volumes are simple files, they back up easily like the rest of your files.
Easy ‘Go Back In Time’ Backups
And, again, since VeraCrypt volumes appear as simple files in Windows Explorer, you can back them up and rename them with a timestamp (e.g. “files230716.vc”), so that you can go back later and open backups from specific dates and times.
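As an added example (my own, not from the original post), here is a small shell routine that makes a timestamped copy in the “files230716.vc” style and verifies the copy byte for byte. One caveat worth building in: copy the container only while it is dismounted, otherwise the copy may capture a half-written image. The backup directory and the volume name are placeholders.

```shell
#!/bin/sh
# Added example: timestamped, verified backups of a VeraCrypt container file.
# Assumes the container is dismounted (run `veracrypt --list` first; an
# unmounted container does not appear there).

# backup_volume <container-file> <backup-dir> [YYMMDD]
# Copies e.g. files.vc to <backup-dir>/files230716.vc, refuses to overwrite an
# existing backup, verifies the copy with cmp, and prints the backup path.
backup_volume() {
    vol="$1"; dir="$2"
    stamp="${3:-$(date +%y%m%d)}"        # default to today's date
    base=$(basename "$vol")
    stem="${base%.*}"                    # "files.vc" -> "files"
    dest="$dir/$stem$stamp.vc"
    mkdir -p "$dir"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 1
    fi
    cp "$vol" "$dest" || return 1
    cmp -s "$vol" "$dest" || { echo "verification failed for $dest" >&2; return 1; }
    printf '%s\n' "$dest"
}

# latest_backup <backup-dir> <stem> : the newest backup by date in the name
# (YYMMDD sorts correctly as text until the year 2100)
latest_backup() {
    ls "$1"/"$2"[0-9]*.vc 2>/dev/null | sort | tail -n 1
}

# Usage (placeholder paths):
#   veracrypt --dismount /path/to/files.vc
#   backup_volume /path/to/files.vc /path/to/backups
#   veracrypt --mount "$(latest_backup /path/to/backups files)" /mnt/vcfs-old
```

Mounting an old backup read-only is a safe way to look at a previous state without disturbing it.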
Wrapping Up
There’s a lot here to be distracted by, but just know that with just a USB drive, PortableApps, and VeraCrypt, you have what you need to create a portable, encrypted password manager that works on Windows, Mac, and Linux using simple plain-text files.
Once you’ve got that done, you then have a powerful system to keep anything safe.