Best way to use veracrypt in qubes

Hi,
I have some encrypted USB drives that I want to use, and I am not sure how to install veracrypt.
Do you recommend installing it in sys-usb, or only in the qubes where I need the content of my USB, or maybe just creating a qube between my sys-usb and my other qubes with just veracrypt?

Thanks

You can create a TemplateVM (for example deb-veracrypt), install veracrypt in it, then create a DispVM Template (for example deb-veracrypt-dvm). Finally connect the usb device from sys-usb to the DispVM.

To create a DispVM template:

[user@dom0 ~]$ qvm-create -t deb-veracrypt -l red --prop template_for_dispvms=true --prop netvm='' deb-veracrypt-dvm
[user@dom0 ~]$ qvm-features deb-veracrypt-dvm appmenus-dispvm 1

Reminder: if you want the veracrypt package to persist and be usable in different vms, you have to install it in the TemplateVM.

4 Likes

If you only have the one volume and don’t expect to use it frequently, then BEBF738VD’s solution will work.

If you are thinking there are multiple qubes that should have access to files in the veracrypt volume, you’ve got a couple of options. The first is to create a dedicated qube for accessing the files on the volume (install veracrypt in that qube’s template, connect the usb volume to it, decrypt there, then qvm-copy the files where they should go). Basically what BEBF738VD said, just using the veracrypt-capable VM as an intermediary.

If for some reason you want direct access from your apps to the qube, then you can install veracrypt on those templates (which means you’ll possibly install it on multiple templates). Or there is a much more complex solution which might make sense if veracrypt is a major part of your life: Split veracrypt - General Discussion - Qubes OS Forum (qubes-os.org) but even as the guy who came up with that, I strongly recommend you do NOT do this unless you find yourself using veracrypt a lot. (It’s a huge part of my qubes infrastructure.)

tl;dr BEBF738VD’s solution is the best unless you use veracrypt a lot.

3 Likes

Thanks for your help!
I will use the BEBF738VD method. It’s the simplest and for what I have to do it’s perfect!

@BEBF738VD Did you create a Debian template because you are more familiar with it, or is it better for VeraCrypt?

@SteveC Thanks for your time! I really appreciate it!!

Haven’t tested it with Fedora. I just like Debian better.

No worries. If it solved your issue, please mark it as answer.

1 Like

hmm I am not sure if this code is formulated correctly as I am getting the following error in Dom0 Terminal:

“qvm-create: error : unrecognized arguments: red deb-veracrypt-dvm”

Maybe you’ve mistyped in -l red, the l is a small L and not 1 (one).

Hey apparatus,

Sorry for the late reply.

I have triple checked the above format like for like and there is definitely an issue with the code as I get the following error:

"Error creating VM: No such domain: ‘deb-veracrypt’ "

Would I be getting this error if my default distro is fedora on qubes?

Thanks

deb-veracrypt is an example name of the template where you’ve installed veracrypt. Change it to your own template name.
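
The dom0 steps from the first answer, with a preflight check that catches the "No such domain" error before anything is created; this is an added example, not code from any post in this thread. The function names are hypothetical, and `disp1234` and `sys-usb:sda` are placeholder values.

```sh
#!/bin/sh
# Added example for dom0; not code from any post in this thread.
# Function names are hypothetical. Qube names are the thread's example names.

# Create an offline DispVM template from a TemplateVM that has VeraCrypt installed.
# Returns 2 if the base template is missing, 3 if the new name is already taken.
create_veracrypt_dvm() {
    base=$1 dvm=$2 label=${3:-red}
    if [ -z "$base" ] || [ -z "$dvm" ]; then
        echo "usage: create_veracrypt_dvm BASE_TEMPLATE DVM_NAME [LABEL]" >&2
        return 64
    fi
    # Preflight for "No such domain": the base must exist and be a template.
    if ! qvm-check --template "$base" >/dev/null 2>&1; then
        echo "'$base' is not an existing template; use your own template's name" >&2
        return 2
    fi
    if qvm-check "$dvm" >/dev/null 2>&1; then
        echo "a qube named '$dvm' already exists" >&2
        return 3
    fi
    # Long options avoid the -l (letter) versus -1 (digit) mix-up.
    # netvm='' keeps the qube that sees the decrypted volume off the network.
    qvm-create --template "$base" --label "$label" \
        --prop template_for_dispvms=true --prop netvm='' "$dvm" || return 1
    qvm-features "$dvm" appmenus-dispvm 1
}

# Attach a block device exposed by sys-usb to a running disposable.
# Returns 4 if the target qube is not running.
attach_usb_volume() {
    target=$1 device=$2   # e.g. disp1234 sys-usb:sda (placeholder values)
    if ! qvm-check --running "$target" >/dev/null 2>&1; then
        echo "'$target' is not running; start the disposable first" >&2
        return 4
    fi
    qvm-block attach "$target" "$device"
}

# Usage in dom0:
#   create_veracrypt_dvm deb-veracrypt deb-veracrypt-dvm
#   attach_usb_volume disp1234 sys-usb:sda
```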

Instead of trying to create the veracrypt template and veracrypt dvm in dom0 terminal I ended up just cloning whonix-workstation-17 template and changing name to deb-veracrypt and cloning whonix-workstation-17-dvm and changing name to deb-veracrypt-dvm.

I have successfully downloaded and installed the veracrypt file on the deb-veracrypt template and have allowed VeraCrypt in Settings >> Applications in deb-veracrypt-dvm (AppVM). Veracrypt launches fine; however, I am unable to create a new encrypted volume on a USB or SSD. I get the following error during the creation process as it’s formatting:

"Failed to create a file or directory in a temporary directory.

Please make sure the temporary directory exists, its security permissions allow you to access it, and there is sufficient disk space:
/tmp/user/42xxxxxxxxxx/.veracrypt_aux_mnt256"

Please help :disappointed:

http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/veracrypt-stopped-working-after-updating-to-whonix-17/19752
Veracrypt stopped working after updating to whonix 17 - Support - Whonix Forum

Thank you apparatus the following solved the issue :slightly_smiling_face::

sudo mkdir -p /tmp/user/xxxxxxxxx/

Out of curiosity if I wanted to encrypt the entirety of an external drive such as a 1TB SSD using VeraCrypt on Qubes AppVM, will I need to allow 1TB of private storage in AppVM or is this only if you’re creating an encrypted folder on the AppVM of this size?

Thanks again for all the help, really appreciate it.

You do NOT need to allow 1TB of private storage in the AppVM (if you do so, you’ll simply have that much unencrypted empty space in your AppVM; your data won’t be there).

However the AppVM must mount the storage; and for that to happen someone must decrypt the storage. (In the simple case, that’s your AppVM though it can be done by other qubes with some work (see split-veracrypt).) Whichever does the decrypting must of course have veracrypt installed.

Hi SteveC,

Thanks for clarifying this. I thought if you are mounting an Encrypted 1TB SSD then the AppVM must have this storage allowance? If it’s not required then even better I guess, I can reduce the Private storage then :slightly_smiling_face:

Many thanks

1 Like