TrueCrypt

From Gentoo Linux Wiki

Filesystems TOC

Filesystem overview
Journaling filesystems
- Ext4
- Reiser4
Proprietary filesystems
- Mounting Windows Partitions
- NTFS-3G
Virtual filesystems
- Initramfs
Network filesystems
Encrypted filesystems
- TrueCrypt
- LVM2, DM-Crypt and RAID root
- DM-Crypt with LUKS
- AES-encrypted root partition using LVM2
Compressed filesystems
- Squashed Portage Tree (squashfs)
Volume management
- LVM
- RAID
Filesystems tricks
- Using Graphics Card Memory as Swap
- Automount Swap Early

Please format this article according to the Style Guidelines and Wikification suggestions, then remove this notice {{Wikify}} from the article.

Reason(s):

Section ”Mount volumes as a normal user” seems to be obsolete. Remove or rewrite

This page will show you the steps to install TrueCrypt, an open-source cross-platform software allowing you to manage encrypted disks. The main features are its creation of virtual encrypted disks and the encryption of entire partitions. There are two different security levels available: The hidden volume (see the official website for details) and the normal volume.

[edit] Requirements

TrueCrypt needs a 2.6.5 kernel (or higher/compatible) with both device mapper and loop device enabled (TrueCrypt itself however warns when using kernel older than 2.6.24 due to the bug in older kernels possibly causing system freeze when writing to the encrypted volume). Make sure that the kernel is configured as follows:

Linux Kernel Configuration: Device Mapper

Device Drivers ---> 
  [*] Multiple devices driver support (RAID and LVM) --->
    <*> Device mapper support
    <*>   Crypt target support
  [*] Block Devices --->
    <*> Loopback device support
File systems --->
  <*> FUSE (Filesystem in Userspace) support
[*] Cryptographic API --->
  <*> RIPEMD-160 digest algorithm 
  <*> SHA384 and SHA512 digest algorithms
  <*> Whirlpool digest algorithms
  <*> LRW support (EXPERIMENTAL)
  <*> XTS support (EXPERIMENTAL)
  <*> AES cipher algorithms
  <*> Serpent cipher algorithm
  <*> Twofish cipher algorithm

Note: In this configuration all the options are marked as built-in [*] but you also can mark them as modules <M>

Note: You need only those algorithms you plan to use, if you are uncertain or want to future support, select all.

Next, recompile and reboot into the new kernel (or just install the new modules if you marked all as modules).

[edit] Install

Note: There are no ”stable” version, so I’ll assume you use 6.3a, which is currently newest version.

Add app-crypt/truecrypt in /etc/portage/package.keywords

File: /etc/portage/package.keywords

app-crypt/truecrypt

Type:

emerge -av truecrypt

and follow instructions (depends on your configuration and package version).

Approximate instructions:

Download tar.gz source from http://www.truecrypt.org/downloads2.php, rename in truecrypt-6.3a.tar.gz and put the file in /usr/portage/distfiles/

Type:

emerge -av truecrypt

[edit] Usage

[edit] Create a volume

Simply follow the TrueCrypt assistant:

truecrypt -t -c

Create a linux filesystem on your volume (ext2 used as an example):

truecrypt --filesystem=none /path/to/volume
mkfs.ext3 /dev/mapper/truecrypt1
# deattach the volumes in order to test you can actually attach them back
truecrypt -d /path/to/created/volume 

[edit] NTFS volume

If you're on TrueCrypt >v6.0 and e.g. like to create an ntfs volume and are using ntfs-3g through FUSE, this sequence of commands will probably be more like this:

truecrypt /path/to/created/volume /mnt/mountpoint
mount

Note where truecrypt mounted the exterior volume, e.g.: /dev/loop0 on /mnt/mountpoint type fuseblk (rw,noatime,allow_other,default_permissions,blksize=4096)

umount /mnt/somewhere
mkntfs -f /dev/loop0
truecrypt -d /path/to/created/volume

For truecrypt 6a, when you want mount volume without filesystem, you must use

truecrypt /dev/md2 --filesystem=none

then only loop is created. Otherwise truecrypt ask you for "Enter mount directory" and later you get "Error: mount: you must specify the filesystem type"

Mount your volume, this will ask for the password:

truecrypt /path/to/created/volume /mnt/mountpoint

You can also set the mount options, for example to set the ownership to a specific user/group

Unmount the volume (-d parameter without any other argument will dismount any mounted volume):

truecrypt -d /path/to/created/volume or truecrypt -d /mnt/mountpoint

[edit] Mount volumes as a normal user

Note: This works with just wheel group allowed to use sudo and you to be in it, too

Truecrypt needs root privileges to work: this procedure will allow normal users to use it, also giving writing permissions to mounted volumes.

First of all, you must have sudo installed. If not, just type:

emerge -a app-admin/sudo

Now we have to create a new group called truecrypt and give it the necessary permissions. Any users that will belong to that group, will be able to use TrueCrypt.

groupadd truecrypt
nano /etc/sudoers

Use the just opened editor to attach the following lines at the bottom of the configuration file:

File: visudo

# Users in the truecrypt group are allowed to run truecrypt as root.
%truecrypt ALL=(root) NOPASSWD:/usr/bin/truecrypt

Before adding our users to the truecrypt group we still have to do something in order to make mounted volumes writable from normal users. To do this just open the system-wide bashrc file:

nano /etc/bash/bashrc

And add this few lines to it:

File: /etc/bash/bashrc

alias tc='sudo truecrypt'
alias tcm='tc -M uid=$(id -u),gid=$(id -g)'

(outdated: the -M option has been changed, and truecrypt now seems to know how to mount with user permissions by itself when run as root)

You can now add your users to the truecrypt group:

gpasswd -a USER_1 truecrypt
gpasswd -a USER_2 truecrypt

Note: The tc alias doesn't seem to be necessary (at least with Truecrypt version 4.3a running on an up-to-date Gentoo system), as calling the truecrypt binary as non-root results in it calling sudo by itself

Note: The tcm alias above would not work with ordinary Linux filesystems. This is because the -M option of truecrypt is used to pass parameters to mount(1) using its -o option. Not all filesystems support mount time options for UID and GID. To avoid confusion, do not add or use the tcm alias unless you know the target filesystem supports these mount options (VFAT filesystems do)

Note: In order to make these changes active, any user that has been added to the truecrypt group have to logout.

Use the tc alias to generically use truecrypt, (i.e. tc -d [volume] if you want to dismount a volume) and tcm to mount an encrypted volume.

If after doing the steps above you don't have access to the partition as a normal user then change the ownership of the folder in which the partition was mounted after being mounted. The steps above did not work for me and this was the only way I was able to access the partition as a normal user since the options passed through the -M option to the mount command weren't accepted.

truecrypt /dev/volume_name /mnt/mount_point
chown user_name /mnt/mount_point/
chgrp group_name /mnt/mount_point/

[edit] Safely unmount and unmap volumes on shutdown

Add this line to /etc/conf.d/local.stop.

File: /etc/conf.d/local.stop

/usr/bin/truecrypt -d

[edit] Mount volume via fstab

Create the following file in /sbin

File: mount.truecrypt

#!/bin/sh
OPTIONS="`echo $* |  sed 's/-o */--fs-options=/g'`"
sudo truecrypt $OPTIONS

Then you can mount your truecrypt device via the following line in fstab

File: /etc/fstab

/dev/sdb3 mountpoint          truecrypt defaults,noauto,user        0       2

By adding

 Defaults env_keep=DISPLAY
 Defaults env_keep+=XAUTHORITY

below

 # Reset environment by default
 Defaults        env_reset

when running visudo you also get graphical feedback in truecrypt-5.1a

Here is an extended version of /sbin/mount.truecrypt:

File: mount.truecrypt

#!/usr/bin/env sh

DEV="$1"
MNTPT="$2"
OPTIONS=""
TCOPTIONS=""

# skip device, mountpoint and '-o'
shift 3
IFS=','
for arg in $*; do
    if [ "${arg}" == "system" ]; then
        TCOPTIONS="${TCOPTIONS}-m=system "
    elif [[ "${arg}" == fs=* ]]; then
        FS=${arg#*=}
        TCOPTIONS="${TCOPTIONS}--filesystem=${FS} "
    else
        OPTIONS="${OPTIONS}${arg},"
    fi
done

sudo truecrypt ${DEV} ${MNTPT} ${TCOPTIONS% *} --fs-options="${OPTIONS%,*}"

Now you can mount system volumes and specify the filesystem type like this

File: /etc/fstab

/dev/hda2           /mnt/win            truecrypt       system,noauto,umask=000         0 0
/dev/hda7           /mnt/shared         truecrypt       fs=ntfs-3g,noauto,defaults      0 0

/dev/hda2 is an encrypted system partition (system option) and /dev/hda7 gets mounted as a ntfs-3g partition (fs option)

[edit] Troubleshooting

If the transfer speeds are low, try using the noatime option on mount:

truecrypt volume mountpoint -M noatime

If TrueCrypt gives you an error when mounting a NTFS encrypted volume even though ntfs-3g is installed that the module ntfs was not found, you need to specify the file system manually:

truecrypt --filesystem=ntfs-3g volume mountpoint

If TrueCrypt gives you an error when mounting volume:

device-mapper: reload ioctl failed: Invalid argument 
Command failed

you need to add XTS and/or LRW support in the kernel. See Requirements.

If you are positive that you have XTS and/or LRW support in the kernel but still get the above error, it may be necessary to disable kernel cryptographic services when mounting altogether:

truecrypt -m=nokernelcrypto volume mountpoint

Of course you may add any other necessary option on the commmand line as well. Note that truecrypt will have decreased performance when using this option.

[edit] See also

TrueCrypt

From Gentoo Linux Wiki

Contents

[edit] Requirements

[edit] Install

[edit] Usage

[edit] Create a volume

[edit] NTFS volume

[edit] Mount volumes as a normal user

[edit] Safely unmount and unmap volumes on shutdown

[edit] Mount volume via fstab

[edit] Troubleshooting

[edit] See also

Views

Personal tools

Navigation

support

Search

indexes

development

Toolbox