HOWTO Truecrypt

From Gentoo Linux Wiki

This article is part of the HOWTO series.
This article is part of the Security series.

Introduction

Note: As of version 5.1a this howto no longer works; crucial commands seem to have changed. So be careful and, if you succeed, please update this howto!

This howto shows the steps to install Truecrypt, open-source cross-platform software for managing encrypted disks. Its main features are:

  • creation of virtual encrypted disks
  • encryption of entire partitions
  • two different security levels available:

Requirements

Truecrypt needs a 2.6.5 kernel (or higher/compatible) with both device mapper and loop device enabled. Make sure that the kernel is configured as follows:

Linux Kernel Configuration: Device Mapper

Enable the device mapper:

Device Drivers --> Multi-device support (RAID and LVM)  --->
 [*] Multiple devices driver support (RAID and LVM)
  <*> Device mapper support
  <*> Crypt target support

Enable loop device:

Device Drivers --> Block Devices -->
 <*> Loopback device support


Note: In this configuration all options are marked as built-in ([*]), but you can also mark them as modules ([M]).

Next, recompile and reboot into the new kernel (or, if you marked everything as modules, just install the new modules).


Installation

To install truecrypt, type as root:

# emerge -av truecrypt

Add the module to your module autoload list:

# echo "truecrypt" >> /etc/modules.autoload.d/kernel-2.6

Load the module so that you can use it right away:

# modprobe truecrypt

Usage

Configure a secure volume

Simply follow the truecrypt assistant:

# truecrypt -c

Create a Linux filesystem on your volume (ext2 is used as an example):

# truecrypt -N 1 /path/to/created/volume
# export MKE2FS_SYNC=1
# mkfs.ext2 /dev/mapper/truecrypt1
# truecrypt -d /path/to/created/volume

Mount your volume; this will ask for the password:

# truecrypt /path/to/created/volume /mnt/mountpoint

You can also set mount options, for example to give ownership to a specific user/group:

# truecrypt /path/to/created/volume /mnt/mountpoint -M uid=joe,gid=users

Unmount the volume (the -d parameter without any other argument dismounts every mounted volume):

# truecrypt -d /path/to/created/volume

or:

# truecrypt -d /mnt/mountpoint

Mount volumes as a normal user

Truecrypt needs root privileges to work. This procedure allows normal users to use it and also gives them write permission on mounted volumes.

First of all, you must have sudo installed. If it is not, type:

# emerge app-admin/sudo

Now we have to create a new group called truecrypt and give it the necessary permissions. Any user that belongs to that group will be able to use truecrypt.

# groupadd truecrypt
# visudo

In the editor that opens, append the following lines to the end of the configuration file:

File: visudo
# Users in the truecrypt group are allowed to run truecrypt as root.
%truecrypt ALL=(root) NOPASSWD:/usr/bin/truecrypt

Before adding users to the truecrypt group, one more step is needed to make mounted volumes writable by normal users. Open the system-wide bashrc file:

# nano /etc/bash/bashrc

and add these lines to it:

File: /etc/bash/bashrc
alias tc='sudo truecrypt'
alias tcm='tc -M uid=$(id -u),gid=$(id -g)'

You can now add your users to the truecrypt group:

# gpasswd -a USER_1 truecrypt
# gpasswd -a USER_2 truecrypt
...
Note: The tcm alias above does not work with ordinary Linux filesystems. This is because truecrypt's -M option passes parameters to mount(1) via its -o option, and not all filesystems support mount-time options for UID and GID. To avoid confusion, do not add or use the tcm alias unless you know the target filesystem supports these mount options (VFAT filesystems do).
Note: For these changes to take effect, any user added to the truecrypt group has to log out (and log in again).

Use the tc alias for general truecrypt use (e.g. tc -d [volume] to dismount a volume) and tcm to mount an encrypted volume.


Note: If, after doing the steps above, you don't have access to the partition as a normal user, then change the ownership of the folder in which the partition was mounted, after it has been mounted. The steps above did not work for me, and this was the only way I was able to access the partition as a normal user, since the options passed through the -M option to the mount command weren't accepted.

# truecrypt /dev/volume_name /mnt/mount_point
# chown user_name /mnt/mount_point/
# chgrp group_name /mnt/mount_point/

Tips

If transfer speeds are low, try using the noatime option on mount:

# truecrypt /dev/volume_name  /mnt/mount_point  -M noatime

Assuming you have set up NTFS-3G, to read and write an NTFS-formatted truecrypt-encrypted drive use the filesystem option:

# truecrypt --filesystem ntfs-3g /dev/volume_name  /mnt/mount_point

Safely unmount and unmap truecrypt volumes on shutdown

Add the following line to:

File: /etc/conf.d/local.stop
/usr/bin/truecrypt -d

Mount TrueCrypt volume via fstab

Create the following file in /sbin:

File: mount.truecrypt
#!/bin/sh

# mount(8) passes its options as "-o opt1,opt2"; truecrypt expects "--fs-options=opt1,opt2"
OPTIONS=$(echo $* | sed 's/-o /--fs-options=/g')

sudo truecrypt $OPTIONS


Then you can mount your truecrypt device via the following line in fstab:

/dev/sdb3 /daten          truecrypt defaults,noauto,user        0       2
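The one-line helper above rewrites "-o " into "--fs-options=" with sed over the whole argument string, so it also rewrites any later argument that happens to contain "-o " and it forwards mount(8)'s own bookkeeping flags (-s, -f, -n, -v) to truecrypt unchanged. Since the helper runs truecrypt under sudo, it is better to forward only the arguments it expects. The following is an added example, not the wiki's script: a replacement body for /sbin/mount.truecrypt that walks the argument list word by word. It assumes mount(8)'s helper calling convention (mount.<type> device dir [-sfnv] [-o options]); the function name tc_args is a hypothetical name chosen here, and the sample arguments in the comments are constructed.

```shell
#!/bin/sh
# Added example: argument-aware body for /sbin/mount.truecrypt (hypothetical).
# mount(8) invokes a helper as:  mount.truecrypt <device> <dir> [-sfnv] [-o opt1,opt2,...]
# truecrypt wants:               truecrypt <device> <dir> [--fs-options=opt1,opt2,...]

# Print the truecrypt argument list for the given mount(8) helper arguments.
# Returns 1 on a malformed call (missing device/dir, "-o" without a value, unknown flag).
tc_args() {
    dev=""; dir=""; fsopts=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -o)
                # "-o" must be followed by the option string
                [ $# -ge 2 ] || { echo "mount.truecrypt: -o needs a value" >&2; return 1; }
                fsopts="$2"; shift 2 ;;
            -n|-v|-s|-f)
                # mount(8) bookkeeping flags (no mtab, verbose, sloppy, fake); not for truecrypt
                shift ;;
            -*)
                echo "mount.truecrypt: unsupported flag $1" >&2; return 1 ;;
            *)
                # the first two positional words are the device and the mount point
                if [ -z "$dev" ]; then dev="$1"
                elif [ -z "$dir" ]; then dir="$1"
                else echo "mount.truecrypt: unexpected argument $1" >&2; return 1
                fi
                shift ;;
        esac
    done
    [ -n "$dev" ] && [ -n "$dir" ] || { echo "usage: mount.truecrypt device dir [-o opts]" >&2; return 1; }
    if [ -n "$fsopts" ]; then
        printf '%s %s --fs-options=%s\n' "$dev" "$dir" "$fsopts"
    else
        printf '%s %s\n' "$dev" "$dir"
    fi
}

# Example (constructed): "mount /daten" with the fstab line above makes mount(8) run
#   mount.truecrypt /dev/sdb3 /daten -o defaults,noauto,user
# and tc_args turns that into
#   /dev/sdb3 /daten --fs-options=defaults,noauto,user

# Only call truecrypt when run as the helper itself, so the file can also be sourced for testing.
if [ "${0##*/}" = "mount.truecrypt" ]; then
    args=$(tc_args "$@") || exit 1
    # word-splitting of $args is intended: device, mount point and one --fs-options word
    exec sudo truecrypt $args
fi
```

Install it as /sbin/mount.truecrypt with mode 0755, just like the original script; the fstab line and the sudoers entry from the previous section stay the same.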

If you add

Defaults env_keep=DISPLAY
Defaults env_keep+=XAUTHORITY

below

# Reset environment by default
Defaults        env_reset

when running visudo, you also get graphical feedback in truecrypt-5.1a.
