TrueCrypt
From Gentoo Linux Wiki
Introduction
This page shows the steps to install TrueCrypt, open-source cross-platform software for managing encrypted disks. Its main features are the creation of virtual encrypted disks and the encryption of entire partitions. Two security levels are available: the hidden volume (see the official website for details) and the normal volume.
Requirements
TrueCrypt needs a 2.6.5 kernel (or higher/compatible) with both device mapper and loop device enabled. Make sure that the kernel is configured as follows:
Linux Kernel Configuration: Device Mapper

Enable the device mapper:
Device Drivers -->
  Multi-device support (RAID and LVM) --->
    [*] Multiple devices driver support (RAID and LVM)
    <*>   Device mapper support
    <*>     Crypt target support

Enable loop device:
Device Drivers -->
  Block Devices -->
    <*> Loopback device support

Next, recompile and reboot into the new kernel (or just install the new modules if you marked all as modules).
Install
To install TrueCrypt just type as root: emerge -av truecrypt.
Usage
Create a volume
Simply follow the TrueCrypt assistant: truecrypt -c.
Create a linux filesystem on your volume (ext2 used as an example):
truecrypt -N 1 /path/to/created/volume
export MKE2FS_SYNC=1
mkfs.ext2 /dev/mapper/truecrypt1
truecrypt -d /path/to/created/volume

truecrypt /path/to/created/volume /mnt/mountpoint
mount
# Note where truecrypt mounted the exterior volume, e.g.:
# /dev/loop0 on /mnt/mountpoint type fuseblk (rw,noatime,allow_other,default_permissions,blksize=4096)
umount /mnt/mountpoint
mkntfs -f /dev/loop0
truecrypt -d /path/to/created/volume

truecrypt /dev/md2 --filesystem=none
With --filesystem=none, only the loop device is created. Otherwise truecrypt asks you to "Enter mount directory" and later you get "Error: mount: you must specify the filesystem type".
Mount your volume; this will ask for the password: truecrypt /path/to/created/volume /mnt/mountpoint.
You can also set mount options with -M, for example to set the ownership to a specific user/group, as the tcm alias in the next section does with uid= and gid=.
Unmount the volume (-d parameter without any other argument will dismount any mounted volume): truecrypt -d /path/to/created/volume or truecrypt -d /mnt/mountpoint.
Mount volumes as a normal user
TrueCrypt needs root privileges to work. This procedure allows normal users to use it and also gives them write permissions on mounted volumes.
First of all, you must have sudo installed. If not, just type:
# emerge app-admin/sudo
Now we have to create a new group called truecrypt and give it the necessary permissions. Any user who belongs to that group will be able to use TrueCrypt.
# groupadd truecrypt
# visudo
In the editor that opens, append the following lines to the end of the configuration file:
File: visudo
# Users in the truecrypt group are allowed to run truecrypt as root.
%truecrypt ALL=(root) NOPASSWD:/usr/bin/truecrypt

Before adding our users to the truecrypt group, we still have to make mounted volumes writable by normal users. To do this, open the system-wide bashrc file:
# nano /etc/bash/bashrc
And add these lines to it:
File: /etc/bash/bashrc
alias tc='sudo truecrypt'
alias tcm='tc -M uid=$(id -u),gid=$(id -g)'

You can now add your users to the truecrypt group:
# gpasswd -a USER_1 truecrypt
# gpasswd -a USER_2 truecrypt
...
Use the tc alias to run truecrypt in general (e.g. tc -d [volume] to dismount a volume) and tcm to mount an encrypted volume.

truecrypt /dev/volume_name /mnt/mount_point
chown user_name /mnt/mount_point/
chgrp group_name /mnt/mount_point/
Safely unmount and unmap truecrypt volumes on shutdown
Add this line to /etc/conf.d/local.stop.
File: /etc/conf.d/local.stop
/usr/bin/truecrypt -d

Mount TrueCrypt volume via fstab
Create the following file in /sbin:
File: mount.truecrypt
#!/bin/sh
# Translate mount's "-o <options>" into truecrypt's "--fs-options=<options>"
OPTIONS="$(echo "$*" | sed 's/-o /--fs-options=/g')"
# $OPTIONS is left unquoted so that it splits back into separate arguments
sudo truecrypt $OPTIONS

Then you can mount your truecrypt device via the following line in fstab:
File: /etc/fstab
/dev/sdb3 mountpoint truecrypt defaults,noauto,user 0 2

By adding

Defaults env_keep=DISPLAY
Defaults env_keep+=XAUTHORITY

below

# Reset environment by default
Defaults env_reset

when running visudo, you also get graphical feedback in truecrypt-5.1a.
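
A stricter take on the mount.truecrypt helper above, as an added example (not the wiki's script or TrueCrypt's own code): it reads the device, mount point and -o value from the positions where mount(8) puts them and forwards each as a single argument, so a path containing spaces or the text "-o " is not re-split or rewritten on its way to sudo truecrypt. The function names run_tc and tc_mount and the absolute-path requirement are assumptions of this example.

```sh
#!/bin/sh
# Added example: a stricter /sbin/mount.truecrypt. Not the wiki's script.
# mount(8) runs helpers as: mount.<type> <device> <dir> [-sfnv] [-o <options>]

# Single place that elevates; the path matches the sudoers rule on this page.
run_tc() { sudo /usr/bin/truecrypt "$@"; }

tc_mount() {
    if [ "$#" -lt 2 ]; then
        echo "usage: mount.truecrypt <device> <dir> [-o <options>]" >&2
        return 2
    fi
    dev=$1; dir=$2; opts=; fake=
    shift 2
    # Assumption of this example: both operands are absolute paths. This also
    # keeps a value starting with "-" from being read as a truecrypt option.
    for p in "$dev" "$dir"; do
        case $p in
            /*) ;;
            *)  echo "not an absolute path: $p" >&2; return 2 ;;
        esac
    done
    while [ "$#" -gt 0 ]; do
        case $1 in
            -o) if [ "$#" -lt 2 ]; then echo "-o needs a value" >&2; return 2; fi
                opts=$2; shift 2 ;;
            -f) fake=1; shift ;;          # "fake" mount: do everything but mount
            -n|-s|-v) shift ;;            # mount's own flags, nothing to forward
            *)  echo "unexpected argument: $1" >&2; return 2 ;;
        esac
    done
    if [ -n "$fake" ]; then return 0; fi
    # Every value is forwarded as exactly one argument: no re-splitting on
    # spaces, no glob expansion, and "-o" is only rewritten where mount put it.
    if [ -n "$opts" ]; then
        run_tc "$dev" "$dir" "--fs-options=$opts"
    else
        run_tc "$dev" "$dir"
    fi
}

# mount always passes arguments; with none (e.g. when sourced) do nothing.
if [ "$#" -gt 0 ]; then tc_mount "$@"; fi
```

Any argument other than -o, -f, -n, -s or -v makes the helper stop with an error instead of passing it on to a command that runs as root.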
Troubleshooting
If the transfer speeds are low, try using the noatime option on mount:
truecrypt volume mountpoint -M noatime
If TrueCrypt reports that the module ntfs was not found when mounting an NTFS encrypted volume, even though ntfs-3g is installed, you need to specify the file system manually: truecrypt --filesystem=ntfs-3g volume mountpoint.
