ArchWiki - User contributions [en]: TrueCrypt, revision by Dajense, 2010-06-13T12:38:57Z (https://wiki.archlinux.org/index.php?title=TrueCrypt&diff=108678)<p>Dajense: /* Encrypting a physical volume */</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:File systems (English)]]<br />
[[Category:HOWTOs (English)]]<br />
'''TrueCrypt''' is a free open source on-the-fly encryption (OTFE) program. Some of its features are:<br />
* Virtual encrypted disks within files that can be mounted as real disks.<br />
* Encryption of an entire hard disk partition or a storage device/medium.<br />
* All encryption algorithms use the LRW mode of operation, which is more secure than CBC mode with predictable initialization vectors for storage encryption.<br />
* "Hidden volumes" within a normal "outer" encrypted volume. A hidden volume cannot be distinguished from random data without access to its passphrase and/or keyfile.<br />
<br />
== Installation ==<br />
Type as root in a terminal:<br />
# pacman -S truecrypt<br />
If you use any kernel other than kernel26 install the corresponding kernel module, e.g. kernel26beyond -> truecrypt-beyond.<br />
<br />
If you are using truecrypt to encrypt a virtual filesystem (e.g. a file), the module will be automatically loaded whenever you run the <code>truecrypt</code> command. You will need the "loop" module though. Add it to the MODULES array in /etc/rc.conf.<br />
<br />
If you are using truecrypt to encrypt a physical device (e.g. a hard disk or usb drive), you will likely want to load the module during the boot sequence:<br />
<br />
Add the module to /etc/rc.conf:<br />
MODULES=('''truecrypt''' ...)<br />
<br />
== Encrypting a file as a virtual volume ==<br />
The following instructions will create a file that will act as a virtual filesystem, allowing you to mount it and store files within the encrypted file. This is a convenient way to store sensitive information, such as financial data or passwords, in a single file that can be accessed from Linux, Windows, or Macs.<br />
<br />
To create a new truecrypt file interactively, type the following in a terminal:<br />
$ truecrypt -c<br />
<br />
{{Box Note | This command does not work in newer versions of truecrypt. Run "truecrypt" instead and manage your encrypted volumes from the GUI, or specify the necessary options to work on the command line (see truecrypt -h).}}<br />
<br />
Follow the instructions, choosing the default values unless you know what you're doing:<br />
<br />
Volume type:<br />
1) Normal<br />
2) Hidden<br />
Select [1]: 1<br />
<br />
Enter file or device path for new volume: /home/user/myEncryptedFile.tc<br />
<br />
Enter volume size (bytes - size/sizeK/sizeM/sizeG): 32M<br />
<br />
Encryption algorithm:<br />
1) AES<br />
2) Blowfish<br />
3) CAST5<br />
4) Serpent<br />
5) Triple DES<br />
6) Twofish<br />
7) AES-Twofish<br />
8) AES-Twofish-Serpent<br />
9) Serpent-AES<br />
10) Serpent-Twofish-AES<br />
11) Twofish-Serpent<br />
Select [1]: 1<br />
<br />
Hash algorithm:<br />
1) RIPEMD-160<br />
2) SHA-1<br />
3) Whirlpool<br />
Select [1]: 1 <br />
<br />
Filesystem:<br />
1) FAT<br />
2) None<br />
Select [1]: 1<br />
<br />
Enter password for new volume '/home/user/myEncryptedFile.tc': *****************************<br />
Re-enter password: *****************************<br />
<br />
Enter keyfile path [none]: <br />
<br />
TrueCrypt will now collect random data.<br />
Is your mouse connected directly to computer where TrueCrypt is running? [Y/n]: <br />
Please move the mouse randomly until the required amount of data is captured...<br />
Mouse data captured: 100% <br />
<br />
Done: 32.00 MB Speed: 10.76 MB/s Left: 0:00:00 <br />
Volume created.<br />
<br />
[user@host:~] $<br />
<br />
You can now mount the new encrypted file to a previously-created directory:<br />
$ truecrypt /home/user/myEncryptedFile.tc /home/user/myEncryptedFileFolder<br />
<br />
'''''Note:''' TrueCrypt requires root privileges, so running the above command as a regular user will attempt to use ''<tt>sudo</tt>'' for authentication. To work with volumes as a regular user, see the appropriate section below.''<br />
<br />
Once mounted, you can copy or create files within the encrypted directory as if it were any normal directory. When you are ready to unmount the directory (its contents are encrypted on disk at all times), run:<br />
$ truecrypt -d<br />
<br />
Again, this will require administrator privileges through the use of <tt>sudo</tt>.<br />
<br />
For more information about truecrypt in general, run:<br />
$ man truecrypt<br />
<br />
Several options can be passed at the command line, making automated access and creation a simple task. The man page is highly recommended reading.<br />
<br />
== Encrypting a physical volume ==<br />
If you want to use a keyfile, create one with this command:<br />
truecrypt --create-keyfile /etc/disk.key<br />
By default both passphrase and key will be needed to unlock the volume.<br />
<br />
Create a new volume in the device /dev/sda1:<br />
truecrypt --type normal -c /dev/sda1<br />
<br />
Map the volume to /dev/mapper/truecrypt1:<br />
truecrypt -N 1 /dev/sda1<br />
<br />
If this command does not work for you, try the following to map the volume:<br />
truecrypt --filesystem=none --slot=1 /dev/sda1<br />
<br />
Create a file system on the mapped device just as you normally would, using the path /dev/mapper/truecrypt1; ext3 is used here, but any file system works the same way:<br />
mkfs.ext3 /dev/mapper/truecrypt1<br />
<br />
Mount the volume:<br />
mount /dev/mapper/truecrypt1 /media/disk<br />
<br />
Map and mount a volume:<br />
truecrypt /dev/sda1 /media/disk<br />
<br />
Unmount and unmap a volume:<br />
truecrypt -d /dev/sda1<br />
<br />
== Creating a hidden volume ==<br />
First, create a normal outer volume as described above.<br />
<br />
Map the outer volume to /dev/mapper/truecrypt1:<br />
truecrypt -N 1 /dev/sda1<br />
<br />
Create a hidden truecrypt volume in the free space of the outer volume:<br />
truecrypt --type hidden -c /dev/sda1<br />
You need to use another passphrase and/or keyfile here than the one you used for the outer volume.<br />
<br />
Unmap the outer truecrypt volume and map the hidden one:<br />
truecrypt -d /dev/sda1<br />
truecrypt -N 1 /dev/sda1<br />
Enter the passphrase you chose for the hidden volume; TrueCrypt will then automatically select the hidden volume instead of the outer one.<br />
<br />
Create a file system on it (if you have not already) and mount it:<br />
mkfs.ext3 /dev/mapper/truecrypt1<br />
mount /dev/mapper/truecrypt1 /media/disk<br />
<br />
Map and mount the outer volume with the hidden volume protected against being overwritten:<br />
truecrypt -P /dev/sda1 /media/disk<br />
<br />
==Mount a special filesystem==<br />
In my example I want to mount an NTFS volume, but truecrypt doesn't use ntfs-3g by default (so there is no write access; checked in version 6.1).<br />
The following command works for me:<br />
truecrypt --filesystem=ntfs-3g --mount /file/you/want/to/mount<br />
You may also want to mount the NTFS volume without the execute flag set on all files:<br />
truecrypt --filesystem=ntfs-3g --fs-options=users,uid=$(id -u),gid=$(id -g),fmask=0113,dmask=0002 --mount /file/you/want/to/mount<br />
<br />
==Mount volumes as a normal user==<br />
<br />
TrueCrypt needs root privileges to work. The procedures below allow normal users to run it and also give them write permission on the mounted volumes.<br />
<br />
Both methods below require [[Sudo]]. Make sure it is configured before proceeding.<br />
<br />
===Method 1 (Add a truecrypt group)===<br />
<br />
Create a new group called truecrypt and give it the necessary permissions. Any user that belongs to that group will be able to use TrueCrypt.<br />
# groupadd truecrypt<br />
<br />
Edit the sudo configuration:<br />
# visudo<br />
<br />
Append the following lines at the bottom of the sudo configuration file:<br />
# Users in the truecrypt group are allowed to run TrueCrypt as root.<br />
%truecrypt ALL=(root) NOPASSWD:/usr/bin/truecrypt<br />
<br />
Before adding users to the truecrypt group, one more step is needed to make mounted volumes writable by normal users. Open the system-wide bashrc file:<br />
# nano /etc/bash.bashrc.local<br />
<br />
And add these lines to it (the second alias mounts the volume with the calling user's uid and gid as file-system options, which is what makes it writable for that user):<br />
alias tc='sudo truecrypt'<br />
alias tcm='tc -M uid=$(id -u),gid=$(id -g)'<br />
<br />
You can now add your users to the truecrypt group:<br />
# gpasswd -a USER_1 truecrypt<br />
# gpasswd -a USER_2 truecrypt<br />
...<br />
<br />
'''''Note:''' For these changes to take effect, any user that has been added to the truecrypt group has to log out and back in.''<br />
<br />
===Method 2 (sudo simplified)===<br />
Simply allow the desired user to run truecrypt without a password:<br />
# visudo<br />
<br />
Append the following:<br />
USERNAME ALL = (root) NOPASSWD:/usr/bin/truecrypt<br />
<br />
Alternatively, if you make use of the wheel group:<br />
%wheel ALL = (root) NOPASSWD:/usr/bin/truecrypt<br />
<br />
If you have any difficulties with permissions as a normal user, just add the '-u' flag to the truecrypt mount command, for example:<br />
$ truecrypt -u /home/user/myEncryptedFile.tc /home/user/myEncryptedFileFolder<br />
<br />
===Automatic mount on login===<br />
Add the following to your startup procedure:<br />
$ truecrypt /home/user/myEncryptedFile.tc /home/user/myEncryptedFileFolder <<EOF<br />
password<br />
EOF<br />
Do not use the -p switch: passing the password on standard input as shown is more secure. A password given with -p is part of the command line, so anyone on the system can read it with [[ps]] and similar tools. [http://thoughtyblog.wordpress.com/2009/07/05/truecrypt-linux-hide-password-from-ps/ source]<br />
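An added example, not from this wiki page, that wraps the stdin technique above in a small POSIX sh script: it refuses to run unless the passphrase file is a regular file owned by the caller with mode 0600 or 0400, and then feeds the passphrase to truecrypt on standard input rather than via -p. The function names passfile_ok and tc_mount and the TRUECRYPT variable are the example's own.<br />

```shell
#!/bin/sh
# Added example (not the wiki's own code): mount a TrueCrypt container at login
# without putting the passphrase on the command line. The passphrase is read
# from a file and handed to truecrypt on stdin, so it never shows up in `ps`.
# TRUECRYPT names the command to run; it defaults to truecrypt on PATH.
TRUECRYPT="${TRUECRYPT:-truecrypt}"

# passfile_ok FILE: succeed only if FILE is a regular file, owned by the
# calling user, and not readable by anyone else (mode 600 or 400).
passfile_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$f" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# tc_mount CONTAINER MOUNTPOINT PASSFILE: validate the inputs, then run
# truecrypt with the passphrase on stdin (equivalent to the heredoc above).
tc_mount() {
    container="$1"; mountpoint="$2"; passfile="$3"
    # Accept a container file or a block device such as /dev/sda1.
    if [ ! -f "$container" ] && [ ! -b "$container" ]; then
        echo "no such container: $container" >&2; return 2
    fi
    [ -d "$mountpoint" ] || { echo "no such mount point: $mountpoint" >&2; return 2; }
    passfile_ok "$passfile" || { echo "refusing: $passfile must be a 0600 file you own" >&2; return 3; }
    "$TRUECRYPT" "$container" "$mountpoint" < "$passfile"
}
```

Call it from the startup script as tc_mount /home/user/myEncryptedFile.tc /home/user/myEncryptedFileFolder /home/user/.tc-pass, after creating the passphrase file with chmod 600.<br />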
<br />
==Errors==<br />
===TrueCrypt is already running===<br />
If a message box ''TrueCrypt is already running'' appears when starting TrueCrypt, check for a hidden file called ''.TrueCrypt-lock-username'' in the home directory of the affected user (substitute ''username'' with the actual user name). Delete the file and start TrueCrypt again.<br />
<br />
===Deleted stale lockfile===<br />
If you always get a message "Delete stale lockfile [....]" after starting TrueCrypt, the TrueCrypt process with the lowest ID has to be killed during GNOME logout. A user in the Ubuntu forum provided the following solution: edit<br />
/etc/gdm/PostSession/Default <br />
and add the following line before exit 0 (the bracketed pattern keeps the grep process itself out of the match, so only TrueCrypt processes are killed):<br />
kill $(ps -ef | grep '[t]ruecrypt' | tr -s ' ' | cut -d ' ' -f 2)<br />
<br />
===Issues with Unicode file / folder names on NTFS volumes ===<br />
Should files or folders containing Unicode characters in their names be displayed incorrectly or not at all on TrueCrypt NTFS volumes (while e.g. being handled correctly on non-encrypted NTFS partitions), first verify that you have the [[NTFS-3G]] driver installed and then create the following symlink as root:<br />
ln -s /sbin/mount.ntfs-3g /sbin/mount.ntfs<br />
That will cause TrueCrypt to automatically use this driver for NTFS volumes, having the same effect as the explicit use of<br />
truecrypt --filesystem=ntfs-3g /path/to/volume<br />
via the console.<br />
<br />
One may also consider setting e.g.<br />
rw,noatime<br />
amongst other options in the TrueCrypt GUI (Settings → Preferences → Mount Options).<br />
<br />
==Related links==<br />
* [http://www.truecrypt.org/ TrueCrypt Homepage]<br />
* [http://en.gentoo-wiki.com/wiki/TrueCrypt HOWTO: Truecrypt Gentoo wiki]<br />
* [http://www.howtoforge.com/truecrypt_data_encryption Truecrypt Tutorial on HowToForge]</div>Dajense