From ArchWiki
Revision as of 02:15, 2 May 2007 by Wulax (Talk | contribs) (first version)



TrueCrypt is a free open source on-the-fly encryption (OTFE) program. Some of its features are:

  • Virtual encrypted disks within files that can be mounted as real disks.
  • Encryption of an entire hard disk partition or a storage device/medium.
  • All encryption algorithms use the LRW mode of operation, which is more secure than CBC mode with predictable initialization vectors for storage encryption.
  • "Hidden volumes" within a normal "outer" encrypted volume. A hidden volume cannot be distinguished from random data without access to its passphrase and/or keyfile.


Type as root in a terminal:

  pacman -Sy truecrypt truecrypt-utils

If you use a kernel other than kernel26, install the corresponding kernel module package instead, e.g. kernel26beyond -> truecrypt-beyond.

Load the kernel module that TrueCrypt needs.

  modprobe truecrypt

Add the module to /etc/rc.conf:

 MODULES=(truecrypt ...)

Creating a normal volume

If you want to use a keyfile, create one with this command:

  truecrypt --keyfile-create /etc/disk.key

By default, both the passphrase and the keyfile are needed to unlock the volume.

Create a new volume in the device /dev/sda1:

  truecrypt --type normal -c /dev/sda1

Map the volume to /dev/mapper/truecrypt1:

  truecrypt -N 1 /dev/sda1

The only file system supported by default is FAT. If you want to use another, format the mapped device as you normally would, using the path /dev/mapper/truecrypt1 instead of the raw partition:

  mkfs.ext3 /dev/mapper/truecrypt1

Mount the volume:

  mount /dev/mapper/truecrypt1 /media/disk

Map and mount a volume:

  truecrypt /dev/sda1 /media/disk

Unmount and unmap a volume:

  truecrypt -d /dev/sda1

Creating a hidden volume

First, create a normal outer volume as described above.

Map the outer volume to /dev/mapper/truecrypt1:

  truecrypt -N 1 /dev/sda1

Create a hidden truecrypt volume in the free space of the outer volume:

  truecrypt --type hidden -c /dev/sda1

Use a different passphrase and/or keyfile here from the one used for the outer volume.

Unmap the outer truecrypt volume and map the hidden one:

  truecrypt -d /dev/sda1
  truecrypt -N 1 /dev/sda1

Enter the passphrase you chose for the hidden volume; truecrypt tries the hidden volume before the outer one, so the right volume is selected automatically.

Create a file system on it and mount it:

  mkfs.ext3 /dev/mapper/truecrypt1
  mount /dev/mapper/truecrypt1 /media/disk

Map and mount the outer volume with the hidden volume write-protected, so that writes to the outer volume cannot overwrite the hidden one:

  truecrypt -P /dev/sda1 /media/disk

Mount volumes as a normal user

This part is mostly taken from the Gentoo wiki.

TrueCrypt needs root privileges to work. This procedure lets normal users run it and gives them write permission on the mounted volumes.

First of all, you must have sudo installed. If not, just type:

  pacman -Sy sudo

Now we have to create a new group called truecrypt and give it the necessary permissions. Any user who belongs to that group will be able to use truecrypt.

 groupadd truecrypt

Then open the sudoers file with visudo and append the following lines at the bottom of the configuration file:

 # Users in the truecrypt group are allowed to run truecrypt as root.
 %truecrypt ALL=(root) NOPASSWD:/usr/bin/truecrypt

Before adding users to the truecrypt group, one more step is needed to make mounted volumes writable by normal users. Open the system-wide bashrc file:

 nano /etc/bash/bashrc

And add these few lines to it:

 alias tc='sudo truecrypt'
 alias tcm='tc -M uid=$(id -u),gid=$(id -g)'

You can now add your users to the truecrypt group:

 gpasswd -a USER_1 truecrypt
 gpasswd -a USER_2 truecrypt

Note: In order to make these changes active, any user that has been added to the truecrypt group has to log out and log back in.
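As an added example that is not part of the original ArchWiki page, the following wrapper ties together the mapping and mounting commands from the sections above with the normal-user setup: it validates its inputs, passes the caller's uid/gid as mount options the way the tcm alias does, and can add the hidden-volume protection flag (-P) when an outer volume is opened for writing. It assumes the truecrypt flags used on this page (-M, -P, -d) can be combined as shown and that the sudoers rule above is in place; with TC_DRY_RUN=1 it only prints the command it would run, so it can be checked on a machine without truecrypt or root.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page or the TrueCrypt project.
set -eu

# Accept only absolute paths: a block device under /dev or a file-hosted
# container. In dry-run mode the existence check is skipped.
valid_volume() {
    case "$1" in
        /dev/*) [ -b "$1" ] || [ "${TC_DRY_RUN:-0}" = 1 ] ;;
        /*)     [ -f "$1" ] || [ "${TC_DRY_RUN:-0}" = 1 ] ;;
        *)      return 1 ;;
    esac
}

# tc_open_cmd VOLUME MOUNTPOINT [plain|protect]
# Prints the truecrypt command that maps and mounts VOLUME on MOUNTPOINT,
# owned by the calling user. "protect" opens an outer volume with its
# hidden volume write-protected (-P), as in the hidden-volume section.
tc_open_cmd() {
    vol=$1; mnt=$2; mode=${3:-plain}
    valid_volume "$vol" || { echo "bad volume path: $vol" >&2; return 1; }
    [ -d "$mnt" ] || { echo "mount point is not a directory: $mnt" >&2; return 1; }
    opts="uid=$(id -u),gid=$(id -g)"
    case "$mode" in
        plain)   echo "truecrypt -M $opts $vol $mnt" ;;
        protect) echo "truecrypt -P -M $opts $vol $mnt" ;;
        *)       echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# tc_close_cmd VOLUME: prints the command that unmounts and unmaps VOLUME.
tc_close_cmd() {
    valid_volume "$1" || { echo "bad volume path: $1" >&2; return 1; }
    echo "truecrypt -d $1"
}

# tc_run CMD: print the command in dry-run mode, otherwise run it through
# sudo (the sudoers rule for the truecrypt group allows this without a
# password). CMD is deliberately word-split; none of its parts contain spaces.
tc_run() {
    if [ "${TC_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$1"
    else
        # shellcheck disable=SC2086
        sudo $1
    fi
}
```

Example use: TC_DRY_RUN=1 tc_run "$(tc_open_cmd /dev/sda1 /media/disk protect)" prints the command; without TC_DRY_RUN it maps and mounts the volume.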

Related links

TrueCrypt Homepage