TrueCrypt is a free open source on-the-fly encryption (OTFE) program. Some of its features are:
- Virtual encrypted disks within files that can be mounted as real disks.
- Encryption of an entire hard disk partition or a storage device/medium.
- All encryption algorithms use the LRW mode of operation, which is more secure than CBC mode with predictable initialization vectors for storage encryption.
- "Hidden volumes" within a normal "outer" encrypted volume. A hidden volume can not be distinguished from random data without access to a passphrase and/or keyfile.
Type as root in a terminal:
pacman -Sy truecrypt truecrypt-utils
If you use any other kernel than kernel26 install the corresponding kernel module, e.g. kernel26beyond -> truecrypt-beyond.
Load the kernel module that TrueCrypt needs.
Add the module to /etc/rc.conf:
Creating a normal volume
If you want to use a keyfile, create one with this command:
truecrypt --keyfile-create /etc/disk.key
By default both passphrase and key will be needed to unlock the volume.
Create a new volume in the device /dev/sda1:
truecrypt --type normal -c /dev/sda1
Map the volume to /dev/mapper/truecrypt1:
truecrypt -N 1 /dev/sda1
The only file system supported by default is FAT. If you want to use another simply format the disk like you normally would, except use the path /dev/mapper/truecrypt1.
Mount the volume:
mount /dev/mapper/truecrypt1 /media/disk
Map and mount a volume:
truecrypt /dev/sda1 /media/disk
Unmount and unmap a volume:
truecrypt -d /dev/sda1
First, create a normal outer volume as described above.
Map the outer volume to /dev/mapper/truecrypt1:
truecrypt -N 1 /dev/sda1
Create a hidden truecrypt volume in the free space of the outer volume:
truecrypt --type hidden -c /dev/sda1
You need to use another passphrase and/or keyfile here than the one you used for the outer volume.
Unmap the outer truecrypt volume and map the hidden one:
truecrypt -d /dev/sda4 truecrypt -N 1 /dev/sda4
Just use the passphrase you chose for the hidden volume and truecrypt will automatically choose it before the outer.
Create a file system on it and mount it:
mkfs.ext3 /dev/mapper/truecrypt1 mount /dev/mapper/truecrypt1 /media/disk
Map and mount the outer volume with the hidden write-protected:
truecrypt -P /dev/sda1 /media/disk
Mount volumes as a normal user
This part is mostly taken from the Gentoo wiki.
Truecrypt needs root privileges to work: this procedure will allow normal users to use it, also giving writing permissions to mounted volumes.
First of all, you must have sudo installed. If not, just type:
pacman -Sy sudo
Now we have to create a new group called truecrypt and give it the necessary permissions. Any users that will belong to that group, will be able to use truecrypt.
groupadd truecrypt visudo
Use the just opened editor to attach the following lines at the bottom of the configuration file:
# Users in the truecrypt group are allowed to run truecrypt as root. %truecrypt ALL=(root) NOPASSWD:/usr/bin/truecrypt
Before adding our users to the truecrypt group we still have to do something in order to make mounted volumes writable from normal users. To do this just open the system-wide bashrc file:
And add these few lines to it:
alias tc='sudo truecrypt' alias tcm='tc -M uid=$(id -u),gid=$(id -g)'
You can now add your users to the truecrypt group:
gpasswd -a USER_1 truecrypt gpasswd -a USER_2 truecrypt ...
Note: In order to make these changes active, any user that has been added to the truecrypt group have to logout.