Update: while truecrypt still doesn't offer native packages (ie. .deb / .rpm) for Linux distributions, their shellscript installer works just fine. So the simplified version of the installation procedure is:
- Download the correct package from Truecrypt (either 32 or 64 bit). You can find out which you need by typing
uname -a
at the console: if it says i686 you need the 32 bit version, if it says x86_64 you need the 64 bit version.
- In the directory where you downloaded it:
tar xvf truecrypt-7.0a-linux-x86.tar.gz
sudo ./truecrypt-7.0a-setup-x86
- Click "Install Truecrypt"
- Launch it from Applications -> Accessories or by typing
truecrypt
- If you later want to uninstall truecrypt:
sudo /usr/bin/truecrypt-uninstall.sh
While I was upgrading my storage subsystem (I bought two new hard-drives :)) I thought that this might be a good time to go fully encrypted for privacy reasons. The solution I selected was Truecrypt since it seemed the only one to offer cross platform support. However the Linux part of it is not complete and you may have to employ a few tricks which I describe below:
Truecrypt does not have packages (yet) for Ubuntu 7.04 (Feisty Fawn), so you have to go with the source distribution. My installation experience was pretty flawless, but others had problems with it, so you might need to google around a bit. What you need:
- The build-essential package:
sudo apt-get install build-essential
- The source files which correspond to your kernel version. You can find out which kernel version you have by typing
uname -r
at the console. For example I have 2.6.20-15-generic, and the corresponding source package for it is linux-source-2.6.20 (observe that the patch version is not important).
- The latest Linux kernel is compiled with gcc4; however if you have an older version, you should check the gcc version it was compiled with, since you need to use the same version when compiling Truecrypt. You can do this by typing
cat /proc/version
at the console. For example the output on my system was
Linux version 2.6.20-15-generic (root@palmer) (gcc version 4.1.2 (Ubuntu 4.1.2-0ubuntu4)) #2 SMP Sun Apr 15 07:36:31 UTC 2007
The important part of this is the "gcc version ..." part. If it says something like 3.4 there, you should install the respective version of gcc (sudo apt-get install gcc-3.4 - the subversion is not important) and make sure that the building process uses that version by typing the following at the console from which you will launch the build:
export CC=gcc-3.4
Now for the building process (taken from howtogeek and the ubuntu forums):
- Download the source code (by going to the download page and selecting "Other (source code)")
- Extract the archive using either the GUI (with Archive Manager) or by typing at the command line
tar xvfz truecrypt-4.3-source-code.tar.gz
(if you downloaded a different version of truecrypt, you should replace the archive name with the name of the archive you downloaded)
- Do the following on the terminal (the same terminal where you did the "export ..." step if it was needed - otherwise it doesn't matter):
cd /usr/src/
sudo tar xvfj linux-source-2.6.20.tar.bz2
sudo make -d -C linux-source-2.6.20 modules_prepare
Warning! The last step can take a considerable amount of time (up to an hour), so be prepared with some fun games.
- Now you are ready to install truecrypt:
cd truecrypt-4.3-source-code/Linux/
sudo ./build.sh
sudo ./install.sh
After installing you can create and mount Truecrypt volumes (including ones created under Windows). Here are some gotchas to watch out for:
When creating a Truecrypt volume (under Linux), you have to specify FAT for the filesystem. This is needed because Truecrypt does not have an option (as far as I know) to mount the volume as a block device and refuses to mount it if it can't recognize the file system. If you wish to use a more sane file-system (like ext3, reiserfs or even ntfs), do the following:
- Create the volume with a FAT filesystem
- Mount the volume
- Now unmount the filesystem part using umount (not truecrypt -d). For example on my system I would do
sudo umount /media/large
To find out the exact parameter you need to pass to umount, do a
sudo mount
and look for a line which begins with /dev/mapper/truecrypt and use the part after "on" (for example on my system it says
/dev/mapper/truecrypt0 on /media/large type fuseblk (rw,nosuid,nodev,noatime,allow_other,default_permissions,blksize=4096)
and thus I need to use /media/large). If you have multiple such lines, do a
truecrypt -l
to find out which one you need to use.
- Use mkfs to create the filesystem you wish. For example to create an NTFS filesystem, I would do
sudo mkfs -V -t ntfs /dev/mapper/truecrypt0
- Now re-mount it.
If you wish to mount an NTFS formatted volume in read/write mode, you need to have the ntfs-3g driver installed, and when mounting specify it by saying
--filesystem ntfs-3g
because the autodetect mode will result in the usage of the read-only ntfs driver. Also the user mount option doesn't seem to work for me, so instead you can use the
--mount-options gid=100,uid=1000,umask=000
parameter to make it accessible to all users. You can find out the numbers you need to type for gid (GroupID) and uid (UserID) by doing a
cat /etc/group | grep user
and
cat /etc/passwd | grep [your user name]
respectively.
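The two look-ups above (the mount point behind a /dev/mapper/truecryptN device in the output of mount, and the uid/gid numbers for --mount-options) can be scripted. The following is an added example and not code from the post; the mount output, passwd and group records in it are constructed samples so that it runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the two look-ups the
# text describes by hand, with constructed sample data so it runs offline.

# Constructed `mount` output in the shape the post quotes (not from a real system).
SAMPLE_MOUNT='/dev/sda1 on / type ext3 (rw,errors=remount-ro)
/dev/mapper/truecrypt0 on /media/large type fuseblk (rw,nosuid,nodev,noatime,allow_other,default_permissions,blksize=4096)
/dev/mapper/truecrypt1 on /media/backup type ext3 (rw)'

# Constructed /etc/passwd and /etc/group records.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash'
SAMPLE_GROUP='root:x:0:
users:x:100:
alice:x:1000:'

# tc_mountpoint DEVICE [MOUNT_OUTPUT]: print the directory a mapper device is
# mounted on (the value to hand to umount). Runs mount(8) when $2 is not given.
# Comparing whole fields means truecrypt1 never matches truecrypt10.
tc_mountpoint() {
    out=${2:-$(mount)}
    printf '%s\n' "$out" | awk -v dev="$1" '$1 == dev && $2 == "on" { print $3; exit }'
}

# lookup_id NAME DATA: third colon-separated field (uid in passwd, gid in group).
lookup_id() {
    printf '%s\n' "$2" | awk -F: -v n="$1" '$1 == n { print $3; exit }'
}
tc_uid() { lookup_id "$1" "${2:-$(cat /etc/passwd)}"; }
tc_gid() { lookup_id "$1" "${2:-$(cat /etc/group)}"; }

# tc_mount_options USER GROUP [UMASK] [PASSWD_DATA] [GROUP_DATA]
# Builds the value the post passes to --mount-options. The post uses umask=000
# (everyone can read and write); umask=077 keeps the volume to its owner.
tc_mount_options() {
    u=$(tc_uid "$1" "$4")
    g=$(tc_gid "$2" "$5")
    [ -n "$u" ] && [ -n "$g" ] || return 1
    printf 'gid=%s,uid=%s,umask=%s\n' "$g" "$u" "${3:-000}"
}

# On a real system (commented out so the script stays self-contained):
#   sudo umount "$(tc_mountpoint /dev/mapper/truecrypt0)"
#   truecrypt --filesystem ntfs-3g --mount-options "$(tc_mount_options alice users 077)" vol.tc /media/large
```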
Finally be aware that truecrypt gives you the option to specify sensitive data (keyfiles, passwords) at the command line. While this is convenient, doing so will give huge clues to any decent attacker, because the command line is stored in the ~/.bash_history file, effectively giving away your passwords. You can clear your history file by doing a
history -c
however the strings are still on your hard-drive in the slack space. The best thing is to never specify these things at the command line and let truecrypt prompt you for them.
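A quick way to check whether a history file already contains such lines is to scan it for truecrypt invocations that carry a password or keyfile option and report them with the secret masked. This is an added example, not code from the post; the history data in it is constructed, and it assumes the option spellings -p/--password and -k/--keyfile(s) of TrueCrypt's later command line (check them against your version's --help).

```shell
#!/bin/sh
# Added example (not from the original post): audit a bash history file for
# truecrypt invocations that carried a password or keyfile on the command line,
# which is the leak the post warns about. The option names -p/--password and
# -k/--keyfile(s) are assumed from TrueCrypt's later CLI; the history is constructed.

SAMPLE_HISTORY='ls -la
truecrypt -p hunter2 /media/vol.tc /media/large
truecrypt --keyfiles=/home/alice/key.bin /media/vol.tc /media/large
truecrypt /media/vol.tc /media/large
sudo truecrypt -k /root/key.bin /dev/sdb1 /mnt
truecrypt --password=s3cret --filesystem ntfs-3g /dev/sda2 /mnt
history -c'

# tc_history_leaks [HISTORY_DATA]: print each truecrypt line that passed a secret,
# with the secret value replaced by [REDACTED] so the report itself does not leak.
# Reads ~/.bash_history when $1 is not given.
tc_history_leaks() {
    data=${1:-$(cat "$HOME/.bash_history")}
    printf '%s\n' "$data" | awk '
        $1 == "truecrypt" || ($1 == "sudo" && $2 == "truecrypt") {
            leaked = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(-p|--password|-k|--keyfiles?)$/) {   # "-p value" form
                    leaked = 1
                    if (i < NF) $(i + 1) = "[REDACTED]"
                } else if ($i ~ /^(--password|--keyfiles?)=/) {  # "--flag=value" form
                    leaked = 1
                    sub(/=.*/, "=[REDACTED]", $i)
                }
            }
            if (leaked) print
        }'
}

# tc_history_leak_count [HISTORY_DATA]: number of leaking lines, usable in scripts.
tc_history_leak_count() {
    tc_history_leaks "$1" | wc -l | tr -d ' '
}

# On a real system: tc_history_leaks; [ "$(tc_history_leak_count)" = 0 ] || echo "secrets found in history"
```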
Update: if you don't want to move around your mouse when creating a new volume (to generate random numbers), just put
--random-source /dev/urandom
on the command line. While this reduces the theoretical strength of your encryption, in practical terms it doesn't affect you.
Update: as a reader pointed out in the comments, there is a simpler way to use a file system different from FAT: after creating the volume, the first time you mount it, don't specify the directory where it should be mounted. This will mount it as a block-device, but will not attempt to use any file-system on it. Then issue the
truecrypt -l
command to see where it got mounted and use the mkfs family of commands to create a filesystem of your desire.
As far as I know, the user-mount option requires the truecrypt binary to be setuid root. Unfortunately this seems to be a huge security hole (see http://www.securityfocus.com/archive/1/464064/30/300/threaded) and so mount-options seems to be the best solution at the moment.
This looks like a great step-by-step guide -- but as a total newbie trying to move to Ubuntu I couldn't make it past downloading the Truecrypt source files because I didn't know where in the filesystem to save and extract truecrypt-4.3-source-code.tar.gz. Can anyone help?
I think that:
sudo tar xvfz linux-source-2.6.20.tar.bz2
should be:
sudo tar xvfj linux-source-2.6.20.tar.bz2
the "j" being for bzip rather than "z" for gzip
Thank you, I corrected it. Also, with regards to the download:
You can save the truecrypt source code anywhere you wish (for example on your desktop) and work from there. It is only needed for the install process, after that it can be safely deleted.
When creating TrueCrypt volumes under Linux, you don't _have to_ specify FAT as the filesystem.
1. truecrypt --create test.tc
Create the volume (specify None for the filesystem)
2. truecrypt test.tc
Map the volume (it prompts you for your password)
3. truecrypt -l
List the mapped volume (you should see something like: /dev/mapper/truecrypt0)
4. sudo mke2fs /dev/mapper/truecrypt0
Make the file system you want
5. truecrypt -d
Dismount the mapped volume
6. mkdir mnt; truecrypt test.tc mnt
Mount the volume on your filesystem
7. sudo chown user.group mnt
Replace user.group with your appropriate values. This is needed because the filesystem on mnt is owned by root. You will probably need to do this only once.
Enjoy :)
(Note: I've tried the above on SUSE Linux, but it should work across all distributions)
THANK YOU! I downloaded the new Truecrypt 4.3a .deb package for my Ubuntu 6.10 and kept getting some kernel module error when trying to actually Truecrypt mount. I followed your instructions, downloaded the Truecrypt source, and it worked like a charm! Great step-by-step walkthrough!
I recently skimmed through all the posts in this blog, and I wanted to let you know that I really appreciate all the good information and hard work you've done here. I particularly like your examinations of Security Now! as I've been listening to that podcast since its inception. You do a very good job of pointing out things that Steve Gibson gets wrong, but you always give him credit when he gets things right, too. You definitely seem to be interested in getting sound answers to computer security questions rather than in making personal attacks. Keep up the good work!
Does anybody know if it's possible to mount pre-created NTFS volumes under truecrypt? I use truecrypt under Windows, and would like to mount the volume I have there under Ubuntu.
Thanks in advance :)
Thank you Sharad Popli for the info. I updated the blog posting.
In reply to anonymous: it is perfectly possible as long as your Linux distribution has the ability to read NTFS partitions.
In reply to anonymous, to mount a pre-created NTFS volume created by Truecrypt under Windows, it is very easy. The tricky part is to make the volume writeable.
Below is the command I used as a normal user:
truecrypt -u --filesystem ntfs-3g /dev/sda2 /mnt
The -u switch makes for user mounted options so that you can mount it as a normal user and access it.
--filesystem ntfs-3g tells Truecrypt to mount it with a writeable NTFS partition because by default NTFS is mounted read-only. Of course you need to have ntfs-3g package installed on your system in order to write to NTFS volumes.
I hope this helps.
Beautiful thanks! For a newbie using a file on an external USB drive on an Eee I found the following version worked fine:
truecrypt --filesystem=ntfs-3g D:/{tc filename} /mnt
I have a problem when mounting truecrypt volumes because after mounting, chmod doesn't affect the files that are there in the encrypted volume. Why is this? I'm running TC on FC10
To create an arbitrary FS (i.e. ext2):
truecrypt -N 1 /path/to/created/volume
export MKE2FS_SYNC=1
mkfs.ext2 /dev/mapper/truecrypt1
truecrypt -d /path/to/created/volume
See: http://en.gentoo-wiki.com/wiki/TrueCrypt for more information
When using TC 6.2 or newer use:
truecrypt --filesystem=none /path/image.tc
mkntfs /dev/mapper/truecrypt1