Monday, April 23, 2007

Installing and using Truecrypt on Ubuntu

Update: while Truecrypt still doesn't offer native packages (i.e. .deb / .rpm) for Linux distributions, their shell script installer works just fine. So the simplified version of the installation procedure is:

  1. Download the correct package from Truecrypt (either 32 or 64 bit - you can find out which you need by typing uname -a - if it says i686 you need 32 bit, if it says x86_64 you need 64 bit)
  2. In the directory where you downloaded: tar xvf truecrypt-7.0a-linux-x86.tar.gz
  3. sudo ./truecrypt-7.0a-setup-x86
  4. Click "Install Truecrypt"
  5. Launch it from Application -> Accessories or by typing truecrypt
  6. If you later want to uninstall truecrypt: sudo /usr/bin/truecrypt-uninstall.sh

While I was upgrading my storage subsystem (I bought two new hard-drives :)) I thought that this might be a good time to go fully encrypted for privacy reasons. The solution I selected was Truecrypt since it seemed the only one to offer cross-platform support. However the Linux part of it is not complete and you may have to employ a few tricks, which I describe below:

Truecrypt does not have packages (yet) for Ubuntu 7.04 (Feisty Fawn), so you have to go with the source distribution. My installation experience was pretty flawless, but others had problems with it, so you might need to google around a bit. What you need:

  • The build-essentials package (sudo apt-get install build-essential)
  • The source files which correspond to your kernel version. You can find out which kernel version you have by typing uname -r at the console. For example I have 2.6.20-15-generic, and the corresponding source package for it is linux-source-2.6.20 (observe that the patch version is not important)
  • The latest Linux kernel is compiled with gcc 4; however, if you have an older version, you should check the gcc version it was compiled with, since you need to use the same version when compiling Truecrypt. You can do this by typing cat /proc/version at the console. For example the output on my system was Linux version 2.6.20-15-generic (root@palmer) (gcc version 4.1.2 (Ubuntu 4.1.2-0ubuntu4)) #2 SMP Sun Apr 15 07:36:31 UTC 2007. The important part of this is the gcc version ... part. If it says something like 3.4 there, you should install the respective version of gcc (sudo apt-get install gcc-3.4 - the subversion is not important) and make sure that the building process uses the respective version by typing the following at the console which you will be using to launch the building process: export CC=gcc-3.4

Now for the building process (taken from howtogeek and the ubuntu forums):

  1. Download the source code (by going to the download page and selecting Other (source code))
  2. Extract the archive using either the GUI (with Archive Manager) or by typing at the command line tar xvfz truecrypt-4.3-source-code.tar.gz (if you downloaded a different version of truecrypt, you should replace the archive name with the name of the archive you downloaded)
  3. Do the following on the terminal (the same terminal where you did the export... step if it was needed - otherwise it doesn't matter):
    cd /usr/src/
    sudo tar xvfj linux-source-2.6.20.tar.bz2 
    sudo make -d -C linux-source-2.6.20 modules_prepare
    
    Warning! The last step can take a considerable amount of time (up to an hour), so be prepared with some fun games
  4. Now you are ready to install truecrypt:
    cd truecrypt-4.3-source-code/Linux/
    sudo ./build.sh
    sudo ./install.sh
    

After installing you can create and mount Truecrypt volumes (including ones created under Windows). Here are some gotchas to watch out for:

When creating a Truecrypt volume (under Linux), you have to specify FAT for the filesystem. This is needed because Truecrypt does not have an option (as far as I know) to mount the volume as a block device and refuses to mount it if it can't recognize the file system. If you wish to use a more sane file-system (like ext3, reiserfs or ntfs even), do the following:

  1. Create the volume with a FAT filesystem
  2. Mount the volume
  3. Now unmount the filesystem part using umount (not truecrypt -d). For example on my system I would do sudo umount /media/large. To find out the exact parameter you need to pass to umount, do a sudo mount and look for a line which begins with /dev/mapper/truecrypt and use the part after on (for example on my system it says: /dev/mapper/truecrypt0 on /media/large type fuseblk (rw,nosuid,nodev,noatime,allow_other,default_permissions,blksize=4096) and thus I need to use /media/large). If you have multiple such lines, do a truecrypt -l to find out which you need to use.
  4. Use mkfs to create the filesystem you wish. For example to create an NTFS filesystem, I would do sudo mkfs -V -t ntfs /dev/mapper/truecrypt0
  5. Now re-mount it.

If you wish to mount an NTFS formatted volume in read/write mode, you need to have the ntfs-3g driver installed, and when mounting specify it by saying --filesystem ntfs-3g, because the autodetect mode will result in the usage of the read-only ntfs driver. Also the user mount option doesn't seem to work for me, so instead you can use the --mount-options gid=100,uid=1000,umask=000 parameter to make it accessible to all users. You can find out the number you need to type for gid (GroupID) and uid (UserID) by doing a cat /etc/group|grep user and cat /etc/passwd|grep [your user name] respectively.

Finally be aware that truecrypt gives you the option to specify sensitive data (keyfiles, passwords) at the command line. While this is convenient, doing so will give huge clues to any decent attacker, because the command line is stored in the ~/.bash_history file, effectively giving away your passwords. Now you can clear your history file by doing a history -c, however the strings are still on your hard-drive in the slack space. The best thing is to never specify these things at the command line and let truecrypt prompt you for them.
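As an added example (not from the original post), here is a small audit script for the leak described above: it finds truecrypt invocations in a shell history that carried a password or keyfile on the command line. The option spellings (-p/--password, -k/--keyfiles) are assumed from the Truecrypt CLI and the sample history is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit a shell history file for
# truecrypt invocations that carried the password or keyfile on the command
# line. Option spellings are assumed from the TrueCrypt CLI (-p/--password,
# -k/--keyfiles); adjust TC_LEAK_RE for your version.

# Extended regex for "truecrypt ... <secret-bearing option>".
TC_LEAK_RE='(^|[;&|[:space:]/])truecrypt[[:space:]]+(.*[[:space:]]+)?(-[pk]|--password|--keyfiles)'

# Print the offending history lines read from stdin.
tc_history_leaks() {
    grep -E "$TC_LEAK_RE"
}

# Number of offending lines on stdin (0 when the history is clean).
tc_history_leak_count() {
    tc_history_leaks | wc -l | tr -d ' '
}

# Copy of stdin with the offending lines removed. Per the post's caveat this
# only cleans the history file, not the freed disk blocks where the old
# contents may linger; prevention (letting truecrypt prompt) is the real fix.
tc_history_scrub() {
    grep -vE "$TC_LEAK_RE" || true
}

# Constructed sample history: the third and fourth lines leak a password
# and a keyfile path, the others are clean.
SAMPLE_HISTORY='ls -la
truecrypt /media/usb/vol.tc /media/large
truecrypt -p hunter2 /media/usb/vol.tc /media/large
/usr/bin/truecrypt --password=hunter2 -k /home/me/key.jpg vol.tc /mnt
truecrypt -l
truecrypt --filesystem ntfs-3g --mount-options gid=100,uid=1000,umask=000 vol.tc /mnt
history -c'

# Typical use on a real file: tc_history_leaks < ~/.bash_history
printf '%s\n' "$SAMPLE_HISTORY" | tc_history_leaks
```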

Update: if you don't want to move around your mouse when creating a new volume (to generate random numbers), just put --random-source /dev/urandom on the command line. While this reduces the theoretical strength of your encryption, in practical terms it doesn't affect you.

Update: as a reader pointed out in the comments, there is a simpler way to use a file system different from FAT: after creating the volume, the first time you mount it, don't specify the directory where it should be mounted. This will mount it as a block device, but will not attempt to use any file system on it. Then issue the truecrypt -l command to see where it got mounted and use the mkfs family of commands to create a filesystem of your desire.
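As an added example (not from the original post), the umount-then-mkfs steps listed earlier and this update can be scripted. It assumes the mount output format quoted above and the /dev/mapper/truecryptN device naming; the parsing runs on a constructed sample, while the mkfs step only runs against a real mapping.

```shell
#!/bin/sh
# Added example, not from the original post: automate "unmount the FAT side,
# mkfs, re-mount" for a mapped TrueCrypt volume. Assumes the classic `mount`
# output format quoted in the post ("<dev> on <mountpoint> type <fs> (...)")
# and the 4.x device names /dev/mapper/truecryptN.

# Print "device mountpoint" for every mounted TrueCrypt mapper device,
# reading `mount` output from stdin.
tc_mounts() {
    awk '$1 ~ "^/dev/mapper/truecrypt[0-9]+$" && $2 == "on" { print $1, $3 }'
}

# Look up the mount point of one mapper device in `mount` output on stdin.
# Prints nothing and returns 1 if the device is not mounted.
tc_mountpoint() {
    dev="$1"
    mp=$(tc_mounts | awk -v d="$dev" '$1 == d { print $2; exit }')
    [ -n "$mp" ] || return 1
    printf '%s\n' "$mp"
}

# Replace the filesystem inside a mapped TrueCrypt volume with $2 (e.g. ext3).
# Only the filesystem is unmounted (umount, not truecrypt -d), so the mapping
# stays and mkfs writes through it. Re-mount with truecrypt afterwards.
tc_reformat() {
    dev="$1"; fstype="$2"
    mp=$(mount | tc_mountpoint "$dev") || { echo "$dev is not mounted" >&2; return 1; }
    sudo umount "$mp" || return 1
    sudo mkfs -t "$fstype" "$dev"
}

# Constructed sample of `mount` output, modelled on the line quoted in the post.
SAMPLE_MOUNT='/dev/sda1 on / type ext3 (rw,relatime,errors=remount-ro)
/dev/mapper/truecrypt0 on /media/large type fuseblk (rw,nosuid,nodev,noatime,allow_other,default_permissions,blksize=4096)
/dev/mapper/truecrypt1 on /media/backup type fuseblk (rw,nosuid,nodev)'

# Typical use on a live system: mount | tc_mounts ; tc_reformat /dev/mapper/truecrypt0 ext3
printf '%s\n' "$SAMPLE_MOUNT" | tc_mounts
```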

14 comments:

  1. Anonymous, 2:54 PM

    As far as I know, the user-mount option requires the truecrypt binary to be setuid root. Unfortunately this seems to be a huge security hole (see http://www.securityfocus.com/archive/1/464064/30/300/threaded) and so mount-options seems to be the best solution at the moment.

  2. Anonymous, 4:29 PM

    This looks like a great step-by-step guide-- but as a total newbie trying to move to Ubuntu I couldn't make it past downloading the Truecrypt source files because I didn't know where in the filesystem to save and extract truecrypt-4.3-source-code.tar.gz. Can anyone help?

  3. Anonymous, 8:57 AM

    I think that:
    sudo tar xvfz linux-source-2.6.20.tar.bz2

    should be:
    sudo tar xvfj linux-source-2.6.20.tar.bz2

    the "j" being for bzip rather than "z" for gzip

  4. Thank you, I corrected it. Also, with regards to the download:

    You can save the truecrypt source code anywhere you wish (for example on your desktop) and work from there. It is only needed for the install process, after that it can be safely deleted.

  5. Anonymous, 9:48 AM

    When creating TrueCrypt volumes under Linux, you don't _have to_ specify FAT as the filesystem.

    1. truecrypt --create test.tc
    Create the volume (specify None for the filesystem)

    2. truecrypt test.tc
    Map the volume (it prompts you for your password)

    3. truecrypt -l
    List the mapped volume (you should see something like: /dev/mapper/truecrypt0)

    4. sudo mke2fs /dev/mapper/truecrypt0
    Make the file system you want

    5. truecrypt -d
    Dismount the mapped volume

    6. mkdir mnt; truecrypt test.tc mnt
    Mount the volume on your filesystem

    7. sudo chown user.group mnt
    Replace user.group with your appropriate values. This is needed because the filesystem on mnt is owned by root. You will probably need to do this only once.

    Enjoy :)

    (Note: I've tried the above on SUSE Linux, but it should work across all distributions)

  6. Anonymous, 4:01 PM

    THANK YOU! I downloaded the new Truecrypt 4.3a .deb package for my Ubuntu 6.10 and kept getting some kernel module error when trying to actually Truecrypt mount. I followed your instructions, downloaded the Truecrypt source, and it worked like a charm! Great step-by-step walkthrough!

  7. Anonymous, 11:51 PM

    I recently skimmed through all the posts in this blog, and I wanted to let you know that I really appreciate all the good information and hard work you've done here. I particularly like your examinations of Security Now! as I've been listening to that podcast since its inception. You do a very good job of pointing out things that Steve Gibson gets wrong, but you always give him credit when he gets things right, too. You definitely seem to be interested in getting sound answers to computer security questions rather than in making personal attacks. Keep up the good work!

  8. Anonymous, 6:15 AM

    does anybody know if it's possible to mount pre-created ntfs volumes under truecrypt? i use truecrypt under windows, and would like to mount the volume i have there under ubuntu.

    thanks in advance :)

  9. Thank you Sharad Popli for the info. I updated the blog posting.

    In reply to anonymous: it is perfectly possible as long as your linux distribution has the ability to read NTFS partitions.

  10. Anonymous, 7:32 AM

    In reply to anonymous, to mount a pre-created NTFS volume created by Truecrypt under Windows, it is very easy. The tricky part is to make the volume writeable.

    Below is the command I used as a normal user:

    truecrypt -u --filesystem ntfs-3g /dev/sda2 /mnt

    -u switch makes for user mounted options so that you can mount it as a normal user and access it.

    --filesystem ntfs-3g tells Truecrypt to mount it with a writeable NTFS partition because by default NTFS is mounted read-only. Of course you need to have ntfs-3g package installed on your system in order to write to NTFS volumes.

    I hope this helps.

  11. Anonymous, 1:37 AM

    Beautiful thanks! For a newbie using a file on an external USB drive on an Eee I found the following version worked fine:

    truecrypt --filesystem=ntfs-3g D:/{tc filename} /mnt

  12. I have a problem when mounting truecrypt volumes, because after mounting, your chmod doesn't affect the files that are there in the encrypted volume.. Why is this? I'm running TC on FC10

  13. To create an arbitrary FS (i.e. ext2):

    truecrypt -N 1 /path/to/created/volume
    export MKE2FS_SYNC=1
    mkfs.ext2 /dev/mapper/truecrypt1
    truecrypt -d /path/to/created/volume

    See: http://en.gentoo-wiki.com/wiki/TrueCrypt for more information

  14. When using TC 6.2 or newer use:

    truecrypt --filesystem=none /path/image.tc

    mkntfs /dev/mapper/truecrypt1
