Contents
1. Introduction
2. What's Truecrypt and what are its advantages
3. Things to know before to try
4. Using truecrypt
5. Common Problems
6. Conclusion
Introduction
This is just a little guide about using truecrypt. Yeah, I know, there are a lot of guides about truecrypt, so why create another one?
Well, for one, the fact that there are others doesn't mean that they're good.
Second, every guide (about any topic) is written from its author's perception of the content and knowledge, which means it's possible that the way one guide explains something isn't that understandable to others, so another way of describing the same content might be appreciated.
Third, many of the guides about truecrypt in particular are GUI-oriented; this one is not.
This guide isn't perfect and isn't the greatest, but I'll do my best to cover the things that create the most confusion about the tool, and to keep it easy to follow both for those using the tool for the first time and for those who already know it.
For convenience, I'll be using a few terms to define different things: by "virtual volumes" I mean a volume that lives in a file (a reserved chunk of space on a hard drive or a partition), by "real volumes" I mean whole hard drives or partitions, and by "removable volumes" I mean any removable device (like USB hard drives).
What's Truecrypt and what are its advantages
Truecrypt is an open-source tool built with privacy in mind. It's also referred to as disk encryption software and, as of today, it runs on most of the major systems. It works by encrypting the data 'on-the-fly': if I open a music file saved on an encrypted volume, the file is decrypted in RAM as the music player asks for the data, and when saving, the encryption likewise happens in RAM as truecrypt writes the file(s) to the volume. Nothing is ever stored on the volume in the clear.
From paranoids to companies, this is the best tool to use when you want to keep your information away from prying eyes. If you're looking for a solution to keep your things private, this tool will be your best friend for sure!
Truecrypt is loved by many because it has many important features, and this is a list of them:
Portable: Can be used on several of the major operating systems around: Windows, Linux and Mac OS X.
Volume scope: You can encrypt just a portion of a disk or partition by creating a virtual volume, you can encrypt a partition or a hard drive entirely, and you can encrypt removable devices.
Several algorithms: At the time of this writing, Truecrypt supports three encryption algorithms: AES, Twofish and Serpent.
Cascades: Related to the above, one of the best ways to strengthen the encryption is to use two or three algorithms at the same time; this is what's called a cascade, and the available ones are AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES and Twofish-Serpent. Each cipher in the cascade has its own key and every block goes through all of them in turn, so expect throughput to drop with each cipher you add.
Several hashes: Besides the ciphers, truecrypt uses a hash function in the key derivation that turns your password and key files into the key that decrypts the volume header, and in its random number generator. At the time of this writing there are only three hashes available: SHA-1, RIPEMD-160 and Whirlpool (the 5.x releases replaced SHA-1 with SHA-512).
Passwords and key files: Truecrypt is flexible in that you can protect the encrypted volume with only a password, or with a password and key files (or even key files alone, with an empty password). The content of the key files is mixed into the password before the key derivation, and the great thing is that any kind of file, and even entire directories, can be used as a key file, meaning you can use an mp3 or an avi video as your key file. Two caveats: only the first 1,048,576 bytes (1 MiB) of each key file are used, and changing any of those bytes (retagging an mp3 rewrites the beginning of the file, for instance) makes the volume unmountable, so keep a backup copy of your key files somewhere safe.
Interfaces: The tool can be used through a GUI (Graphical User Interface) or from the console, which offers wider portability.
Interactive use: For those who are starting to use the tool, this is the best. Truecrypt enters interactive mode when no parameters are passed on the command line, meaning it asks the user for every piece of information needed to create an encrypted volume, thus avoiding the errors new users tend to make.
Two kinds of volumes: There are normal volumes and hidden volumes. Every volume starts out as a normal one; a hidden volume is created inside the free space of a normal (outer) volume as a way to improve the privacy of the data.
Plausible deniability: Related to the previous point, this is by far one of the greatest advantages of this tool. Since every truecrypt volume, until decrypted, looks like random data (the header is encrypted too, so there is no signature to find), it's not possible to prove from the volume alone that it is a truecrypt volume; and if the outer volume is exposed (someone forces you to hand over its password), it's not possible to tell that there's a hidden volume in it, or to get at the information saved there. Two things to keep in mind: the hidden volume lives in the outer volume's free space, so writing to the outer volume can overwrite it unless you mount the outer volume with hidden-volume protection (the 4.x console has a --protect-hidden option for this; check truecrypt --help for your version); and deniability is only as good as the rest of the system, since recent-file lists, swap, temp files and the like can reveal what you opened from the hidden volume.
You can't deny that there are a lot of advantages in the tool, and best of all, it's free.
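To make concrete what a key file contributes (the "Passwords and key files" point above), here is an added example: my own Python re-implementation of the key file processing described in the TrueCrypt documentation, not TrueCrypt's code, and not checked here against a real volume. It shows the 64-byte pool, the running CRC-32 over the first 1 MiB of each key file, and the pool being added byte-wise to the password. The function names and the constructed sample "key files" are mine.

```python
# Added example: the key file pool algorithm as documented by TrueCrypt,
# re-implemented in Python to show what a key file actually contributes.
# Not TrueCrypt's own code; not verified against a real volume here.

KEYFILE_POOL_SIZE = 64              # the pool is 64 bytes, same as the password limit
KEYFILE_MAX_READ_LEN = 1024 * 1024  # only the first 1 MiB of a key file is used
MAX_PASSWORD_LEN = 64


def _crc32_table():
    """Standard reflected CRC-32 table (polynomial 0xEDB88320)."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC_TABLE = _crc32_table()


def keyfile_pool(*keyfiles):
    """Mix the contents of one or more key files into a 64-byte pool.

    For every byte of each key file the running CRC-32 (initial value
    0xFFFFFFFF, no final inversion) is updated and its four bytes are added
    modulo 256 to the next four pool positions, wrapping at the end of the
    pool. Bytes past KEYFILE_MAX_READ_LEN are ignored. Because everything is
    addition mod 256, the order of the key files does not matter.
    """
    pool = bytearray(KEYFILE_POOL_SIZE)
    for data in keyfiles:
        crc = 0xFFFFFFFF
        pos = 0
        for byte in data[:KEYFILE_MAX_READ_LEN]:
            crc = _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
            pool[pos] = (pool[pos] + (crc >> 24)) & 0xFF
            pool[pos + 1] = (pool[pos + 1] + ((crc >> 16) & 0xFF)) & 0xFF
            pool[pos + 2] = (pool[pos + 2] + ((crc >> 8) & 0xFF)) & 0xFF
            pool[pos + 3] = (pool[pos + 3] + (crc & 0xFF)) & 0xFF
            pos = (pos + 4) % KEYFILE_POOL_SIZE
    return bytes(pool)


def effective_password(password, pool):
    """Combine a password with the key file pool the way TrueCrypt does.

    Each password byte is added modulo 256 to the pool byte at the same
    index; the remaining pool bytes are used as they are. The result, always
    64 bytes long, is what goes into the header key derivation, so an empty
    password plus a key file is simply the pool itself.
    """
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("TrueCrypt passwords are at most 64 bytes")
    out = bytearray(pool)
    for i, b in enumerate(password):
        out[i] = (out[i] + b) & 0xFF
    return bytes(out)


# Constructed sample "key files" (not real media files): a 1 MiB pattern
# standing in for an mp3, the same with junk appended past the 1 MiB mark,
# and the same with its first bytes rewritten, as a retagging tool would.
SAMPLE_MP3 = bytes(range(256)) * 4096
SAMPLE_MP3_WITH_TRAILER = SAMPLE_MP3 + b"ID3v1 tag at the end of the file"
SAMPLE_MP3_RETAGGED = b"ID3" + SAMPLE_MP3[3:]


def keyfile_facts():
    """Return the behaviours a user should know about, as True/False values."""
    base = keyfile_pool(SAMPLE_MP3)
    return {
        "trailer_past_1mib_ignored": keyfile_pool(SAMPLE_MP3_WITH_TRAILER) == base,
        "retagging_changes_key": keyfile_pool(SAMPLE_MP3_RETAGGED) != base,
        "order_does_not_matter": keyfile_pool(b"one", b"two") == keyfile_pool(b"two", b"one"),
        "empty_password_is_pool": effective_password(b"", base) == base,
    }


if __name__ == "__main__":
    for name, value in keyfile_facts().items():
        print(f"{name}: {value}")
```

The practical lessons are in keyfile_facts(): anything written past the first 1 MiB of a key file is irrelevant, anything written inside it changes the key, and with an empty password the pool is the whole secret, so a key file that exists elsewhere (a popular mp3, say) is worth exactly as much as a password someone else knows.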
Things to know before you try
When it comes to Linux systems, you need specific kernel support in order to use truecrypt volumes (not to create them, just to use them), and which support you need depends on the truecrypt version you're using. Right now you could say there are two major versions of the tool in use, 4.x and 5.x; there's also 6.x which, for now, this guide won't cover since it was released one month ago and, to be honest, I haven't tried it. This guide should still be useful for that version; if it isn't, feel free to comment.
Regarding the other two, there's at least one very important difference in their Linux support: 4.x uses the device mapper while 5.x uses FUSE (Filesystem in Userspace). Also, whatever version of truecrypt you're using, you need loop device support in the kernel.
So the first thing to check before you start using truecrypt is that you have the kernel support (built in or as modules, according to the truecrypt version you use):
Device Drivers --> Multiple devices driver support (RAID and LVM) --> Device mapper support (4.x)
File systems --> Filesystem in Userspace support (5.x)
Device Drivers --> Block Devices --> Loopback device support (every version)
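Here's an added example (my own, not part of TrueCrypt) of checking that support on a running system instead of digging through the kernel config: loaded or built-in block drivers show up in /proc/devices ("loop" and "device-mapper"), and FUSE registers itself in /proc/filesystems, so a short script can tell you what's missing for the version you run. The function names and the sample /proc dumps are constructed for the example.

```python
# Added example (not part of TrueCrypt): a preflight check of the kernel
# support described above, read from the /proc interfaces of a running system.
from pathlib import Path

# Constructed /proc dumps used as sample input (shortened from what a real
# kernel prints): /proc/devices lists registered drivers by major number,
# /proc/filesystems lists the filesystems the kernel can mount.
SAMPLE_DEVICES_FULL = """Character devices:
  1 mem
  4 tty
 10 misc

Block devices:
  7 loop
  8 sd
253 device-mapper
"""

SAMPLE_DEVICES_NO_DM_NO_LOOP = """Character devices:
  1 mem
 10 misc

Block devices:
  8 sd
"""

SAMPLE_FILESYSTEMS_WITH_FUSE = """nodev\tsysfs
nodev\tproc
\text3
nodev\tfuse
nodev\tfusectl
"""

SAMPLE_FILESYSTEMS_NO_FUSE = """nodev\tsysfs
nodev\tproc
\text3
"""


def block_devices(devices_text):
    """Names of the block device drivers in a /proc/devices dump."""
    names = set()
    in_block_section = False
    for line in devices_text.splitlines():
        if line.startswith("Block devices"):
            in_block_section = True
        elif line.startswith("Character devices"):
            in_block_section = False
        elif in_block_section:
            parts = line.split()
            if len(parts) == 2 and parts[0].isdigit():
                names.add(parts[1])
    return names


def filesystems(filesystems_text):
    """Filesystem names in a /proc/filesystems dump ('nodev<TAB>fuse' -> 'fuse')."""
    return {line.split()[-1] for line in filesystems_text.splitlines() if line.strip()}


def missing_support(truecrypt_major, devices_text, filesystems_text):
    """Kernel features the given TrueCrypt major version needs but the kernel lacks.

    4.x maps volumes through the device mapper, 5.x (and 6.x) through FUSE,
    and every version needs the loop device. Built-in drivers register in
    /proc just like loaded modules, so the check works for both.
    """
    blk = block_devices(devices_text)
    fs = filesystems(filesystems_text)
    missing = []
    if "loop" not in blk:
        missing.append("loop device")
    if truecrypt_major <= 4 and "device-mapper" not in blk:
        missing.append("device mapper")
    if truecrypt_major >= 5 and "fuse" not in fs:
        missing.append("FUSE")
    return missing


def check_running_kernel(truecrypt_major):
    """Run the check against this machine's /proc."""
    return missing_support(truecrypt_major,
                           Path("/proc/devices").read_text(),
                           Path("/proc/filesystems").read_text())


if __name__ == "__main__":
    import sys
    major = int(sys.argv[1]) if len(sys.argv) > 1 else 4
    gaps = check_running_kernel(major)
    print("ok" if not gaps else "missing: " + ", ".join(gaps))
```

A driver built as a module only appears in /proc once it's loaded, so if the script reports something missing, try modprobe dm_mod, modprobe fuse or modprobe loop first; if it's still missing afterwards, the kernel really lacks it and you're back to the config options above.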
Using truecrypt
If you're starting to use this tool, you need to understand at least how to encrypt what you need to encrypt, and for that you need to understand that there are different scopes and kinds of volumes.
Virtual volumes: Let's say you have a Linux partition at /dev/sda4 with 20GB of space. A virtual volume is just a portion reserved out of a partition (or of a hard drive, if it has no partitions); basically, it's a file of fixed length that you create on the partition or hard drive. On /dev/sda4 a virtual volume could be a single file called private of about 5GB, so you end up with /dev/sda4 as a 20GB partition holding a 5GB file. I call them virtual volumes because every truecrypt volume needs to be mounted and worked with as if it were a disk of its own, so even though it's actually just a file, it's treated as a real disk on your system.
Real volumes: Remember, as I said in the introduction, I use these terms for convenience so you can easily understand how it all works; by real volumes I mean every partition or entire hard drive that's going to be encrypted. For instance, take the above example, a partition called /dev/sda4 of about 20GB: you can encrypt the partition entirely rather than create a file on it, and in the same way, if you have a disk with no partitions at all, you can encrypt it completely. Those are real volumes.
Removable volumes: These are just any kind of removable device where you can save data, like USB hard drives, flash drives and such.
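Whatever the scope, what ends up on the disk is the same: until decrypted, a truecrypt volume is indistinguishable from random bytes, which is what the plausible deniability described earlier rests on. Here is an added example (my own, not TrueCrypt's) of the check an examiner, or you, can run on a file to see whether it looks like that: byte entropy and a chi-square test of the byte histogram, run against a constructed random sample and a constructed text sample. The function names and the thresholds are mine.

```python
# Added example (not TrueCrypt's code): does a file look like random data?
# This is the test an examiner runs on a suspicious file, and the reason a
# truecrypt container passes it while still standing out as "a big file of
# noise with no known format".
import math
import random
from collections import Counter


def byte_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data):
    """Chi-square of the byte histogram against a uniform distribution.

    255 degrees of freedom, so truly random data scores around 255; a much
    larger value means some byte values are clearly favoured over others.
    """
    if not data:
        return 0.0
    n = len(data)
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_like_random(data, min_entropy=7.9, max_chi=360.0):
    """Heuristic verdict: high entropy and a flat histogram (thresholds are mine)."""
    return byte_entropy(data) >= min_entropy and chi_square(data) <= max_chi


def classify(data):
    return "random-looking" if looks_like_random(data) else "structured"


# Constructed samples. A seeded generator stands in for an encrypted volume
# (os.urandom would do, but this keeps the demo reproducible); a block of
# English text stands in for an ordinary document.
_rng = random.Random(20080714)
RANDOM_SAMPLE = _rng.getrandbits(8 * 65536).to_bytes(65536, "little")
TEXT_SAMPLE = b"This is just a little guide about using truecrypt from the console. " * 1000


if __name__ == "__main__":
    for label, sample in (("random", RANDOM_SAMPLE), ("text", TEXT_SAMPLE)):
        print(f"{label}: entropy={byte_entropy(sample):.3f} "
              f"chi2={chi_square(sample):.1f} -> {classify(sample)}")
```

Two caveats on reading the result: compressed and already-encrypted files (zip, jpg, gpg) score just as "random-looking", so a high score only marks a candidate, not a truecrypt volume; and the flip side of deniability is that a multi-gigabyte file of pure noise with no recognisable header is itself something an examiner will ask you about. Deniability covers what's inside the volume, not the fact that the file exists.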
Every truecrypt volume has a path (like /media/sda4/private for a virtual volume, or /dev/sda4 for a real one) which then gets mapped to a device in /dev; with 4.x the mapping is /dev/mapper/truecryptN. This path is where the truecrypt volume lives and it's required in order to create the volume. To use the volume, besides the path, you need a mount point (like /mnt/something or /media/data); this only comes into play once the truecrypt volume has been created and mapped to a device in /dev, and it's where you actually save or access the data in the truecrypt volume. No worries if you don't get this yet, you'll understand it later.
As I said before, this guide is about using truecrypt from the console on Linux systems; for a guide to the graphical interface please refer to the official user's guide:
http://www.truecrypt.org/docs/tutorial.php
From the command line, truecrypt has many parameters you can use to create and mount your volumes. I won't cover every possible use of them, so check all the options available with:
root@root [~]# truecrypt --help
Interactive mode, where truecrypt asks you for everything it needs, is what you get with no parameters at all, or explicitly with:
root@root [~]# truecrypt --interactive
At the other extreme, you can give everything on the command line, for instance the password and the path of the volume to create:
root@root [~]# truecrypt --password uid0R00t123 --create /media/hda3/private
One thing to know before you get into that habit: a password given with --password ends up in your shell history and is visible in the process list (ps) to every user on the box while the command runs. Unless you're scripting, leave --password out and type it at the prompt; the examples below show the flag so you can see the syntax.
Moving on, using truecrypt is incredibly easy, mostly thanks to the interactive mode. From here on I'll show several ways of using the tool to better fit your needs; feel free to ask or add whatever you think will improve this guide. For convenience, I'll be using two example disks: one is a partition, /dev/hda2, mounted on /media/data, and the other is a second disk whose partition /dev/sda1 I'll encrypt whole and mount on /media/mydisk.
Create a volume called 'private' on /dev/hda2 (truecrypt asks for everything else: size, cipher, hash, filesystem and password):
root@root [~]# truecrypt --create /media/data/private
The same, giving the password on the command line:
root@root [~]# truecrypt --password uid0R00t123 --create /media/data/private
Choose the cipher, Twofish here:
root@root [~]# truecrypt --password uid0R00t123 --encryption Twofish --create /media/data/private
Use a key file alone, with an empty password (the empty quotes matter, otherwise you're asked for one):
root@root [~]# truecrypt --password '' --keyfile /home/rootsec/logo.jpg --create /media/data/private
Use a password plus every file in a directory as key files, and a three-cipher cascade:
root@root [~]# truecrypt --password uid0R00t123 --keyfile /home/rootsec/documents --encryption AES-Twofish-Serpent --create /media/data/private
Use a movie as the key file, a two-cipher cascade and SHA-1 as the hash:
root@root [~]# truecrypt --password uid0R00t123 --keyfile /home/rootsec/mymovie.mpg --encryption Twofish-Serpent --hash SHA-1 --create /media/data/private
If you'd rather not rely on a file you already have, generate a key file filled with random data, using RIPEMD-160 as the hash:
root@root [~]# truecrypt --hash RIPEMD-160 --keyfile-create /home/rootsec/useme
Add that key file to an existing volume (this rewrites the volume header, which is what --change does; you're asked for the current password and key files):
root@root [~]# truecrypt --keyfile-add /home/rootsec/useme --change /media/data/private
Create the volume already formatted with ext3 instead of being asked for a filesystem:
root@root [~]# truecrypt --filesystem ext3 --create /media/data/private
Use a file as the source of random data for the keys:
root@root [~]# truecrypt --password uid0R00t123 --random-source /home/rootsec/drums.mp3 --create /media/data/private
(Be careful with this one: the master key is derived from what the random source provides, so it must be something nobody else can reproduce, which is why truecrypt reads the kernel's random device by default. An mp3 you downloaded is not a secret, and whoever has the same file has a head start on your key. Leave this option alone unless you have a hardware random number generator to point it at.)
Mount the volume on /media/mystuff (you're asked for the password and key files):
root@root [~]# truecrypt /media/data/private /media/mystuff
Mount it read-only:
root@root [~]# truecrypt --mount-options ro /media/data/private /media/mystuff
Create a volume of a fixed size, 200MB here:
root@root [~]# truecrypt --size 200MB --create /media/data/private
Create a hidden volume: first create the outer (normal) volume, here on the whole partition /dev/sda1 (note that you give truecrypt the device itself, not the /media/mydisk mount point, and that everything currently on the partition is lost), then create the hidden volume inside it, with a size that fits in the outer volume's free space:
root@root [~]# truecrypt --create /dev/sda1
root@root [~]# truecrypt --type hidden --size 2GB --create /dev/sda1
Use a different password for the hidden volume; that password is what tells truecrypt which of the two to mount. Whenever you later mount the outer volume to write to it, mount it with hidden-volume protection (see --help for the option in your version), or the new data can land on top of the hidden volume and destroy it.
Every truecrypt volume is mapped to /dev/mapper/truecryptN, where 'N' is a number starting from 0 and assigned by availability: say you map one truecrypt volume, it gets /dev/mapper/truecrypt0; map another and it gets /dev/mapper/truecrypt1, then /dev/mapper/truecrypt2 and so on. You can pick the number yourself to avoid the automatic assignment, which is useful when you have several truecrypt volumes and need to know which is which:
root@root [~]# truecrypt --device-number 10 --create /media/data/private
Change a volume: imagine you created the volume private with 10GB of space but now you see you don't need it that big. A truecrypt volume can't be resized in place, so the way to shrink it is to create a new 5GB volume, mount both, copy the data across and delete the old one. What --change does change is the volume header: the password, the key files and the hash. To give 'private' a new password (truecrypt prompts for whatever it isn't given on the command line, and it's safest to leave --password out entirely and answer the prompts):
root@root [~]# truecrypt --password 1234uid0R00t --change /media/data/private
List the mapped volumes (which /dev/mapper/truecryptN is which, and where each is mounted):
root@root [~]# truecrypt --list
Dismount one volume:
root@root [~]# truecrypt --dismount /media/data/private
Dismount every mounted truecrypt volume:
root@root [~]# truecrypt --dismount
Show a volume's properties (cipher, hash, size, type):
root@root [~]# truecrypt --properties /media/data/private
Delete a virtual volume: dismount it first, then remove the container file, and with it every byte of data inside (for a real volume there's nothing to remove; you just reformat the device):
root@root [~]# rm /media/data/private
Finally, if you want to save or access data in a truecrypt volume, all you have to do is mount it and work on the mount point. For instance, if I created the volume 'private' and mounted it on /media/mystuff, all I need to do in order to save my information in the encrypted volume is to copy (or move) the data to /media/mystuff; when I'm done, I dismount it, and the data is only reachable again with the password and key files.
Common problems
There are several common problems while using truecrypt, and most of them come down to missing kernel support, but for completeness, these are the most common errors:
- Mount failed: Yeah, this is all you'll see while trying to mount the volume. This error is caused by device mapper support or FUSE (depending on the truecrypt version used) not being active.
- Wrong FS: So you're going to mount the volume and it shows:
mount: wrong fs type, bad option, bad superblock on /dev/mapper/truecrypt0,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail or so
This means the mapped device holds no filesystem the kernel can mount, typically because the volume was created without one (or with one your kernel doesn't support). The fix is to map the volume without mounting it (give truecrypt the volume path but no mount point), put a filesystem on the mapped device, then dismount it and mount it again the usual way:
root@root [~]# truecrypt --device-number 20 /media/data/private && mkreiserfs /dev/mapper/truecrypt20
The '--device-number' option is optional; I used it because it's better if you want to control which device you're going to format (mkreiserfs on the wrong /dev/mapper/truecryptN wipes a different volume).
- No free loopback device available: This error comes from the lack of loop device support in the kernel (Device Drivers --> Block Devices --> Loopback device support).
Conclusion
So we've come to the end of this guide. I hope you liked it; I tried to be as specific as I could and to reach both those who know the tool and those who don't. However, this is not a strict guide, meaning you can discuss it, share it, provide more examples of use, flame it and say it's completely wrong, or anything you like.