Posted by jaalto on Fri 9 Mar 2007 at 13:56
Update: The project page hub for the latest utilities is at Freshmeat. Report bugs to Launchpad. Note: the utilities are for version 4.3a. No other version can be supported because in later versions the original software was rewritten to use different kernel interaction.
Truecrypt(R) is Open Source disk encryption software that uses the concept of containers to store encrypted data. The nice thing about it is that the containers (or volumes) can be read transparently under Linux and Windows. Here are step-by-step instructions on how to get the encryption software running with a minimum of effort.
Last time we talked about a patch to make truecrypt 4.2a support later kernel versions. The follow-up article guided you through the manual process of converting Truecrypt sources into *.deb packages.
But we can do even better.
The original software's v4.3a license does not seem to comply with the Debian Free Software Guidelines (DFSG, see keyword free), so it cannot be directly packaged for Debian or distributed by official Debian repositories. To help with this, I wrote a couple of utilities to take care of downloading the sources, assembling the build structure with bzr and producing the packages.
Instead of manually creating Debian packages, here we see how a couple of utilities can simplify things.
PREPARATIONS FOR THE BUILD PROCESS
At the time of writing (2007-03-07) the utilities did not try to handle kernel source install or configuring kernel sources, so a few preparation steps were necessary. The latest utilities at the Freshmeat project handle package dependencies better and these steps are not needed.
1) Install the linux-source-* and linux-kbuild-* packages that match the currently running kernel.
$ apt-cache search 'linux-source|linux-kbuild'
$ KVER=$(uname -r | sed 's/-.*//')   # 2.6.NN
$ apt-get install linux-source-$KVER linux-kbuild-$KVER
2) Prepare the Linux kernel. Copy the existing .config file to the kernel directory.
$ cd /usr/src
$ tar -jxf linux-source-$KVER*.bz2
$ cd /usr/src/linux-source-$KVER
$ cp /boot/config-$(uname -r) .
$ make oldconfig prepare scripts
USING THE UTILITIES
1) After completing the preparations above, install the tc-installer package from the Launchpad project. The first command satisfies the dependencies and, in case of problems, falls back to apt-get with the -f option. You could also use the now recommended aptitude command in place of apt-get.
$ apt-get install bzr python-celementtree libncurses5-dev gcc-4.1 debhelper devscripts dpatch || apt-get -f install
$ dpkg -i tc-installer*.deb
2) Start the source downloader:
$ tc-download
3) Build the Debian packages:
$ tc-dpkg --auto [--install]
4) In case --install option was not used, install the packages by hand. The order is important, kernel module first, and the rest after that:
$ dpkg -i /usr/src/tc-{modules-linux,modules-modprobe,doc,cli}*.deb
The *modules-modprobe*.deb package takes care of configuring the kernel module to be loaded at boot by modifying /etc/modules. It also activates the module immediately. You can check the current status with lsmod. As long as you see truecrypt everything is good; the other modules that are listed vary from kernel to kernel:
$ lsmod | grep truecrypt
truecrypt 148452 0
dm_mod 50232 4 truecrypt,dm_snapshot,dm_mirror,dm_crypt
UPGRADES
After performing a kernel upgrade, the steps to repeat are:
THE ENCRYPTED CONTAINERS
Update: In the latest utilities the commands below have been implemented in a separate program. You can simply run tc-create [--size SIZE[KMG]] <container name>.tc. The command tc-fsck can be used to check the container's filesystem.
The following is just a crash course and you should read the manual to understand what all the options and commands do.
We make an ext3 filesystem inside the container, because it preserves file attributes and gives portability to Windows. If you only store data and do not care about proper permissions, FAT might be the easier route (you can skip step 2).
1) Create a 500M container, which fits on a standard CD-RW. Twofish is relatively fast compared to AES-256; on the other hand AES is relatively stronger -- but then again a proper password will compensate for this. As encryption is quite CPU intensive, AES would require more muscle to crunch the bits.
$ truecrypt --encryption Twofish \
    --hash RIPEMD-160 \
    --type normal \
    --keyfile "" \
    --size 500M \
    --create test.tc
Filesystem:
 1) FAT
 2) None
Select [1]: 2
2) Create a filesystem inside the container. You must be root to create the filesystem. Basically the commands map the container through devmapper temporarily and then release it when the filesystem has been made.
$ su - root
$ truecrypt -N 9 test.tc                 # Pick free number: ls -1 /dev/mapper/
$ ls -l /dev/mapper/true*                # You see truecrypt9
$ mkfs -t ext3 /dev/mapper/truecrypt9
$ truecrypt --dismount /dev/mapper/truecrypt9
3) Mount the container and use it as usual and enjoy the encryption software which keeps your data safe.
$ mkdir mountpoint
$ truecrypt test.tc mountpoint
Password: .......
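Step 2 scripted so that the device-mapper mapping is released even when mkfs fails (an added example, not part of the original article or of the tc-* utilities). The function names, the MAPPER_DIR and DRY_RUN variables and starting the search at number 0 are assumptions; only the truecrypt options shown in the steps above are used.

```shell
#!/bin/sh
# Added example, not part of the tc-* utilities. Helper names, MAPPER_DIR,
# DRY_RUN and starting the slot search at 0 are assumptions.
# Run as root, as step 2 requires.

MAPPER_DIR=${MAPPER_DIR:-/dev/mapper}

# Print the lowest N for which $MAPPER_DIR/truecryptN does not exist yet.
free_tc_slot() {
    n=0
    while [ -e "$MAPPER_DIR/truecrypt$n" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Map the container, create ext3 inside it, then always release the mapping.
# Returns 0 on success, 2 for a missing container, 3 if mapping failed,
# 4 if the dismount failed, otherwise the exit status of mkfs.
make_ext3_in_container() {
    container=$1
    if [ ! -f "$container" ]; then
        echo "no such container: $container" >&2
        return 2
    fi
    slot=$(free_tc_slot)
    dev="$MAPPER_DIR/truecrypt$slot"
    run truecrypt -N "$slot" "$container" || return 3
    status=0
    run mkfs -t ext3 "$dev" || status=$?
    # Dismount even when mkfs failed, so that the decrypted device
    # does not stay mapped and readable after the script ends.
    run truecrypt --dismount "$dev" || status=4
    return "$status"
}

# Usage: make_ext3_in_container test.tc
```

Setting DRY_RUN=1 prints the three commands instead of running them, which is a quick way to see which device number would be picked.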
DISCLAIMER
acronym: R = Registered Trademark
Truecrypt is a registered trademark of David Tesarik (Czech Republic, Prague); see World Intellectual Property Organization registration number: IRN/925625 http://www.wipo.int/ipdl/en. This page and the presented tc-* programs are not sponsored by and have no association with The Truecrypt Foundation, which is the legal entity of the Truecrypt disk encryption software.
$ truecrypt-dpkg
It will automatically check and install new updates to the build process
-- Jari Aalto
[ Parent ]
Isn't it great how many things get fixed after you get more users?!
[ Parent ]
1) Kernel module
2) modprobe module
3) ...and the rest
A message has been added to clarify this in the latest release. In addition, the current truecrypt-installer includes new options --auto and --install, which completely eliminate the "preparation steps".
-- Jari Aalto
[ Parent ]
# chmod 4755 $(which truecrypt)
[ Parent ]
1) the running kernel is 2.6.18-3-686
2) but headers for that particular kernel can no longer be downloaded.
To remedy:
1) install new kernel
2) install new kernel headers
3) boot to new kernel
... and build as usual:
# truecrypt-dpkg -a
This is a similar situation to what the topic "UPGRADES" describes in the article. The running kernel must match the headers in order for truecrypt compilation to succeed.
Thanks, I'll try to clarify the error message in the next revision.
-- Jari Aalto
[ Parent ]
Then again using encrypted partitions of size of several 100G's; the only practical file system is a journaled one.
Having said that, I use ext3 everywhere and have had need for several hard resets (pushing the reset button). So far no data loss. This doesn't mean that it couldn't happen, but I have begun to build solid confidence towards ext3.
-- Jari Aalto
[ Parent ]
truecrypt: Unknown symbol destroy_workqueue
-- Jari Aalto
[ Parent ]
dmsetup
The order of the installation of the produced *.deb packages was shown in the messages at the screen after successful compilation, namely:
modules-linux, modules-modprobe, cli, doc
-- Jari Aalto
[ Parent ]
http_proxy=http://user:password@host:port
-- Jari Aalto
[ Parent ]
[WARN] Not a supported kernel version. 2.6.21-2-k7 > 2.6.20
/bin/sh: line 3: return: can only `return' from a function or sourced script
make: *** [kernel-version] Error 1
debuild: fatal error at line 1228: debian/rules build failed
[ Parent ]
truecrypt-installer --auto
[ Parent ]
tc-dpkg --auto
(The names of the binaries have changed in recent releases from truecrypt-* to tc-*). In future, please report problems to:
https://bugs.launchpad.net/truecrypt-installer/
The current project page (hub) is at:
http://freshmeat.net/projects/truecrypt-installer
Jari
[ Parent ]
Further correspondence is continued in https://bugs.launchpad.net/truecrypt-installer/+bug/257513
-- Jari Aalto
[ Parent ]
./truecrypt-dpkg: line 154: cd: /usr/src/truecrypt-4.2a/debian: No such file or directory
wait, getting debin/ control directory (bzr)
bzr: ERROR: Target directory "debian" already exists.
It's not my first try, so the "already exists" error is probably nothing. But there is no dir "/usr/src/truecrypt-4.2a/debian" - however one was created in my working directory - if my working dir is /usr/src/truecrypt-4.2a/ it works.
[ Parent ]