Using truecrypt-installer to help install Truecrypt for Debian

Update: The project page hub for latest utilities is at Freshmeat. Report bugs to Launchpad. Note: the utilities are for version 4.3a. No other version can be supported because in later versions the original software was rewritten to use different kernel interaction.

Truecrypt(R) is an Open Source disk encryption software which uses a concept of containers to store encrypted data. The nice thing about it is that the containers (or volumes) can be read transparently under Linux and Windows. Here are step by step instructions how to get the encryption software running with minimum of effort.

Last time we talked about a patch to make truecrypt 4.2a to support later kernel versions. The follow-up article guided you through manual process of converting Truecrypt sources into *.deb packages.

But we can do even better.

The original software's v4.3a license does not seem to comply with the Debian Free Software Guidelines (DFSG, see keyword free), so it cannot be directly packaged for Debian or distributed by official Debian repositories. To help this, I wrote couple of utilities to take care of downloading the sources, assembling build structure with bzr and producing the packages.

Instead of manually creating Debian packages here we see how couple of utilities can simplify things.

PREPARATIONS FOR THE BUILD PROCESS

At the time of writing (2007-03-07) the utilities did not try to handle kernel source install or configuring kernel sources, so few preparation steps were necessary. The latest utilities at Freshmeat project handle package dependencies better and these steps are not needed.

1) Install linux-source-* and linux-kbuild-* packages that match currently running kernel.

$ apt-cache search 'linux-source|linux-kbuild'
$ KVER=$(uname -r | sed 's/-.*//')             # 2.6.NN
$ apt-get install linux-source-$KVER linux-kbuild-$KVER

2) Prepare the Linux kernel. Copy the existing .config file to the kernel directory.

$ cd /usr/src
$ tar -jxf linux-source-$KVER*.bz2
$ cd /usr/src/linux-source-$KVER
$ cp /boot/config-$(uname -r) .
$ make oldconfig prepare scripts

USING THE UTILITIES

After completing preparations above, install the tc-installer package from Launchpad project. The first command satisfies the dependencies and in case of problems, it asks helps with -f option. You could also use the now recommended aptitude command in place of apt-get.

$ apt-get install bzr python-celementtree libncurses5-dev gcc-4.1 debhelper devscripts dpatch ||
  apt-get -f install
$ dpkg -i tc-installer*.deb

Start the source downloader:

$ tc-download

3) Build the Debian packages:

$ tc-dpkg --auto [--install]

4) In case --install option was not used, install the packages by hand. The order is important, kernel module first, and the rest after that:

 $ dpkg -i /usr/src/tc-{modules-linux,modules-modprobe,doc,cli}*.deb

The *modules-modprobe*.deb package takes care of configuring kernel module to be loaded at boot by modifying /etc/modules. It also activates the module immediately. You can check the current status with lsmod. As long as you see truecrypt everything is good, the other modules that are listed vary from kernel to kernel:

$ lsmod | grep truecrypt
truecrypt             148452  0
dm_mod                 50232  4 truecrypt,dm_snapshot,dm_mirror,dm_crypt

UPGRADES

After performing a kernel upgrade, the steps to repeat are:

• Install new kernel, boot to it.
• Get kernel sources and prepare them (repeat steps 1 and 2). The tc-dpkg option --auto will do this for you.
• Build new *.deb packages (step 3)
• Install new *.deb packages for the kernel (step 4). The tc-dpkg option --install will do this for you.

THE ENCRYPTED CONTAINERS

Update: In latest utilities the commands below have been implemented in separate program. You can simply run tc-create [--size SIZE[KMG]] <container name>.tc. Command tc-fsck can be used to check container's filesystem.

The following is just a crash course and you should read the manual to understand what all the options and commands do.

We make ext3 filesystem inside the container, because it preserves file attributes and gives portability to windows. If you only store data and do not care about proper permissions, the FAT might be easier route (you can skip 2).

1) Create 500M container which fits on standard CD-RW. The twofish is relatively fast compared to AES-256; on the other hand AES is relatively stronger -- but then again a proper password will compensate this. As encryption is quite CPU intensive, the AES would require more muscles to crunch bits.

$ truecrypt --encryption Twofish \
  --hash RIPEMD-160 \
  --type normal \
  --keyfile "" \
  --size 500M \
  --create test.tc

Filesystem:
     1) FAT
     2) None
     Select [1]: 2

2) Create filesystem inside the container. You Must be ROOT to create filesystem. Basicly the commands map the container through devmapper temporarily and then release it when filesystem has been made.

$ su - root
$ truecrypt -N 9 test.tc      # Pick free number: ls -1 /dev/mapper/
$ ls -l /dev/mapper/true*     # You see truecrypt9
$ mkfs -t ext3 /dev/mapper/truecrypt9
$ truecrypt --dismount /dev/mapper/truecrypt9

3) Mount the container and use it as usual and enjoy the encryption software which keeps your data safe.

$ mkdir mountpoint
$ truecrypt test.tc mountpoint
Password: .......

DISCLAIMER

acronym: R = Registered Trademark

Truecrypt is registered trademark of David Tesarik (Czech Republic, Parague); See World Intellectual Property Organization registration number: IRN/925625 http://www.wipo.int/ipdl/en. This page or presented tc-* programs are not sponsored by and have no association with The Truecrypt Foundation which is the legal entity of the Truecrypt disk encryption software.