TrueCrypt Tutorial: Truly Portable Data Encryption

[ Wednesday, 23 May 2007, lipiec ]



In the previous article I described the program Cryptsetup, which enables you to efficiently encrypt your data. Somebody would ask: “So what is the reason for wasting time describing the same thing using different software?”. My answer is: “Because I want to give users the choice so that everyone can decide which program they want to use.” Moreover TrueCrypt is way easier, which you will be able to see as we work with it. If you are interested in discovering the wonderful abilities of this program, I invite you to read further.

A short presentation of the program’s functions

TrueCrypt is a free software that encrypts data “on-the-fly”. Right now the newest version released is version 4.3. You can create an encrypted hard drive, a separate partition or a directory with TrueCrypt. It doesn’t encrypt simply the content of files but their names and the names of the directories they are in as well. Moreover there is no way to check the size of the encrypted directory/HDD/partition. TrueCrypt is available for Windows and Linux.

Advantages of TrueCrypt:

  • creates encrypted hard drive and mounts it,
  • encrypts an entire drive, selected partition/directory and even USB flash drive,
  • encryption is automatic, on-the-fly and transparent for user
  • there is no way to check the size of the encrypted partition/directory,
  • uses such encryption algorithms as : AES-256, Serpent, Twofish,
  • enables the creation of a hidden volume,
  • in use you can’t distinguish between the created volume and common data,
  • it is very simple to use,
  • the virtual drives created with TrueCrypt are completely independent of the operating system,
  • authorization keys can be held on a USB stick.
  • and much more…

There are three ways to secure the encrypted data:

  • with a password,
  • with a special key,
  • with both a password and a key.

What is this key? The key can be any file from your hard drive e.g.: *.avi, *.mpg or *.txt and even a whole directory containing a few files. Warning! Be careful using *.txt file as the key because if you modify it, the key will change and you won’t be able to decrypt your data. What happens when you lose your key? You will never recover your data! That’s why I suggest using both, the key and the password as the best way. In this case if you lose your key you can change it by entering the right password, and vice versa. Naturally, there is no ideal solution because you can forget your password and lose your key at the same time.

A short comparison of TrueCrypt and DM-Crypt

In fact it is very difficult to say which of these programs is better. After a laborious review of the descriptions of their options and deliberations on both, I realized that the best solution would be combining the pair of them. They both enable you to create a so-called “container” which is an encrypted file that works like a directory in which you can store your private files (a very useful feature when you don’t want to encrypt the entire partition). The great advantage of these programs is that they can encrypt data while burning them on a CD/DVD. A slight disadvantage of TrueCrypt can be that after reloading the kernel you may have to install the TrueCrypt module again. On the other hand — in TrueCrypt you can simultaneously use different encryption algorithms! It also runs under Windows so if you use both systems TrueCrypt will be a better choice.

How to choose the best key?

Personally I don’t recommend choosing any file or directory from your hard drive as a key. The best way will be using a special key generator built-in to TrueCrypt. RNG – Random Number Generator – is the feature, it creates some random data with a maximum size of 320 bytes and saves this to a previously chosen file. How is random data generated? If it is Linux, RNG uses /dev/random or /dev/urandom that represents all of the noise generated by devices plugged to your PC, such as the mouse and keyboard.

How does TrueCrypt work?

The entire encryption process is transparent to the user. When copying a file to the encrypted drive, its constituent fragments (if it is a big file such as a movie) are copied to RAM then encrypted and saved to the destination file. The decryption process is the same. First the file, by fragments, is decrypted to RAM and next is passed on to a user. TrueCrypt never saves unencrypted data to the drive, encrypted data is always stored in RAM. This is a very secure method that prevents accidental access to your files.

TrueCrypt download

The newest version of the program you will always find on http://www.truecrypt.org. TrueCrypt needs a tool called dmsetup to work correctly. Dmsetup is a tool enabling you to work with logical drives mapped with the device-mapper driver. The newest version of dmsetup is available on http://sources.redhat.com/dm/. The first thing you have to do after downloading the source is to install dmsetup:

tar -zxvf device-mapper.your_version_no
cd device-mapper.your_version_no
./configure
make
make install (as root or sudo)

If everything has gone well, try to install TrueCrypt:

tar -zxvf truecrypt-your_version_no
cd truecrypt-your_version_no

Enter linux directory and install:

cd linux
./build.sh

Checking build requirements...
Building kernel module... Done.
Building truecrypt... Done.

First the script will check if your system fulfills all the requirements, it will prompt with information if it is not able to find the location of a package. Warning! To install TrueCrypt properly you have to have a kernel 2.6.5 or newer.

Next you run:

./install.sh (as root or sudo)

Checking installation requirements...
Testing truecrypt... Done.

Install binaries to [/usr/bin]:    press [Enter]
Install man page to [/usr/share/man]:  press [Enter]
Install user guide and kernel module to [/usr/share/truecrypt]:  [Enter] 
Allow non-admin users to run TrueCrypt [y/N]:
 to allow non-root users to use TrueCrypt press [y] else [N]
Installing kernel module... Done.
Installing truecrypt to /usr/bin... Done.
Installing man page to /usr/share/man/man1... Done.
Installing user guide to /usr/share/truecrypt/doc... Done.
installing backup kernel module to /usr/share/truecrypt/kernel... Done.

If everything proceeded as above you can continue.

The key generation

To generate a key type:

truecrypt -- keyfile-create key.txt
Of course you can choose another keyname, and the extension.
Is your mouse connected directly to the computer where TrueCrypt is running?
Press "Y", then you will be prompted to move your mouse :) 

If everything was OK, the following text will be displayed: Keyfile created.

The virtual volume creation

To create a new volume you have to consider its name and type. There are only two types of such volume: normal and hidden. What is the difference between them? The hidden is just that, hidden :D (the placement is different – more info on TrueCrypt homepage).

In a terminal type:

truecrypt -c home.txt

You create a volume named home.txt. The extension is at the user's
 discretion, I've chosen *.txt, because it is more difficult for 
a potential hacker to discover that it is a volume 

Volume type:
 1) Normal
 2) Hidden 
Select [1]: select 1 

Filesystem:
 1) FAT
 2) None
 Select [1]: select 2, because you will create other filesystem than FAT 
on your volume, default is FAT 

Enter volume size (bytes - size/sizeK/sizeM/sizeG): 10M -
 now you state a size for your volume, I have chosen 10 MB

 Hash algorithm:
 1) RIPEMD-160
 2) SHA-1
 3) Whirlpool
 Select [1]:  choose hash, I suggest SHA-1, default is RIPEMD-160 

Encryption algorithm:
 1 ) AES
 2 ) Blowfish
 3 ) CAST5
 4 ) Serpent
 5 ) Triple DES
 6 ) Twofish
 7 ) AES-Twofish
 8 ) AES-Twofish-Serpent
 9 ) Serpent-AES
10 ) Serpent-Twofish-AES
11 ) Twofish-Serpent Select [1]:  choose the algorithm, default is AES 

Enter password for new volume 'home.txt':
 press [Enter] if you don't want any password 
Re-enter password:  press [Enter] again 

Enter keyfile path [none]: here enter a full path to the key or 
leave empty if you don't have any key
 Enter keyfile path [finish]: you will be prompt again to enter 
the path. In case you have more than one key type another path, and 
if you have entered all the keypaths, leave empty and press [Enter]

 TrueCrypt will now collect random data. 

Is your mouse connected directly to the computer where TrueCrypt is running?
Press "Y" if your mouse is directly connected to your PC, 
but try pressing "n" and see what happens 

Please type at least 320 randomly chosen characters and then press Enter:  

if you enter fewer than required the program will show you 
how many are missing

Now the program will start to create your volume. The time needed for this operation depends on your CPU and the size of the volume. The script will let you know when it is complete (“Volume created”). In root’s home directory there should be a file “home.txt”. You can try to open it in a text processor, my congratulations if you manage to read anything from it.

Volume mapping and creation of the filesystem.

As you remember you didn’t choose the filesystem for your volume during the creation process. That’s why you have to do it now. This is required because TrueCrypt uses the linux tool mount to mount a volume which needs to be passed a filesystem as an option.

Enter:

truecrypt /root/home.txt -k /root/key 
Enter password for '/root/home.txt': 
if there is no password to this volume just press [Enter]

OK. To check if mapping has gone well type:

truecrypt -vl shows info about mapped devices

.

If there is no info, it means that something has gone wrong.

Now you create a filesystem:

mkfs.ext3 /dev/mapper/truecrypt0 you can choose any filesystem
The filesystem has been created.

Mounting created volumes

Now when you have created a filesystem on your volume and mapped it, you can mount it to any directory.

To do this type:

truecrypt -d /dev/mapper/truecrypt0
 unmaps the volume
mkdir encrypted -
creates a directory named "encrypted", this is the directory where you are 
going to mount the volume
 truecrypt /root/home.txt -k /root/key /root/encrypted 
mounts volume to encrypted directories

Done! From now on all data saved in "encrypted" directory will be encrypted.

But what should you do to encrypt an already existing directory? This is very simple. Just move data from this directory then mount volume to this directory and move the data back to this directory. Remember to make the volume suitably large when stating its size, because otherwise it won't accomodate all the data. The size of volume should be a little bit larger than the size of the directory.

Automatic mounting after the reboot.

As you will discover, after a reboot you will have to mount the volume again. There is a simple way to do it. Browsing a forum on TrueCrypt homepage I picked up on two different solutions:

  • adding a script to /etc/init.d or /etc/rc.d,
  • create in the home directory a configuration file named .profile and edit it properly.

I suggest you to use the second way which I describe below. Why? There is one simple reason. Let's say you secured the volume with a key and a password or even only with a password. In this case running boot scripts placed in init.d or rc.d directories you will have to init TrueCrypt with parameter -p and the password would be explicitly written there, which isn't the smartest solution. This way anyone could read your password.

Maybe there is already a file .profile in your home directory, but if not:

touch .profile - creates a new file .profile

Open .profile in an editor and add the following line: truecrypt /root/home.txt -k /root/key /root/encrypted
Save changes and leave the editor. Now, for each time you log in to the system, TrueCrypt will prompt for your password (which you don't have because in this example you are identified only by the key, so just press [Enter]) and the virtual volume will be mounted.

Can I hold the key on a pendrive/USB stick?

Yes, there is such an option, and you can believe me it's not that difficult. The first thing you have to do is to automatically mount the USB drive at startup. To do this you have to edit /etc/fstab. Then create a new directory for the pendrive in /mnt:

mkdir /mnt/pendrive

At first you have to see where the pendrive is in the system. Stick the pendrive into the USB port and run the following command: dmesg > output.txt. At the end of the file there should be a line like this:

usb 1-1: configuration #1 chosen from 1 choice
  uba: uba1

As you can see in my PC the USB drive is at /dev/uba1. You may have it at /dev/sda*.
Now you have to modify /etc/fstab. Add this line:

/dev/uba1  /mnt/pendrive  auto  defaults  0  0

Then type:

mount /mnt/pendrive

Next step is to move the key to the USB drive and change the line in your .profile file containing the path to the key /mnt/pendrive. Done!
Now the system mounts the virtual volume after the reboot automatically. What are the disadvantages of the automatic mounting? Let's say you have a very curious sibling and you don't want them to have access to some parts of your system (regardless of working on Windows or Linux). If you authorize with only the key, and it is placed somewhere on the HDD, then after boot the data is decrypted. "But I hold my key on the USB drive". What if you forget to take it out of the PC after work?

The future

In the near future the developers of TrueCrypt are planning to extend its features:

  • the MAC OS version,
  • adding an exterior authorization (so there will be the possibility of decryption over the network/Internet),
  • building an official GUI for TrueCrypt,
  • and much more...

Are there any unofficial GUI layers for TrueCrypt? Of course there are. I suggest you have a look at the following web page: TruecryptGUI at GoogleCode. For more information visit the TrueCrypt forum.

Proof-reading: chaddy (big thanks!)

Subscribe to RSS feed for this article!

27 Comments

fold this thread Disposable Guy  Sunday, 27 May 2007 o godz. 8:44 am #  Add karma Subtract karma  +0

nice piece of software.

(Comments wont nest below this level)
 
fold this thread Keith  Sunday, 27 May 2007 o godz. 10:35 am #  Add karma Subtract karma  +0

Thanks for the nice tutorial on using TrueCrypt to protect data. It is a very easy-to-follow instruction.

(Comments wont nest below this level)
 
fold this thread Poromenos  Sunday, 27 May 2007 o godz. 4:54 pm #  Add karma Subtract karma  +3

I must note that your claim that you can use the keyfile when you forget the password and vice-versa is rather misleading, and could lead to disastrous results. TrueCrypt needs BOTH the keyfile AND the password to unlock the volume (that’s done to protect against keyloggers), so if you lose one of the two, you can’t decrypt it.

This actually doubles your chances of losing the key to the volume, instead of halving them, in exchange for better security.

(Comments wont nest below this level)
fold this thread Joe  Saturday, 21 March 2009 o godz. 12:48 am #  Add karma Subtract karma  +0

I caught this error too. You need BOTH or you are screwed.

 
fold this thread kallekall  Thursday, 2 July 2009 o godz. 10:15 am #  Add karma Subtract karma  +0

If one needs both the key and the password, should he not also remove this: “In this case if you lose your key you can change it by entering the right password, and vice versa.”?

 
 
fold this thread mistake  Sunday, 27 May 2007 o godz. 5:10 pm #  Add karma Subtract karma  --1

http://forums.truecrypt.org/
you forgot the ‘s’ in forums

(Comments wont nest below this level)
 
fold this thread michuk  Sunday, 27 May 2007 o godz. 6:36 pm #  Add karma Subtract karma  --1

http://forums.truecrypt.org/
you forgot the ’s’ in forums

Thanks a lot. Corrected.

(Comments wont nest below this level)
 
fold this thread lipiec  Monday, 28 May 2007 o godz. 2:33 pm #  Add karma Subtract karma  +0

TrueCrypt needs BOTH the keyfile AND the password to unlock the volume (that’s done to protect against keyloggers), so if you lose one of the two, you can’t decrypt it.

Ok, I agree but using the keyfile and the password don’t protect you against keyloggers, to be precise.

Just think about hardware keyloggers..

(Comments wont nest below this level)
 
fold this thread Jens  Tuesday, 29 May 2007 o godz. 9:48 am #  Add karma Subtract karma  --1

Ok, I agree but using the keyfile and the password don’t protect you against keyloggers, to be precise.

Just think about hardware keyloggers..

I don’t understand this, how can a hardware keylogger get to the key file?
Great post by the way..

(Comments wont nest below this level)
 
fold this thread lipiec  Friday, 1 June 2007 o godz. 6:13 pm #  Add karma Subtract karma  --1

I don’t understand this, how can a hardware keylogger get to the key file?

Hardware keylogger can get to you password not key file.

(Comments wont nest below this level)
 
fold this thread Vin  Tuesday, 5 June 2007 o godz. 7:04 pm #  Add karma Subtract karma  --1

yes, you need BOTH password and the key file to decrypt.

So please change the paragraph where you said you use EITHER the password or the key file to decrypt. it is misleading. I actually thought I was wrong and had to re-read the Truecrypt documents.

thanks for the good post.

(Comments wont nest below this level)
 
fold this thread Py  Wednesday, 27 June 2007 o godz. 8:22 pm #  Add karma Subtract karma  --1

If you have this message “device-mapper: reload ioctl failed: Invalid argument” at step “Volume mapping and creation of the filesystem”, you just need to reboot your OS.

I think this allow truecrypt to be loaded by the device-mapper. I’m using Ubuntu Feisty 7.04

(Comments wont nest below this level)
fold this thread steve  Thursday, 27 November 2008 o godz. 8:38 pm #  Add karma Subtract karma  +1

Rebooting did not work. I can’t seem to find an answer to this yet.

fold this thread William Ross  Thursday, 14 January 2010 o godz. 10:33 pm #  Add karma Subtract karma  +0

The error:
“`
device-mapper: reload ioctl failed: Invalid argument
“`
implies you do not have XTS or LRW support compiled in your kernel. If you invoke truecrypt like so:
“`
truecrypt -m=nokernelcrypto volume mountpoint
“`
the lack of kernel support will be worked around – but without the kernel support it will be slower.

 
 
 
fold this thread Mountaingod  Thursday, 12 July 2007 o godz. 2:45 pm #  Add karma Subtract karma  +2

Great tutorial, thanks. I’ve hit a snag though.

You say I can use Truecrypt to encrypt my /home/ partition, but as far as I can tell there’s no way to automount it. Automounting requires the use of ‘.profile’, but this file is situated *in the home folder*, which would of course be encrypted prior to mounting!

Has anybody found a way to use Truecrypt for automounted /home/partitions? Or a way to get round this problem?

(Comments wont nest below this level)
fold this thread Wolf08  Sunday, 2 September 2007 o godz. 12:40 am #  Add karma Subtract karma  +0

You could create a /home//.profile that exists SOLELY to mount the truecrypt home partition on /home/.

 
 
fold this thread walter  Tuesday, 25 September 2007 o godz. 8:58 am #  Add karma Subtract karma  +0

really cool tutorial, but i’m having problems. what linux distro are you using? thanx

(Comments wont nest below this level)
 
fold this thread gavin  Sunday, 14 October 2007 o godz. 11:55 pm #  Add karma Subtract karma  +0

“truecrypt — keyfile-create key.txt” should be “truecrypt –keyfile-create key.txt” (there is an extra space.)

(Comments wont nest below this level)
fold this thread gavin  Sunday, 14 October 2007 o godz. 11:58 pm #  Add karma Subtract karma  +0

… there should be two hyphens before ‘keyfile’.

 
 
fold this thread dan  Wednesday, 16 January 2008 o godz. 5:23 pm #  Add karma Subtract karma  +1

And recently it’s become known that using truecrypt -p or -k (the last is only a problem if you’re only using the keyfile) is entered in /var/log/auth.log in plaintext, so you run the risk of leaving your password lying around.

thx for otherwise good tut

(Comments wont nest below this level)
 
fold this thread fpuga  Saturday, 16 February 2008 o godz. 3:41 pm #  Add karma Subtract karma  +1

I note that with some kernel the system frozes while creating the file system. If this happens the solution is before type mkfs.ext3, do:

export MKE2FS_SYNC=1

You can probe with other values as 5 or 10 if the process of creating file system is so slow and the system don’t crash.

(Comments wont nest below this level)
 
fold this thread Gustavo  Tuesday, 1 June 2010 o godz. 11:04 pm #  Add karma Subtract karma  +0

I already use Truecrypt on Windows with a security token from Aladdin. I’m now moving to Linux Ubuntu 10.04, I’ve installed the library, openct and opensc, to get my token working, but I can’t use it on Truecrypt.

(Comments wont nest below this level)
 
fold this thread vip loan shop reviews  Thursday, 4 April 2013 o godz. 11:31 pm #  Add karma Subtract karma  +0

Great goods from you, man. I have understand your stuff previous to and you are just too wonderful. I really like what you’ve acquired here, really like what you are stating and the way in which you say it. You make it enjoyable and you still care for to keep it sensible. I cant wait to read far more from you. This is actually a great web site.

(Comments wont nest below this level)
 
fold this thread zazzle discount  Thursday, 9 May 2013 o godz. 4:40 am #  Add karma Subtract karma  +0

I am a novice to this website, I have to be realistic ranks on the internet for among one of the most unique blog ideas I have ever seen.

(Comments wont nest below this level)
 
fold this thread SEO Company  Friday, 10 May 2013 o godz. 9:12 pm #  Add karma Subtract karma  +0

This is the perfect site for anyone who hopes to understand
this topic. You realize a whole lot its almost hard to argue with you (not that I actually will need to…HaHa).
You definitely put a brand new spin on a subject that has been written about for decades.

Great stuff, just wonderful!

(Comments wont nest below this level)
 
fold this thread Freeman  Tuesday, 20 May 2014 o godz. 5:33 pm #  Add karma Subtract karma  +0

What’s up everyone, it’s my first pay a visit at this web site, and post
is actually fruitful for me, keep up posting these
types of posts.

(Comments wont nest below this level)
 
fold this thread mode  Tuesday, 22 July 2014 o godz. 6:17 am #  Add karma Subtract karma  +0

Thanks for some other informative web site. The place else may just I am getting that kind of info written in such an ideal
approach? I’ve a challenge that I am just now operating on, and I’ve been on the glance out for such info.

(Comments wont nest below this level)
 
Name (required)
E-mail (required - never shown publicly)
URI

Adjust field size: shrink | enlarge)


You can use simple HTML in your comments. Some examples are as follows:
  • A hyperlink: <a href="polishlinux.org">GNU/Linux for everyone!</a>,
  • Strong text: <strong>Strong text</strong>,
  • Italic text: <em>italic text</em>,
  • Strike: <strike>strike</strike>,
  • Code: <code>printf("hello world");</code>,
  • Block quote: <blockquote>Block quote</blockquote>

New AdTaily ads!

Are you a film buff?

film buffs community, movie recommendations and reviews

RSS: Comments

You can follow the comments to this article through a special channel RSS 2.0 .

Related articles: CLI

 more »

Related articles: HOWTOs

 more »

PolishLinux Top Content


Become our fan on Facebook!

PolishLinux.org on Facebook

Follow PolishLinux on Twitter!

Follow polishlinux on Twitter

Google Ads