I.T. Security and Linux Administration

Feb 21 2011   4:17PM GMT

Drive Encryption (feat. TrueCrypt) Part 2



Posted by: Eric Hansen
Tags:
drive
encryption
how to
install
tip
truecrypt

Installation

Unfortunately, TrueCrypt’s official website does not offer a simple click-this-link-to-download, instead you have to choose between a GUI (x86 or x64) or CLI (x86 or x64) version. As my server’s pretty old (read: very, very old), I had to use the x86 version, so I cannot verify currently what changes there are between the two (if any). What I did was download the CLI/console x86 version, and then use WinSCP to copy the tar.gz file over to my server.

Note that most Linux flavors tend to have TrueCrypt in their repos, so if you’re not to follow the installation procedure, you can easily do it this way. Personally, though, I prefer to use the manual wrote, so that’s what I’ll cover here.

Once you download, transfer, and untar the TrueCrypt .tar.gz file, you’ll be left with one file:

truecrypt-7.0a-setup-console-x86

All you have to do is run this file, and it’ll give you two options:

TrueCrypt 7.0a Setup
____________________

Installation options:

1) Install truecrypt_7.0a_console_i386.tar.gz
2) Extract package file truecrypt_7.0a_console_i386.tar.gz and place it to /tmp

To select, enter 1 or 2:

I chose option 1, since 2 is more of a “see what’s involved in this”. After choosing 1, you’ll be prompted to acknowledge the EULA, where the Page Down key comes in handy quite a bit, as there’s a lot to read. Once you reach the end, you can type either “y” or “yes” (w/o the quotes) to acknowledge the EULA. After that, you’ll see the following screen:

Uninstalling TrueCrypt:
———————–

To uninstall TrueCrypt, please run ‘truecrypt-uninstall.sh’.

Installing package…
usr/bin/truecrypt
usr/bin/truecrypt-uninstall.sh
usr/share/truecrypt/doc/License.txt
usr/share/truecrypt/doc/TrueCrypt User Guide.pdf

Press Enter to exit…

That’s it for the installation, it’s a pretty easy install I’d say.

Usage

I’m not going to cover hidden volumes in this post, so I’ll address what the help option shows for TrueCrypt in regard to the hidden volume type:

Inexperienced users should use the graphical user interface to create a hidden
volume. When using the text user interface, the following procedure must be
followed to create a hidden volume:
1) Create an outer volume with no filesystem.
2) Create a hidden volume within the outer volume.
3) Mount the outer volume using hidden volume protection.
4) Create a filesystem on the virtual device of the outer volume.
5) Mount the new filesystem and fill it with data.
6) Dismount the outer volume.
If at any step the hidden volume protection is triggered, start again from 1).

In part one I covered what a hidden and normal volume is, as well as some other fundamental concepts for using this software. So, right now I’ll go through creating a TrueCrypt volume.

Before going into creating a volume, though, there is a switch (–random-source) that you can use, instead of inputting 320 random characters. While the help menu says “Use file as source of random data”, you can also use a device (such as /dev/urandom). You’ll have to wait a little bit though for it to finish, as it won’t output anything to let you know it’s gathering data.

truecrypt -t -c

Very simple, yet will become very powerful. You’ll be prompted with the following:

Volume type:
1) Normal
2) Hidden

My own personal experience, I never have found a need for a hidden volume, so I always go with normal (1). Once you do that, it’ll ask you for the volume path. It should be noted here, however, that it is the full absolute path (/home/tcvolumes/…, not ~/…), including the filename of the volume itself. When I was first working with TrueCrypt, this threw me off a little bit. Then the real fun begins.

Now it’ll ask you for the size of the volume, with megabytes (M) being the default size. If you want to specify kilobytes or gigabytes, then type in the size then K or G (i.e.: for 500 kilobytes, type 500K). Please note, even though it probably shouldn’t have to be said, make sure the partition or disk you use has the necessary space for the volume you are creating.

The first interesting bit during a volume set up is the encryption choice. Here’s what you’ll see next:

Encryption algorithm:
1) AES
2) Serpent
3) Twofish
4) AES-Twofish
5) AES-Twofish-Serpent
6) Serpent-AES
7) Serpent-Twofish-AES
8 ) Twofish-Serpent

While the default is #1, I prefer using #5 or #7, but outside of those, I recommend any of the AES ones. The cipher of AES is pretty robust, is among one of the hardest encryption algorithms to crack, and just overall provides a better security foreground to your volume.

After that, you’ll choose the hash algorithm to use, which mostly seems dependent on the encryption algorithm you just chose. I generally choose Whirlpool as it gathers data more randomly. For the file system, the default is to use FAT, but I like to stay consistent, so I stick w/ whatever format I have set up for the main partition (which is ext3 for my server). Besides that, make sure your kernel supports the file system format you want to use.

It’ll ask you for a password after you choose the file system. This is used for mounting the volume to ensure wondering eyes aren’t peeping into your files. While you don’t have to provide a password, it is very highly recommended that you do, unless you’re positive you’re the only one who will be able to access/mount/etc…the volume. If you enter a password shorter than 20 characters, it’ll warn you that a short password is generally easier to crack, and ask if you wish to still use the password. Alternatively, you can provide a keyfile (multiple keyfiles are possible) to use instead of a password. Please note though that the keyfile does have to exist prior, or else you’ll receive an error saying that the keyfile does not exist.

Then the real fun begins during the process, as you finally get to type in different characters to generate the encryption key. While it requires at least 320 characters, if you press Enter at any time, it’ll show you how many characters are left. After that, the volume will be created and then you’ll just have to mount it.

Mounting

(NOTE: Any switches with a * before the name means there’s two dashes instead of one.  WordPress screws up the formatting.)

This is pretty simple. The command is as follows:

truecrypt {volume} {mount point}

Just as if you were using the mount command, though, the mount point does have to exist before you mount the volume, or else you’ll get an error. If you decided to use a password for your volume, it’ll prompt you for it’s password before mounting. You’ll also be prompted for a keyfile (even if you didn’t provide one during creation), so if you didn’t give one during set up, you can just hit enter. After that, it’ll ask if you if you want to protect the hidden volume if there is any, which defaults to no. Then you’re done with mounting the volume. At this point, you can do pretty much whatever to the volume, as it’ll act just like any other drive would, mounted.

For mounting, if you want to speed up the process a bit, you can use this:

truecrypt -t -k “” *protect-hidden=no {volume} {mount point}

This will basically speed up the mounting process, only asking for a password. The -t switch says to use a text-based user interface, -k is to specify keyfiles (“” means no keyfiles), –protect-hidden does the same as the prompt during the regular mount process. Another switch you can use, but pretty much defeats the purpose of using passwords, is the -p switch, which lets you specify the password for the volume. In the case you decide to use this switch, the command (if you want to skip all user intervention) would look like this:

truecrypt -t -k “” -p “password here” *protect-hidden=no {volume} {mount point}

If you use the -m switch, you can set mount options (such as -m ro for read-only mount), similar (again) to the mount command. Another option that might come in handy is changing the password, which can be done using the -C switch. To do this, you would simply use the following command:

truecrypt -C {volume}

It’ll prompt you for the volume’s current password (which you can use the -p switch again if you like), then the new password and another 320 character string of random text.

Dismounting

I’ll cover this shortly as there’s only two commands really for dismounting a volume.  First, if you want to just dismount a specific volume, you would type in the following:

truecrypt -d {volume}

So, if your volume file was located at /root/tcv, you’d type truecrypt -d /root/tcv.

Lastly, if you would like to dismount all of your volumes, you would just use the following:

truecrypt -d

Finish

I’ll be covering more of TrueCrypt in future articles, as well as other programs that add to security and safety.  Keep checking back for more articles, as I’ll also be covering more about the IT world as well.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: