Pergamon Tux's lil' helper
Joined: 01 Feb 2004 Posts: 117
|
Posted: Sat Nov 05, 2005 11:42 am Post subject: HowTo (v 1.0.2): TrueCrypt encryption: Windows XP and Linux |
|
|
TrueCrypt 4.0
Update: An ebuild is currently being tested at Bugs.Gentoo.Org. However, this still seems to be a work in progress.
Truecrypt is an ideal tool if you plan to exchange volume-based encrypted data between Windows and Linux. It allows you to create encrypted volumes within a file or partition and mount them from both Linux and Windows. The encrypted file system can reside, for example, within a file on a USB stick, or the entire USB stick can be an encrypted volume.
Additionally, TrueCrypt supports hidden encrypted volumes within an encrypted volume. Those hidden volumes can never be detected even if the password of the outer volume gets compromised - the hidden volume is indistinguishable from random data.
Currently, there is no ebuild available for truecrypt 4.0 www.truecrypt.org.
This (hopefully soon obsolete) howto helps with setting up truecrypt while there is no ebuild.
Manual compilation
First, go to the download page of truecrypt: http://www.truecrypt.org/downloads.php
and get the source code of truecrypt:
http://www.truecrypt.org/downloads/truecrypt-4.0-source-code.tar.gz
Code: | cd ~
mkdir truecrypt
cd truecrypt
gzip -dc <path-to-your-download>/truecrypt-4.0-source-code.tar.gz | tar xvf -
cd truecrypt-4.0/Linux
# Edit build.sh and replace occurrences of "- 1" with "-n 1", otherwise you will get warnings.
su
./build.sh
./install.sh
|
Choose /usr/bin as installation path for the executables and /usr/share/man for man files.
That's it.
Documentation
explains how to use it.
There is excellent user documentation that easily rivals the quality of commercial products, available at: TrueCrypt user guide
I tested with XP, created an encrypted file system on a USB stick, mounted it on Linux and with
Code: | truecrypt /mnt/stick/my-encrypted-volume /mnt/crypt |
files are easily accessible.
Current limitations with Linux
Currently, there is one limitation for the linux implementation: In order to create a new volume (either partition based or within a file) you have to use Windows XP. Once a truecrypt volume is created, its file system and the content can be changed with the linux implementation.
Hopefully this howto is soon rendered obsolete by a nice truecrypt ebuild!
Changes
v 1.0.1: Corrected error concerning possibility of creating new volumes with linux
v 1.0.2: Link to ebuild in bug database
Last edited by Pergamon on Wed Nov 16, 2005 9:46 am; edited 2 times in total |
|
|
|
gruemelmonster n00b
Joined: 05 Oct 2004 Posts: 4
|
Posted: Sat Nov 05, 2005 1:36 pm Post subject: |
|
|
Quote: | Of course encrypted volumes can also be created with Linux |
How do you do that??? I read that manpage and could not find anything about how to create a volume...
Maybe I'm just blind... |
|
|
|
mahdi1234 Guru
Joined: 19 Feb 2005 Posts: 559 Location: Being There
|
Posted: Sat Nov 05, 2005 7:05 pm Post subject: |
|
|
same problem is discussed in main product's forum http://www.truecrypt.org/forum.php so i guess it doesn't work under linux yet ;(. |
|
|
|
Pergamon Tux's lil' helper
Joined: 01 Feb 2004 Posts: 117
|
Posted: Sun Nov 06, 2005 9:05 am Post subject: Correct: truecrypt cannot create new volumes with Linux |
|
|
Unfortunately it seems you are both right: for the moment it seems like truecrypt cannot create new volumes under Linux. So at this point we have to rely on Windows.
I change the howto to reflect this.
Thanks. |
|
|
|
rschwarze n00b
Joined: 01 Jul 2005 Posts: 63 Location: Germany
|
Posted: Sun Nov 06, 2005 3:48 pm Post subject: |
|
|
Hi,
I followed the howto and installed truecrypt. But when I try to mount a truecrypt file I get the following error:
Code: | truecrypt /media/MAXTORFAT32/crypto.tc /mnt/crypt
Enter password for '/media/MAXTORFAT32/crypto.tc': |
Code: | truecrypt: No free loopback device available for file-hosted volume |
any suggestions? |
|
|
|
DOSBoy Tux's lil' helper
Joined: 26 Jun 2005 Posts: 84
|
Posted: Mon Nov 07, 2005 7:03 am Post subject: |
|
|
Does your kernel have support for loopback filesystems? |
|
|
|
Martux Veteran
Joined: 04 Feb 2005 Posts: 1917
|
Posted: Tue Nov 08, 2005 3:10 pm Post subject: |
|
|
rschwarze wrote:
Quote: |
Code: |
truecrypt: No free loopback device available for file-hosted volume
|
|
I've got the same problem. The only fix seems to be mounting as root (even if you said users should be able to mount it)...
hth, marcus _________________ "Coincidence is God's way of remaining anonymous."
Albert Einstein
"The road to success is always under construction" |
|
|
|
rschwarze n00b
Joined: 01 Jul 2005 Posts: 63 Location: Germany
|
Posted: Tue Nov 08, 2005 8:02 pm Post subject: |
|
|
yes, with root it works. |
|
|
|
webmaxx n00b
Joined: 30 Apr 2005 Posts: 33 Location: Germany
|
Posted: Sun Jan 01, 2006 1:00 am Post subject: |
|
|
I am able to mount a truecrypt volume as a normal user.
I'm using sudo and allowed my useraccount to execute mount (and put an alias in my ~/.bashrc).
With truecrypt --mount-options uid=<USERID> /.../truecrypt.tc /home/... the user can also fully access the files. |
|
|
|
rschwarze n00b
Joined: 01 Jul 2005 Posts: 63 Location: Germany
|
Posted: Mon Apr 24, 2006 3:47 am Post subject: |
|
|
in the new version, 4.2, it's actually fully working under linux!
can someone consider making an ebuild? that would be great!
thanks, roman |
|
|
|
mahdi1234 Guru
Joined: 19 Feb 2005 Posts: 559 Location: Being There
|
Posted: Mon Apr 24, 2006 8:59 pm Post subject: |
|
|
rschwarze wrote: | in the new version, 4.2, it's actually fully working under linux!
can someone consider making an ebuild? that would be great!
thanks, roman |
in fact there's already ebuild for quite a long time, recently updated to 4.2 - check https://bugs.gentoo.org/show_bug.cgi?id=112197
If you don't know how to use portage overlay search for something like gentoo + wiki + portage overlay. |
|
|
|
rschwarze n00b
Joined: 01 Jul 2005 Posts: 63 Location: Germany
|
Posted: Tue Apr 25, 2006 5:03 pm Post subject: |
|
|
I know how to use an overlay.
I would just like to have it in regular portage and I thought, now that everything works without windows, it would be possible to include it in portage.
edit: but thank you very much for pointing me to the ebuild, it's still easier than installing it by hand.
btw: ebuild works great. |
|
|
|
palmer Guru
Joined: 17 Nov 2004 Posts: 322 Location: Berkeley, CA
|
Posted: Sat May 20, 2006 8:51 pm Post subject: |
|
|
Anybody gotten it to create a file under linux?
truecrypt -c is stuck at the "enough entropy available in the kernel"
The % meter goes up to ~50%, then falls back to the single digits
The file is only 1mb, and has been running for ~20mins
I have tried different hash and encryption algorithms
EDIT: It's been going for ~4 hours now
-palmem |
|
|
|
vitaming n00b
Joined: 11 May 2006 Posts: 9
|
Posted: Wed May 24, 2006 3:28 pm Post subject: |
|
|
palmem wrote: | Anybody gotten it to create a file under linux?
truecrypt -c is stuck at the "enough entropy available in the kernel"
The % meter goes up to ~50%, then falls back to the single digits
The file is only 1mb, and has been running for ~20mins
I have tried different hash and encryption algorithms
EDIT: It's been going for ~4 hours now
-palmem |
the message said also something like "press any keys or move the mouse to increase entropy".
For me the encryption also didn't start when I was logged in remotely - I had to go to the physical machine and hammer on the keyboard for quite a while. |
|
|
|
quag7 Apprentice
Joined: 12 Aug 2002 Posts: 288 Location: Marana, Arizona - USA
|
Posted: Wed May 24, 2006 6:10 pm Post subject: |
|
|
Thanks for the ebuild; I have it working here...
Creating a container:
Code: |
[quag7@antarctica] /mnt/priv/cabinets : truecrypt -c testcabinet
Volume type:
1) Normal
2) Hidden
Select [1]: 1
Filesystem:
1) FAT
2) None
Select [1]: 2
Enter volume size (bytes - size/sizeK/sizeM/sizeG): 100M
Hash algorithm:
1) RIPEMD-160
2) SHA-1
3) Whirlpool
Select [1]: 2
Encryption algorithm:
1) AES
2) Blowfish
3) CAST5
4) Serpent
5) Triple DES
6) Twofish
7) AES-Twofish
8) AES-Twofish-Serpent
9) Serpent-AES
10) Serpent-Twofish-AES
11) Twofish-Serpent
Select [1]: 2
Enter password for new volume 'testcabinet':
Re-enter password:
Done: 99.42 MB Speed: 6.77 MB/s Left: 0:00:00
Volume created.
|
Container created:
Code: |
[quag7@antarctica] /mnt/priv/cabinets : ls -al
total 102512
drwxr-xr-x 2 quag7 quagworks 4096 May 24 10:36 .
drwxrwx--- 15 quag7 restricted 4096 May 24 09:35 ..
-rw-r--r-- 1 quag7 quagworks 104857600 May 24 10:36 testcabinet
|
Attempt to mount the container for formatting:
Code: |
[root@antarctica] /mnt/priv/cabinets : truecrypt --filesystem ext3 ./testcabinet /mnt/cabinet
Enter password for '/mnt/priv/cabinets/./testcabinet':
mount: wrong fs type, bad option, bad superblock on /dev/mapper/truecrypt0,
missing codepage or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
truecrypt: Mount failed
|
However, mapping is accessible via /dev/mapper/truecrypt0 and the mount was just a partial failure. Or at least, for our purposes, the mapping will allow formatting even though the mount technically failed.
Creating an ext3 filesystem on the container so it will mount:
Code: |
[root@antarctica] /mnt/priv/cabinets : mke2fs -j /dev/mapper/truecrypt0
mke2fs 1.38 (30-Jun-2005)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
25688 inodes, 102396 blocks
5119 blocks (5.00%) reserved for the super user
First data block=1
13 block groups
8192 blocks per group, 8192 fragments per group
1976 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 38 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
|
First, ensure that everything is unmounted. Even though the above message says the mount failed, truecrypt still thinks it is mounted since it is mapped:
Code: |
[root@antarctica] /mnt/priv/cabinets : truecrypt -d
|
Mount the container:
Code: |
[root@antarctica] /mnt/priv/cabinets : truecrypt ./testcabinet /mnt/cabinet/
Enter password for '/mnt/priv/cabinets/./testcabinet':
|
The container is ready for use:
Code: |
[root@antarctica] /mnt/cabinet : ls -al
total 17
drwxr-xr-x 3 root root 1024 May 24 10:42 .
drwxr-xr-x 14 root root 4096 May 24 09:41 ..
drwx------ 2 root root 12288 May 24 10:42 lost+found
|
Just to make sure we're looking at the container:
Code: |
[root@antarctica] /mnt/cabinet : touch "We were somewhere around Barstow on the edge of the desert..."
[root@antarctica] /mnt/cabinet : ls -al
total 17
drwxr-xr-x 3 root root 1024 May 24 10:57 .
drwxr-xr-x 14 root root 4096 May 24 09:41 ..
-rw-r--r-- 1 root root 0 May 24 10:57 We were somewhere around Barstow on the edge of the desert...
drwx------ 2 root root 12288 May 24 10:42 lost+found
[root@antarctica] /mnt/cabinet : cd ..
[root@antarctica] /mnt : truecrypt -d
[root@antarctica] /mnt : cd cabinet/
[root@antarctica] /mnt/cabinet : ls -al
total 8
drwx------ 2 quag7 quag7 4096 May 24 09:41 .
drwxr-xr-x 14 root root 4096 May 24 09:41 ..
[root@antarctica] /mnt/cabinet :
|
So, Barstow and lost+found are gone (as should be normal since we unmounted the container), so this is now just an unused mountpoint; an empty directory.
Now, I remount and look at the directory of the container:
Code: |
[root@antarctica] /mnt/priv/cabinets : truecrypt ./testcabinet /mnt/cabinet
Enter password for '/mnt/priv/cabinets/./testcabinet':
[root@antarctica] /mnt/priv/cabinets : cd /mnt/cabinet
[root@antarctica] /mnt/cabinet : ls -al
total 17
drwxr-xr-x 3 root root 1024 May 24 10:57 .
drwxr-xr-x 14 root root 4096 May 24 09:41 ..
-rw-r--r-- 1 root root 0 May 24 10:57 We were somewhere around Barstow on the edge of the desert...
drwx------ 2 root root 12288 May 24 10:42 lost+found
[root@antarctica] /mnt/cabinet :
|
Don't know if this is helpful to anyone. I didn't get any messages related to entropy in the kernel, so I can't help with that unfortunately. A 100 megabyte container took perhaps 10 or 15 seconds total to create on my Celeron 1 GHz, and formatted almost instantly.
I haven't used it long enough to have any comments on reliability. The forums on the Truecrypt site suggest there may be a lot of instability yet, and a lot of problems, so don't feel too bad if you're one of those people. I was personally thrown by the file system creation. I used --filesystem ext3 when I issued truecrypt -c but this was not actually creating the filesystem; hence the traditional mke2fs -j command, which works fine.
However, container creation *does* work natively in Linux, at least on my machine. Windows isn't necessary.
Make sure you have the latest ebuild from bugzilla and that you have Device Mapper support enabled in your kernel, as well as whatever filesystems you want to use for your containers:
Code: |
Device Drivers
Multi-Device Support
<*> Device mapper support
|
_________________ http://www.dataswamp.net |
|
|
|
palmer Guru
Joined: 17 Nov 2004 Posts: 322 Location: Berkeley, CA
|
Posted: Sun May 28, 2006 6:58 pm Post subject: |
|
|
vitaming wrote: |
the message said also something like "press any keys or move the mouse to increase entropy".
For me the encryption also didn't start when I was logged in remotely - I had to go to the physical machine and hammer on the keyboard for quite a while :). |
During those 4 hours, I used the computer as normal (I typed ~1pg of homework, browsed the web, etc)
I think something's broken...
Code: | Device Drivers
Multi-Device Support
<*> Device mapper support |
What kernel are you using?
I am using genkernel with 2.6.16-gentoo-r3
There is no multi-device support in the options
The ebuild wants to install sys-fs/device-mapper
-palmem |
|
|
|
Gergan Penkov Veteran
Joined: 17 Jul 2004 Posts: 1464 Location: das kleinste Kuhdorf Deutschlands :)
|
Posted: Sun May 28, 2006 9:12 pm Post subject: |
|
|
just using the ebuild from bugzilla, I was able to create already three volumes with whirlpool-hash and serpent, without any problems and they work just fine here.
I'm still not certain, which hashes are better and, which encryption algorithms to use, if anyone could explain this a little bit better, as in the documentation there are only key-lengths, which does not mean in fact anything. _________________ "I knew when an angel whispered into my ear,
You gotta get him away, yeah
Hey little bitch!
Be glad you finally walked away or you may have not lived another day."
Godsmack |
|
|
|
Darknight Guru
Joined: 26 Jan 2004 Posts: 483 Location: Italy
|
Posted: Sat Sep 16, 2006 11:39 pm Post subject: |
|
|
I'll just give you a few pointers, besides you probably don't need them anymore (someone else may benefit).
All that follows is IMHO with no assumption regarding its completeness...
Some of the "best" algorithms for encryption are: blowfish, twofish, aes, serpent, this list should more or less be in order of quickest->slowest and, to some extent secure->more secure.
As a general rule you will use blowfish for the stuff you don't want your roommate or mom to see (it's already overkill) or where speed is most needed.
Key length is an important factor, the bigger the key the more difficult decrypting becomes for an attacker. Always use the maximum key size for your chosen algorithm.
Most hashes work well, the "sha" series are among the most used. |
|
|
|
ivanova Apprentice
Joined: 12 Apr 2004 Posts: 158 Location: South Africa
|
Posted: Thu Sep 28, 2006 8:40 am Post subject: |
|
|
rschwarze wrote: | Hi,
I followed the howto and installed truecrypt. But when I try to mount a truecrypt file I get the following error:
Code: | truecrypt /media/MAXTORFAT32/crypto.tc /mnt/crypt
Enter password for '/media/MAXTORFAT32/crypto.tc': |
Code: | truecrypt: No free loopback device available for file-hosted volume |
any suggestions? |
make sure the loop module is loaded with:
_________________ Ladies and Gentlemen... we are floating in space. |
|
|
|
fire-fly n00b
Joined: 15 Jan 2007 Posts: 2
|
Posted: Mon Jan 15, 2007 9:10 am Post subject: |
|
|
Hi quag7
I did as you mentioned,
Code: |
[root@antarctica] /mnt/priv/cabinets : truecrypt ./testcabinet /mnt/cabinet/
Enter password for '/mnt/priv/cabinets/./testcabinet':
|
However, the ownership becomes root, although I login as an ordinary user.
How do I mount it with other ownership?
By the way I am using FC4
Thanks in advance.
Cheers
Fire-fly |
|
|
|
ronmon Veteran
Joined: 15 Apr 2002 Posts: 1043 Location: Key West, FL
|
Posted: Mon Jan 15, 2007 8:26 pm Post subject: |
|
|
Can't get any decent help in the Fedora forums? No big surprise there
Here's how I mount mine as a user in the "adm" group and assign rwx permissions to that group.
First, I edited my sudoers with "visudo" and added this:
Code: |
# Truecrypt
%adm localhost=(root) NOPASSWD: /usr/bin/truecrypt /home/vcr/v /home/vcr/m,/usr/bin/truecrypt -d
%adm localhost=(root) NOPASSWD: /usr/bin/chgrp adm /home/vcr/m,/usr/bin/chmod 770 /home/vcr/m
|
Then, I simplified things with a couple aliases in my ~/.bashrc:
Code: |
alias con="sudo truecrypt /home/vcr/v /home/vcr/m && \
sudo chgrp adm /home/vcr/m && \
sudo chmod 770 /home/vcr/m"
alias cof="sudo truecrypt -d"
|
You'll get prompted for the truecrypt password. Of course you need to adjust those to point to wherever you have set up your truecrypt volume and mountpoint. _________________ Ask Questions the Smart Way - by ESR |
|
|
|
saturday Apprentice
Joined: 20 Dec 2004 Posts: 246 Location: de/munich/home
|
Posted: Tue Jan 16, 2007 9:45 pm Post subject: |
|
|
I did "chmod 4755 /usr/bin/truecrypt" to be able to mount truecrypt volumes as user.
But I don't think that's a recommended way to do it. There may be security concerns, but I don't know enough about it to be able to evaluate this. |
|
|
|
fire-fly n00b
Joined: 15 Jan 2007 Posts: 2
|
Posted: Wed Jan 17, 2007 1:30 pm Post subject: |
|
|
Hi Ronmon,Apprentice
thanks for the suggestions, I will try the suggestions later, a bit busy with my work.
Anyway I forgot to mention I compiled with the option, user is able to doing mounting.
I believe it is a bug, when mounting ext3,
because truecrypt -d works with FAT!
I will update you guys
Thanks! |
|
|
|
ronmon Veteran
Joined: 15 Apr 2002 Posts: 1043 Location: Key West, FL
|
Posted: Wed Jan 17, 2007 9:08 pm Post subject: |
|
|
Linux file systems understand permissions, FAT does not. That's the difference. Using setuid is not a good idea, for security reasons. _________________ Ask Questions the Smart Way - by ESR |
|
|
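The two approaches from the posts above, a sudoers rule with fixed arguments versus a setuid binary, can be checked mechanically. This is an added example, not code from any poster: the `alice` and `bob` rules, the function names and the sample file are constructed for illustration, and only the single-line NOPASSWD form is parsed.

```shell
#!/bin/sh
# Added example (not from the thread): audit sudoers rules and the setuid bit
# for a privileged mount helper such as truecrypt.

trim() { printf '%s' "$1" | tr '\t' ' ' | sed 's/^ *//; s/ *$//'; }

# In sudoers a bare path permits ANY arguments, listed arguments must match
# exactly, and * or ? are wildcards. Only the exact form is "pinned".
classify_cmd() {
    spec=$(trim "$1")
    case "$spec" in
        *[*?]*) echo wildcard ;;
        *" "*)  echo pinned ;;
        *)      echo any-args ;;
    esac
}

# Print "<class><TAB><command>" for every NOPASSWD command in a sudoers file.
# Aliases, line continuations and escaped commas are out of scope.
audit_sudoers() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:' |
    sed 's/.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' |
    while IFS= read -r cmd; do
        cmd=$(trim "$cmd")
        if [ -n "$cmd" ]; then
            printf '%s\t%s\n' "$(classify_cmd "$cmd")" "$cmd"
        fi
    done
}

# Number of NOPASSWD commands whose arguments are not pinned.
count_unpinned() {
    audit_sudoers "$1" | awk -F '\t' '$1 != "pinned" { n++ } END { print n + 0 }'
}

# True if the file carries the setuid bit (e.g. after "chmod 4755").
is_setuid() { [ -u "$1" ]; }

# Constructed sample: the first rule is the one from the post above, the
# other two are hypothetical contrast cases.
sample_sudoers() {
    cat <<'EOF'
# Truecrypt
%adm localhost=(root) NOPASSWD: /usr/bin/truecrypt /home/vcr/v /home/vcr/m,/usr/bin/truecrypt -d
alice localhost=(root) NOPASSWD: /bin/mount
bob localhost=(root) NOPASSWD: /usr/bin/truecrypt *
EOF
}

demo_file=$(mktemp)
sample_sudoers > "$demo_file"
audit_sudoers "$demo_file"
echo "unpinned rules: $(count_unpinned "$demo_file")"
if is_setuid /usr/bin/truecrypt; then echo "WARNING: truecrypt is setuid"; fi
rm -f "$demo_file"
```

A rule reported as `any-args` or `wildcard` lets the user pass any volume, mount point and mount options to a program running as root, and a setuid binary does the same for every local account; the pinned form limits the grant to one volume and one mount point.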
|
smypee n00b
Joined: 11 Oct 2003 Posts: 64 Location: Zurich
|
Posted: Sun Feb 18, 2007 8:09 am Post subject: |
|
|
I successfully created an encrypted volume (with no file system). I can mount this volume but when I try to format it using Code: | mke2fs -j /dev/mapper/truecrypt0 | my system freezes hard. Only thing I can do is reset the machine. The encrypted volume is located on a USB disk. |
|
|
|
|