Sunday, February 5, 2012

Truecrypt's Guide


  • Introduction
  • What's Truecrypt and what are its advantages
  • Things to know before you try
  • Using truecrypt
  • Common Problems
  • Conclusion


This is just a little guide about using truecrypt. I'm writing it because this great tool has been mentioned several times in r00tsec but there's no guide on how to use it yet. Many sites don't have a truecrypt guide because its use is fairly easy; however, every guide (including the Official Beginner's Manual) is about truecrypt's GUI, which works in interactive mode. This is why this guide is about using truecrypt from the console, and it will be a Linux-based guide.

If you're like me, then you'll take every possible chance to use a console command instead of a GUI, so this guide is for you. It isn't perfect and it isn't the greatest, but I'll do my best to cover the things that create the most confusion about the tool. It will also be (or at least try to be) easy to follow both for those who are using the tool for the first time and for those who already know it.

For convenience, I will be using several concepts to define different things: by "virtual volumes" I'll mean any group of clusters (a reserved portion of space on a hard drive or a hard drive partition), by "real volumes" I'll mean hard drives or partitions, and by "removable volumes" I'll be referring to any removable device (like USB hard drives).

What's Truecrypt and what are its advantages

Truecrypt is an open-source tool built with privacy in mind. It's also referred to as hard-disk encryption software and, as of today, it is portable to most of the major systems. It works by encrypting the data 'on-the-fly': this means that if I open a music file that is saved on an encrypted volume, the file is decrypted in RAM as the data is requested by the music player; when saving data, all the encryption is done in RAM as well while truecrypt reads the file(s) that are being saved to the volume.

From paranoids to companies, this is the best tool to use when you want to keep your information private from prying eyes. If you're looking for a solution to keep your things private, this tool will be your best friend for sure!

Truecrypt is loved by many because it has many important features; this is a list of them:

  • Portable: It can be used on several of the major operating systems around: Windows, Linux and Mac OS X.
  • Volume scope: You can encrypt just a portion of a disk or disk partition by creating a virtual volume, you can encrypt a partition or hard drive entirely, and you can encrypt removable devices.
  • Several algorithms: At the time of this writing, Truecrypt supports three encryption algorithms: AES, Twofish and Serpent.
  • Cascades: Related to the above, one of the best ways to reinforce security is that you can use two or three algorithms at the same time. This is what is called a cascade, and the available ones are: AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES and Twofish-Serpent.
  • Several hashes: Besides algorithms, truecrypt uses hashes to derive random values from the password and key files. At the time of this writing there are only three hashes available: SHA-1, RIPEMD-160 and Whirlpool.
  • Passwords and key files: Truecrypt is flexible in that you can use only a password to protect the encrypted volume, or you can use a password and key files. The key files are used as random data that is sourced and fed in while creating the hashes. The great thing is that any kind of file, and even entire directories, can be used as a key file, meaning that you can use an mp3 file or an avi video file as a key file.
  • Interfaces: The tool can be used through a GUI (Graphical User Interface) or from the console, which offers wider portability.
  • Interactive use: For those who are starting to use the tool, this is the best. The interactive mode is used by truecrypt when no parameters are passed to the initial command; this means that truecrypt will ask the user for every piece of information needed in order to create an encrypted volume, thus avoiding errors that new users could make.
  • Two kinds of volumes: There are normal volumes and hidden volumes. At the beginning, every volume is a normal one; hidden volumes are created inside normal volumes as a way to improve the privacy of the data.
  • Plausible deniability: Related to the previous point, this is by far one of the greatest advantages of this tool. Basically, since every truecrypt volume, unless decrypted, looks like random data, it's almost impossible to know that such a truecrypt volume exists. Besides that, if the normal volume is exposed (someone forces you to give the access password), it's impossible to know that there's a hidden volume in it, and thus the information saved in that hidden volume stays hidden.

You can't deny that there are a lot of advantages in the tool, and best of all, it's free ;)

Things to know before you try

When it comes to Linux systems, you need specific kernel support in order to use truecrypt volumes (not to create them, just to use them). Also, the specific support you'll need depends on the truecrypt version you're using. Right now there are two major versions of the tool in use, 4.3a and 5.1a, and these two have at least one very important difference regarding Linux support: 4.3a uses the device mapper while 5.1a uses FUSE (a userspace driver). Also, no matter what version of truecrypt you are using, you need to have loop device support in the kernel.

So the first thing you'll need to check before you start using truecrypt is that you have the kernel support (activate it as modules or built-in according to the truecrypt version you use):

Device Drivers --> Multiple devices drivers support (RAID and LVM) --> Device mapper support

File systems --> Filesystem in Userspace support

Device Drivers --> Block Devices --> Loopback device support
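A small pre-flight script that checks at runtime whether the three pieces of support above are actually present on the running kernel. This is an added example and not part of the original post; it reads /proc/devices and /proc/filesystems (so built-in drivers count, not only loaded modules), and the file paths are parameters only so the check can be exercised against constructed copies of those files.

```shell
#!/bin/sh
# Pre-flight check for the kernel support truecrypt needs on Linux (added example,
# not from the original post). It looks at /proc/devices and /proc/filesystems
# rather than /proc/modules, so built-in drivers count as present just like
# loaded modules. The file paths are parameters only so the check can be tested
# against constructed copies of those files.

# Each helper returns 0 when the driver is registered in the given file.
tc_has_loop() { grep -q '[[:space:]]loop$' "$1"; }        # loop block driver
tc_has_dm()   { grep -q 'device-mapper' "$1"; }           # needed by 4.3a
tc_has_fuse() { grep -q '[[:space:]]fuse$' "$1"; }        # needed by 5.1a

# tc_preflight VERSION [DEVICES_FILE] [FILESYSTEMS_FILE]
# VERSION is 4 (device mapper based, e.g. 4.3a) or 5 (FUSE based, e.g. 5.1a).
# Prints each missing piece with the kernel config path to enable it and
# returns the number of missing pieces (0 means truecrypt volumes can be used).
tc_preflight() {
    ver=$1
    devs=${2:-/proc/devices}
    fss=${3:-/proc/filesystems}
    missing=0
    # Loop device support is needed by every truecrypt version.
    if ! tc_has_loop "$devs"; then
        echo "missing: loop device (Device Drivers --> Block Devices --> Loopback device support)"
        missing=$((missing + 1))
    fi
    case "$ver" in
        4)
            if ! tc_has_dm "$devs"; then
                echo "missing: device mapper (Device Drivers --> Multiple devices driver support --> Device mapper support)"
                missing=$((missing + 1))
            fi ;;
        5)
            if ! tc_has_fuse "$fss"; then
                echo "missing: FUSE (File systems --> Filesystem in Userspace support)"
                missing=$((missing + 1))
            fi ;;
        *)
            echo "usage: tc_preflight 4|5 [devices_file] [filesystems_file]" >&2
            return 99 ;;
    esac
    return "$missing"
}

# Run directly as: sh tc_preflight.sh 5
if [ -n "${1:-}" ]; then
    tc_preflight "$1"
fi
```

Run it with 4 or 5 depending on the truecrypt version you installed; a non-zero exit status tells you how many of the pieces above are missing, and the output tells you which ones.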

Using truecrypt

If you're starting to use this tool you need to understand at least how to encrypt what you need to encrypt, and for this, you need to understand that there are different scopes and kinds of volumes.

Virtual volumes: Let's say you have a Linux partition on /dev/sda4 and this partition has 20GB of space. Now, virtual volumes are just a portion that can be reserved from a partition (or a hard drive, if it doesn't have any partitions); basically, it is just a file with a fixed length that you create on a partition or hard drive. On /dev/sda4 a virtual volume could be one single file called private of about 5GB; in turn, you have /dev/sda4 as a partition of 20GB with a file of 5GB on it. I call them virtual volumes because every truecrypt volume needs to be mounted and worked with as if it were a single disk, so even when it's actually just a file, it needs to be treated as if it were a real disk on your system.

Real volumes: Remember, as I said in the introduction, I'm using these terms for convenience so you can easily understand the way it all works. In the case of real volumes, I mean every partition or entire hard drive that's going to be encrypted. For instance, let's take the above example: you have a partition called /dev/sda4 of about 20GB. You can encrypt the partition entirely, not just create a file on it; in the same way, if you have only one disk with no partitions at all, you can encrypt it completely. Those are real volumes.

Removable volumes: These are just any kind of removable device where you can save data, like USB hard drives, flash drives and such.

Every truecrypt volume needs a path (like /media/sda4/private) which is then going to be mapped to a device in /dev; if it's a virtual volume, it will be mapped to /dev/mapper/truecryptN. This path is where the truecrypt volume is, and it is required to indicate it in order to create the volume. To use the volume, besides a known path, a mount point is needed (like /mnt/something or /media/data). This is only used once the truecrypt volume has been created and mapped to a device in /dev; the mount point is where you actually are going to save or access the data that is in the truecrypt volume. No worries if you don't catch this yet, you'll understand it later ;)

As I said before, this guide is about using truecrypt from the console on Linux systems; for a guide about using the graphical interface please refer to the Official User's Guide.

From the command line, truecrypt has many parameters that can be used to create your volumes. I won't cover every possible use of those parameters, so you can check all the options available by issuing the command:
root@root [~]# truecrypt --help

However, if you've been following me so far, you should remember that I talked about the interactive mode in the advantages section. The great thing about this mode of operation is that you don't really need to know any other parameter in order to create a truecrypt volume. From the command line, the interactive mode is invoked like this:
root@root [~]# truecrypt --interactive

In this mode, the program will ask you everything it needs to know to create a volume: the volume path, a password, a hash, a key file (optional) and other important stuff. This mode can also be entered by truecrypt itself if the user issued some parameters but not every one required to create the volume. For instance, let's say we create a volume called mystuff with the password uid0R00tS3c; the command could be something like this:
root@root [~]# truecrypt --password uid0R00tS3c --create /media/hda3/private

The thing with the above command is that it lacks other important information, for example the hash that should be used for the password. In this case, truecrypt will notice that not all the needed parameters have been issued from the beginning, so it will start asking the user for all the missing data.

Moving on, using truecrypt is incredibly easy, mostly thanks to the interactive mode. Starting from here, I'll be showing several ways to use the tool to better fit your needs; feel free to ask or add whatever you think will improve this guide. For convenience, I'll be using two example disks: one is a partition /dev/hda2 that is mounted on /media/data, and the other is an entire disk /dev/sda1 that is mounted on /media/mydisk.

Create a volume called 'private' on /dev/hda2:
root@root [~]# truecrypt --create /media/data/private

Create a volume called 'private' using the password R00tS3c:
root@root [~]# truecrypt --password R00tS3c --create /media/data/private

Create a volume called 'private' using password and the algorithm Twofish:
root@root [~]# truecrypt --password R00tS3c --encryption Twofish --create /media/data/private

Create a volume called 'private' with a blank password but using a key file:
root@root [~]# truecrypt --password '' --keyfile /home/rootsec/logo.jpg --create /media/data/private

Create a volume called 'private' with password, using cascade encryption and a directory as key file:
root@root [~]# truecrypt --password R00tS3c --keyfile /home/rootsec/documents --encryption AES-Twofish-Serpent --create /media/data/private

Create a volume called 'private' with password, key file, cascade and hash:
root@root [~]# truecrypt --password R00tS3c --keyfile /home/rootsec/mymovie.mpg --encryption Twofish-Serpent --hash SHA-1 --create /media/data/private

Create a key file called 'useme' using the RIPEMD-160 hash:
root@root [~]# truecrypt --keyfile-create --hash RIPEMD-160 /home/rootsec/useme

Add a key file to an existing volume called 'private':
root@root [~]# truecrypt --keyfile-add --change /home/rootsec/useme /media/data/private

Create a volume with a specific filesystem:
root@root [~]# truecrypt --filesystem ext3 --create /media/data/private

Create a volume called 'private' with a password and using a file as the random source instead of a hash:
root@root [~]# truecrypt --password R00tS3c --random-source /home/rootsec/drums.mp3 --create /media/data/private

Mount a volume called 'private' on /media/mystuff/:
root@root [~]# truecrypt /media/data/private /media/mystuff

Pass specific options to mount:
root@root [~]# truecrypt --mount-options ro /media/data/private /media/mystuff

The above will mount the truecrypt volume 'private' on /media/mystuff as read-only.

Create a volume with fixed space:
root@root [~]# truecrypt --size 200MB --create /media/data/private

The size can be given in KB, MB or GB; always include one of these, as just putting the number will return an error.

Create a hidden volume:
root@root [~]# truecrypt --create /media/mydisk
root@root [~]# truecrypt --type hidden --size 2GB --create /media/mydisk

As I said before, hidden volumes are created inside normal volumes; this is why we need to create a normal volume first. In this case (if you remember) /media/mydisk is where the example /dev/sda1 disk is mounted. Suppose that this disk is about 100GB; therefore, what we're doing here is creating a hidden volume of 2GB inside that disk of 100GB.

Every truecrypt volume is mapped to /dev/mapper/truecryptN where 'N' is a number starting from 0 and assigned by availability. Let's say that you create one truecrypt volume; it'll be mapped to /dev/mapper/truecrypt0. Then you create another one, which will be mapped to /dev/mapper/truecrypt1, then another that will be mapped to /dev/mapper/truecrypt2, and so on. You can change these numbers for others if you want to avoid the automatic mapping. This is useful when you have several truecrypt volumes and you need to know which is which:
root@root [~]# truecrypt --device-number 10 --create /media/data/private

This will map the truecrypt volume to /dev/mapper/truecrypt10.

Change a volume: Imagine that you created the volume private with a size of 10GB but now you see that you don't need it to be so big, so let's change that:
root@root [~]# truecrypt --size 5GB --change /media/data/private

When you're doing this, you don't need to specify the old values, just the new ones, so if we want to change the password we'll use:
root@root [~]# truecrypt --password R00tS3c2 --change /media/data/private

List all mapped (thus mounted) truecrypt volumes:
root@root [~]# truecrypt --list

Unmount a truecrypt volume:
root@root [~]# truecrypt --dismount /media/data/private

Unmount all truecrypt volumes at once:
root@root [~]# truecrypt --dismount

Check the description of a volume:
root@root [~]# truecrypt --properties /media/data/private

Remove a truecrypt volume: If it's a virtual volume, all you need to do is erase the file. For instance, if I wanted to remove the 'private' volume created in the previous examples, I'd use:
root@root [~]# rm /media/data/private

If you encrypted an entire partition or disk and you don't want it encrypted anymore, the only thing you can do is format it.

Finally, if you want to save or access data in a truecrypt volume, all you have to do is mount it and save the data to the mount point. For instance, if I created the volume 'private' and mounted it on /media/mystuff, all I need to do in order to save my information in the encrypted volume is copy (or move) the data to /media/mystuff.

Common problems

There are several common problems while using truecrypt, and most of them are related to the lack of kernel support, but for the sake of completeness, these are the most common errors:

- Mount Failed: Yeah, this is all you'll see while trying to mount the volume :P This error is caused because device mapper support or FUSE (depending on the truecrypt version used) isn't active.

- Wrong FS: So, you're going to mount the volume and it shows:
mount: wrong fs type, bad option, bad superblock on /dev/mapper/truecrypt0,
missing codepage or other error
In some cases useful info is found in syslog - try
dmesg | tail or so

When creating volumes (unless the --filesystem option is used), truecrypt creates them using the 'auto' filesystem which, for Linux purposes, doesn't work at all, so in order to avoid this error you'll need to create a filesystem in the volume like this:
root@root [~]# truecrypt --device-number 20 /media/data/private /media/mystuff && mkreiserfs /dev/mapper/truecrypt20

To actually create a file system on the truecrypt device, it first needs to be mapped; that's why you need to mount it first and immediately after create the file system you want. I used reiserfs but you can use whatever you like.
The '--device-number' option is optional; I used it because it's better if you want to control which device you're going to format.

- No free loopback device available: This error is caused by the lack of loop device support in the kernel (Device Drivers --> Block Devices --> Loopback device support).


So we've come to the end of this guide. I hope you liked it; I tried to be as specific as I could and tried to reach both those who know the tool and those who don't. However, this is not a strict guide, meaning that you can discuss, share, provide more examples of use or anything you like :)

Source - r00tsecurity
