Update, 1 June 2007: Version 4.3a, released May 2007, removes support for SUID.
I’ve been using TrueCrypt to encrypt financial and personal documents in Windows for a while now and it has worked just fine for the way I want to use it. I’m doing file-based encryption where you mount a single file as a virtual volume that appears as a normal drive in Windows. I knew there was a GNU/Linux version, so it seemed like a logical choice to use for the same purposes in the free world.
TrueCrypt is free-as-in-freedom (according to my hearsay understanding of the license), but the TrueCrypt Foundation behind it is apparently kind of secretive and closed with its development processes. I’m not sure how much of a concern this should be for me.
I briefly looked at dm-crypt/cryptsetup/LUKS but shied away from them for now since they don’t appear to be as mature and also since I don’t see that they use a file-based method and I don’t want to figure out more complicated methods at the moment (more complicated in my eyes, anyway). I’m trying to get some momentum going for the overall move and that means avoiding quagmires of new learning where possible.
(Update, 21 Feb 2007: Well, maybe just one new learning jaunt…)
So TrueCrypt it was. There is no GUI in the GNU version yet, but that was ok with me. It has helped that I’ve used the Windows version for a while so I knew what to look for and expect. It appears that there is some compatibility between GNU and Windows versions, but not really. I could take a volume created on GNU and open it in Windows and read files, but if I wrote files to it in Windows, they didn’t appear when I opened it back up in GNU. Maybe there is a way this could work, but it’s not important for me to have this feature so I let it go.
Overall the process went pretty smoothly. I started working on this in Fedora and got hung up on an error, switched to working on Ubuntu where I had more luck, and then got it going in Fedora also. My current strategy is to make things work in both distributions as much as possible. I don’t want to become overly tied to one system. I did have one mishap that I wrote about in a previous post.
And now, the blow by blow account…
Getting and Installing
TrueCrypt has several downloads for different “stock” versions of Fedora and Ubuntu. I’m hoping to stay with the stock version for a long, long time. It’s bewildering and intimidating to read about compiling custom kernels and sources for programs like TrueCrypt. Some day I want to know that stuff, but for now, it’s kind of scary. I can picture this Frankenstein system cobbled together on little customizations and all of it hanging together by a very delicate suture from a mad scientist. I fear that customizing the kernel could have a ripple effect that would cause me days and weeks of rebuilding everything in my system. That might be unfounded, but it’s my fear all the same.
Both the .rpm for Fedora Core 5 and the .deb for Ubuntu 6.10 (Edgy Eft) installed with no problems. This gave me
/usr/bin/truecrypt. (I eventually created an alias called
tc, because “truecrypt” is kind of hard to type.)
/usr/bin/truecrypt --create test.tc
I started by using the root user in Fedora. (Root privileges are required; later I’ll look in to how you can run as a normal user.) I went with a normal volume, FAT filesystem (the other interactive option is “none”), etc., etc.
Let’s try mounting this thing!
truecrypt test.tc test_mnt_dir
Error! “No free loopback device available for file-hosted volume”
Oh oh. I searched on that term and truecrypt, which further led to searches on [fedora loopback], and I felt the icy tingling of despair. Much talk of extensive configuration file changes and kernel compiling, and lots of esoteric discussions of loopbacks, and I really did not want to deal with that stuff.
Update, 25 April 2007: Removing some intemperate remarks about the relative difficulty of Windows versus GNU/Linux. The comments section reflects the resulting discussion from this part. It will now be read as a bit disconnected from the post content, but I’d rather not let the rant remain here where it detracts from what I hope is a decent guide to TrueCrypt in GNU/Linux. And I don’t think for a moment I can hide my imprudence. With any luck, the Internet Archive will have frozen that moment in time. :-)
Anyway, back to the narrative. The loopback brick wall caused me to flee in to the arms of another distribution. I decided to try on Ubuntu before investing more time. I’d return to Fedora, but this is one of the benefits of working on both systems concurrently: you learn things that help you out in both places.
sudo truecrypt test.tc test_mnt_dir
Success! I created a test file in the mounted volume.
Now, be careful. This:
truecrypt --dismount test.tc
Didn’t give an error in Ubuntu, but it didn’t dismount the volume. I was missing the sudo. At first I thought I hadn’t even mounted it in the first place, that the mount had failed with no error and I just created a regular file in the directory. But when I couldn’t change ownership on test_mnt_dir (“Operation not permitted”), I got a clue. I dismounted with sudo and that did the job. Checked the dir and no file, so it must be part of the test.tc file, as I confirmed by remounting it. Woo hoo!
Ok, now let’s figure out how to run this thing as a regular user. For one, because mounting with sudo would make root be the user and the group for the mounted volume, and I couldn’t change that. That obviously wouldn’t do. And I think in general you want to run these things as a regular user if possible.
The readme instructions inside the install tar file say:
TrueCrypt requires administrator (root) privileges. If you intend to
use TrueCrypt from a user account, you should execute the following command
as an administrator:
chmod u+s /usr/bin/truecrypt
I ran the command, which sets the SUID bit on the file, and then tried:
truecrypt test.tc test_mnt_dir
That worked: it let me mount the volume with my regular user account, but the folder still had root as the owner. (It did have my group now, though.)
Update, 1 June 2007: Version 4.3a, released May 2007, removes support for SUID. Haven’t experimented yet to see what options that leaves for ownership/permissions.
A little more investigation got me this:
truecrypt --user-mount test.tc test_mnt_dir
And that took care of the permissions. I had achieved usability in Ubuntu!
Going back to Fedora, I found that setting SUID on the truecrypt executable and running as a normal user took care of the loopback problem there, and everything else worked as it had in Ubuntu, so that was a happy ending also.
I wanted to know what was the risk of using
chmod u+s /usr/bin/truecrypt to give access to ordinary users, so I looked in to that a bit. I need to learn more, but I’ve written about my initial investigation already, including my attempt to render the machine inoperable.
As mentioned above, support for SUID has been removed, I guess to avoid all the associated risks.
I wanted to see about specifying a non-FAT filesystem with
--filesystem, but couldn’t figure out how that worked. In any case, FAT seems to work fine and appears to work with Unix file permissions correctly, so I’ll let that one go.
Backing Up Volume Headers
I had gotten in the habit of backing up volume headers in the Windows version and it seemed like it would be a good idea here also, so I verified that it worked as expected:
truecrypt --backup-headers test_backup.tch test.tc
Change the password:
truecrypt --change test.tc
Verify the new password works when mounting the volume, then dismount, and:
truecrypt --restore-header test_backup.tch test.tc
Verify the old password works again.
And there you have it…
Another brick in the wall.