Posted by jaalto on Fri 9 Mar 2007 at 13:56
Truecrypt is Open Source disk encryption software that uses the concept of containers to store encrypted data. The nice thing about Truecrypt is that the containers (or volumes) can be read transparently under Linux and Windows. Here are step-by-step instructions on how to use the truecrypt-installer utilities to get Truecrypt running with a minimum of effort.
Last time we talked about a patch to make truecrypt 4.2a support later kernel versions. The follow-up article guided you through the manual process of converting Truecrypt sources into *.deb packages.
But we can do even better.
The Truecrypt license does not currently comply with the Debian Free Software Guidelines (DFSG, see keyword free), so it cannot be directly packaged for Debian or distributed by official Debian repositories. To help with this, I wrote a couple of utilities to take care of downloading the sources, assembling the build structure with bzr and producing the packages.
Instead of manually creating Debian packages, here we see how the truecrypt-installer utilities can simplify things.
PREPARATIONS FOR THE BUILD PROCESS
At the time of writing (2007-03-07) the utilities did not try to handle installing or configuring the kernel sources, so a few preparation steps are necessary.
1) Install the linux-source-* and linux-kbuild-* packages that match the currently running kernel.
$ uname -a
$ apt-cache search 'linux-source|linux-kbuild'
$ KVER=$(uname -r | sed 's/-.*//')
$ apt-get install linux-source-$KVER linux-kbuild-$KVER
2) Prepare the Linux kernel. You don't need to compile anything, but let menuconfig generate a few files for the CPU architecture.
$ cd /usr/src
$ tar -jxf linux-source-$KVER*.bz2
$ cd /usr/src/linux-source-$KVER
$ make menuconfig
...press TAB and select "Exit"
Do you wish to save your new kernel configuration?
...Press TAB and select "Yes" to write ".config" file
USING TRUECRYPT-INSTALLER UTILITIES
1) After completing the preparations above, install the truecrypt-installer package. The lines here make sure the latest *.deb package is downloaded. Alternatively, you can point the browser to the URL and manually pick the latest version.
$ url=http://debian.cante.net/truecrypt-installer
$ file=$(wget -qO - $url | grep -Eo 'truecrypt-installer[^"]+\.deb' | tail -1)
$ wget $url/$file
$ dpkg -i truecrypt-installer*.deb
2) Start the Truecrypt source downloader:
$ truecrypt-download
3) Now build the Debian packages:
$ truecrypt-dpkg
4) Install the packages. The order is important, kernel module first, and the rest after that:
$ dpkg -i /usr/src/truecrypt-{modules-2,modules-modprobe,doc,cli}*.deb
The truecrypt-modules-modprobe*.deb package takes care of configuring truecrypt to be loaded at boot by modifying /etc/modules. It also activates the module immediately. You can check the current module status:
$ lsmod | grep truecrypt
truecrypt 148452 0
dm_mod 50232 4 truecrypt,dm_snapshot,dm_mirror,dm_crypt
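For the installer download in step 1, the file name scraped from a plain-HTTP index page goes straight to wget and then to dpkg -i as root. The added example below (not part of the original article or of truecrypt-installer) accepts only names that fit Debian's name_version_arch.deb convention, picks the highest version instead of the last line of the listing, and prints the checksum, control data and file list for review before installation. The function names, the name pattern and the sample index are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of truecrypt-installer. Assumption: package files
# follow Debian's name_version_arch.deb naming convention.

# Read an index page on stdin and print the newest acceptable package name.
# The second grep matches whole lines only, so names carrying paths, query
# strings or shell syntax are dropped before anything reaches wget.
pick_latest_deb() {
    grep -Eo 'truecrypt-installer[^"<> ]+\.deb' |
    grep -Ex 'truecrypt-installer_[A-Za-z0-9.+~-]+_[a-z0-9-]+\.deb' |
    sort -u -V |    # version order, so 0.10 sorts after 0.9
    tail -n 1
}

# Constructed index page for the demonstration (not real server output).
sample_index() {
    cat <<'EOF'
<a href="truecrypt-installer_0.10_all.deb">truecrypt-installer_0.10_all.deb</a>
<a href="truecrypt-installer_0.2_all.deb">truecrypt-installer_0.2_all.deb</a>
<a href="truecrypt-installer_0.9_all.deb">truecrypt-installer_0.9_all.deb</a>
<a href="truecrypt-installer_9.9_all.deb?redirect=x.deb">mirror</a>
<a href="truecrypt-installer/../../tmp/x.deb">other</a>
EOF
}

# Download the chosen package and show what it would install.
# Run dpkg -i only after reviewing this output.
fetch_for_review() {
    index_url=$1
    deb=$(wget -qO - "$index_url" | pick_latest_deb)
    [ -n "$deb" ] || { echo "no acceptable package name found" >&2; return 1; }
    wget -q "$index_url/$deb" || return 1
    sha256sum "./$deb"            # record exactly which file was reviewed
    dpkg-deb --info "./$deb"      # control data and maintainer scripts
    dpkg-deb --contents "./$deb"  # files that dpkg -i would unpack
}

# Demo on the constructed index; prints truecrypt-installer_0.10_all.deb
sample_index | pick_latest_deb
```

Reviewing the package narrows what gets installed but does not authenticate the download, since the index and the package arrive over the same unauthenticated HTTP connection.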
UPGRADES
After performing a kernel upgrade, the steps to repeat are:
TRUECRYPT CONTAINERS
The following is just a crash course, and you should read the manual to understand what all the options and commands do.
We use ext3 inside the container, because it preserves file attributes and gives portability to Windows. If you only store data and do not care about proper permissions, FAT might be an easier route (you can skip step 2).
1) Create a 500M container, which fits on a standard CD-RW. Twofish is relatively fast compared to AES-256; on the other hand, AES is relatively stronger -- but then again, a proper password will compensate for this.
$ truecrypt --encryption Twofish --hash SHA-1 \
--type normal --keyfile "" --size 500M --create test.tc
Filesystem:
1) FAT
2) None
Select [1]: 2
2) Create a filesystem inside the container. You must be root to create the filesystem. Basically, the commands map the container through devmapper temporarily and then release it when the filesystem has been made.
$ su - root
$ truecrypt -N 9 test.tc    # Pick free number: ls -1 /dev/mapper/
$ ls -l /dev/mapper/true*    # You see truecrypt9
$ mkfs -t ext3 /dev/mapper/truecrypt9
$ truecrypt --dismount /dev/mapper/truecrypt9
3) Mount the container and use it as usual.
$ mkdir mountpoint
$ truecrypt test.tc mountpoint
Password: .......
This article can be found online at the Debian Administration website at the following bookmarkable URL:
This article is copyright 2007 jaalto - please ask for permission to republish or translate.