# HowTo (v 1.0.2): TrueCrypt encryption: Windows XP and Linux

## Pergamon

TrueCrypt 4.0

Update: An ebuild is currently being tested at Bugs.Gentoo.Org. However, this still seems to be work in progress.

TrueCrypt is an ideal tool if you plan to exchange volume-based encrypted data between Windows and Linux. It allows you to create encrypted volumes within a file or partition and mount them from both Linux and Windows. The encrypted file system can reside, for example, within a file on a USB stick, or the entire USB stick can be an encrypted volume.

Additionally, TrueCrypt supports hidden encrypted volumes within an encrypted volume. Those hidden volumes can never be detected even if the password of the outer volume gets compromised - the hidden volume is indistinguishable from random data.

Currently, there is no ebuild available for TrueCrypt 4.0 (www.truecrypt.org).

This (hopefully soon obsolete) howto helps setting up truecrypt while there is no ebuild.

Manual compilation

First, go to the download page of truecrypt: http://www.truecrypt.org/downloads.php

and get the source code of truecrypt:

http://www.truecrypt.org/downloads/truecrypt-4.0-source-code.tar.gz

```
cd ~
mkdir truecrypt
cd truecrypt
# Unpack the source tarball you downloaded from truecrypt.org
gzip -dc <path-to-your-download>/truecrypt-4.0-source-code.tar.gz | tar xvf -
cd truecrypt-4.0/Linux
# Edit build.sh and replace occurrences of "- 1" with "-n 1", otherwise you will get warnings.
su
./build.sh
./install.sh
```

Choose /usr/bin as the installation path for the executables and /usr/share/man for the man files.

That's it.

Documentation

```
man truecrypt
```

explains how to use it.

There is excellent user documentation, which easily rivals the quality of commercial products, available at: TrueCrypt user guide

I tested with XP, created an encrypted file system on a USB stick, mounted it on Linux, and with

```
truecrypt /mnt/stick/my-encrypted-volume /mnt/crypt
```

files are easily accessible. 

Current limitations with Linux

Currently, there is one limitation of the Linux implementation: in order to create a new volume (either partition-based or within a file) you have to use Windows XP. Once a TrueCrypt volume is created, its file system and its contents can be changed with the Linux implementation.

Hopefully this howto is soon rendered obsolete by a nice truecrypt ebuild!

Changes

v 1.0.1: Corrected error concerning the possibility of creating new volumes with Linux

v 1.0.2: Link to ebuild in bug database

Last edited by Pergamon on Wed Nov 16, 2005 9:46 am; edited 2 times in total

----------

## gruemelmonster

*Quote:*

> Of course encrypted volumes can also be created with Linux

How do you do that??? I read that manpage and could not find anything about how to create a volume...

Maybe I'm just blind...

----------

## mahdi1234

The same problem is discussed in the main product's forum http://www.truecrypt.org/forum.php so I guess it doesn't work under Linux yet ;(.

----------

## Pergamon

Unfortunately it seems you are both right: for the moment it seems like truecrypt cannot create new volumes under Linux. So at this point we have to rely on Windows.

I change the howto to reflect this.

Thanks.

----------

## rschwarze

Hi,

I followed the howto and installed truecrypt. But when I try to mount a truecrypt file I get the following error:

```
truecrypt /media/MAXTORFAT32/crypto.tc /mnt/crypt
Enter password for '/media/MAXTORFAT32/crypto.tc':
truecrypt: No free loopback device available for file-hosted volume
```

any suggestions?

----------

## DOSBoy

Does your kernel have support for loopback filesystems?

----------

## Martux

*rschwarze wrote:*

> ...

I've got the same problem. The only fix seems to be mounting as root (even if you said users should be able to mount it)...

hth, marcus

----------

## rschwarze

Yes, with root it works.

----------

## webmaxx

I am able to mount a truecrypt volume as a normal user.

I'm using sudo and allowed my user account to execute mount (and put an alias in my ~/.bashrc).

With truecrypt --mount-options uid=<USERID> /.../truecrypt.tc /home/... the user can also fully access the files.

----------

## rschwarze

In the new version, 4.2, it's actually fully working under Linux!

Can someone consider making an ebuild? That would be great!

thanks, roman

----------

## mahdi1234

*rschwarze wrote:*

> In the new version, 4.2, it's actually fully working under Linux!
> 
> Can someone consider making an ebuild? That would be great!
> 
> thanks, roman

In fact there has already been an ebuild for quite a long time, recently updated to 4.2 - check https://bugs.gentoo.org/show_bug.cgi?id=112197

If you don't know how to use portage overlay search for something like gentoo + wiki + portage overlay.

----------

## rschwarze

I know how to use an overlay.

I would just like to have it in regular portage, and I thought, now that everything works without Windows, it would be possible to include it in portage.

edit: but thank you very much for pointing me to the ebuild :) it's still easier than installing it by hand.

btw: ebuild works great.

----------

## palmer

Anybody gotten it to create a file under linux?

truecrypt -c is stuck at the "enough entropy available in the kernel"

The % meter goes up to ~50%, then falls back to the single digits

The file is only 1 MB, and it has been running for ~20 mins

I have tried different hash and encryption algorithms

EDIT: It's been going for ~4 hours now

-palmem

----------

## vitaming

 *palmem wrote:*   

> Anybody gotten it to create a file under linux?
> 
> truecrypt -c is stuck at the "enough entropy available in the kernel"
> 
> The % meter goes up to ~50%, then falls back to the single digits
> ...

 

The message also said something like "press any keys or move the mouse to increase entropy".

For me the encryption also didn't start when I was logged in remotely - I had to go to the physical machine and hammer on the keyboard for quite a while :).

----------

## quag7

Thanks for the ebuild; I have it working here...

Creating a container:

```
[quag7@antarctica] /mnt/priv/cabinets : truecrypt -c testcabinet
Volume type:
 1) Normal
 2) Hidden
Select [1]: 1
Filesystem:
 1) FAT
 2) None
Select [1]: 2
Enter volume size (bytes - size/sizeK/sizeM/sizeG): 100M
Hash algorithm:
 1) RIPEMD-160
 2) SHA-1
 3) Whirlpool
Select [1]: 2
Encryption algorithm:
 1) AES
 2) Blowfish
 3) CAST5
 4) Serpent
 5) Triple DES
 6) Twofish
 7) AES-Twofish
 8) AES-Twofish-Serpent
 9) Serpent-AES
10) Serpent-Twofish-AES
11) Twofish-Serpent
Select [1]: 2
Enter password for new volume 'testcabinet':
Re-enter password:
Done: 99.42 MB  Speed: 6.77 MB/s  Left: 0:00:00
Volume created.
```

Container created:

```
[quag7@antarctica] /mnt/priv/cabinets : ls -al
total 102512
drwxr-xr-x  2 quag7 quagworks       4096 May 24 10:36 .
drwxrwx--- 15 quag7 restricted      4096 May 24 09:35 ..
-rw-r--r--  1 quag7 quagworks  104857600 May 24 10:36 testcabinet
```

Attempt to mount the container for formatting:

```
[root@antarctica] /mnt/priv/cabinets : truecrypt --filesystem ext3 ./testcabinet /mnt/cabinet
Enter password for '/mnt/priv/cabinets/./testcabinet':
mount: wrong fs type, bad option, bad superblock on /dev/mapper/truecrypt0,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so
truecrypt: Mount failed
```

However, mapping is accessible via /dev/mapper/truecrypt0 and the mount was just a partial failure.  Or at least, for our purposes, the mapping will allow formatting even though the mount technically failed.

Creating an ext3 filesystem on the container so it will mount:

```
[root@antarctica] /mnt/priv/cabinets : mke2fs -j /dev/mapper/truecrypt0
mke2fs 1.38 (30-Jun-2005)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
25688 inodes, 102396 blocks
5119 blocks (5.00%) reserved for the super user
First data block=1
13 block groups
8192 blocks per group, 8192 fragments per group
1976 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 38 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
```

First, ensure that everything is unmounted.  Even though the above message says the mount failed, truecrypt still thinks it is mounted since it is mapped:

```
[root@antarctica] /mnt/priv/cabinets : truecrypt -d
```

Mount the container:

```
[root@antarctica] /mnt/priv/cabinets : truecrypt ./testcabinet /mnt/cabinet/
Enter password for '/mnt/priv/cabinets/./testcabinet':
```

The container is ready for use:

```
[root@antarctica] /mnt/cabinet : ls -al
total 17
drwxr-xr-x  3 root root  1024 May 24 10:42 .
drwxr-xr-x 14 root root  4096 May 24 09:41 ..
drwx------  2 root root 12288 May 24 10:42 lost+found
```

Just to make sure we're looking at the container:

```
[root@antarctica] /mnt/cabinet : touch "We were somewhere around Barstow on the edge of the desert..."
[root@antarctica] /mnt/cabinet : ls -al
total 17
drwxr-xr-x  3 root root  1024 May 24 10:57 .
drwxr-xr-x 14 root root  4096 May 24 09:41 ..
-rw-r--r--  1 root root     0 May 24 10:57 We were somewhere around Barstow on the edge of the desert...
drwx------  2 root root 12288 May 24 10:42 lost+found
[root@antarctica] /mnt/cabinet : cd ..
[root@antarctica] /mnt : truecrypt -d
[root@antarctica] /mnt : cd cabinet/
[root@antarctica] /mnt/cabinet : ls -al
total 8
drwx------  2 quag7 quag7 4096 May 24 09:41 .
drwxr-xr-x 14 root  root  4096 May 24 09:41 ..
[root@antarctica] /mnt/cabinet :
```

So, Barstow and lost+found are gone (as should be normal since we unmounted the container), so this is now just an unused mountpoint; an empty directory.

Now, I remount and look at the directory of the container:

```
[root@antarctica] /mnt/priv/cabinets : truecrypt ./testcabinet /mnt/cabinet
Enter password for '/mnt/priv/cabinets/./testcabinet':
[root@antarctica] /mnt/priv/cabinets : cd /mnt/cabinet
[root@antarctica] /mnt/cabinet : ls -al
total 17
drwxr-xr-x  3 root root  1024 May 24 10:57 .
drwxr-xr-x 14 root root  4096 May 24 09:41 ..
-rw-r--r--  1 root root     0 May 24 10:57 We were somewhere around Barstow on the edge of the desert...
drwx------  2 root root 12288 May 24 10:42 lost+found
[root@antarctica] /mnt/cabinet :
```

Don't know if this is helpful to anyone.  I didn't get any messages related to entropy in the kernel, so I can't help with that unfortunately.  A 100 megabyte container took perhaps 10 or 15 seconds total to create on my Celeron 1 GHz, and formatted almost instantly.

I haven't used it long enough to have any comments on reliability.  The forums on the Truecrypt site suggest there may be a lot of instability yet, and a lot of problems, so don't feel too bad if you're one of those people.  I was personally thrown by the file system creation.  I used --filesystem ext3 when I issued truecrypt -c but this was not actually creating the filesystem; hence the traditional mke2fs -j command, which works fine.

However, container creation *does* work natively in Linux, at least on my machine.  Windows isn't necessary.

Make sure you have the latest ebuild from bugzilla and that you have Device Mapper support enabled in your kernel, as well as whatever filesystems you want to use for your containers:

```
Device Drivers
    Multi-Device Support
        <*> Device mapper support
```

----------

## palmer

*vitaming wrote:*

> The message also said something like "press any keys or move the mouse to increase entropy".
> 
> For me the encryption also didn't start when I was logged in remotely - I had to go to the physical machine and hammer on the keyboard for quite a while :).

 

During those 4 hours, I used the computer as normal (I typed ~1pg of homework, browsed the web, etc)

I think something's broken...

```
Device Drivers
    Multi-Device Support
        <*> Device mapper support
```

What kernel are you using?

I am using genkernel with 2.6.16-gentoo-r3

There is no multi-device support in the options

The ebuild wants to install sys-fs/device-mapper

-palmem

----------

## Gergan Penkov

Just using the ebuild from bugzilla, I have already been able to create three volumes with the Whirlpool hash and Serpent, without any problems, and they work just fine here.

I'm still not certain which hashes are better and which encryption algorithms to use; it would help if anyone could explain this a little bit better, as in the documentation there are only key lengths, which in fact does not mean anything.

----------

## Darknight

I'll just give you a few pointers, besides you probably don't need them anymore (someone else may benefit).

All that follows is IMHO with no assumption regarding its completeness...

Some of the "best" algorithms for encryption are: blowfish, twofish, aes, serpent, this list should more or less be in order of quickest->slowest and, to some extent secure->more secure.

As a general rule you will use blowfish for the stuff you don't want your roommate or mom to see (it's already overkill) or where speed is most needed.

Key length is an important factor, the bigger the key the more difficult decrypting becomes for an attacker. Always use the maximum key size for your chosen algorithm.

Most hashes work well, the "sha" series are among the most used.

----------

## ivanova

*rschwarze wrote:*

> Hi,
> 
> I followed the howto and installed truecrypt. But when I try to mount a truecrypt file I get the following error:
> 
> ...

 

Make sure the loop module is loaded with:

```
modprobe loop
```

----------

## fire-fly

Hi quag7

I did as you mentioned,

```

[root@antarctica] /mnt/priv/cabinets : truecrypt ./testcabinet /mnt/cabinet/

Enter password for '/mnt/priv/cabinets/./testcabinet':

```

However, the ownership becomes root, although I log in as an ordinary user.

How do I mount it with other ownership?

By the way I am using FC4

Thanks in advance.

Cheers

Fire-fly

----------

## ronmon

Can't get any decent help in the Fedora forums? No big surprise there :)

Here's how I mount mine as a user in the "adm" group and assign rwx permissions to that group.

First, I edited my sudoers with "visudo" and added this:

```
# Truecrypt
%adm    localhost=(root) NOPASSWD: /usr/bin/truecrypt /home/vcr/v /home/vcr/m,/usr/bin/truecrypt -d
%adm    localhost=(root) NOPASSWD: /usr/bin/chgrp adm /home/vcr/m,/usr/bin/chmod 770 /home/vcr/m
```

Then, I simplified things with a couple aliases in my ~/.bashrc:

```
alias con="sudo truecrypt /home/vcr/v /home/vcr/m && \
            sudo chgrp adm /home/vcr/m && \
            sudo chmod 770 /home/vcr/m"
alias cof="sudo truecrypt -d"
```

You'll get prompted for the truecrypt password. Of course you need to adjust those to point to wherever you have set up your truecrypt volume and mountpoint.

----------

## saturday

I did "chmod 4755 /usr/bin/truecrypt" to be able to mount truecrypt volumes as user.

But I don't think that's a recommended way to do it. There may be security concerns, but I don't know enough about it to be able to evaluate this.

----------

## fire-fly

Hi Ronmon,

Thanks for the suggestions, I will try them later, a bit busy with my work.

Anyway, I forgot to mention I compiled with the option that users are able to do the mounting.

I believe it is a bug when mounting ext3,

because truecrypt -d works with FAT!

I will update you guys

Thanks!

----------

## ronmon

Linux file systems understand permissions, FAT does not. That's the difference. Using setuid is not a good idea, for security reasons.
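The loop-device, device-mapper, entropy and setuid/sudoers points raised across this thread, gathered into one preflight script. This is an added example by the editor, not code from any poster; it assumes /usr/bin/truecrypt and /etc/sudoers as defaults, overridable by the two positional arguments.

```shell
#!/bin/sh
# Editor's added example (not code from any poster in this thread).
# Preflight checks for the Linux-side problems raised in this thread:
#   - rschwarze's "No free loopback device" (loop driver missing),
#   - quag7's requirement for device-mapper support in the kernel,
#   - palmer's stall waiting for kernel entropy during "truecrypt -c",
#   - saturday's "chmod 4755" versus ronmon's restricted sudoers rule.
# File-based checks take a path argument so they can be exercised on
# constructed files; the others inspect the running kernel.

# Is the loop driver available (built in or loaded as a module)?
loop_available() {
    [ -e /dev/loop0 ] || [ -d /sys/module/loop ] \
        || grep -qw loop /proc/modules 2>/dev/null
}

# Is device-mapper support available (built in or dm_mod loaded)?
dm_available() {
    [ -e /dev/mapper/control ] || grep -qw dm_mod /proc/modules 2>/dev/null
}

# Bits of entropy the kernel currently has (0 if the file is unreadable).
entropy_bits() {
    cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0
}

# Returns 0 if the given binary carries the setuid bit (saturday's chmod 4755).
is_setuid() {
    [ -u "$1" ]
}

# Returns 0 if a non-comment line of the given sudoers file grants truecrypt
# with a "*" argument. Such a rule lets the user run truecrypt as root with
# any arguments (any volume, any mount point); ronmon's rule pins the paths.
sudoers_truecrypt_wildcard() {
    grep -E '^[^#]*truecrypt[^,#]*\*' "$1" >/dev/null 2>&1
}

# Report on the real system; returns 0 only when every check is clean.
preflight() {
    bin=${1:-/usr/bin/truecrypt}
    sudoers=${2:-/etc/sudoers}
    rc=0
    if loop_available; then echo "ok:   loop driver present"
    else echo "warn: no loop driver (try: modprobe loop)"; rc=1; fi
    if dm_available; then echo "ok:   device-mapper present"
    else echo "warn: no device-mapper (enable Device mapper support)"; rc=1; fi
    echo "info: kernel entropy pool: $(entropy_bits) bits"
    if [ -e "$bin" ] && is_setuid "$bin"; then
        echo "warn: $bin is setuid; prefer a restricted sudoers rule"; rc=1
    fi
    if [ -r "$sudoers" ] && sudoers_truecrypt_wildcard "$sudoers"; then
        echo "warn: $sudoers grants truecrypt with '*' arguments"; rc=1
    fi
    return $rc
}

preflight "$@" && echo "all checks clean"
```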

----------

## smypee

I successfully created an encrypted volume (with no file system). I can mount this volume, but when I try to format it using

```
mke2fs -j /dev/mapper/truecrypt0
```

my system freezes hard. The only thing I can do is reset the machine. The encrypted volume is located on a USB disk.

----------

## PaulBredbury

The workaround for the system freeze during mkfs.ext2 is to run this before the mkfs command:

```
export MKE2FS_SYNC=1
```

It's still unclear as to where the bug lies :(

Edit: Changed 10 to 1, because it still hangs with 10. Strangely, mkfs.reiserfs works OK, so maybe it's a bug in mkfs.ext2? mkfs.ext3 still freezes, even with the above command :?

----------

## Ramblurr

I would like to use my truecrypt key in a mobile setting on both windows and linux machines.. that might not necessarily have TC installed.

Does anyone know if this is doable?

I was thinking of something along the lines of a small unencrypted partition, fat32 probably, that would hold TC binaries for 32/64-bit Linux, and a Windows binary. Then of course the rest of the drive would be a TC volume. Is this possible?

I'd imagine TC would have to be statically linked, but I don't know if you can do that.

----------

## Havin_it

*Ramblurr wrote:*

> I would like to use my truecrypt key in a mobile setting on both windows and linux machines.. that might not necessarily have TC installed.
> 
> Does anyone know if this is doable?
> 
> I was thinking of something along the lines of a small unencrypted partition, fat32 probably, that would hold TC binaries for 32/64-bit Linux, and a Windows binary. Then of course the rest of the drive would be a TC volume. Is this possible?
> ...

 

I think this couldn't be very reliably portable because it needs a kernel driver to operate; so you need to be able to install a driver on the Windows side, and on the Linux side you might need to actually build it against the host kernel...

Now, a question of my own.  Is there any known/reliable way that you could make your homedir on a truecrypt volume?  It seems you would need to be able to mount the volume at the KDM (or whatever -DM) stage, before login processes begin that need access to the homedir.  PAM maybe?  Any info welcome!

----------

## Havin_it

I've moved on from the encrypted homedir idea for now, and settled for symlinking the sensitive files (Quanta Plus configfile containing site passwords was the main one) to locations inside the TC volume.  There's nothing really sensitive that needs to be there at login.  I'd still be interested in any thoughts on the issue, but purely as a theoretical discussion.

Since we still lack a TrueCrypt GUI for Linux (well, I couldn't find one) here's a small script I wrote that I use on KDE login to mount my TC volume.  It uses kde-base/kdialog (sorry Gnomers) so it's not necessary to pop up a terminal to run it.  Just fill the variables at the top with the volume path and mountpoint, and put in a file (or symlink/shortcut to a file) in ~/.kde/Autostart/

```
#!/bin/sh

# Set TrueCrypt volume or image path
TC_VOL=/path/to/tc_vol_or_img

# Set mount point
TC_MNT=/mnt/tc_mount_point

# Keep asking until the mount point shows up in the mount table
while ! mount | grep -q "$TC_MNT"; do
        PW=$(kdialog --password "Please enter the TrueCrypt password:")
        if [ -z "$PW" ]; then
                kdialog --warningcontinuecancel "Password not given!\nTry again?" || exit 1
                continue
        fi
        # The password is passed on the command line, so it is visible in the
        # process list (ps) while truecrypt runs; quoting keeps spaces intact.
        if ! sudo truecrypt --password="$PW" "$TC_VOL" "$TC_MNT"; then
                kdialog --warningcontinuecancel "Incorrect password!\nTry again?" || exit 1
        fi
done

kdialog --passivepopup "Volume $TC_VOL mounted at $TC_MNT" 3
```

Also don't forget that truecrypt will need you to use sudo, so add this line to /etc/sudoers using visudo command:

```
myusername ALL=NOPASSWD:/usr/bin/truecrypt *
```

Comments/improvements are welcome.  As for umounting, all mounted truecrypt volumes are dismounted at shutdown anyway, but if you specifically want to umount on logoff, put a script or shortcut in ~/.kde/shutdown (create this dir if it doesn't exist) containing the one-liner "sudo truecrypt -d".

----------

## ahubu

First of all, thanks for the nice tutorial. My question concerns the creation of a FAT32 filesystem on a truecrypt volume in Linux. I know it is possible by going into Windows and using TrueCrypt to create a FAT32 partition there. My question is whether it is possible to make the FAT32 partition in Linux, without having to boot into Windows? IIRC parted (and maybe fdisk) are able to make FAT32 filesystems.

edit: oh, I was quick and restless. When running "truecrypt -c" it asks for filesystems and FAT is an option... So to answer my own question: yes. :)

----------

## Ramblurr

 *Havin_it wrote:*   

> I've moved on from the encrypted homedir idea for now, and settled for symlinking the sensitive files (Quanta Plus configfile containing site passwords was the main one) to locations inside the TC volume.  There's nothing really sensitive that needs to be there at login.  I'd still be interested in any thoughts on the issue, but purely as a theoretical discussion.
> 
> Comments/improvements are welcome.  As for umounting, all mounted truecrypt volumes are dismounted at shutdown anyway, but if you specifically want to umount on logoff, put a script or shortcut in ~/.kde/shutdown (create this dir if it doesn't exist) containing the one-liner "sudo truecrypt -d".

 

Have you considered using dm-crypt for partition encryption?

----------

## Havin_it

 *Ramblurr wrote:*   

> Have you considered using dm-crypt for partition encryption?

 

Can't say as I have; the partition I encrypted is to be used from both Gentoo and WinXP installs, so it has to be TrueCrypt for me really.  Were this not the case though, what would be the advantages?

----------

