Update, 1 June 2007: Version 4.3a, released May 2007, removes support for SUID.
I’ve been using TrueCrypt to encrypt financial and personal documents in Windows for a while now and it has worked just fine for the way I want to use it. I’m doing file-based encryption where you mount a single file as a virtual volume that appears as a normal drive in Windows. I knew there was a GNU/Linux version, so it seemed like a logical choice to use for the same purposes in the free world.
TrueCrypt is free-as-in-freedom (according to my hearsay understanding of the license), but the TrueCrypt Foundation behind it is apparently kind of secretive and closed with its development processes. I’m not sure how much of a concern this should be for me.
I briefly looked at dm-crypt/cryptsetup/LUKS but shied away from them for now since they don’t appear to be as mature and also since I don’t see that they use a file-based method and I don’t want to figure out more complicated methods at the moment (more complicated in my eyes, anyway). I’m trying to get some momentum going for the overall move and that means avoiding quagmires of new learning where possible.
(Update, 21 Feb 2007: Well, maybe just one new learning jaunt…)
So TrueCrypt it was. There is no GUI in the GNU version yet, but that was ok with me. It has helped that I’ve used the Windows version for a while so I knew what to look for and expect. It appears that there is some compatibility between GNU and Windows versions, but not really. I could take a volume created on GNU and open it in Windows and read files, but if I wrote files to it in Windows, they didn’t appear when I opened it back up in GNU. Maybe there is a way this could work, but it’s not important for me to have this feature so I let it go.
Overall the process went pretty smoothly. I started working on this in Fedora and got hung up on an error, switched to working on Ubuntu where I had more luck, and then got it going in Fedora also. My current strategy is to make things work in both distributions as much as possible. I don’t want to become overly tied to one system. I did have one mishap that I wrote about in a previous post.
And now, the blow by blow account…
Getting and Installing
TrueCrypt has several downloads for different “stock” versions of Fedora and Ubuntu. I’m hoping to stay with the stock version for a long, long time. It’s bewildering and intimidating to read about compiling custom kernels and sources for programs like TrueCrypt. Some day I want to know that stuff, but for now, it’s kind of scary. I can picture this Frankenstein system cobbled together on little customizations and all of it hanging together by a very delicate suture from a mad scientist. I fear that customizing the kernel could have a ripple effect that would cause me days and weeks of rebuilding everything in my system. That might be unfounded, but it’s my fear all the same.
Both the .rpm for Fedora Core 5 and the .deb for Ubuntu 6.10 (Edgy Eft) installed with no problems. This gave me /usr/bin/truecrypt. (I eventually created an alias called tc, because “truecrypt” is kind of hard to type.)
Using
Now:
/usr/bin/truecrypt --create test.tc
I started by using the root user in Fedora. (Root privileges are required; later I’ll look in to how you can run as a normal user.) I went with a normal volume, FAT filesystem (the other interactive option is “none”), etc., etc.
Let’s try mounting this thing!
truecrypt test.tc test_mnt_dir
Error! “No free loopback device available for file-hosted volume”
Fretting
Oh oh. I searched on that term and truecrypt, which further led to searches on [fedora loopback], and I felt the icy tingling of despair. Much talk of extensive configuration file changes and kernel compiling, and lots of esoteric discussions of loopbacks, and I really did not want to deal with that stuff.
Update, 25 April 2007: Removing some intemperate remarks about the relative difficulty of Windows versus GNU/Linux. The comments section reflects the resulting discussion from this part. It will now be read as a bit disconnected from the post content, but I’d rather not let the rant remain here where it detracts from what I hope is a decent guide to TrueCrypt in GNU/Linux. And I don’t think for a moment I can hide my imprudence. With any luck, the Internet Archive will have frozen that moment in time. :-)
Resuming
Anyway, back to the narrative. The loopback brick wall caused me to flee in to the arms of another distribution. I decided to try on Ubuntu before investing more time. I’d return to Fedora, but this is one of the benefits of working on both systems concurrently: you learn things that help you out in both places.
Ubuntu:
sudo truecrypt test.tc test_mnt_dir
Success! I created a test file in the mounted volume.
Now, be careful. This:
truecrypt --dismount test.tc
Didn’t give an error in Ubuntu, but it didn’t dismount the volume. I was missing the sudo. At first I thought I hadn’t even mounted it in the first place, that the mount had failed with no error and I just created a regular file in the directory. But when I couldn’t change ownership on test_mnt_dir (“Operation not permitted”), I got a clue. I dismounted with sudo and that did the job. Checked the dir and no file, so it must be part of the test.tc file, as I confirmed by remounting it. Woo hoo!
Ok, now let’s figure out how to run this thing as a regular user. For one, because mounting with sudo would make root be the user and the group for the mounted volume, and I couldn’t change that. That obviously wouldn’t do. And I think in general you want to run these things as a regular user if possible.
The readme instructions inside the install tar file say:
TrueCrypt requires administrator (root) privileges. If you intend to
use TrueCrypt from a user account, you should execute the following command
as an administrator:
chmod u+s /usr/bin/truecrypt
I ran the command, which sets the SUID bit on the file, and then tried:
truecrypt test.tc test_mnt_dir
That worked: it let me mount the volume with my regular user account, but the folder still had root as the owner. (It did have my group now, though.)
Update, 1 June 2007: Version 4.3a, released May 2007, removes support for SUID. Haven’t experimented yet to see what options that leaves for ownership/permissions.
Working!
A little more investigation got me this:
truecrypt --user-mount test.tc test_mnt_dir
And that took care of the permissions. I had achieved usability in Ubuntu!
Going back to Fedora, I found that setting SUID on the truecrypt executable and running as a normal user took care of the loopback problem there, and everything else worked as it had in Ubuntu, so that was a happy ending also.
Security Concerns
I wanted to know what was the risk of using chmod u+s /usr/bin/truecrypt to give access to ordinary users, so I looked in to that a bit. I need to learn more, but I’ve written about my initial investigation already, including my attempt to render the machine inoperable.
As mentioned above, support for SUID has been removed, I guess to avoid all the associated risks.
Miscellaneous
I wanted to see about specifying a non-FAT filesystem with --filesystem, but couldn’t figure out how that worked. In any case, FAT seems to work fine and appears to work with Unix file permissions correctly, so I’ll let that one go.
Backing Up Volume Headers
I had gotten in the habit of backing up volume headers in the Windows version and it seemed like it would be a good idea here also, so I verified that it worked as expected:
truecrypt --backup-headers test_backup.tch test.tc
Change the password:
truecrypt --change test.tc
Verify the new password works when mounting the volume, then dismount, and:
truecrypt --restore-header test_backup.tch test.tc
Verify the old password works again.
And there you have it…
Another brick in the wall.
Next up:
VNC for remote access so I can move the Ubuntu box off my desk, and rsync for backups.
19 Comments
What I don’t get: although you know that your problem on Fedora were the strict security defaults (with SUID everything worked) you write stuff like “GNU/Linux is more work than Windows”.
Why?
You let the reader alone with the feeling that there might be very terrible problems with loopback (well, yes, there can be, but when you use more than 8 loopbacks at a time you have a problem anyway) and that getting encryption going on is a very big problem.
The fact that you had problems just because Fedora was more concerned about security defaults is put in a sub paragraph a page later.
Sorry, but that’s something I do not like at all: if you have some specific action going on you want to describe a good style is to write the source of the action close to the paragraph about the section, not a page later. Your style leaves the reader with mixed feelings instead of a clear mind about the pro and cons.
Also, please be reasonable about the source and action: if the truecrypt guys do not release a GUI for Linux, it’s there fault. It is not the fault of Linux in general. Your “GNU/Linux is more work than Windows” implies that this is the fact in general. That’s not true because for example LUKS-encrypted devices are supported by gnome with a GUI. You plug the device in (like an external hard disk) and are prompted with a nice GUI which queries a password.
Try that on other operating systems…
Anyhow, a technical remark: using formatted containers has shortcomings: you have a pre-fixed storage size and you cannot copy the files easily (you need to create another container). Other solutions work on a file by file encryption technique which is more suitable imo in case you do not want to encrypt whole partitions. One way is to use EncFS, another is to use eCryptFS (on Linux, at least).
You might want to have a look at them as well.
11 February 2007 at 6:48 am
Thank you very much for your comments.
Sometimes when I write about difficulty of Windows versus GNU/Linux, I qualify it by saying that I’ve been using Windows for a long time and maybe it just doesn’t *seem* that hard anymore, even though in some ways it still is. But even so, I think you have to tinker with and pick up a lot more knowledge to get things working. Installing and running TrueCrypt was much simpler in Windows (even allowing for the lack of a GUI, which I’ll say more about).
And you give me too much credit: I still didn’t understand that the loopback problem had anything to do with security. I thought it was some kind of fluke that it didn’t work with root, although it makes sense now that you put it that way and I should have connected the dots. Still, it was looking pretty gory and esoteric as I started reading about loopbacks and various things that people were saying needed to be done.
If I understood it that way, I agree that it makes sense to put the information together with the original problem. As it was, I went with the narrative of how I did things. (I’ll add an update after I type this comment.)
For the lack of GUI, I absolutely attribute that to the TrueCrypt guys. Using the command line wasn’t the reason I was complaining about difficulty. (I had said that the command line was ok with me.)
It was more the unexpected glimpse of the void when trying to get something working that had “just worked” in Windows. Again I could get in to a lot of qualifications. I understand one of the reasons things “just work” more in Windows (in my experience!) is that the security defaults are weaker. But it’s also true (I think) that there are a lot more one-click installations and less compatibility issues. (And less tinkering with arcane configuration files.)
GNU/Linux is getting better all the time, though, for impatient Windows guys like me. I’ve been lurking around and have tried migrating several times since 1999 and this time I think I have a chance. It’s also not that I’m opposed to learning it, but in trying to balance time for many things, and rapidly turning in to an old fart, I fantasize about things being easier. :-)
I didn’t realize there were some graphical tools already built in to GNOME for encryption — this tool will also let you set up the device? Can you point me to it? A cursory look just now didn’t turn it up for me.
I agree about the shortcoming of using a file container (especially the fixed size), but it has worked well for me in the case of working with certain sets of files. Thanks for the pointers to other options — I’ll keep them in my back pocket. I’ve also used GPG quite a bit (from the command line, no less!) :-) I’d like to diversify here but at the same time I’m trying to accelerate the pace of my move over to GNU and there are so many different areas to start learning that I’m avoiding delving too much in to each thing.
Thanks again for your thoughtful feedback.
11 February 2007 at 8:19 am
About the GUI things in GNOME: they do not let you set it up! But once you have set up a device, or if you get a removable device from someone else, and plug the device in Gnome will query you for the password with a nice dialog:
http://people.freedesktop.org/~david/gnome-luks-integration.png
Again, the drive must be set up before!
The other possibility i like most is to use a transparent cryptographic overlay connected with PAM. That is indeed (atm) difficult to set up, but once you did that you do not even see the encryption anymore. Every time you log in PAM decrypts the directoy for you without you even noticing.
Anyway, about the security stuff and the difficulties: I just read from your post that the mechanism didn’t work on Fedora in the first run because of the missing SUID – nothing else! And that looks at least to me like a security configuration. Fedora is pretty closed down for a “normal” distribution (keep in mind SELinux is running in background all the time, for example) so that doesn’t really surprise me.
So far…
11 February 2007 at 11:25 am
If you know a bit about command line (and not afraid to use it), as well as the hardware of your PC, compiling a kernel is a piece of cake.
Once you do it, you’ll realise and question why was it hard in the first place!
Anyway, I wonder if anyone has used TrueCrypt in a server environment?
11 February 2007 at 4:35 pm
Thanks, ab. I’m sure I’ll get there some day, but I’m hoping to put it off until much later. :-)
12 February 2007 at 3:03 pm
Thank you for this tutorial. The truecrypt guys should be ashamed of themselves for not including one in the docs.
Thanks aside, I agree with “Whoever” that your comments on Linux are unfair. Linux is much simpler than Windows. Not necessarily easier, but simpler. As for your “glimpse of the void,” that also is the fault of the truecrypt guys. They easily could have had an install script and GUI to make setup and usage on Linux as easy as it is on Windows.
I used to think that Windows “just worked.” I think I even used those words. I’ve been using Linux now as my primary system for over a year. I started using Windows again recently (not moving back, fixing up someone else’s computer.) Did you know that Windows doesn’t even have grep? Or symlinks? Their .lnk files are binary blobs! Pain in the Ass! When I was a regular Windows user, Linux looked strange, and wonderful, confusing and weird. Taking that glimpse back, Windows is just butt ugly.
Truecrypt is a Windows Program. Linux was an incomplete afterthought for them. I wouldn’t be using it, but it seems to be the only mature linux program that incorporates plausible deniability.
25 February 2007 at 5:21 pm
Thanks for sharing your thoughts, WK1. It’s not that I don’t think GNU/Linux is better, because I do. For example, I’m seeing that rsync + hard links is going to make my backup regime so much better.
But from my personal experience as a Windows user — maybe even a power user — it just seems that many things are harder and more complicated. I’m sure over time that feeling will fade as I become more familiar with GNU/Linux.
I think for a new computer user, something like Ubuntu would be just as easy as Windows to do the normal things you want to do on a computer, like email, web, music, and digital pictures. But for people like me who use Windows to do a lot of different things, learning the comparable methods in GNU/Linux can be quite a challenge.
I want to promote free software and advocate its use as much as anyone, but I don’t want to look at things through rose-colored glasses. Microsoft spends a lot of money on usability, and along with making things less secure by default, I think they do produce a system that is easier in many ways to use. GNU/Linux packaging and install systems are getting better all the time, but I also think it’s true (at the moment) that Windows enables developers to provide simpler installs. Again, this might be partly due to security defaults and partly due to familiarity. Maybe it just feels easier, but I’ve installed a lot of software on Windows and I rarely have to learn about fiddle around with configuration files all over the place, which is something I’ve been doing a fair amount of in GNU/Linux.
A lot of that may fall on the developers — in this case of TrueCrypt — but it seems fairly common when I’m trying to get things working. I spent a lot of time figuring out how to get VNC working in Ubuntu and Fedora so I could have a remote X session, and judging by what I’ve seen in forums and the amount of traffic I’m getting to my VNC HowTo, it’s not an easy thing for many people to use. In Windows XP, Remote Desktop is *much* simpler. (And one final time, maybe a large part of that is for security reasons, but it doesn’t change the fact that it’s harder.)
25 February 2007 at 7:04 pm
I’m an ubuntu user, and I got this from your tutorial. Its a bit more concise.
True Crypt
//Create
/usr/bin/truecrypt –create test.tc
//Change Permissions so user can run
sudo chmod u+s /usr/bin/truecrypt
//Mount so user can change files
truecrypt –user-mount test.tc test_mnt_dir
//Dismount
truecrypt –dismount test.tc
3 April 2007 at 9:39 pm
That was a nice basic tutorial, thanks. Except for that somewhat immature sounding paragraph in between, it was well written. The difference in the operating systems means that you had that little extra bit of work there, but I find it profitable because they are the same reasons I am not spending my time and creativity juggling two antivirus programs and one anti-spyware and running periodic scans etc.
And like a previous poster mentioned, when after more than 6 mths of almost exclusive linux use, I have to boot into windows for something, I am amazed at how difficult it is to do some things that I take for granted now.
25 April 2007 at 5:58 pm
Thanks, Raja. My attitude is slowly coming around as I give myself over to learning GNU/Linux and accept that there is a learning curve and things will take time.
I still think from the perspective of a Windows user, many tasks are more difficult to do in GNU than in Windows. I think it becomes hard for gnu users to see this as they become immersed in the better free operating system. Once you *know,* how it’s done, it doesn’t seem so arcane. Windows tries to shield you from the details. It lets you be productive without knowing so much, but it also limits you quite a bit, of course.
(I think free software desktops are also doing a good job now of hiding details, but I was trying to do less common tasks at the start that led me in to the internals. And there is a whole ‘nother discussion there of whether or not it’s good to hide details. I do well with systems that let me start simplistically muddling around and then gradually learn as I go.)
I flinched at your use of the word “immature,” but rereading that part I have to agree it sounds not only immature but downright petulant as well. :-) I hesitate to edit it, as I don’t want people to think I’m rewriting history and covering up my youthful indiscretions, but since this post gets a lot of traffic from Google I might want to moderate it a bit. (There’s a balance somewhere between historical post and current technical reference.)
Thanks for your comment and gentle correction.
25 April 2007 at 7:07 pm
GUI for TrueCrypt (Debian package, but you’ll sort it out):
http://bockcay.de/forcefield/
Cheers.
21 July 2007 at 1:16 pm
Cool — thanks for the pointer.
21 July 2007 at 4:25 pm
Java GUI for TrueCrypt: jTcGui. It looks like the windows version.
18 November 2007 at 5:28 pm
Thanks, win. I’ve bookmarked it in del.icio.us and hope to get a chance to look in to it sometime.
18 November 2007 at 7:43 pm
I’ve been struggling with 4.3a on Gutsy for a day or two now, finally got it going:
# make volume
tc -c safe.vol
-o yada yada
# mount it
tc safe.vol
# find its id
ls /dev/mapper # Note the truecrypt#
# make it mountable, may need to do this more than once but I doubt it – it’s mostly going to be ’0′
echo ‘/dev/mapper/truecrypt# /mount/point [vfat|whatever] user,noauto,uid=my# 0 0′ >> /etc/fstab
# mount it
mount /mount/point
# To remove
umount /mount/point && tc -d
If I use tc to mount it (tc /device /mount) it always winds up with root ownership and 755 mask, which is useless for me.
Aside: while it’s mapped but before it’s mounted you can format it with whatever filesystem takes your fancy :)
HTH someone
sproot
13 December 2007 at 5:37 pm
Thanks, sproot. I may experiment with that — I’d like to get it working with non-FAT filesystems.
13 December 2007 at 6:17 pm
Welcome :)
Another point: If you use ext3 or another fs that supports uid:gid for files you don’t need the ‘uid=my#’ bit in /etc/fstab.
sproot
23 January 2008 at 5:08 pm
And another thanks!
23 January 2008 at 5:20 pm
@Whoever
I wrote a short tutorial on how to setup Truecrypt and PAM to automatically mount home directories on login.
17 July 2008 at 2:24 pm
One Trackback
[...] Read more [...]