20100314 truecrypt for desktop security - plembo/onemoretech GitHub Wiki

title: truecrypt for desktop security
link: https://onemoretech.wordpress.com/2010/03/14/truecrypt-for-desktop-security/
author: lembobro
description:
post_id: 179
created: 2010/03/14 10:17:21
created_gmt: 2010/03/14 10:17:21
comment_status: open
post_name: truecrypt-for-desktop-security
status: publish
post_type: post

truecrypt for desktop security

I just started using Truecrypt for securing sensitive files on my laptop and wanted to share some notes on making the most of it.

For what follows I used version 6.2a of the product as packaged for Red Hat Enterprise Linux 5/CentOS 5 by Dag Wieers. There are packages for other Linux distributions and Windows available on the Truecrypt web site.

Of course the best policy when it comes to mobile devices like laptops is to avoid storing any kind of sensitive data on them. The fact is that, given physical access to a device and enough time, anything can be cracked. Anything. This is one of the reasons I’ve long opposed the use of “encrypted” USB thumb drives as a medium for exchanging private information. Many years ago someone gave me one of these supposedly secure devices slated for use by a Human Resources department. Within a very short time I was able to return to them a list of the simulated account numbers that they’d stored there, using a basic utility that ships with all Unix systems.

Truecrypt’s basic mode of operation is to mount an encrypted file as a disk volume. To do this on Unix the user needs root access to run the mount command, which Truecrypt obtains through sudo. This can be done on Linux by adding the user to /etc/sudoers. Something like the very reckless

```
myuser   ALL=(ALL)      ALL
```

will do the trick. When using the sudoers method Truecrypt will throw a fatal error unless the user is exempted from the default policy of requiring a real TTY for every operation (`requiretty`). This can be done by adding a per-user override after the default:

```
Defaults           requiretty
Defaults:myuser    !requiretty
```

(the second line is the added directive)
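The blanket `ALL=(ALL) ALL` rule above gives myuser unrestricted root through sudo, which is far more than Truecrypt needs. As an added example that is not from the original post, the fragment below keeps the `requiretty` exemption the post describes but limits the user to running the truecrypt binary as root. The path `/usr/bin/truecrypt` is an assumption (check it with `which truecrypt` on your own box); the alias name is mine.

```sudoers
# Added example, not from the original post. Narrower replacement for the
# "myuser ALL=(ALL) ALL" rule: myuser may run only truecrypt as root.
# Assumed binary path; verify with `which truecrypt`.
Defaults            requiretty
Defaults:myuser     !requiretty

# Alias keeps the rule readable if more users or hosts are added later.
Cmnd_Alias TRUECRYPT = /usr/bin/truecrypt

myuser   ALL=(root)   TRUECRYPT
```

Edit the file with `visudo`, which syntax-checks before saving; a typo in /etc/sudoers can lock every user out of sudo. Keep in mind that this only narrows what the rule permits: truecrypt itself still runs as root and mounts filesystems, so the account should still be treated as a privileged one.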

Probably the easiest way to describe how Truecrypt is used would be to show the command line sequence for creating and mounting a secure volume.

1. Create a volume file:

```
truecrypt -t -c /home/myuser/secvol
```

Where “secvol” is the name of your volume file.

The dialog that follows will look something like this (the value typed at each prompt is shown after the prompt):

```
Volume type:
1) Normal
2) Hidden
Select [1]: 1

Enter volume size (sizeK/size[M]/sizeG): 10M

Encryption algorithm:
1) AES
2) Serpent
3) Twofish
4) AES-Twofish
5) AES-Twofish-Serpent
6) Serpent-AES
7) Serpent-Twofish-AES
8) Twofish-Serpent
Select [1]: 1

Hash algorithm:
 1) RIPEMD-160
 2) SHA-512
 3) Whirlpool
Select [1]:  2

Filesystem:
 1) FAT
 2) None
Select [1]: 1

Enter password: mysecurepassphrase
Re-enter password:

Enter keyfile path [none]:

Please type at least 320 randomly chosen characters and then press Enter:
dhjeslwl123345l99skscldrorg9gkewwlsmvmlee
Characters remaining: 101
sfsdifhwtjjgirw;yp35uy34uy3j5oy3jy3y5[oyj35jo[oj5y
Characters remaining: 30
gvjsg24eruitsd;vs;rg;rogjsjovwr[ogtu2tudjvjw’ef’qefj

Done: 100.000%  Speed:  7.2 MB/s  Left: 0 s

The TrueCrypt volume has been successfully created.
```

2. Now create a mountpoint like

```
mkdir /home/myuser/secdir
```

3. Mount the volume (again, typed values follow each prompt):

```
truecrypt -t /home/myuser/secvol /home/myuser/secdir

Due to a bug in the Linux kernel, your system may stop responding
when writing data to a TrueCrypt volume. This problem can be solved
by upgrading the kernel to version 2.6.24 or later.

Enter password for /home/myuser/secvol:
mysecurepassphrase

Enter keyfile [none]:
Protect hidden volume (if any)? (y=Yes/n=No) [No]:
No

Enter your user password or administrator password:
myuserpass

truecrypt -t -l
1: /home/myuser/secvol /dev/loop0 /home/myuser/secdir
```

Now you should be able to do things like list, add or remove files from /home/myuser/secdir just as you would any other mounted filesystem.

Dismounting the volume is as easy as doing a

```
truecrypt -t -d /home/myuser/secdir
Enter your user password or administrator password:
myuserpass

truecrypt -t -l
Error: No volumes mounted.
```
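As an added example that is not part of the original post, here is a POSIX sh wrapper around the whole create / mount / dismount sequence above, with the checks a practitioner would want before trusting a volume: the container file must be a regular file with mode 0600 (so other local accounts cannot copy it off for offline guessing), the mountpoint must be an existing empty directory (so nothing is hidden underneath the mount and a mistyped path is caught early), and mount state is read back from `truecrypt -t -l` rather than assumed. It assumes the 6.x `truecrypt` CLI is in PATH and prompts for the sudo password itself, as in the transcripts above; the volume and mountpoint paths are the post's example paths (override them with TC_VOL and TC_DIR). None of it is the project's own code.

```shell
#!/bin/sh
# Added example, not code from the original post. Wrapper around the
# create / mount / dismount sequence described above, with sanity checks.
# Assumptions: `truecrypt` (6.x CLI) is in PATH and handles sudo itself;
# the default paths are the post's example paths, not real ones.

TC_VOL="${TC_VOL:-/home/myuser/secvol}"
TC_DIR="${TC_DIR:-/home/myuser/secdir}"

# Parse `truecrypt -t -l` output ("N: <volume> <device> <mountpoint>") from
# stdin and print the mountpoint of volume $1; exit 1 if it is not mounted.
tc_mountpoint_of() {
    while read -r _idx path _dev mnt; do
        if [ "$path" = "$1" ]; then
            printf '%s\n' "$mnt"
            return 0
        fi
    done
    return 1
}

# Exit 0 only if $1 is a regular file with exactly mode 0600.
tc_check_volume_file() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm 600 -print)" ]
}

# Exit 0 only if $1 is an existing, empty directory.
tc_check_mountpoint() {
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1")" ]
}

# Create the volume interactively (truecrypt prompts for size, cipher,
# passphrase and entropy exactly as in the dialog above), then make sure
# the container file is readable by its owner only.
tc_create() {
    if [ -e "$TC_VOL" ]; then
        echo "refusing to overwrite existing $TC_VOL" >&2
        return 1
    fi
    (umask 077 && truecrypt -t -c "$TC_VOL") && chmod 600 "$TC_VOL"
}

# Mount only after both checks pass, then confirm from truecrypt's own
# listing rather than trusting the exit code alone.
tc_mount() {
    tc_check_volume_file "$TC_VOL" || { echo "bad type or permissions: $TC_VOL" >&2; return 1; }
    tc_check_mountpoint "$TC_DIR"  || { echo "mountpoint missing or not empty: $TC_DIR" >&2; return 1; }
    truecrypt -t "$TC_VOL" "$TC_DIR" || return 1
    truecrypt -t -l 2>/dev/null | tc_mountpoint_of "$TC_VOL" >/dev/null
}

tc_dismount() {
    truecrypt -t -d "$TC_DIR"
}

case "${1:-}" in
    create)   tc_create ;;
    mount)    tc_mount ;;
    dismount) tc_dismount ;;
    *)        echo "usage: $0 create|mount|dismount" >&2 ;;
esac
```

Run it as `TC_VOL=/path/to/secvol TC_DIR=/path/to/secdir sh tcvol.sh mount` (name is mine). The permission check uses `find -perm 600`, which matches the mode exactly and is portable across GNU and BSD userlands, unlike the differing `stat` flags.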

More on how to create and use key files and set up auto mounting in another post.

Copyright 2004-2019 Phil Lembo