While it's fairly trivial to create an encrypted container using command-line truecrypt on Linux, when I began to look for documentation on how to encrypt an entire drive, I found next to nothing.
To correct this, I wrote the following walkthrough on how to do exactly that. For this I used Ubuntu 9.04 Alpha (Jaunty Jackalope) because I wanted ext4 and truecrypt 6.1a.
*** Back up all your data onto a different disk; formatting this drive will erase all data! ***
Find the unencrypted drive that is associated with your chosen mount point.
#mount
/dev/sdb1 on /home/storage type ext4 (rw,noatime)
Unmount the drive you want to work on.
#umount /home/storage
Comment out the line for this drive in your fstab
#vim /etc/fstab
Create the truecrypt container. (Recommended choices are the values entered at each Select prompt.)
#truecrypt -t -c /dev/sdb1
Volume type:
1) Normal
2) Hidden
Select [1]: 1 (Hidden drive not covered by this guide)
Encryption algorithm:
1) AES
2) Serpent
3) Twofish
4) AES-Twofish
5) AES-Twofish-Serpent
6) Serpent-AES
7) Serpent-Twofish-AES
8) Twofish-Serpent
Select [1]: 1 (Depending on your preference (read: level of paranoia) you may prefer another option.  I chose AES because it's the fastest.  Twofish would be my second choice.)
Hash algorithm:
1) RIPEMD-160
2) SHA-512
3) Whirlpool
Select [1]: 3 (Personal Preference)
Filesystem:
1) FAT
2) None
Select [1]: 1 (I ran into an issue when I tried None. I know this works when you pick FAT, but it takes longer to create the volume initially. I am going to test again and see if I can get this working with no initial formatting to speed things up.)
Enter password:
Re-enter password:
Enter keyfile path [none]:
Please type at least 320 randomly chosen characters and then press Enter:
Done:   0.071%  Speed: 125 MB/s  Left: 3 hours
Now you wait a while for truecrypt to build the archive and format... For my 1.5 TB drive (RAID 10) it took several hours. Be patient.
Mount the drive with truecrypt (this includes the arguments to use to mount a volume prompting only for its password).
#truecrypt -t -k "" --protect-hidden=no /dev/sdb1 /home/storage
Find the truecrypt dev mapper for your drive
#mount
/dev/mapper/truecrypt1 on /home/storage type vfat (rw)
Now you need to unmount that device.
#umount /home/storage
Format in ext4
#mkfs.ext4 /dev/mapper/truecrypt1
Once done, do a truecrypt unmount (Note this will unmount all truecrypt drives.)
#truecrypt -d
You will now be able to mount your encrypted drive with truecrypt and it will be formatted in ext4
#truecrypt -t -k "" --protect-hidden=no /dev/sdb1 /home/storage
#mount
/dev/mapper/truecrypt1 on /home/storage type ext4 (rw)
Voila!  Drive is now encrypted and using ext4.
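The walkthrough reads mount output by eye twice: once to find the mapper device to format, and once to confirm the result. The following guard is an added example, not part of the original post. It prints the device to hand to mkfs.ext4 only when the mount point is backed by a /dev/mapper/truecryptN device carrying the expected filesystem, so the format never lands on the raw /dev/sdb1 partition (which would overwrite the encrypted volume with an unencrypted filesystem). The function names are hypothetical, and mount points are assumed to contain no spaces.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes mount points without spaces and TrueCrypt mapper devices named
# /dev/mapper/truecryptN, as in the mount output shown in the walkthrough.

# mount_entry MOUNTPOINT: read `mount` output on stdin and print "DEVICE FSTYPE"
# for the last filesystem mounted on MOUNTPOINT; exit 1 if there is none.
mount_entry() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp && $4 == "type" { dev = $1; fs = $5 }
        END { if (dev == "") exit 1; print dev, fs }'
}

# mapper_with_fs MOUNTPOINT FSTYPE: print the device behind MOUNTPOINT only if
# it is a TrueCrypt mapper device carrying FSTYPE; refuse everything else.
mapper_with_fs() {
    entry=$(mount_entry "$1") || { echo "nothing mounted on $1" >&2; return 1; }
    dev=${entry% *}
    fs=${entry#* }
    case "$dev" in
        /dev/mapper/truecrypt[0-9]*) ;;
        *) echo "refusing: $dev is not a TrueCrypt mapper device" >&2; return 2 ;;
    esac
    [ "$fs" = "$2" ] || { echo "refusing: $dev holds $fs, expected $2" >&2; return 3; }
    printf '%s\n' "$dev"
}

# The three mount lines the walkthrough shows, in order.
RAW='/dev/sdb1 on /home/storage type ext4 (rw,noatime)'
FAT='/dev/mapper/truecrypt1 on /home/storage type vfat (rw)'
EXT4='/dev/mapper/truecrypt1 on /home/storage type ext4 (rw)'

# Raw partition: refused, so mkfs.ext4 is never pointed at /dev/sdb1.
printf '%s\n' "$RAW"  | mapper_with_fs /home/storage vfat || echo "refused ($?)"
printf '%s\n' "$FAT"  | mapper_with_fs /home/storage vfat  # safe mkfs.ext4 target
printf '%s\n' "$EXT4" | mapper_with_fs /home/storage ext4  # final state verified

# On a live system, capture the target before unmounting, then format it:
#   target=$(mount | mapper_with_fs /home/storage vfat) &&
#       umount /home/storage && mkfs.ext4 "$target"
```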
Thanks! That worked for me.
I tried to format as having no file system. You could just modify the text to explain that if None is being selected, it won't be possible to mount and format that volume later.
I'm having issues in Ubuntu 9.04 with Truecrypt 6.2 and ext4 - problems mounting from GUI (mount fails with "you need to specify a file system").
So no ext4 for me now.
I had some luck with TC 6.2 and Ubuntu and the following commands:
# truecrypt -t -c /dev/sdd1 --volume-type=Normal --encryption=AES --hash=RIPEMD-160 --filesystem=None -k "" -p test
# truecrypt -t --filesystem=None -p test --protect-hidden=no -k "" --slot=3 --mount /dev/sdd1
# echo /dev/mapper/true*
/dev/mapper/truecrypt3
# zpool create ztest /dev/mapper/truecrypt3
# df -h /ztest
Filesystem Size Used Avail Use% Mounted on
ztest 228M 18K 228M 1% /ztest
YMMV
When mounting a tc volume you can specify --filesystem=none to tell truecrypt not to mount the device yet (so that you can format it first):
truecrypt --filesystem=none /share/data/photos01.tc
This connects the device but does not mount the filesystem yet.
Then truecrypt -l shows you the device name.
(in my case /dev/loopo0 as I use fuse on qnap)
Then for example use mkfs.ext4 /dev/.... to format with ext4 filesystem