
#1 2008-07-03 20:33:04

edgg
Member
Registered: 2007-02-23
Posts: 8

Full HDD encryption with Truecrypt 5.1a

This is not really a script, so I'm quite unsure whether this is the correct subforum for this topic. But in case anyone actually uses the "Search" feature, he will find this topic regardless of the subforum.

This post is only intended for people who try to use Truecrypt to encrypt the root filesystem.

Since Truecrypt upgraded from 4.x to 5.1a several problems occurred, which I had quite some struggle to solve, so I thought I'd share the knowledge, in the form of tips, to make it easier for anyone else.

* Truecrypt now needs "fuse" and "loop" modules to be loaded.
* Make sure to add option --filesystem=none because otherwise Truecrypt now automatically tries to mount a filesystem and fails miserably in klibc, outputting a misguiding message (I forgot it)
* For some weird reason Truecrypt adds an argument "--" to some of its system calls, particularly "mount" and "umount", "losetup" and probably some more. I think patching can be avoided if the used programs are taken from the standard /bin folders, not the klibc library. They seem to be more tolerant. That is you can add these lines before the "for f in /usr/lib/klibc/bin/*; do":
# copy the regular files directly under /lib (shared libraries the non-klibc
# mount/umount/losetup need); skip subdirectories such as /lib/modules
for f in /lib/*; do
    [ -f "$f" ] && add_file "$f" 2> /dev/null
done
# losetup lives in /sbin on the host but is expected in /bin inside the initramfs
add_file /sbin/losetup /bin/losetup
Note that it will seriously bloat your initramfs, so if it's a concern for you, patch the Truecrypt. If you're patching, just change the CoreLinux.cpp not to use "--" as an argument for "losetup", or the Process.cpp to strip the "--" argument out at all times.
* Truecrypt uses fuse which uses mount with an option "-i" which is not present in current 1.5-5 klibc. Fuse support is introduced in later versions of klibc http://git.kernel.org/?p=libs/klibc/kli … 571d2c979d but until those arrive, you'll probably have to patch klibc with that patch. I recompiled all packages which depend on klibc too, but I'm not too sure if that is mandatory.
* Truecrypt creates a temporary file in /tmp which is not deletable, so kinit fails with "Directory not empty". This false positive failure can be avoided using here presented patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476268
* At least for me klibc mount didn't like Truecrypt at all, giving the following in dmesg after the root filesystem is mounted
EXT3-fs: INFO: recovery required on readonly filesystem.
EXT3-fs: write access will be enabled during recovery.
Buffer I/O error on device dm-2, logical block 0
lost page write due to I/O error on dm-2
Buffer I/O error on device dm-2, logical block 1
lost page write due to I/O error on dm-2
Buffer I/O error on device dm-2, logical block 472
...

And soon after initramfs is nuked:
...
EXT3 FS on dm-2, internal journal
Aborting journal on device dm-2.
journal commit I/O error
ext3_abort called.
EXT3-fs error (device dm-2): ext3_journal_start_sb: Detected aborted journal
Remounting filesystem read-only

It worked for me with the standard non-klibc mount, so I added the whole lib/* and /bin/mount, /bin/umount and losetup to initcpio/install/base, which kind of works as a hax, but is pretty nasty. Unfortunately I know of no other fixes.

* As Truecrypt is not a module anymore, shutdown will kill it with the other normal processes, too soon, resulting in a failed filesystem for the rest of the shutdown process. Splashy http://bbs.archlinux.org/viewtopic.php?id=48978 is confronting the same problem, and their ported 82_killall_exclude_pids.patch in http://bugs.archlinux.org/task/10536 takes care of killall5 just fine. The filesystem didn't umount cleanly the first time, but seems to work every time after that.

If anyone this far is not yet frightened off using Truecrypt 5.1a for full HDD encryption, it is your own fault.

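Added example (not part of edgg's post, and not mkinitcpio's or Truecrypt's own code): the third tip above copies all of /lib into the initramfs so that the non-klibc mount, umount and losetup have their libraries, which is what bloats the image. The script below stages only the named binaries plus the shared objects `ldd` reports for each of them, into a throw-away root tree that can be inspected before it goes into an image. The function names (stage_file, stage_with_libs, count_staged), the staging-root layout and the use of `ldd` for dependency resolution are this example's assumptions; it is a stand-alone POSIX sh script rather than a mkinitcpio install hook, so it uses cp instead of add_file.

```shell
#!/bin/sh
# Added example: stage selected host binaries and only the shared libraries
# they actually link against into an initramfs staging root.
# Assumptions: POSIX sh; `ldd` is available for dependency resolution (if it
# is not, only the binary itself is copied).

# stage_file SRC ROOT [DEST]
# Copy regular file SRC into ROOT, preserving its absolute path, or placing it
# at DEST inside ROOT when DEST is given (e.g. /sbin/losetup -> /bin/losetup).
stage_file() {
    src=$1; root=$2; dest=${3:-$1}
    # Directories and missing paths are refused instead of silently ignored,
    # so a typo in the binary list shows up as an error rather than a boot failure.
    [ -f "$src" ] || { echo "stage_file: $src is not a regular file" >&2; return 1; }
    mkdir -p "$root$(dirname "$dest")"
    cp -p "$src" "$root$dest"
}

# stage_with_libs BIN ROOT
# Copy BIN and every shared object ldd lists for it (including the dynamic
# loader) into ROOT, each under its original absolute path.
stage_with_libs() {
    bin=$1; root=$2
    stage_file "$bin" "$root" || return 1
    command -v ldd >/dev/null 2>&1 || return 0
    # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)" or
    # "/lib/ld-linux.so.2 (0x...)"; keep every field that is an absolute path.
    ldd "$bin" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        while read -r lib; do
            [ -f "$lib" ] && stage_file "$lib" "$root" >/dev/null || true
        done
    return 0
}

# count_staged ROOT: number of regular files currently staged under ROOT.
count_staged() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Usage: sh stage.sh /path/to/staging-root /bin/mount /bin/umount /sbin/losetup
# (the staged tree can then be reviewed, or its files added to the image).
if [ "$#" -ge 2 ]; then
    staging_root=$1; shift
    for b in "$@"; do
        stage_with_libs "$b" "$staging_root"
    done
    echo "staged $(count_staged "$staging_root") files under $staging_root"
fi
```

Compared with copying the whole of /lib, this keeps the image to the handful of libraries the three tools need, and the explicit failure in stage_file makes a wrong path visible at build time instead of at the first boot of the encrypted root.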

#2 2008-07-03 21:02:25

Sjoden
Member
From: WA
Registered: 2007-08-16
Posts: 380

Re: Full HDD encryption with Truecrypt 5.1a

Thanks for the info! I don't use truecrypt though, but maybe you could make a Truecrypt 5.1a subsection in the wiki?

http://wiki.archlinux.org/index.php/Truecrypt

Zack


#3 2008-07-03 21:58:34

edgg
Member
Registered: 2007-02-23
Posts: 8

Re: Full HDD encryption with Truecrypt 5.1a

I'm sorry, but I'll refuse to create a wiki article:
* As the given tips tell, using Truecrypt 5.1a for full hdd encryption is a huge hax, and I don't want to advocate it at all.
* Those who still are stubborn enough to use it, need to really understand what the hell they are doing, since it is a big hax. I don't want any sunday users be attracted by a descriptive article.
* Many simpler alternatives as LUKS are out there, so I'm actually wondering if there is one person seriously considering to go through the obvious necessary trouble to get Truecrypt.
* I find it very difficult to write formal and descriptive articles.

But if anyone with enough knowledge background is still interested, I'm ready to help out in case of problems right here in this topic. Forums tend to leave a very good archive of problem-solution sets, imo preferable to wikis in cases where no clean solutions have yet been established.


#4 2008-07-04 18:29:08

arch0r
Member
From: From the Chron-o-John
Registered: 2008-05-13
Posts: 597

Re: Full HDD encryption with Truecrypt 5.1a

cryptsetup/LUKS keeps it much easier and faster than Truecrypt with its annoying GUI hmm


#5 2008-07-05 03:09:29

Sjoden
Member
From: WA
Registered: 2007-08-16
Posts: 380

Re: Full HDD encryption with Truecrypt 5.1a

edgg wrote:

I'm sorry, but I'll refuse to create a wiki article:
* As the given tips tell, using Truecrypt 5.1a for full hdd encryption is a huge hax, and I don't want to advocate it at all.
* Those who still are stubborn enough to use it, need to really understand what the hell they are doing, since it is a big hax. I don't want any sunday users be attracted by a descriptive article.
* Many simpler alternatives as LUKS are out there, so I'm actually wondering if there is one person seriously considering to go through the obvious necessary trouble to get Truecrypt.
* I find it very difficult to write formal and descriptive articles.

But if anyone with enough knowledge background is still interested, I'm ready to help out in case of problems right here in this topic. Forums tend to leave a very good archive of problem-solution sets, imo preferable to wikis in cases where no clean solutions have yet been established.

Fair enough. Don't blame you, those are valid reasons.

Zack


#6 2008-07-14 18:49:12

machete
Member
Registered: 2008-03-31
Posts: 5

Re: Full HDD encryption with Truecrypt 5.1a

arch0r wrote:

cryptsetup/LUKS keeps it much easier and faster than Truecrypt with its annoying GUI hmm

For those who haven't noticed yet: Truecrypt 6.0a got released a few days ago. The new version resolves the write-speed issues from the previous versions (5.0 - 6.0). I get around 30 MB/s writing to an external USB 2.0 SATA hard drive. Haven't tested this with full system encryption though.

As for the GUI: as mentioned before you can disable the GUI with --text or -t. If you like to compile it yourself, you can even disable the GUI permanently.
from the src Readme.txt:

By default, a universal executable supporting both graphical and text user
interface is built. To build a console-only executable, which requires no GUI
library, use the 'NOGUI' parameter:

   $ make NOGUI=1 WX_ROOT=/usr/src/wxWidgets wxbuild
   $ make NOGUI=1

