TrueCrypt Volume Encryption

30 May 2008   Charles Roth

TrueCrypt is a lovely, cross-platform, open-source, encryption and security tool.  It does on-the-fly encryption of entire volumes.  A volume can be either a physical disk partition, or a (large) pre-defined file that acts as a logical volume.

I use TrueCrypt on my linux laptop to mount several logical volumes, in which I keep sensitive commercial data.  That way, if the laptop is stolen, the data in those volumes is totally unavailable.  The passwords to those volumes live only in my head, and must be entered every time the volumes are mounted (i.e. every time the laptop reboots).

Linux Install
I had to install from source, although the process was relatively straight-forward.  It did require also installing "fuse" and "wxWidgets".  I was able to install fuse from a repository ("yum install fuse"), but wxWidgets had to be installed from source (very straightforward).

When finished, I just put the generated 'truecrypt' executable in /usr/local/bin.

Creating a volume
Initially creating a volume is a little bit tricky, since TrueCrypt only knows how to format FAT volumes.  Basically this means creating a FAT volume, then reformatting it.

  1. Create the volume:
       truecrypt -t -c
    At the prompts, supply a file name ("volume_path"), volume size, encryption algorithm (I use "Serpent-Twofish-AES"), a hash algorithm (I use "RIPEMD-160"), a filesystem ("FAT"), and a good, long, password.  I do not use or recommend keyfiles, the whole point is that all passwords (keys) live in my head and only my head.  For this example, I do not use hidden volumes, although they are useful in very-high-security situations.
  2. Mount the new volume:
       truecrypt -t --mount volume_path
    ...and see where the volume got mounted, typically something like /dev/loop0.
  3. Dismount the new volume:
       sudo umount /dev/loop0
  4. Make a new filesystem on the volume:
       sudo mkfs -t ext3 /dev/loop0
  5. Reboot.  (There's probably a better approach, involving dismounting the new volume from inside truecrypt.  But I'm being lazy.)

Using a volume
Immediately after booting, do:

   truecrypt -t volume_path
and specify whatever mount point you really prefer, long-term.

You may also need to set specific permissions on directories inside the volume, depending on how you intend to use it.  But that's really not any different from, say, mounting a new physical disk and putting a filesystem on it.