How to Install TrueCrypt (CLI) on Linux
“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues” — The truecrypt site has recently posted instructions on how to migrate away from truecrypt. You can find an additional explanation of the situation here.
What is TrueCrypt and is it really secure?
If you’re worried about the recent NSA scandals and want to maintain some privacy, or simply want to keep your data safe and secure, then the free and open source TrueCrypt is an ideal option. TrueCrypt allows you to encrypt files in virtual volumes, and even create ‘hidden’ volumes, so in the case that you are forced to reveal your password, you can still maintain the security of your data.
Reading the official documentation of TrueCrypt gives the impression that the author is highly paranoid, which is a positive trait when it comes to security. As TrueCrypt is open source, it seems unlikely that it would be able to include a backdoor, and yet with backdoors being found left, right, and centre, there is of course the possibility that there are backdoors in TrueCrypt too. However, it’s very unlikely: it has gotten a lot of attention recently, and no one has found anything yet. A foundation has been set up to fully audit it: (here) and Xavier de Carné de Carnavalet claims to have compiled the source against the binaries and found a perfect match (here).
TrueCrypt provides many different encryption methods. At the time of writing, you can choose between the following when creating a new encrypted volume:
Downloading and Installing
We’ll be installing the “console-only” version of TrueCrypt for Linux. There are 32 and 64 bit versions available, so choose the correct one depending on your system. If you are unsure run:
And the beginning of the output will be (for 64-bit) something like:
/sbin/init: ELF 64-bit LSB shared object
or for 32-bit:
/sbin/init: ELF 32-bit LSB shared object
The official website does not provide links for specific installations, seeming to force you to choose your version through a .php post form, but you can in fact download the tar directly with a wget command. At the time of writing, to download the 64-bit console only version, run:
sudo wget http://truecrypt.org/download/truecrypt-7.1a-linux-console-x64.tar.gz
7.1a is still the current version before you download (see http://truecrypt.org/downloads where the heading currently reads: Latest Stable Version - 7.1a), and substitute the version number in the command if there is a later one. Simply change the x64 to x32 in the command to download the 32-bit version.
To extract the setup file, run
tar xfvz truecrypt-7.1a-linux-console-x64.tar.gz
Again substituting the version number and architecture type if necessary. Don’t worry about where to extract it to: anywhere is fine as the installer will handle the installation path automatically.
Again substituting the version and architecture (last time, I promise), run:
And you’ll be guided through the installation. At first, you should see:
TrueCrypt 7.1a Setup ____________________ Installation options: 1) Install truecrypt_7.1a_console_amd64.tar.gz 2) Extract package file truecrypt_7.1a_console_amd64.tar.gz and place it to /tmp To select, enter 1 or 2:
1, and then press
Enter to read the terms and conditions. Hold down your
Space key for a while, if, like most people, you are not actually intent on reading them. (
Enter will also work, but
Space goes page by page instead of line by line).
y to accept the terms, and then press
Enter. You’ll be told about the prerequisites.
Requirements for Running TrueCrypt:
FUSE library and tools
device mapper tools
Press Enter to continue.
Which should already be installed on Ubuntu and Debian systems.
Now you’ll see a message about how to uninstall TrueCrypt (The words “Uninstalling TrueCrypt” may be a bit misleading – but don’t worry, they’re just instructions for how to uninstall should you want to do so). Press
Enter to exit the installer. TrueCrypt is now installed on your system.
create a volume
To interactively create a new encrypted volume, use the command:
truecrypt -c /path/to/volume/directory/volumename
For example, to create a new volume called “mysecrets” in your home directory, run
truecrypt -c /home/mysecrets
Note that the “mysecrets” will be created – it should not be an existing file. You can use any file extension that you want or omit it. Note that TrueCrypt will not create the subpath, so make sure the full subpath exists (in this example,
/home/) and that the file does not (in this example,
You’ll be asked whether you want to create a “Normal” volume or a “Hidden” one. In this example, we’ll be creating a “Normal” one. A Hidden volume is in essence two TrueCrypt volumes inside each other. These are very useful if someone uses physical force or blackmail to make you open a TrueCrypt volume or give them your password. With a hidden volume, you can pretend to comply, while in reality only giving them access to the outer volume. This is unlikely to be an issue for the average user.
1 to create a normal volume, and choose a size. e.g., enter:
To create a volume of 100 Megabytes. Use, for example,
5G to create a 5 Gigabyte volume, or
100K to create a 100 Kilabyte volume. Think of this volume as a separate storage device, such as a flash drive: whatever size you assign in this step will be its fixed capacity. The larger it is, the longer it will take to create, as it needs to encrypt the entire volume before use, though this isn’t a huge factor as, on my system, creating a volume of 1GB only took a couple of seconds. If you just want to store a few text files (for example, I store all my passwords in a text file inside a TrueCrypt volume) then a few MB will be more than adequate. You cannot create a volume bigger than your storage capacity.
Pick an encryption method. We’ll go with entering
1 again, to have our volume encrypted by AES, and
1 for the next input as well to choose RIPEMD-160 as our hashing algorithm. Any of the three encryption methods and hashing methods is sufficient. For the slightly paranoid, there are options such as
Serpent-Twofish-AES which encrypts the volume using AES, encrypts the output of this (with a different key) with Twofish, and the output of this with Serpent. This means that if any of the three encryption methods is “broken” (that is, a way is found to easily decrypt without the key), then your volume is still safe (unless all three are “broken”). Each of the three encryption methods has an article on Wikipedia, so have a look at these to see the latest attack attempts against each. All seem secure for the time being.
You can then pick from a number of file systems. Pick FAT (
2) for the best compatibility, if you intend on accessing the volume from other systems. Now pick a password – remember that brute-forcing the password is the only vaguely feasible way for other people to access your files, so pick a long password (recommended more than 20 characters) for security. For this demo we’ll go with
1234 as a password. Don’t try this at home.
1234, confirm with another
Enter that you’re happy with the password of fewer than 20 characters, and re-enter it for confirmation. You’ll now be prompted for a keyfile path. In this example we will not be using a keyfile, which means that we can access our volume in the future using just the password. Keyfiles are more secure than passwords. You can pick an image, a text file, or any other file you want, and you’ll have to use this file every time you want to access your volume. While this is much more secure than a regular password, it does mean that if you ever lose you keyfile or if it becomes corrupted, you will no longer be able to access your TrueCrypt volume (see here for more about keyfiles and how to use them).
Now for the fun bit. Mash your keyboard as randomly as possible, entering at least 320 characters. TrueCrypt will use this to create Entropy. Humans are generally terrible at doing anything random – remember to include as many different keys as possible. You can read about the random number generator method used here.
Enter and your volume will have been created.
mounting a volume
To mount it, use the command:
truecrypt --mount /home/secret
Enter to accept the default mount directory (on Ubuntu /media/truecrypt1/), enter your password, and press
Enter twice more for the other defaults (no key file, no protect hidden volume).
Your encrypted volume is now mounted. Just like a mounted flash drive, you can copy files to and from it while it is mounted, but after dismount they are inaccessible. Move files to your volume with commands such as:
mv secrettextfile.txt /media/truecrypt1/
dismounting a volume
To dismount the volume use:
Which will dismount all mounted volumes. If you get the error
Error: umount: /media/truecrypt1: device is busy. (In some cases useful info about processes that use the device is found by lsof(8) or fuser(1))
Then it is very likely that it is simply your terminal that is keeping the device
busy. If you have your terminal open in the location of your volume, change out with
truecrypt -d again.
The documentation and tutorials on the official site are exceptionally well-written, clear, and extensive, and they should give you step by step instructions as to all of TrueCrypt’s more advanced uses, should you need them.