Warning: TrueCrypt is no longer maintained. Using TrueCrypt is not secure as it may contain unfixed security issues. The TrueCrypt website has instructions on how to migrate away from their tool.
If you’re worried about the recent NSA scandals and want to maintain some privacy, or simply want to keep your data safe and secure, then the free and open source <a href=“http://truecrypt.org” target=“_blank”>TrueCrypt</a> is an ideal option. TrueCrypt allows you to encrypt files in virtual volumes, and even create <a href=“http://www.truecrypt.org/docs/hidden-volume” target=“_blank”>‘hidden’</a> volumes, so in the case that you are forced to reveal your password, you can still maintain the security of your data.
Reading the official documentation of TrueCrypt gives the impression that the author is highly paranoid, which is a positive trait when it comes to security. As TrueCrypt is open source, it seems unlikely that it would be able to include a backdoor, and yet with backdoors being found <a href=“http://www.theverge.com/2013/9/20/4751364/rsa-tells-developers-to-stop-using-encryption-with-suspected-nsa-backdoor” target=“_blank”>left</a>, <a href=“http://arstechnica.com/security/2013/09/new-york-times-provides-new-details-about-nsa-backdoor-in-crypto-spec/” target=“_blank”>right<a/>, and <a href=“http://www.technobuffalo.com/2013/08/22/nsa-windows-8-exploit/” target=“_blank”> centre</a>, there is of course the possibility that there are backdoors in TrueCrypt too. However, it’s very unlikely: it has gotten a lot of attention recently, and no one has found anything yet. A foundation has been set up to fully audit it: <a href=“http://istruecryptauditedyet.com/” target=“_blank”> (here)</a> and Xavier de Carné de Carnavalet claims to have compiled the source against the binaries and found a perfect match <a href=“https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/” target=“_blank”>(here)</a>.
TrueCrypt provides many different encryption methods. At the time of writing, you can choose between the following when creating a new encrypted volume:
AES
Serpent
Twofish
AES-Twofish
AES-Twofish-Serpent
Serpent-AES
Serpent-Twofish-AES
Twofish-Serpent
We’ll be installing the “console-only” version of TrueCrypt for Linux. There are 32 and 64 bit versions available, so choose the correct one depending on your system. If you are unsure run:
file /sbin/init
And the beginning of the output will be (for 64-bit) something like:
/sbin/init: ELF 64-bit LSB shared object
or for 32-bit:
/sbin/init: ELF 32-bit LSB shared object
The official website does not provide links for specific installations, seeming to force you to choose your version through a .php post form, but you can in fact download the tar directly with a wget command. At the time of writing, to download the 64-bit console only version, run:
sudo wget http://truecrypt.org/download/truecrypt-7.1a-linux-console-x64.tar.gz
Check that 7.1a
is still the current version before you download (see <a href=“http://truecrypt.org/downloads” target=“_blank”>http://truecrypt.org/downloads</a> where the heading currently reads: Latest Stable Version - 7.1a), and substitute the version number in the command if there is a later one. Simply change the x64 to x32 in the command to download the 32-bit version.
To extract the setup file, run
tar xfvz truecrypt-7.1a-linux-console-x64.tar.gz
Again substituting the version number and architecture type if necessary. Don’t worry about where to extract it to: anywhere is fine as the installer will handle the installation path automatically.
Again substituting the version and architecture (last time, I promise), run:
./truecrypt-7.1a-linux-console-x64.tar.gz
And you’ll be guided through the installation. At first, you should see:
TrueCrypt 7.1a Setup
____________________
Installation options:
1) Install truecrypt_7.1a_console_amd64.tar.gz
2) Extract package file truecrypt_7.1a_console_amd64.tar.gz and place it to /tmp
To select, enter 1 or 2:
Enter 1
, and then press Enter
to read the terms and conditions. Hold down your Space
key for a while, if, like most people, you are not actually intent on reading them. (Enter
will also work, but Space
goes page by page instead of line by line).
Type y
to accept the terms, and then press Enter
. You’ll be told about the prerequisites.
FUSE library and tools
device mapper tools
Press Enter to continue.
Which should already be installed on Ubuntu and Debian systems.
Now you’ll see a message about how to uninstall TrueCrypt (The words “Uninstalling TrueCrypt” may be a bit misleading – but don’t worry, they’re just instructions for how to uninstall should you want to do so). Press Enter
to exit the installer. TrueCrypt is now installed on your system.
To interactively create a new encrypted volume, use the command:
truecrypt -c /path/to/volume/directory/volumename
For example, to create a new volume called “mysecrets” in your home directory, run
truecrypt -c /home/mysecrets
Note that the “mysecrets” will be created – it should not be an existing file. You can use any file extension that you want or omit it. Note that TrueCrypt will not create the subpath, so make sure the full subpath exists (in this example, /home/
) and that the file does not (in this example, mysecrets
)
You’ll be asked whether you want to create a “Normal” volume or a “Hidden” one. In this example, we’ll be creating a “Normal” one. A Hidden volume is in essence two TrueCrypt volumes inside each other. These are very useful if someone uses physical force or blackmail to make you open a TrueCrypt volume or give them your password. With a hidden volume, you can pretend to comply, while in reality only giving them access to the outer volume. This is unlikely to be an issue for the average user.
Enter 1
to create a normal volume, and choose a size. e.g., enter:
100M
To create a volume of 100 Megabytes. Use, for example, 5G
to create a 5 Gigabyte volume, or 100K
to create a 100 Kilabyte volume. Think of this volume as a separate storage device, such as a flash drive: whatever size you assign in this step will be its fixed capacity. The larger it is, the longer it will take to create, as it needs to encrypt the entire volume before use, though this isn’t a huge factor as, on my system, creating a volume of 1GB only took a couple of seconds. If you just want to store a few text files (for example, I store all my passwords in a text file inside a TrueCrypt volume) then a few MB will be more than adequate. You cannot create a volume bigger than your storage capacity.
Pick an encryption method. We’ll go with entering 1
again, to have our volume encrypted by AES, and 1
for the next input as well to choose RIPEMD-160 as our hashing algorithm. Any of the three encryption methods and hashing methods is sufficient. For the slightly paranoid, there are options such as Serpent-Twofish-AES
which encrypts the volume using AES, encrypts the output of this (with a different key) with Twofish, and the output of this with Serpent. This means that if any of the three encryption methods is “broken” (that is, a way is found to easily decrypt without the key), then your volume is still safe (unless all three are “broken”). Each of the three encryption methods has an article on Wikipedia, so have a look at these to see the latest attack attempts against each. All seem secure for the time being.
You can then pick from a number of file systems. Pick FAT (2
) for the best compatibility, if you intend on accessing the volume from other systems. Now pick a password – remember that brute-forcing the password is the only vaguely feasible way for other people to access your files, so pick a long password (recommended more than 20 characters) for security. For this demo we’ll go with 1234
as a password. Don’t try this at home.
Enter 1234
, confirm with another Enter
that you’re happy with the password of fewer than 20 characters, and re-enter it for confirmation. You’ll now be prompted for a keyfile path. In this example we will not be using a keyfile, which means that we can access our volume in the future using just the password. Keyfiles are more secure than passwords. You can pick an image, a text file, or any other file you want, and you’ll have to use this file every time you want to access your volume. While this is much more secure than a regular password, it does mean that if you ever lose you keyfile or if it becomes corrupted, you will no longer be able to access your TrueCrypt volume (see <a href=“http://www.truecrypt.org/docs/keyfiles” target=“_blank”>here</a> for more about keyfiles and how to use them).
Now for the fun bit. Mash your keyboard as randomly as possible, entering at least 320 characters. TrueCrypt will use this to create Entropy. Humans are generally terrible at doing anything random – remember to include as many different keys as possible. You can read about the random number generator method used <a href=“http://www.truecrypt.org/docs/random-number-generator” target=“_blank”>here</a>.
Press Enter
and your volume will have been created.
To mount it, use the command:
truecrypt --mount /home/secret
Press Enter
to accept the default mount directory (on Ubuntu /media/truecrypt1/), enter your password, and press Enter
twice more for the other defaults (no key file, no protect hidden volume).
Your encrypted volume is now mounted. Just like a mounted flash drive, you can copy files to and from it while it is mounted, but after dismount they are inaccessible. Move files to your volume with commands such as:
mv secrettextfile.txt /media/truecrypt1/
To dismount the volume use:
truecrypt -d
Which will dismount all mounted volumes. If you get the error
Error: umount: /media/truecrypt1: device is busy.
(In some cases useful info about processes that use
the device is found by lsof(8) or fuser(1))
Then it is very likely that it is simply your terminal that is keeping the device busy
. If you have your terminal open in the location of your volume, change out with
cd ..
And run truecrypt -d
again.
The <a href=“http://www.truecrypt.org/docs/” target=“_blank”>documentation</a> and <a href=“http://www.truecrypt.org/docs/tutorial#Y0” target=“_blank”>tutorials</a> on the official site are exceptionally well-written, clear, and extensive, and they should give you step by step instructions as to all of TrueCrypt’s more advanced uses, should you need them.
<div class=“author”>Submitted by: <a href=“http://techblog.garethdwyer.co.za/”>Gareth Dwyer</a></div>
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Sign up for Infrastructure as a Newsletter.
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
How to have truecrypt on a headless linux fetch a password stored on a vps (offsite) txt file. Example: Power failure, system reboots and auto-mounts containers when power is back. How to have truecrypt fetch password in a txt file on your vps. or vice-versa?
newbie q… have sucessfully installed Truecrypt under Unbuntu 14.04 and Zorin 6 on other PC but on this dual boot W7/Ubuntu, I am getting an error when extracting the file ++++++++++++++++++++++++++++++ gzip: stdin: not in gzip format tar: Child returned status 1 tar: Error is not recoverable: exiting now ++++++++++++++++++++++++++++++++++
any ideas please? Tony
Auto-mounting a TrueCrypt volume would make encrypting anything completely pointless. When a volume is mounted, the files are accessible; when it’s not mounted, it’s not accessible.
This was very useful. One problem I did hit (aside from doing this on CentOS) was I needed to install the device-mapper package.
Now, that I have a truecrypt file created, what is the process to have this automatically mounted at boot time? My assumption is to write a simple init.d script to handle this
Thanks.