Tutorial

How to Install TrueCrypt (CLI) on Linux

Published on March 17, 2014
Default avatar

By Gareth Dwyer

Founder @ ritza.co

How to Install TrueCrypt (CLI) on Linux

Warning: TrueCrypt is no longer maintained. Using TrueCrypt is not secure as it may contain unfixed security issues. The TrueCrypt website has instructions on how to migrate away from their tool.

What is TrueCrypt and is it really secure?

If you’re worried about the recent NSA scandals and want to maintain some privacy, or simply want to keep your data safe and secure, then the free and open source <a href=“http://truecrypt.org” target=“_blank”>TrueCrypt</a> is an ideal option. TrueCrypt allows you to encrypt files in virtual volumes, and even create <a href=“http://www.truecrypt.org/docs/hidden-volume” target=“_blank”>‘hidden’</a> volumes, so in the case that you are forced to reveal your password, you can still maintain the security of your data.

Reading the official documentation of TrueCrypt gives the impression that the author is highly paranoid, which is a positive trait when it comes to security. As TrueCrypt is open source, it seems unlikely that it would be able to include a backdoor, and yet with backdoors being found <a href=“http://www.theverge.com/2013/9/20/4751364/rsa-tells-developers-to-stop-using-encryption-with-suspected-nsa-backdoor” target=“_blank”>left</a>, <a href=“http://arstechnica.com/security/2013/09/new-york-times-provides-new-details-about-nsa-backdoor-in-crypto-spec/” target=“_blank”>right<a/>, and <a href=“http://www.technobuffalo.com/2013/08/22/nsa-windows-8-exploit/” target=“_blank”> centre</a>, there is of course the possibility that there are backdoors in TrueCrypt too. However, it’s very unlikely: it has gotten a lot of attention recently, and no one has found anything yet. A foundation has been set up to fully audit it: <a href=“http://istruecryptauditedyet.com/” target=“_blank”> (here)</a> and Xavier de Carné de Carnavalet claims to have compiled the source against the binaries and found a perfect match <a href=“https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/” target=“_blank”>(here)</a>.

TrueCrypt provides many different encryption methods. At the time of writing, you can choose between the following when creating a new encrypted volume:

  1. AES

  2. Serpent

  3. Twofish

  4. AES-Twofish

  5. AES-Twofish-Serpent

  6. Serpent-AES

  7. Serpent-Twofish-AES

  8. Twofish-Serpent

Downloading and Installing

Version

We’ll be installing the “console-only” version of TrueCrypt for Linux. There are 32 and 64 bit versions available, so choose the correct one depending on your system. If you are unsure run:

file /sbin/init

And the beginning of the output will be (for 64-bit) something like:

/sbin/init: ELF 64-bit LSB shared object

or for 32-bit:

/sbin/init: ELF 32-bit LSB shared object

The official website does not provide links for specific installations, seeming to force you to choose your version through a .php post form, but you can in fact download the tar directly with a wget command. At the time of writing, to download the 64-bit console only version, run:

sudo wget http://truecrypt.org/download/truecrypt-7.1a-linux-console-x64.tar.gz

Check that 7.1a is still the current version before you download (see <a href=“http://truecrypt.org/downloads” target=“_blank”>http://truecrypt.org/downloads</a> where the heading currently reads: Latest Stable Version - 7.1a), and substitute the version number in the command if there is a later one. Simply change the x64 to x32 in the command to download the 32-bit version.

Extract

To extract the setup file, run

tar xfvz truecrypt-7.1a-linux-console-x64.tar.gz

Again substituting the version number and architecture type if necessary. Don’t worry about where to extract it to: anywhere is fine as the installer will handle the installation path automatically.

Install

Again substituting the version and architecture (last time, I promise), run:

./truecrypt-7.1a-linux-console-x64.tar.gz

And you’ll be guided through the installation. At first, you should see:

TrueCrypt 7.1a Setup
____________________


Installation options:

 1) Install truecrypt_7.1a_console_amd64.tar.gz

 2) Extract package file truecrypt_7.1a_console_amd64.tar.gz and place it to /tmp

To select, enter 1 or 2:

Enter 1, and then press Enter to read the terms and conditions. Hold down your Space key for a while, if, like most people, you are not actually intent on reading them. (Enter will also work, but Space goes page by page instead of line by line).

Type y to accept the terms, and then press Enter. You’ll be told about the prerequisites.

Requirements for Running TrueCrypt:

  • FUSE library and tools

  • device mapper tools

Press Enter to continue.

Which should already be installed on Ubuntu and Debian systems.

Now you’ll see a message about how to uninstall TrueCrypt (The words “Uninstalling TrueCrypt” may be a bit misleading – but don’t worry, they’re just instructions for how to uninstall should you want to do so). Press Enter to exit the installer. TrueCrypt is now installed on your system.

Usage

create a volume

To interactively create a new encrypted volume, use the command:

truecrypt -c /path/to/volume/directory/volumename

For example, to create a new volume called “mysecrets” in your home directory, run

truecrypt -c /home/mysecrets

Note that the “mysecrets” will be created – it should not be an existing file. You can use any file extension that you want or omit it. Note that TrueCrypt will not create the subpath, so make sure the full subpath exists (in this example, /home/) and that the file does not (in this example, mysecrets)

You’ll be asked whether you want to create a “Normal” volume or a “Hidden” one. In this example, we’ll be creating a “Normal” one. A Hidden volume is in essence two TrueCrypt volumes inside each other. These are very useful if someone uses physical force or blackmail to make you open a TrueCrypt volume or give them your password. With a hidden volume, you can pretend to comply, while in reality only giving them access to the outer volume. This is unlikely to be an issue for the average user.

Enter 1 to create a normal volume, and choose a size. e.g., enter:

100M

To create a volume of 100 Megabytes. Use, for example, 5G to create a 5 Gigabyte volume, or 100K to create a 100 Kilabyte volume. Think of this volume as a separate storage device, such as a flash drive: whatever size you assign in this step will be its fixed capacity. The larger it is, the longer it will take to create, as it needs to encrypt the entire volume before use, though this isn’t a huge factor as, on my system, creating a volume of 1GB only took a couple of seconds. If you just want to store a few text files (for example, I store all my passwords in a text file inside a TrueCrypt volume) then a few MB will be more than adequate. You cannot create a volume bigger than your storage capacity.

Pick an encryption method. We’ll go with entering 1 again, to have our volume encrypted by AES, and 1 for the next input as well to choose RIPEMD-160 as our hashing algorithm. Any of the three encryption methods and hashing methods is sufficient. For the slightly paranoid, there are options such as Serpent-Twofish-AES which encrypts the volume using AES, encrypts the output of this (with a different key) with Twofish, and the output of this with Serpent. This means that if any of the three encryption methods is “broken” (that is, a way is found to easily decrypt without the key), then your volume is still safe (unless all three are “broken”). Each of the three encryption methods has an article on Wikipedia, so have a look at these to see the latest attack attempts against each. All seem secure for the time being.

You can then pick from a number of file systems. Pick FAT (2) for the best compatibility, if you intend on accessing the volume from other systems. Now pick a password – remember that brute-forcing the password is the only vaguely feasible way for other people to access your files, so pick a long password (recommended more than 20 characters) for security. For this demo we’ll go with 1234 as a password. Don’t try this at home.

Enter 1234, confirm with another Enter that you’re happy with the password of fewer than 20 characters, and re-enter it for confirmation. You’ll now be prompted for a keyfile path. In this example we will not be using a keyfile, which means that we can access our volume in the future using just the password. Keyfiles are more secure than passwords. You can pick an image, a text file, or any other file you want, and you’ll have to use this file every time you want to access your volume. While this is much more secure than a regular password, it does mean that if you ever lose you keyfile or if it becomes corrupted, you will no longer be able to access your TrueCrypt volume (see <a href=“http://www.truecrypt.org/docs/keyfiles” target=“_blank”>here</a> for more about keyfiles and how to use them).

Now for the fun bit. Mash your keyboard as randomly as possible, entering at least 320 characters. TrueCrypt will use this to create Entropy. Humans are generally terrible at doing anything random – remember to include as many different keys as possible. You can read about the random number generator method used <a href=“http://www.truecrypt.org/docs/random-number-generator” target=“_blank”>here</a>.

Press Enter and your volume will have been created.

mounting a volume

To mount it, use the command:

truecrypt --mount /home/secret

Press Enter to accept the default mount directory (on Ubuntu /media/truecrypt1/), enter your password, and press Enter twice more for the other defaults (no key file, no protect hidden volume).

Your encrypted volume is now mounted. Just like a mounted flash drive, you can copy files to and from it while it is mounted, but after dismount they are inaccessible. Move files to your volume with commands such as:

mv secrettextfile.txt /media/truecrypt1/

dismounting a volume

To dismount the volume use:

truecrypt -d

Which will dismount all mounted volumes. If you get the error

Error: umount: /media/truecrypt1: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))

Then it is very likely that it is simply your terminal that is keeping the device busy. If you have your terminal open in the location of your volume, change out with

cd ..

And run truecrypt -d again.

Further Information

The <a href=“http://www.truecrypt.org/docs/” target=“_blank”>documentation</a> and <a href=“http://www.truecrypt.org/docs/tutorial#Y0” target=“_blank”>tutorials</a> on the official site are exceptionally well-written, clear, and extensive, and they should give you step by step instructions as to all of TrueCrypt’s more advanced uses, should you need them.

<div class=“author”>Submitted by: <a href=“http://techblog.garethdwyer.co.za/”>Gareth Dwyer</a></div>

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about us


About the authors
Default avatar

Founder @ ritza.co

I’m a software engineer, writer, and mentor. On a mission to make high quality technical educational materials free for everyone.

https://ritza.co

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
4 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

How to have truecrypt on a headless linux fetch a password stored on a vps (offsite) txt file. Example: Power failure, system reboots and auto-mounts containers when power is back. How to have truecrypt fetch password in a txt file on your vps. or vice-versa?

newbie q… have sucessfully installed Truecrypt under Unbuntu 14.04 and Zorin 6 on other PC but on this dual boot W7/Ubuntu, I am getting an error when extracting the file ++++++++++++++++++++++++++++++ gzip: stdin: not in gzip format tar: Child returned status 1 tar: Error is not recoverable: exiting now ++++++++++++++++++++++++++++++++++

any ideas please? Tony

Auto-mounting a TrueCrypt volume would make encrypting anything completely pointless. When a volume is mounted, the files are accessible; when it’s not mounted, it’s not accessible.

This was very useful. One problem I did hit (aside from doing this on CentOS) was I needed to install the device-mapper package.

Now, that I have a truecrypt file created, what is the process to have this automatically mounted at boot time? My assumption is to write a simple init.d script to handle this

Thanks.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel