TrueCrypt

This page shows the steps to install TrueCrypt, an open-source, cross-platform program for managing encrypted disks. Its main features are the creation of virtual encrypted disks and the encryption of entire partitions. Two volume types with different security levels are available: the normal volume and the hidden volume (see the official website for details).

Requirements
TrueCrypt needs a 2.6.5 kernel (or higher/compatible) with both the device mapper and the loop device enabled. TrueCrypt itself warns when run on a kernel older than 2.6.24, because a bug in those kernels can freeze the system when writing to an encrypted volume. Make sure that the kernel is configured as follows:

Next, recompile and reboot into the new kernel (or just install the new modules if you marked all as modules).
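The options above can be verified against a kernel configuration before rebuilding. The script below is an added example, not part of the wiki page: it checks a .config (or /proc/config.gz) for the options TrueCrypt depends on, namely the device mapper and dm-crypt, the loop device, and the XTS/LRW modes and AES cipher mentioned under "Errors when mounting volumes". The kernel option names are the real ones; the sample configuration file it runs on is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: check a kernel configuration for the options
# TrueCrypt depends on (device mapper, dm-crypt, loop device, XTS/LRW modes, AES).
# Built-in (=y) and module (=m) both count, matching the "install the new modules" note above.

TC_KERNEL_OPTIONS="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_BLK_DEV_LOOP CONFIG_CRYPTO_XTS CONFIG_CRYPTO_LRW CONFIG_CRYPTO_AES"

# read_config FILE: print the config text, decompressing /proc/config.gz-style files
read_config() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# missing_tc_options FILE: print every required option that is neither =y nor =m,
# one per line. Returns 0 when nothing is missing, 1 otherwise (2 if FILE is unreadable).
missing_tc_options() {
    cfg=$(read_config "$1") || return 2
    rc=0
    for opt in $TC_KERNEL_OPTIONS; do
        if ! printf '%s\n' "$cfg" | grep -Eq "^${opt}=(y|m)$"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample .config: dm-crypt as a module, XTS present, LRW forgotten.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_BLK_DEV_LOOP=y
CONFIG_CRYPTO_XTS=m
# CONFIG_CRYPTO_LRW is not set
CONFIG_CRYPTO_AES=y
EOF

if missing=$(missing_tc_options "$SAMPLE_CFG"); then
    echo "kernel config is ready for TrueCrypt"
else
    echo "enable these (built-in or module) before rebuilding the kernel:"
    echo "$missing"
fi
rm -f "$SAMPLE_CFG"
```

On a real system call `missing_tc_options /usr/src/linux/.config` before building, or `missing_tc_options /proc/config.gz` on the running kernel (available only when the kernel was built with CONFIG_IKCONFIG_PROC).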

Install
Add app-crypt/truecrypt to /etc/portage/package.keywords.

Type:

and follow the instructions (they depend on your configuration and package version).

Approximate instructions:

Download the tar.gz source from http://www.truecrypt.org/downloads2.php, rename it to truecrypt-7.1a.tar.gz and put the file in /usr/portage/distfiles/.

Type:

The problem is described here, and the truecrypt-pkcs11.h.bz2 file can be downloaded from the same page.

Create a volume
Simply follow the TrueCrypt assistant:

Create a Linux filesystem on your volume (ext2 is used as an example):

NTFS volume
If you are on TrueCrypt >v6.0 and want to create an NTFS volume, for example using ntfs-3g through FUSE, the sequence of commands will look more like this:

Note where truecrypt mounted the outer volume, e.g.: /dev/loop0 on /mnt/mountpoint type fuseblk (rw,noatime,allow_other,default_permissions,blksize=4096)

For truecrypt 6a, when you want to mount a volume without a filesystem, you must use

so that only the loop device is created. Otherwise truecrypt asks you to "Enter mount directory" and later fails with "Error: mount: you must specify the filesystem type".

Mount your volume; this will ask for the password:

You can also set the mount options, for example to give ownership to a specific user/group:

Unmount the volume (the -d parameter without any other argument dismounts all mounted volumes):

Mount volumes as a normal user
TrueCrypt needs root privileges to work. This procedure allows normal users to use it and also gives them write permission on mounted volumes.

First of all, you must have sudo installed. If not, just type:

Now we have to create a new group called truecrypt and give it the necessary permissions. Any user that belongs to that group will be able to use TrueCrypt.

Use the editor that just opened to append the following lines at the bottom of the configuration file:

Before adding our users to the truecrypt group, we still have to make mounted volumes writable by normal users. To do this, open the system-wide bashrc file:

and add these few lines to it:

You can now add your users to the truecrypt group:

Use the tc alias as a generic truecrypt wrapper (e.g. tc -d [volume] to dismount a volume) and tcm to mount an encrypted volume.

If, after doing the steps above, you do not have access to the partition as a normal user, change the ownership of the folder in which the partition was mounted after mounting it. The steps above did not work for me, and this was the only way I was able to access the partition as a normal user, since the options passed through the -M option to the mount command were not accepted.

Safely unmount and unmap volumes on shutdown
Create /etc/local.d/truecrypt.stop with the following contents (baselayout 2.x only):

If you are using baselayout 1.x add the following line to /etc/conf.d/local.stop:

Mount volume via fstab
Create the following file in /sbin:

Then you can mount your truecrypt device via the following line in fstab:

By adding

Defaults env_keep=DISPLAY
Defaults env_keep+=XAUTHORITY

below

# Reset environment by default
Defaults        env_reset

when running visudo, you also get graphical feedback in truecrypt-5.1a.

Here is an extended version of /sbin/mount.truecrypt:

Now you can mount system volumes and specify the filesystem type like this:

/dev/hda2 is an encrypted system partition (system option) and /dev/hda7 is mounted as an ntfs-3g partition (fs option).
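The following is an added example of such a mount helper, not the wiki's own /sbin/mount.truecrypt script. It assumes the TrueCrypt 7.x command-line flags (-t, -k, --protect-hidden, -m, --filesystem, --fs-options) and the fstab option names system and fs= used in the text; the fstab lines it demonstrates (/dev/hda2 with the system option, /dev/hda7 with fs=ntfs-3g) are the ones described above, with constructed mount points.

```shell
#!/bin/sh
# Added example, not the wiki's own /sbin/mount.truecrypt: a mount helper that mount(8)
# invokes as "mount.truecrypt DEVICE DIR [-n] [-o OPTS]" for fstab entries of type "truecrypt".
# It maps fstab-style options onto TrueCrypt 7.x command-line flags:
#   system    -> -m system            (encrypted system partition)
#   ro        -> -m readonly
#   fs=TYPE   -> --filesystem=TYPE    (e.g. fs=ntfs-3g)
#   anything else (noatime, uid=1000, ...) -> --fs-options=..., handed to the inner mount.
# TrueCrypt prompts for the passphrase itself; set TC_DRY_RUN=1 to print the command only.

# tc_mount_cmd DEVICE DIR OPTS: print the truecrypt command line that would be run
tc_mount_cmd() {
    dev=$1; dir=$2; opts=$3
    tc_opts=""; fs_opts=""; fstype=""
    old_ifs=$IFS; IFS=,                      # split the comma-separated option list
    for o in $opts; do
        case "$o" in
            system)      tc_opts="${tc_opts:+$tc_opts,}system" ;;
            ro)          tc_opts="${tc_opts:+$tc_opts,}readonly" ;;
            fs=*)        fstype=${o#fs=} ;;
            defaults|"") ;;                  # nothing to pass on
            *)           fs_opts="${fs_opts:+$fs_opts,}$o" ;;
        esac
    done
    IFS=$old_ifs
    # -t: text mode, -k "": no keyfiles, --protect-hidden=no: skip the hidden-volume question
    cmd='truecrypt -t -k "" --protect-hidden=no'
    [ -n "$tc_opts" ] && cmd="$cmd -m $tc_opts"
    [ -n "$fstype" ]  && cmd="$cmd --filesystem=$fstype"
    [ -n "$fs_opts" ] && cmd="$cmd --fs-options=$fs_opts"
    echo "$cmd $dev $dir"
}

# main DEVICE DIR [mount flags...]: parse what mount(8) passes and run (or print) the command
main() {
    dev=$1; dir=$2; shift 2
    opts=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -o) opts=${2:-}; [ $# -gt 1 ] && shift ;;
            *)  ;;                           # -n, -v and other mount flags are ignored
        esac
        shift
    done
    cmd=$(tc_mount_cmd "$dev" "$dir" "$opts")
    if [ "${TC_DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        eval "$cmd"
    fi
}

# Installed as /sbin/mount.truecrypt, mount(8) supplies the arguments. Run with no
# arguments, show what the two fstab lines from the text would execute (nothing is mounted):
if [ $# -ge 2 ]; then
    main "$@"
else
    tc_mount_cmd /dev/hda2 /mnt/system system
    tc_mount_cmd /dev/hda7 /mnt/windows fs=ntfs-3g,noatime,uid=1000
fi
```

With this helper an fstab line such as `/dev/hda7 /mnt/windows truecrypt fs=ntfs-3g,noatime 0 0` (a constructed example) makes `mount /mnt/windows` run `truecrypt -t -k "" --protect-hidden=no --filesystem=ntfs-3g --fs-options=noatime /dev/hda7 /mnt/windows`. Options meant for TrueCrypt (system, ro) are kept apart from options meant for the inner filesystem mount, so a typo in one cannot silently land in the other.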

Booting an encrypted partition
When booting from an encrypted partition or disk, the TrueCrypt bootloader shows up and asks for the passphrase. That partition may not be the one booted by default, however. To avoid opening the BIOS boot menu each time to boot the TrueCrypt volume, we create a menu entry in GRUB.

Imagine you use the following partitioning scheme:

To load /dev/sdb1 from GRUB, we need to copy the TrueCrypt bootloader stored in the Master Boot Record to the boot partition:

Now we have to create the appropriate entry in grub.conf:

In this entry, rootnoverify specifies the root partition without trying to mount it (GRUB cannot read the encrypted filesystem). GRUB then chainloads the TrueCrypt bootloader we previously copied to the boot partition. This adds an entry to the GRUB boot menu that boots the TrueCrypt volume.
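The steps above, worked through as an added example that is not the wiki's own set of commands. Since the page's partitioning scheme is not reproduced here, the script assumes one: /dev/sda1 is the boot partition holding GRUB legacy, /dev/sdb1 is the TrueCrypt-encrypted partition, and the copied loader is stored as /boot/truecrypt.mbr. It also assumes, as the text's "bootloader stored in the Master Boot Record" suggests, that copying the first 512-byte sector is sufficient because the loader fetches its remaining sectors from the drive at boot. The function and file names are constructed; the boot-signature check on the copy is a sanity check added here.

```shell
#!/bin/sh
# Added example, not the wiki's own commands. Assumed layout (the page's scheme is not shown):
#   /dev/sda1  boot partition holding GRUB legacy (grub.conf) = (hd0,0)
#   /dev/sdb1  TrueCrypt-encrypted partition to chainload      = (hd1,0)
#   /boot/truecrypt.mbr  the copied first sector of /dev/sdb
# GRUB legacy counts disks and partitions from zero and assumes the BIOS enumerates the
# disks in the same order as the kernel (check /boot/grub/device.map if it does not).

# dev_to_grub /dev/sdXN: print the GRUB legacy name, e.g. /dev/sdb1 -> (hd1,0)
dev_to_grub() {
    disk=${1#/dev/}; disk=${disk#sd}; disk=${disk#hd}
    disk=${disk%%[0-9]*}                 # drive letter, e.g. "b"
    part=${1##*[a-z]}                    # partition number, e.g. "1"
    case "$disk$part" in
        [a-z][0-9]*) ;;
        *) echo "unsupported device name: $1" >&2; return 1 ;;
    esac
    idx=$(printf '%d' "'$disk")          # ASCII code of the letter: a=97, b=98, ...
    echo "(hd$((idx - 97)),$((part - 1)))"
}

# copy_tc_loader DISK DEST: save the first sector of DISK, where the MBR part of the
# TrueCrypt boot loader lives (assumed: the loader reads its other sectors from the drive).
copy_tc_loader() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# mbr_has_boot_signature FILE: 0 if FILE is a boot sector (ends in the 55 AA signature),
# a cheap sanity check before pointing GRUB at the copy
mbr_has_boot_signature() {
    [ "$(wc -c < "$1" | tr -d ' ')" -ge 512 ] || return 1
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# grub_entry TITLE TC_DEVICE BOOT_DEVICE FILE: print the grub.conf stanza. rootnoverify
# sets the root device without mounting it and tells the chainloaded code which BIOS
# drive it is on; the loader file is addressed explicitly on the boot partition, since
# root no longer points there.
grub_entry() {
    tc_dev=$(dev_to_grub "$2") || return 1
    boot_dev=$(dev_to_grub "$3") || return 1
    printf 'title %s\nrootnoverify %s\nchainloader %s%s\n' "$1" "$tc_dev" "$boot_dev" "$4"
}

# Demonstration on a constructed 512-byte boot sector (no disk is read or written):
SAMPLE_MBR=$(mktemp)
{ dd if=/dev/zero bs=510 count=1 2>/dev/null; printf '\125\252'; } > "$SAMPLE_MBR"
if mbr_has_boot_signature "$SAMPLE_MBR"; then
    grub_entry "TrueCrypt volume" /dev/sdb1 /dev/sda1 /truecrypt.mbr
else
    echo "copied sector is not a boot sector" >&2
fi
rm -f "$SAMPLE_MBR"
```

On the real machine the sequence is `copy_tc_loader /dev/sdb /boot/truecrypt.mbr`, `mbr_has_boot_signature /boot/truecrypt.mbr`, then appending the output of `grub_entry "TrueCrypt volume" /dev/sdb1 /dev/sda1 /truecrypt.mbr` to grub.conf. Keeping a verified copy of the loader also gives you a reference to compare the live MBR against later, since that sector is exactly what a boot-time tamper would replace.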

Low transfer speeds
If the transfer speeds are low, try using the noatime option on mount:

Errors when mounting volumes
If TrueCrypt reports that the module ntfs was not found when mounting an NTFS encrypted volume, even though ntfs-3g is installed, you need to specify the file system manually:

If TrueCrypt gives you the error "device-mapper: reload ioctl failed: Invalid argument Command failed" when mounting volumes, you may have forgotten to enable XTS and/or LRW support in the kernel. See Requirements.

If you are sure that XTS and/or LRW support is in the kernel but still get the above error, it may be necessary to disable the kernel cryptographic services when mounting altogether:

Of course you may add any other necessary option on the command line as well. Note that TrueCrypt performance decreases with this option, because the encryption then runs in userspace instead of in the kernel.

Error when unmounting volumes
If TrueCrypt gives you the error "device-mapper: reload ioctl failed: Invalid argument Command failed" when unmounting volumes, you may be suffering from a bug in version 7.0a-r2 (edit: it still persists in version 7.0a-r5). TrueCrypt tries to unmount containers using the corresponding device name (e.g. "umount /dev/mapper/truecrypt1" instead of "umount /media/truecrypt1"), an obsolete method that fails with current versions of ntfs-3g (>=2010.8.8) and other filesystem drivers because of non-canonicalized entries in /etc/mtab. See this page for details. Until TrueCrypt is fixed, you can implement a workaround to safely unmount all containers during shutdown.

Add these lines to /etc/local.d/truecrypt.stop:
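Both the shutdown script from "Safely unmount and unmap volumes on shutdown" and the workaround just described come down to dismounting by mount directory rather than by /dev/mapper device. The script below is an added example of such a truecrypt.stop, not the wiki's own contents: it reads the kernel's /proc/mounts instead of /etc/mtab (so the entries are always canonical), decodes the \040 escapes /proc/mounts uses for spaces in paths, unmounts every directory, and only then asks truecrypt to remove the device mappings. The sample mount table is constructed, and the umount and truecrypt commands can be overridden through the UMOUNT and TRUECRYPT variables, which is how the example runs without real volumes.

```shell
#!/bin/sh
# Added example, not the wiki's own truecrypt.stop: dismount every TrueCrypt volume by its
# mount directory instead of by /dev/mapper/truecryptN, the failure the text describes.
# Reads the kernel's /proc/mounts (always canonical) rather than /etc/mtab.

# tc_mountpoints [MOUNTS_FILE]: print the mount directory of each TrueCrypt volume,
# one per line, decoding the \040-style octal escapes /proc/mounts uses for spaces
tc_mountpoints() {
    while read -r dev mp rest; do
        case "$dev" in
            /dev/mapper/truecrypt[0-9]*) printf '%b\n' "$mp" ;;
        esac
    done < "${1:-/proc/mounts}"
}

# tc_dismount_all [MOUNTS_FILE]: unmount each volume by directory, then let truecrypt
# tear down the device mappings. Returns 0 only if every step succeeded.
# UMOUNT and TRUECRYPT default to the real commands and can be overridden for testing.
tc_dismount_all() {
    umount_cmd=${UMOUNT:-umount}; tc_cmd=${TRUECRYPT:-truecrypt}
    rc=0; found=0
    while IFS= read -r mp; do
        [ -n "$mp" ] || continue
        found=1
        $umount_cmd "$mp" || { echo "could not unmount $mp" >&2; rc=1; }
    done <<EOF
$(tc_mountpoints "$1")
EOF
    # only after every filesystem is gone can truecrypt remove the /dev/mapper entries
    [ "$found" -eq 1 ] && { $tc_cmd -d || rc=1; }
    return $rc
}

# Demonstration on a constructed mount table (no real volume is touched):
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
rootfs / rootfs rw 0 0
/dev/sda3 / ext4 rw,noatime 0 0
/dev/mapper/truecrypt1 /media/truecrypt1 ext2 rw,noatime 0 0
/dev/mapper/truecrypt2 /mnt/my\040volume fuseblk rw,allow_other 0 0
/dev/loop0 /mnt/iso iso9660 ro 0 0
EOF
echo "TrueCrypt volumes currently mounted:"
tc_mountpoints "$SAMPLE"
rm -f "$SAMPLE"
```

As /etc/local.d/truecrypt.stop the file would end with a plain `tc_dismount_all` call instead of the demonstration; the non-zero return value lets the shutdown sequence report a volume that could not be unmounted rather than losing the error.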