Encryption with TrueCrypt
About TrueCrypt
From its Web site, we learn that TrueCrypt is free, open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux. Its more common use would be to create a virtual encrypted disk within a file (called a volume file), and mount it as a real disk. Anyhow, it also implements mechanisms to provide plausible deniability, a hidden volume inside another one, and, of course, the possibility to encrypt an entire partition or storage device. Operating system encryption is supported only on Windows at the moment.
Encryption is automatic, real-time (on-the-fly), and transparent. Regarding this "on-the-fly" property of the way TrueCrypt works, we read in the official documentation:
On-the-fly encryption means that data is automatically encrypted or decrypted right before it is loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. The entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, metadata, etc).
Although more popular on Windows operating systems [1], TrueCrypt runs well on Linux, and its volume files are fully cross-platform. General documentation about how to use the program is mainly focused on the graphical user interface of the Windows version, but information about how it works, encryption algorithms, hash algorithms, technical details, etc. is very complete, and applies also to the Linux version.
License conflicts
As already mentioned, from the official documentation, we know that TrueCrypt is free and open-source software. However, despite several user requests, it has not been included in most popular Linux distributions and repositories, because of some concerns regarding TrueCrypt's collective license.[1] Major Linux distributors consider it non-free; in this post, for example, from a Red Hat representative, it's explained why they think that, even if Fedora complies with all of the conditions and/or obligations imposed by this license, they still would not be protected from a lawsuit from TrueCrypt. For the Fedora official position regarding this issue, you should check this link, and, for Ubuntu, this one.
Anyhow, if you plan to redistribute TrueCrypt, or software based on it, you should probably get some legal help. That being said, you can of course, download the full source code tree and use it as best suits your needs in a private way.
The algorithms
TrueCrypt implements three symmetric block encryption algorithms (also called ciphers, so there are block ciphers, symmetric key ciphers, etc.): AES (for Advanced Encryption Standard), Twofish, and Serpent. The program also can combine the use of ciphers, so, when selecting the algorithm to use, you'll see options like Serpent-AES or Twofish-Serpent. The cryptographic hash functions implemented and available in TrueCrypt are RIPEMD-160, SHA-512, and Whirlpool.
If this does not sound familiar to you, know that a block cipher operates on chunks of data of a fixed length, each one of them is a block. AES, for example, uses blocks 128 bits long. These blocks consist of your input: what you want to cipher, usually plaintext. When a cipher encrypts a block of plaintext, it outputs a transformed block of the same length, and that's called a block of ciphertext. This is done using the key, as another input for the cipher process, which also has to be of a fixed length (up to 256 bits long in Twofish, for example).
Another aspect to take into consideration is that an extra step may be necessary if you are going to encrypt some plaintext larger than the block cipher block size. In these cases, the implementation chooses (this being not part of the algorithm itself) a "mode" of operation. The ciphertext block of the previously encrypted block of plaintext may be combined with the actual plaintext block you are going to encrypt. The mode in which you use an algorithm determines how block processing would be chained, if processing is to be done at all. For the first block, when using a chaining mode, of course you don't have any previous output, so you use what's called an initialization vector (IV), usually made of random data, that you would make as public as the other resulting ciphertext blocks.
The key is not the array of ASCII characters that forms your password - not in recent cryptographic implementations, at least - but the output of a cryptographic hash function applied to that password and a salt.
Cryptographic hash functions can take a block of data of arbitrary size and return a fixed-size output block (128 bits long, for example, for MD5). This output is called the hash value, and sometimes it's referred to as the message digest - the message being the input, or simply the digest. Any change in the input would produce a substantially different hash value.
The salt is a random number generated as part of the input for the hash function, usually simply concatenated to the password, so that the same password does not generate the same hash value. It's as public as the resulting hash, as you'll always need both values to do password comparison. This way it's harder to dictionary-attack a password.
There are standards specifying that the hash function should be applied repeatedly - a minimum of 1000 iterations is recommended in the RSA PKCS5 standard - each time hashing the output or hash of the previous iteration, to finally produce the key bytes to be used as the input key for a symmetric cipher.
Regarding general cryptographic theory, you could check out the online version of the book Handbook of Applied Cryptography. A very brief and basic description of every algorithm follows, but for further reference and a more in-depth discussion of each one, please refer to the references, and as to how they're implemented in TrueCrypt, to the program's technical documentation. Also, remember that block ciphers may be used in different modes of operation. These modes determine the way to chain (or not) outputs from ciphering each individual block of plaintext, when this input is larger than the block size. Recent versions of TrueCrypt use the XTS mode (IEEE 1619 standard).
- Symmetric ciphers available in TrueCrypt:
- AES: Advanced Encryption Standard. It was originally published as Rijndael (1998), a word derived from the authors names: Joan Daemen and Vincent Rijmen. This algorithm was the selected (2001) one in the NIST's AES contest, and so the standard specifies it as a FIPS-approved (FIPS-197) one that may be used by U.S. Government organizations (and others) to protect sensitive information. It has a 128-bit block size, with key sizes of 128, 192, and 256 bits. Rijndael supports other block and key sizes, but the former were the only ones selected for the AES. It's worth noting that it has been analyzed extensively and is used worldwide.[2]
- Serpent: The algorithm was a finalist in the AES contest, and ended up in second place, right after Rijndael. Authors are: Ross Anderson, Eli Biham, and Lars Knudsen. Implements a block size of 128 bits long. Its key size may be 128, 192, or 256 bits long. First published in 1998.
- Twofish: Another finalist in the AES contest. Authored by: Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson. It has a 128-bit block size, and a variable-length key size: a minimum of 8 bits, a maximum of 256 bits, being a multiple of 8 bits. Also published in 1998.
- Cryptographic hash functions available:
- RIPEMD-160: The name stands for RACE Integrity Primitives Evaluation Message Digest. Authors are: Hans Dobbertin, Antoon Bosselaers, and Bart Preneel. It produces a 160-bit-long hash value, but there are other versions of the algorithm, as well (RIPEMD-128, RIPEMD-256, and RIPEMD-320). It was first published in 1996.
- SHA-512: SHA stands for Secure Hash Algorithm. This one belongs to the the SHA-2 family. These functions were designed by the NSA, and published by the NIST as a U.S. FIPS, in 2001. As you may already guessed, SHA-512 generates a 512-bit-long hash.
- Whirlpool: From one of Rijndael authors, Vincent Rijmen, and Paulo S. L. M. Barreto. Published in 2000. It produces a 512-bit-long hash value.
Installation
We are going to build and install the latest version of TrueCrypt from source (latest version being 6.2a at the time of this writing, released June 15, 2009). You could also download .deb and .rpm packages, for Ubuntu and OpenSUSE respectively, from TrueCrypt's Web site. Of course, you could go that way if you have one of the two supported Linux distributions. If not, or if you're running one of these but prefer compiling the software you will use on your own system, you should download the source code for Linux/MacOS, and continue reading this installation section. Note: the .zip package of the source code does not contain the same files; if you encounter a Microsoft Visual Studio solution file (.sln) instead of a Makefile, you have downloaded the Windows version.
The documentation tells us that our system should meet the following requirements for building the software:
- GNU Make
- GNU C++ Compiler 4.0 or compatible
- pkg-config
- wxWidgets 2.8 shared library and header files installed or wxWidgets 2.8 library source code (available at http://www.wxwidgets.org)
- FUSE library and header files (available at http://fuse.sourceforge.net and http://code.google.com/p/macfuse)
- RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) 2.20 header files (available at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20) located in a standard include path, or in a directory defined by the environment variable 'PKCS11_INC'.
Depending on your Linux distribution, you may already meet most of these requirements. (Surely not all of them in default Linux installations, I'm afraid.) You should, of course, install from distribution packages or source, as you prefer. The components you'll less likely have are FUSE and the RSA header files. Also, wxWidgets, if you didn't need it before. Some quick hints and notes before the step-by-step installation procedure:
- If you download FUSE distribution packages, remember to download the "fuse" or "libfuse" and "libfuse-devel" packages for your distribution.
- Also consider that you'll need kernel sources if you are compiling FUSE; the package name in most distributions is named "kernel-devel"
- The main RSA header file (pkcs11.h) includes source code comments indicating that some code should be uncommented before use; don't do that, because there's no need. The file Common/SecurityToken.h in TrueCrypt's source has all the #define lines needed.
- If you'll build a NOGUI version of TrueCrypt (that is, the NO Graphical User Interface executable), as we are going to be doing in this "by example" article, note you still should download the wxWidgets library source code. However, installing them is not necessary.
Step-by-step installation instructions follow. The only assumption made is that the files "TrueCrypt 6.2a Source.tar.gz" and "wxX11-2.8.10.tar.gz" have been placed in the /tmp directory. TrueCrypt's Web site does not seem to provide a public direct link for download, and the wx libraries' source code is hosted on Sourceforge, so you should download those files with your Web browser. PKCS #11 include files will be downloaded with the wget command. Finally, not all commands need root access, but, in the examples, I've logged in as root.
[root@w2 ~]# [root@w2 ~]# cd /tmp [root@w2 tmp]# mkdir pkcs11 [root@w2 tmp]# cd pkcs11 [root@w2 pkcs11]# wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11.h [root@w2 pkcs11]# wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11f.h [root@w2 pkcs11]# wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11t.h [root@w2 pkcs11]# cd .. [root@w2 tmp]# tar xvfz wxX11-2.8.10.tar.gz [root@w2 tmp]# tar xvfz "TrueCrypt 6.2a Source.tar.gz" [root@w2 tmp]# cd truecrypt-6.2a-source/ [root@w2 truecrypt-6.2a-source]# export PKCS11_INC=/tmp/pkcs11 [root@w2 truecrypt-6.2a-source]# make NOGUI=1 WX_ROOT=/tmp/wxX11-2.8.10 wxbuild [root@w2 truecrypt-6.2a-source]# make NOGUI=1 WXSTATIC=1 [root@w2 truecrypt-6.2a-source]# cd Main [root@w2 Main]# ./truecrypt --test [root@w2 Main]# cp truecrypt /usr/local/bin/
Note: after executing truecrypt with the --test option, you should see
Self-tests of all algorithms passed
. The TrueCrypt compiled
binary is copied to a system directory manually, because the Makefile
does not provide an "install" target.[3]
Before you begin...
Now, again according to the documentation, some requirements should be met by our Linux system for running TrueCrypt:
- Kernel, including FUSE, device mapper, and encryption modules
- FUSE library (available at http://fuse.sourceforge.net)
- device mapper tools (available at http://sources.redhat.com/dm)
As mentioned before, you may already have most of this software in your "modern" Linux distribution installation. Also, FUSE for example should have been installed for the compiling process. Take into account also that recent Linux kernels already include FUSE. If your system lacks some component, follow the links described in the official documentation, or search the Internet for the corresponding packages for your distribution.
When done, check that the FUSE kernel module loads; if that goes well, you should be OK.
[root@w2 tmp]# modprobe fuse
Command-line options
The official documentation regarding command-line options applies only to the Windows version of TrueCrypt. So, before going on with a couple of examples on using this software, I'll copy and paste here the output of what the documentation tells us to do, if we want to know how to execute TrueCrypt and are on Linux or MacOS; that is, use the "-h" option. Also, this is a fairly good way of getting an idea of what a program can do.
[root@w2 tmp]# truecrypt -h Usage: truecrypt [--auto-mount <str>] [--backup-headers] [--background-task] [-C] [-c] [--create-keyfile] [--delete-token-keyfiles] [-d] [--encryption <str>] [--explore] [--filesystem <str>] [-f] [--fs-options <str>] [--hash <str>] [-h] [--import-token-keyfiles] [-k <str>] [-l] [--list-token-keyfiles] [--load-preferences] [--mount] [-m <str>] [--new-keyfiles <str>] [--new-password <str>] [--non-interactive] [-p <str>] [--protect-hidden <str>] [--protection-keyfiles <str>] [--protection-password <str>] [--random-source <str>] [--restore-headers] [--quick] [--size <str>] [--slot <str>] [--test] [-t] [--token-lib <str>] [-v] [--version] [--volume-properties] [--volume-type <str>] [Volume path] [Mount point] --auto-mount=<str> Auto mount device-hosted/favorite volumes --backup-headers Backup volume headers --background-task Start Background Task -C, --change Change password or keyfiles -c, --create Create new volume --create-keyfile Create new keyfile --delete-token-keyfiles Delete security token keyfiles -d, --dismount Dismount volume --encryption=<str> Encryption algorithm --explore Open explorer window for mounted volume --filesystem=<str> Filesystem type -f, --force Force mount/dismount/overwrite --fs-options=<str> Filesystem mount options --hash=<str> Hash algorithm -h, --help Display detailed command line help --import-token-keyfiles Import keyfiles to security token -k, --keyfiles=<str> Keyfiles -l, --list List mounted volumes --list-token-keyfiles List security token keyfiles --load-preferences Load user preferences --mount Mount volume interactively -m, --mount-options=<str> TrueCrypt volume mount options --new-keyfiles=<str> New keyfiles --new-password=<str> New password --non-interactive Do not interact with user -p, --password=<str> Password --protect-hidden=<str> Protect hidden volume --protection-keyfiles=<str> Keyfiles for protected hidden volume --protection-password=<str> Password for protected hidden volume --random-source=<str> Use file as source of random data --restore-headers Restore volume headers --quick Enable quick format --size=<str> Size in bytes --slot=<str> Volume slot number --test Test internal algorithms -t, --text Use text user interface --token-lib=<str> Security token library -v, --verbose Enable verbose output --version Display version information --volume-properties Display volume properties --volume-type=<str> Volume type
Option details and some simple usage examples are also printed, following this list of command-line options. I'll include in the following section a couple of standard examples, but with their output, so you can see exactly how it works.
Encrypting
Now, we are going to create example volume files, and mount them. These are the files that are encrypted and decrypted "on the fly" when mounted. You can think of them as read/write .iso files, for example, but you won't be using the mount command; you'll use the TrueCrypt binary, instead. When you work inside the mounted "partition", encryption (and decryption, of course) takes place automatically.
The first thing we are doing, then, is to create a 5 MB standard volume file. Note we're using the "-t" option, which stands for "Use text user interface", and the "-c" one, for "Create new volume". This way, we will be asked for all the information needed to create the volume. We could, as expected, use other command-line options to determine some of this information, but I think it's clearer in this manner.
[root@w2 tmp]# [root@w2 tmp]# mkdir tests [root@w2 tmp]# cd tests/ [root@w2 tests]# [root@w2 tests]# truecrypt -t -c Volume type: 1) Normal 2) Hidden Select [1]: 1 Enter volume path: /tmp/tests/file.tc Enter volume size (sizeK/size[M]/sizeG): 5M Encryption algorithm: 1) AES 2) Serpent 3) Twofish 4) AES-Twofish 5) AES-Twofish-Serpent 6) Serpent-AES 7) Serpent-Twofish-AES 8) Twofish-Serpent Select [1]: 1 Hash algorithm: 1) RIPEMD-160 2) SHA-512 3) Whirlpool Select [1]: 1 Filesystem: 1) FAT 2) None Select [1]: 1 Enter password: WARNING: Short passwords are easy to crack using brute force techniques! We recommend choosing a password consisting of more than 20 characters. Are you sure you want to use a short password? (y=Yes/n=No) [No]: y Re-enter password: Enter keyfile path [none]: Please type at least 320 randomly chosen characters and then press Enter: Characters remaining: 247 Characters remaining: 57 Done: 100,000% Speed: 782 KB/s Left: 0 s The TrueCrypt volume has been successfully created. [root@w2 tests]#
We can see the file was created with the indicated size. (The program adds a header, but it's relatively small.)
[root@w2 tests]# ls -la total 5208 drwxr-xr-x 2 root root 4096 jul 4 21:03 . drwxrwxrwt 9 root root 65536 jul 4 21:01 .. -rw------- 1 root root 5242880 jul 4 21:04 file.tc [root@w2 tests]#
Having the volume file created, now we are going to mount it and create a test file in it. We'll create a temporary directory for its mount point, for testing purposes.
[root@w2 tests]# mkdir mount_point [root@w2 tests]# truecrypt -t file.tc /tmp/tests/mount_point
At this point, you may get a warning message:
Warning: Your system uses an old version of the Linux kernel. Due to a bug in the Linux kernel, your system may stop responding when writing data to a TrueCrypt volume. This problem can be solved by upgrading the kernel to version 2.6.24 or later.
If you properly installed FUSE and required components, you can safely disregard this message, and the rest of the mounting process should continue without any trouble.
Enter password for /tmp/tests/file.tc: Enter keyfile [none]: Protect hidden volume (if any)? (y=Yes/n=No) [No]: [root@w2 tests]#
Let's create a test file now, and then unmount the volume. The "-d" command-line option unmounts all of TrueCrypt's currently mounted filesystems.
[root@w2 tests]# ls file.tc mount_point [root@w2 tests]# cd mount_point/ [root@w2 mount_point]# ls -la total 20 drwx------ 2 root root 16384 ene 1 1970 . drwxr-xr-x 3 root root 4096 jul 4 22:32 .. [root@w2 mount_point]# cat > secret.txt This is a secret test. [root@w2 mount_point]# cat secret.txt This is a secret test. [root@w2 mount_point]# cd .. [root@w2 tests]# truecrypt -d [root@w2 tests]# ls mount_point [root@w2 tests]#
The use of keyfiles may add an important security enhancement to the process: It will be combined with the password in encryption and decryption. Just for testing, we will use a compressed file; the documentation recommends this kind of file (mp3, for example) and also randomly generated ones. You may think of it as a private key. You can of course use a public available file, but that's the secret you should only share with people with whom you also share the password. It will serve as a sort of source of random data.
[root@w2 tests]# truecrypt -t -c Volume type: 1) Normal 2) Hidden Select [1]: 1 Enter volume path: volume2.tc Enter volume size (sizeK/size[M]/sizeG): 1M Encryption algorithm: 1) AES 2) Serpent 3) Twofish 4) AES-Twofish 5) AES-Twofish-Serpent 6) Serpent-AES 7) Serpent-Twofish-AES 8) Twofish-Serpent Select [1]: 1 Hash algorithm: 1) RIPEMD-160 2) SHA-512 3) Whirlpool Select [1]: 2 Filesystem: 1) FAT 2) None Select [1]: 1 Enter password: WARNING: Short passwords are easy to crack using brute force techniques! We recommend choosing a password consisting of more than 20 characters. Are you sure you want to use a short password? (y=Yes/n=No) [No]: y Re-enter password: Enter keyfile path [none]: ../fuse-2.7.4.tar.gz Enter keyfile path [finish]: Please type at least 320 randomly chosen characters and then press Enter: Characters remaining: 40 Done: 100,000% Speed: 267 KB/s Left: 0 s The TrueCrypt volume has been successfully created. [root@w2 tests]#
Mounting is also done in the expected way. I'll not specify the keyfile first, to show the how the program indicates that there's a problem. Note that the password was correct.
[root@w2 tests]# mkdir mount_point2 [root@w2 tests]# truecrypt -t volume2.tc mount_point2 Enter password for /tmp/tests/volume2.tc: Enter keyfile [none]: Protect hidden volume (if any)? (y=Yes/n=No) [No]: Incorrect password or not a TrueCrypt volume. Enter password for /tmp/tests/volume2.tc: Protect hidden volume (if any)? (y=Yes/n=No) [No]: Incorrect password or not a TrueCrypt volume. [CTRL-C] [root@w2 tests]# [root@w2 tests]# truecrypt -t volume2.tc mount_point2 Enter password for /tmp/tests/volume2.tc: Enter keyfile [none]: ../fuse-2.7.4.tar.gz Enter keyfile [finish]: Protect hidden volume (if any)? (y=Yes/n=No) [No]: [root@w2 tests]#
Finally
As you could see from the examples, TrueCrypt's command-line mode is not complicated at all. It's a powerful tool to rapidly secure files using strong cryptography and easily move them around. (The volume file may be copied to a pen drive, and then be mounted on a Windows system, for example.) It runs on Linux, it's well documented, it's free, and you have access to its source code. From a cryptographic point of view, the implementation of robust, modern, and well known algorithms, the lifetime of the program, and its popularity, may give you some confidence.
References
- TrueCrypt's statistics http://www.truecrypt.org/statistics
[1] Rick Moen comments: A close reading of the current TrueCrypt License Version 2.7 suggests, in my opinion as a software licensing geek, that TrueCrypt Foundation has now managed to fix all the problems cited by Red Hat Legal (relayed by Tom Calloway), the Ubuntu packagers, Debian developers, and Gentoo developers.
The cited Fedora wiki page still claims that the licence is still proprietary, but that judgement seems (my best guess) to concern an earlier licence version, probably 2.5.
TrueCrypt License remains unapproved by OSI (because it's Yet Another Regrettable One-Off Licence, and more to the point hasn't been submitted for certification), but in its latest version nonetheless appears to be fully compliant with the Open Source Definition.
[2] Rick Moen comments: This testing is one of the best arguments for AES/Rijndael, and the reasons why are worth elaborating on. Elsewhere in software, it's often assumed that newer algorithms are better, so new ciphers ought, in general, to be more trustworthy. In cryptography, though, it's the other way around. New ciphers, however impressive their specifications and design might be, are treated warily in favour of well-tested alternatives, the older the better. Thus, in the competition that led to the selection of Rijndael as the Advanced Encryption Standard, Bruce Schneier's Twofish algorithm seemed, superficially, to have the edge on his earlier Blowfish cipher -- but, in fact, Blowfish is more-trusted of the two, as it's withstood much more, more varied, and more protracted attacks by expert cryptographers, without breaking.
[3] René Pfeiffer comments: It is a good practice to download, uncompress, and compile everything with a different user than root. You need root privileges only for installing the software. On every system, I have a build user that prepares everything; root only installs it. Be aware that most Makefiles and configure scripts consist of code that runs on your machine. Nobody's perfect, and, if these scripts fail, the damage will be less if you use a dedicated build user account with no privileges.
Talkback: Discuss this article with The Answer Gang
Ariel Maiorano works as an IT consultant at m-sistemas studio from Argentina. He holds a degree in computer science and is primarily involved in developing security and web-based solutions. He first started using Linux with Slackware distribution, almost fifteen years ago.