Linux and Truecrypt - Plausible Deniability


Postby foldingstock » Sat Aug 18, 2007 11:03 pm

Original guide located at: http://theowned.org/news.php?item.30.5


*DISCLAIMER: Some countries have regulations on the use of cryptographic systems; it may be unlawful to use the following encryption setup in these countries. Please do the proper research before reading on.


In the following recipe, I will detail how to set up an encrypted Ubuntu Linux system using Truecrypt. If you follow each step of this guide, the result will be a system that has an encrypted /home, /tmp, /var, and /usr filesystem. Why would you want to encrypt all of these partitions, instead of just your home directory, or a folder within your home directory? There are many programs that store browser cache, password hashes, temporary files, etc. in /tmp, /var, and /usr. By encrypting all of these partitions, you can rest a little easier. Let's begin, shall we?


Ingredients:

Ubuntu 7.04 installation, or equiv (although directions may need to be changed to fit your OS and system specs)
Internet Access (should be understood)
A Knoppix or equiv live-cd

Directions:

Pour installation cd into computer, allow to sit until installation begins. Modify partition layout as follows:

---------------------------------------------------------------------------------
/dev/sda1 Swap = 512MB - 2GB
/dev/sda2 Root (/) = 10GB
/dev/sda3 Enc (/enc) = 70GB (the rest of the disk, hopefully over 20GB, and in my case, 70GB)
---------------------------------------------------------------------------------


Install system, and boot.

Download Truecrypt installation package: http://www.truecrypt.org/downloads.php

Extract the contents of truecrypt-4.3a-ubuntu-7.04-x86.tar.gz (please note if you are not using Ubuntu, you will have to download and compile the source tarball). Cd to the newly created directory, and use "dpkg" to install truecrypt. (dpkg will need to be run as root, "sudo dpkg -i ./truecrypt_4.3a-0_i386.deb")


Ensure truecrypt was installed correctly:

---------------------------------------------------------------------------------
# which truecrypt
/usr/bin/truecrypt
---------------------------------------------------------------------------------


Please note Ubuntu comes with the dmsetup (device mapper) package by default. If you are using a different distro, you may need to install dmsetup.

Before we go any further, PLEASE unmount the partition you plan to encrypt. If you go any further without unmounting the partition, you will damage the filesystem and will not be able to mount it after you encrypt it.

---------------------------------------------------------------------------------
# umount /dev/sda3
---------------------------------------------------------------------------------



Run truecrypt (as root) to begin the encryption process:

---------------------------------------------------------------------------------
# truecrypt -c
Volume type:
1) Normal
2) Hidden
Select [1]: 1

Enter file or device path for new volume: /dev/sda3

Filesystem:
1) FAT
2) None
Select [1]: 2

Enter volume size (bytes - size/sizeK/sizeM/sizeG): 70G

Hash algorithm:
1) RIPEMD-160
2) SHA-1
3) Whirlpool
Select [1]: 2

Encryption algorithm:
1) AES
2) Blowfish
3) CAST5
4) Serpent
5) Triple DES
6) Twofish
7) AES-Twofish
8) AES-Twofish-Serpent
9) Serpent-AES
10) Serpent-Twofish-AES
11) Twofish-Serpent
Select [1]: 2

Enter password for new volume 'test': ****** (choose a password, which we will call "password a")
Re-enter password: ******

Enter keyfile path [none]:

Is your mouse connected directly to computer where TrueCrypt is running? [Y/n]: y

Please move the mouse randomly until the required amount of data is captured...
Mouse data captured: 100% stir vigorously

Done: 10.00 MB Speed: 2.66 MB/s Left: 0:00:00
Volume created.

#

Now let's activate the drive.

# truecrypt /dev/sda3
Enter password for '/home/clown/encrypt/test': (enter password a)
#
# ls /dev/mapper
control truecrypt0
# mkfs.ext2 /dev/mapper/truecrypt0
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
2560 inodes, 10236 blocks
511 blocks (4.99%) reserved for the super user
First data block=1
Maximum filesystem blocks=10485760
2 block groups
8192 blocks per group, 8192 fragments per group
1280 inodes per group
Superblock backups stored on blocks:
8193

Writing inode tables: done
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 20 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

# mount /dev/mapper/truecrypt0 /mnt
#
---------------------------------------------------------------------------------


Before proceeding to the next step, let's unmount the encrypted volume and turn it off:

---------------------------------------------------------------------------------
# umount /dev/mapper/truecrypt0
# truecrypt -d
---------------------------------------------------------------------------------


Now, it's time to add a little spice to our recipe.

---------------------------------------------------------------------------------
# truecrypt -c
Volume type:
1) Normal
2) Hidden
Select [1]: 2

Enter file or device path for new volume: /dev/sda3

Filesystem:
1) FAT
2) None
Select [1]: 2

Enter volume size (bytes - size/sizeK/sizeM/sizeG): 65G (please note this size must be slightly smaller than the original encrypted partition we created earlier)

Hash algorithm:
1) RIPEMD-160
2) SHA-1
3) Whirlpool
Select [1]: 2

Encryption algorithm:
1) AES
2) Blowfish
3) CAST5
4) Serpent
5) Triple DES
6) Twofish
7) AES-Twofish
8) AES-Twofish-Serpent
9) Serpent-AES
10) Serpent-Twofish-AES
11) Twofish-Serpent
Select [1]: 8

Enter password for new volume 'test': ******** (choose a different password than before, which we will call "password b")
Re-enter password: ********

Enter keyfile path [none]:

Is your mouse connected directly to computer where TrueCrypt is running? [Y/n]: y

Please move the mouse randomly until the required amount of data is captured...
Mouse data captured: 100% stir vigorously

Done: 10.00 MB Speed: 2.66 MB/s Left: 0:00:00
Volume created.

#

Now let's activate the drive.

# truecrypt /dev/sda3
Enter password for '/home/clown/encrypt/test': (enter password b)
#
# ls /dev/mapper
control truecrypt0
# mkfs.ext2 /dev/mapper/truecrypt0
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
2560 inodes, 10236 blocks
511 blocks (4.99%) reserved for the super user
First data block=1
Maximum filesystem blocks=10485760
2 block groups
8192 blocks per group, 8192 fragments per group
1280 inodes per group
Superblock backups stored on blocks:
8193

Writing inode tables: done
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 20 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

# mount /dev/mapper/truecrypt0 /mnt
#
---------------------------------------------------------------------------------


You should notice a size difference depending on which password you use. When you enter password a, you are accessing the first partition we created, which is less secure. When you enter password b, you are accessing the second partition we created, which is quite secure.

You will need to create the following file /etc/init.d/truecrypt.sh (click the link to download):

---------------------------------------------------------------------------------

>truecrypt.sh<

---------------------------------------------------------------------------------


Please note some parts of the above script will need to be edited to fit your system. Specifically, the line:

/usr/bin/truecrypt /dev/sda3

Once you have this file in /etc/init.d, make it executable on boot:

---------------------------------------------------------------------------------
# chmod +x /etc/init.d/truecrypt.sh
# update-rc.d truecrypt.sh start 20 S .
---------------------------------------------------------------------------------


*IMPORTANT: please include the trailing "." after the "S".

Now we will need to set the system to use this new, secured partition. First things first, reboot into single-user (failsafe) mode, and mount /dev/mapper/truecrypt0 to /enc (be sure to use password b).

Once it is mounted, run the following script as root (click the link to download):

---------------------------------------------------------------------------------

>buildsafe.sh<

---------------------------------------------------------------------------------


Allow to simmer until done. Now edit /etc/fstab, and add the following /usr entry:

---------------------------------------------------------------------------------

/dev/mapper/truecrypt0 /usr ext3 defaults 0 0

---------------------------------------------------------------------------------


Now edit /boot/grub/menu.lst, and delete the "quiet" and "splash" entries:

---------------------------------------------------------------------------------
title Ubuntu, kernel 2.6.17-11-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.17-11-generic root=/dev/sda2 ro quiet splash
initrd /boot/initrd.img-2.6.17-11-generic
quiet
savedefault
boot
---------------------------------------------------------------------------------


The above should read:

---------------------------------------------------------------------------------
title Ubuntu, kernel 2.6.17-11-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.17-11-generic root=/dev/sda2 ro
initrd /boot/initrd.img-2.6.17-11-generic
quiet
savedefault
boot

---------------------------------------------------------------------------------


The reason you must erase the bootsplash is it will get in the way of your password prompt, and you'll be unable to boot your system fully.

Once this is completed, reboot system and boot Knoppix (or equiv) live-cd. Mount your / partition (in my case, /dev/sda2), and "rm -rf var".

Reboot into Ubuntu single-user (failsafe) mode. You will need to enter password b at the truecrypt password prompt, and you will also need to either press CTRL+D or enter your root password to finish booting the system. Once the system has booted, "ln -s /usr/var /var". Reboot.

On boot, you should be asked to enter your truecrypt password. Enter password b. Welcome to your newly encrypted operating system! If you're ever in a tight spot, and required to give up your encryption password (whether legally or otherwise), simply give them password a. They will be left with a broken system with no user data.

Enjoy!

-foldingstock


**props to Cool_Fire for helping me test this against Debian, and general proof-reading
Last edited by foldingstock on Mon Aug 20, 2007 8:40 pm, edited 5 times in total.
foldingstock
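
A check for the layout the guide above ends with, as an added example that is not part of the original post: it reads an mtab-style file and reports any path that is not backed by /dev/mapper/truecrypt0. The function names and the sample mtab are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which device backs each path, using an mtab-style file.

# Constructed sample: mtab as it would look with /usr on the TrueCrypt mapping.
sample_mtab() {
    cat <<'EOF'
/dev/sda2 / ext3 rw,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/mapper/truecrypt0 /usr ext3 rw 0 0
EOF
}

# backing_device MTAB PATH
# Print the device of the longest mount point in MTAB that contains PATH.
backing_device() {
    awk -v p="$2" '
        {
            mp = $2
            # mp contains p if it is "/", equals p, or is a prefix of p
            # that ends on a path-component boundary (/usr is not in /usr2).
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); dev = $1 }
        }
        END { if (dev != "") print dev }
    ' "$1"
}

# audit_paths MTAB WANT_DEV PATH...
# Print each PATH not backed by WANT_DEV; return 1 if any was found.
audit_paths() {
    mtab=$1; want=$2; shift 2
    bad=0
    for path in "$@"; do
        dev=$(backing_device "$mtab" "$path")
        if [ "$dev" != "$want" ]; then
            echo "$path is on ${dev:-unknown}, not $want"
            bad=1
        fi
    done
    return $bad
}

# Demo on the constructed sample; /var/log stands for a /var that was
# never relinked and so still lives on the unencrypted root partition.
demo=$(mktemp)
sample_mtab > "$demo"
audit_paths "$demo" /dev/mapper/truecrypt0 /usr/var /usr/home /usr/tmp /var/log || true
rm -f "$demo"
```

On a live system, pass /etc/mtab and the symlink-resolved paths, for example `audit_paths /etc/mtab /dev/mapper/truecrypt0 "$(readlink -f /var)" "$(readlink -f /home)" "$(readlink -f /tmp)" /usr`.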
 

Postby hormesis » Sat Aug 18, 2007 11:06 pm

I love you.

Postby Cool_Fire » Sat Aug 18, 2007 11:06 pm

I've followed the guide for Debian 4, it works great.
Performance is very good too.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

Postby Life » Sat Aug 18, 2007 11:07 pm

Excellent tutorial foldage.

A+ and a cookie.
It was once suggested that a million monkeys working at a million typewriters would produce the works of Shakespeare. However, a million monkeys working at a million keyboards has only produced 2girls1cup, goatse and MySpace.

Postby Aiden » Sat Aug 18, 2007 11:09 pm

Excellenter tutorial foldage.

A++ and two cookies.
"When it takes forever to learn all the rules, no time is left for breaking them."

Postby infinite_ » Sun Aug 19, 2007 1:09 am

Clear instruction and really well explained f0ldage.

+1.
My effort to help you will never exceed your effort to explain the problem.

Postby John » Sun Aug 19, 2007 2:13 am

Good guide mate, a lot of people will definitely find this useful.
True knowledge exists in knowing that you know nothing.
And in knowing that you know nothing, that makes you the smartest of all. - Socrates

<Life> Dinosaurs can't survive in vacuums
<Life> That's a scientific fact

Postby DigitolJedi » Sun Aug 19, 2007 3:57 am

:shock: cosmic I'm just about to set up a new computer. Thank you.
If you don't find it in the index, look very carefully through the entire catalogue.

Postby foldingstock » Thu Aug 30, 2007 11:13 pm

If you use the XFCE4 desktop on an encrypted system you may experience some system hangups. I'm not sure what causes this yet but I am in the process of figuring it out. All other desktop environments / window managers seem to work fine, however.
foldingstock
 

Postby silas » Fri Aug 31, 2007 8:46 am

Great tutorial. Will be trying it out with Gentoo. These are the types of tuts that need to be submitted to the threads.

Nice work foldingstock.
Knowledge is potential,
Application is kinetic.

Re: Linux and Truecrypt - Plausible Deniability

Postby happypenguin » Sat Feb 14, 2009 9:21 am

Hi, very nice tutorial.

I know that this is an old article but would it be possible for someone to reupload the shell scripts?

Thanks.
happypenguin
 

Re: Linux and Truecrypt - Plausible Deniability

Postby foldingstock » Sun Feb 15, 2009 11:42 am

Unfortunately I had a server crash a while (sata connector melted) back and lost some stuff. Luckily, I was smart enough to create regular backups. :twisted: <3 freebsd.

If you re-check the links, they should be working now. If you're lazy, just see below.

buildsafe.sh:
---------------------------------------------------------------------------------
#!/bin/sh
#
# This will build an encrypted userland file system from
# an encrypted partition called /enc

if [ `grep 'enc' /etc/mtab -c` -gt 0 ]; then
    if [ ! -d /usr/var ]; then
        echo 'editing /etc/fstab to mount /enc at /usr'
        cp /etc/fstab /etc/fstab.enc
        sed 's/enc/usr/g' /etc/fstab.enc > /etc/fstab
        echo 'moving /var partition to /usr/var...'
        cp --preserve=all -r /var /usr
        echo -n 'done'
        echo 'moving /home partition to /usr/home...'
        cp --preserve=all -r /home /usr
        echo -n 'done'
        echo 'moving /tmp partition to /usr/tmp...'
        rm -rf /usr/tmp
        cp --preserve=all -r /tmp /usr
        cd /usr/var
        rm -rf tmp
        ln -s ../tmp ./tmp
        cd /
        echo -n 'done'
        echo 'now building new /usr partition... relinking...'
        rm -rf /var
        rm -rf /home
        rm -rf /tmp
        ln -s /usr/tmp /tmp
        ln -s /usr/var /var
        ln -s /usr/home /home
        echo -n 'done'
    fi
    echo 'now moving /usr to encrypted partition...'
    echo 'please be patient. Depending on your systems speed'
    echo 'and specs, this may take a few minutes to more than an hour'
    cp --preserve=all -r /usr/* /enc
    echo 'done'
    echo 'enter *reboot* for the changes to take effect'
else
    echo 'mount point /enc cannot be found. make sure you have'
    echo 'created the mount point /enc. If you are certain it'
    echo 'exists, run this script again after mounting it.'
fi
#file ends here
---------------------------------------------------------------------------------
truecrypt.sh:
---------------------------------------------------------------------------------
#! /bin/sh

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

if [ -r /lib/lsb/init-functions ]; then
    . /lib/lsb/init-functions
    logbegin="log_begin_msg"
    logend="log_end_msg"
else
    logbegin="echo -n"
    logend=`printf "echo .\n"`
fi

# Exit if the daemon binary is NOT available, executable, etc.
test -x /usr/bin/truecrypt || exit 0

# Start function
d_start() {
    /usr/bin/truecrypt /dev/sda3
}

# Stop function
d_stop() {
    /usr/bin/truecrypt -d
}

case "$1" in
    start)
        $logbegin "Mounting Truecrypt Volumes"
        d_start
        $logend $?
        ;;
    stop)
        $logbegin "Dismounting Truecrypt Volumes"
        d_stop
        $logend $?
        ;;
    restart)
        $0 stop
        sleep 1
        $0 start
        ;;
    *)
        log_success_msg "Usage: truecrypt.sh {start|stop|restart}"
        exit 1
        ;;
esac

exit 0
---------------------------------------------------------------------------------

Re: Linux and Truecrypt - Plausible Deniability

Postby happypenguin » Tue Feb 17, 2009 3:57 pm

Thank you very much, very appreciated :)
happypenguin
 

