Linux and Truecrypt - Plausible Deniability

Intro, intermediate and advanced HOWTOs and discussion.
Post Reply
foldingstock

Linux and Truecrypt - Plausible Deniability

Post by foldingstock » Sat Aug 18, 2007 11:03 pm

Original guide located at: http://theowned.org/news.php?item.30.5


*DISCLAIMER: Some countries have regulations on the use of cryptographics systems; it may be unlawful to use the following encryption setup in these countries. Please do the proper research before reading on.


In the following recipe, I will detail how to setup an encrypted Ubuntu Linux system using Truecrypt. If you follow each step of this guide, the result will be a system that has an encrypted /home, /tmp, /var, and /usr filesystem. Why would you want to encrypt all of these partitions, instead of just your home directory, or a folder within your home directory? There are many programs that store browser cache, password hashes, temporary files, ect in /tmp, /var, and /usr. By encrypting all of these partitions, you can rest a little easier. Lets begin shall we?


Ingredients:

Ubuntu 7.04 installation, or equiv (although directions may need to be changed to fit your OS and system specs)
Internet Access (should be understood)
A Knoppix or equiv live-cd

Directions:

Pour installation cd into computer, allow to sit until installation begins. Modify partition layout as follows:

---------------------------------------------------------------------------------
/dev/sda1 Swap = 512MB - 2GB
/dev/sda2 Root (/) = 10GB
/dev/sda3 Enc (/enc) = 70GB (the rest of the disk, hopefully over 20GB, and in my case, 70GB)
---------------------------------------------------------------------------------


Install system, and boot.

Download Truecrypt installation package: http://www.truecrypt.org/downloads.php

Extract the contents of truecrypt-4.3a-ubuntu-7.04-x86.tar.gz (please note if you are not using Ubuntu, you will have to download and compile the source tarball). Cd to the newly created directory, and use "dpkg" to install truecrypt. (dpkg will need to be run as root, "sudo dpkg -i ./truecrypt_4.3a-0_i386.deb")


Ensure truecrypt was installed correctly:

---------------------------------------------------------------------------------
# which truecrypt
/usr/bin/truecrypt
---------------------------------------------------------------------------------


Please note Ubuntu comes with the dmsetup (device mapper) package by default. If you are using a different distro, you may need to install dmsetup.

Before we go any further, PLEASE unmount the partition you plan to encrypt. If you go any further without unmounting the partition, you will damage the filesystem and will not be able to mount it after you encrypt it.

---------------------------------------------------------------------------------
# umount /dev/sda3
---------------------------------------------------------------------------------



Run truecrypt (as root) to begin the encryption process:

---------------------------------------------------------------------------------
# truecrypt -c
Volume type:
1) Normal
2) Hidden
Select [1]: 1

Enter file or device path for new volume: /dev/sda3

Filesystem:
1) FAT
2) None
Select [1]: 2

Enter volume size (bytes - size/sizeK/sizeM/sizeG): 70G

Hash algorithm:
1) RIPEMD-160
2) SHA-1
3) Whirlpool
Select [1]: 2

Encryption algorithm:
1) AES
2) Blowfish
3) CAST5
4) Serpent
5) Triple DES
6) Twofish
7) AES-Twofish
8) AES-Twofish-Serpent
9) Serpent-AES
10) Serpent-Twofish-AES
11) Twofish-Serpent
Select [1]: 2

Enter password for new volume 'test': ****** (choose a password, which we will call "password a")
Re-enter password: ******

Enter keyfile path [none]:

Is your mouse connected directly to computer where TrueCrypt is running? [Y/n]: y

Please move the mouse randomly until the required amount of data is captured...
Mouse data captured: 100% stir vigorously

Done: 10.00 MB Speed: 2.66 MB/s Left: 0:00:00
Volume created.

#

Now lets activate the drive.

# truecrypt /dev/sda3
Enter password for '/home/clown/encrypt/test': (enter password a)
#
# ls /dev/mapper
control truecrypt0
# mkfs.ext2 /dev/mapper/truecrypt0
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
2560 inodes, 10236 blocks
511 blocks (4.99%) reserved for the super user
First data block=1
Maximum filesystem blocks=10485760
2 block groups
8192 blocks per group, 8192 fragments per group
1280 inodes per group
Superblock backups stored on blocks:
8193

Writing inode tables: done
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 20 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

# mount /dev/mapper/truecrypt0 /mnt
#
---------------------------------------------------------------------------------


Before proceeding to the next step, lets unmount the encrypted volume and turn it off:

---------------------------------------------------------------------------------
# umount /dev/mapper/truecrypt0
# truecrypt -d
---------------------------------------------------------------------------------


Now, its time to add a little spice to our recipe.

---------------------------------------------------------------------------------
# truecrypt -c
Volume type:
1) Normal
2) Hidden
Select [1]: 2

Enter file or device path for new volume: /dev/sda3

Filesystem:
1) FAT
2) None
Select [1]: 2

Enter volume size (bytes - size/sizeK/sizeM/sizeG): 65G (please note this size must be slightly smaller then the original encrypted partition we created earlier)

Hash algorithm:
1) RIPEMD-160
2) SHA-1
3) Whirlpool
Select [1]: 2

Encryption algorithm:
1) AES
2) Blowfish
3) CAST5
4) Serpent
5) Triple DES
6) Twofish
7) AES-Twofish
8) AES-Twofish-Serpent
9) Serpent-AES
10) Serpent-Twofish-AES
11) Twofish-Serpent
Select [1]: 8

Enter password for new volume 'test': ******** (choose a different password then before, which we will call "password b")
Re-enter password: ********

Enter keyfile path [none]:

Is your mouse connected directly to computer where TrueCrypt is running? [Y/n]: y

Please move the mouse randomly until the required amount of data is captured...
Mouse data captured: 100% stir vigorously

Done: 10.00 MB Speed: 2.66 MB/s Left: 0:00:00
Volume created.

#

Now lets activate the drive.

# truecrypt /dev/sda3
Enter password for '/home/clown/encrypt/test': (enter password b)
#
# ls /dev/mapper
control truecrypt0
# mkfs.ext2 /dev/mapper/truecrypt0
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
2560 inodes, 10236 blocks
511 blocks (4.99%) reserved for the super user
First data block=1
Maximum filesystem blocks=10485760
2 block groups
8192 blocks per group, 8192 fragments per group
1280 inodes per group
Superblock backups stored on blocks:
8193

Writing inode tables: done
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 20 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

# mount /dev/mapper/truecrypt0 /mnt
#
---------------------------------------------------------------------------------


You should notice a size difference depending on which password you use. When you enter password a, you are accessing the first partition we created, which is less secure. When you enter password b, you are accessing the second partition we created, which is quite secure.

You will need to create the following file /etc/init.d/truecrypt.sh (click the link to download):

---------------------------------------------------------------------------------

>truecrypt.sh<

---------------------------------------------------------------------------------


Please note some parts of the above script will need to be edited to fir your system. Specifically, the line:

/usr/bin/truecrypt /dev/sda3

Once you have this file in /etc/init.d, make it executable on boot:

---------------------------------------------------------------------------------
# chmod +x /etc/init.d/truecrypt.sh
# update-rc.d truecrypt.sh start 20 S .
---------------------------------------------------------------------------------


*IMPORTANT: please include the trailing "." after the "S".

Now we will need to set the system to use this new, secured partition. First things first, reboot into single-user (failsafe) mode, and mount /dev/mapper/truecrypt0 to /enc (be sure to use password b).

Once it is mounted, run the following script as root (click the link to download):

---------------------------------------------------------------------------------

>buildsafe.sh<

---------------------------------------------------------------------------------


Allow to simmir until done. Now edit /etc/fstab, and add the following /usr entry:

---------------------------------------------------------------------------------

/dev/mapper/truecrypt0 /usr ext3 defaults 0 0

---------------------------------------------------------------------------------


Now edit /boot/grub/menu.lst, and delete the "quiet" and "splash" entries:

---------------------------------------------------------------------------------
title Ubuntu, kernel 2.6.17-11-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.17-11-generic root=/dev/sda2 ro quiet splash
initrd /boot/initrd.img-2.6.17-11-generic
quiet
savedefault
boot
---------------------------------------------------------------------------------


The above should read:

---------------------------------------------------------------------------------
title Ubuntu, kernel 2.6.17-11-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.17-11-generic root=/dev/sda2 ro
initrd /boot/initrd.img-2.6.17-11-generic
quiet
savedefault
boot

---------------------------------------------------------------------------------


The reason you must erase the bootsplash is it will get in the way of your password prompt, and you'll be unable to boot your system fully.

Once this is completed, reboot system and boot Knoppix (or equiv) live-cd. Mount your / partition (in my case, /dev/sda2), and "rm -rf var".

Reboot, into Ubuntu single-user (failsafe) mode. You will need to enter password b at the truecrypt password prompt, and you will also need to either press CTRL+D or your root password to finish booting the system. Once system has booted, "ln -s /usr/var /var". Reboot.

On boot, you should be asked to enter your truecrypt password. Enter password b. Welcome to your newly encrypted operating system! If your ever in a tight spot, and required to give up your encryption password (whether legally or otherwise), simply give them password a. They will be left with a broken system with no user data.

Enjoy!

-foldingstock


**props to Cool_Fire for helping me test this against Debian, and general proof-reading
Last edited by foldingstock on Mon Aug 20, 2007 8:40 pm, edited 5 times in total.

User avatar
hormesis
Veteran
Posts: 679
Joined: Wed May 17, 2006 3:27 pm
Location: irc.tddirc.net #hackerthreads

Post by hormesis » Sat Aug 18, 2007 11:06 pm

I love you.

User avatar
Cool_Fire
Not a sandwich
Posts: 1888
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d
Contact:

Post by Cool_Fire » Sat Aug 18, 2007 11:06 pm

I've followed the guide for Debian 4, it works great.
Preformance is very good too.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

User avatar
Life
Corporate Drunkard
Posts: 1911
Joined: Tue Jul 29, 2003 11:47 pm
Location: Guam
Contact:

Post by Life » Sat Aug 18, 2007 11:07 pm

Excellent tutorial foldage.

A+ and a cookie.
It was once suggested that a million monkeys working at a million typewriters would produce the works of Shakespeare. However, a million monkeys working at a million keyboards has only produced 2girls1cup, goatse and MySpace.

User avatar
Aiden
Administrator
Posts: 1080
Joined: Tue Oct 31, 2006 11:11 pm
Location: /usr/bin/perl

Post by Aiden » Sat Aug 18, 2007 11:09 pm

Excellenter tutorial foldage.

A++ and two cookies.
"When it takes forever to learn all the rules, no time is left for breaking them."

User avatar
infinite_
Bat Country
Posts: 1353
Joined: Fri Jun 04, 2004 7:19 pm
Location: Australia

Post by infinite_ » Sun Aug 19, 2007 1:09 am

Clear instruction and really well explained f0ldage.

+1.
My effort to help you will never exceed your effort to explain the problem.

John
Your Senior
Posts: 845
Joined: Wed Sep 17, 2003 6:39 pm

Post by John » Sun Aug 19, 2007 2:13 am

Good guide mate, a lot of people will definitely find this useful.
True knowledge exists in knowing that you know nothing.
And in knowing that you know nothing, that makes you the smartest of all. - Socrates

<Life> Dinosaurs can't survive in vacuums
<Life> That's a scientific fact

DigitolJedi
Hacker in Training
Posts: 50
Joined: Tue Jul 03, 2007 9:34 am
Location: plz don't change this again

Post by DigitolJedi » Sun Aug 19, 2007 3:57 am

:shock: cosmic I'm just about to set up a new computer. Thank you.
If you don't find it in the index, look very carefully through the entire catalogue.

foldingstock

Post by foldingstock » Thu Aug 30, 2007 11:13 pm

If you use the XFCE4 desktop on an encrypted system you may experience some system hangups. I'm not sure what causes this yet but I am in the process of figuring it out. All other desktop environments / window managers seem to work fine, however.

User avatar
silas
Sargeant at Arms
Posts: 268
Joined: Sat May 27, 2006 8:57 pm
Location: ./scapy

Post by silas » Fri Aug 31, 2007 8:46 am

Great tutorial. Will be trying it out with Gentoo. These are the types of tuts that need to be submitted to the threads.

Nice work foldingstock.
Knowledge is potential,
Application is kinetic.

happypenguin

Re: Linux and Truecrypt - Plausible Deniability

Post by happypenguin » Sat Feb 14, 2009 9:21 am

Hi, very nice tutorial.

I know that this is an old article but would it be possible for someone to reupload the shell scripts?

Thanks.

User avatar
foldingstock
htd0rg lieutenant
Posts: 300
Joined: Sat Aug 16, 2008 10:38 pm

Re: Linux and Truecrypt - Plausible Deniability

Post by foldingstock » Sun Feb 15, 2009 11:42 am

Unfortunately I had a server crash a while (sata connector melted) back and lost some stuff. Luckily, I was smart enough to create regular backups. :twisted: <3 freebsd.

If you re-check the links, they should be working now. If you're lazy, just see below.

buildsafe.sh:

Code: Select all

#!/bin/sh
#
# This will build an encrypted userland file system from
# an encrypted partition called /enc

 if [ `grep 'enc' /etc/mtab -c` -gt 0 ]; then

  if [ ! -d /usr/var ]; then

    echo 'editing /etc/fstab to mount /enc at /usr'
    cp /etc/fstab /etc/fstab.enc
    sed 's/enc/usr/g' /etc/fstab.enc > /etc/fstab

    echo 'moving /var partition to /usr/var...'
    cp --preserve=all -r /var /usr
    echo -n 'done'

    echo 'moving /home partition to /usr/home...'
    cp --preserve=all -r /home /usr
    echo -n 'done'

    echo 'moving /tmp partition to /usr/tmp...'
    rm -rf /usr/tmp
    cp --preserve=all -r /tmp /usr
    cd /usr/var
    rm -rf tmp
    ln -s ../tmp ./tmp
    cd /
    echo -n 'done'
    echo 'now building new /usr partition... relinking...'

    rm -rf /var
    rm -rf /home
    rm -rf /tmp
    ln -s /usr/tmp /tmp
    ln -s /usr/var /var
    ln -s /usr/home /home

    echo -n 'done'

  fi

  echo 'now moving /usr to encrypted partition...'
  echo 'please be patient. Depending on your systems speed'
  echo 'and specs, this may take a few minutes to more than an hour'

  cp --preserve=all -r /usr/* /enc

  echo 'done'
  echo 'enter *reboot* for the changes to take effect'
 else
  echo 'mount point /enc cannot be found. make sure you have'
  echo 'created the mount point /enc. If you are certain it'
  echo 'exists, run this script again after mounting it.'
 fi
 #file ends here
truecrypt.sh:

Code: Select all

#! /bin/sh

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

if [ -r /lib/lsb/init-functions ]; then
. /lib/lsb/init-functions
logbegin="log_begin_msg"
logend="log_end_msg"
else
logbegin="echo -n"
logend=`printf "echo .\n"`
fi

# Exit if the daemon binary is NOT available, executable, etc.
test -x /usr/bin/truecrypt || exit 0

# Start function
d_start() {
/usr/bin/truecrypt /dev/sda3
}

# Stop function
d_stop() {
/usr/bin/truecrypt -d
}

case "$1" in
start)
$logbegin "Mounting Truecrypt Volumes"
d_start
$logend $?
;;
stop)
$logbegin "Dismounting Truecrypt Volumes"
d_stop
$logend $?
;;
restart)
$0 stop
sleep 1
$0 start
;;
*)
log_success_msg "Usage: truecrypt.sh {start|stop|restart}"
exit 1
;;
esac
exit 0

happypenguin

Re: Linux and Truecrypt - Plausible Deniability

Post by happypenguin » Tue Feb 17, 2009 3:57 pm

Thank you very much, very appreciated :)

Post Reply