Goodbye TrueCrypt
Well, I have been using this encryption product (TrueCrypt) for a while. The code has not been updated since 2012 and, despite a funded audit, it has not really progressed for a couple of years. The SourceForge TrueCrypt site now recommends using anything else, as reported in places like this!!
So what do I do for my personal and work data? As I use Linux, the obvious choice would be one of the available encrypted file systems. This is the story of how I moved them across. Firstly, I decided to use cryptsetup for no apparent reason apart from the fact that it was bundled in the distro and supported up-to-date algorithms via the underlying dm-crypt kernel module and LUKS.
I use LVM to manage my storage, and currently a 64GB LVM logical volume (tc1 on volume group ubuntu-vg) is used as a TrueCrypt drive. So step number one is to create a new volume of the same size for the new drive.
$ sudo lvcreate -L 64G -n tc2 ubuntu-vg
If you want to be paranoid you can check for bad blocks (not much point on LVM, but it may be useful if you are using physical disks) and then randomise the data:
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/ubuntu-vg/tc2
$ sudo dd if=/dev/urandom of=/dev/ubuntu-vg/tc2 bs=1M
Now you can create the LUKS partition on the new logical volume; here with AES encryption using a key size of 256 bits (we are also using SHA-2 hashing). Newer cryptsetup releases default to aes-xts-plain64, which is the better choice today; the explicit options in the command simply pin what this volume uses. Remember to choose something strong for a pass-phrase (and memorable: I use a quotation; being somewhat dyslexic I never spell it correctly, but it is consistent 🙂).
$ sudo cryptsetup --verify-passphrase --cipher=aes-cbc-essiv:sha256 --key-size=256 --hash=sha256 luksFormat /dev/ubuntu-vg/tc2
Now we open it so that device-mapper exposes the decrypted volume as /dev/mapper/tc2:
$ sudo cryptsetup luksOpen /dev/ubuntu-vg/tc2 tc2
I suppose we really ought to put a file system on it too; I will use ext4 for this.
$ sudo mke2fs -t ext4 /dev/mapper/tc2
Now I just copy the data across by mounting a temporary mount point and synchronising with rsync:
$ sudo mkdir /mnt/tc2
$ sudo mount -t ext4 /dev/mapper/tc2 /mnt/tc2
$ sudo rsync -avx --progress /media/truecrypt1/ /mnt/tc2
When this is complete I can delete the old TrueCrypt volume and update symbolic links, or otherwise just map onto the old mount point. Two files need editing to get the new drive to mount at boot.
/etc/fstab
/dev/mapper/tc2 /mnt/tc2 ext4 defaults 1 2
And of course you need an entry in /etc/crypttab to prompt for the pass-phrase and unlock the encrypted logical volume:
tc2 /dev/ubuntu-vg/tc2 none luks
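The whole sequence above as one script, written here as an added example (it is not from the original post): the same lvcreate, luksFormat, luksOpen, mke2fs, mount and rsync steps, plus two checks the post does not do. It refuses to luksFormat a device that already carries a LUKS header, and it compares the copied tree against the TrueCrypt mount before anything is written to /etc/crypttab and /etc/fstab, so the old volume is only removed once the copy is known to be complete. The names (ubuntu-vg, tc2, /mnt/tc2, /media/truecrypt1) follow the post and are assumptions for your own system; the crypttab and fstab lines are generated from one set of variables so the volume-group name cannot be mistyped in one file and not the other.

```sh
#!/bin/sh
# Added example, not from the original post: TrueCrypt volume to LUKS, as a
# script with a pre-format guard and a post-copy verification.
# All names below are assumptions taken from the post; adjust for your system.
set -e

VG=ubuntu-vg
LV=tc2
SIZE=64G
NAME=tc2                    # device-mapper name, appears as /dev/mapper/tc2
MOUNT_POINT=/mnt/tc2
OLD_MOUNT=/media/truecrypt1 # where the TrueCrypt volume is currently mounted

# The /etc/crypttab and /etc/fstab entries, built from the same names.
crypttab_line() {
    # $1 mapper name, $2 volume group, $3 logical volume
    printf '%s /dev/%s/%s none luks\n' "$1" "$2" "$3"
}
fstab_line() {
    # $1 mapper name, $2 mount point
    printf '/dev/mapper/%s %s ext4 defaults 1 2\n' "$1" "$2"
}

# Compare two trees by relative path and SHA-256 of every regular file on the
# same filesystem (-xdev matches rsync -x). Returns 0 if identical, 1 if they
# differ, 2 if either directory is missing. Assumes GNU coreutils sha256sum.
verify_copy() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    a=$(cd "$1" && find . -xdev -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
    b=$(cd "$2" && find . -xdev -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
    [ "$a" = "$b" ]
}

migrate() {
    dev="/dev/$VG/$LV"
    lvcreate -L "$SIZE" -n "$LV" "$VG"
    # A new LV can inherit blocks from a deleted one; refuse to overwrite an
    # existing LUKS header rather than silently destroy its keyslots.
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "refusing to luksFormat $dev: it already carries a LUKS header" >&2
        return 1
    fi
    # Same cipher options as the post; current cryptsetup defaults to aes-xts-plain64.
    cryptsetup --verify-passphrase --cipher=aes-cbc-essiv:sha256 \
        --key-size=256 --hash=sha256 luksFormat "$dev"
    cryptsetup luksOpen "$dev" "$NAME"
    mke2fs -t ext4 "/dev/mapper/$NAME"
    mkdir -p "$MOUNT_POINT"
    mount -t ext4 "/dev/mapper/$NAME" "$MOUNT_POINT"
    # -H -A -X as suggested in the comments: hard links, ACLs and xattrs.
    rsync -avxHAX "$OLD_MOUNT/" "$MOUNT_POINT/"
    if ! verify_copy "$OLD_MOUNT" "$MOUNT_POINT"; then
        echo "copy does not match $OLD_MOUNT; leaving the old volume in place" >&2
        return 1
    fi
    crypttab_line "$NAME" "$VG" "$LV" >> /etc/crypttab
    fstab_line "$NAME" "$MOUNT_POINT" >> /etc/fstab
    cryptsetup luksDump "$dev" | head -n 12    # show what was actually written
}

# The destructive part only runs when asked for explicitly (as root).
if [ "${1:-}" = "--run" ]; then
    migrate
fi
```

Run it as root with `--run`; without that argument it only defines the functions, so `verify_copy` can be tried on two ordinary directories first to see that it really spots a truncated file before it is trusted with the real volumes.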
Works for me!
Disclaimer: This code is from a hardware engineer turned hacker; it most likely ain't pretty, it most likely can be done better, but... it works.
Nice breakdown of what to do. One comment, rsync’s -a doesn’t include -H, -A, or -X, which some folks might want, especially -H.
Ralph Corderoy
June 16, 2014 at 9:36 am
Good point, Ralph – I didn’t have any hard links and simple ACLs on that file area – as both file systems are local, a recursive cp with preserve on the attributes would suffice.
sipsmi
June 16, 2014 at 10:41 am
For those who do not really grok the command-line way of doing things, there is a GUI project which can handle this here: https://code.google.com/p/zulucrypt/
For those trying to build this on Ubuntu, you could save a bit of library dependency work with the following (you may have many of them already):
sudo apt-get install cmake pkg-config libsecret-1-dev libcryptsetup-dev libblkid-dev libpwquality-dev libtcplay-dev libdevmapper-dev uuid-dev libgcrypt11-dev libqt4-dev libudev-dev chrpath bzip2
sipsmi
June 16, 2014 at 1:33 pm