Sipsmi's Blog

Techno ramblings of a cynical engineer

Goodbye truecrypt

with 3 comments

Well, I have been using TrueCrypt to encrypt my data for a while. The code has not been updated since 2012 and, despite a funded audit, the project has not really progressed for a couple of years. The TrueCrypt SourceForge site now recommends using something else, as reported in places like this.

So what do I do for my personal and work data? As I use Linux, the obvious choice is one of the available encrypted file systems. This is the story of how I moved them across. I decided to use cryptsetup for no particular reason other than that it was bundled with the distro and supports up-to-date algorithms through the underlying dm-crypt kernel module and LUKS.

I use LVM to manage my storage, and currently a 64 GB logical volume (tc1 in volume group ubuntu-vg) is used as a TrueCrypt drive. Step one is to create a new logical volume of the same size for the new drive.

$ sudo lvcreate -L 64G -n tc2 ubuntu-vg

If you want to be paranoid you can check for bad blocks (not much point on LVM, but useful if you are working on a physical disk; note that -w is a destructive write test) and then fill the volume with random data, so that used and free space are indistinguishable once it is encrypted. dd will stop with "No space left on device" when it reaches the end of the volume, which is expected:

$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/ubuntu-vg/tc2
$ sudo dd if=/dev/urandom of=/dev/ubuntu-vg/tc2 bs=4M

Now you can create the LUKS container on the new logical volume. The command below uses AES with a 256-bit key in CBC mode with ESSIV (the older LUKS default) and SHA-256 as the PBKDF2 hash for deriving the key from the pass-phrase; current cryptsetup releases default to aes-xts-plain64, which is the better choice for a fresh volume if your distribution's cryptsetup supports it. Remember to choose something strong for a pass-phrase (and memorable: I use a quotation, and being somewhat dyslexic it is never spelt correctly, but it is consistent 🙂).

$ sudo cryptsetup --verify-passphrase --cipher=aes-cbc-essiv:sha256 --key-size=256 --hash=sha256 luksFormat /dev/ubuntu-vg/tc2

Now open the container through device-mapper, which registers the decrypted view as /dev/mapper/tc2:

$ sudo cryptsetup luksOpen /dev/ubuntu-vg/tc2 tc2

We really ought to put a file system on it too; I will use ext4 for this.

$ sudo mke2fs -t ext4 /dev/mapper/tc2

Now I just copy the data across by mounting the new file system on a temporary mount point and synchronising with rsync. The trailing slash on the source matters: it copies the contents of the TrueCrypt mount rather than creating a truecrypt1 directory inside /mnt/tc2.

$ sudo mkdir /mnt/tc2
$ sudo mount -t ext4 /dev/mapper/tc2 /mnt/tc2
$ sudo rsync -avx --progress /media/truecrypt1/ /mnt/tc2

When this is complete it is worth confirming the copy before trusting it (a second rsync run with --checksum --dry-run should report nothing left to transfer); then the old TrueCrypt volume can be deleted and symbolic links updated, or the new volume can simply be mounted on the old mount point. Two files need editing to get the new drive to mount at boot.

/etc/fstab

/dev/mapper/tc2   /mnt/tc2      ext4     defaults    1       2

And of course you need an entry in /etc/crypttab so that the system prompts for the pass-phrase at boot and maps the encrypted logical volume to the name used in fstab (the first field here must match the /dev/mapper/tc2 path above).

tc2  /dev/ubuntu-vg/tc2    none       luks
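The steps above, from creating the logical volume to the two boot-time entries, as one script with the checks a cautious admin would add. This is an added example, not the post's own script: it assumes the names used in the post (volume group ubuntu-vg, logical volume tc2, mount point /mnt/tc2, old TrueCrypt mount at /media/truecrypt1), and the SIZE, WIPE and DRY_RUN knobs, the refusal to format an existing LV, and the post-copy checksum verification are additions of mine. It also defaults to aes-xts-plain64 rather than the post's aes-cbc-essiv:sha256, and adds -H -A -X to rsync as the first comment below suggests.

```shell
#!/usr/bin/env bash
# Added example, not the post's own script: the TrueCrypt-to-LUKS migration
# above as one run, with guard rails. Assumes the post's names (ubuntu-vg, tc2,
# /mnt/tc2, /media/truecrypt1); SIZE, WIPE and DRY_RUN are this script's own.
# Run as root. DRY_RUN=1 prints the commands instead of executing them.
set -eu

# Every command that changes the system goes through run(), so DRY_RUN=1
# shows the plan without touching any device or config file.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Boot-time entries built from one set of names, so the mapper name in
# /etc/crypttab cannot drift from the /dev/mapper path in /etc/fstab.
fstab_line() {     # fstab_line <mapper-name> <mount-point>
    printf '/dev/mapper/%s  %s  ext4  defaults  1  2\n' "$1" "$2"
}
crypttab_line() {  # crypttab_line <mapper-name> <volume-group> <lv>
    printf '%s  /dev/%s/%s  none  luks\n' "$1" "$2" "$3"
}

# Append a line only if an identical one is not already present, so re-running
# the script does not leave duplicate fstab/crypttab entries.
append_once() {    # append_once <file> <line>
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

migrate() {        # migrate <volume-group> <lv> <mount-point> <old-truecrypt-mount>
    local vg=$1 lv=$2 mnt=$3 src=$4
    local dev="/dev/$1/$2" map=$2

    if [ "${DRY_RUN:-0}" != "1" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
        mountpoint -q "$src" || { echo "$src is not mounted" >&2; return 1; }
        # Never luksFormat an LV that already exists: that destroys its contents.
        if lvs "$vg/$lv" >/dev/null 2>&1; then
            echo "$dev already exists, refusing to overwrite" >&2; return 1
        fi
    fi

    run lvcreate -L "${SIZE:-64G}" -n "$lv" "$vg"
    # Optional: fill with random data so used and free space look alike.
    # dd ends with "No space left on device" at the end of the LV; that is fine.
    if [ "${WIPE:-0}" = "1" ]; then
        run dd if=/dev/urandom of="$dev" bs=4M || true
    fi

    # aes-xts-plain64 with a 512-bit key is the current cryptsetup default;
    # the post's aes-cbc-essiv:sha256 with 256 bits works as well.
    run cryptsetup --verify-passphrase --cipher aes-xts-plain64 --key-size 512 \
        --hash sha256 luksFormat "$dev"
    run cryptsetup luksOpen "$dev" "$map"
    run mkfs.ext4 -L "$map" "/dev/mapper/$map"
    run mkdir -p "$mnt"
    run mount -t ext4 "/dev/mapper/$map" "$mnt"

    # -a alone drops hard links, ACLs and xattrs; -H -A -X keep them (see the
    # comments on the post). Trailing slash on src copies contents, not the dir.
    run rsync -aHAXx --progress "$src/" "$mnt/"

    if [ "${DRY_RUN:-0}" != "1" ]; then
        # Verify before trusting the copy: a checksum dry run must find nothing
        # left to transfer (itemize codes <, >, c, h mean content would change).
        local pending
        pending=$(rsync -aHAXx --checksum --dry-run --itemize-changes "$src/" "$mnt/" \
                  | grep -c '^[<>ch]' || true)
        [ "$pending" = "0" ] || { echo "$pending path(s) still differ" >&2; return 1; }
    fi

    run append_once /etc/fstab "$(fstab_line "$map" "$mnt")"
    run append_once /etc/crypttab "$(crypttab_line "$map" "$vg" "$lv")"
    echo "done: $src copied to $mnt; review both files, then remove the old TrueCrypt volume"
}

# Usage: ./migrate.sh <volume-group> <lv> <mount-point> <old-truecrypt-mount>
if [ "$#" -eq 4 ]; then
    migrate "$@"
fi
```

Try it first with `DRY_RUN=1 ./migrate.sh ubuntu-vg tc2 /mnt/tc2 /media/truecrypt1` to see the exact command sequence; the real run needs root and will prompt for the new pass-phrase at the luksFormat step.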

Works for me!


Disclaimer: This code is from a hardware engineer turned hacker; it most likely ain't pretty, it most likely can be done better, but .... it works.

Written by sipsmi

June 15, 2014 at 6:45 pm

Posted in GNU/Linux

3 Responses


  1. Nice breakdown of what to do. One comment, rsync’s -a doesn’t include -H, -A, or -X, which some folks might want, especially -H.


    Ralph Corderoy

    June 16, 2014 at 9:36 am

• Good point Ralph – I didn't have any hard links and simple ACLs on that file area – as both file systems are local a recursive cp with preserve on the attributes would suffice.


      sipsmi

      June 16, 2014 at 10:41 am

  2. For those who do not really grok the command line of doing things there is a GUI project which can handle this here https://code.google.com/p/zulucrypt/

For those trying to build this on Ubuntu you could save a bit of library dependency work with the following (you may have many of them already):
    sudo apt-get install cmake pkg-config libsecret-1-dev libcryptsetup-dev libblkid-dev libpwquality-dev libtcplay-dev libdevmapper-dev uuid-dev libgcrypt11-dev libqt4-dev libudev-dev chrpath bzip2


    sipsmi

    June 16, 2014 at 1:33 pm
