TrueCrypt is the weapon of choice for easy end-to-end filesystem encryption, and conveniently supports FAT, NTFS, and EXT2/3/4 out of the box. This means all you have to do is specify the filesystem during the creation of the encrypted volume, and it will be automatically mounted when the volume is unlocked. That’s great!
…But wait, I don’t want any Ext4, I want the latest and greatest BTRFS (ooooh copy on write…). Luckily, it’s only slightly more complicated, and requires treating a TrueCrypt volume like, well, a volume and not a filesystem: Create a volume and make it available, then interact with the filesystem on the volume outside of TrueCrypt.
truecrypt --text --create --filesystem=none /dev/sdx1
truecrypt --text --mount --filesystem=none --keyfiles= --volume-type=normal --protect-hidden=no --slot=1 /dev/sdx1
mount /dev/mapper/truecrypt1 /mnt
To dismount the filesystem and then the volume:
truecrypt --text --dismount /dev/sdx1
This post will be short (and sweet). We will secure the majority of our personal data by encrypting our home partition. This is important for users with personal or sensitive data on their laptops, as well as other mobile devices such as the Google Nexus 7 when it runs Ubuntu Linux.
The steps to encrypt a partition with Truecrypt are probably the easiest ones compared to alternatives such as LUKS and other Linux Kernel built in tools. This involves installing Truecrypt, creating an encrypted partition, copying all the sensitive data into it, deleting the sensitive data from the unencrypted partition it was previously on, and configuring mounting and umounting of the Truecrypt volume during startup/shutdown. You will need to perform this as the root user, and you will need an empty partition which you can encrypt. The steps are generic: they assume you are encrypting a brand new home partition (and not something else), after storing your user data under the /home folder on the root partition. They have been tested on Slackware64 but will work on all Linux distributions. Please adjust the partitions, runlevel scripts and installation procedure for your Linux distribution (as an example, for Ubuntu, Truecrypt might be available via Aptitude repositories vs. a binary installation package, and the runlevels will not be in traditional BSD style).
- Install Truecrypt after downloading from here:
# tar vxf ./truecrypt-7.1a-linux-x64.tar.gz
- Create an encrypted Truecrypt partition. You will be asked about the partition, passwords and keyfiles to use:
# truecrypt --text --create
- Mount the new encrypted volume in a temporary location and copy all sensitive data to it. This should be done as root from singleuser runlevel if operating on the /home folder:
# telinit 1
# mkdir /tmp/encrypted
# /usr/bin/truecrypt --text --mount --protect-hidden=no --volume-type=normal --keyfiles= /dev/sda6 /tmp/encrypted
# cp -aR --preserve=all /home/* /tmp/encrypted/
# rm -rf /home/*
- Configure mounting/unmounting on startup/shutdown:
Edit /etc/rc.d/rc.S and add the following line after “/sbin/mount -a …”:
/usr/bin/truecrypt --text --mount --protect-hidden=no --volume-type=normal --keyfiles= /dev/sda6 /home
Edit /etc/rc.d/rc.6 and add the following line before “/sbin/umount -a …”:
/usr/bin/truecrypt --text --dismount /dev/sda6
- Test with a reboot!
Filed under #!, Slackware