Tuesday, May 1, 2012

Some TrueCrypt sugar for Linux

Intro

Today everything seems to be moving to the "Cloud". In the Cloud we can store almost anything and be sure we can get it back anywhere and anytime. The only catch is that the Cloud does not belong to us. That is why we should think twice before uploading really private data there. This line of thought leads us to file encryption tools like encfs, TrueCrypt and others.

I like TrueCrypt. It is installed on every one of my Linux workstations. But sometimes I am not the only user of such a workstation: several concurrent users may be able to browse the computer's filesystem. Do you remember TrueCrypt's default behaviour when it is asked (by a double-click in the File Manager) to mount an encrypted volume? Right! By default it mounts the container somewhere under the /mnt (/media) directory, which can be browsed by the other logged-in users. That means they are able to see my private data stored in the mounted TrueCrypt container! Nein, I do not want this! I want to double-click a TrueCrypt container and be the only one who can view its contents.

That is why I have written a small mounter for TrueCrypt containers which attaches the decrypted volume under the user's home folder.

In Action

Suppose our encrypted volumes have the ".private" extension. To make them always open with the mounter we create a corresponding file association:

[Screenshot: associating the TrueCrypt container type with the truecrypt-mount application]

The TrueCrypt mounter (a simple wrapper over TrueCrypt) is located in /usr/bin:

[Screenshot: specifying the absolute path to the truecrypt-mount application]

Then TrueCrypt asks for the password:

[Screenshot: entering the container's password to unlock the data]

The user-locally (!) mounted container is immediately shown in a new File Manager window. Notice the path the container is mounted to.

[Screenshot: browsing the freshly mounted TrueCrypt volume]

If there is an attempt to mount an already connected TrueCrypt volume with truecrypt-mount, a corresponding error message is shown:

[Screenshot: "already mounted" TrueCrypt volume error message]


In details

truecrypt-mount, as already mentioned, is a simple wrapper over TrueCrypt itself. The wrapper is just a POSIX shell script which forwards the user's volume mount request to the TrueCrypt application with the "correct" arguments.

truecrypt-mount is configured through /etc/default/truecrypt file. The following options are supported:

TRUECRYPT_BINARY -- path where TrueCrypt itself is installed. Defaults to /usr/bin/truecrypt.

USER_MOUNT_ROOT -- path under which the user-specific mount points are created.

EXPLORE_MOUNTED_VOLUME -- boolean value specifying whether a newly mounted TrueCrypt volume is shown in the File Browser or not.

ERROR_REPORTING_CHANNEL -- specifies how errors during mounting are reported.
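To make the wrapper's job concrete, here is a minimal mounter of my own in the same spirit (an added example, not the truecrypt-extra script): it reads the same /etc/default/truecrypt options, keeps mount points under a mode-0700 per-user root, refuses to mount a container that already appears in `truecrypt -t -l` output, and hands the mount point to xdg-open. The listing format, the under-$HOME default root and the function names are assumptions.

```shell
#!/bin/sh
# Added example in the spirit of truecrypt-mount (not the truecrypt-extra script).
set -eu

# Defaults; /etc/default/truecrypt may override them (option names are the page's).
TRUECRYPT_BINARY=/usr/bin/truecrypt
USER_MOUNT_ROOT="${HOME:-/tmp}/.truecrypt"   # assumption: per-user root under $HOME
EXPLORE_MOUNTED_VOLUME=yes
if [ -r /etc/default/truecrypt ]; then . /etc/default/truecrypt; fi

# Mount point for a container: <root>/<file name without the .private suffix>.
tc_mount_point() {   # $1 = mount root, $2 = container path
    printf '%s/%s\n' "$1" "$(basename "$2" .private)"
}

# Read a `truecrypt -t -l` style listing on stdin (assumed format:
# "N: <container> <device> <mount point>") and succeed if $1 is listed.
# Whitespace field splitting means container paths with spaces are not handled.
tc_is_listed() {   # $1 = container path
    awk -v c="$1" '$2 == c { found = 1 } END { exit !found }'
}

# Create (or tighten) the per-user root so other users cannot traverse it.
tc_prepare_root() {   # $1 = mount root
    mkdir -p -m 0700 "$1"
    chmod 0700 "$1"
}

tc_mount() {   # $1 = container path
    mp=$(tc_mount_point "$USER_MOUNT_ROOT" "$1")
    if "$TRUECRYPT_BINARY" -t -l 2>/dev/null | tc_is_listed "$1"; then
        echo "truecrypt-mount: $1 is already mounted" >&2
        return 1
    fi
    tc_prepare_root "$USER_MOUNT_ROOT"
    mkdir -p -m 0700 "$mp"
    "$TRUECRYPT_BINARY" "$1" "$mp"        # TrueCrypt prompts for the password as usual
    if [ "$EXPLORE_MOUNTED_VOLUME" = yes ]; then xdg-open "$mp"; fi
}

# Only mount when a container path is given on the command line.
if [ $# -eq 1 ]; then tc_mount "$1"; fi
```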

Download

The wrapper is available for download from the git repository http://git.thekondor.net
truecrypt-mount is part of the truecrypt-extra package, since it is not the only way the TrueCrypt experience can be improved (see below).

The application, as well as the whole package, is distributed under the terms of the GNU GPL v3.0+ license.

As a benefit

Exploring volume in XFCE

Have you ever tried to launch TrueCrypt from the command line with the '--explore' option while in XFCE? If you have, you have probably also received an error that "Nautilus" was not found. According to TrueCrypt's source code it knows nothing about Thunar! Then you possibly tried to work around the problem by creating a fake Nautilus "application".

Thanks to the EXPLORE_MOUNTED_VOLUME option of truecrypt-mount there is no need for such workarounds anymore; we get it for free: the default File Manager is opened by calling /usr/bin/xdg-open.

Sleep means Sleep

This one is about being a bit paranoid :). What if a laptop is stolen while hibernated? What if several TrueCrypt volumes were mounted at that moment? A Bad Guy holding the hibernation image is then able to retrieve sensitive data from those volumes, because they were never disconnected and the image preserves the memory in which their keys live! To close this hole the user should always unmount their TrueCrypt volumes before the laptop goes to sleep/hibernate.

The truecrypt-extra package provides the PM-Utils hook 20_unmount-truecrypt-containers, which unmounts ALL connected TrueCrypt volumes on the user's system when it goes to sleep/hibernate. This behaviour can be disabled with the UNMOUNT_ON_SLEEP option.

Not a summary

I still have several ideas for improving the TrueCrypt experience on Linux which might be implemented within the truecrypt-extra package. So stay tuned, and send your feedback about the package if you have any.
