View Full Version : Cryptsetup and tcplay as Truecrypt alternatives

25th April 2014, 01:18 AM
Hello everyone,

According to https://fedoraproject.org/wiki/Forbidden_items?rd=ForbiddenItems#TrueCrypt :

"The TrueCrypt software is under a poor license, which is not only non-free, but has the potential to be actively dangerous to end users or distributors who agree to it, opening them to possible legal action even if they abide by all of the licensing terms, depending on the intent of the upstream copyright holder. Fedora continues to make efforts to try to work with the TrueCrypt upstream to fix all of the issues in their license so that it can be considered Free, but have not yet been successful.

Fedora Suggests: cryptsetup allows to map existing Truecrypt device since version 1.6 (Fedora 18). For full functionality tcplay is an independently developed TrueCrypt-compatible program under the BSD license. It is available in the official Fedora repository. It is recommended if you need TrueCrypt compatibility."

This article will explain the use of tcplay to create truecrypt containers and cryptsetup to mount and unmount said containers.

The following script utilizes tcplay to create truecrypt containers:

# Make truecrypt containers with tcplay

#User is your username
#Cryptsize is your container size (e.g. 20M)
#Cryptname is your container name
#Cryptpath is your container location (e.g. /home/user/file)

#Cryptpath should be in the following format: /FillInPathHere/"$cryptname"

loopdev=$(losetup -f)

# must be run as root
if [[ $EUID != 0 ]]; then
printf "%s\n" "You must be root to run this."
exit 1

# create a new container
dd if=/dev/zero of="$cryptpath" bs=1 count=0 seek="$cryptsize"
losetup "$loopdev" "$cryptpath"
tcplay -c -d "$loopdev" -a whirlpool -b AES-256-XTS #Enter password twice

# map the volume, create a filesystem on it and unmap the volume
tcplay -m "$cryptname" -d "$loopdev" #Enter password once
mkfs.vfat /dev/mapper/"$cryptname"
dmsetup remove "$cryptname"
losetup -d "$loopdev"

# make the volume user-writable
chown "$user" "$cryptpath"
chmod 755 "$cryptpath"

The following script uses cryptsetup to mount and unmount truecrypt containers:

# Mount and unmount truecrypt containers using cryptsetup

#User is your username
#Cryptname is your container name
#Cryptpath is your container location (e.g. /home/user/file)

#Cryptpath should be in the following format: /FillInPathHere/"$cryptname"


# must be run as root
if [[ $EUID != 0 ]]; then
printf "%s\n" "You must be root to run this."
exit 1

# open and mount container
if [[ "$1" == "1" ]]; then
cryptsetup --type tcrypt open "$cryptpath" "$cryptname" #Enter password
mkdir /media/"$cryptname"

# mount options for a user-writable volume
userid=$(id -u "$user")
groupid=$(id -g "$user")
mount -o nosuid,uid="$userid",gid="$groupid" /dev/mapper/"$cryptname" /media/"$cryptname"

# unmount, close container and clean up
elif [[ "$1" == "2" ]]; then
umount /media/"$cryptname"
cryptsetup --type tcrypt close "$cryptname"
rmdir /media/"$cryptname"

printf "%s\n" "To open container, type: sh foo.sh 1"
printf "%s\n" "Or, to close container, type: sh foo.sh 2"

To activate the scripts, just copy each of the two scripts into two separate text files and save them. You might need to make the bash scripts executable by typing something like: chmod +x ______.sh

For the first script, to create a truecrypt container, type something like: sh ______.sh.

For the second script, which uses cryptsetup:

To open a truecrypt container, type something like: sh ______.sh 1

To close a truecrypt container, type something like: sh ______.sh 2

EDIT: Here's an added section on keyfiles:

If your truecrypt container requires at least 1 keyfile:

Add the variable(s):

(Eliminate or add variables such as keyfile3, keyfile4, etc. as needed, depending on how many keyfiles you have for the container. For example, if my container requires only 1 keyfile, I just need keyfile1, and I don't need keyfile2.)

To the following section:

Be sure to list the location for all of your keyfiles, though (e.g. keyfile1=/home/user/fookeyfile1, keyfile2=/home/user/fookeyfile2)

And change the following line:
cryptsetup --type tcrypt open "$cryptpath" "$cryptname"

To the following code:
cryptsetup --type tcrypt open "$cryptpath" "$cryptname" --key-file="$keyfile1"

(If your container needs more than 1 keyfile, you can add: --key-file="$keyfile2", --key-file="$keyfile3", --key-file="$keyfile4", etc.)

For example:
cryptsetup --type tcrypt open "$cryptpath" "$cryptname" --key-file="$keyfile1" --key-file="$keyfile2"



https://wiki.archlinux.org/index.php/TrueCrypt#Accessing_a_TrueCrypt_container_using_cr yptsetup

11th May 2014, 04:08 AM
many thanks for your script, that is really what I need.

However I'm getting an error:
sudo sh cryptsetup-script.sh 1
cryptsetup-script.sh: line 39: syntax error: unexpected end of file

Well, it may be better to explain what I did.

vi cryptsetup-script.sh
copied your script into the file

then edited your script as follows:


I am confused regarding user. Truecrypt always asked me only a password to mount the volume contained in my file example.jpg. Truecrypt never asked for a username.

So I wonder if it is possible to use your script to mount a volume contained in a file.