Take note if you had problems using dmsetup-tc, the program I published last month that allows you to use TrueCrypt®’s encrypted system drives/partitions (also called the “pre-boot authentication” feature) from Linux environments (and possibly other Unices). I have found a few rather embarrassing bugs in it that made it rather unusable in pretty much all cases (it’s actually really astonishing that it even worked for myself…). So if previously you got a cryptic message like “fatal error: Success”, now would be a great time to try again.

Download dmsetup-tc 0.2 or review the original article about dmsetup-tc that explains the details. As usual, feedback is appreciated.

2 responses to this post

  1. Andrew says:

    Built new dmsetup-tc with -DDEBUG CFLAG. This time around, the software appears to be operating perfectly. In contrast to my earlier post (attached to your original article about dmsetup-tc), this was my successful output:

    Loading header from /dev/hda…
    Deriving header key…
    Decrypting header…
    Validating header…
    * Validating header signature
    Could not decrypt the volume. You probably entered a wrong password.root@risa:~#
    root@risa:~# modprobe dm-crypt
    root@risa:~# dmsetup-tc /dev/hda /dev/hda1 | dmsetup create hda1
    Enter passphrase for encrypted volume:
    Loading header from /dev/hda…
    Deriving header key…
    Decrypting header…
    Validating header…
    * Validating header signature
    * Validating header checksum
    * Validating checksum of master keys
    * Making sure we’re dealing with system encryption
    * Making sure we’re not dealing with partial encryption
    root@risa:~# mount -t ntfs-3g /dev/mapper/hda1 /media/hda1 -o ro
    root@risa:~#

    I am about to try some read-write access and see if things are still working nicely.

    Thanks a lot, Jan, for your hard work on this!

    Question: Is it the case that dmsetup-tc exists just to decrypt the volume master keys from the device record using your passphrase, and then the dm-crypt facility handles all the encryption/decryption effort for the mounted volume, not your program?

    -Andrew

  2. Jan says:

    Andrew: I’m glad things work for you now. As for your question; yes, that’s exactly what happens. Once my program reads the volume key from the volume header and calculates the right tweak value (that’s XTS-related magic; feel free to read the source code to find out more ;)), all it does is output the right data for dmsetup (which you pipe into it; a later version of dmsetup-tc might call dmsetup itself but I don’t see all that much of an added benefit).

    By the way, the official TrueCrypt(R) program does some more things when mounting volumes on Linux, including the use of FUSE for reasons not entirely clear to me, but in the end, it lets dmsetup handle the encryption stuff, too.
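
As the exchange above describes, the pipe from dmsetup-tc into dmsetup carries a device-mapper table line that includes the volume master key. The following is an added example, not part of dmsetup-tc or the original post: a parser for the kernel's dm-crypt table format that sanity-checks such a line and redacts the key before the line is logged or pasted. The sample line, its cipher name and its sector values are constructed, and that dmsetup-tc emits exactly this layout is an assumption.

```python
import re
from typing import NamedTuple

class CryptTable(NamedTuple):
    start: int      # first sector of the mapped device
    length: int     # mapped length in 512-byte sectors
    cipher: str     # dm-crypt cipher spec, e.g. "aes-xts-plain"
    key: bytes      # raw master key material
    iv_offset: int  # added to the sector number before IV/tweak generation
    device: str     # backing block device
    offset: int     # start sector on the backing device

def parse_crypt_table(line: str) -> CryptTable:
    """Parse '<start> <len> crypt <cipher> <hexkey> <iv_offset> <dev> <offset>'."""
    f = line.split()
    if len(f) < 8 or f[2] != "crypt":
        raise ValueError("not a dm-crypt table line")
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", f[4]):
        raise ValueError("key is not an even-length hex string")
    key = bytes.fromhex(f[4])
    # XTS takes two equal-size keys: 32 bytes total (AES-128) or 64 (AES-256).
    if "-xts-" in f[3] and len(key) not in (32, 64):
        raise ValueError("unexpected XTS key length: %d bytes" % len(key))
    return CryptTable(int(f[0]), int(f[1]), f[3], key,
                      int(f[5]), f[6], int(f[7]))

def redact(line: str) -> str:
    """Return the table line with the key replaced by a size-only marker."""
    table = parse_crypt_table(line)  # validates before anything is echoed
    f = line.split()
    f[4] = "<%d-bit key redacted>" % (len(table.key) * 8)
    return " ".join(f)

# Constructed sample: all-zero 512-bit key, made-up sector numbers.
SAMPLE = "0 204800 crypt aes-xts-plain " + "00" * 64 + " 63 /dev/hda1 0"

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Once a mapping is created, the same key is readable by root through `dmsetup table --showkeys`, so the redaction only protects copies of the line that leave the machine.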
