How to use TrueCrypt®-encrypted Windows system drives on Linux

Update: I made this program in 2008. In the meantime, some other guy appears to have written his own, apparently much more complete re-implementation. Feel free to check it out here: https://github.com/bwalex/tc-play – chances are that if that one works for you, I won’t be updating dmsetup-tc anymore.


TrueCrypt® is a multi-platform on-the-fly drive encryption tool. It allows you to encrypt all your data in a filesystem and still use everything normally. On Windows, it supports encrypting the system (boot) partition (or the entire boot drive); you can even make TrueCrypt® encrypt your existing partitions live and continue working (though the I/O performance sucks until it’s finished encrypting everything), pause and resume the encryption process (even across reboots). In short: it’s rather useful.

Even though TrueCrypt® introduced Windows system encryption in version 5.0 in February 2008 (that’s five months ago), its Linux version still doesn’t support accessing these encrypted partitions at all (it does mount “normal” TrueCrypt® volumes though). Since I recently encrypted my entire Windows drive but couldn’t live without the music files stored on it, I now humbly present the result of two wasted nights: a solution.

This just in!

A letter from the friendly folks over at truecrypt.org (®?) notified me that they don’t like my using their trademark TrueCrypt® in the name of my tool. To help avoid uncomfortable situations, I would like to point out to everybody that this tool is called dmsetup-tc and not dmsetup-TrueCrypt®.

To demonstrate that I take trademarks very seriously, I have taken great care in this article to give the trademark all the attention it undoubtedly deserves.

Before you join the fun…

I’d love to take a dive into technical details now but you’ll probably go away before I even get myself warmed up properly, so I’ll try and appease myself by mentioning that I learned lots of new things, including the gory details of XTS and PKCS#5/PBKDF2. Oh, and I first tried patching this stuff into TrueCrypt® but failed mainly due to two reasons: first, TrueCrypt® is written in C++ and it shows in the architecture; second, C++ itself. When I had everything but the correct initialization of the XTS tweak working, I gave up and started writing a separate tool. The positive side: it compiles in about a second and is snappier than TrueCrypt® when it runs, too (and it doesn’t do whatever weird things TrueCrypt® does with FUSE).

Oh, right, I wanted to keep the details out of this. Sorry.

What you need

  • A computer with a little-endian architecture (rule of thumb: if Windows runs on it, you’re fine). Support for big-endian architectures will be added if someone else writes a patch. ;)
  • A Windows system partition or drive that has been encrypted (completely; partial encryption is absolutely not supported) with TrueCrypt®. Normal TrueCrypt® partitions are not supported; after all, TrueCrypt® for Linux works fine for them.
  • A Linux system that you want to access the partition(s) from.
  • libgcrypt (tested with version 1.2.4) and its development files.
  • GNU make.
  • A C compiler (tested with GCC 4.2.3).
  • Optionally, experience with C and so on if you want to track down (and fix) bugs or add features.

Install it

  1. Download the source code: dmsetup-tc-0.6.tar.bz2 (updated 15th January 2013). Alternatively, visit the git repository page.
  2. Extract it somewhere.
  3. Run make. You know the drill.
  4. Put the resulting binary wherever you like.

Use it

Now, suppose you’ve got an encrypted system drive on /dev/sda and you want to mount the partition /dev/sda1. Then you just do the following (as root):

…/dmsetup-tc /dev/sda /dev/sda1 | dmsetup create win1

(As of 2 Sep 2012, you can alternatively pass a TC volume header file, i.e. the volume header dumped to a plain file, as the first parameter.)

This will create a DM device /dev/mapper/win1. You can now mount it. Assuming it’s got an NTFS filesystem (and you actually have a mountpoint called /media/win1):

mount -t ntfs-3g -o uid=(your numeric uid),umask=077 /dev/mapper/win1 /media/win1

There, all done. After umounting, remember to remove the DM device so that even root can’t get at your data anymore:

dmsetup remove win1

Important: don’t use dmsetup-tc on its own; always pipe its output directly into dmsetup! It outputs your volume master keys. You don’t want anybody to get a hold of those. There is a certain security risk to piping the data, too (it might get paged out and end up in your swap, which is problematic if you don’t use encrypted swap; additionally, the data from the pipe might reside somewhere in your physical memory for some time, possibly allowing root to read the master key even after you have removed the DM device). You have been warned.
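
The steps above as one session script: an added example, not part of dmsetup-tc or written by its author. It warns about plainly unencrypted swap, pipes dmsetup-tc straight into dmsetup, and removes the mapping on exit. The DMSETUP_TC default path, the function names and the SUDO_USER-based uid are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not part of dmsetup-tc: one session = map, mount, clean up.
# DMSETUP_TC is an assumed path to the binary you built.
DMSETUP_TC=${DMSETUP_TC:-./dmsetup-tc}

# List swap areas in a /proc/swaps-format file that are plainly unencrypted:
# everything except device-mapper nodes and zram (RAM only). Heuristic: a dm
# node may still be plain LVM, so an empty result is not proof of safety.
plain_swap_devices() {
    awk 'NR > 1 && $1 !~ /^\/dev\/(dm-|mapper\/|zram)/ { print $1 }' \
        "${1:-/proc/swaps}"
}

# Accept only simple mapping names (no slashes, no leading dash).
valid_map_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Undo only what this session set up: our mount, then our mapping.
cleanup() {
    if [ "${MOUNTED:-0}" = 1 ]; then umount "$MNT"; fi
    if [ -b "/dev/mapper/$NAME" ]; then dmsetup remove "$NAME"; fi
}

main() {
    [ "$#" -eq 4 ] || { echo "usage: $0 DRIVE PART NAME MOUNTPOINT" >&2; return 2; }
    DRIVE=$1 PART=$2 NAME=$3 MNT=$4
    valid_map_name "$NAME" || { echo "bad mapping name: $NAME" >&2; return 2; }
    [ ! -e "/dev/mapper/$NAME" ] || { echo "$NAME already exists" >&2; return 1; }
    plain=$(plain_swap_devices)
    [ -z "$plain" ] || echo "warning: unencrypted swap in use:" $plain >&2
    trap cleanup EXIT
    trap 'exit 130' INT TERM
    # Key material flows straight from dmsetup-tc into dmsetup; it never
    # touches a terminal, a file or a shell variable.
    "$DMSETUP_TC" "$DRIVE" "$PART" | dmsetup create "$NAME"
    [ -b "/dev/mapper/$NAME" ] || { echo "mapping was not created" >&2; return 1; }
    mount -t ntfs-3g -o "uid=$(id -u "${SUDO_USER:-root}"),umask=077" \
        "/dev/mapper/$NAME" "$MNT" || return 1
    MOUNTED=1
    echo "Mounted on $MNT. Press Enter to unmount and remove the mapping."
    read -r reply
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as root with the drive, the partition, a mapping name and an existing mountpoint, for example /dev/sda /dev/sda1 win1 /media/win1.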

Contribute

I’m developing the tool in a Git repository and you can join in! See the repository page for details.

You can also contribute by sending me feedback, but my capacity for actively adding new features to this tool is very limited.

In either case, thank you very much!

Comments

This is an anti-social blog. No interactive commenting is available. Please feel free to send me an e-mail to leave feedback. If you wish to "participate", anonymously or not, please let me know in your e-mail if I can publish your feedback.