Realcrypt: Mandriva’s Truecrypt – Howto Part 2

19 01 2008

Now that we’ve gone over the basics of using Realcrypt [or Truecrypt] in Part 1 of the Howto, we’ll move on to discover the true genius of hidden volumes in Part 2. Using Realcrypt as outlined in Part 1 is more than adequate for storing your sensitive data, but for even better protection we can use the normal volume we created as a decoy and store our truly private data on a hidden volume within it. I know you’re bound to ask: “Why the hell would I need or want to do that?” Well, you don’t really, but its purpose is plausible deniability.

Before we move on to creating the hidden volume, let’s create a keyfile to protect it.

********************************************************************************

[altoptions@desktop1 ~]$ realcrypt --keyfile-create mykey
RealCrypt will now collect random data.

Is your mouse connected directly to computer where RealCrypt is running? [Y/n]:

Please move the mouse randomly until the required amount of data is captured…
Mouse data captured: 100%

Keyfile created.
[altoptions@desktop1 ~]$

********************************************************************************

For the example we called the keyfile mykey. You can call it whatever you like, and generally you shouldn’t give it a name that hints at its purpose, but for the purposes of the Howto we’ll stick with mykey.

Now that we’ve created a keyfile, we’ll use it for additional security for the hidden volume we’re going to create within the volume [volume.tc] we created in Part 1. In order to create the hidden volume we’ll need to map volume.tc as shown below.

********************************************************************************

[altoptions@desktop1 ~]$ sudo realcrypt -i
Enter volume path: volume.tc
Enter mount directory [none]:
Protect hidden volume? [y/N]:
Enter keyfile path [none]:
Enter password for ‘/home/altoptions/volume.tc’:## Enter the password you chose in Part 1

********************************************************************************

Now that it’s mapped, we’ll issue the same command we used in Part 1, but add the type flag -type hidden and name the Realcrypt volume on the command line to skip the first two steps of the process. We could run through all the steps like we did in Part 1, but I’ve chosen to do it like this to demonstrate the usage of flags, which you can build on beyond this lesson.

********************************************************************************

[altoptions@desktop1 ~]$ sudo realcrypt -type hidden -c volume.tc
Filesystem:
1) FAT
2) None
Select [1]: 2

Enter volume size (bytes - size/sizeK/sizeM/sizeG): 50M

Hash algorithm:
1) RIPEMD-160
2) SHA-1
3) Whirlpool
Select [1]:##the default is 1 – just hit <enter>

Encryption algorithm:
1) AES
2) Blowfish
3) CAST5
4) Serpent
5) Triple DES
6) Twofish
7) AES-Twofish
8) AES-Twofish-Serpent
9) Serpent-AES
10) Serpent-Twofish-AES
11) Twofish-Serpent
Select [1]: 8

Enter password for new volume ‘volume.tc’:## enter your desired password For the HIDDEN Volume
Re-enter password:## re-enter the password

Enter keyfile path [none]:mykey
Enter keyfile path [finish]:

RealCrypt will now collect random data.

Is your mouse connected directly to computer where RealCrypt is running? [Y/n]:

Please move the mouse randomly until the required amount of data is captured…
Mouse data captured: 100%

Volume created.
[altoptions@desktop1 ~]$

********************************************************************************

Now that we’ve created the unformatted hidden volume, we need to map it and then format it with ext3.

********************************************************************************

[altoptions@desktop1 ~]$ sudo realcrypt -i
Enter volume path: volume.tc
Enter mount directory [none]:
Protect hidden volume? [y/N]:
Enter keyfile path [none]: mykey
Enter keyfile path [finish]:
Enter password for ‘/home/altoptions/volume.tc’:##Enter the Password you chose
[altoptions@desktop1 ~]$

********************************************************************************

Let’s double check that the volume is mapped.

********************************************************************************

[altoptions@desktop1 ~]$ sudo realcrypt -l
/dev/mapper/realcrypt0 /home/altoptions/volume.tc
[altoptions@desktop1 ~]$

********************************************************************************

Now that we’ve confirmed it’s mapped to realcrypt0, we can format it with ext3.

********************************************************************************

[altoptions@desktop1 ~]$ sudo mkfs.ext3 /dev/mapper/realcrypt0
mke2fs 1.40.2 (12-Jul-2007)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
12824 inodes, 51200 blocks
2560 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=52428800
7 block groups
8192 blocks per group, 8192 fragments per group
1832 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 38 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
[altoptions@desktop1 ~]$

********************************************************************************

Now we mount it like we did in Part 1, but we don’t need to create the safe mount point like we did in Part 1 because that directory already exists in our home directory.

********************************************************************************

[altoptions@desktop1 ~]$ sudo mount /dev/mapper/realcrypt0 safe
[altoptions@desktop1 ~]$ cd safe
[altoptions@desktop1 safe]$ ls -l
total 12
drwx------ 2 root root 12288 2008-01-16 00:13 lost+found/

********************************************************************************

As you can see from the ls -l output, it’s a new volume: the my_safe directory we created in the normal volume isn’t listed.

Just like in Part 1, we need to create a directory within the volume that we can chown so that we can write to it as a normal user. We’ll differentiate it so that in the future we can easily tell if we’ve mounted the normal or hidden volume; we’ll name this directory my_secret_safe.

********************************************************************************

[altoptions@desktop1 safe]$ sudo mkdir my_secret_safe
[altoptions@desktop1 safe]$ sudo chown altoptions:altoptions my_secret_safe
[altoptions@desktop1 safe]$ ls -l
total 13
drwx------ 2 root root 12288 2008-01-16 00:13 lost+found/
drwxr-xr-x 2 altoptions altoptions 1024 2008-01-16 00:15 my_secret_safe/
[altoptions@desktop1 safe]$

********************************************************************************

We’ve now successfully created the hidden volume. While the volume is mapped and mounted, we can read/write to the my_secret_safe directory like we can with any normal user directory, and it will be encrypted/decrypted on the fly.

Just to further differentiate the two volumes, we’ll use touch to create a text file, which this time we’ll call secret_test.txt.

********************************************************************************

[altoptions@desktop1 safe]$ cd my_secret_safe
[altoptions@desktop1 my_secret_safe]$ touch secret_test.txt
[altoptions@desktop1 my_secret_safe]$ ls -l
total 0
-rw-r--r-- 1 altoptions altoptions 0 2008-01-19 13:29 secret_test.txt
[altoptions@desktop1 my_secret_safe]$

********************************************************************************

To un-mount the volume, we’ll need to change directory out of the mounted volume, which we entered in the above step, then un-mount the volume, and then double check that no volumes are mapped.

********************************************************************************

[altoptions@desktop1 my_secret_safe]$ cd ~
[altoptions@desktop1 ~]$ sudo realcrypt -d
[altoptions@desktop1 ~]$ sudo realcrypt -l
No volumes mapped
[altoptions@desktop1 ~]$

********************************************************************************

We’re done with the creation process. When you want to map and mount the hidden volume to use it regularly, the process is as follows:

********************************************************************************

[altoptions@desktop1 ~]$ sudo realcrypt -i
Enter volume path: volume.tc
Enter mount directory [none]: safe
Protect hidden volume? [y/N]:
Enter keyfile path [none]: mykey
Enter keyfile path [finish]:
Enter password for ‘/home/altoptions/volume.tc’:## enter the hidden volume’s password
[altoptions@desktop1 ~]$

********************************************************************************

We differentiate between the normal and hidden volume by using the hidden volume password and the keyfile; if you don’t choose to use a keyfile or two, the volumes are differentiated by the password.

Let’s check the contents of the hidden volume.

********************************************************************************

[altoptions@desktop1 ~]$ cd safe
[altoptions@desktop1 safe]$ ls -l
total 13
drwx------ 2 root root 12288 2008-01-19 13:05 lost+found/
drwxr-xr-x 2 altoptions altoptions 1024 2008-01-19 13:29 my_secret_safe/
[altoptions@desktop1 safe]$ cd my_secret_safe
[altoptions@desktop1 my_secret_safe]$ ls -l
total 0
-rw-r--r-- 1 altoptions altoptions 0 2008-01-19 13:29 secret_test.txt
[altoptions@desktop1 my_secret_safe]$

********************************************************************************

We’ll change directories and unmap the volume.

********************************************************************************

[altoptions@desktop1 my_secret_safe]$ cd ~
[altoptions@desktop1 ~]$ sudo realcrypt -d
[altoptions@desktop1 ~]$ sudo realcrypt -l
No volumes mapped
[altoptions@desktop1 ~]$

********************************************************************************

In review, whether the normal or hidden volume is mapped and mounted is determined by the password and/or keyfile supplied. In our example we used just a password to protect the normal volume, and with the hidden volume we used a password and a keyfile. To access the normal volume we’d go through the process of sudo realcrypt -i using just the password we created for that volume, and for the hidden volume we use its password and keyfile. Once the volume is mapped and mounted we use it as a normal directory, with Realcrypt encrypting and decrypting the contents on the fly, and unmount/unmap the volume when we’re done using it.
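
Why the credentials alone pick the volume, shown as a simplified Python model (an added example, not RealCrypt’s code or its on-disk format): each header slot only decrypts with its own password and keyfile, and to anyone without them the hidden slot looks like the random fill of an ordinary container. The slot position, header layout, keyfile mixing and XOR keystream cipher are assumptions made for the illustration.

```python
import hashlib
import os

MAGIC = b"TRUE"           # marker a correctly decrypted header starts with
SALT, HDR, SIZE = 16, 64, 4096   # toy sizes, not the real format
HIDDEN_HDR = SIZE - HDR   # assumed slot for the hidden header

def derive_key(password, keyfiles, salt):
    """Fold keyfile contents into the password, then stretch with PBKDF2."""
    secret = password.encode()
    for data in keyfiles:
        secret += hashlib.sha256(data).digest()
    return hashlib.pbkdf2_hmac("sha512", secret, salt, 2000, 32)

def xor_stream(key, data):
    """Stand-in cipher: XOR with a SHAKE-256 keystream."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def make_header(password, keyfiles, data_offset):
    salt = os.urandom(SALT)
    body = MAGIC + data_offset.to_bytes(8, "big")
    body += os.urandom(HDR - SALT - len(body))
    return salt + xor_stream(derive_key(password, keyfiles, salt), body)

def read_header(blob, password, keyfiles):
    """Return the data offset if these credentials decrypt the slot."""
    body = xor_stream(derive_key(password, keyfiles, blob[:SALT]), blob[SALT:])
    return int.from_bytes(body[4:12], "big") if body[:4] == MAGIC else None

def create_container(outer_password, hidden=None):
    box = bytearray(os.urandom(SIZE))   # unused space is random bytes
    box[:HDR] = make_header(outer_password, (), HDR)
    if hidden:                          # (password, keyfiles) of hidden volume
        box[HIDDEN_HDR:] = make_header(hidden[0], hidden[1], SIZE // 2)
    return bytes(box)

def mount(box, password, keyfiles=()):
    """Try the normal header slot, then the hidden one."""
    for kind, off in (("normal", 0), ("hidden", HIDDEN_HDR)):
        data_offset = read_header(box[off:off + HDR], password, keyfiles)
        if data_offset is not None:
            return kind, data_offset
    return None

KEYFILE = b"constructed keyfile bytes"  # stands in for the contents of mykey
box = create_container("outer-pass", hidden=("hidden-pass", (KEYFILE,)))
print(mount(box, "outer-pass"))               # normal volume
print(mount(box, "hidden-pass", (KEYFILE,)))  # hidden volume
print(mount(box, "hidden-pass"))              # keyfile missing: nothing opens
```

Because the normal volume’s header knows nothing about the hidden region, writes made while the normal volume is mounted can overwrite hidden data; the “Protect hidden volume?” prompt in the mapping step exists to prevent that.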

To finish off Part 2 of the Howto, we’ll mount the normal volume we created in Part 1 and look at its contents to demonstrate how access to each volume is determined by the passwords and/or keyfile(s).

********************************************************************************

[altoptions@desktop1 ~]$ sudo realcrypt -i
Enter volume path: volume.tc
Enter mount directory [none]: safe
Protect hidden volume? [y/N]:
Enter keyfile path [none]:
Enter password for ‘/home/altoptions/volume.tc’:## enter the password for the normal volume
[altoptions@desktop1 ~]$ cd safe
[altoptions@desktop1 safe]$ ls -l
total 13
drwx------ 2 root root 12288 2008-01-19 12:51 lost+found/
drwxr-xr-x 2 altoptions altoptions 1024 2008-01-19 12:52 my_safe/
[altoptions@desktop1 safe]$ cd my_safe
[altoptions@desktop1 my_safe]$ ls -l
total 0
-rw-r--r-- 1 altoptions altoptions 0 2008-01-19 12:52 test.txt
[altoptions@desktop1 my_safe]$ cd ~
[altoptions@desktop1 ~]$ sudo realcrypt -d
[altoptions@desktop1 ~]$ sudo realcrypt -l
No volumes mapped
[altoptions@desktop1 ~]$

********************************************************************************

So as you can see from the output, the normal volume was accessed by using the normal volume’s password, and there is no evidence of the hidden volume contained within it.

Cool eh?

That ends Part 2 of the Howto. The final instalment will be a summary of both parts, as well as a bit of an editorial on best practises.

Continue to the Summary

This work is licensed under a
Creative Commons Licence.


2 responses

19 01 2008
Realcrypt: Mandriva’s Truecrypt - Howto Part 1 « alt options

[…] it for part 1 of the Howto, in part 2 we’ll look at creating and using a keyfile as well as the process of creating and using a […]

22 04 2009
Jane Goody

I can tell that this is not the first time you write about the topic. Why have you decided to touch it again?
