NAME¶
tcplay
—
tool to manage TrueCrypt volumes
SYNOPSIS¶
tcplay |
-c
-d
device
[-g ]
[-z ]
[-w ]
[-a
pbkdf_hash ]
[-b
cipher ]
[-f
keyfile_hidden ]
[-k
keyfile ]
[-x
pbkdf_hash ]
[-y
cipher ] |
tcplay |
-i
-d
device
[-e ]
[-f
keyfile_hidden ]
[-k
keyfile ]
[-s
system_device ]
[--fde ]
[--use-backup ] |
tcplay |
-m
mapping
-d
device
[-e ]
[-f
keyfile_hidden ]
[-k
keyfile ]
[-s
system_device ]
[--fde ]
[--use-backup ] |
tcplay |
--modify
-d
device
[-k
keyfile ]
[--new-keyfile
new_keyfile ]
[--new-pbkdf-prf
pbkdf_hash ]
[-s
system_device ]
[--fde ]
[--use-backup ]
[-w ] |
tcplay |
--modify
-d
device
[-k
keyfile ]
--restore-from-backup-hdr
[-w ] |
DESCRIPTION¶
The
tcplay
utility provides full support for
creating and opening/mapping TrueCrypt-compatible volumes. It supports the
following commands, each with a set of options detailed further below:
-c
,
--create
- Create a new encrypted TrueCrypt volume on the device specified by
--device
.
-h,
--help
- Print help message and exit.
-i
,
--info
- Print out information about the encrypted device specified by
--device
.
-j
mapping,
--info-mapped
=mapping
- Print out information about the mapped tcplay volume specified by
mapping. Information such as key CRC and
the PBKDF2 PRF is not available via this command.
--modify
- Modify the volume header. This mode allows changing passphrase, keyfiles,
PBKDF2 PRF as well as restoring from a backup header.
-m
mapping,
--map
=mapping
- Map the encrypted TrueCrypt volume on the device specified by
--device
as a
dm(4) mapping called
mapping. The
mapping argument should not contain any
spaces or special characters.
-u
mapping,
--unmap
=mapping
- Removes (unmaps) the dm(4) mapping specified
by mapping as well as any related cascade
mappings. If you mapped a volume using full disk encryption and created
mapping for individual partitions using
kpartx(8), you must remove these prior to
unmapping the volume.
-v,
--version
- Print version message and exit.
Options common to all commands are:
-d
device,
--device
=device
- Specifies the disk device on which the
TrueCrypt volume resides/will reside. This option is mandatory for all
commands.
-f
keyfile_hidden,
--keyfile-hidden
=keyfile_hidden
- Specifies a keyfile to use in addition to the passphrase when either
creating a hidden volume or when protecting a hidden volume while mapping
or querying the outer volume. If you only intend to map a hidden volume,
the
--keyfile
option has to be used.
This option can appear multiple times; if so, multiple keyfiles will be
used. This option is not valid in the
--modify
mode.
-k
keyfile,
--keyfile
=keyfile
- Specifies a keyfile to use in addition to
the passphrase. This option can appear multiple times; if so, multiple
keyfiles will be used.
Additional options for the
--create
command
are:
-a
pbkdf_hash,
--pbkdf-prf
=pbkdf_hash
- Specifies which hash algorithm to use for the PBKDF2 password derivation.
To see which algorithms are supported, specify
--pbkdf-prf
=help
.
-b
cipher,
--cipher
=cipher
- Specifies which cipher algorithm or cascade of ciphers to use to encrypt
the new volume. To see which algorithms are supported, specify
--cipher
=help
.
-g,
--hidden
- Specifies that the newly created volume will contain a hidden volume. The
keyfiles applied to the passphrase for the hidden volume are those
specified by
--keyfile-hidden
. The user
will be prompted for the size of the hidden volume interactively.
-w,
--weak-keys
- Use urandom(4) for key material instead of a
strong entropy source. This is in general a really bad idea and should
only be used for testing.
-x
pbkdf_hash,
--pbkdf-prf-hidden
=pbkdf_hash
- Specifies which hash algorithm to use for the PBKDF2 password derivation
for the hidden volume. Only valid in conjunction with
--hidden
. If no algorithm is specified,
the same as for the outer volume will be used. To see which algorithms are
supported, specify
--pbkdf-prf-hidden
=help
.
-y
cipher,
--cipher-hidden
=cipher
- Specifies which cipher algorithm or cascade of ciphers to use to encrypt
the hidden volume on the new TrueCrypt volume. Only valid in conjunction
with
--hidden
. If no cipher is
specified, the same as for the outer volume will be used. To see which
algorithms are supported, specify
--cipher-hidden
=help
.
-z,
--insecure-erase
- Skips the secure erase of the disk. Use this option carefully as it is a
security risk!
Additional options for the
--info
,
--map
and
--modify
commands are:
-e,
--protect-hidden
- Specifies that an outer volume will be queried or mapped, but its reported
size will be adjusted accordingly to the size of the hidden volume
contained in it. Both the hidden volume and outer volume passphrase and
keyfiles will be required. This option only applies to the
--info
and
--map
commands.
-s
system_device,
--system-encryption
=system_device
- This option is required if you are attempting to access a device that uses
system encryption, for example an encrypted Windows system partition. It
does not apply to disks using full disk encryption. The
--device
option will point at the
actual encrypted partition, while the
system_device argument will point to the
parent device (i.e. underlying physical disk) of the encrypted
partition.
--fde
- This option is intended to be used with disks using full disk encryption
(FDE). When a disk has been encrypted using TrueCrypt's FDE, the complete
disk is encrypted except for the first 63 sectors. The
--device
option should point to the
whole disk device, not to any particular partition. The resultant mapping
will cover the whole disk, and will not appear as separate partitions. To
access individual partitions after mapping,
kpartx(8) can be used.
--use-backup
- This option is intended to be used when the primary headers of a volume
have been corrupted. This option will force
tcplay
to use the backup headers, which
are located at the end of the device, to access the volume.
Additional options only for the
--modify
command are:
--new-pbkdf-prf
=pbkdf_hash
- Specifies which hash algorithm to use for the PBKDF2 password derivation
on reencrypting the volume header. If this option is not specified, the
reencrypted header will use the current PRF. To see which algorithms are
supported, specify
--pbkdf-prf
=help
.
--new-keyfile
=keyfile
- Specifies a keyfile to use in addition to
the new passphrase on reencrypting the volume header. This option can
appear multiple times; if so, multiple keyfiles will be used.
--restore-from-backup-hdr
- If this option is specified, neither
--new-pbkdf-prf
nor
--new-keyfile
should be specified. This
option implies --use-backup
. Use this
option to restore the volume headers from the backup header.
NOTES¶
TrueCrypt limits passphrases to 64 characters (including the terminating null
character). To be compatible with it,
tcplay
does the same. All passphrases
(excluding keyfiles) are trimmed to 64 characters. Similarly, keyfiles are
limited to a size of 1 MB, but up to 256 keyfiles can be used.
PLAUSIBLE DENIABILITY¶
tcplay
offers plausible deniability. Hidden
volumes are created within an outer volume. Which volume is accessed solely
depends on the passphrase and keyfile(s) used. If the passphrase and keyfiles
for the outer volume are specified, no information about the existance of the
hidden volume is exposed. Without knowledge of the passphrase and keyfile(s)
of the hidden volume its existence remains unexposed. The hidden volume can be
protected when mapping the outer volume by using the
--protect-hidden
option and specifying the
passphrase and keyfiles for both the outer and hidden volumes.
EXAMPLES¶
Create a new TrueCrypt volume on
/dev/vn0
using the cipher cascade of AES and Twofish and the Whirlpool hash algorithm
for PBKDF2 password derivation and two keyfiles,
one.key and
two.key:
tcplay
--create
--device
=/dev/vn0
--cipher
=AES-256-XTS,TWOFISH-256-XTS
--pbkdf-prf
=whirlpool
--keyfile
=one.key
--keyfile
=two.key
Map the outer volume on the TrueCrypt volume on
/dev/vn0 as
truecrypt1, but protect the hidden volume, using
the keyfile
hidden.key, from being
overwritten:
tcplay
--map
=truecrypt1
--device
=/dev/vn0
--protect-hidden
--keyfile-hidden
=hidden.key
Map the hidden volume on the TrueCrypt volume on
/dev/vn0 as
truecrypt2, using the keyfile
hidden.key:
tcplay
--map
=truecrypt2
--device
=/dev/vn0
--keyfile
=hidden.key
Map and mount the volume in the file
secvol
on Linux:
losetup
/dev/loop1
secvol
tcplay
--map
=secv
--device
=/dev/loop1
mount
/dev/mapper/secv
/mnt
Similarly on
DragonFly:
vnconfig
vn1
secvol
tcplay
--map
=secv
--device
=/dev/vn1
mount
/dev/mapper/secv
/mnt
Unmapping the volume
truecrypt2 on both Linux and
DragonFly after unmounting:
dmsetup
remove
truecrypt2
Or alternatively:
tcplay
--unmap
=truecrypt2
A hidden volume whose existance can be plausibly denied and its outer volume can
for example be created with
tcplay
--create
--hidden
--device
=/dev/loop0
--cipher
=AES-256-XTS,TWOFISH-256-XTS
--pbkdf-prf
=whirlpool
--keyfile
=one.key
--cipher-hidden
=AES-256-XTS
--pbkdf-prf-hidden
=whirlpool
--keyfile-hidden
=hidden.key
tcplay
will prompt the user for the
passphrase for both the outer and hidden volume as well as the size of the
hidden volume inside the outer volume. The hidden volume will be created
inside the area spanned by the outer volume. The hidden volume can optionally
use a different cipher and prf function as specified by the
--cipher-hidden
and
--pbkdf-prf-hidden
options. Which volume is
later accessed depends only on which passphrase and keyfile(s) are being used,
so that the existance of the hidden volume remains unknown without knowledge
of the passphrase and keyfile it is protected by since it is located within
the outer volume. To map the outer volume without potentially damaging the
hidden volume, the passphrase and keyfile(s) of the hidden volume must be
known and provided alongside the
--protect-hidden
option.
A disk encrypted using full disk encryption can be mapped using
tcplay
--map
=tcplay_sdb
--device
=/dev/sdb
--fde
To access individual partitions on the now mapped disk, the following command
will generate mappings for each individual partition on the encrypted disk:
kpartx
--av
/dev/mapper/tcplay_sdb
SEE ALSO¶
crypttab(5),
cryptsetup(8),
dmsetup(8),
kpartx(8)
HISTORY¶
The
tcplay
utility appeared in
DragonFly 2.11.
AUTHORS¶
Alex Hornung