MortenSchmidt

Using Truecrypt in Unraid 5 and 6


Guide to using Truecrypt in Unraid 5 and 6

 

Thanks to the user doron for first describing how to use the console only binaries and the nokernelcrypto mount option in this thread: http://lime-technology.com/forum/index.php?topic=4560.msg262568#msg262568

 

Prior to that, lots of clever people were discussing how to compile truecrypt from source, but as doron noted, with the binary it "just works" and is actually very easy. There is only one optional library package to install, namely NTFS-3G (if you want to use the ntfs filesystem), so it is very suitable for running directly on unraid.

 

I have used this for my offsite backup disks for a while and wanted to make a comprehensive guide for others to follow, including creating new encrypted volumes or drives in unraid. I like using the ntfs filesystem, because it can be mounted in windows, but if you don't care about that feel free to use another filesystem. If you are using it for offsite backup, consider that in the scenario where you need this data, you may no longer have a working unraid server, and being able to access from windows may be a good thing.

 

Your first step should be to read up on the status of the truecrypt project at https://www.grc.com/misc/truecrypt/truecrypt.htm

 

Assuming you are still OK with using truecrypt, download from the grc.com site the 64-bit binary "truecrypt-7.1a-linux-console-x64.tar.gz" for unraid 6, or the 32-bit version "truecrypt-7.1a-linux-console-x86.tar.gz" if you are on unraid 5.

 

Unpack the .gz file, and then run the binary on unraid to unpack the install files. Store the resulting "truecrypt" binary in /boot/custom/truecrypt.

 

Assuming you will want to use NTFS (optional), download the NTFS-3G package from http://pkgs.org/slackware-14.1/slackware-x86_64/ntfs-3g-2013.1.13-x86_64-1.txz.html and store that in /boot/custom/truecrypt as well (or your preferred location). I am presently using "ntfs-3g-2013.1.13-x86_64-1.txz", but there is a 2014 release as well. Same package for 32 and 64-bit. I think you'll also get this package automatically if you install the popular SNAP plugin.

 

Put the following lines in your go script

# Install NTFS-3G and Copy Truecrypt binary
installpkg /boot/custom/truecrypt/ntfs-3g-2013.1.13-x86_64-1.txz
cp /boot/custom/truecrypt/truecrypt /usr/bin
mkdir /mnt/tc

 

Optionally, if you want to be able to access the encrypted volume on the network, share it with samba by adding this to your smb-extra.conf file. If smb-extra.conf doesn't exist, create it in /boot/config:

[tc]
path = /mnt/tc
valid users = [uSER]
write list = [uSER]
force user = root
create mask = 0711
directory mask = 0711
browsable = no
guest ok = no

 

Creating and mounting TrueCrypt FAT format volumes (baby steps to get you started):

Encrypt an entire disk (erasing its contents!). Do this only with a non-array drive that you are certain has no data.

truecrypt -c --filesystem=fat /dev/sd$
(replace $ with your non-array drive)

It will politely ask you for size, password, ciphers etc. If you want to encrypt an entire drive, just enter a size larger than the drive (for a 2TB drive, enter 3000G etc.).

Or, create a volume in a file (this can be on the cache drive, or in the array):

truecrypt -c --filesystem=fat /mnt/disk$/truecryptvolume

Note: when creating containers it is not necessary to state the nokernelcrypto option, but whenever mounting them this option is required.

 

Now, to mount your newly created volume, or a volume created with windows (ntfs format):

truecrypt -m nokernelcrypto [volume] /mnt/tc

[volume] can be a path to your container on the array, or the /dev/sd$ disk. In case you have a drive with an encrypted partition, use /dev/sd$1.

 

That's it! Your truecrypt FAT volume is accessible at /mnt/tc. The FAT filesystem does have some notable limitations, mainly 4GB max filesize and no owner/permissions model. The rsync archive mode (rsync -a) will give errors and may hang, but as long as you have files less than 4GB, you can use "rsync -rt $SRC $DST" instead and effortlessly backup your data this way.

 

Creating and mounting TrueCrypt NTFS format volumes:

To use NTFS in writable mode, you will need to install NTFS-3G, and when mounting the volumes you will need to specify --filesystem=NTFS-3G, as it will otherwise default to the stock read-only NTFS driver. Also, the linux version of truecrypt can't format your volume as NTFS, so you will need to do this manually, as outlined below:

 

truecrypt -c --filesystem=none [volume]

 

Mount new volume that doesn't have filesystem

truecrypt -m nokernelcrypto --filesystem=none [volume]

 

Find mount point (default on unraid /dev/loop1)

truecrypt -l

 

Make NTFS filesystem on the mountpoint you found above (first one will be on /dev/loop0)

mkfs.ntfs -f /dev/loop$
(-f for fast format, and replace $ with the mountpoint)

Dismount and remount with filesystem

truecrypt -d [volume]
(or just truecrypt -d to dismount all volumes)

 

Now, to mount your newly created volume, or a volume created with windows (ntfs format)

truecrypt -m nokernelcrypto --filesystem=ntfs-3g [volume] /mnt/tc

 

Known issues:

1) If a file on the array is mounted with truecrypt, the array will not be able to stop. I'd love it if someone could come up with a bulletproof and safe rc.truecrypt script that could dismount truecrypt volumes when array needs to stop (after samba has stopped, see below).

 

2) Sometimes dismounting fails, citing a busy volume. The solution is to stop samba, dismount and restart samba.

/root/samba stop
truecrypt -d
/root/samba start

 

3) Sometimes truecrypt will be able to unmount the filesystem, but unable to unmount the volume from its temp file, which will be a problem if the volume is a file on your array and you want to stop the array. To solve, use "mount" and note which tmp file is still attached with truecrypt, and then use for example "umount -l /tmp/.truecrypt_aux_mnt1" to detach. The '-l' is a lazy detach option, that seems to get the job done.
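The NTFS creation steps and the "stop samba, dismount, lazy-umount" cleanup from the known issues are both multi-step sequences that are easy to get wrong by hand (for example by formatting the wrong loop device). The following helper script is an added example written for this page, not the guide author's script or anything shipped with unraid or TrueCrypt. It assumes, beyond what the post states, that `truecrypt -l` prints one line per mounted volume as "<slot>: <volume> <virtual device> <mount dir>", that `mount` prints "<source> on <dir> type <fs> (<options>)" per line, and that samba is controlled by the /root/samba script named in the known issues; the sample `mount` and `truecrypt -l` lines used to exercise the parsers are constructed.

```shell
#!/bin/sh
# Added helper script for two procedures in the guide above: the manual NTFS
# volume creation steps and the safe-dismount sequence from the known issues.
# Example code written for this page, not the guide author's script.
#
# Assumptions not stated in the guide:
#   * `truecrypt -l` prints one line per mounted volume in the form
#     "<slot>: <volume> <virtual device> <mount dir>" (mount dir is "-" when
#     the volume was attached with --filesystem=none).
#   * `mount` prints "<source> on <dir> type <fs> (<options>)" per line.
#   * Samba is controlled by /root/samba, as in the known-issues section;
#     change TC_SAMBA if your release uses a different control script.

TC=/usr/bin/truecrypt
TC_MNT=/mnt/tc
TC_SAMBA=/root/samba

# tc_loop_for_volume VOLUME   (reads `truecrypt -l` output on stdin)
# Prints the /dev/loopN device TrueCrypt attached to VOLUME and returns 0,
# or returns 1 if VOLUME is not listed. Safer than assuming loop0/loop1.
tc_loop_for_volume() {
    vol=$1
    while read -r slot path dev dir; do
        if [ "$path" = "$vol" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# tc_stale_aux_mounts   (reads `mount` output on stdin)
# Prints every TrueCrypt auxiliary mount point (/tmp/.truecrypt_aux_mnt*)
# still attached after `truecrypt -d`; these keep a container file on the
# array busy and prevent the array from stopping.
tc_stale_aux_mounts() {
    while read -r src on dir rest; do
        case $dir in
            /tmp/.truecrypt_aux_mnt*) printf '%s\n' "$dir" ;;
        esac
    done
}

# tc_make_ntfs_volume VOLUME
# The guide's NTFS steps in order: create the container with no filesystem,
# attach it, format the loop device with NTFS, detach, then remount writable
# through NTFS-3G at $TC_MNT. truecrypt prompts interactively for the
# password and volume parameters, so run this from a console.
tc_make_ntfs_volume() {
    vol=$1
    "$TC" -c --filesystem=none "$vol" || return 1
    "$TC" -m nokernelcrypto --filesystem=none "$vol" || return 1
    dev=$("$TC" -l | tc_loop_for_volume "$vol") || {
        echo "tc_make_ntfs_volume: $vol not listed by truecrypt -l" >&2
        return 1
    }
    mkfs.ntfs -f "$dev" || return 1        # -f: fast format, as in the guide
    "$TC" -d "$vol" || return 1
    "$TC" -m nokernelcrypto --filesystem=ntfs-3g "$vol" "$TC_MNT"
}

# tc_safe_dismount
# The known-issues sequence: stop samba so no client holds the share open,
# dismount all volumes, lazily detach any auxiliary mount left behind, then
# bring samba back. Run this before stopping the array.
tc_safe_dismount() {
    "$TC_SAMBA" stop
    "$TC" -d
    mount | tc_stale_aux_mounts | while read -r aux; do
        umount -l "$aux"
    done
    "$TC_SAMBA" start
}

# Command-line entry points; nothing runs when the file is sourced or
# invoked without arguments.
case ${1:-} in
    make-ntfs) tc_make_ntfs_volume "$2" ;;
    dismount)  tc_safe_dismount ;;
esac
```

Usage: `sh tc-helpers.sh make-ntfs /mnt/disk1/backup.tc` walks the NTFS steps for one container, and `sh tc-helpers.sh dismount` is the sequence to run before stopping the array. The two parsing functions are kept separate from the commands that need root and a real TrueCrypt so they can be exercised on captured output first.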


First, sorry for reviving a thread that is almost 2 years old.  Second, thanks MortenSchmidt for the excellent writeup on getting Truecrypt working.  It works great. 

 

My problem is that I cannot get the container shared over Samba.  I put the code into /boot/config/smb-extra.conf as suggested but it doesn't show up on the network.  I tried stopping Samba and then starting Samba, then when that didn't work I tried rebooting unraid.  Do you have any suggestions?


> First, sorry for reviving a thread that is almost 2 years old.  Second, thanks MortenSchmidt for the excellent writeup on getting Truecrypt working.  It works great.
>
> My problem is that I cannot get the container shared over Samba.  I put the code into /boot/config/smb-extra.conf as suggested but it doesn't show up on the network.  I tried stopping Samba and then starting Samba, then when that didn't work I tried rebooting unraid.  Do you have any suggestions?

What exactly do you have in smb-extra.conf?


Well, originally I had what he listed in the original post:

 

[tc]
path = /mnt/tc
valid users = [uSER]
write list = [uSER]
force user = root
create mask = 0711
directory mask = 0711
browsable = no
guest ok = no

 

That didn't work.  So I did some googling and some RTFMnoob and eventually I came up with:

 

[tc]
path = /mnt/tc
valid users = [my users here]
write list = [my users here]
browsable = yes
guest ok = no

 

That seems to work in my initial tests with my user account.  I am going to experiment with other users and see if that is what I want.  Which is to say, other people on the network cannot see the files, the desired users can see and read/write the files.


Ok, so in my smb-extra.conf file I have the following:

 

[tc]
path = /mnt/tc
valid users = user1 user2
write list = user1 user2
browsable = yes
guest ok = no

 

User1 can go into the share, edit files, create files, etc.  However user2 cannot.  She can see the files but not edit or create. 

 

I tried changing the order of the users after "valid user" and "write list".  That didn't work.

 

I tried eliminating "write list" altogether.  That just made both users read only.

 

I tried adding "writeable = yes".  user2 still is read only.

 

I added a third user "user3" to the list and that user had the same read only problem.

 

Finally, I think I solved this.  I had to put the "force user", "create mask", and "directory mask" back in.  I think what this does is forces any user who connects to the share to be translated to "root", then anything they do within that share is as the "root" user.

 

Now I just have to try and use this process to encrypt my offsite backups O_o

 

Here is my final smb-extra.conf file:

 

[tc]
path = /mnt/tc
writeable = yes
valid users = user1 user2
force user = root
create mask = 0766
directory mask = 0766
browsable = yes
guest ok = no

 


> Finally, I think I solved this.  I had to put the "force user", "create mask", and "directory mask" back in.  I think what this does is forces any user who connects to the share to be translated to "root", then anything they do within that share is as the "root" user.
>
> Now I just have to try and use this process to encrypt my offsite backups O_o
>
> Here is my final smb-extra.conf file:
>
> [tc]
> path = /mnt/tc
> writeable = yes
> valid users = user1 user2
> force user = root
> create mask = 0766
> directory mask = 0766
> browsable = yes
> guest ok = no

I thought that's what the force and mask lines probably did, but since I never removed them in the first place I never had the problem.

 

I also never changed the browsable to yes. Leaving it no keeps anyone from seeing it, but you can still get to it by specifying the path. That way if you don't know it's there you won't see it's there, and if you do know it's there you just have to ask for it by name.

 

One thing I did change was the mountpoint and share name, so it isn't called tc anymore on my system, but something else only I know.
