MortenSchmidt Posted May 21, 2015

Guide to using Truecrypt in Unraid 5 and 6

Thanks to the user doron for first describing how to use the console-only binaries and the nokernelcrypto mount option in this thread: http://lime-technology.com/forum/index.php?topic=4560.msg262568#msg262568

Prior to that, lots of clever people were discussing how to compile truecrypt from source, but as doron noted, with the binary it "just works" and is actually very easy. There is only one optional library package to install, namely NTFS-3G (if you want to use the ntfs filesystem), so it is very suitable for running directly on unraid.

I have used this for my offsite backup disks for a while and wanted to make a comprehensive guide for others to follow, including creating new encrypted volumes or drives in unraid. I like using the ntfs filesystem, because it can be mounted in windows, but if you don't care about that feel free to use another filesystem. If you are using it for offsite backup, consider that in the scenario where you need this data, you may no longer have a working unraid server, and being able to access it from windows may be a good thing.

Your first step should be to read up on the status of the truecrypt project at https://www.grc.com/misc/truecrypt/truecrypt.htm

Assuming you are still OK with using truecrypt, download the 64-bit binary "truecrypt-7.1a-linux-console-x64.tar.gz" for unraid 6, or get the 32-bit version "truecrypt-7.1a-linux-console-x86.tar.gz" if you are on unraid 5, from the grc.com site. Unpack the .gz file, and then run the binary on unraid to unpack the install files. Store the resulting "truecrypt" binary in /boot/custom/truecrypt.

Assuming you will want to use NTFS (optional), download the NTFS-3G package from http://pkgs.org/slackware-14.1/slackware-x86_64/ntfs-3g-2013.1.13-x86_64-1.txz.html and store that in /boot/custom/truecrypt as well (or your preferred location). I am presently using "ntfs-3g-2013.1.13-x86_64-1.txz", but there is a 2014 release as well. Same package for 32 and 64-bit. I think you'll also get this package automatically if you install the popular SNAP plugin.

Put the following lines in your go script:

    # Install NTFS-3G and Copy Truecrypt binary
    installpkg /boot/custom/truecrypt/ntfs-3g-2013.1.13-x86_64-1.txz
    cp /boot/custom/truecrypt/truecrypt /usr/bin
    mkdir /mnt/tc

Optionally, if you want to be able to access the encrypted volume on the network, share it with samba by adding this to your smb-extra.conf file. If smb-extra.conf doesn't exist, create it in /boot/config:

    [tc]
    path = /mnt/tc
    valid users = [USER]
    write list = [USER]
    force user = root
    create mask = 0711
    directory mask = 0711
    browsable = no
    guest ok = no

Creating and mounting TrueCrypt FAT format volumes (baby steps to get you started):

Encrypt an entire disk (erasing its contents!). Do this only with a non-array drive that you are certain has no data.

    truecrypt -c --filesystem=fat /dev/sd$

(replace $ with your non-array drive) It will politely ask you for size, password, ciphers etc. If you want to encrypt an entire drive, just enter a size larger than the drive (for a 2TB drive, enter 3000G etc.).

Or, create a volume in a file (this can be on the cache drive, or in the array):

    truecrypt -c --filesystem=fat /mnt/disk$/truecryptvolume

Note: When creating containers it is not necessary to state the nokernelcrypto option, but whenever mounting them this option is required.

Now, to mount your newly created volume, or a volume created with windows (ntfs format):

    truecrypt -m nokernelcrypto [volume] /mnt/tc

[volume] can be a path to your container on the array, or the /dev/sd$ disk. In case you have a drive with an encrypted partition, use /dev/sd$1.

That's it! Your truecrypt FAT volume is accessible at /mnt/tc. The FAT filesystem does have some notable limitations, mainly 4GB max filesize and no owner/permissions model. The rsync archive mode (rsync -a) will give errors and may hang, but as long as you have files less than 4GB, you can use "rsync -rt $SRC $DST" instead and effortlessly backup your data this way.

Creating and mounting TrueCrypt NTFS format volumes:

To use NTFS in writable mode, you will need to install NTFS-3G, and when mounting the volumes you will need to specify --filesystem=NTFS-3G as it will otherwise default to the stock read-only NTFS driver. Also, the linux version of truecrypt can't format your volume as NTFS, so you will need to do this manually, as outlined below:

Create the volume without a filesystem:

    truecrypt -c --filesystem=none [volume]

Mount the new volume that doesn't have a filesystem:

    truecrypt -m nokernelcrypto --filesystem=none [volume]

Find the mount point (default on unraid /dev/loop1):

    truecrypt -l

Make an NTFS filesystem on the mount point you found above (the first one will be on /dev/loop0):

    mkfs.ntfs -f /dev/loop$

(-f for fast format, and replace $ with the mount point)

Dismount and remount with the filesystem:

    truecrypt -d [volume]

(or just truecrypt -d to dismount all volumes)

Now, to mount your newly created volume, or a volume created with windows (ntfs format):

    truecrypt -m nokernelcrypto --filesystem=ntfs-3g [volume] /mnt/tc

Known issues:

1) If a file on the array is mounted with truecrypt, the array will not be able to stop. I'd love it if someone could come up with a bulletproof and safe rc.truecrypt script that could dismount truecrypt volumes when the array needs to stop (after samba has stopped, see below).

2) Sometimes dismounting fails, citing a busy volume. The solution is to stop samba, dismount and restart samba.

    /root/samba stop
    truecrypt -d
    /root/samba start

3) Sometimes truecrypt will be able to unmount the filesystem, but unable to unmount the volume from its temp file, which will be a problem if the volume is a file on your array and you want to stop the array. To solve, use "mount" and note which tmp file is still attached with truecrypt, and then use for example "umount -l /tmp/.truecrypt_aux_mnt1" to detach. The '-l' is a lazy detach option, that seems to get the job done.
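The rc.truecrypt-style dismount helper that known issue 1 asks for, written here as an added example (not code from the original post): it strings together the samba stop, truecrypt -d, and lazy umount of leftover /tmp/.truecrypt_aux_mntN mounts from issues 2 and 3, and reports whether it is safe to stop the array. It assumes the post's layout (truecrypt in /usr/bin, /root/samba as the samba control script, overridable via SAMBA_RC) and that `truecrypt -l` exits non-zero when nothing is mounted.

```bash
#!/bin/bash
# Constructed example, not from the original post: dismount every TrueCrypt volume
# before the array is stopped, working around known issues 1-3 above. Assumes the
# post's layout: truecrypt in /usr/bin, /root/samba as the samba control script
# (override with SAMBA_RC), leftover aux mounts visible in `mount` as /tmp/.truecrypt_aux_mntN.
SAMBA_RC=${SAMBA_RC:-/root/samba}

# Print the mount points of leftover truecrypt aux mounts found in `mount` output read on
# stdin. `mount` prints "<what> on <where> type <fstype> (<opts>)", so field 3 is the mount point.
tc_aux_mounts() {
    awk '$3 ~ /^\/tmp\/\.truecrypt_aux_mnt[0-9]+$/ { print $3 }'
}

# Dismount all volumes, lazily detaching any aux mount that stays behind.
# $1: "restart" (default) brings samba back up afterwards for interactive use; "stop"
# leaves samba down, which is what you want right before stopping the array.
# Returns 0 when nothing truecrypt-related is still mounted, 1 otherwise.
tc_dismount_all() {
    local mode=${1:-restart} m leftover

    # Known issue 2: a busy volume will not dismount while samba has files open on it.
    "$SAMBA_RC" stop
    truecrypt -d || echo "truecrypt -d reported an error, checking what is left" >&2

    # Known issue 3: the filesystem dismounts but the volume stays attached to its temp mount.
    leftover=$(mount | tc_aux_mounts)
    for m in $leftover; do
        echo "lazy-detaching leftover $m"
        umount -l "$m"
    done

    # Verify before reporting success (assumption: `truecrypt -l` exits non-zero when no
    # volume is mounted). A stuck volume on an array disk is what blocks the array stop.
    if [ -n "$(mount | tc_aux_mounts)" ] || truecrypt -l >/dev/null 2>&1; then
        echo "truecrypt volumes still mounted; not safe to stop the array" >&2
        [ "$mode" = restart ] && "$SAMBA_RC" start
        return 1
    fi
    [ "$mode" = restart ] && "$SAMBA_RC" start
    return 0
}
```

Call `tc_dismount_all stop` from whatever hook runs before the array stops, and `tc_dismount_all` on its own when you just want the volumes off the network for a moment.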
MortenSchmidt (Author) Posted May 21, 2015

*** Reserved ***
leodavinci Posted January 15, 2017

First, sorry for reviving a thread that is almost 2 years old. Second, thanks MortenSchmidt for the excellent writeup on getting Truecrypt working. It works great. My problem is that I cannot get the container shared over Samba. I put the code into /boot/config/smb-extra.conf as suggested but it doesn't show up on the network. I tried stopping Samba and then starting Samba, then when that didn't work I tried rebooting unraid. Do you have any suggestions?
trurl Posted January 15, 2017

> First, sorry for reviving a thread that is almost 2 years old. Second, thanks MortenSchmidt for the excellent writeup on getting Truecrypt working. It works great. My problem is that I cannot get the container shared over Samba. I put the code into /boot/config/smb-extra.conf as suggested but it doesn't show up on the network. I tried stopping Samba and then starting Samba, then when that didn't work I tried rebooting unraid. Do you have any suggestions?

What exactly do you have in smb-extra.conf?
leodavinci Posted January 15, 2017

Well, originally I had what he listed in the original post:

    [tc]
    path = /mnt/tc
    valid users = [USER]
    write list = [USER]
    force user = root
    create mask = 0711
    directory mask = 0711
    browsable = no
    guest ok = no

That didn't work. So I did some googling and some RTFMnoob and eventually I came up with:

    [tc]
    path = /mnt/tc
    valid users = [my users here]
    write list = [my users here]
    browsable = yes
    guest ok = no

That seems to work in my initial tests with my user account. I am going to experiment with other users and see if that is what I want. Which is to say, other people on the network cannot see the files, the desired users can see and read/write the files.
leodavinci Posted January 15, 2017

Ok, so in my smb-extra.conf file I have the following:

    [tc]
    path = /mnt/tc
    valid users = user1 user2
    write list = user1 user2
    browsable = yes
    guest ok = no

User1 can go into the share, edit files, create files, etc. However user2 cannot. She can see the files but not edit or create. I tried changing the order of the users after "valid users" and "write list". That didn't work. I tried eliminating "write list" altogether. That just made both users read only. I tried adding "writeable = yes". user2 still is read only. I added a third user "user3" to the list and that user had the same read only problem.

Finally, I think I solved this. I had to put the "force user", "create mask", and "directory mask" back in. I think what this does is force any user who connects to the share to be translated to "root", then anything they do within that share is as the "root" user. Now I just have to try and use this process to encrypt my offsite backups O_o

Here is my final smb-extra.conf file:

    [tc]
    path = /mnt/tc
    writeable = yes
    valid users = user1 user2
    force user = root
    create mask = 0766
    directory mask = 0766
    browsable = yes
    guest ok = no
trurl Posted January 15, 2017

> Finally, I think I solved this. I had to put the "force user", "create mask", and "directory mask" back in. I think what this does is force any user who connects to the share to be translated to "root", then anything they do within that share is as the "root" user. Now I just have to try and use this process to encrypt my offsite backups O_o
>
> Here is my final smb-extra.conf file:
>
>     [tc]
>     path = /mnt/tc
>     writeable = yes
>     valid users = user1 user2
>     force user = root
>     create mask = 0766
>     directory mask = 0766
>     browsable = yes
>     guest ok = no

I thought that's what the force and mask lines probably did, but since I never removed them in the first place I never had the problem. I also never changed the browsable to yes. Leaving it no keeps anyone from seeing it, but you can still get to it by specifying the path. That way if you don't know it's there you won't see it's there, and if you do know it's there you just have to ask for it by name. One thing I did change was the mountpoint and share name, so it isn't called tc anymore on my system, but something else only I know.