JARI ESKELINEN

Changelog
2005-11-20  First version
2006-07-22  Upgraded documentation for TrueCrypt 4.2a
2006-07-24  Some tweaks
2006-07-24  Updated truecrypt_mount.vbs

Using opensc with TrueCrypt under Linux and Windows

Introduction
Preparing software
Using opensc with TrueCrypt under Linux
Using opensc with TrueCrypt under Windows
Improvement ideas

Introduction

I have been playing with smart cards for some time now and have set up encrypted partitions, secure logins etc. with smart cards and opensc. However, the world has been lacking open-source (and free) cross-platform solutions for encryption until now. TrueCrypt 4.0 was released on 2nd November 2005 and has finally been ported to Linux. This opens up whole new possibilities, like an encrypted file store which can be accessed from Windows and Linux (hopefully in future with other OSes too), encrypted home partitions likewise, etc. TrueCrypt is also designed with some sanity, so it's possible to bundle it with opensc and smart cards.

Preparing software

You need to install and set up opensc and TrueCrypt in both environments. Install at least TrueCrypt version 4.2a; these instructions have been upgraded for it and older versions won't support some of the features used here. I won't go into the details, since these things have been documented in many places already. You may get some help from my article Using Rainbow iKey 3000 under Linux (or any other smart card). I also recommend the Smart Card Bundle for Windows, which provides a fully working opensc and, as a bonus, an opensc-aware PuTTY: http://www.opensc.org/scb/

To use encrypted volumes in both environments you need to create them on a partition that is read-writable from both OSes. This limits your solution to ext2/ext3, since NTFS cannot be written under Linux and FAT32 only supports files up to 4 GB. ext2/ext3, however, can handle big files and is supported natively under Linux and with a third-party driver in Windows (Ext2 IFS has been reliable for me; other projects also exist, just google for the keywords ext2 and windows).

To create encrypted volumes under Linux, you need at least TrueCrypt version 4.2a. An example follows (the password is generated into a file, from which you must copy-paste it to the password prompt):

giant:~# modprobe truecrypt
giant:~# makepasswd --maxchars 63 --minchars 63 > crypt1.pwd.plain ; cat crypt1.pwd.plain
giant:~# truecrypt --type normal --filesystem none --size 40G --hash RIPEMD-160 --encryption AES  --create crypt1.tc
Enter password for new volume 'crypt1.tc': password
Re-enter password: password

Enter keyfile path [none]: 

TrueCrypt will now collect random data.

Is your mouse connected directly to computer where TrueCrypt is running?
[Y/n]: y

Please move the mouse randomly until the required amount of data is
captured...
Mouse data captured: 100%  

Done: 40960.00 MB  Speed: 37.38 MB/s  Left: 0:00:00  
Volume created.
giant:~# cat crypt1.pwd.plain | truecrypt crypt1.tc
giant:~# mkfs.ext2 /dev/mapper/truecrypt0
giant:~# mount /dev/mapper/truecrypt0 /media/crypt1
giant:~# truecrypt -d crypt1.tc 

If you have performance problems when creating the filesystem (pdflush going crazy and freezing the whole system), try upgrading to the latest kernel and TrueCrypt. Sadly it may not be enough; I even had to run Linux under Windows + VMware to get the filesystem right!

Using opensc with TrueCrypt under Linux

Using opensc with TrueCrypt should be pretty straightforward and can be done with small scripts and commands. I'll include pretty simple but effective examples below. There is some hardcoded stuff, so you should have a general awareness of scripting should problems arise. I have used the hardcoded key number 45 in all examples, so if your smart card uses another id for the key, change it.

First, encrypt your password using public key from your smart card:

giant:~# pkcs15-tool --read-public-key 45 > /tmp/opensc.key.pub
giant:~# openssl rsautl -encrypt -pubin -inkey /tmp/opensc.key.pub -in crypt1.pwd.plain -pkcs -out crypt1.pwd
giant:~# rm crypt1.pwd.plain
giant:~# rm /tmp/opensc.key.pub
giant:~# pkcs15-crypt --pkcs1 --decipher -k 45 -i crypt1.pwd
Enter PIN [PIN]: 
password
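The encrypt-and-verify steps above as one checked script. This is an added example, not code from the original article; it assumes opensc's pkcs15-tool and pkcs15-crypt are in PATH and that the card's RSA key has id 45 as used throughout the page. It replaces makepasswd with /dev/urandom, keeps every file it writes mode 0600, and refuses to delete the plaintext until the card has decrypted the sealed file back to the identical bytes.

```sh
#!/bin/sh
# Added example, not code from the original article. Assumes opensc's
# pkcs15-tool and pkcs15-crypt are in PATH and the card's RSA key id is 45.
KEY_ID=${KEY_ID:-45}
umask 077   # every file created below is readable by the owner only

# 63 random characters from a conservative alphabet (TrueCrypt 4.2a accepts
# up to 64 password characters); stands in for makepasswd on the page.
generate_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 63
}

# RSA PKCS#1 v1.5 encryption of a small file to a PEM public key, the same
# openssl rsautl call as the article; pkcs15-crypt --pkcs1 reverses it.
encrypt_pwdfile() {   # $1 public key PEM, $2 plaintext file, $3 output file
    openssl rsautl -encrypt -pubin -inkey "$1" -in "$2" -pkcs -out "$3"
}

# Seal an existing plaintext password file to the card's public key and
# delete the plaintext only after a successful round trip through the card.
card_protect_pwdfile() {   # $1 plaintext file (crypt1.pwd.plain), $2 output (crypt1.pwd)
    plain=$1; out=$2
    pubkey=$(mktemp) || return 1
    pkcs15-tool --read-public-key "$KEY_ID" > "$pubkey" || { rm -f "$pubkey"; return 1; }
    encrypt_pwdfile "$pubkey" "$plain" "$out"; rc=$?
    rm -f "$pubkey"
    [ "$rc" -eq 0 ] || return 1
    # Round trip: pkcs15-crypt prompts for the PIN on the terminal; a wrong
    # PIN yields empty output, so cmp fails and the plaintext is kept.
    if pkcs15-crypt --pkcs1 --decipher -k "$KEY_ID" -i "$out" | cmp -s - "$plain"; then
        shred -u "$plain" 2>/dev/null || rm -f "$plain"
        echo "password sealed to card key $KEY_ID in $out" >&2
    else
        echo "card could not decrypt $out; plaintext kept in $plain" >&2
        return 1
    fi
}

case "${1-}" in
    gen)  generate_password ;;                # sh protect_pwd.sh gen > crypt1.pwd.plain
    seal) card_protect_pwdfile "$2" "$3" ;;   # sh protect_pwd.sh seal crypt1.pwd.plain crypt1.pwd
esac
```

Run `gen` before creating the volume (and `cat` the file to paste the password into truecrypt --create), then `seal` once the volume exists.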

Now you should have an asymmetrically encrypted password, which should be secure even if stolen. Let's write a little script for automatically mounting your encrypted volumes under Linux. mount_truecrypt.sh:

#!/bin/sh
# Mount a TrueCrypt volume: the card decrypts the password file and the
# plaintext is piped straight into truecrypt, never written to disk.
VOLUME=$1
MOUNTPOINT=$2
PWDFILE=$3
KEYID=45   # id of the RSA key on the card; change if yours differs

if [ $# -ne 3 ]; then
  echo "Usage: mount_truecrypt <volume file> <mount point> <password file>" >&2
  exit 1
fi

pkcs15-crypt --pkcs1 --decipher -k "$KEYID" -i "$PWDFILE" | truecrypt "$VOLUME" "$MOUNTPOINT"

That was really short. If the opensc binaries or truecrypt are not in your PATH, modify the commands to include the full paths. Then a script for unmounting, umount_truecrypt.sh:

#!/bin/sh
# Dismount the TrueCrypt volume mounted at the given mount point.
MOUNTPOINT=$1

if [ $# -ne 1 ]; then
  echo "Usage: umount_truecrypt <mount point>" >&2
  exit 1
fi

truecrypt -d "$MOUNTPOINT"

Again, include paths if needed. These scripts could be bundled with PAM to use TrueCrypt for encrypted home directories, for example. If someone comes up with an easy solution (interacting with PAM is not very easy), please drop me an e-mail.

Using opensc with TrueCrypt under Windows

When it comes to Windows, scripting is... well, challenging. I gave up trying to create .bat files for mounting (the TrueCrypt programmers have made scripting even harder, since the password cannot be piped to truecrypt.exe, WTF?!) and switched to Windows Scripting Host. mount_truecrypt.vbs:

Dim Volume, Letter, PwdFile, OpenSCBin, TrueCryptBin, WshShell, oExec, Password, Msg, i

If Not WScript.Arguments.Length = 3 Then
  WScript.Echo("Usage: mount_truecrypt.vbs <Volume> <Drive letter> <Passwordfile>")
  WScript.Quit(1)
End If

Volume = WScript.Arguments(0)
Letter = WScript.Arguments(1)
PwdFile = WScript.Arguments(2)
OpenSCBin = "C:\Program Files\Smart card bundle\pkcs15-crypt.exe"
TrueCryptBin = "C:\Program Files\TrueCrypt\truecrypt.exe"
Msg = "Please give PIN-code for decrypting """ & Volume & """"
i = 0

' Ask for the PIN and let the card decrypt the password file (key id 45).
' pkcs15-crypt prints nothing on a wrong PIN, so an empty result means retry.
Do While True
  Password = InputBox(Msg)
  Set WshShell = CreateObject("WScript.Shell")
  Set oExec = WshShell.Exec(OpenSCBin & " --pkcs1 --decipher -k 45 -i """ & PwdFile & """ -p """ & Password & """")
  Password = oExec.StdOut.ReadAll()
  If Len(Password) > 0 Then Exit Do
  Msg = "Invalid PIN-code, try again. "
  i = i + 1
  If i >= 3 Then
    WScript.Echo("Invalid PIN-code given 3 times, aborting...")
    WScript.Quit(1)
  End If
Loop

' The decrypted password ends with CRLF, which Replace strips before it is
' handed to truecrypt.exe as a command-line argument.
Set oExec = WshShell.Exec(Replace(TrueCryptBin & " /v """ & Volume & """ /letter " & Letter & " /auto /quit /password """ & Password & """", vbCrLf, ""))

WScript.Quit(0)

Modify the OpenSCBin and TrueCryptBin variables if your paths differ. Please notice that this script is also far less secure and more error-prone than the Linux equivalent: both the PIN and the decrypted volume password are passed as command-line arguments. God knows where the PIN code is cached and whether an intruder can read the command line with full arguments. Oh well, be careful. Unmounting is probably not needed under Windows, but it's easy. umount_truecrypt.vbs:

Dim Letter, TrueCryptBin, WshShell, oExec

If Not WScript.Arguments.Length = 1 Then
  WScript.Echo("Usage: umount_truecrypt.vbs <Drive letter>")
  WScript.Quit(1)
End If

Letter = WScript.Arguments(0)
TrueCryptBin = "C:\Program Files\TrueCrypt\truecrypt.exe"

' Dismount the given drive letter without showing the TrueCrypt window.
Set WshShell = CreateObject("WScript.Shell")
Set oExec = WshShell.Exec(TrueCryptBin & " /quit /dismount " & Letter)

WScript.Quit(0)

Again, modify the paths if needed.

Improvement ideas

The encrypted password is stored in a separate file from the encrypted volume. If the password file gets lost, the encrypted volumes are lost too. It would be great if one could add metadata to volume files, so that the encrypted password could be read from the encrypted volume file itself. I know this is easily done, but the TrueCrypt staff would need to implement it (actually direct opensc support would be better).

© JARI ESKELINEN