Truecrypt On unRaid Questions



After much trial and error I was able to compile Truecrypt 6.2a on unRaid 4.5b6. During boot, the Truecrypt binary needs to be copied to /usr/bin/ and the fuse shared libs need to be copied to /lib/. I created a small 10meg encrypted container for testing. I used the NTFS file format for this test (read below). When I try to mount the file, I get an error:

 

No such file or directory: 
dmsetup

 

The container will mount if I use the "--mount-options=nokernelcrypto" argument, but it's read-only (even though TC volume info says it's not). The directory attributes for the mounted volume are missing the "read" and I cannot change it with chmod. I was reading dm-crypt is needed, but is included in the official 2.6.4 kernel. This might be why I can only mount with the 'nokernelcrypto' argument. Also, I cannot see this (read-only) volume on the network. Do I need to set anything for the mounted drive to be visible on the network? I read somewhere I need to use --filesystem=NTFS-3g when mounting.

 

My ultimate goal is to move my encrypted drive from my Windows XP machine to unRaid. That is why I'm testing with an NTFS container. Also, would I need to use the ntfs-3g-2009.3.8-i486-1.tgz (NTFS read/write file system driver) to read/write the data after I get it properly mounted?

 

Much Thanks

Link to comment


It seems to be telling you the "dmsetup" program is not in your path at the time you attempt to invoke it. That makes sense, since unRAID has no such command. It is part of the Linux Logical Volume Command interface, and unRAID does not use LVM. (I'd be shocked if dmsetup had been found in 4.5b6 unRAID.)

 

The only way I can see you getting a protected TrueCrypt device would be to use a loop device with the TrueCrypt volume living in a file on one of the protected disks.  Now, that file might be an image of any file-system you like.  If you use NTFS you must use one of the ntfs-3g drivers, since the supplied module in unRAID is read-only capable. (It cannot create or grow files in size.  It can only write to existing files as long as it does not change their size)

 

Joe L.

Link to comment

The only way I can see you getting a protected TrueCrypt device would be to use a loop device with the TrueCrypt volume living in a file on one of the protected disks. 

 

Thanks for the quick reply. I don't plan to make the encrypted disk part of the protected array (since I back it up each night). I have tried installing the LVM2 package (found here) and tried the Multipath tools (could not 'make') with no such luck.

Link to comment

I compiled TC and copied it from the source/Main directory to /bin. If I try to mount a container, it complains libfuse.so.2 is missing from /lib. As soon as I copy this file or all the libfuse* files to /lib (I compiled fuse-2.8.1 myself), ALL MY USER SHARES DISAPPEAR. :o

 

Truecrypt will let me get a little farther with libfuse.so.2 in place, but then I get an error: No such file or directory: dmsetup. I found a device-mapper (device-mapper-1.02.12-i486-1kjz.tgz) package. I had to manually copy dmsetup to /sbin. TC will let me get even farther, but gives me an error: Is device-mapper driver missing from kernel?

 

I've seen others use Truecrypt on unRaid. What is needed ??? I'm using unRaid v4.5b6 and Truecrypt 6.2a

 

 

Link to comment

Thanks bubbaQ

 

ln -s -f /boot/TC/libfuse.so.2 /lib/libfuse.so.2   # an older version of the fuse libs is in /lib/; I just replaced this one file with a symlink

ln -s -f /boot/TC/libdevmapper.so.1.02 /lib/libdevmapper.so.1.02

ln -s /boot/TC/dmsetup /sbin/dmsetup

cp /boot/TC/truecrypt /usr/bin/truecrypt   # symlink didn't work so I copied

 

Now I get the following error when I try to mount:

 

Error: /proc/misc: No entry for device-mapper found
Is device-mapper driver missing from kernel?
Failure to communicate with kernel device-mapper driver.

 

Link to comment
  • 2 weeks later...
  • 2 weeks later...

This might be beyond the forum's scope. I'm using unRaid 4.5b11. I've downloaded the linux kernel source 2.6.31.6 to match the unRaid kernel. I copy the entire source to "/mnt/disk#1/linux-src/". I type 'make oldconfig' and 'make drivers'. This compiles everything in the drivers sub folders. I'm only concerned with "/drivers/md/". I seem to only get *.o files. I need .ko files (specifically dm-mod.ko). Searching the interwebs yields nothing useful to me. Am I even on the right track? If so, added modules should show up with the 'lsmod' command. How would I incorporate dm-mod.ko into this list? Thanks

Link to comment
  • 1 month later...

A friend of a friend was able to get Truecrypt working for me.  :)

 

My drive is a full partition encrypted drive and not part of the array. I did not need to recompile unRaid bzroot and didn't need to run a full slackware distro. So far it works. The only issue is that I have two drives and need to put the PW in twice. The windows client would allow using cached passwords if another mounted device had the same PW. Something to look into, but for now it works.

Link to comment

So you have a TC container on unRAID, and are mounting and accessing it from your Windows box... correct?

 

The problem with this is that if you sleep/suspend/hibernate your Windows box, you can corrupt the TC container (at worst) or lose the connection and have to force an unmount (at best).

 

You also can not have any backend applications running on unRAID (torrents, web server, SQL, etc) reading/writing to protected storage.

 

Also, if you do timed/scheduled backups to unRAID, and want them to go into the protected container, you have to make sure the container is mounted, and remains mounted.

 

And finally, you can't safely share a TC container among clients.

 

This is why I want to have TC running natively on unRAID itself -- enter the PW once when mounting, then torrents, SQL, Apache, etc., can run with protected, encrypted datasources, and I can have multiple clients access the encrypted data on unRAID at the same time.

Link to comment

So you have a TC container on unRAID, and are mounting and accessing it from your Windows box... correct?

No, it's an NTFS full encrypted disk partition which is mounted on the unRAID box. I do access it through Samba.

 

The problem with this is that if you sleep/suspend/hibernate your Windows box, you can corrupt the TC container (at worst) or lose the connection and have to force an unmount (at best).

This is good to know. There is no Windows mounting happening here so disk corruption shouldn't be an issue. I actually dismount all TC mounts before my S3 sleep happens (and before power down). This was done for some security and not to leave my encrypted files open 24/7.

 

You also can not have any backend applications running on unRAID (torrents, web server, SQL, etc) reading/writing to protected storage.

 

Also, if you do timed/scheduled backups to unRAID, and want them to go into the protected container, you have to make sure the container is mounted, and remains mounted.

Thanks, nothing like that is going on. And the backups are covered.

 

One feature that is not supported in the command line of TC is caching passwords (login required). I have two encrypted drives with the same password (one is a backup of the source). Ideally, I would only like to mount the backup when rsync runs and dismount it, but right now I just need to have them both mounted. Embedding my PW in the command line is definitely not secure.

Link to comment
  • 3 years later...

Okay, it's been like 3.5 years since the last post on this topic. A couple questions:

 

1. kapperz, do you have this working in unRAID 5.0?

2. Would you share details of how it was done? I'm very interested, and would prefer not to go the path of encFS or remote TC mounts.

 

Thanks!

Link to comment

No, I have not tried to get this working on 5.0.

 

Here are the directions I used to get TC working in unRaid 4.7 (I used Ubuntu 9.10)

 

Get Linux kernel from Kernel.org for same version as unRaid

wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.31.6.tar.gz

 

unzip/tar the kernel and copy it to Ubuntu

tar xzf filename.tar.gz

- OR -

gzip -dc filename.tar.gz | tar xf -

 

copy /usr/src/linux/.config from unRaid to root of linux source

(might need to do "ls -a" to see all the files as files with a "." are hidden)

 

In a terminal window of Ubuntu type:

 

sudo apt-get install libncurses5-dev

 

make menuconfig

 

- Scroll down and select Device Drivers

- Scroll down to Multiple device Driver Support (LVM)

- Select Device Mapper Support and type "M" (for module)

 

Escape all the way back and click "Y" when asked to save the new config.

 

Back in the terminal type:

 

make

make modules

sudo make modules_install

(might need to enter system pw)

 

The dm_mod.ko file will be in the /drivers/md/ folder

Link to comment

Thanks very much!!

 

I already have a kernel build setup on a Slackware alongside unRAID. I'll try to figure out how to import this into 5.0.

 

Just out of curiosity, you didn't try this on 5.0 because you have an alternative to TC and/or not interested anymore, or because you haven't moved to 5.0 yet?

 

Thanks again for taking the time to document this. It is extremely helpful!

Link to comment

I'm still using unRaid 4.7 (if it ain't broke, don't fix it).

 

After you have the .ko file, I have this in my go script to install truecrypt...

 

cp -rv /boot/truecrypt/sbin/dmsetup /sbin/dmsetup
cp -rv /boot/truecrypt/usr-bin/truecrypt /usr/bin/truecrypt
cp -v /boot/truecrypt/drivers/dm-mod.ko /lib/modules/2.6.32.9-unRAID/kernel/drivers/md
depmod -a
modprobe dm-mod

 

To mount a drive (mine are formatted NTFS so I can easily use in a windows machine)...

 

/usr/bin/truecrypt -k "" --protect-hidden=no -m nokernelcrypto --filesystem=ntfs-3g -p "$TCPASS" /dev/$DRIVE /mnt/$MOUNT_POINT

 

$TCPASS = truecrypt password

$DRIVE = device drive.

$MOUNT_POINT = mount point

Link to comment
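One way to handle the password concern raised earlier in the thread (two volumes sharing a password, and not embedding it in the go script), as an added example that is not code from any poster here. The truecrypt options are copied from the mount command above; `TC_BIN`, the function names and the device names in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): one password prompt, several volumes.
# TC_BIN and all function names are assumptions made for this sketch.
TC_BIN="${TC_BIN:-/usr/bin/truecrypt}"

# Read the password with terminal echo off, so it never sits in the go
# script, in shell history, or in a file on the flash drive.
tc_read_pass() {
    printf 'TrueCrypt password: ' >&2
    trap 'stty echo; exit 1' INT TERM
    stty -echo
    IFS= read -r TCPASS
    stty echo
    trap - INT TERM
    printf '\n' >&2
}

# Mount one volume with the options from the thread's mount command.
# $1 = device or container file, $2 = mount point.
# Caveat: -p still puts the password in truecrypt's argument list while it
# runs, where ps can show it to other local users.
tc_mount_one() {
    mkdir -p "$2" || return 1
    "$TC_BIN" -k "" --protect-hidden=no -m nokernelcrypto \
        --filesystem=ntfs-3g -p "$TCPASS" "$1" "$2"
}

# Mount each "volume mountpoint" pair. Returns 0 if all mounted, 1 if any
# mount failed, 2 if no password is set (an empty one never reaches truecrypt).
tc_mount_all() {
    [ -n "${TCPASS:-}" ] || { echo "no password set" >&2; return 2; }
    failed=0
    while [ "$#" -ge 2 ]; do
        tc_mount_one "$1" "$2" || { echo "mount failed: $1" >&2; failed=1; }
        shift 2
    done
    return "$failed"
}

# Prompt once, mount everything, then drop the password from the shell.
tc_main() {
    tc_read_pass
    rc=0; tc_mount_all "$@" || rc=$?
    unset TCPASS
    return "$rc"
}
# Usage with constructed device names:
#   tc_main /dev/sdX1 /mnt/tc_data /dev/sdY1 /mnt/tc_backup
```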

Fantastic. Thanks. I already made the dm-mod.ko before I went out to work today, will check the rest later tonight.

 

Looking at your mount command I saw that you're mounting /dev/<dev>, which made me realize that I missed your earlier statement about the drive you're mounting not being part of the array. This is a bit different than my need (I do want this to be protected storage). I suppose I will end up mounting a file container.

 

Ideally, I'd wish unRAID would have been able to have an encryption layer under its array rather than on top. So that you'd need to supply the password or keyfile during array mount. Hopefully, a future version feature.

 

Thanks!

Link to comment

Okay, I have a few findings. Kinda interesting.

 

I'll start with the bottom line. I got Truecrypt 7.1a to work nicely under unRAID 5.0. The "nokernelcrypto" option is key.

 

The beef:

 

a. I made the device mapper kernel module (dm-mod), which was only the beginning: to actually run, truecrypt in turn required a few other modules: dm-crypt, xts and gf128mul. Once all these were made available, there were no more kernel complaints; however, trying to mount a volume with truecrypt hung (never returned), and the mount did not complete. I could interrupt (^C), at which time I found that the work was half done - "truecrypt -l" reports the volume as open, but it is not mounted. I didn't follow this path further, due to 2 below.

 

b. Once you use "nokernelcrypto", and you have kernel support for the FS you're mounting, you don't actually need the device mapper (or any related kernel module for that matter). I used a truecrypt binary(!!) from truecrypt.org, and it "just works". If your FS is NTFS, you do need the ntfs-3g or else you're stuck with r/o, but this was expected and has already been covered in this topic.

 

c. In terms of performance, I don't know how much better would using kernel crypto have been, had I managed to make it work. I made some rough, crude measurements, and in my setup, TC adds ~25% to the wall-clock timing of copying a 800MB file. I tested with a set of zeros (dd if=/dev/zero of=/mnt/t/testfile bs=100K count=8000) and with a random file which I generated from /dev/urandom (to isolate the effect of built-in compression). Both gave similar readings.

 

Bottom line: to mount a TC volume in unRAID, you can do this:

 

1. Download the "Console-Only, 32bit" installer from truecrypt.org

2. Run it (I did it on a separate system, but you can probably do it on unRAID). Select the "extract TAR" option (not "install"). untar the file. Pick up the resulting "truecrypt" binary from .../usr/bin and copy it to a permanent location (say /boot/truecrypt/ or on the array).

3. Copy that binary to /usr/bin (can do it permanently as part of "go").

4. If your volume filesystem is NTFS, make sure ntfs-3g is installed (can do via uumenu).

5. Mount your volumes. You can either use kapperz' mount command to mount a whole drive (not part of the array), like so:

/usr/bin/truecrypt -k "" --protect-hidden=no -m nokernelcrypto --filesystem=ntfs-3g -p "$TCPASS" /dev/$DRIVE /mnt/$MOUNT_POINT

or mount a file container as a volume, like so:

/usr/bin/truecrypt -k "" --protect-hidden=no -m nokernelcrypto --filesystem=ntfs-3g -p "$TCPASS" /mnt/disk1/$TCVOL /mnt/$MOUNT_POINT

This is what I plan to do, in which case the volume is on protected storage.

 

It is possible to create new volumes and keyfiles with the command line truecrypt, but I'm creating mine in a GUI-ed system.

 

Hope this will help someone. Again, many thanks to kapperz for all the work and info!!

 

 

 

 

 

Link to comment

Well done, this sounds like real progress. I have some TC file containers that I created on the array remotely via the Windows GUI. I was unable to create volumes greater than about 400Gb using that method, as the connection kept timing out. Maybe using this Linux command line on the UnRAID itself will get around that problem too and I can finally have very large file containers on the protected array.

 

 

 

Link to comment

Well done, this sounds like real progress. I have some TC file containers that I created on the array remotely via the Windows GUI. I was unable to create volumes greater than about 400Gb using that method, as the connection kept timing out. Maybe using this Linux command line on the UnRAID itself will get around that problem too and I can finally have very large file containers on the protected array.

 

The way to get around the time out issue is to create the container on a Windows box and then just copy it onto the unRAID drive where it will live.

 

Stephen

 

Link to comment
