Mount TrueCrypt drive on boot time under Debian / Ubuntu

There are several ways to mount an encrypted, password-protected TrueCrypt drive at boot time. This article describes how to create a password-protected TrueCrypt drive and mount it at boot time under GNU/Linux.
We will create an init.d script file containing the commands that ask for the password, create the mount point and mount the drive.

Requirements:

  • TrueCrypt – download and install it from the truecrypt.org site
  • Debian / Ubuntu 🙂
  • Root privileges (I'm using the sudo command)

First step – create encrypted drive

  1. Method 1: encrypting the drive with the TC GUI: run TrueCrypt from the menu, click on Create Volume, Create volume within partition/drive, Standard TC volume, choose an algorithm, type a password (uncheck the Use keyfiles option), next, next, next, exit 🙂
  2. Method 2: encrypting drive from command line. TODO

Second step – write init.d script file

Log in as root, download my init.d file, and edit it to your needs.

sudo su
cd /tmp
wget -c "http://rafal.zelazko.info/wp-content/uploads/2009/11/29/tc.tgz"
tar -xvzf tc.tgz -C /etc/init.d
cd /etc/init.d/
vim tc
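
The commands above unpack an archive fetched over plain HTTP straight into /etc/init.d as root. The following added example (not the author's tc script and not part of the original post) checks that the archive holds only the expected file before installing it; the function names vet_listing and safe_install are hypothetical, and the single-member layout of tc.tgz is an assumption.

```shell
#!/bin/sh
# Added example: vet a downloaded init-script archive before installing it.
# Assumption: the archive is expected to contain exactly one file (here "tc").

# vet_listing EXPECTED: reads `tar -tzf` output on stdin and succeeds only if
# the archive has exactly one member named EXPECTED (a leading "./" is allowed).
# Anything else (extra files, /absolute or ../traversal paths) is rejected.
vet_listing() {
    expected=$1
    count=0
    while IFS= read -r member; do
        count=$((count + 1))
        member=${member#./}
        [ "$member" = "$expected" ] || return 1
    done
    [ "$count" -eq 1 ]
}

# safe_install ARCHIVE NAME DESTDIR: unpack into a private scratch directory,
# confirm the member is a regular file (not a symlink), then copy it into
# DESTDIR with mode 0755. Nothing is ever extracted directly into DESTDIR.
safe_install() {
    archive=$1
    name=$2
    destdir=$3
    tar -tzf "$archive" | vet_listing "$name" || {
        echo "refusing: unexpected contents in $archive" >&2
        return 1
    }
    scratch=$(mktemp -d) || return 1
    status=1
    if tar -xzf "$archive" -C "$scratch" &&
       [ -f "$scratch/$name" ] && [ ! -L "$scratch/$name" ]; then
        install -m 0755 "$scratch/$name" "$destdir/$name" && status=0
    else
        echo "refusing: $name is not a regular file" >&2
    fi
    rm -rf "$scratch"
    return "$status"
}

# Usage (as root), in place of the tar -C /etc/init.d line:
#   safe_install /tmp/tc.tgz tc /etc/init.d
```

Read the installed script before enabling it, since it will run as root on every boot.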

Edit the /etc/init.d/tc file. Find the two constants there and set them:

TC_DEVICE="/dev/sda" # type here path to encrypted device
TC_MOUNT_POINT="/media/truecrypt2" # type here mount point

Notice: the above script mounts a standard (not hidden), password-protected device with no keyfiles. To automatically mount another kind of TC volume you must rewrite some parts of the script (or ask me, write a comment, etc.)

Test the init script:

invoke-rc.d tc start # if everything is correct you should be asked for the password
ls -la /media/truecrypt2 # type your mount point here
# there should be a list of the files stored on the encrypted volume
invoke-rc.d tc stop # unmount the encrypted device

Third step – add the script which mounts the encrypted drive to Debian / Ubuntu autorun

Now that everything works, you can add your script to the Debian autorun. To do this, simply type the following command.

update-rc.d tc defaults

Reboot your computer; on the next boot there should be a password prompt 🙂

Other solution

The main Linux distributions, including Debian and Ubuntu, have an alternative to TrueCrypt: LUKS (Linux Unified Key Setup). Maybe later I'll write an article on how to use it on Debian / Ubuntu…

Author: Rafał Żelazko

Freelancer. Experienced J2EE, PHP, JS Developer. Advanced Linux user. WebPerfekt.pl owner.

25 thoughts on “Mount TrueCrypt drive on boot time under Debian / Ubuntu”

  1. If the xserver starts automatically the password dialog will not be displayed. Is there any possibility to add a command to proceed without entering a password (I’m using a keyfile for encryption which is located on the encrypted home partition)?

    Thanks in advance
    Endebian

  2. Of course there is a possibility. To do this you need to modify the file /etc/init.d/tc to use keyfiles instead of a password.

  3. The modification is done but it needs to push to confirm “no password”. Do you know how to include a bash? My bash skills are very simple and I didn’t find anything similar on the net. Or is there a possibility to disable the password dialog?

    Thanks in advance
    Endebian

  4. Setting the tc parameter --password="" disables the password dialog on the console. Now it is possible to mount a tc volume during boot without any password dialog. Ensure that the system partition is also encrypted while using keyfile only. Thank you very much …

    Endebian

  5. Hi, I tried your script, it works fine when started manually, but doesn’t run on bootup. (Ubuntu 11.10) No error message shown. The only thing I changed is line 25:
    truecrypt -t -k "keyfile" --password="" --protect-hidden=no $TC_DEVICE $TC_MOUNT_POINT
    and line 9: # Default-Stop: 0 1 6, because "update-rc.d tc defaults" gave me the following error: "warning: tc stop runlevel arguments (0 1 6) do not match LSB Default-Stop values (1)"

    Any idea what went wrong?

    Greetings

  6. Hi,
    This script has been prepared for an old version of Ubuntu. At the moment I can’t check it on the current release. I’m not sure but I think there will be problems with Plymouth so try to delete the splash option from /etc/default/grub then update-grub and then it should work – but not for sure.
    Good luck

  7. Me stupid… 😉 The keyfile is on a USB stick that might not be mounted at the time the script runs… So now I’m googling for a solution.
    Thanks for the hint!

  8. I installed a new system and managed to (almost) successfully use your script with a keyfile on an encrypted version. The TrueCrypt partition is mounted during bootup. Suddenly I can only access it as su. When manually calling invoke-rc.d tc stop as su followed by invoke-rc.d tc start, the normal user can also access the tc partition. What might go wrong here?

    Thanks in advance

    Martin

  9. Hope i don’t post double? I have another question:
    The script works now fine with the keyfile on an encrypted partition. Suddenly only the superuser can access the mounted truecrypt-partition.
    When doing sudo su| invoke-rc.d tc stop and doing an … start afterwards the user has access rights. What might be the problem here?
    Thanks!

    Martin

  10. Hi 🙂 Thnx for the feedback, but unfortunately (fortunately? 🙂 ) I don’t have this problem, so I didn’t check the solution.
    I’ve found something similar on the Gentoo Wiki. Try to add

    -M uid=YOUR_UID,gid=YOUR_GID

    to mounting command.
    Regards
    RZ

  11. I found the solution:
    after
    --protect-hidden=no
    I added
    --fs-options="uid=1000,gid=1000,umask=0002"

    With this one it’s working great, the volume is mounted during boot and accessible by the normal user.
    Thanks for the great script!

  12. Sorry, but I don’t understand where I set the password for my volume, and whether the volume is connected before user login (this is what I need) or after.

  13. Ok, I probably understand, the password is set only once, but it still doesn’t work for Debian 6 GNOME. You wrote that I would be asked for the password again after reboot, but it doesn’t happen.

  14. Hello Raf,
    I don’t want to be rude, but what logs do you need to know where the problem is?

    I really need this for migrating our NAS from Win to Debian, this is the last thing on my checklist.

    I also need some clarification that this script is able to connect the truecrypt volume automatically before user login, without any manual action.

    My OS:
    Deb 6.0.5
    Truecrypt 7.1
    my difference is that I want to connect a truecrypt file volume, not a whole partition
    mountpoint was created but is empty.

    I also met the same problem with the stop script:
    # Default-Stop: 0 1 6, because "update-rc.d tc defaults" gave me the following error: "warning: tc stop runlevel arguments (0 1 6) do not match LSB Default-Stop values (1)"
    But mount test is ok.

  15. Thanks for this great explanation.

    Something I would suggest is using *blkid* to identify the uuid of the device you’re wanting to decrypt at boot. Then, instead of using */dev/sdX*, you can use */dev/disk/by-uuid/XXXX*

    This is great, especially for removable devices which may be used on Windows machines (since Windows doesn’t support ext2, ext3, or ext4).

  16. Excuse my previous comment, but blkid’s are only available for TrueCrypt volumes *AFTER* they have been mounted.

    Instead, I’ve successfully used /dev/disk/by-id/ to select a specific device.

  17. Not to sound stupid (I’m a bit of n00b), but how do you undo this? I got this working with the info on your page a while ago but no longer want this functionality. How do you undo the update-rc.d?

Comments are closed.