DragonFly On-Line Manual Pages
TCPLAY(3) DragonFly Library Functions Manual TCPLAY(3)
NAME
tc_api_init, tc_api_uninit, tc_api_has, tc_api_cipher_iterate,
tc_api_prf_iterate, tc_api_task_init, tc_api_task_uninit,
tc_api_task_set, tc_api_task_do, tc_api_task_info_get,
tc_api_task_get_error - TrueCrypt volume management
LIBRARY
TrueCrypt-compatible API library (libtcplay, -ltcplay)
SYNOPSIS
#include <tcplay_api.h>
typedef int
(*tc_api_cipher_iterator_fn)(void *priv, const char *name,
int key_length_in_bits, int ciphers_in_chain);
typedef int
(*tc_api_prf_iterator_fn)(void *priv, const char *name);
typedef int
(*tc_api_state_change_fn)(void *priv, const char *state,
int enter_state);
int
tc_api_init(int verbose);
int
tc_api_uninit(void);
int
tc_api_has(const char *feature);
int
tc_api_cipher_iterate(tc_api_cipher_iterator_fn fn, void *priv);
int
tc_api_prf_iterate(tc_api_prf_iterator_fn fn, void *priv);
tc_api_task
tc_api_task_init(const char *op);
int
tc_api_task_uninit(tc_api_task task);
int
tc_api_task_set(tc_api_task task, const char *key, ...);
int
tc_api_task_do(tc_api_task task);
int
tc_api_task_info_get(tc_api_task task, const char *key, ...);
const char *
tc_api_task_get_error(tc_api_task task);
DESCRIPTION
The tcplay library provides an interface to create, query, map and manage
TrueCrypt-compatible volumes.
The tc_api_init() function initializes the library internals and prepares
it for use via the API. This function has to be called before using any
other API function. If the verbose argument is non-zero, then the
library will output information such as errors via stdout and stderr.
The tc_api_uninit() function clears up all internal secure memory, such
as memory used for decrypted headers, passphrases, keyfiles, etc.
The tc_api_has() function checks whether the loaded tcplay library has
the feature specified by the feature argument. The current version of
the tcplay library supports the following features:
Feature Description
trim Allows enabling discards/TRIM when mapping a volume
The tc_api_cipher_iterate() function passes every available cipher chain
to the callback provided in the fn argument. The priv argument is passed
on every call of the callback function. The name of the cipher chain is
passed to the callback function in the name argument. Similarly, the
ciphers_in_chain argument holds the number of ciphers in the current
chain, and key_length_in_bits holds the total key length for the cipher
chain, in bits.
The tc_api_prf_iterate() function passes every available cipher chain to
the callback provided in the fn argument. The priv argument is passed on
every call of the callback function. The name of the PKBDF2 PRF
algorithm is passed to the callback function in the name argument.
The tc_api_task_init() function initializes and returns a tc_api_task
opaque pointer that can be used to run tcplay commands. Each task can be
used only for a single tc_api_task_do() call, and must be deallocated
using tc_api_task_uninit(). The op argument can be one of the following:
create Create a new encrypted TrueCrypt volume.
map Map an existing TrueCrypt volume.
info Request information about an encrypted TrueCrypt volume.
info_mapped
Request information about a mapped TrueCrypt volume.
unmap Unmap a mapped TrueCrypt volume.
modify Modify the TrueCrypt volume by changing the passphrase, keyfiles,
PRF algorithm, restoring from a backup header, restoring from a
header file or saving to a header file.
restore
Modify the TrueCrypt volume as modify does, but without changing
the passphrase, keyfiles or PRF algorithm.
The tc_api_task_set() function allows settting a number of different
options for the current task. The following table shows which keys are
available on calls to tc_api_task_set() for each of the operations. The
letter M indicates the setting is mandatory, whilst * indicates the
setting is optional.
Key create info map unmap info_mapped modify restore
dev M M M * M M
map_name M M M
interactive * * * * *
retries * * * * *
timeout * * *
state_change_fn * * *
weak_keys_and_salt * * *
secure_erase *
hidden_size_bytes *
prf_algo *
h_prf_algo *
cipher_chain *
h_cipher_chain *
protect_hidden * *
fde * *
sys * * ? ?
use_backup_header * * * *
header_from_file * * * *
hidden_header_from_file * * * *
allow_trim *
save_header_to_file *
passphrase * * * * *
h_passphrase * * * * *
keyfiles * * * * *
h_keyfiles * * * * *
new_passphrase *
new_keyfiles *
new_prf_algo *
The varargs accepted by the tc_api_task_set() function depend on the key
being set.
dev The vararg is of type const char *. It sets the device that
contains the TrueCrypt volume to operate on.
map_name
The vararg is of type const char *. It set the name of the
mapped volume.
interactive
The vararg is of type int. It determines whether the user will
be prompted for a passphrase or whether the settings are taken
from the arguments set using tc_api_task_set().
retries
The vararg is of type int. It determines the number of
passphrase retries if interactive is set.
weak_keys_and_salt
The vararg is of type int. It determines whether to use a weak
source of entropy for key material and/or the salt.
secure_erase
The vararg is of type int. It determines whether a secure erase
is performed as part of the volume creation.
hidden_size_bytes
The vararg is of type int64_t. If set to 0 it implies no hidden
volume will be created. A positive value implies a hidden volume
of the specified size in bytes is created.
prf_algo
The vararg is of type const char * and must be a valid PBKDF2 PRF
algorithm. It determines which PBKDF2 PRF algorithm is used for
the outer volume.
h_prf_algo
The vararg is of type const char * and must be a valid PBKDF2 PRF
algorithm. It determines which PBKDF2 PRF algorithm is used for
the hidden volume.
cipher_chain
The vararg is of type const char * and must be a valid tcplay
cipher chain. It determines which cipher chain is used to
encrypt the outer volume.
h_cipher_chain
The vararg is of type const char * and must be a valid tcplay
cipher chain. It determines which cipher chain is used to
encrypt the hidden volume.
protect_hidden
The vararg is of type int. It determines whether the size of the
outer volume should be adjusted to protect any hidden volume.
Using this mode requires both outer and hidden passphrases and
keyfiles.
sys The vararg is of type const char *. It determines whether the
volume is a system encrypted volume, and if so, which disk is the
system disk and hence contains the header. If set to NULL the
volume will implicitly be treated as a non-system encrypted
volume.
fde The vararg is of type int. It determines whether the disk uses
full disk encryption or not. If specified, the device pointed to
by the dev setting should be a whole disk device, not any
partition. The device will be mapped or queried as a whole. For
more details on full disk encryption, see tcplay(8).
use_backup_header
The vararg is of type int. It determines whether the backup
header should be used instead of the regular header to access the
volume.
header_from_file
The vararg is of type const char *. If not NULL it forces tcplay
to use the header in the specified file instead of the regular
outer volume header.
hidden_header_from_file
The vararg is of type const char *. If not NULL it forces tcplay
to use the header in the specified file instead of the regular
hidden volume header.
allow_trim
The vararg is of type int. It specifies whether the mapped
volume should allow discards (TRIM).
save_header_to_file
The vararg is of type const char *. If not NULL it forces tcplay
to write the (modified) header to the specified file instead of
replacing the volume headers.
passphrase
The vararg is of type const char *. It sets the passphrase that
tcplay uses to access the volume.
h_passphrase
The vararg is of type const char *. It sets the passphrase that
tcplay uses to unlock the hidden volume header. This option is
only used if a hidden volume is being created or the
protect_hidden setting is set. Otherwise tcplay will first use
the regular passphrase to try to unlock the outer volume and then
try to unlock the hidden volume header with the same passphrase
without ever using h_passphrase.
keyfiles
The vararg is of type const char *. If not NULL the given
keyfile will be added to the keyfile pool. Multiple calls to set
this option with a non- NULL argument result add additional
keyfiles. If NULL all keyfiles are cleared.
h_keyfiles
The vararg is of type const char *. If not NULL the given
keyfile will be added to the keyfile pool. Multiple calls to set
this option with a non- NULL argument result add additional
keyfiles. If NULL all keyfiles are cleared. This option is only
used if a hidden volume is being created or the protect_hidden
setting is set. Otherwise tcplay will first use the regular
keyfiles to try to unlock the outer volume and then try to unlock
the hidden volume header with the same keyfiles without ever
using h_keyfiles.
new_passphrase
The vararg is of type const char *. It specifies the new
passphrase to use when modifying the volume header.
new_keyfiles
The vararg is of type const char *. If not NULL the given
keyfile will be added to the new keyfile pool. Multiple calls to
set this option with a non- NULL argument result add additional
keyfiles. If NULL all new keyfiles are cleared. When the volume
header is modified, it will be reencrypted using the new
keyfiles.
new_prf_algo
The vararg is of type const char * and must be a valid PBKDF2 PRF
algorithm. It determines which PBKDF2 PRF algorithm is used when
reencrypting the (modified) volume header.
state_change_fn
The first vararg is of type tc_api_state_change_fn and the second
vararg is of type void *. It allows the consumer to provide a
callback function which will be called when starting and stopping
a time-intensive sub-operation such as collecting entropy or
erasing a volume. The second vararg is passed as the priv
argument to the callback. The enter_state argument to the
callback determines whether tcplay is starting or stopping the
time-intensive sub-task specified in the state argument.
The tc_api_task_do() function runs the task specified in the task
argument. Before running the task, tc_api_task_do() performs a simple
sanity check of the arguments set previously using tc_api_task_set()
before performing the actual operation. After a call to tc_api_task_do()
for the info or info_mapped operations, the queried information is
available to be accessed using tc_api_task_info_get().
The tc_api_task_info_get() function can be used to query the result of a
info or info_mapped operation. The task argument is the task used in a
previous tc_api_task_do() call. The key argument can be one of the
following:
Key type Description
device char * Corresponding device node
cipher char * Used cipher chain
prf char * Used PBKDF2 PRF algorithm
key_bits int * Number of key bits
size int64_t * Volume size in bytes
iv_offset int64_t * IV Offset of volume in bytes
block_offset int64_t * Block Offset of volume in bytes
The second vararg argument must be of the type specified in the above
table. The first vararg argument is always the size of the storage
provided in the second argument. For a char * argument, the size
corresponds to the size of the buffer at the provided location and must
be of type size_t. For an int * or int64_t * argument, it should be the
size of the underlying type.
The tc_api_task_get_error() function can be used to get a detailed error
message after a failed tc_api_task_do call. The task argument is the
task used in a previous tc_api_task_do() call.
NOTES
TrueCrypt limits passphrases to 64 characters (including the terminating
null character). To be compatible with it, tcplay does the same. All
passphrases (exlcuding keyfiles) are trimmed to 64 characters.
Similarly, keyfiles are limited to a size of 1 MB, but up to 256 keyfiles
can be used.
RETURN VALUES
All functions except tc_api_task_init() and tc_api_task_get_error()
return either TC_OK to indicate that the operation completed
successfully, or TC_ERR_UNIMPL to indicate that the operation is not
implemented , or TC_ERR to indicate that any other error occurred.
The tc_api_task_get_error() function always return a valid, but possibly
empty (or irrelevant, if not called after an error occurred) string.
The tc_api_task_init() function returns NULL if an error occurred and an
opaque tc_api_task otherwise.
COMPATIBILITY
The tcplay library offers full compatibility with TrueCrypt volumes
including hidden volumes, system encryption (map-only), keyfiles and
cipher cascading.
SEE ALSO
tcplay(8)
HISTORY
The tcplay library appeared in DragonFly 2.11.
AUTHORS
Alex Hornung
DragonFly 5.9-DEVELOPMENT May 2, 2020 DragonFly 5.9-DEVELOPMENT