TCPLAY(8) DragonFly System Manager's Manual TCPLAY(8)
NAME
tcplay - tool to manage TrueCrypt volumes
SYNOPSIS
tcplay -c -d device [-g] [-z] [-w] [-a pbkdf_hash] [-b cipher]
[-f keyfile_hidden] [-k keyfile] [-x pbkdf_hash] [-y cipher]
[--fde]
tcplay -i -d device [-e] [-p] [-f keyfile_hidden] [-k keyfile]
[-s system_device] [--use-backup] [--use-hdr-file hdr_file]
[--use-hidden-hdr-file hdr_file]
tcplay -j mapping
tcplay -m mapping -d device [-e] [-p] [-f keyfile_hidden] [-k keyfile]
[-s system_device] [-t] [--fde] [--use-backup]
[--use-hdr-file hdr_file] [--use-hidden-hdr-file hdr_file]
tcplay --modify -d device [-k keyfile] [--new-keyfile new_keyfile]
[--new-pbkdf-prf pbkdf_hash] [-s system_device] [--fde]
[--use-backup] [--use-hdr-file hdr_file]
[--use-hidden-hdr-file hdr_file] [--save-hdr-backup hdr_file] [-w]
tcplay --modify -d device [-k keyfile] --restore-from-backup-hdr [-w]
tcplay -u mapping
tcplay -h | -v
DESCRIPTION
The tcplay utility provides full support for creating and opening/mapping
TrueCrypt-compatible volumes. It supports the following commands, each
with a set of options detailed further below:
-c, --create
Create a new encrypted TrueCrypt volume on the device specified
by --device.
-h, --help
Print help message and exit.
-i, --info
Print out information about the encrypted device specified by
--device.
-j mapping, --info-mapped=mapping
Print out information about the mapped tcplay volume specified by
mapping. Information such as key CRC and the PBKDF2 PRF is not
available via this command.
--modify
Modify the volume header. This mode allows changing passphrase,
keyfiles, PBKDF2 PRF as well as restoring from a backup header.
-m mapping, --map=mapping
Map the encrypted TrueCrypt volume on the device specified by
--device as a dm(4) mapping called mapping. The mapping argument
should not contain any spaces or special characters.
-u mapping, --unmap=mapping
Removes (unmaps) the dm(4) mapping specified by mapping as well
as any related cascade mappings.
-v, --version
Print version message and exit.
Options common to all commands are:
-d device, --device=device
Specifies the disk device on which the TrueCrypt volume
resides/will reside. This option is mandatory for the --create,
--info, --map and --modify commands; --info-mapped and --unmap take
the mapping name instead.
-f keyfile_hidden, --keyfile-hidden=keyfile_hidden
Specifies a keyfile to use in addition to the passphrase when
either creating a hidden volume or when protecting a hidden
volume while mapping or querying the outer volume. If you only
intend to map a hidden volume, the --keyfile option has to be
used. This option can appear multiple times; if so, multiple
keyfiles will be used. This option is not valid in the --modify
mode.
-k keyfile, --keyfile=keyfile
Specifies a keyfile to use in addition to the passphrase. This
option can appear multiple times; if so, multiple keyfiles will
be used.
Additional options for the --create command are:
-a pbkdf_hash, --pbkdf-prf=pbkdf_hash
Specifies which hash algorithm to use for the PBKDF2 password
derivation. To see which algorithms are supported, specify
--pbkdf-prf=help.
-b cipher, --cipher=cipher
Specifies which cipher algorithm or cascade of ciphers to use to
encrypt the new volume. To see which algorithms are supported,
specify --cipher=help.
-g, --hidden
Specifies that the newly created volume will contain a hidden
volume. The keyfiles applied to the passphrase for the hidden
volume are those specified by --keyfile-hidden. The user will be
prompted for the size of the hidden volume interactively.
-w, --weak-keys
Use urandom(4) for key material instead of a strong entropy
source. This is in general a really bad idea and should only be
used for testing.
-x pbkdf_hash, --pbkdf-prf-hidden=pbkdf_hash
Specifies which hash algorithm to use for the PBKDF2 password
derivation for the hidden volume. Only valid in conjunction with
--hidden. If no algorithm is specified, the same as for the
outer volume will be used. To see which algorithms are
supported, specify --pbkdf-prf-hidden=help.
-y cipher, --cipher-hidden=cipher
Specifies which cipher algorithm or cascade of ciphers to use to
encrypt the hidden volume on the new TrueCrypt volume. Only
valid in conjunction with --hidden. If no cipher is specified,
the same as for the outer volume will be used. To see which
algorithms are supported, specify --cipher-hidden=help.
-z, --insecure-erase
Skips the secure erase of the disk. Use this option carefully: it is
a security risk, because data previously stored on the device stays
recoverable in the parts the new volume has not yet overwritten, and
the unused space of the volume does not look like random data, which
weakens the plausible deniability of a hidden volume.
Additional options for the --info, --map and --modify commands are:
-e, --protect-hidden
Specifies that an outer volume will be queried or mapped, but its
reported size will be adjusted accordingly to the size of the
hidden volume contained in it. Both the hidden volume and outer
volume passphrase and keyfiles will be required. This option
only applies to the --info and --map commands.
-p, --prompt-passphrase
This option causes tcplay to prompt for a passphrase immediately,
even if a keyfile is provided. Normally, if a keyfile is
supplied, tcplay will first attempt to unlock the volume using
only the keyfile, and only prompt for a passphrase if that first
unlocking attempt fails. However, since a failed unlocking
attempt can take a non-trivial amount of time, specifying this
option can reduce the total unlocking time if both a keyfile and
passphrase are required. This option only makes sense if -k or
-f are used.
-s system_device, --system-encryption=system_device
This option is required if you are attempting to access a device
that uses system encryption, for example an encrypted Windows
system partition. It does not apply to disks using full disk
encryption. The --device option will point at the actual
encrypted partition, while the system_device argument will point
to the parent device (i.e. underlying physical disk) of the
encrypted partition.
--fde This option is intended to be used with disks using full disk
encryption (FDE). When a disk has been encrypted using
TrueCrypt's FDE, the complete disk is encrypted except for the
first 63 sectors. The --device option should point to the whole
disk device, not to any particular partition. The resultant
mapping will cover the whole disk, and will not appear as
separate partitions.
--use-backup
This option is intended to be used when the primary headers of a
volume have been corrupted. This option will force tcplay to use
the backup headers, which are located at the end of the device,
to access the volume.
--use-hdr-file=hdr_file
Read the main volume header from hdr_file, for example a copy
written earlier with --save-hdr-backup, instead of from the device.
--use-hidden-hdr-file=hdr_file
Read the hidden volume header from hdr_file instead of from the
device. Which header is actually used still depends on the
passphrase and keyfiles supplied; see EXAMPLES.
Additional options only for the --map command are:
-t, --allow-trim
This option enables TRIM (discard) support on the mapped volume.
Additional options only for the --modify command are:
--new-pbkdf-prf=pbkdf_hash
Specifies which hash algorithm to use for the PBKDF2 password
derivation on reencrypting the volume header. If this option is
not specified, the reencrypted header will use the current PRF.
To see which algorithms are supported, specify --pbkdf-prf=help.
--new-keyfile=keyfile
Specifies a keyfile to use in addition to the new passphrase on
reencrypting the volume header. This option can appear multiple
times; if so, multiple keyfiles will be used.
--restore-from-backup-hdr
If this option is specified, neither --new-pbkdf-prf nor
--new-keyfile should be specified. This option implies
--use-backup. Use this option to restore the volume headers from
the backup header.
--save-hdr-backup=hdr_file
Write a backup copy of the volume header to hdr_file. As with the
other header operations, which header (main or hidden) is saved
depends on the passphrase and keyfiles used.
Sending a SIGINFO or SIGUSR1 signal to a running tcplay process makes it
print progress on slower tasks such as gathering entropy or wiping the
volume.
NOTES
TrueCrypt limits passphrases to 64 characters (including the terminating
null character). To be compatible with it, tcplay does the same. All
passphrases (excluding keyfiles) are trimmed to 64 characters.
Similarly, keyfiles are limited to a size of 1 MB, but up to 256 keyfiles
can be used.
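The limits above apply to the step in which keyfiles are folded into the passphrase. The following is an added example, not tcplay's own code, that reimplements the TrueCrypt keyfile pool construction that tcplay follows for compatibility: the first 1 MiB of each keyfile is streamed through CRC-32, after every byte the four bytes of the raw CRC register are added modulo 256 into a 64-byte pool that wraps around, and the finished pool is added byte-wise to the passphrase, which is trimmed to 64 bytes and zero-padded to that length. It also shows two consequences of that design: keyfile order does not matter, and once a keyfile is involved the password handed to PBKDF2 is always 64 bytes long. The function names and the sample keyfile contents are constructed for this example; verify the exact length handling against tcplay's source before relying on it.

```python
"""TrueCrypt-style keyfile pool: added example, not tcplay's own code.

Limits follow the NOTES section of tcplay(8): passphrases are trimmed to
64 bytes, only the first 1 MiB of each keyfile is read, at most 256 keyfiles.
"""
import zlib

MAX_PASS_SZ = 64          # passphrase bytes that count
KPOOL_SZ = 64             # size of the keyfile pool
MAX_KEYFILE_SZ = 1 << 20  # bytes of a keyfile that are read
MAX_KEYFILES = 256


def keyfile_pool(keyfiles):
    """Fold the contents of each keyfile into a 64-byte pool.

    The CRC register and the pool position are reset for every keyfile,
    so each keyfile's contribution is simply added into the pool: the
    result does not depend on the order in which keyfiles are given.
    """
    if len(keyfiles) > MAX_KEYFILES:
        raise ValueError("at most %d keyfiles" % MAX_KEYFILES)
    pool = bytearray(KPOOL_SZ)
    for data in keyfiles:
        crc_out = 0   # zlib.crc32() value of the bytes seen so far
        pos = 0
        for b in data[:MAX_KEYFILE_SZ]:
            crc_out = zlib.crc32(bytes((b,)), crc_out)
            # zlib returns the inverted register; the pool uses the raw one.
            reg = crc_out ^ 0xFFFFFFFF
            for shift in (24, 16, 8, 0):
                pool[pos] = (pool[pos] + ((reg >> shift) & 0xFF)) & 0xFF
                pos += 1
            if pos == KPOOL_SZ:   # wrap around (64 is a multiple of 4)
                pos = 0
    return bytes(pool)


def effective_password(passphrase, keyfiles=()):
    """Return the bytes that PBKDF2 is run over.

    Without keyfiles that is the trimmed passphrase itself. With keyfiles
    the passphrase is zero-padded to 64 bytes, the pool is added byte-wise
    and all 64 bytes are used, so even an empty passphrase yields a
    64-byte password (assumption to check against tcplay's source).
    """
    pw = bytearray(passphrase[:MAX_PASS_SZ])
    if not keyfiles:
        return bytes(pw)
    pw.extend(bytes(MAX_PASS_SZ - len(pw)))
    for i, k in enumerate(keyfile_pool(keyfiles)):
        pw[i] = (pw[i] + k) & 0xFF
    return bytes(pw)


if __name__ == "__main__":
    # Constructed sample keyfiles; real ones would be read from disk.
    one, two = b"constructed keyfile one", b"constructed keyfile two"
    print(effective_password(b"correct horse", [one, two]).hex())
    assert effective_password(b"correct horse", [two, one]) == \
        effective_password(b"correct horse", [one, two])
```

A single zero byte as the only keyfile makes the first pool bytes easy to check by hand: the CRC-32 register after one 0x00 byte is 0x2DFD1072, so those four bytes are added to the first four passphrase bytes and the remaining sixty stay zero.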
PLAUSIBLE DENIABILITY
tcplay offers plausible deniability. Hidden volumes are created within an
outer volume. Which volume is accessed depends solely on the passphrase
and keyfile(s) used. If the passphrase and keyfiles for the outer volume
are specified, no information about the existence of the hidden volume is
exposed; without knowledge of the passphrase and keyfile(s) of the hidden
volume its existence remains unexposed. Because the outer volume, mapped
on its own, spans the area in which the hidden volume lives, writes to it
can overwrite the hidden volume. The hidden volume can be protected when
mapping the outer volume by using the --protect-hidden option and
specifying the passphrase and keyfiles for both the outer and hidden
volumes; the reported size of the outer volume is then reduced
accordingly. Note that supplying both sets of credentials necessarily
reveals that a hidden volume exists, so --protect-hidden is for trusted
environments, not for situations in which deniability itself is needed.
VERACRYPT SUPPORT
tcplay offers both legacy TrueCrypt as well as VeraCrypt support. When
creating a new volume, the selected PBKDF2 PRF determines whether the
volume will use the TrueCrypt or the VeraCrypt format. The formats are
identical other than the iteration counts of the key derivation function
and the volume signature and minver fields in the header. Converting a
volume from one format to the other with tcplay is therefore simply a
matter of using --modify with a --new-pbkdf-prf argument naming a PRF of
the intended target format; only the header is re-encrypted, the master
keys and the encrypted data are left untouched.
PBKDF2 PRFs suffixed with -VC are VeraCrypt PRFs, whilst all others are
legacy TrueCrypt PRFs. By default, new volumes are created with a
VeraCrypt PRF to offer better security.
NOTE: Failed unlocking attempts, even for legacy TrueCrypt volumes, now
take significantly longer than before, as tcplay cycles through all
PRFs, including the VeraCrypt PRFs with their much higher iteration
counts. Successful attempts should still take the same amount of time as
before, because the legacy PRF settings are tried first. One notable
exception is when both a keyfile and a passphrase are required. Normally,
tcplay first attempts to unlock with just the keyfile and only prompts
for a passphrase after that attempt has failed, which means a full pass
over all PRFs is paid for before the real attempt starts. If it is known
in advance that both a keyfile and a passphrase are required to unlock a
volume, the -p option to --info and --map can more than halve the time
required to unlock it.
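The header-level difference between the two formats, and what a failed unlock attempt actually observes, can be made concrete. The following is an added example, not tcplay's code, that validates and parses the decrypted part of a volume header and reports whether it carries the TrueCrypt or the VeraCrypt signature. It assumes the header layout documented for TrueCrypt 7 and VeraCrypt: a 512-byte header whose first 64 bytes are the PBKDF2 salt, followed by 448 bytes encrypted under the derived key; the fields handled below are the plaintext of those 448 bytes, all big-endian, with a CRC-32 over the fields and another over the master keys. Key derivation and XTS decryption are deliberately not shown; with a wrong passphrase, keyfile or PRF the decrypted bytes simply carry no valid signature, which is the test tcplay's unlock loop repeats for every PRF it tries. The builder function, the field names and the sample values are constructed for this example.

```python
"""Decrypted TrueCrypt/VeraCrypt volume header: added example, not tcplay's code.

Layout assumed (TrueCrypt 7 / VeraCrypt documentation), offsets relative to
the 448 decrypted bytes that follow the 64-byte salt; integers big-endian:
  0   signature "TRUE" or "VERA"              4
  4   header format version                   2
  6   minimum program version                 2
  8   CRC-32 of the master keys (192..447)    4
  12  reserved                                16
  28  hidden volume size (0 = not hidden)     8
  36  volume size                             8
  44  master key scope offset                 8
  52  master key scope size                   8
  60  flags                                   4
  64  sector size                             4
  68  reserved                                120
  188 CRC-32 of bytes 0..187                  4
  192 master keys (XTS primary + secondary)   256
"""
import struct
import zlib

DEC_HDR_SZ = 448
KEYS_OFF = 192
CRC_DHDR_OFF = 188
SIGNATURES = {b"TRUE": "TrueCrypt", b"VERA": "VeraCrypt"}
_FIELDS = struct.Struct(">4sHHI16sQQQQII120sI")
assert _FIELDS.size == KEYS_OFF


class HeaderError(ValueError):
    """Raised when the bytes are not a valid decrypted header."""


def parse_decrypted_header(dec):
    """Check signature and both CRCs, then return the header fields."""
    if len(dec) != DEC_HDR_SZ:
        raise HeaderError("expected %d decrypted header bytes" % DEC_HDR_SZ)
    (sig, ver, min_ver, crc_keys, _res, sz_hidvol, sz_vol, off_mk_scope,
     sz_mk_scope, flags, sec_sz, _unused, crc_dhdr) = _FIELDS.unpack(dec[:KEYS_OFF])
    fmt = SIGNATURES.get(sig)
    if fmt is None:
        # What a wrong passphrase, keyfile or PRF looks like: random bytes.
        raise HeaderError("no TRUE/VERA signature (wrong passphrase, keyfile or PRF?)")
    if zlib.crc32(dec[:CRC_DHDR_OFF]) != crc_dhdr:
        raise HeaderError("header field CRC mismatch")
    keys = dec[KEYS_OFF:]
    if zlib.crc32(keys) != crc_keys:
        raise HeaderError("master key CRC mismatch")
    return {
        "format": fmt, "version": ver, "min_version": min_ver,
        "hidden": sz_hidvol != 0, "sz_hidvol": sz_hidvol, "sz_vol": sz_vol,
        "off_mk_scope": off_mk_scope, "sz_mk_scope": sz_mk_scope,
        "flags": flags, "sector_size": sec_sz, "keys": keys,
    }


def header_is_valid(dec):
    """True if the bytes parse as a header with a good signature and CRCs."""
    try:
        parse_decrypted_header(dec)
        return True
    except HeaderError:
        return False


def build_decrypted_header(fmt, sz_vol, keys, *, sz_hidvol=0, ver=5, min_ver=0,
                           off_mk_scope=131072, sz_mk_scope=None, flags=0,
                           sec_sz=512):
    """Construct a decrypted header with correct CRCs (test data only).

    Version fields and the 131072-byte data offset are constructed sample
    values; this does not derive keys, encrypt anything or create a volume.
    """
    sig = {v: k for k, v in SIGNATURES.items()}[fmt]
    if len(keys) != DEC_HDR_SZ - KEYS_OFF:
        raise ValueError("master key area must be 256 bytes")
    if sz_mk_scope is None:
        sz_mk_scope = sz_vol
    head = _FIELDS.pack(sig, ver, min_ver, zlib.crc32(keys), bytes(16),
                        sz_hidvol, sz_vol, off_mk_scope, sz_mk_scope,
                        flags, sec_sz, bytes(120), 0)
    crc_dhdr = zlib.crc32(head[:CRC_DHDR_OFF])
    return head[:CRC_DHDR_OFF] + struct.pack(">I", crc_dhdr) + keys


if __name__ == "__main__":
    sample_keys = bytes(range(256))   # constructed, not real key material
    hdr = build_decrypted_header("VeraCrypt", 64 << 20, sample_keys)
    info = parse_decrypted_header(hdr)
    print(info["format"], info["sz_vol"], "hidden" if info["hidden"] else "outer")
```

Note how the "format" answer comes only from the signature field, and a flipped bit anywhere in the fields or the key area is caught by the respective CRC rather than by the signature; converting a volume with --modify and --new-pbkdf-prf changes exactly the signature, the minver field and the PBKDF2 parameters while the 256-byte key area survives unchanged.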
EXAMPLES
Create a new volume on /dev/vn0 using the cipher cascade
TWOFISH-256-XTS,AES-256-XTS, the Whirlpool hash algorithm for PBKDF2
password derivation and two keyfiles, one.key and two.key (whirlpool
carries no -VC suffix, so it is a legacy TrueCrypt PRF and the volume is
created in the TrueCrypt format; see VERACRYPT SUPPORT):
tcplay --create --device=/dev/vn0
--cipher=TWOFISH-256-XTS,AES-256-XTS --pbkdf-prf=whirlpool
--keyfile=one.key --keyfile=two.key
Map the outer volume on the TrueCrypt volume on /dev/vn0 as truecrypt1,
but protect the hidden volume, using the keyfile hidden.key, from being
overwritten:
tcplay --map=truecrypt1 --device=/dev/vn0 --protect-hidden
--keyfile-hidden=hidden.key
Map the hidden volume on the TrueCrypt volume on /dev/vn0 as truecrypt2,
using the keyfile hidden.key:
tcplay --map=truecrypt2 --device=/dev/vn0 --keyfile=hidden.key
Map and mount the volume in the file secvol:
vnconfig vn1 secvol
tcplay --map=secv --device=/dev/vn1
mount /dev/mapper/secv /mnt
Unmapping the volume truecrypt2 after unmounting:
dmsetup remove truecrypt2
Or, preferably:
tcplay --unmap=truecrypt2
The latter also removes the related cascade mappings that tcplay creates
for a cipher cascade, whereas dmsetup remove only removes the named
mapping.
A hidden volume whose existence can be plausibly denied and its outer
volume can for example be created with
tcplay --create --hidden --device=/dev/vn0
--cipher=TWOFISH-256-XTS,AES-256-XTS --pbkdf-prf=whirlpool
--keyfile=one.key --cipher-hidden=AES-256-XTS
--pbkdf-prf-hidden=whirlpool --keyfile-hidden=hidden.key
tcplay will prompt the user for the passphrase for both the outer and
hidden volume as well as for the size of the hidden volume inside the
outer volume. The hidden volume is created inside the area spanned by the
outer volume. It can optionally use a different cipher and PRF, as
specified by the --cipher-hidden and --pbkdf-prf-hidden options. Which
volume is later accessed depends only on which passphrase and keyfile(s)
are used; since the hidden volume is located within the outer volume, its
existence remains unknown without knowledge of the passphrase and
keyfile(s) it is protected by. To map the outer volume without
potentially damaging the hidden volume, the passphrase and keyfile(s) of
the hidden volume must be known and provided alongside the
--protect-hidden option.
A disk encrypted using full disk encryption can be mapped using
tcplay --map=tcplay_da2 --device=/dev/da2 --fde
To restore the main volume header from the backup header, the following
command can be used:
tcplay --modify --device=/dev/da2 --restore-from-backup-hdr
As with most other commands, which header (main or hidden) is restored
depends on the passphrase and keyfiles used.
To save a backup copy of a header, the following command can be used:
tcplay --modify --device=/dev/da2
--save-hdr-backup=/tmp/da2_backup_header.hdr
As with most other commands, which header is saved (used as source)
depends on the passphrase and keyfiles used.
To restore a header from a backup header file, the following command can
be used:
tcplay --modify --device=/dev/da2
--use-hdr-file=/tmp/da2_backup_header.hdr
Similarly, to restore a hidden header from a backup header file:
tcplay --modify --device=/dev/da2
--use-hidden-hdr-file=/tmp/da2_backup_hidden_header.hdr
Which header is used as the source of the operation will still depend on
the passphrase and keyfiles used. Even if you use the
--use-hidden-hdr-file option, if you specify the passphrase and keyfiles
for the main header, the main header will be used instead.
SEE ALSO
crypttab(5), cryptsetup(8), dmsetup(8)
HISTORY
The tcplay utility appeared in DragonFly 2.11.
AUTHORS
Alex Hornung
DragonFly 5.9-DEVELOPMENT April 30, 2020 DragonFly 5.9-DEVELOPMENT