Paranoid Penguin - Customizing Linux Live CDs, Part II
Voilà! You now have a mountable, usable encrypted virtual volume! If you want to test it or begin populating it with confidential data you intend to use with your live CD, you can mount it “for real” by going back to the TrueCrypt GUI, clicking Dismount, and then clicking Mount (the same button; it's context-sensitive). (This time, do not select the Do not mount button.) If you don't specify a mountpoint, TrueCrypt automatically creates one called /media/truecrypt1.
Note that if you mount different TrueCrypt volumes in succession, the mountpoints will be named /media/truecrypt1, /media/truecrypt2 and so on, where the trailing digit corresponds to the Slot number TrueCrypt uses in creating virtual device mappings (Figure 1). Note also that when mounting a TrueCrypt volume from the GUI, you may need to click on an empty slot number before clicking the Mount number, if one isn't selected already.
By default, TrueCrypt mounts your ext3-formatted TrueCrypt volume with root ownership. Depending on how you plan to use it, that may be appropriate. But, as a matter of principle, you don't want to use root privileges for ordinary tasks like word processing. If you're going to use this volume as your Documents directory, it's going to need to be usable by some unprivileged user.
The custom live CD image we created last month has only the default Ubuntu accounts on it. For now, let's stick with those—that way, you'll be able to use this encrypted volume with any Ubuntu 7.10 live CD, not just your custom image. Here's how to make your volume usable by the default live CD user account ubuntu.
First, create, map, format and mount your volume as described above. I'll assume that TrueCrypt mounted it to /media/truecrypt1.
TrueCrypt 5.x Idiosyncracies
With version 5.0, TrueCrypt added a GUI to the Linux version that is very similar to that of the Windows version (in prior versions, TrueCrypt for Linux was command-line-only). But, TrueCrypt versions 5.0 and 5.0a for Linux both had serious limitations and bugs, including the omission of the -c option that allows you to create TrueCrypt volumes from a command line and of the TrueCrypt man page.
Toward the end of the day that I submitted this article for publication, TrueCrypt 5.1 was released, and the -c option has been restored in this version. Other bugs in 5.0/a may or may not be fixed (some users have complained of performance problems and even TrueCrypt-induced system crashes with the Linux version). Although I have changed the filenames in this article's examples to reflect the new version, I didn't have time to test version 5.1 myself, so I can't tell you how significant an improvement it is.
So, be forewarned. On the one hand, there doesn't appear to be any serious security issues with TrueCrypt 5 for Linux. Obviously, as I've devoted most of this article to it, I think it's useful and trustworthy enough for the purposes described herein.
But, TrueCrypt historically has been a very Windows-oriented project, and this still appears to be the case. So, as with anything, be sure to test TrueCrypt thoroughly before depending on it in any kind of production or mission-critical context. One alternative to consider is TrueCrypt version 4.3, a known, stable release that's still available (at the time of this writing) on the www.truecrypt.org Web site. But, it's seldom a good idea to trust obsolete software for too long.
Open or switch to a terminal window. If you do an ls -l of /media, the listing for your volume should look like this:
drwxr-xr-x 3 root root 1024 2008-03-09 23:21 truecrypt1
As you can see, only root can use this directory. Because we want it to be usable by our live CD's ubuntu account, and because that account's user ID (UID) and group ID (GID) are 999 and 999, respectively, we issue this command:
05-$ sudo chown -R 999:999 /media/truecrypt1
This performs a bit of magic. The user/group ownerships you just specified are now embedded in your TrueCrypt volume's filesystem. From this point on, wherever you mount this volume, regardless of the mountpoint's ownership and permissions when it isn't in use, your volume will be mounted with UID and GID both set to 999.
If you subsequently mount the TrueCrypt volume on a system on which some user or group other than ubuntu has a numeric ID of 999 (per its local /etc/passwd and /etc/group files), then that user or group will own the mounted volume, even if that system has an account or group named ubuntu. And, if on that system the UID 999 doesn't correspond to any user, you'll need to be root in order to use the mounted volume. (But, in that case, you'll be no worse off than if you had skipped the chown exercise!)