Manual Page - truecrypt(1)


Manual Reference Pages  - TRUECRYPT (1)

NAME

truecrypt - manage TrueCrypt volumes

CONTENTS

Synopsis
Description
Options
Examples
Diagnostics
Copyright

SYNOPSIS

truecrypt [OPTIONS] VOLUME_PATH [MOUNT_DIRECTORY]
truecrypt [OPTIONS] -i
truecrypt [OPTIONS] -c | --create | -C | --change [VOLUME_PATH]
truecrypt [OPTIONS] -d | --dismount | -l | --list [MAPPED_VOLUME]
truecrypt [OPTIONS] --backup-headers | --restore-header FILE [VOLUME]
truecrypt [OPTIONS] --properties [VOLUME_PATH]
truecrypt [OPTIONS] --keyfile-create FILE
truecrypt -h | --help | --test | -V | --version

DESCRIPTION

Manages encrypted TrueCrypt volumes, which can be mapped as virtual block devices and used as any other standard block device. All data being read from a mapped TrueCrypt volume is transparently decrypted and all data being written to it is transparently encrypted.

OPTIONS

VOLUME_PATH [MOUNT_DIRECTORY]

Open a TrueCrypt volume specified by VOLUME_PATH and map it as a block device /dev/mapper/truecryptN. N is the first available device number if not otherwise specified with -N. Filesystem of the mapped volume is mounted at MOUNT_DIRECTORY if specified. To open a hidden volume, specify its password and/or keyfiles (the outer volume cannot be mapped at the same time). See also EXAMPLES and options --display-password, --filesystem, -k, -M, -p, -P, --password-tries, -r, -u, --update-time. Note that passing some of the options may affect security (see options -i and -p for more information). This command requires administrator privileges (sudo(8) is used if available).
--backup-headers BACKUP_FILE [VOLUME_PATH]
Backup headers of a volume specified by VOLUME_PATH to a file BACKUP_FILE. Volume path is requested from user if not specified on command line. Both normal/outer and hidden volume headers are stored in the backup file even if there is no hidden volume within the volume (to preserve plausible deniability). When restoring the volume header, it is possible to select which header is to be restored. See also --restore-header.
-c, --create [VOLUME_PATH]
Create a new volume. Most options are requested from user if not specified on command line. Hidden volume can be created only in an existing file or device. Size of the hidden volume should not exceed the free space of the filesystem on the outer volume. Hidden volume protection (see option -P) should be used to update the outer volume contents after the hidden volume is created. WARNING: To prevent data corruption, you should follow the instructions in the EXAMPLES section on how to create a hidden volume. See also options --cluster, --disable-progress, --display-keys, --encryption, -k, --filesystem, --hash, -p, --random-source, --quick, --size, --type. Note that passing some of the options may affect security (see option -p for more information).
-C, --change [VOLUME_PATH]
Change a password and/or keyfile(s) of a volume. Volume path and passwords are requested from user if not specified on command line. PKCS-5 PRF HMAC hash algorithm can be changed with option --hash. See also options -k, --keyfile-add, -p, --random-source, -v.
-d, --dismount [MAPPED_VOLUME]
Dismount and unmap mapped volumes. If MAPPED_VOLUME is not specified, all volumes are dismounted and unmapped. See below for a description of MAPPED_VOLUME. This command requires administrator privileges (sudo(8) is used if available).
-h, --help
Display help information.
-i, --interactive
Map and mount a volume interactively. Options which may affect security are requested from the user. See option -p for more information. This command requires administrator privileges (sudo(8) is used if available).
-l, --list [MAPPED_VOLUME]
Display a list of mapped volumes. If MAPPED_VOLUME is not specified, all volumes are listed. By default, the list contains only volume path and mapped device name pairs. A more detailed list can be enabled by verbose output option (-v). See below for a description of MAPPED_VOLUME. This command requires administrator privileges (sudo(8) is used if available).
--keyfile-create FILE
Create a new keyfile using the random number generator. FILE argument specifies the output file.
--properties [VOLUME_PATH]
Display properties of a volume specified by VOLUME_PATH.
--restore-header BACKUP_FILE [VOLUME_PATH]
Restore header of a volume specified by VOLUME_PATH from a file BACKUP_FILE. Volume path is requested from user if not specified on command line. Type of the restored volume header (normal/hidden) is requested from user if not specified with --type. See also --backup-headers.
--test
Test all internal algorithms used in the process of encryption and decryption.
-V, --version
Display program version and legal notices.

    MAPPED_VOLUME:

Specifies a mapped or mounted volume. One of the following forms can be used:
1) Path to the encrypted TrueCrypt volume.
2) Mount directory of the volume’s filesystem (if mounted).
3) Device number of the mapped volume.
4) Device name of the mapped volume.

--cluster SIZE
Use specified cluster size when creating a new volume. SIZE defines the number of sectors per cluster.
--disable-progress
Disable display of progress information during creation of a new volume.
--display-keys
Display encryption keys generated during creation of a new volume.
--display-password
Display password characters while typing.
--encryption ENCRYPTION_ALGORITHM
Use specified encryption algorithm when creating a new volume.
--filesystem TYPE
Filesystem type to mount. The TYPE argument is passed to mount(8) command with option -t. Default type is 'auto'. When creating a new volume, this option specifies the filesystem to be created on the new volume.
--hash HASH
Use specified hash algorithm when creating a new volume or changing password and/or keyfiles.
-k, --keyfile FILE | DIRECTORY
Use specified keyfile to open a volume to be mapped (or when changing password and/or keyfiles). When a directory is specified, all files inside it will be used (non-recursively). Additional keyfiles can be specified with multiple -k options. Empty keyfile (-k '') disables interactive requests for keyfiles (e.g., when creating a new volume). See also option -K.
-K, --keyfile-protected FILE | DIRECTORY
Use specified keyfile to open a hidden volume to be protected. This option may be used only when mounting an outer volume with hidden volume protected. See also options -k and -P.
--keyfile-add FILE | DIRECTORY
Add specified keyfile to a volume when changing its password and/or keyfiles. This option must also be used to keep all previous keyfiles assigned to a volume. See EXAMPLES for more information.
-M, --mount-options OPTIONS
Filesystem mount options. The OPTIONS argument is passed to mount(8) command with option -o. See also options -r and -u.
-N, --device-number N
Use device number N when mapping a volume as a block device /dev/mapper/truecryptN. Default is the first available device.
--overwrite
Overwrite files without prompting the user for confirmation.
-p, --password PASSWORD
Use specified password to open a volume. Additional passwords can be specified with multiple -p options. An empty password can also be specified ('' in most shells). Note that passing a password on the command line is potentially insecure as the password may be visible in the process list (see ps(1)) and/or stored in a command history file.
--password-tries NUMBER
Prompt NUMBER of times for a password until the correct password is entered. Default is to prompt three times.
-P, --protect-hidden
Write-protect a hidden volume when mapping an outer volume. Before mapping the outer volume, the user will be prompted for a password to open the hidden volume. The size and position of the hidden volume is then determined and the outer volume is mapped with all sectors belonging to the hidden volume protected against write operations. When a write to the protected area is prevented, the whole volume is switched to read-only mode. Verbose list command (-vl) can be used to query the state of the hidden volume protection. Warning message is displayed when a volume switched to read-only is being dismounted. See also options -r and -i.
--quick
Use quick format when creating a new volume. This option can be used only when creating a device-hosted volume. Quick format is always used when creating a hidden volume.
--random-source FILE
Use FILE as a source of random numbers. Standard input is used if '-' is specified.
-r, --read-only
Map and mount a volume as read-only. Write operations to the volume may not fail immediately due to the write buffering performed by the system, but the physical write will still be prevented.
--size SIZE
Use specified size when creating a new volume. SIZE is defined as number of bytes or, when a size suffix K/M/G is used, Kilobytes/Megabytes/Gigabytes. Note that size must be a multiple of 512 bytes.
--type TYPE
Use specified volume type when creating a new volume or restoring a volume header. TYPE can be 'normal' or 'hidden'.
-u, --user-mount
Make a volume being mounted accessible in a non-administrator account. Some filesystems (e.g., FAT) do not support Unix-style access control and it is necessary to use this option when mounting them. Ownership of the mounted filesystem is determined by environment variables set by sudo(8) command. Note that Unix-style filesystems (e.g., ext2) do not support this option.
--update-time
Do not preserve access and modification timestamps of file containers. By default, timestamps are restored after a volume is unmapped.
-v, --verbose
Enable verbose output. Multiple -v options can be specified to increase the level of verbosity.
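
The -p warning above (passwords visible in the process list) can be checked mechanically. The following is an added example, not part of truecrypt or this manual page: it counts the non-empty passwords present in a truecrypt argument vector, using only the option names documented above. The function names are hypothetical, and only the separate-argument form "-p PASSWORD" shown on this page is recognized.

```sh
#!/bin/sh
# Added example (not part of truecrypt): count passwords exposed on a command line.

# Options that consume the next argument, per the OPTIONS section above.
takes_arg() {
  case "$1" in
    --cluster|--encryption|--filesystem|--hash|-k|--keyfile|-K|--keyfile-protected) return 0 ;;
    --keyfile-add|-M|--mount-options|-N|--device-number|--password-tries) return 0 ;;
    --random-source|--size|--type|--backup-headers|--restore-header|--keyfile-create) return 0 ;;
  esac
  return 1
}

# count_exposed ARG...: print how many non-empty passwords follow -p/--password.
count_exposed() (
  n=0
  while [ $# -gt 0 ]; do
    case "$1" in
      -p|--password)
        if [ $# -ge 2 ]; then
          # -p '' (keyfile-only volume) reveals nothing, so it is not counted
          [ -z "$2" ] || n=$((n + 1))
          shift
        fi ;;
      *)
        # skip option values so that a keyfile literally named "-p" is not misread
        if takes_arg "$1" && [ $# -ge 2 ]; then shift; fi ;;
    esac
    shift
  done
  echo "$n"
)

# audit_cmdline FILE: FILE holds a NUL-separated argv (the /proc/PID/cmdline format).
audit_cmdline() {
  tr '\0' '\n' < "$1" | {
    set --
    # read keeps empty lines, so empty arguments survive the conversion
    while IFS= read -r a || [ -n "$a" ]; do set -- "$@" "$a"; done
    if [ $# -gt 0 ] && [ "${1##*/}" = truecrypt ]; then
      shift
      count_exposed "$@"
    else
      echo 0
    fi
  }
}
```

On Linux, audit_cmdline /proc/PID/cmdline applies the same check to a running process; a result of 0 for a -p '' invocation matches the keyfile-only case in EXAMPLES.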

EXAMPLES

truecrypt /root/volume.tc /mnt/tc

Map a volume /root/volume.tc and mount its filesystem at directory /mnt/tc.
truecrypt -u /dev/hda2 /mnt/tc
Map a volume /dev/hda2 (first ATA disk, primary partition 2) and mount its filesystem at /mnt/tc. Default user-id is set, which is useful when mounting a filesystem, such as FAT, for use in a non-administrative account.
truecrypt -i
Map and mount a volume. Options are requested interactively.
truecrypt -d
Dismount and unmap all mapped volumes.
truecrypt -d /root/volume.tc
Dismount and unmap a volume /root/volume.tc.
truecrypt -d /mnt/tc
Dismount and unmap a volume mounted at /mnt/tc.
truecrypt -vl
Display a detailed list of all mapped volumes.
truecrypt -N 1 /dev/hdc1 && mkfs /dev/mapper/truecrypt1
Map a volume /dev/hdc1 and create a new filesystem on it.
truecrypt -P /dev/hdc1 /mnt/tc
Map and mount outer volume /dev/hdc1 and protect hidden volume within it.
truecrypt -p '' -p '' -k key1 -k key2 -K key_hidden -P volume.tc
Map outer volume ./volume.tc and protect hidden volume within it. The outer volume is opened with keyfiles ./key1 and ./key2 and the hidden volume with ./key_hidden. Passwords for both volumes are empty.
truecrypt -c
Create a new volume. Options are requested interactively.
truecrypt -c /dev/hda2
Create a new volume hosted at the second primary partition of the first ATA disk.
truecrypt -k keyfile --size 10M --encryption AES --hash SHA-1 -c vol.tc
Create a new volume. Options which are not specified on command line are requested from the user.
truecrypt --keyfile-add keyfile -C volume.tc
Change password and add a new keyfile to volume.
truecrypt -k keyfile -C volume.tc
Change password and remove a keyfile from volume.
truecrypt -k keyfile --keyfile-add keyfile -C volume.tc
Change password and keep previous keyfile.

    Creating a hidden volume without risking data corruption:

1) Create an outer volume:
truecrypt --type normal --size 100M -c volume.tc
2) Create a hidden volume:
truecrypt --type hidden --size 50M -c volume.tc
3) Mount the outer volume with the hidden volume protected:
truecrypt -P volume.tc /mnt/tc
4) Copy files to the outer volume:
cp outer_volume_file.txt /mnt/tc
5) Dismount the outer volume:
truecrypt -d volume.tc
6) If a warning message has been displayed in 5), start again from 1). Either a larger outer volume should be created in 1), or less data should be copied to the outer volume in 4).

DIAGNOSTICS

Exit status 0 is returned if all requested actions completed successfully, otherwise 1 is returned. Kernel module reports errors via system log with facility kern. See syslogd(8) for more information.

REPORTING BUGS

Report bugs at <http://www.truecrypt.org/bugs/>.

COPYRIGHT

Copyright © 2003-2007 TrueCrypt Foundation. All Rights Reserved.
Copyright © 1998-2000 Paul Le Roux. All Rights Reserved.
Copyright © 1999-2006 Dr. Brian Gladman. All Rights Reserved.
Copyright © 1995-1997 Eric Young. All Rights Reserved.
Copyright © 2001 Markus Friedl. All Rights Reserved.

Released under the TrueCrypt Collective License 1.2

SEE ALSO

http://www.truecrypt.org/docs/
/usr/share/truecrypt/doc/TrueCrypt-User-Guide.pdf
mount(8), umount(8), losetup(8), fuser(1), mkfs(8), fsck(8), dmsetup(8)


truecrypt 4.3a TRUECRYPT (1) May 2007

Generated by manServer 1.07 from /usr/local/man/man1/truecrypt.1 using man macros.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast