TrueCrypt / VeraCrypt

TrueCrypt is open source software for creating encrypted drives. The drive's data is held by a "container". This container can be a file, a whole disk partition or a whole disk.

https://www.grc.com/misc/truecrypt/truecrypt.htm

In May 2014 the TrueCrypt developers lost interest in developing the software and declared it as potentially unsafe because "it may contain unfixed security issues". An audit of the TrueCrypt source code didn't reveal any real issues, so V7.1 can be assumed to be safe.

Based upon the TrueCrypt source code there is the VeraCrypt project; functionality, usage and command-line parameters are quite the same as with TrueCrypt. Only the mounting of a volume is very slow, to make it safe against brute force attacks. With the latest release the hash algorithm can be selected on mounting, which makes the mounting fast enough.

https://veracrypt.codeplex.com

If TrueCrypt is mentioned in the following then it means VeraCrypt too.

A TrueCrypt container contains random data which is used for holding the encrypted data. From the outside the container has no file system and no volume label, nothing but random data.

Only the TrueCrypt application with its driver is able to mount the container and make its contents available decrypted under an additional drive letter.

Whole drive as Container

The first sector of a drive is expected to contain a partition table or a boot sector. Therefore it is not a good idea to use a complete drive as a TrueCrypt container. When Disk Management is opened, Windows might want to "initialize" the drive, which is not so good for the TrueCrypt container. On the other hand the Windows Explorer asks to format a TrueCrypt container volume, which is no less dangerous.

Since V4.8 USBDLM has the new events OnDiskArrival, OnDiskRemovalRequest and OnDiskRemoval, so whole disks used as TC container can be handled too.

On disk arrival the disk number is known (it's the "device number") and Partition0 stands for the whole disk under Windows.

;mount it on J:
[OnDiskArrival]
DeviceType=TrueCrypt
open="%ProgramFiles%\TrueCrypt\TrueCrypt.exe" /q /v \Device\Harddisk%DeviceNumber%\Partition0 /letter J

On removal the DeviceType can be ReadSharingViolation or TrueCrypt, depending on whether the volume was already mounted when the USBDLM service started.

;dismount J: on safe removal of the disk
[OnDiskRemovalRequest]
DeviceTypes=TrueCrypt,ReadSharingViolation
open="%ProgramFiles%\TrueCrypt\TrueCrypt.exe" /q /dJ

Instead of the TrueCrypt tool you can use my command-line tool EjectTcv to eject the TrueCrypt volume:

http://www.uwe-sieber.de/drivetools_e.html#ejecttcv

It can do this by a given container name and retry in a loop until success. Sample:

;dismount the TrueCrypt volume on safe removal of the disk, EjectTcv can do by container name
[OnDiskRemovalRequest]
DeviceTypes=TrueCrypt,ReadSharingViolation
open="C:\Tools\EjectTcv.exe" \Device\Harddisk%DeviceNumber%\Partition0 -L

Partition as Container

Best with an unknown partition type

If a whole partition is used as TrueCrypt container, then Windows will assign a drive letter anyway. This is useless and dangerous. The drive will be shown as having a file system "RAW" and Windows may give the suggestion to format it.

You can prevent this by patching the partition type to one Windows doesn't know, e.g. 0x7C. Windows still enumerates the partition but it does not create a volume device for it, so it is safe from being formatted and no drive letter is assigned. Without a volume device USBDLM gets the disk arrival notification only, so you have to use OnDiskArrival as shown above but with the right partition number instead of 0 for the whole disk.

Changing a partition type can be done by means of the Active@ Partition Manager 3.0: Right-click on the drive, Partition Table..., and there set the partition's value "File system [hex]" to 7C.
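The partition type byte lives in the disk's MBR partition table, so the change Active@ Partition Manager makes can be seen, and verified afterwards, by parsing the first sector. The following Python script is an added example and is not part of USBDLM or of any tool named on this page: it decodes the four primary entries of an MBR image, reports each partition's type, and returns a copy of the sector with one entry's type set to 0x7C. The sample MBR is constructed inside the script; reading the real first sector from \\.\PhysicalDriveN on Windows needs administrator rights, writing a modified sector back to the disk is deliberately left out, and GPT disks (which have no MBR partition types) are not covered.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # the four 16-byte partition entries start here
ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xAA"       # last two bytes of a valid MBR
UNKNOWN_PARTITION_TYPE = 0x7C     # the type the page suggests: Windows creates no volume for it

# Partition entry layout: status (1), CHS start (3), type (1), CHS end (3),
# first LBA (4, little endian), sector count (4, little endian).
ENTRY_FORMAT = "<B3xB3xII"


def parse_partition_table(mbr: bytes) -> list:
    """Return (index, type, first_lba, sector_count) for each used entry of an MBR sector."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector (wrong size or missing 55AA signature)")
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        _status, ptype, first_lba, count = struct.unpack_from(ENTRY_FORMAT, mbr, offset)
        if ptype != 0:                      # type 0 marks an unused entry
            entries.append((i, ptype, first_lba, count))
    return entries


def set_partition_type(mbr: bytes, index: int, new_type: int) -> bytes:
    """Return a copy of the MBR with the type byte of entry `index` (0..3) set to `new_type`.

    Only that single byte changes; the signature and all other entries stay intact.
    """
    if not 0 <= index < 4:
        raise ValueError("an MBR has only four primary entries")
    patched = bytearray(mbr)
    patched[PARTITION_TABLE_OFFSET + index * ENTRY_SIZE + 4] = new_type
    return bytes(patched)


def build_sample_mbr() -> bytes:
    """Constructed sample, not a real disk dump: one NTFS-typed (0x07) partition at LBA 2048."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into(ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET, 0x00, 0x07, 2048, 2_000_000)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    mbr = build_sample_mbr()
    print("before:", [(i, hex(t), lba, n) for i, t, lba, n in parse_partition_table(mbr)])
    patched = set_partition_type(mbr, 0, UNKNOWN_PARTITION_TYPE)
    print("after: ", [(i, hex(t), lba, n) for i, t, lba, n in parse_partition_table(patched)])
```

Entry index 0 of the table is what Windows names Partition1 in the device path used in the USBDLM samples above, so after the change the container is addressed as \Device\HarddiskN\Partition1 and no volume device exists for it.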

With a standard partition type

With a standard partition type Windows creates a volume device and assigns a drive letter to the TrueCrypt container. When it is selected in the Windows Explorer, Explorer suggests formatting it... Therefore it is a good idea to remove the drive letter of a partition used as TrueCrypt container. This can be done in the Windows Disk Management, but assignments made there stick only to the exact drive they were made for.

USBDLM can remove the drive letter of any partition used as TrueCrypt container. In fact USBDLM checks the partition's first sector for random data. If random data is found, USBDLM gives the volume the DeviceType "TrueCrypt". If the container is already mounted by TrueCrypt, then USBDLM cannot check it for random data, since TrueCrypt holds the container open with exclusive access and the attempt to read is rejected with the error code "ERROR_SHARING_VIOLATION". In that case USBDLM gives the volume the DeviceType "ReadSharingViolation". This usually happens when the USBDLM service is manually restarted.
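The DeviceType decision just described can be modelled in a few lines of Python. The script below is an added example, not USBDLM's own code: the page confirms only that the first sector is read, that random data yields "TrueCrypt" and that a sharing violation yields "ReadSharingViolation". The entropy threshold, the 55AA signature check and the label "Other" for everything else are my assumptions, and the sample sectors are constructed in the script. Against a real disk, device_reader() with a path such as \\.\PhysicalDrive2 needs administrator rights on Windows.

```python
import math
import random
from collections import Counter

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"
ERROR_SHARING_VIOLATION = 32     # Win32 error code named on the page
ENTROPY_THRESHOLD = 7.0          # bits per byte; an assumed cut-off, not USBDLM's published test


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution in data, from 0.0 to 8.0 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_random(sector: bytes) -> bool:
    """Heuristic for 'no boot sector, no file system, nothing but random data'.

    A boot sector or MBR ends in 55AA and is mostly zero padding, so it fails
    both checks; the first sector of an encrypted container passes both.
    """
    if sector[-2:] == MBR_SIGNATURE:
        return False
    return shannon_entropy(sector) >= ENTROPY_THRESHOLD


def classify_first_sector(read_sector) -> str:
    """Reproduce the DeviceType decision described on the page.

    read_sector is a callable returning the first 512 bytes of the partition
    or raising OSError. A sharing violation means TrueCrypt already holds the
    container open exclusively, so the data cannot be inspected at all.
    """
    try:
        sector = read_sector()
    except OSError as exc:
        if getattr(exc, "winerror", None) == ERROR_SHARING_VIOLATION:
            return "ReadSharingViolation"
        raise                                    # any other I/O error is not ours to hide
    return "TrueCrypt" if looks_random(sector) else "Other"


def device_reader(path: str):
    """Reader for a real device or container file (e.g. \\.\PhysicalDrive2 on Windows, as admin)."""
    def _read() -> bytes:
        with open(path, "rb", buffering=0) as f:
            return f.read(SECTOR_SIZE)
    return _read


# --- constructed sample inputs, not dumps of real drives ------------------------

def sample_boot_sector() -> bytes:
    """FAT-style boot sector: jump + OEM name, zero padding, 55AA signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:11] = b"\xEB\x3C\x90MSWIN4.1"
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def sample_container_sector() -> bytes:
    """512 pseudo-random bytes standing in for a container's first sector (fixed seed)."""
    rng = random.Random(1234)
    return bytes(rng.getrandbits(8) for _ in range(SECTOR_SIZE))


def sample_locked_reader() -> bytes:
    """Stand-in for a read attempt while TrueCrypt holds the container open."""
    exc = OSError("The process cannot access the file because it is being used by another process")
    exc.winerror = ERROR_SHARING_VIOLATION
    raise exc


if __name__ == "__main__":
    for name, reader in [("boot sector", sample_boot_sector),
                         ("container", sample_container_sector),
                         ("mounted container", sample_locked_reader)]:
        print(f"{name:18} -> DeviceType {classify_first_sector(reader)}")
```

A 512-byte entropy test cannot tell an encrypted container from any other high-entropy sector (a compressed or otherwise encrypted volume header looks the same), which is why the page's configuration only removes the drive letter and hands the mount decision to TrueCrypt rather than doing anything destructive on that basis.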

Typical handling of a TrueCrypt container partition: Remove the container's drive letter and call TrueCrypt to mount it.

If the USBDLM service is restarted while the TrueCrypt container is mounted, then we want the letter of the container partition removed, but TrueCrypt shall not try to mount the volume again. That's what this sample does:

;remove the volume's drive letter, it's useless
[DriveLetters]
DeviceType1=TrueCrypt
DeviceType2=ReadSharingViolation
Letter=-

;mount it on J:
[OnArrival]
DeviceType=TrueCrypt
open="%ProgramFiles%\TrueCrypt\TrueCrypt.exe" /q /v %PartitionName% /letter J

;an Explorer window with the mounted TrueCrypt volume
[OnArrival]
DeviceType=TrueCryptVolume
open="%windir%\explorer.exe" %root%

%PartitionName% is a USBDLM variable which USBDLM replaces with something like \Device\Harddisk2\Partition1, as expected by TrueCrypt.

File as Container

When a drive arrives, USBDLM can check for the presence of a file and let TrueCrypt mount it:

[OnArrival]
FileExists=%drive%\secret.tc
open="%ProgramFiles%\TrueCrypt\TrueCrypt.exe" /q /v "%drive%\secret.tc" /letter J

You may want to check whether the target letter is available by means of the DirNotExists criterion. But then, if the letter is taken, the container is silently not mounted, instead of TrueCrypt showing a "drive letter not available" error message:

[OnArrival]
FileExists=%drive%\secret.tc
DirNotExists=J:\
open="%ProgramFiles%\TrueCrypt\TrueCrypt.exe" /q /v "%drive%\secret.tc" /letter J

Since V7.0 TrueCrypt can automatically mount containers itself.

The TrueCrypt Volume

When TrueCrypt mounts a container, it makes its contents available under an additional drive letter. This drive isn't a full-blown "storage volume"; it is only partially implemented.

USBDLM sees the arrival of the drive letter and can trigger an OnArrival for it. The TrueCrypt drive's DeviceType is "TrueCryptVolume" ("VeraCryptVolume" for VeraCrypt). That's all. USBDLM knows its drive letter and makes it available in the USBDLM variables as %drive%, but it cannot deal with the drive's drive letter. In fact it could, but TrueCrypt would lose track.

By means of the Windows tool MOUNTVOL the TrueCrypt volume can be mounted into an existing folder on an NTFS drive:

[OnArrival]
DeviceType=TrueCryptVolume
open1="%windir%\System32\mountvol.exe" "C:\TrueCrypt" %VolumeName%
system1=1
open2="%windir%\explorer.exe" %root%

USBDLM does not know anything about the relation between a TrueCrypt container and the mounted TrueCrypt drive. It just handles subsequent events.

Safe Removal

On a request for "Safe Removal" of the host drive, USBDLM can have a TrueCrypt volume dismounted. Unfortunately TrueCrypt can dismount by drive letter only.

Since USBDLM V5.0 there is the criterion IsMountedTrueCryptContainer, which checks whether a container (file, partition or disk) is mounted by TrueCrypt:

; check if secret.tc on the drive to remove is mounted by TrueCrypt
[OnRemovalRequest]
IsMountedTrueCryptContainer=%drive%\secret.tc
open="%ProgramFiles%\TrueCrypt\TrueCrypt.exe" /q /dismount J

; check if the volume on the drive to remove is mounted by TrueCrypt
[OnRemovalRequest]
IsMountedTrueCryptContainer=%PartitionName%
open="%ProgramFiles%\TrueCrypt\TrueCrypt.exe" /q /dismount J

If the partition type is patched to an unknown one, then there is no OnRemovalRequest but an OnDiskRemovalRequest. We have to know and build the partition name ourselves because there is no volume:

; check if partition 1 on the drive to remove is mounted by TrueCrypt
[OnDiskRemovalRequest]
IsMountedTrueCryptContainer=\Device\Harddisk%DeviceNumber%\Partition1
open="%ProgramFiles%\TrueCrypt\TrueCrypt.exe" /q /dismount J

The parameter /q or /quit is important because USBDLM does not answer the removal request before the started TrueCrypt.exe has ended. Without /quit TrueCrypt shows a window and USBDLM waits and waits... finally Windows will say "The service USBDLM prevents the removal".

For releasing a TrueCrypt volume I have made a command-line tool, EjectTcv, which accepts the TrueCrypt volume's container name as drive spec. Furthermore it can retry until success.

; EjectTcv can unmount by container name
[OnRemovalRequest]
IsMountedTrueCryptContainer=%drive%\secret.tc
open="C:\Tools\EjectTcv.exe" %drive%\secret.tc -L -H

http://www.uwe-sieber.de/drivetools_e.html#ejecttcv