1TCPLAY(8) BSD System Manager's Manual TCPLAY(8)
2
4 tcplay — tool to manage TrueCrypt volumes
5
7 tcplay -c -d device [-g] [-z] [-w] [-a pbkdf_hash] [-b cipher]
8 [-f keyfile_hidden] [-k keyfile] [-x pbkdf_hash] [-y cipher]
9 tcplay -i -d device [-e] [-f keyfile_hidden] [-k keyfile]
10 [-s system_device] [--fde] [--use-backup]
11 [--use-hdr-file hdr_file] [--use-hidden-hdr-file hdr_file]
12 tcplay -j mapping
13 tcplay -m mapping -d device [-e] [-f keyfile_hidden] [-k keyfile]
14 [-s system_device] [-t] [--fde] [--use-backup]
15 [--use-hdr-file hdr_file] [--use-hidden-hdr-file hdr_file]
16 tcplay --modify -d device [-k keyfile] [--new-keyfile new_keyfile]
17 [--new-pbkdf-prf pbkdf_hash] [-s system_device] [--fde]
18 [--use-backup] [--use-hdr-file hdr_file]
19 [--use-hidden-hdr-file hdr_file] [--save-hdr-backup hdr_file] [-w]
20 tcplay --modify -d device [-k keyfile] --restore-from-backup-hdr [-w]
21 tcplay -u mapping
22 tcplay -h | -v
23
25 The tcplay utility provides full support for creating and opening/mapping
26 TrueCrypt-compatible volumes. It supports the following commands, each
27 with a set of options detailed further below:
28 -c, --create
30 Create a new encrypted TrueCrypt volume on the device specified
31 by --device.
32 -h, --help
34 Print help message and exit.
35 -i, --info
37 Print out information about the encrypted device specified by
38 --device.
39 -j mapping, --info-mapped=mapping
41 Print out information about the mapped tcplay volume specified by
42 mapping. Information such as key CRC and the PBKDF2 PRF is not
43 available via this command.
44 --modify
46 Modify the volume header. This mode allows changing passphrase,
47 keyfiles, PBKDF2 PRF as well as restoring from a backup header.
48 -m mapping, --map=mapping
50 Map the encrypted TrueCrypt volume on the device specified by
51 --device as a dm(4) mapping called mapping. The mapping argument
52 should not contain any spaces or special characters.
53 -u mapping, --unmap=mapping
55 Removes (unmaps) the dm(4) mapping specified by mapping as well
56 as any related cascade mappings. If you mapped a volume using
57 full disk encryption and created mapping for individual parti‐
58 tions using kpartx(8), you must remove these prior to unmapping
59 the volume.
60 -v, --version
62 Print version message and exit.
63 Options common to all commands are:
65 -d device, --device=device
67 Specifies the disk device on which the TrueCrypt volume
68 resides/will reside. This option is mandatory for all commands.
69 -f keyfile_hidden, --keyfile-hidden=keyfile_hidden
71 Specifies a keyfile to use in addition to the passphrase when
72 either creating a hidden volume or when protecting a hidden vol‐
73 ume while mapping or querying the outer volume. If you only
74 intend to map a hidden volume, the --keyfile option has to be
75 used. This option can appear multiple times; if so, multiple
76 keyfiles will be used. This option is not valid in the --modify
77 mode.
78 -k keyfile, --keyfile=keyfile
80 Specifies a keyfile to use in addition to the passphrase. This
81 option can appear multiple times; if so, multiple keyfiles will
82 be used.
83 Additional options for the --create command are:
85 -a pbkdf_hash, --pbkdf-prf=pbkdf_hash
87 Specifies which hash algorithm to use for the PBKDF2 password
88 derivation. To see which algorithms are supported, specify
89 --pbkdf-prf=help.
90 -b cipher, --cipher=cipher
92 Specifies which cipher algorithm or cascade of ciphers to use to
93 encrypt the new volume. To see which algorithms are supported,
94 specify --cipher=help.
95 -g, --hidden
97 Specifies that the newly created volume will contain a hidden
98 volume. The keyfiles applied to the passphrase for the hidden
99 volume are those specified by --keyfile-hidden. The user will be
100 prompted for the size of the hidden volume interactively.
101 -w, --weak-keys
103 Use urandom(4) for key material instead of a strong entropy
104 source. This is in general a really bad idea and should only be
105 used for testing.
106 -x pbkdf_hash, --pbkdf-prf-hidden=pbkdf_hash
108 Specifies which hash algorithm to use for the PBKDF2 password
109 derivation for the hidden volume. Only valid in conjunction with
110 --hidden. If no algorithm is specified, the same as for the
111 outer volume will be used. To see which algorithms are sup‐
112 ported, specify --pbkdf-prf-hidden=help.
113 -y cipher, --cipher-hidden=cipher
115 Specifies which cipher algorithm or cascade of ciphers to use to
116 encrypt the hidden volume on the new TrueCrypt volume. Only
117 valid in conjunction with --hidden. If no cipher is specified,
118 the same as for the outer volume will be used. To see which
119 algorithms are supported, specify --cipher-hidden=help.
120 -z, --insecure-erase
122 Skips the secure erase of the disk. Use this option carefully as
123 it is a security risk!
124 Additional options for the --info, --map and --modify commands are:
126 -e, --protect-hidden
128 Specifies that an outer volume will be queried or mapped, but its
129 reported size will be adjusted accordingly to the size of the
130 hidden volume contained in it. Both the hidden volume and outer
131 volume passphrase and keyfiles will be required. This option
132 only applies to the --info and --map commands.
133 -s system_device, --system-encryption=system_device
135 This option is required if you are attempting to access a device
136 that uses system encryption, for example an encrypted Windows
137 system partition. It does not apply to disks using full disk
138 encryption. The --device option will point at the actual
139 encrypted partition, while the system_device argument will point
140 to the parent device (i.e. underlying physical disk) of the
141 encrypted partition.
142 --fde This option is intended to be used with disks using full disk
144 encryption (FDE). When a disk has been encrypted using True‐
145 Crypt's FDE, the complete disk is encrypted except for the first
146 63 sectors. The --device option should point to the whole disk
147 device, not to any particular partition. The resultant mapping
148 will cover the whole disk, and will not appear as separate parti‐
149 tions. To access individual partitions after mapping, kpartx(8)
150 can be used.
151 --use-backup
153 This option is intended to be used when the primary headers of a
154 volume have been corrupted. This option will force tcplay to use
155 the backup headers, which are located at the end of the device,
156 to access the volume.
157 Additional options only for the --map command are:
159 -t, --allow-trim
161 This option enables TRIM (discard) support on the mapped volume.
162 Additional options only for the --modify command are:
164 --new-pbkdf-prf=pbkdf_hash
166 Specifies which hash algorithm to use for the PBKDF2 password
167 derivation on reencrypting the volume header. If this option is
168 not specified, the reencrypted header will use the current PRF.
169 To see which algorithms are supported, specify --pbkdf-prf=help.
170 --new-keyfile=keyfile
172 Specifies a keyfile to use in addition to the new passphrase on
173 reencrypting the volume header. This option can appear multiple
174 times; if so, multiple keyfiles will be used.
175 --restore-from-backup-hdr
177 If this option is specified, neither --new-pbkdf-prf nor
178 --new-keyfile should be specified. This option implies
179 --use-backup. Use this option to restore the volume headers from
180 the backup header.
181 Sending a SIGINFO or SIGUSR1 signal to a running tcplay process makes it
183 print progress on slower tasks such as gathering entropy or wiping the
184 volume.
185
187 TrueCrypt limits passphrases to 64 characters (including the terminating
188 null character). To be compatible with it, tcplay does the same. All
189 passphrases (excluding keyfiles) are trimmed to 64 characters. Simi‐
190 larly, keyfiles are limited to a size of 1 MB, but up to 256 keyfiles can
191 be used.
192
194 tcplay offers plausible deniability. Hidden volumes are created within an
195 outer volume. Which volume is accessed solely depends on the passphrase
196 and keyfile(s) used. If the passphrase and keyfiles for the outer volume
197 are specified, no information about the existance of the hidden volume is
198 exposed. Without knowledge of the passphrase and keyfile(s) of the hid‐
199 den volume its existence remains unexposed. The hidden volume can be
200 protected when mapping the outer volume by using the --protect-hidden
201 option and specifying the passphrase and keyfiles for both the outer and
202 hidden volumes.
203
205 Create a new TrueCrypt volume on /dev/vn0 using the cipher cascade of AES
206 and Twofish and the Whirlpool hash algorithm for PBKDF2 password deriva‐
207 tion and two keyfiles, one.key and two.key:
208 tcplay --create --device=/dev/vn0
210 --cipher=AES-256-XTS,TWOFISH-256-XTS --pbkdf-prf=whirlpool
211 --keyfile=one.key --keyfile=two.key
212 Map the outer volume on the TrueCrypt volume on /dev/vn0 as truecrypt1,
214 but protect the hidden volume, using the keyfile hidden.key, from being
215 overwritten:
216 tcplay --map=truecrypt1 --device=/dev/vn0 --protect-hidden
218 --keyfile-hidden=hidden.key
219 Map the hidden volume on the TrueCrypt volume on /dev/vn0 as truecrypt2,
221 using the keyfile hidden.key:
222 tcplay --map=truecrypt2 --device=/dev/vn0 --keyfile=hidden.key
224 Map and mount the volume in the file secvol on Linux:
226 losetup /dev/loop1 secvol
228 tcplay --map=secv --device=/dev/loop1
230 mount /dev/mapper/secv /mnt
232 Similarly on DragonFly:
234 vnconfig vn1 secvol
236 tcplay --map=secv --device=/dev/vn1
238 mount /dev/mapper/secv /mnt
240 Unmapping the volume truecrypt2 on both Linux and DragonFly after
242 unmounting:
243 dmsetup remove truecrypt2
245 Or alternatively:
247 tcplay --unmap=truecrypt2
249 A hidden volume whose existance can be plausibly denied and its outer
251 volume can for example be created with
252 tcplay --create --hidden --device=/dev/loop0
254 --cipher=AES-256-XTS,TWOFISH-256-XTS --pbkdf-prf=whirlpool
255 --keyfile=one.key --cipher-hidden=AES-256-XTS
256 --pbkdf-prf-hidden=whirlpool --keyfile-hidden=hidden.key
257 tcplay will prompt the user for the passphrase for both the outer and
259 hidden volume as well as the size of the hidden volume inside the outer
260 volume. The hidden volume will be created inside the area spanned by the
261 outer volume. The hidden volume can optionally use a different cipher
262 and prf function as specified by the --cipher-hidden and
263 --pbkdf-prf-hidden options. Which volume is later accessed depends only
264 on which passphrase and keyfile(s) are being used, so that the existance
265 of the hidden volume remains unknown without knowledge of the passphrase
266 and keyfile it is protected by since it is located within the outer vol‐
267 ume. To map the outer volume without potentially damaging the hidden
268 volume, the passphrase and keyfile(s) of the hidden volume must be known
269 and provided alongside the --protect-hidden option.
270 A disk encrypted using full disk encryption can be mapped using
272 tcplay --map=tcplay_sdb --device=/dev/sdb --fde
274 To access individual partitions on the now mapped disk, the following
276 command will generate mappings for each individual partition on the
277 encrypted disk:
278 kpartx --av /dev/mapper/tcplay_sdb
280 To restore the main volume header from the backup header, the following
282 command can be used:
283 tcplay --modify --device=/dev/sdb --restore-from-backup-hdr
285 As with most other commands, which header is saved (used as source)
287 depends on the passphrase and keyfiles used.
288 To save a backup copy of a header, the following command can be used:
290 tcplay --modify --device=/dev/sdb
292 --save-hdr-backup=/tmp/sdb_backup_header.hdr
293 As with most other commands, which header is saved (used as source)
295 depends on the passphrase and keyfiles used.
296 To restore a header from a backup header file, the following command can
298 be used:
299 tcplay --modify -use-hdr-file=/tmp/sdb_backup_header.hdr
301 Similarly, to restore a hidden header from a backup header file:
303 tcplay --modify
305 -use-hidden-hdr-file=/tmp/sdb_backup_hidden_header.hdr
306 Which header is used as the source of the operation will still depend on
308 the passphrase and keyfiles used. Even if you use the
309 --use-hidden-hdr-file option, if you specify the passphrase and keyfiles
310 for the main header, the main header will be used instead.
311
313 crypttab(5), cryptsetup(8), dmsetup(8), kpartx(8)
314
316 The tcplay utility appeared in DragonFly 2.11.
317
319 Alex Hornung
320BSD December 08, 2013 BSD